
Unbound
Validating, recursive, caching DNS resolver

Unbound is a validating, recursive, caching DNS resolver designed to be fast, lean and standards-compliant. It implements modern privacy and DNSSEC-focused features and runs on Linux, BSD and macOS. (nlnetlabs.nl)
Key Features
- DNSSEC validation and support for DNSSEC-related optimizations (aggressive use of DNSSEC-validated cache).
- Recursive, validating and caching resolver behavior with configurable cache policies and performance tuning.
- Encrypted client transport: supports DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) to protect client→resolver traffic.
- Query Name Minimisation and other privacy-preserving standards to limit data sent to authoritative servers.
- Authority zones / ability to load a copy of the root zone for isolated or offline operation.
- libunbound API for embedding resolver functionality into applications.
- Configurable build options and runtime modules (TLS via OpenSSL, optional libevent, modular extensions).
Use Cases
- Run a local or network resolver for homes, offices or ISPs that need DNSSEC and encrypted client transport.
- Deploy a privacy-focused resolver for client devices by enabling DoT/DoH and query name minimisation.
- Integrate DNS resolution into applications or services using the libunbound API for validated lookups.
Limitations and Considerations
- Unbound is a recursive/validating resolver and is not designed to act as an authoritative DNS server.
- Some features require build-time dependencies (C toolchain, OpenSSL, libexpat; building from source may need flex and bison). Optional modules (e.g., libevent) change runtime behavior and scalability trade-offs.
- Primary platform focus is Unix-like systems (Linux/BSD/macOS); Windows support is limited compared to Unix platforms.
Unbound is a mature, open-source DNS resolver maintained by NLnet Labs with an emphasis on security, privacy and standards compliance. It is widely packaged for major Unix-like distributions and is suitable for both personal and operator-scale resolver deployments.
Similar Services

Pi-hole
Network-wide DNS sinkhole for ad and tracker blocking
Pi-hole is a network-wide DNS sinkhole that blocks ads and trackers for all devices on your network, with a web dashboard, query logs, and optional DHCP server.


AdGuard Home
Network-wide DNS server that blocks ads, trackers, phishing and malware
Open-source DNS-based ad & tracker blocking server for networks. Offers per-device rules, parental controls, encrypted upstream DNS (DoH/DoT/DNSCrypt), web UI and API.


MyIP (IPCheck.ing)
Open-source IP toolbox for IP, DNS, WebRTC and network diagnostics
MyIP (IPCheck.ing) is an open-source web IP toolbox that detects local/public IPs, runs DNS leak and WebRTC checks, speed/latency/MTR tests, availability and whois lookup...

Technitium DNS Server
Authoritative and recursive DNS server with web console
Cross-platform DNS server with authoritative/recursive modes, encrypted DNS (DoH/DoT/DoQ), DNSSEC, ad/malware blocking, DHCP, and an HTTP API with web admin UI.

Blocky
Fast, lightweight DNS proxy and ad-blocker in Go
Open-source DNS proxy and network-wide ad-blocker for local networks. Supports DoH/DoT, per-client rules, caching, deep CNAME inspection, Prometheus metrics, Docker and H...

OPNsense
Open source firewall and routing platform for network security
OPNsense is an open source FreeBSD-based firewall and routing platform with a web GUI, API, VPN, traffic shaping, and security features for networks and homelabs.

Unbound tech stack: Autotools, GNU Make, systemd, C, Linux