Using Unbound as upstream DNS server
Jack'lul edited this page Sep 1, 2025 · 24 revisions
> **Note**
> On Asuswrt-Merlin, installing Unbound Manager from amtm might be more convenient. If you use it, skip to step 5 and replace port 5335 with 53535.
1. Install Unbound: `opkg install unbound-daemon`.
2. Create a new `/opt/etc/unbound/unbound.conf`:
   ```conf
   # This configuration is based on:
   # https://docs.pi-hole.net/guides/dns/unbound/
   # https://github.com/MartineauUK/Unbound-Asuswrt-Merlin/blob/master/unbound.conf
   # https://nlnetlabs.nl/documentation/unbound/unbound.conf/
   server:
       # Verbosity level
       # 0 - errors only
       # 1 - basic operational information (default)
       verbosity: 0
       # Use a more human readable time format in the logs
       log-time-ascii: yes
       # Log messages that say why queries return SERVFAIL
       #log-servfail: yes
       # If no logfile is specified, syslog is used
       # The logfile must be within the chroot path or the chroot option must be disabled!
       #logfile: "/opt/var/log/unbound.log"
       # This file is written before chrooting, so it can be any path
       pidfile: "/opt/var/run/unbound.pid"
       # Chroot jail the process, make sure to run the following command:
       # chmod 755 /opt/var/lib/unbound && chown -R nobody:nobody /opt/var/lib/unbound
       username: "nobody"
       directory: "/opt/var/lib/unbound"
       chroot: "/opt/var/lib/unbound"
       # Run on the loopback address only, 127.0.0.1:5335
       interface: 127.0.0.1
       port: 5335
       do-ip4: yes
       do-udp: yes
       do-tcp: yes
       # Whether IPv6 queries are answered or issued
       # May be set to no if you don't have IPv6 connectivity
       do-ip6: yes
       # Uncomment the following line when setting 'do-ip6: no'
       # This will explicitly drop ALL IPv6 responses
       #private-address: ::/0
       # You want to leave this at no unless you have *native* IPv6 connectivity
       # With 6to4 and Teredo tunnels your web browser should favor IPv4 for the same reasons
       prefer-ip6: no
       # To use an external root hints file uncomment the following line and run:
       # wget https://www.internic.net/domain/named.cache -O /opt/var/lib/unbound/root.hints
       # chmod 644 /opt/var/lib/unbound/root.hints
       # chown nobody:nobody /opt/var/lib/unbound/root.hints
       # It's a good idea to set up a cron job to fetch it once every few months
       #root-hints: "/opt/var/lib/unbound/root.hints"
       # To enable DNSSEC uncomment the following line and run:
       # install -m 644 /opt/etc/unbound/root.key /opt/var/lib/unbound/root.key
       # chown nobody:nobody /opt/var/lib/unbound/root.key
       #auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
       # Trust glue only if it is within the server's authority
       harden-glue: yes
       # Require DNSSEC data for trust-anchored zones
       # If such data is absent, the zone becomes BOGUS
       harden-dnssec-stripped: yes
       # Return NXDOMAIN to queries for a name below another name that is already known to be NXDOMAIN
       harden-below-nxdomain: yes
       # Reduce EDNS reassembly buffer size
       # This value has been suggested in DNS Flag Day 2020
       edns-buffer-size: 1232
       # Don't use capitalization randomization as it is known to cause DNSSEC issues sometimes
       # See https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
       use-caps-for-id: no
       # Deny queries of type ANY with an empty response
       deny-any: yes
       # Perform prefetching of close-to-expired message cache entries
       # This only applies to domains that have been frequently queried
       prefetch: yes
       # Prefetch DNSSEC keys to speed up the validation process
       prefetch-key: yes
       # One thread should be sufficient, can be increased on beefy machines
       # It should be unnecessary to seek performance enhancement by increasing num-threads above 1
       num-threads: 1
       # Disable memory slabs for threads
       # This should be a power of two value close to num-threads
       msg-cache-slabs: 1
       rrset-cache-slabs: 1
       infra-cache-slabs: 1
       key-cache-slabs: 1
       # Ensure the kernel buffer is large enough to not lose messages in traffic spikes
       so-rcvbuf: 1m
       # Increase number of TCP buffers
       incoming-num-tcp: 100
       outgoing-num-tcp: 100
       # Use higher port numbers to prevent possible NAT issues on routers
       outgoing-port-avoid: 0-32767
       outgoing-port-permit: 32768-65535
       # Prevent potential DNS loops
       do-not-query-localhost: yes
       # Do not expose server identity
       hide-identity: yes
       hide-version: yes
       # Tweak cache
       cache-min-ttl: 3600
       cache-max-ttl: 86400
       msg-cache-size: 8m
       rrset-cache-size: 16m
       key-cache-size: 8m
       # Print statistics to the log (for every thread) every N seconds
       #statistics-interval: 3600
       # Ensure privacy of local IP ranges (DNS rebinding protection)
       private-address: 127.0.0.0/8
       private-address: 192.168.0.0/16
       private-address: 169.254.0.0/16
       private-address: 172.16.0.0/12
       private-address: 10.0.0.0/8
       private-address: fd00::/8
       private-address: fe80::/10
       # Ensure no reverse queries to non-public IP ranges (RFC6303 4.2)
       private-address: 192.0.2.0/24
       private-address: 198.51.100.0/24
       private-address: 203.0.113.0/24
       private-address: 255.255.255.255/32
       private-address: 2001:db8::/32
       # Accept queries from local IP ranges only, refuse everything else
       access-control: 0.0.0.0/0 refuse
       access-control: 127.0.0.0/8 allow
       access-control: 10.0.0.0/8 allow
       access-control: 172.16.0.0/12 allow
       access-control: 192.168.0.0/16 allow
       access-control: ::0/0 refuse
       access-control: ::1 allow
   # Speed up recursion by having the root zone fetched from file and cached
   auth-zone:
       name: "."
       url: "https://www.internic.net/domain/root.zone"
       fallback-enabled: yes
       for-downstream: no
       for-upstream: yes
       zonefile: "/opt/var/lib/unbound/root.zone"
   ```
3. Create `/opt/var/lib/unbound` and set the correct permissions:

   ```sh
   mkdir -pm 755 /opt/var/lib/unbound
   chown -R nobody:nobody /opt/var/lib/unbound
   ```

   If you wish to use an external root hints file or enable DNSSEC, check the instructions within the config file.
4. Start the Unbound service: `/opt/etc/init.d/S61unbound start`.
5. Modify `/opt/etc/pihole/pihole.toml` (this can also be set through the web interface in Settings -> DNS):

   ```toml
   [dns]
   upstreams = [
     "127.0.0.1#5335"
   ]
   ```
6. Pi-hole should detect the change in the config file and restart itself; if it doesn't, run `/opt/etc/init.d/S65pihole-FTL restart`.