Unbound is a validating, recursive, and caching DNS resolver that performs DNSSEC validation locally and answers queries without relying on third-party resolvers. This guide deploys Unbound using Docker Compose after freeing the system's port 53, with access controls that restrict who can query the resolver. By the end, you'll have a validating DNS resolver answering queries from approved clients on your server.
Free Port 53
Ubuntu's systemd-resolved binds port 53 by default. Release it before deploying.
1. Stop and disable systemd-resolved:
$ sudo systemctl stop systemd-resolved
$ sudo systemctl disable systemd-resolved
2. Replace the resolver configuration:
$ sudo rm /etc/resolv.conf
$ echo "nameserver 1.1.1.1" | sudo tee /etc/resolv.conf
Set Up the Directory Structure and Configuration
1. Create the project directory:
$ mkdir -p ~/unbound
$ cd ~/unbound
2. Create the Unbound configuration file:
$ nano unbound.conf
server:
    interface: 0.0.0.0
    interface: ::0
    port: 53
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.0.0/16 allow
    access-control: 172.16.0.0/12 allow
    access-control: 10.0.0.0/8 allow
    access-control: YOUR_CLIENT_IP/32 allow
    access-control: 0.0.0.0/0 refuse
    hide-identity: yes
    hide-version: yes
    use-caps-for-id: yes
    prefetch: yes
    num-threads: 2
    msg-cache-slabs: 4
    rrset-cache-slabs: 4
    infra-cache-slabs: 4
    key-cache-slabs: 4
    rrset-cache-size: 100m
    msg-cache-size: 50m
    so-rcvbuf: 1m

remote-control:
    control-enable: no
Replace YOUR_CLIENT_IP/32 with the IP allowed to query the resolver.
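The access-control lines decide who may use this resolver, so it is worth checking them before exposing port 53. The following Python example is added here and is not part of the guide or of Unbound: it parses the access-control lines from the configuration above and applies the rule documented for unbound.conf, that the most specific matching netblock wins and an unmatched address is refused. The client address 203.0.113.10 standing in for YOUR_CLIENT_IP and the addresses tested are constructed sample values.

```python
"""Evaluate which Unbound access-control action applies to a client.

Added example (not from the guide or Unbound). Parses the access-control:
lines of an unbound.conf text and applies the rule from the unbound.conf
man page: the most specific matching netblock wins; no match means refuse.
"""
import ipaddress
import re

# Constructed sample: the guide's server clause, with YOUR_CLIENT_IP set
# to the documentation address 203.0.113.10.
SAMPLE_CONF = """
server:
    interface: 0.0.0.0
    interface: ::0
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.0.0/16 allow
    access-control: 172.16.0.0/12 allow
    access-control: 10.0.0.0/8 allow
    access-control: 203.0.113.10/32 allow
    access-control: 0.0.0.0/0 refuse
"""

_ACL_RE = re.compile(r"^\s*access-control:\s*(\S+)\s+(\S+)", re.MULTILINE)

def parse_access_control(conf_text):
    """Return (network, action) pairs in file order."""
    return [(ipaddress.ip_network(net, strict=False), action)
            for net, action in _ACL_RE.findall(conf_text)]

def decide(acl, client_ip):
    """Longest-prefix match over acl; Unbound refuses when nothing matches."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for net, action in acl:
        # `addr in net` is False across IPv4/IPv6, so a v6 client never
        # matches 0.0.0.0/0 and falls through to the refuse default.
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return best[1] if best else "refuse"

def allows_everyone(acl):
    """True if a catch-all (/0) netblock allows queries: an open resolver."""
    return any(net.prefixlen == 0 and action == "allow" for net, action in acl)

if __name__ == "__main__":
    acl = parse_access_control(SAMPLE_CONF)
    for ip in ("192.168.1.20", "203.0.113.10", "203.0.113.11", "2001:db8::1"):
        print(f"{ip:>16} -> {decide(acl, ip)}")
    print("open resolver:", allows_everyone(acl))
```

Note that the sample binds `::0` but lists no IPv6 netblocks, so IPv6 clients are refused; add an explicit IPv6 allow entry if they should be served.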
Deploy with Docker Compose
1. Create the Docker Compose manifest:
$ nano docker-compose.yml
services:
  unbound:
    image: mvance/unbound:latest
    container_name: unbound
    restart: unless-stopped
    environment:
      TZ: UTC
    ports:
      - "53:53/tcp"
      - "53:53/udp"
    volumes:
      - ./unbound.conf:/opt/unbound/etc/unbound/unbound.conf:ro
2. Start the service:
$ docker compose up -d
3. Verify the service is running:
$ docker compose ps
Test Resolution
From an allowed client, query the resolver:
$ dig @SERVER_IP vultr.com
A valid answer section confirms Unbound is resolving queries.
Next Steps
Unbound is running with DNSSEC validation and tight access controls. From here you can:
- Point your network's clients at the resolver to gain DNSSEC validation
- Tune cache sizes and thread counts for your traffic volume
- Layer block lists into unbound.conf to filter ads and malicious domains
For the full guide with additional tips, visit the original article on Vultr Docs.