Unbound Recursive DNS

An alternative to BIND, Unbound is a modern validating, recursive, and caching DNS server maintained by NLnet Labs.

Prerequisites and assumptions

  • A server running Rocky Linux
  • Able to use firewalld for creating firewall rules

Introduction

There are two types of DNS servers: authoritative and recursive. Authoritative DNS servers publish a DNS zone, whereas recursive servers resolve queries on behalf of clients, either by forwarding them to an ISP or public DNS resolver or, for larger deployments, by querying the root servers directly.

For example, your home router is likely running an embedded recursive DNS resolver that forwards to your ISP or a well-known public DNS server, which is also a recursive DNS server.

Installing and enabling Unbound

Install Unbound:

dnf install unbound

Configuring Unbound

Before making changes to any configuration file, make a copy of the original installed working file, unbound.conf:

cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.orig

That copy will help in the future if errors are introduced into the configuration file. It is always a good idea to make a backup before making changes.

Edit the unbound.conf file. The author uses vi, but you can substitute your favorite command line editor:

vi /etc/unbound/unbound.conf

Insert the following:

server:
    interface: 0.0.0.0
    interface: ::
    access-control: 192.168.0.0/16 allow
    access-control: 2001:db8::/64 allow

forward-zone:
    name: "."
    forward-addr: 1.0.0.1@53
    forward-addr: 1.1.1.1@53

Replace 192.168.0.0/16 and 2001:db8::/64 with the subnets for which you are resolving DNS queries. Save your changes.

Taking a closer look

  • The interface denotes the interfaces (IPv4 or IPv6) on which you want to listen for DNS queries. We are listening on all interfaces with 0.0.0.0 and ::.
  • The access-control denotes which subnets (IPv4 or IPv6) you want to allow DNS queries from. We are allowing requests from 192.168.0.0/16 and 2001:db8::/64.
  • The forward-addr defines the servers we will forward to. We are forwarding to Cloudflare's 1.1.1.1 and 1.0.0.1.
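Before enabling the service it is worth checking two things about the configuration above: that no access-control line grants "allow" to the whole Internet (0.0.0.0/0 or ::/0), which combined with listening on all interfaces would make the host an open resolver, and that the file parses. The script below is an added example and is not part of the Rocky Linux guide or of Unbound itself; it writes a constructed copy of the guide's configuration to a temporary file and checks it, and runs unbound-checkconf only if that tool happens to be installed.

```shell
#!/bin/sh
# Added example (not from the guide): sanity-check an unbound.conf before
# running "systemctl enable --now unbound".
#   1. No access-control line may grant "allow" to 0.0.0.0/0 or ::/0.
#   2. If unbound-checkconf is installed, use it for a syntax check.
# The configuration below is a constructed sample mirroring the guide.

SAMPLE_CONF="${TMPDIR:-/tmp}/unbound-sample.conf"
cat > "$SAMPLE_CONF" <<'EOF'
server:
    interface: 0.0.0.0
    interface: ::
    access-control: 192.168.0.0/16 allow
    access-control: 2001:db8::/64 allow

forward-zone:
    name: "."
    forward-addr: 1.0.0.1@53
    forward-addr: 1.1.1.1@53
EOF

# Print every network granted "allow" (or allow_snoop etc.), one per line.
allowed_networks() {
    awk '$1 == "access-control:" && $3 ~ /^allow/ { print $2 }' "$1"
}

# Return 0 when no access-control line opens the resolver to everyone.
acl_is_restricted() {
    ! allowed_networks "$1" | grep -qE '^(0\.0\.0\.0/0|::/0)$'
}

# Return 0 if unbound-checkconf is absent or accepts the file;
# non-zero when it reports a syntax error.
syntax_ok() {
    if command -v unbound-checkconf >/dev/null 2>&1; then
        unbound-checkconf "$1" >/dev/null
    else
        echo "unbound-checkconf not installed; skipping syntax check" >&2
    fi
}

# Constructed counter-example: the same file with an access-control
# that allows the entire IPv4 Internet.
OPEN_CONF="${TMPDIR:-/tmp}/unbound-open.conf"
sed 's#192.168.0.0/16 allow#0.0.0.0/0 allow#' "$SAMPLE_CONF" > "$OPEN_CONF"

if acl_is_restricted "$SAMPLE_CONF" && syntax_ok "$SAMPLE_CONF"; then
    echo "sample config: OK"
fi
acl_is_restricted "$OPEN_CONF" || echo "open config: access-control allows 0.0.0.0/0; refusing"
```

Point the two functions at /etc/unbound/unbound.conf instead of the sample file to check a real installation; the awk match deliberately treats allow_snoop and the other allow variants the same as allow, since all of them answer queries for the listed network.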

Enabling Unbound

Next, allow DNS ports in firewalld and enable Unbound:

firewall-cmd --add-service=dns --zone=public
firewall-cmd --runtime-to-permanent
systemctl enable --now unbound

Check DNS resolution with the host command, pointing it at your server's address (172.20.0.100 in this example):

$ host google.com 172.20.0.100
Using domain server:
Name: 172.20.0.100
Address: 172.20.0.100#53
Aliases:

google.com has address 142.251.215.238
google.com has IPv6 address 2607:f8b0:400a:805::200e
google.com mail is handled by 10 smtp.google.com.

Conclusion

Most people use their home router's DNS resolver or public DNS resolvers run by ISPs and tech companies. In home labs and large networks, it is the norm to run a network-wide resolver to reduce latency and network load by caching DNS requests for commonly requested websites such as Google. A network-wide resolver also enables intranet services such as SharePoint and Active Directory.

Unbound is one of many open-source tools that make resolving DNS possible. Congratulations, you have your very own DNS resolver!

Author: Neel Chauhan

Contributors: Steven Spencer, Ganna Zhyrnova