Unbound DNS resolver? Cut out the middleman!
Why expose yourself to the privacy risks of a public DNS server when you can run your own DNSSEC-validating, recursive, caching resolver? In the following guide we will install and configure our own instance of a popular DNS resolver: Unbound from NLnet Labs, on a Debian-based Linux distro. The configuration file itself is portable, so you can reuse it on other distributions and operating systems that Unbound supports; only the package manager and file paths differ.
To install, open a terminal and run the following command (as root, or with sudo):
Some error messages may appear at this point: if Unbound finds no usable configuration it will refuse to start. To create the configuration, make a file named “example.conf” in the following directory. Bear in mind that Unbound only reads its main unbound.conf plus whatever that file includes; on Debian the packaged unbound.conf includes /etc/unbound/unbound.conf.d/*.conf, so a file placed elsewhere, or one whose name does not end in .conf, is silently ignored.
You can use nano or any other editor to copy the content below into that file and save it:
The next step is to pull the root.hints file (the list of root name server addresses that InterNIC publishes as named.root) for the first time. Strictly speaking this is optional, since Unbound ships with built-in root hints and Debian's dns-root-data package provides a copy at /usr/share/dns/root.hints, but keeping your own file lets you control when it is refreshed. Execute these two separate commands:
Once Unbound has been restarted with the configuration and hints in place, the resolver is up and running and listens on localhost, 127.0.0.1 port 5678. You can change this to another IP/port combination in the configuration file; run unbound-checkconf after every edit before restarting the service. Note that most stub resolvers (the /etc/resolv.conf or DHCP-supplied setting on your devices) cannot be told to use a port other than 53, so a non-standard port like 5678 only makes sense with a forwarder such as Pi-hole in front of Unbound, or you move Unbound itself to port 53.
To make sure the root.hints file is kept up to date (it changes rarely, so refreshing it about every six months is quite safe), we can create a cron job that takes care of that for us. Let's use a separate script, for customisation's sake. Paste the content below into a text editor, like nano, and save it with the .sh extension:
You can save that file to your home folder or any other path of your choosing, as long as the cron job (running as root) can read it. Don't forget to make the .sh file executable:
Finally, let’s schedule a task using cron:
Add this line at the end of the file and save it:
These steps schedule an update of your root.hints at 4 AM on the 1st of February and July, and restart the Unbound service to apply the changes. Make sure the script only swaps in the new file when the download actually succeeded: a cron job that restarts Unbound with an empty file or an HTML error page as root.hints will take your resolver down at 4 AM with nobody watching.
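The whole procedure above, as one added example (not the original post's commands, config or script): a POSIX shell script that installs Unbound on a Debian-based system, writes the resolver configuration, fetches and validates the root hints, and installs itself as the cron-driven updater. The drop-in config name, the install path, the cron.d file name and the InterNIC URL are my assumptions; the DNSSEC trust anchor is not repeated here because the Debian package already drops one into unbound.conf.d via dns-root-data.

```shell
#!/bin/sh
# Added example, not the original post's script. Run "install" once as root;
# the cron.d entry it writes then runs "update-hints" twice a year.
set -eu

UNBOUND_DIR=/etc/unbound
CONF="$UNBOUND_DIR/unbound.conf.d/local-resolver.conf"   # assumed drop-in name
HINTS="$UNBOUND_DIR/root.hints"
HINTS_URL=https://www.internic.net/domain/named.root       # named.root from InterNIC
SCRIPT_DEST=/usr/local/sbin/unbound-root-hints.sh         # assumed install path
CRON_FILE=/etc/cron.d/unbound-root-hints                  # assumed cron.d file name

# Emit the resolver configuration: recursive (no forward-zone), caching,
# listening only on the given address/port. Kept as a function so it can be
# inspected without touching the system.
render_unbound_conf() {
    listen_ip=${1:-127.0.0.1}; port=${2:-5678}; hints=${3:-$HINTS}
    cat <<EOF
server:
    interface: $listen_ip
    port: $port
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    root-hints: "$hints"
    # Answer only the local host; refuse everyone else (widen for a LAN).
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    # Hardening and privacy knobs from unbound.conf(5).
    harden-glue: yes
    harden-dnssec-stripped: yes
    qname-minimisation: yes
    hide-identity: yes
    hide-version: yes
    prefetch: yes
    # Strip private/loopback addresses from upstream answers (rebinding protection).
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 127.0.0.0/8
EOF
}

# Sanity-check a downloaded hints file before it replaces the live one:
# an empty file or an HTML error page must never reach Unbound.
root_hints_ok() {
    [ -s "$1" ] || return 1
    grep -q 'ROOT-SERVERS.NET' "$1" || return 1
    if grep -qi '<html' "$1"; then return 1; fi
    return 0
}

# Download named.root to a temp file, validate it, then replace the live copy
# and restart Unbound only if the configuration still checks out.
update_root_hints() {
    tmp=$(mktemp)
    if ! curl -fsSL -o "$tmp" "$HINTS_URL" || ! root_hints_ok "$tmp"; then
        rm -f "$tmp"
        echo "root hints download failed or looked wrong; keeping $HINTS" >&2
        return 1
    fi
    install -m 0644 "$tmp" "$HINTS"
    rm -f "$tmp"
    unbound-checkconf >/dev/null
    systemctl restart unbound
}

install_all() {
    apt-get update
    apt-get install -y unbound dns-root-data curl
    render_unbound_conf 127.0.0.1 5678 "$HINTS" > "$CONF"
    update_root_hints
    # Install this script as the updater and schedule it for 04:00 on the
    # 1st of February and July; a cron.d file carries the user field explicitly.
    install -m 0755 "$0" "$SCRIPT_DEST"
    printf '0 4 1 2,7 * root %s update-hints\n' "$SCRIPT_DEST" > "$CRON_FILE"
}

case ${1:-} in
    install)      install_all ;;
    update-hints) update_root_hints ;;
    *)            echo "usage: $0 install|update-hints" ;;
esac
```

The validation step is the part worth copying even if you keep your own script: InterNIC occasionally serves maintenance pages, and `curl -f` alone does not catch a 200 response with HTML in it.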
To make sure your devices are actually using your Unbound instance, make the TXT record query below from each device.
In the non-authoritative answer, the “ns” record is the unicast IP address from which the recursive resolver reached the authoritative server, i.e. your resolver's egress address. You should get your own public IP if the Unbound instance is local (behind NAT that is your router's public address, not 127.0.0.1), or your VPS IP if it runs in the cloud. If it is anything else, your device is sending queries to some other DNS provider rather than your Unbound resolver: check the network and device DNS settings for leaks (a VPN client, a browser with DNS-over-HTTPS enabled, or a DHCP-supplied resolver are common culprits).
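A leak check that does not require knowing your public IP, as an added example that is not part of the original post: it asks a “whoami” TXT zone twice, once directly at the Unbound instance and once through whatever the system's stub resolver uses, and compares the resolver address the authoritative server reports. It assumes the Akamai zone whoami.ds.akahelp.net, which answers with TXT records of the shape "ns" "<resolver egress address>" and "ip" "<client address>"; any zone with the same answer shape can be substituted.

```shell
#!/bin/sh
# Added example, not from the original post. Usage: sh leakcheck.sh 127.0.0.1 5678
set -eu

WHOAMI_ZONE=whoami.ds.akahelp.net   # assumed: answers "ns" "<resolver>" / "ip" "<client>"

# Extract the address that follows the "ns" label in dig +short TXT output.
# Tolerates both "ns" "1.2.3.4" (two strings) and "ns 1.2.3.4" (one string).
ns_field() {
    sed -n 's/^"ns[" ]*\([0-9a-fA-F.:]*\).*/\1/p' | head -n 1
}

# Compare the system-wide answer with the Unbound reference.
# Prints a verdict and returns 0 (ok), 1 (leak) or 2 (unusable answer).
classify() {
    ref=$1; sys=$2
    if [ -z "$ref" ] || [ -z "$sys" ]; then
        echo "UNKNOWN: no \"ns\" field in answer (ref='$ref' sys='$sys')"
        return 2
    fi
    if [ "$ref" = "$sys" ]; then
        echo "OK: system queries leave via $sys, same as the Unbound instance"
        return 0
    fi
    echo "LEAK: system resolver egress is $sys, Unbound egress is $ref"
    return 1
}

main() {
    if [ $# -ne 2 ]; then
        echo "usage: $0 <unbound_ip> <unbound_port>"
        return 0
    fi
    # Reference: what the world sees when Unbound itself resolves the name.
    ref=$(dig +short TXT "$WHOAMI_ZONE" @"$1" -p "$2" | ns_field)
    # Under test: what the world sees when this device resolves it normally.
    sys=$(dig +short TXT "$WHOAMI_ZONE" | ns_field)
    classify "$ref" "$sys"
}

main "$@"
```

Run it on the device you want to verify, not on the resolver host: a match means the device's queries end up leaving through Unbound, whether directly or via a Pi-hole in front of it; a different address means something else is answering first.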
Optional step: paired with Pi-hole or AdGuard Home, you can add an extra layer between your devices and the resolver that filters nefarious domains. Point the filter's upstream at your Unbound instance (Pi-hole writes this as 127.0.0.1#5678) and let the devices use the filter on port 53; this also sidesteps the non-standard-port problem for clients that cannot be configured with a port.