
Unbound: Difference between revisions

From Official NixOS Wiki
Previous revision by J8 (minor edit: add minimal configuration)
Current revision by J8: DNS resolver and DNS forwarder with a blocklist
Line 3: Line 3:
Unbound is a validating, recursive, caching DNS resolver. It is designed to be fast and lean and incorporates modern features based on open standards.
Unbound is a validating, recursive, caching DNS resolver. It is designed to be fast and lean and incorporates modern features based on open standards.


== Minimal configuration ==
== Minimal configuration. DNS resolver ==
 
In this case our DNS queries upstream are not encrypted.
 
<syntaxhighlight lang="nixos">
<syntaxhighlight lang="nixos">
services.unbound = {
services.unbound = {
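Review bot: the new heading `== Minimal configuration. DNS resolver ==` uses a full stop where a colon reads better, e.g. `== Minimal configuration: DNS resolver ==`. The added sentence `In this case our DNS queries upstream are not encrypted.` is the right caveat for this section; spelling out the consequence (queries and answers are readable by anyone on the path to the upstream resolver) would make the contrast with the TLS-forwarding section below explicit.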
Line 18: Line 21:
</syntaxhighlight>
</syntaxhighlight>


== Example configuration ==
== DNS forwarder with blocklists ==
 
In this case we are using DoH to Quad9 and Cloudflare public DNS resolvers and filtering with a blocklist as Pi-Hole does.
 
<syntaxhighlight lang="nixos">
<syntaxhighlight lang="nixos">
services.unbound = {
services.unbound = {
     enable = true;
     enable = true;
     settings = {
 
      server = {
     settings.server.module.config = "'respip validator iterator'"; # RPZ
        # When only using Unbound as DNS, make sure to replace 127.0.0.1 with your ip address
 
        # When using Unbound in combination with pi-hole or Adguard, leave 127.0.0.1, and point Adguard to 127.0.0.1:PORT
    settings.rpz = [{
         interface = [ "127.0.0.1" ];
         name = "blocklist_hageziPro";
         port = 5335;
         url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/pro.txt";
        access-control = [ "127.0.0.1 allow" ];
    }]
        # See `man unbound.conf`
 
        prefetch = true;
    settings.forward-zone = [{
        hide-identity = true;
         name = ".";
        hide-version = true;
        forward-tls-upstream = true;
      };
        forward-addr = [
      forward-zone = [
             "9.9.9.9@853#dns.quad9.net";
         # Example config with quad9
             "149.112.112.112@853#dns.quad9.net"
        {
            "1.1.1.1@853#cloudflare-dns.com";
          name = ".";
            "1.0.0.1@853#cloudflare-dns.com";
          forward-tls-upstream = true; # Protected DNS
         ]
          forward-addr = [
     }];
             "9.9.9.9#dns.quad9.net"
};
             "149.112.112.112#dns.quad9.net"
          ];
         }
      ];
     };
  };
</syntaxhighlight>
</syntaxhighlight>
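Review bot: the new configuration block is not valid Nix and will fail to evaluate: the `forward-addr` entries `"9.9.9.9@853#dns.quad9.net";` and `"1.1.1.1@853#cloudflare-dns.com";` end in `;`, but Nix list elements are whitespace-separated, and the `}]` that closes `settings.rpz = [{ ... }]` needs a trailing `;`. The line `settings.server.module.config = "'respip validator iterator'";` also defines a nested attribute `module.config`, whereas the unbound.conf option is spelled `module-config`, so it should read `settings.server.module-config = "'respip validator iterator'";` for the respip module to be loaded at all. Two smaller points: the intro says "DoH", but `forward-tls-upstream = true` with `@853` is DNS over TLS, not DNS over HTTPS; and the removed `interface`, `access-control`, `hide-identity` and `hide-version` lines were the hardening of the old example, so the text should say that the new one relies on the NixOS module defaults for listening address and access control.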



Revision as of 22:34, 23 March 2026

Unbound is a DNS server. Quoting the official project page:

Unbound is a validating, recursive, caching DNS resolver. It is designed to be fast and lean and incorporates modern features based on open standards.

== Minimal configuration: DNS resolver ==

In this case our DNS queries upstream are not encrypted.

<syntaxhighlight lang="nixos">
services.unbound = {
    enable = true;
    settings.server.qname-minimisation = true;   # optional
};
</syntaxhighlight>

== Test if it's working ==

<syntaxhighlight lang="console">
$ systemctl status unbound.service
$ nslookup nixos.org localhost
</syntaxhighlight>

== DNS forwarder with blocklists ==

In this case we forward all queries over DNS over TLS (DoT, port 853) to the Quad9 and Cloudflare public resolvers and filter them with a response policy zone (RPZ) blocklist, as Pi-hole does.

<syntaxhighlight lang="nixos">
services.unbound = {
    enable = true;

    # Load the response-policy (respip) module in front of the validator and iterator,
    # otherwise the rpz block below is ignored. The unbound.conf option is "module-config".
    settings.server.module-config = "'respip validator iterator'"; # RPZ

    settings.rpz = [{
        name = "blocklist_hageziPro";
        url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/pro.txt";
    }];

    settings.forward-zone = [{
        name = ".";
        forward-tls-upstream = true;   # DNS over TLS to the resolvers below (port 853)
        # Nix list elements are whitespace-separated: no semicolons between entries
        forward-addr = [
            "9.9.9.9@853#dns.quad9.net"
            "149.112.112.112@853#dns.quad9.net"
            "1.1.1.1@853#cloudflare-dns.com"
            "1.0.0.1@853#cloudflare-dns.com"
        ];
    }];
};
</syntaxhighlight>
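To see what the RPZ blocklist loaded above does to a query, here is an added example (not part of this wiki page and not Unbound's own code): a small Python model of RPZ QNAME-trigger matching, run over a constructed zone fragment in RPZ zone-file syntax. The domain names and entries are made up; the action mapping (`CNAME .` is NXDOMAIN, `CNAME *.` is NODATA, `CNAME rpz-passthru.` is allow) is the standard RPZ convention.

```python
"""Model of how a response policy zone (RPZ) decides the fate of a query name.

Constructed sample data only: the real hagezi pro.txt uses the same line syntax
but contains hundreds of thousands of entries.
"""

# Constructed RPZ zone fragment (QNAME triggers). "*.name" covers every name below it.
SAMPLE_RPZ = """\
$TTL 300
@ SOA localhost. root.localhost. 1 3600 900 604800 300
  NS localhost.
; block an ad host and everything under it
ads.example.net CNAME .
*.ads.example.net CNAME .
; NODATA: the name exists but has no records
tracker.example.org CNAME *.
; block a whole domain but explicitly allow one host in it
*.example.com CNAME .
allowed.example.com CNAME rpz-passthru.
"""

# RPZ CNAME targets with special meaning -> policy action
ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU"}


def parse_rpz(text):
    """Return {trigger_name: action} for the CNAME (QNAME trigger) records."""
    rules = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()       # drop comments
        parts = line.split()
        if len(parts) >= 3 and parts[-2].upper() == "CNAME":
            owner = parts[0].lower().rstrip(".")
            rules[owner] = ACTIONS.get(parts[-1], parts[-1])
    return rules


def policy_for(qname, rules):
    """Exact-name rule wins; otherwise the closest enclosing wildcard rule applies."""
    name = qname.lower().rstrip(".")
    if name in rules:
        return rules[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in rules:
            return rules[wildcard]
    return "RESOLVE"   # no policy hit: forwarded to the upstream resolvers
```

Note that `www.allowed.example.com` is still blocked: the passthru entry covers only the exact name, while `*.example.com` covers every deeper name.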

== Further reading ==