# Using Unbound as upstream DNS server

Jack'lul edited this page Sep 22, 2025 · 24 revisions
> **Note**
> On Asuswrt-Merlin, installing Unbound Manager from amtm might be more convenient: skip to step 5 and replace port 5335 with 53535.
1. Install Unbound: `opkg install unbound-daemon`.

2. Create a new `/opt/etc/unbound/unbound.conf`:

   ```
   # This configuration is based on:
   # https://docs.pi-hole.net/guides/dns/unbound/
   server:
       # If no logfile is specified, syslog is used
       # The logfile must be within the chroot path or chroot must be disabled!
       #logfile: "/opt/var/log/unbound.log"

       # Verbosity level
       # 0 - errors only
       # 1 - basic operational information (default)
       verbosity: 0

       # Run as unprivileged user in a different working directory
       # Also chroot jail the process, make sure to run the following command:
       # chmod 755 /opt/var/lib/unbound && chown -R nobody:nobody /opt/var/lib/unbound
       username: "nobody"
       directory: "/opt/var/lib/unbound"
       chroot: "/opt/var/lib/unbound"

       # Run on loopback address
       interface: 127.0.0.1
       port: 5335
       do-ip4: yes
       do-udp: yes
       do-tcp: yes

       # Whether IPv6 queries are answered or issued
       # May be set to no if you don't have IPv6 connectivity
       do-ip6: yes

       # You want to leave this to no unless you have *native* IPv6 connectivity
       # With 6to4 and Teredo tunnels your web browser should favor IPv4 for the same reasons
       prefer-ip6: no

       # To use an external root hints file uncomment the following line and run:
       # wget https://www.internic.net/domain/named.cache -O /opt/var/lib/unbound/root.hints
       # chmod 644 /opt/var/lib/unbound/root.hints
       # chown nobody:nobody /opt/var/lib/unbound/root.hints
       # It's a good idea to set up a cron job to fetch it once every few months
       #root-hints: "/opt/var/lib/unbound/root.hints"

       # To enable DNSSEC uncomment the following line and run:
       # install -m 644 /opt/etc/unbound/root.key /opt/var/lib/unbound/root.key
       # chown nobody:nobody /opt/var/lib/unbound/root.key
       #auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"

       # Trust glue only if it is within the server's authority
       harden-glue: yes

       # Require DNSSEC data for trust-anchored zones
       # If such data is absent, the zone becomes BOGUS
       harden-dnssec-stripped: yes

       # Reduce EDNS reassembly buffer size.
       # This value has been suggested in DNS Flag Day 2020.
       edns-buffer-size: 1232

       # Don't use capitalization randomization as it is known to cause DNSSEC issues sometimes
       # See https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
       use-caps-for-id: no

       # Perform prefetching of close to expired message cache entries
       # This only applies to domains that have been frequently queried
       prefetch: yes

       # One thread should be sufficient, can be increased on beefy machines
       # It should be unnecessary to seek performance enhancement by increasing num-threads above 1
       num-threads: 1

       # Ensure kernel buffer is large enough to not lose messages in traffic spikes
       so-rcvbuf: 1m

       # Use higher port numbers to prevent possible NAT issues
       # Recommended to uncomment when running on a router
       #outgoing-port-avoid: 0-32767
       #outgoing-port-permit: 32768-65535

       # Ensure privacy of local IP ranges
       private-address: 127.0.0.0/8
       private-address: 192.168.0.0/16
       private-address: 169.254.0.0/16
       private-address: 172.16.0.0/12
       private-address: 10.0.0.0/8
       private-address: fd00::/8
       private-address: fe80::/10

       # Ensure no reverse queries to non-public IP ranges (RFC6303 4.2)
       private-address: 192.0.2.0/24
       private-address: 198.51.100.0/24
       private-address: 203.0.113.0/24
       private-address: 255.255.255.255/32
       private-address: 2001:db8::/32
   ```

3. Create `/opt/var/lib/unbound` and set correct permissions:

   ```sh
   mkdir -pm 755 /opt/var/lib/unbound
   chown -R nobody:nobody /opt/var/lib/unbound
   ```

   If you wish to use an external root hints file or enable DNSSEC, check the instructions within the config file.

4. Start the Unbound service: `/opt/etc/init.d/S61unbound start`.

5. Modify `/opt/etc/pihole/pihole.toml`:

   ```toml
   [dns]
   upstreams = [
     "127.0.0.1#5335"
   ]
   ```

   This can also be set through the web interface in **Settings -> DNS**.

6. Pi-hole should detect the changes in the config file and restart itself, but in case it didn't, run `/opt/etc/init.d/S65pihole-FTL restart`.
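The config above warns twice about the chroot: the logfile, root hints and trust anchor have to live inside `/opt/var/lib/unbound`, or Unbound will fail to open them after it has chroot()ed. The following pre-flight check is an added example, not code from this wiki or from the Unbound project. It parses the `option: value` lines of the `server:` clause, resolves each file option the way the `unbound.conf(5)` manual describes for a chroot (a path already below the chroot is used as written, any other absolute path is taken relative to the new root, a relative path is taken relative to the working directory), reports whether a trust anchor is configured, and derives the `address#port` upstream string Pi-hole expects in step 5. The embedded configuration is a constructed, trimmed copy of the page's config with the `logfile` line deliberately uncommented so the pitfall is visible.

```python
"""Pre-flight check for the unbound.conf described on this page.

Added example, not code from the wiki or from the Unbound project. It parses the
"option: value" lines of a server: clause, resolves each file option the way
unbound.conf(5) documents for chroot (a path already below the chroot is used
as written, any other absolute path is taken relative to the new root, a
relative path is taken relative to the working directory), reports whether a
trust anchor is configured, and derives the Pi-hole upstream string.
"""
from typing import Dict, List, Tuple

# Files Unbound opens after chroot(); the names are real unbound.conf options.
FILE_OPTIONS = ("logfile", "root-hints", "auto-trust-anchor-file", "trust-anchor-file")

# Constructed sample: the page's config, trimmed, with the logfile line
# uncommented on purpose so the chroot pitfall the comments warn about shows up.
SAMPLE_CONF = """\
server:
    logfile: "/opt/var/log/unbound.log"   # outside the chroot: will not work
    verbosity: 0
    username: "nobody"
    directory: "/opt/var/lib/unbound"
    chroot: "/opt/var/lib/unbound"
    interface: 127.0.0.1
    port: 5335
    auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
    private-address: 192.168.0.0/16
    private-address: fd00::/8
"""


def parse_unbound_conf(text: str) -> Dict[str, List[str]]:
    """Map each active option to its values, in file order.

    Comments and clause headers ("server:") are skipped. Options that may
    repeat, such as private-address, accumulate; for single-valued options
    the last occurrence is the one Unbound uses, so callers take [-1].
    """
    options: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop whole-line and trailing comments
        if not line or line.endswith(":"):       # blank, or a clause header
            continue
        key, _, value = line.partition(":")      # split at the first colon only (IPv6 values)
        options.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return options


def effective_path(chroot: str, directory: str, path: str) -> str:
    """Return the on-disk location Unbound will open for a configured path."""
    root = chroot.rstrip("/")

    def in_jail(p: str) -> str:
        # Absolute path: used as written if already below the chroot (Unbound
        # strips the prefix), otherwise interpreted relative to the new root.
        if not root or p == root or p.startswith(root + "/"):
            return p
        return root + p

    if path.startswith("/"):
        return in_jail(path)
    workdir = in_jail(directory) if directory else (root or "/")
    return f"{workdir.rstrip('/')}/{path}"        # relative: below the working directory


def audit_file_options(options: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """List (option, configured, effective) for every file Unbound will open
    somewhere other than where the configured path literally points."""
    chroot = options.get("chroot", [""])[-1]
    directory = options.get("directory", [""])[-1]
    findings = []
    for opt in FILE_OPTIONS:
        for path in options.get(opt, []):
            effective = effective_path(chroot, directory, path)
            if effective != path:
                findings.append((opt, path, effective))
    return findings


def dnssec_enabled(options: Dict[str, List[str]]) -> bool:
    """True once a trust anchor file is configured (DNSSEC validation on)."""
    return bool(options.get("auto-trust-anchor-file") or options.get("trust-anchor-file"))


def pihole_upstream(options: Dict[str, List[str]]) -> str:
    """Pi-hole writes upstreams as address#port, e.g. 127.0.0.1#5335."""
    interface = options.get("interface", ["127.0.0.1"])[0]
    port = options.get("port", ["53"])[-1]
    return f"{interface}#{port}"


if __name__ == "__main__":
    opts = parse_unbound_conf(SAMPLE_CONF)
    for opt, configured, effective in audit_file_options(opts):
        print(f"{opt}: configured {configured} but Unbound will open {effective}")
    print("DNSSEC validation:", "on" if dnssec_enabled(opts) else "off")
    print("Pi-hole upstream:", pihole_upstream(opts))
```

Run against the sample it reports that `/opt/var/log/unbound.log` would actually be opened as `/opt/var/lib/unbound/opt/var/log/unbound.log`, which is exactly why the page leaves the logfile commented out and syslog in use. Point it at the real `/opt/etc/unbound/unbound.conf` after editing and before step 4; Unbound's own `unbound-checkconf` catches syntax errors but does not show you where a path ends up once the chroot is in effect. On Asuswrt-Merlin with Unbound Manager the derived upstream string becomes `127.0.0.1#53535`, matching the note at the top of the page.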