Configuration

Unbound has a vast array of configuration options for advanced use cases, which can seem a little overwhelming at first. Luckily, all of the defaults are sensible and secure, so in a lot of environments you can run Unbound without changing any options. Below we will go through a basic, recommended config, but feel free to add and experiment with options as you need them.

Note

The instructions in this page assume that Unbound is already installed.

The basic configuration which you can use out of the box is shown below. To use it, you need to create a file with this config as its content (or copy the config to the default config file which can be found during the installation process).

server:
    # can be uncommented if you do not need user privilige protection
    # username: ""

    # can be uncommented if you do not need file access protection
    # chroot: ""

    # location of the trust anchor file that enables DNSSEC. note that
    # the location of this file can elsewhere
    auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
    # auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # send minimal amount of information to upstream servers to enhance privacy
    qname-minimisation: yes

    # specify the interfaces to answer queries from by ip-address.
    interface: 0.0.0.0
    # interface: ::0

    # addresses from the IP range that are allowed to connect to the resolver
    access-control: 192.168.0.0/16 allow
    # access-control: 2001:DB8/64 allow

By default the Unbound config uses chroot to provide an extra layer of defence against remote exploits. If Unbound is not starting because it cannot access files due to permission errors caused by chroot, a solution can be to enter file paths as full pathnames starting at the root of the filesystem (/). Otherwise, if chroot is not required you can disable it in the config.

# disable chroot
chroot: ""

By default Unbound assumes that a user named “unbound” exists, which you can add this user with an account management tool available on your system. You can also disable this feature by adding username: "" in the config. If it is enabled, after the setup, any other user privileges are dropped and the configured username is assumed.

Important

Unbound comes with the unbound-checkconf tool. This tool allows you to check the config file for errors before starting Unbound. It is very convenient because if any errors are found it tells you where they are, which is particularly useful when Unbound is already running to avoid failure to restart due to a configuration error.

Set up Remote Control

A useful functionality to enable is the use of the unbound-control command. This allows command makes starting, stopping, and reloading Unbound easier. To enable this functionality we need to add remote-control to the config and enable it.

remote-control:
    # enable remote-control
    control-enable: yes

    # location of the files created by unbound-control-setup
    #server-key-file: "/usr/local/etc/unbound/unbound_server.key"
    #server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"
    #control-key-file: "/usr/local/etc/unbound/unbound_control.key"
    #control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"

To use the unbound-control command, we need to invoke the unbound-control-setup command. This creates a number of files in the default install directory. The default install directory is /usr/local/etc/unbound/ on most systems, but some distributions may put it in /etc/unbound/ or /var/lib/unbound.

Apart from an extensive config file, with just about all the possible configuration options, unbound-control-setup creates the cryptographic keys necessary for the control option.

unbound-control-setup

If you use a username like unbound in the config to run the daemon (which is the default setting), you can use sudo to create the files in that user’s name, so that the user running Unbound is allowed to read the keys. This is also a solution if the /usr/local/etc/unbound/ (or any other default direcotry) directory is write-protected, which is the case for some distributions.

sudo -u unbound unbound-control-setup

You can now control Unbound using the unbound-control command. Note that if your configuration file is not in the default location or not named unbound.conf, the name (and possibly path) need to be provided when using the command using the -c flag.

Set up Trust Anchor (Enable DNSSEC)

To enable DNSSEC, which we strongly recommend, we need to set up a trust anchor as it allows the verification of the integrity of the responses to the queries you send.

To help, we can use the unbound-anchor command. unbound-anchor performs the setup by configuring a trust anchor. The default location that unbound-anchor creates this in is determined by your installation method. Usually the default directory is /usr/local/etc/unbound/.

Note that using a package manager to install Unbound, on some distributions, creates the root key during installation. On Ubuntu 20.04.1 LTS for example, this location is /var/lib/unbound/root.key. On macOS Big Sur this location is /opt/homebrew/etc/unbound/root.key If you create the root key yourself (by using the unbound-anchor command), then the path to the anchor file in the configuration file should be changed to the correct location. To find out the default location you can use the unbound-anchor command again with the -vvv option enabled. To enable DNSSEC, we add auto-trust-anchor-file under the server options in the config.

# enable DNSSEC
auto-trust-anchor-file: "/var/lib/unbound/root.key"

Note that on some systems the /usr/local/etc/unbound/ directory might be write-protected.

If the unbound-control-setup command fails due to the insufficient permissions, instead run the command as the correct user.

sudo -u unbound unbound-anchor