Unbound is a free, open-source, recursive, validating, caching DNS resolver. It supports DNS-over-TLS (and, in releases newer than the 1.9.4 shipped with Ubuntu 20.04, DNS-over-HTTPS) to encrypt traffic between clients and the resolver, although this guide configures plain DNS on port 53 only. Compared to Bind9, Unbound is lightweight and fast, because it is only a resolver and not a general-purpose authoritative server. Because it caches answers, repeated lookups from your clients are served locally instead of being resolved from the root servers each time, which shortens the DNS part of every connection. It also validates DNSSEC signatures against the root trust anchor (the Ubuntu package keeps that anchor in /var/lib/unbound/root.key and refreshes it on each start), so clients behind it get the ad (authenticated data) flag on signed zones and SERVFAIL on forged answers.
In this post, we will show you how to set up an Unbound DNS resolver on Ubuntu 20.04.
Step 1 – Install Required Dependencies
Before starting, you must install some essential DNS tools in your system. You can install all of them using the following commands:
apt-get update -y
apt-get install bind9-utils dnsutils net-tools -y
Next, stop and disable the systemd-resolved stub resolver, which otherwise keeps listening on 127.0.0.53:53 and answering local lookups. Be aware that on Ubuntu 20.04 /etc/resolv.conf is normally a symlink to the systemd-resolved stub file, so once the service is stopped the host has no working nameserver until you point /etc/resolv.conf at Unbound (a single "nameserver 127.0.0.1" line is enough once Unbound is running). apt needs name resolution too, so if a later package install fails to resolve hostnames, this is the reason. Stop and disable the service with the following commands:
systemctl stop systemd-resolved
systemctl disable systemd-resolved
Once all the packages are installed, you can proceed to the next step.
Step 2 – Install and Configure Unbound DNS
The Unbound package is available in the default Ubuntu repositories. You can install it using the following command:
apt-get install unbound -y
After installing Unbound, you will need to configure it. The packaged main configuration file, /etc/unbound/unbound.conf, does little more than include every file in /etc/unbound/unbound.conf.d/, so the recommended approach is to leave it alone and put your settings in a separate drop-in file there:
nano /etc/unbound/unbound.conf.d/myunbound.conf
Add the following lines:
server:
    port: 53
    verbosity: 0
    num-threads: 2
    outgoing-range: 512
    num-queries-per-thread: 1024
    msg-cache-size: 32m
    # Listen on every IPv4 address of the host.
    interface: 0.0.0.0
    rrset-cache-size: 64m
    cache-max-ttl: 86400
    infra-host-ttl: 60
    infra-lame-ttl: 120
    access-control: 127.0.0.0/8 allow
    # WARNING: allows recursive queries from ANY source address, i.e. an open
    # resolver. Replace 0.0.0.0/0 with the networks your clients actually use
    # before this host is reachable from the internet.
    access-control: 0.0.0.0/0 allow
    username: unbound
    directory: "/etc/unbound"
    logfile: "/var/log/unbound.log"
    use-syslog: no
    hide-version: yes
    so-rcvbuf: 4m
    so-sndbuf: 4m
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes

remote-control:
    control-enable: yes
    control-port: 953
    # WARNING: binds the unbound-control port on every interface. For control
    # from the same host only, use 127.0.0.1 instead.
    control-interface: 0.0.0.0
Save and close the file. Two settings in this example deserve attention before you expose the server. access-control: 0.0.0.0/0 allow accepts recursive queries from any source address, which makes the host an open resolver that can be abused for DNS amplification attacks and for probing your cache; restrict it to the networks your clients use, keeping 127.0.0.0/8 for local queries. Likewise control-interface: 0.0.0.0 binds the unbound-control port 953 on every interface; the control channel is protected by TLS client certificates, but for a single host 127.0.0.1 is sufficient. Then validate the new file with the following command (running unbound-checkconf with no argument instead checks the complete merged configuration, including every drop-in):
unbound-checkconf /etc/unbound/unbound.conf.d/myunbound.conf
You should get the following output:
unbound-checkconf: no errors in /etc/unbound/unbound.conf.d/myunbound.conf
Next, create the log file named in the logfile directive and make it writable by the unbound user that the daemon drops to:
touch /var/log/unbound.log
chown unbound:unbound /var/log/unbound.log
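The two hardening points above can be checked mechanically. The following shell script is an added example, not part of the original guide or of the Unbound project. Its audit_unbound_conf function scans the text of an Unbound drop-in file for an access-control rule that allows 0.0.0.0/0 or ::/0, a control-interface that is neither a loopback address nor a unix socket path, and a missing hide-version: yes. The configuration it inspects is a constructed sample embedded in the script that mirrors the example above; to audit a real file, pass its contents as shown in the comment at the end.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit an Unbound drop-in
# configuration for settings that expose the resolver. The config text below
# is a constructed sample, not read from /etc/unbound.

SAMPLE_CONF='server:
    interface: 0.0.0.0
    access-control: 127.0.0.0/8 allow
    # the next line is what turns this host into an open resolver
    access-control: 0.0.0.0/0 allow
    hide-version: yes
remote-control:
    control-enable: yes
    control-port: 953
    control-interface: 0.0.0.0
'

# audit_unbound_conf CONF_TEXT
# Prints one finding per line and returns 1 if anything was found;
# prints nothing and returns 0 when the configuration is clean.
audit_unbound_conf() {
    conf="$1"
    findings=0
    # Drop comments and leading indentation so the patterns match directives only.
    cleaned=$(printf '%s\n' "$conf" | sed -e 's/#.*$//' -e 's/^[[:space:]]*//')

    # 1. An "allow" for the whole IPv4 or IPv6 address space is an open resolver.
    if printf '%s\n' "$cleaned" | grep -Eq '^access-control:[[:space:]]+(0\.0\.0\.0/0|::/0)[[:space:]]+allow'; then
        echo "open-resolver: access-control allows recursive queries from any address"
        findings=1
    fi

    # 2. The remote-control channel should only be reachable from the host itself.
    ctl_if=$(printf '%s\n' "$cleaned" | grep -E '^control-interface:' | awk '{print $2}' | tail -n 1)
    if [ -n "$ctl_if" ]; then
        case "$ctl_if" in
            127.*|::1|/*) ;;   # loopback address or unix socket path: fine
            *) echo "control-exposed: control-interface $ctl_if is reachable from other hosts"
               findings=1 ;;
        esac
    fi

    # 3. version.bind / version.server answers leak the exact Unbound release.
    if ! printf '%s\n' "$cleaned" | grep -Eq '^hide-version:[[:space:]]+yes'; then
        echo "version-leak: hide-version is not set to yes"
        findings=1
    fi

    [ "$findings" -eq 0 ]
}

# Run against the constructed sample; for a real file use
#   audit_unbound_conf "$(cat /etc/unbound/unbound.conf.d/myunbound.conf)"
audit_unbound_conf "$SAMPLE_CONF" || echo "audit found problems (see above)"
```

The audit deliberately works on the text rather than on unbound-checkconf output, because unbound-checkconf only reports syntax errors and accepts an open resolver as a perfectly valid configuration.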
Step 3 – Start Unbound DNS Service
At this point, Unbound is installed and configured. Now restart the Unbound service so it picks up the new drop-in file, and enable it to start at boot:
systemctl restart unbound
systemctl enable unbound
You can also verify the status of Unbound with the following command:
systemctl status unbound
Sample output:
● unbound.service - Unbound DNS server
     Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2021-08-15 06:30:33 UTC; 7s ago
       Docs: man:unbound(8)
    Process: 2788 ExecStartPre=/usr/lib/unbound/package-helper chroot_setup (code=exited, status=0/SUCCESS)
    Process: 2791 ExecStartPre=/usr/lib/unbound/package-helper root_trust_anchor_update (code=exited, status=0/SUCCESS)
   Main PID: 2804 (unbound)
      Tasks: 2 (limit: 2353)
     Memory: 4.8M
     CGroup: /system.slice/unbound.service
             └─2804 /usr/sbin/unbound -d

Aug 15 06:30:32 ubuntu2004 systemd[1]: Starting Unbound DNS server...
Aug 15 06:30:33 ubuntu2004 package-helper[2796]: /var/lib/unbound/root.key has content
Aug 15 06:30:33 ubuntu2004 package-helper[2796]: success: the anchor is ok
Aug 15 06:30:33 ubuntu2004 systemd[1]: Started Unbound DNS server.
The "root_trust_anchor_update" step and the "anchor is ok" message show that the DNSSEC trust anchor was checked before the daemon started. At this point, the Unbound service is running and listening on port 53 (UDP and TCP) plus the control port 953. You can check the TCP listeners with the following command:
ss -antpl | grep 53
Sample output:
LISTEN 0      256           0.0.0.0:53        0.0.0.0:*    users:(("unbound",pid=3407,fd=6))
LISTEN 0      256           0.0.0.0:53        0.0.0.0:*    users:(("unbound",pid=3407,fd=4))
LISTEN 0      4096     127.0.0.53%lo:53       0.0.0.0:*    users:(("systemd-resolve",pid=356,fd=13))
LISTEN 0      256           0.0.0.0:953       0.0.0.0:*    users:(("unbound",pid=3407,fd=7))
If, as in this output, a systemd-resolve line on 127.0.0.53 still appears, the stub resolver from Step 1 is still running; rerun the systemctl stop command, otherwise local lookups through /etc/resolv.conf may keep going to it instead of to Unbound.
Step 4 – Test Unbound DNS
Now use the dig command to perform some DNS queries against the new resolver.
We will use ubuntu.com for testing:
dig ubuntu.com @localhost
Sample output:
; <<>> DiG 9.16.1-Ubuntu <<>> ubuntu.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6037
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ubuntu.com.                    IN      A

;; ANSWER SECTION:
ubuntu.com.             60      IN      A       91.189.88.181
ubuntu.com.             60      IN      A       91.189.88.180

;; Query time: 307 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Aug 15 06:32:18 UTC 2021
;; MSG SIZE  rcvd: 71
The first query took 307 msec because Unbound had to recurse from the root servers down to the ubuntu.com authoritative servers. The two A records are now in the cache with their full TTL of 60 seconds.
Next, let’s rerun the same query:
dig ubuntu.com @localhost
Sample output:
; <<>> DiG 9.16.1-Ubuntu <<>> ubuntu.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37832
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ubuntu.com.                    IN      A

;; ANSWER SECTION:
ubuntu.com.             49      IN      A       91.189.88.180
ubuntu.com.             49      IN      A       91.189.88.181

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Aug 15 06:33:36 UTC 2021
;; MSG SIZE  rcvd: 71
This time the query time is 0 msec because the answer came straight from Unbound's cache. The TTL has counted down from 60 to 49 seconds, which is the reliable sign that the records were served from cache rather than fetched again; once it reaches zero, the next query will recurse again.
You can also test the Unbound DNS server from a client machine. In this case, you will need to specify your Unbound server's IP address in the query:
dig ubuntu.com @69.87.221.220
Sample output:
; <<>> DiG 9.9.5-3ubuntu0.4-Ubuntu <<>> ubuntu.com @69.87.221.220
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 28051
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; Query time: 365 msec
;; SERVER: 69.87.221.220#53(69.87.221.220)
;; WHEN: Sun Aug 15 12:04:37 IST 2021
;; MSG SIZE  rcvd: 12
Note that this response is not a successful lookup: status REFUSED together with "recursion requested but not available" means the server answered but rejected the query. That is what Unbound returns to a client whose source address is not covered by an access-control allow rule, so if you see it from a client you intended to serve, add that client's network to access-control and reload. A successful remote query looks like the local ones above, with status NOERROR and an ANSWER section.
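The checks made by eye above (is the answer a cache hit, was the query refused) can be scripted so that they can run from a monitoring job or a post-install smoke test. The shell functions below are an added example, not part of the original guide; they parse the text that dig prints, extract the status, the query time and the lowest TTL in the ANSWER section, and decide whether a second query was served from cache. The three responses they are run on are constructed samples modelled on the outputs above, so the script runs offline; the trailing comment shows how to feed it a live dig run.

```shell
#!/bin/sh
# Added example (not from the original tutorial): classify dig responses and
# detect cache hits. The responses below are constructed samples.

FIRST_RESPONSE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6037
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;ubuntu.com.                    IN      A
;; ANSWER SECTION:
ubuntu.com.             60      IN      A       91.189.88.181
ubuntu.com.             60      IN      A       91.189.88.180
;; Query time: 307 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)'

SECOND_RESPONSE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37832
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;ubuntu.com.                    IN      A
;; ANSWER SECTION:
ubuntu.com.             49      IN      A       91.189.88.180
ubuntu.com.             49      IN      A       91.189.88.181
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)'

REFUSED_RESPONSE=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 28051
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; Query time: 365 msec
;; SERVER: 69.87.221.220#53(69.87.221.220)'

# dig_status OUTPUT: the RCODE from the ;; ->>HEADER<<- line (NOERROR, REFUSED, ...)
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# dig_qtime_ms OUTPUT: the value of the ";; Query time:" line in milliseconds
dig_qtime_ms() {
    printf '%s\n' "$1" | sed -n 's/^;; Query time: \([0-9]*\) msec.*/\1/p' | head -n 1
}

# dig_min_ttl OUTPUT: lowest TTL in the ANSWER section, empty if there is none
dig_min_ttl() {
    printf '%s\n' "$1" | awk '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;;/                 { in_answer = 0 }
        in_answer && NF >= 4  { if (min == "" || $2 < min) min = $2 }
        END                   { print min }'
}

# classify_response OUTPUT: one human-readable line describing the response
classify_response() {
    status=$(dig_status "$1")
    case "$status" in
        REFUSED)  echo "refused: the resolver rejected the query (check access-control for this client's network)" ;;
        SERVFAIL) echo "servfail: resolution failed upstream or DNSSEC validation failed" ;;
        NXDOMAIN) echo "nxdomain: the name does not exist" ;;
        NOERROR)  echo "answer ttl=$(dig_min_ttl "$1") qtime=$(dig_qtime_ms "$1")ms" ;;
        *)        echo "unknown status '$status'" ;;
    esac
}

# served_from_cache FIRST SECOND: returns 0 when SECOND looks like a cache hit
# relative to FIRST: both NOERROR, remaining TTL went down, near-zero query time.
served_from_cache() {
    if [ "$(dig_status "$1")" != NOERROR ] || [ "$(dig_status "$2")" != NOERROR ]; then
        return 1
    fi
    t1=$(dig_min_ttl "$1")
    t2=$(dig_min_ttl "$2")
    q2=$(dig_qtime_ms "$2")
    if [ -n "$t1" ] && [ -n "$t2" ] && [ -n "$q2" ] && [ "$t2" -lt "$t1" ] && [ "$q2" -le 5 ]; then
        return 0
    fi
    return 1
}

classify_response "$FIRST_RESPONSE"
classify_response "$REFUSED_RESPONSE"
if served_from_cache "$FIRST_RESPONSE" "$SECOND_RESPONSE"; then
    echo "second query was served from cache"
fi
# Against a live server, run the same functions on real output, e.g.
#   classify_response "$(dig ubuntu.com @127.0.0.1)"
```

The TTL comparison matters more than the query time: a resolver on a fast link can answer an uncached query in a few milliseconds, but only a cached answer carries a TTL that is lower than the one the authoritative server sent.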
Step 5 – Troubleshooting Unbound
unbound-control talks to the daemon over the control port configured in the remote-control section (the Ubuntu package generates the TLS keys for it at install time). To check the status of the running Unbound, run the following command:
unbound-control status
Sample output:
version: 1.9.4
verbosity: 0
threads: 2
modules: 3 [ subnet validator iterator ]
uptime: 65 seconds
options: reuseport control(ssl)
unbound (pid 3407) is running...
The validator module in that list is what performs DNSSEC validation. If you want to dump the contents of the cache to a text file (for inspection, or to load it back after a restart with unbound-control load_cache < cache.txt), run the following command:
unbound-control dump_cache > cache.txt
You can verify the cache.txt file with the following command:
cat cache.txt
Sample output:
START_RRSET_CACHE
END_RRSET_CACHE
START_MSG_CACHE
END_MSG_CACHE
EOF
The cache shown here is empty, as it would be right after a restart; after the dig queries from Step 4 you would see the ubuntu.com records listed between START_RRSET_CACHE and END_RRSET_CACHE.
If clients keep receiving a stale or wrong answer for a name (for example after a record was changed at its authoritative server but the old value is still within its TTL), you can flush that name from the cache instead of restarting Unbound:
unbound-control flush ubuntu.com
This removes the cached records of the common types (A, AAAA, NS, SOA, CNAME, MX, TXT and so on) for exactly that name; use unbound-control flush_zone ubuntu.com to remove everything at and below the name.
Conclusion
In the above guide, we explained how to install and use an Unbound caching DNS resolver on Ubuntu 20.04, how to keep it from becoming an open resolver, and how to test it with the dig command. Try it out on your VPS from Atlantic.Net today!