Setting up Unbound from scratch

Tested on Ubuntu xenial/artful and Slackware 14.2


Build the latest version. libevent is useful when running with 1000+ outgoing ports.

sha256sum unbound-1.9.3.tar.gz
tar xzf unbound-1.9.3.tar.gz
cd unbound-1.9.3/
./configure --with-libevent
nice make -j5
make install

Create a system user for Unbound to drop its privileges to,

useradd --system -d /usr/local/etc/unbound -s /sbin/nologin unbound
grep unbound /etc/passwd
grep unbound /etc/group

unbound-control normally needs a set of key pairs; here a named pipe is used instead, so key generation is skipped

#ls -lF /usr/local/etc/unbound/unbound*.{key,pem}

ls -lF /var/unbound.control.pipe
mkfifo /var/unbound.control.pipe

Once the daemon has started, you will notice it updates the permissions as follows:

srw-rw---- 1 unbound unbound 0 Oct  2 12:53 /var/unbound.control.pipe=


Check how many cores you have got,

grep ^processor /proc/cpuinfo

Set up the caching name server,

ln -s /usr/local/etc/unbound/unbound.conf
cd /usr/local/etc/unbound/

Get the valid root hints (saved as named.cache, which root-hints: points to below)


Also get the root trust anchor

mkdir /var/unbound/
unbound-anchor -a /var/unbound/root.key
chown -R unbound:unbound /var/unbound/

Then proceed with the setup (remove the authoritative zone part if you do not need it)

mv -i unbound.conf unbound.conf.dist
grep -Ev '^[[:space:]]*(#|$)' unbound.conf.dist > unbound.conf
vi unbound.conf

server:
        verbosity: 1
        #verbosity: 3
        num-threads: HOW_MANY_CORES
        #interface: ::0
        access-control: allow
        #access-control: ::/0 allow
        pidfile: "/var/run/"
        root-hints: "/usr/local/etc/unbound/named.cache"
        hide-identity: yes
        hide-version: yes
        #rrset-roundrobin: yes
        qname-minimisation: yes
        #chroot path
        auto-trust-anchor-file: "/var/unbound/root.key"
        do-not-query-localhost: no

        domain-insecure: "example.local"
        domain-insecure: ""
        #local-zone: "example.local" transparent
        #local-zone: "" transparent

remote-control:
        control-enable: yes
        control-interface: /var/unbound.control.pipe

stub-zone:
        name: "example.local"
        stub-addr: ::1@5353

stub-zone:
        name: ""
        stub-addr: ::1@5353
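The howto leaves num-threads: as the HOW_MANY_CORES placeholder to be filled from the processor count. The following is an added example, not part of the original page: it counts the processor lines the way the grep above does, renders the placeholder, and refuses a config that still carries it. The function names and the sample cpuinfo and config text are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original howto). Fills the HOW_MANY_CORES
# placeholder in unbound.conf from the processor count. All names below are
# constructed for this example.

# Count "processor" lines in cpuinfo text read on stdin.
# Falls back to 1 so we never emit "num-threads: 0" (unbound rejects 0).
count_cores() {
    n=$(grep -c '^processor' || true)
    [ "$n" -gt 0 ] || n=1
    echo "$n"
}

# Render a config template read on stdin, replacing HOW_MANY_CORES with $1.
render_threads() {
    sed "s/HOW_MANY_CORES/$1/"
}

# Succeed only if no placeholder is left in the rendered config on stdin.
check_rendered() {
    ! grep -q 'HOW_MANY_CORES'
}

# Constructed sample input: a 4-core /proc/cpuinfo excerpt and a config stub.
SAMPLE_CPUINFO='processor : 0
vendor_id : GenuineIntel
processor : 1
processor : 2
processor : 3'

SAMPLE_CONF='server:
        verbosity: 1
        num-threads: HOW_MANY_CORES'

# Stand-alone run: render the sample and validate it.
cores=$(printf '%s\n' "$SAMPLE_CPUINFO" | count_cores)
rendered=$(printf '%s\n' "$SAMPLE_CONF" | render_threads "$cores")
printf '%s\n' "$rendered"
printf '%s\n' "$rendered" | check_rendered && echo "config rendered with $cores threads"
```

On a live box the same functions read the real files: `cores=$(count_cores < /proc/cpuinfo)` and `render_threads "$cores" < unbound.conf.template > unbound.conf`, followed by unbound-checkconf as in the rc.local fragment further down.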


Start and enable

tail -n0 -F /var/log/*
vi /etc/rc.local

#partly self verbose
/usr/local/sbin/unbound-checkconf /usr/local/etc/unbound/unbound.conf
/usr/bin/mkfifo /var/unbound.control.pipe
/usr/local/sbin/unbound-control start && echo Unbound started

Status (the daemon should be running as the unbound user)

unbound-control status
#unbound-control stats_noreset
netstat -lntup | grep -E ':53[[:space:]]'
ps auxww | grep unbound


root         8  0.0  0.0      0     0 ?        I    15:42   0:00 [kworker/u8:0-events_unbound]
root       268  0.0  0.0      0     0 ?        I    15:42   0:00 [kworker/u8:6-events_unbound]
root      1256  0.0  0.0      0     0 ?        I    15:48   0:00 [kworker/u8:1-events_unbound]
unbound   1258  2.0  0.1 258328 17568 ?        Ssl  15:48   0:00 unbound -c /usr/local/etc/unbound/unbound.conf
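The three status checks above (daemon user, port 53 listener, control socket permissions) are done by eye in the howto. As an added example that is not part of the original page, the shell functions below read the output of ps auxww, netstat -lntup and ls -lF on stdin and return a pass/fail exit status, so they can be piped from the live commands or, as here, fed captured samples. The ps and ls sample lines are the ones shown on this page; the netstat lines and the failing variants are constructed, and all function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original howto): post-start sanity checks for
# Unbound. Every function reads command output on stdin. Function names and
# the "bad" samples are constructed for this example.

# Print the user owning the real unbound daemon. Kernel kworker threads whose
# name merely contains "unbound" are skipped by matching the COMMAND column
# ($11 in ps auxww output) exactly or as a path ending in /unbound.
unbound_daemon_user() {
    awk '$11 == "unbound" || $11 ~ /\/unbound$/ { print $1; exit }'
}

# Succeed only if the daemon dropped privileges to the unbound user.
check_daemon_user() {
    [ "$(unbound_daemon_user)" = "unbound" ]
}

# Succeed only if a socket on port 53 (local address column $4) belongs to
# an unbound process (PID/Program column).
check_port53() {
    awk '$4 ~ /:53$/ && $NF ~ /\/unbound$/ { n++ } END { exit n > 0 ? 0 : 1 }'
}

# Succeed only if the control socket line from `ls -lF` shows a socket
# (type s, trailing =), rw for owner and group only, owned by unbound:unbound.
check_control_socket() {
    awk '$1 ~ /^srw-rw----/ && $3 == "unbound" && $4 == "unbound" && $NF ~ /=$/ { ok = 1 }
         END { exit ok ? 0 : 1 }'
}

# Samples: the ps and ls lines are from this page, the rest are constructed.
SAMPLE_PS='root         8  0.0  0.0      0     0 ?        I    15:42   0:00 [kworker/u8:0-events_unbound]
unbound   1258  2.0  0.1 258328 17568 ?        Ssl  15:48   0:00 unbound -c /usr/local/etc/unbound/unbound.conf'
SAMPLE_PS_ROOT='root      1258  2.0  0.1 258328 17568 ?        Ssl  15:48   0:00 unbound -c /usr/local/etc/unbound/unbound.conf'
SAMPLE_NETSTAT='tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      1258/unbound
udp        0      0 127.0.0.1:53            0.0.0.0:*                           1258/unbound'
SAMPLE_LS='srw-rw---- 1 unbound unbound 0 Oct  2 12:53 /var/unbound.control.pipe='
SAMPLE_LS_BAD='srw-rw-rw- 1 root root 0 Oct  2 12:53 /var/unbound.control.pipe='

# Stand-alone run over the samples.
if printf '%s\n' "$SAMPLE_PS" | check_daemon_user; then echo "daemon runs as unbound"; else echo "daemon NOT running as unbound"; fi
if printf '%s\n' "$SAMPLE_NETSTAT" | check_port53; then echo "unbound listens on 53"; else echo "nothing on 53"; fi
if printf '%s\n' "$SAMPLE_LS" | check_control_socket; then echo "control socket ok"; else echo "control socket perms wrong"; fi
```

Live usage is `ps auxww | check_daemon_user`, `netstat -lntup | check_port53` and `ls -lF /var/unbound.control.pipe | check_control_socket`; a world-writable control socket would let any local user drive unbound-control, which is why the permission check is strict.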


unbound-control reload

Analyze the cache

unbound-control dump_cache > cache.dump
less cache.dump

Flush the cache against a specific zone

unbound-control flush_zone example.local

Flush the overall cache,

unbound-control reload


Testing local-zone,

host localhost localhost
host localhost

Testing cached public zone,

host localhost
host localhost

Testing cached stub-zone,

host example.local localhost
host pxe.example.local localhost
host INTERNAL_IP localhost


Ubuntu: make sure none of dnsmasq, resolvconf, the systemd-resolved unit or NetworkManager are installed. If they are, disable or remove them.

apt install libevent-dev libexpat1-dev

ls -lF /var/lib/unbound/root.key #does not exist yet

mkdir trash/
mv unbound.conf unbound.conf.d/ trash/

#systemctl restart unbound


Slackware: check that libevent is installed,

cat /var/log/packages/libevent*


If Unbound service is listening but refusing to answer queries, fix access-control: as shown in the example above.

With verbosity 3, if you get,

configured stub servers failed -- returning SERVFAIL

==> check do-not-query-localhost

Also against a stub zone, if you get,

info: query response was nodata ANSWER

==> if it is not signed, domain-insecure helps.
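The two log signatures above each point at one configuration knob. As an added example that is not part of the original page, the function below reads Unbound log lines (verbosity 3) on stdin and prints the hint from the troubleshooting notes for each signature it finds; the patterns are the two messages quoted on this page, while the sample log lines and function names are constructed.

```shell
#!/bin/sh
# Added example (not from the original howto): map known Unbound log
# signatures to the configuration option to check. The patterns are the two
# messages quoted in the troubleshooting notes; everything else is constructed.

# Read log lines on stdin; print one hint line per signature found, in a
# fixed order, and nothing when no known signature matches.
triage_unbound_log() {
    awk '
        /configured stub servers failed -- returning SERVFAIL/ { stub = 1 }
        /query response was nodata ANSWER/                     { nodata = 1 }
        END {
            if (stub)   print "do-not-query-localhost: stub servers on localhost are being skipped, set it to no"
            if (nodata) print "domain-insecure: nodata from a stub zone, if the zone is unsigned add domain-insecure for it"
        }'
}

# Number of distinct signatures found (0, 1 or 2), for use in scripts.
triage_count() {
    triage_unbound_log | awk 'END { print NR }'
}

# Constructed sample log, in Unbound's "[time] unbound[pid:tid] level: msg" format.
SAMPLE_LOG='[1570000000] unbound[1258:0] info: resolving example.local. A IN
[1570000000] unbound[1258:0] info: configured stub servers failed -- returning SERVFAIL
[1570000000] unbound[1258:0] info: query response was nodata ANSWER'

# Stand-alone run over the sample.
printf '%s\n' "$SAMPLE_LOG" | triage_unbound_log
echo "signatures found: $(printf '%s\n' "$SAMPLE_LOG" | triage_count)"
```

Live usage is `triage_unbound_log < /var/log/syslog` (or wherever unbound logs on the box); with the default verbosity 1 these info lines are not written, so raise verbosity as the notes say before relying on it.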


unbound.conf - Unbound configuration file.

unbound-anchor - Unbound anchor utility.

Howto enable DNSSEC


unbound/doc/ old

[Unbound-users] reverse lookup stub zone

Unbound DNS Server Cache Control


Root Files

