Unbound

From Official NixOS Wiki
Revision as of 22:34, 23 March 2026 by J8 (talk | contribs) (DNS resolver and DNS forwarder with a blocklist)

Unbound is a DNS server. Quoting the official project page:

Unbound is a validating, recursive, caching DNS resolver. It is designed to be fast and lean and incorporates modern features based on open standards.

Minimal configuration: DNS resolver

In this case Unbound performs full recursion itself, and its upstream queries are not encrypted.

services.unbound = {
    enable = true;
    settings.server.qname-minimisation = true;   # optional
};

Test if it's working

$ systemctl status unbound.service
$ nslookup nixos.org localhost

DNS forwarder with blocklists

In this case Unbound forwards all queries over DNS over TLS (port 853, which is what the forward-zone below configures) to the Quad9 and Cloudflare public resolvers, and filters them with a blocklist as Pi-hole does.

services.unbound = {
    enable = true;

    # RPZ needs the respip module; the option is module-config, and the single
    # quotes survive into the generated unbound.conf as Unbound's quoted string
    settings.server.module-config = "'respip validator iterator'";

    settings.rpz = [{
        name = "blocklist_hageziPro";
        url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/pro.txt";
    }];

    settings.forward-zone = [{
        name = ".";
        forward-tls-upstream = true;
        # Nix list elements are separated by whitespace, not semicolons.
        # The #hostname suffix is the name Unbound checks the upstream TLS certificate against.
        forward-addr = [
            "9.9.9.9@853#dns.quad9.net"
            "149.112.112.112@853#dns.quad9.net"
            "1.1.1.1@853#cloudflare-dns.com"
            "1.0.0.1@853#cloudflare-dns.com"
        ];
    }];
};
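As an added example (not from this wiki page), the same forwarder extended for use as a LAN resolver: it listens on a LAN address, restricts which clients may query it, makes the upstream certificate check explicit, and logs RPZ hits so blocked lookups are visible in the journal. The LAN address 192.168.1.2 and subnet 192.168.1.0/24 are assumed placeholders.

```nix
# Added example, not from the wiki page. Hypothetical LAN values: the resolver
# listens on 192.168.1.2 and serves only the 192.168.1.0/24 subnet.
services.unbound = {
  enable = true;

  settings.server = {
    # Listen on loopback and the LAN address; refuse queries from anywhere else.
    interface = [ "127.0.0.1" "192.168.1.2" ];
    access-control = [
      "127.0.0.0/8 allow"
      "192.168.1.0/24 allow"
      "0.0.0.0/0 refuse"
    ];

    # respip is required for RPZ; this is the module order given in the Unbound documentation.
    module-config = "'respip validator iterator'";

    qname-minimisation = true;

    # forward-tls-upstream only authenticates the upstream against its #hostname
    # when a CA bundle is configured. The NixOS module sets this by default;
    # it is written out here so the dependency is visible.
    tls-cert-bundle = "/etc/ssl/certs/ca-certificates.crt";

    # Do not answer id.server / version.bind probes.
    hide-identity = true;
    hide-version = true;
  };

  settings.rpz = [{
    name = "blocklist_hageziPro";
    url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/pro.txt";
    # Log every policy hit under this tag so blocked lookups show up in journalctl.
    rpz-log = true;
    rpz-log-name = "hagezi-pro";
  }];

  settings.forward-zone = [{
    name = ".";
    forward-tls-upstream = true;
    forward-addr = [
      "9.9.9.9@853#dns.quad9.net"
      "149.112.112.112@853#dns.quad9.net"
      "1.1.1.1@853#cloudflare-dns.com"
      "1.0.0.1@853#cloudflare-dns.com"
    ];
  }];
};
```

After a rebuild, a lookup of a listed domain from the LAN should return NXDOMAIN and produce a line tagged hagezi-pro in `journalctl -u unbound`.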

Further reading