Build Your Own DNS Resolver with Unbound: Master Privacy and Boost Linux Network Speed

Network tutorial - IT technology blog

Set Up in 5 Minutes: Basic Unbound Installation

Instead of using “borrowed” DNS, build your own DNS “well” for your system. I’m performing this guide on Ubuntu/Debian. If you’re using CentOS or Fedora, simply replace apt with dnf.

# Update the system and install Unbound
sudo apt update
sudo apt install unbound -y

# Download root hints (the list of root server names and addresses Unbound starts from);
# /etc/unbound is root-owned, so the write needs sudo
sudo wget https://www.internic.net/domain/named.cache -O /etc/unbound/root.hints

# Create a minimal configuration file
sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf

Paste the following configuration into the file. This is a basic setup but sufficient for most needs:

server:
    # Listen on loopback only; widen interface and access-control if the LAN should use it
    interface: 127.0.0.1
    port: 53
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    root-hints: "/etc/unbound/root.hints"
    # Only local clients may query; everything not listed is refused
    access-control: 127.0.0.0/8 allow
    # DNSSEC trust anchor, kept up to date by Unbound itself (RFC 5011)
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

Check the configuration, enable and restart the service, then test it:

sudo unbound-checkconf               # catch syntax errors before touching the service
sudo systemctl enable --now unbound  # start now and on every boot
sudo systemctl restart unbound       # load the new configuration
dig google.com @127.0.0.1

If the answer contains the line status: NOERROR, your own recursive resolver is up and answering.

Why Build Your Own DNS When Google/Cloudflare Are So Convenient?

Everyone loves the convenience of 8.8.8.8 or 1.1.1.1, but the price is your privacy. Every time you hit Enter on a web address, tech giants know exactly what you’re doing. Running your own Unbound instance helps you cut off this tracking.

Even more dangerous is DNS hijacking. Many ISPs “accidentally” redirect failed DNS requests to ad pages or block websites by answering with spoofed IPs. Unbound sidesteps this: it performs the recursive lookup itself, starting from the root servers, so no intermediary resolver sits between you and the authoritative answer.

My experience: DNS is vital when the network gets unstable during peak hours. When DNS response is slow, browsing feels incredibly frustrating even if your bandwidth is hundreds of Mbps. With Unbound and its local cache, latency drops from 150ms to nearly 0ms for subsequent visits.

How It Works: Recursion Instead of Forwarding

Recursive Resolver vs. Forwarder

Most DNS services we use are Forwarders—they ask on your behalf and return the result. Unbound is different; it’s a true Recursive resolver. The process works like a conversation:

  1. You ask: “Where is itfromzero.com?”
  2. Unbound asks the Root Server (“.”): “Who handles .com?”
  3. Root Server points to the TLD Server (“.com”).
  4. Unbound then asks the TLD Server: “Where is itfromzero.com located?”
  5. Finally, it retrieves the IP from the Authoritative Server and hands it to you.

Rock-Solid Security with DNSSEC

DNSSEC acts like a tamper-evident seal on DNS data. With the trust anchor configured above, Unbound validates these signatures by default. If a signed domain’s records are forged (DNS cache poisoning), the signature check fails and Unbound returns SERVFAIL instead of the bogus answer, keeping you off the phishing site. The seal only exists for domains whose owners have signed them; unsigned zones are still answered, just without that protection.

Advanced Configuration: Optimizing for High-Performance Servers

If your server has plenty of resources, don’t hesitate to fine-tune Unbound for better performance. Add the following lines to your configuration file:

server:
    num-threads: 2 # Set this to the number of your CPU cores

    # Reduce lock contention between threads; use a power of 2 close to num-threads
    msg-cache-slabs: 4
    rrset-cache-slabs: 4
    infra-cache-slabs: 4
    key-cache-slabs: 4

    # Increase cache size for faster responses (rrset cache roughly twice the msg cache)
    rrset-cache-size: 100m
    msg-cache-size: 50m

    # Do not answer id.server / version.server queries with the host name or Unbound version
    hide-identity: yes
    hide-version: yes
    prefetch: yes # Refresh popular records shortly before they expire

The Power of DNS over TLS (DoT)

Want to forward requests to Cloudflare but fear ISP snooping? DoT is the solution. Note what this changes: with a forward-zone for “.”, Unbound no longer recurses from the root servers itself; it becomes a caching forwarder, so Cloudflare sees your queries while the ISP only sees TLS traffic to port 853. Add this to encrypt all outgoing queries. The tls-cert-bundle line matters: without CA certificates Unbound encrypts the connection but cannot verify that the other end really is cloudflare-dns.com.

server:
    # CA bundle used to verify the upstream certificate against the #name below
    # (path as shipped by the ca-certificates package on Debian/Ubuntu)
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    name: "."
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-ssl-upstream: yes

Practical Deployment Tips

Deploying Unbound can sometimes run into minor bugs that might eat up your afternoon. Here are some points to keep in mind:

  • Port 53 conflict: Ubuntu typically has systemd-resolved occupying port 53. Disable it with: sudo systemctl disable --now systemd-resolved. Afterwards check /etc/resolv.conf, which is usually a symlink to resolved’s stub file, and make sure it contains nameserver 127.0.0.1.
  • Write permissions for root.key: If the logs show “permission denied”, make sure the unbound user can read and write /var/lib/unbound/root.key; Unbound updates that file itself when the root key rolls.
  • Serving a LAN: The configuration above listens on 127.0.0.1 only. To serve other machines, change interface to the LAN address (or 0.0.0.0), add an access-control line that allows only your LAN range, and open port 53 (both UDP and TCP) on the firewall. Never allow 0.0.0.0/0 on a host reachable from the Internet; that is an open resolver.
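The DoT caveat and the LAN tips above come down to a few configuration lines that are easy to get wrong, so here is an added example, not the page’s or the Unbound project’s own tooling: a small Python parser for Unbound’s clause/attribute format plus a lint for the points this guide raises (a trust anchor is present, no world-wide allow rule on a non-loopback interface, a CA bundle when forwarding over TLS). The SAMPLE config is constructed for the demonstration.

```python
import re
from collections import defaultdict
# '#' opens a comment only at a token start, so 1.1.1.1@853#cloudflare-dns.com survives
COMMENT_RE = re.compile(r"(^|\s)#.*$")

def parse_unbound_conf(text):  # -> [(clause, {key: [values]}), ...] in file order
    clauses = []
    for raw in text.splitlines():
        line = COMMENT_RE.sub(r"\1", raw).rstrip()
        if not line.strip(): continue
        if not line[0].isspace() and line.endswith(":"):  # "server:" / "forward-zone:"
            clauses.append((line[:-1], defaultdict(list)))
        else:  # indented "key: value"; repeated keys (access-control, ...) accumulate
            key, _, value = line.strip().partition(":")
            clauses[-1][1][key.strip()].append(value.strip().strip('"'))
    return clauses

def lint(text):
    """Return findings as strings; an empty list means the config passes every check."""
    clauses = parse_unbound_conf(text)
    server = defaultdict(list)  # several server: clauses merge, as Unbound does
    for name, attrs in clauses:
        for key, values in (attrs.items() if name == "server" else ()):
            server[key].extend(values)
    findings = []
    if not (server["auto-trust-anchor-file"] or server["trust-anchor-file"]):
        findings.append("dnssec: no trust anchor configured, validation is off")
    # Listening beyond loopback with a world-wide allow rule creates an open resolver
    if any(not i.startswith(("127.", "::1")) for i in server["interface"]) and any(
            a.split()[:2] in (["0.0.0.0/0", "allow"], ["::/0", "allow"])
            for a in server["access-control"]):
        findings.append("acl: listens beyond loopback and allows the whole Internet")
    # DoT forwarding: the #authname is only verified when Unbound has CA certificates
    has_ca = bool(server["tls-cert-bundle"]) or server["tls-system-cert"] == ["yes"]
    for name, attrs in clauses:
        tls = "yes" in attrs["forward-tls-upstream"] + attrs["forward-ssl-upstream"]
        if name == "forward-zone" and tls and not has_ca:
            findings.append("dot: zone %s forwards over TLS without tls-cert-bundle, "
                            "so the upstream is encrypted but not authenticated" % attrs["name"][0])
    return findings

# Constructed sample: the guide's DoT forward-zone exposed to a LAN, no trust anchor or CA bundle
SAMPLE = """\
server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow
forward-zone:
    name: "."
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-ssl-upstream: yes
"""
```

Running lint(SAMPLE) reports all three problems; adding the trust anchor, a LAN-only access-control and tls-cert-bundle brings the list down to empty.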

Pro tip: Run the dig command twice. The second time, you’ll see a Query time of 0 msec—proof that the cache is working perfectly.

# First run: May take 150-200 msec
dig itfromzero.com @127.0.0.1 | grep "Query time"

# Second run: 0 msec - That's the speed of light!
dig itfromzero.com @127.0.0.1 | grep "Query time"

Owning your DNS isn’t just about speed; it’s the first step toward a deeper understanding of Internet infrastructure. If you get stuck at any point, feel free to leave a comment, and we’ll figure it out together.