Install unbound with your package manager. I use
aptso in my case I
sudo apt install unboundand it is installed, it depends on your system which package manager you have.
Create and edit
vimbut you can use whichever text editor you prefer. In my case I do
sudo vim /etc/unbound/unbound.conf
Once you are in your terminal and ready to input into the config file, insert the following. Only enable IPv6 if it is native to your network, 6to4 tunneling is not native IPv6. Also you need to set
num-threads:to the number of threads for your machine! default is one, in my config I have 4.
server: interface: 127.0.0.1 port: 5335 do-ip6: no do-ip4: yes do-udp: yes do-tcp: yes # Set number of threads to use num-threads: 4 # Hide DNS Server info hide-identity: yes hide-version: yes # Limit DNS Fraud and use DNSSEC harden-glue: yes harden-dnssec-stripped: yes harden-referral-path: yes use-caps-for-id: yes harden-algo-downgrade: yes qname-minimisation: yes aggressive-nsec: yes rrset-roundrobin: yes auto-trust-anchor-file: "/var/lib/unbound/root.key" # Minimum lifetime of cache entries in seconds cache-min-ttl: 300 # Configure TTL of Cache cache-max-ttl: 14400 # Optimizations msg-cache-slabs: 8 rrset-cache-slabs: 8 infra-cache-slabs: 8 key-cache-slabs: 8 serve-expired: yes serve-expired-ttl: 3600 edns-buffer-size: 1232 prefetch: yes prefetch-key: yes target-fetch-policy: "3 2 1 1 1" unwanted-reply-threshold: 10000000 # Set cache size rrset-cache-size: 256m msg-cache-size: 128m # increase buffer size so that no messages are lost in traffic spikes so-rcvbuf: 1m private-address: 192.168.0.0/16 private-address: 169.254.0.0/16 private-address: 172.16.0.0/12 private-address: 10.0.0.0/8 private-address: fd00::/8 private-address: fe80::/10
- Restart unbound with
sudo systemctl restart unboundit is now listening on the specified port and doing what the config says.
Telling AdGuard Home to use Unbound
Go into your AdGuard Home admin panel and go to Settings -> DNS settings
In the Upstream DNS servers box you now put
Telling Pi-hole to use Unbound
- Go into Settings and Upstream DNS settings, uncheck every DNS box and check one custom IPv4 address, input
- You should enable DNSSEC in Pi-hole or AdGuard Home, whichever you're using. This way you can see in the query log the DNSSEC replies you're getting on resolved domains.
AdGuard & Pi-hole Discord: https://discord.gg/VzThBmB