Ideas about Unbound DNS server

Re:Linked

I have used the combination of Unbound and dnscrypt-proxy on my PC for a while. Before that I was using dnsmasq with dnscrypt-proxy, but dnsmasq seemed unstable (even though it was deployed on my own computer and used by just me!). Replacing dnsmasq with Unbound seems to be a good solution.

Configuration

Here (in Simplified Chinese) is a great example configuration by phoenixlzx.

Fallback servers

Unbound spreads queries across all the listed forward-addr entries, choosing servers by their measured round-trip time, instead of trying them one by one and moving on to the next only when the previous one fails. In my case I want it to ask my dnscrypt-proxy server first and use the other servers only as fallback, so this obviously does not do me any good.

In the end I moved the fallback servers out of Unbound and listed them in /etc/resolv.conf instead. Not so exciting, but it also works.

Forwarding rules

dnscrypt-proxy applies the first matching forwarding rule it comes across, so the order of its rules matters. Unbound is more sensible: among the configured zones it picks the most specific one, that is, the zone whose name is the longest suffix of the query name, regardless of the order in which the zones are written.
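The two matching strategies described above, run over one constructed rule set, as an added example that is not code from the original post or from either project. The domains and upstream addresses are placeholders chosen for the demonstration; the point is that a broad rule written before a narrower one hides the narrower one under first-match but not under most-specific-match.

```python
"""Added example (not from the original post): the two rule-matching
strategies, first-match (dnscrypt-proxy style) and most-specific-match
(Unbound style), run over one constructed rule set.
"""


def labels(name):
    """Split a domain name into its labels; the root "." yields an empty list."""
    name = name.strip().rstrip(".").lower()
    return name.split(".") if name else []


def zone_matches(zone, qname):
    """True when qname is inside zone (equal to it or a subdomain of it).
    The root zone (no labels) matches every name."""
    z, q = labels(zone), labels(qname)
    return len(q) >= len(z) and q[len(q) - len(z):] == z


def first_match(rules, qname):
    """dnscrypt-proxy style: the first rule in file order that matches wins."""
    for zone, upstream in rules:
        if zone_matches(zone, qname):
            return zone, upstream
    return None


def most_specific_match(rules, qname):
    """Unbound style: the matching zone with the most labels wins,
    no matter where it appears in the list."""
    best = None
    for zone, upstream in rules:
        if zone_matches(zone, qname) and (
            best is None or len(labels(zone)) > len(labels(best[0]))
        ):
            best = (zone, upstream)
    return best


# Constructed rule set: a broad rule deliberately written before a narrower one.
RULES = [
    ("example.com",      "10.0.0.1"),   # placeholder resolver for the whole org
    ("corp.example.com", "10.0.0.2"),   # placeholder internal resolver that should win for corp.*
    (".",                "9.9.9.9"),    # default for everything else
]

if __name__ == "__main__":
    for q in ("vpn.corp.example.com", "www.example.com", "example.org"):
        print(q)
        print("  first match:        ", first_match(RULES, q))
        print("  most specific match:", most_specific_match(RULES, q))
```

With this rule set, a query for vpn.corp.example.com goes to 10.0.0.1 under first-match (the example.com rule is reached first) but to 10.0.0.2 under most-specific-match; reversing the list changes the first-match answer and leaves the most-specific answer alone. In dnscrypt-proxy, put the narrower rules first.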

DNS over TLS (DoT) support of Unbound

Unbound can forward queries over DNS over TLS (it does not forward over DNS over HTTPS). Setting forward-tls-upstream: yes (forward-ssl-upstream: yes is the older spelling of the same option) in a forward-zone makes Unbound send DoT queries to the servers listed there, so dnscrypt-proxy is no longer needed to get encrypted upstream queries. Two things are needed for that TLS to be authenticated rather than merely encrypted: tls-cert-bundle (or tls-win-cert on Windows) in the server: section, and a #hostname suffix on each forward-addr naming the host the certificate is verified against. An address without the #hostname suffix is still encrypted, but the upstream's certificate is not checked.

See this article for detailed configurations.

My config file (working on Manjaro Linux):

server:
    verbosity: 1
    do-daemonize: no
    use-syslog: yes
    username: unbound
    directory: "/etc/unbound"
    root-hints: "root.hints"            # Get it here: https://www.internic.net/domain/named.root
    trust-anchor-file: trusted-key.key  # Run `sudo unbound-anchor` for this file
    module-config: "iterator"           # "validator iterator" if you want DNSSEC; the trust anchor
                                        # above is only used when the validator module is loaded
    interface: 127.0.0.54
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt  # Path differs per distribution; without it
                                                          # upstream certificates are not verified
    access-control: 127.0.0.1/8 allow

forward-zone:
    name: "."
    forward-ssl-upstream: yes           # Older spelling of forward-tls-upstream; both are accepted
    forward-addr: 8.8.8.8@853#dns.google            # @853 is the DoT port, #name is the hostname
    forward-addr: 9.9.9.9@853#dns.quad9.net         # the certificate is verified against
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
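A small audit for the failure mode mentioned in the DoT section, as an added example that is not code from the original post or from the Unbound project: it parses the forward-zone blocks of a config and flags every forward-addr that is queried in plaintext, or over TLS without a #hostname, or with a #hostname but no tls-cert-bundle to verify it against. The parser handles only the subset of unbound.conf syntax used on this page (key: value lines, "#" comments, server: and forward-zone: headers); the two sample configs are constructed for the demonstration and the WEAK one is deliberately misconfigured.

```python
"""Added example (not from the original post): audit an Unbound config for
forwarders whose TLS is encrypted but not authenticated.

Unbound verifies an upstream's certificate only when the forward-addr carries
a "#hostname" suffix and the server: section has tls-cert-bundle (or
tls-win-cert). With either one missing the connection is still TLS, but any
certificate is accepted. Only the config subset used on this page is parsed.
"""
import re

# ip[@port][#authname], the forward-addr syntax from unbound.conf(5)
ADDR_RE = re.compile(r"^(?P<ip>[^@#\s]+)(?:@(?P<port>\d+))?(?:#(?P<auth>\S+))?$")


def parse_unbound(text):
    """Return (server_options, forward_zones). A '#' starts a comment only at
    the start of a line or after whitespace, so '#authname' in an address survives."""
    server, zones, zone = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = line.split(" #", 1)[0].split("\t#", 1)[0].rstrip()
        if line == "server:":
            zone = None                      # back to server-level options
            continue
        if line == "forward-zone:":
            zone = {"forward-addr": []}      # start a new forward zone
            zones.append(zone)
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if zone is None:
            server[key] = value
        elif key == "forward-addr":
            zone["forward-addr"].append(value)
        else:
            zone[key] = value
    return server, zones


def audit(text):
    """Return one finding per forward-addr that is not an authenticated DoT upstream;
    an empty list means every forwarder is encrypted and certificate-verified."""
    server, zones = parse_unbound(text)
    have_bundle = bool(server.get("tls-cert-bundle") or server.get("tls-win-cert"))
    findings = []
    for zone in zones:
        name = zone.get("name", "?")
        tls = zone.get("forward-tls-upstream", zone.get("forward-ssl-upstream", "no")) == "yes"
        for addr in zone["forward-addr"]:
            m = ADDR_RE.match(addr)
            if not m:
                findings.append(f"{name}: cannot parse forward-addr {addr!r}")
            elif not tls:
                findings.append(f"{name}: {m['ip']} is queried in plaintext (no forward-tls-upstream)")
            elif not m["auth"]:
                findings.append(f"{name}: {m['ip']} uses TLS but has no #hostname, certificate not verified")
            elif not have_bundle:
                findings.append(f"{name}: {m['ip']} has #{m['auth']} but no tls-cert-bundle, certificate not verified")
    return findings


# Constructed sample: what the config on this page does, reduced to the relevant lines.
STRONG = """\
server:
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
"""

# Constructed sample, deliberately weak: TLS is on, but nothing is authenticated.
WEAK = """\
server:
    # tls-cert-bundle missing, so there is nothing to verify certificates against
forward-zone:
    name: "."
    forward-ssl-upstream: yes
    forward-addr: 9.9.9.9@853                      # no #hostname at all
    forward-addr: 1.0.0.1@853#cloudflare-dns.com   # hostname given, but no CA bundle
"""

if __name__ == "__main__":
    for label, cfg in (("STRONG", STRONG), ("WEAK", WEAK)):
        print(label, "->", audit(cfg) or "ok")
```

Run unbound-checkconf first for syntax; this audit only looks at what Unbound itself forwards. Fallback nameserver lines in /etc/resolv.conf are used by the libc stub resolver over plain UDP/53, so they are outside both DoT and this check.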