# Unbound DNS Resolver

Unbound is a fast, secure, validating, recursive, and caching DNS resolver. It is commonly used for privacy (your queries are not handed to a third-party resolver that logs them), DNSSEC validation, and performance through local caching.

## Installation

```bash
apt update && apt dist-upgrade -y
apt install sudo vim unbound unbound-anchor dns-root-data
```

## Basic Configuration

Create or edit a config file. Common location:

`/etc/unbound/unbound.conf` (main file, often includes other files)

```bash
vim /etc/unbound/unbound.conf
```

**Minimal** recommended config (for home use):

```conf
server:
    # DNSSEC trust anchor (auto-updates via RFC 5011)
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Privacy: send only as much of the query name upstream as each server needs
    qname-minimisation: yes

    # Listen on all interfaces (or 127.0.0.1 for local-only)
    interface: 0.0.0.0
    # interface: ::0   # IPv6

    # Allow queries from your local network only; clients not listed here are refused by default
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.0.0/16 allow   # Adjust to your subnet (e.g. 10.0.0.0/8)
    # access-control: 172.16.0.0/12 allow

    # Security & performance
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: no
    edns-buffer-size: 1232
    prefetch: yes
    num-threads: 1   # Increase on powerful hardware

    # Strip private (RFC 1918) addresses from upstream answers: protects against DNS rebinding
    private-address: 192.168.0.0/16
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12

    # Logging
    verbosity: 0
```

## Root Hints & DNSSEC

Most package installs handle this automatically via `dns-root-data`. To update manually:

```bash
wget https://www.internic.net/domain/named.root -qO- | sudo tee /var/lib/unbound/root.hints
# Point Unbound at this file by adding to the server: clause:
#   root-hints: "/var/lib/unbound/root.hints"

# Initialize the DNSSEC trust anchor
sudo unbound-anchor -a /var/lib/unbound/root.key
```

## Start and Enable the Service

```bash
sudo systemctl enable --now unbound
sudo systemctl restart unbound
```

Check status:

```bash
sudo systemctl status unbound
```

Validate config:

```bash
unbound-checkconf
```
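`unbound-checkconf` confirms that the file parses, not that the access policy says what you meant. As an added example (not part of Unbound or of this guide), the script below parses a `server:` clause and reports netblocks whose host bits extend past the mask (such as `192.168.178.0/16`), an `allow` rule on `0.0.0.0/0` that would turn the box into an open resolver, and a missing trust anchor; the sample config is constructed for the demonstration.

```python
import ipaddress
import re

# Constructed sample (not from the page): a server: clause with three
# deliberate problems for the audit to find.
SAMPLE_CONF = """\
server:
    interface: 0.0.0.0
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.178.0/16 allow   # host bits set beyond /16
    access-control: 0.0.0.0/0 allow          # answers anyone on the internet
    private-address: 10.0.0.0/8
"""

# "option: value   # comment" -> (option, value); comment and padding dropped
OPTION_RE = re.compile(r"^\s*([a-z-]+):\s*(.*?)\s*(?:#.*)?$")

def parse_server_options(text):
    """Return (option, value) pairs from an Unbound server: clause."""
    options = []
    for line in text.splitlines():
        m = OPTION_RE.match(line)
        if m and m.group(1) != "server":
            options.append((m.group(1), m.group(2)))
    return options

def audit(text):
    """Return human-readable findings for an Unbound server: clause."""
    findings = []
    options = parse_server_options(text)
    for name, value in options:
        if name != "access-control":
            continue
        parts = value.split()
        if len(parts) < 2:
            continue
        netblock, action = parts[0], parts[1]
        try:
            # strict=True rejects a prefix whose host bits are non-zero
            net = ipaddress.ip_network(netblock, strict=True)
        except ValueError:
            findings.append(f"access-control {netblock}: host bits set beyond the mask")
            continue
        # allow/allow_setrd/allow_snoop on a /0 serves recursion to the whole internet
        if action.startswith("allow") and net.prefixlen == 0:
            findings.append(f"access-control {netblock} {action}: open resolver")
    if not any(name == "auto-trust-anchor-file" for name, _ in options):
        findings.append("no auto-trust-anchor-file: DNSSEC validation is off")
    return findings
```

Run `audit()` over the real file with `audit(open("/etc/unbound/unbound.conf").read())`; an empty list means none of the three checks fired.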

## Test It

```bash
# Local test on the resolver itself
dig example.com @127.0.0.1
# The footer should show SERVER: 127.0.0.1#53

# Test from another host on the LAN (the resolver's address in this guide)
dig example.com @192.168.178.118
# The footer should show SERVER: 192.168.178.118#53
```

## Configure Your Client to Use the DNS Server

In this guide the resolver's address is 192.168.178.118.

```bash
vim /etc/resolv.conf
```

```conf
nameserver 192.168.178.118
```

## Validate DNSSEC

To check that DNSSEC validation works end to end, open this page from a client that uses the resolver:

https://wander.science/projects/dns/dnssec-resolver-test/