Ideas about Unbound DNS server

Created in 2029 / about 9 min read

This article was last updated more than 1000 days ago, so the information in it may be out of date.

I have used the combination of Unbound and dnscrypt-proxy on my PC for a period of time. I was using dnsmasq with dnscrypt-proxy, but dnsmasq seemed unstable (even though it was deployed on my own computer and used by just me!). Replacing dnsmasq with Unbound seems to be a good solution.

Here (Chinese Simplified) is a great example by phoenixlzx.

Fallback servers

Unbound will do load-balancing on the listed forward-addrs, instead of requesting the servers one by one and skipping to the next server only if the previous one fails. In my case, I want it to request my dnscrypt-proxy server first and use the other servers as fallback, so this obviously does me no good.

Finally, I moved the fallback configuration into /etc/resolv.conf. Not so exciting, but it also works.

Forwarding rules

dnscrypt-proxy applies the first matching rule it comes across. Unbound is more rational and matches the most specific one.

DNS over TLS (DoT) support of Unbound

Unbound supports DNS over TLS (but not DNS over HTTPS) when forwarding DNS queries. By adding forward-tls-upstream: yes (or forward-ssl-upstream: yes) you can make the server send DoT requests to the upstream servers you specify. Then we no longer need dnscrypt-proxy to make secured DNS queries.

See this article for detailed configurations.

My config file (working on Manjaro Linux):

  server:
    verbosity: 1
    do-daemonize: no
    use-syslog: yes
    username: unbound
    directory: "/etc/unbound"
    root-hints: "root.hints" # Get it here:
    trust-anchor-file: trusted-key.key # Run `sudo unbound-anchor` for this file
    module-config: "iterator"  # "validator iterator" if you want DNSSEC
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt # Differs per distribution
    # access-control needs a netblock before the action; the original line had only "allow".
    # 127.0.0.0/8 is assumed here (queries from this PC only); widen it if other hosts must query.
    access-control: 127.0.0.0/8 allow

  forward-zone:
      name: "."
      forward-ssl-upstream: yes
      # forward-addr lines (<upstream-ip>@853#<upstream-hostname>) go here; they are not listed in this post

