To configure Unbound on Debian or Ubuntu, you can follow these steps:
Open the Unbound configuration file using a text editor. The configuration file is located at /etc/unbound/unbound.conf.
sudo nano /etc/unbound/unbound.conf
Make any necessary changes to the configuration file. The configuration file is well-documented and contains numerous comments to help you understand its contents. Here are a few common configuration options you may want to consider:
interface: This option specifies the network interface Unbound should listen on. By default, Unbound listens on all available network interfaces. If you want to restrict Unbound to a specific network interface, you can specify its IP address here.
access-control: This option specifies the IP addresses or networks that are allowed to query Unbound. By default, Unbound allows queries from any IP address. You can use this option to restrict queries to specific IP addresses or networks.
forward-zone: This option specifies the DNS servers that Unbound should forward queries to if it cannot find the answer locally. You can specify one or more forward zones here.
cache-max-ttl: This option specifies the maximum time-to-live (TTL) for cached DNS records. By default, Unbound caches records for up to 86400 seconds (one day). You can adjust this value to suit your needs.
Save the configuration file and exit the text editor.
Restart the Unbound service to apply the new configuration.
sudo systemctl restart unbound
That’s it! Your Unbound configuration is now updated and the service is running with the new configuration.
QNAME minimization is enabled by default in modern Unbound versions. It reduces the amount of information sent to upstream nameservers by sending only the minimum label count needed to resolve each delegation step. If a server does not respond to a minimized query, Unbound falls back to sending the full QNAME (best-effort fallback).
You can explicitly enable or adjust it in unbound.conf:
qname-minimisation: yes
qname-minimisation-strict: no
Setting qname-minimisation-strict: yes disables the fallback and strictly minimizes, which may cause resolution failures for non-compliant nameservers.
Unbound supports DNS-over-QUIC (DoQ), providing encrypted DNS transport over QUIC (UDP-based). This offers an alternative to DNS-over-TLS (DoT) with improved performance characteristics in lossy networks. Configure DoQ in unbound.conf:
# Listen for DoQ queries on the standard DoQ port
# DoQ reuses the resolver's TLS certificate, so tls-service-key and
# tls-service-pem must also be set in the server: clause
quic-port: 853
quic-port-control: 853
DoQ can be combined with DoT for defense-in-depth on upstream forwarding.
Unbound supports the DNSSEC Aggressive NSEC cache feature, which reduces resolver load and improves response times for NXDOMAIN and NODATA responses. By caching NSEC/NSEC3 proof records aggressively, Unbound can answer negative queries from cache without re-querying upstream nameservers. This is particularly useful in environments with high volumes of non-existent domain lookups (e.g., typo domains, malware DGA patterns).
Enable it in unbound.conf:
aggressive-nsec: yes
Unbound can serve stale cache data while refreshing in the background, improving resilience during upstream outages. This behavior follows RFC 8767 (Serve Stale). Configure with:
serve-expired: yes
# How long (seconds) an expired record may still be served; here one day
serve-expired-ttl: 86400
# yes/no option: after a failed upstream refresh, reset the record's TTL to
# serve-expired-ttl so it keeps being served while clients keep asking for it
serve-expired-ttl-reset: yes
Unbound supports the PROXYv2 protocol, enabling it to receive original client IP addresses when deployed behind a reverse proxy or load balancer. This is essential for accurate logging and access control in proxied deployments.
# Process PROXYv2 headers on this listening port (Unbound 1.17.0 or later)
proxy-protocol-port: 53
# Ensure your load balancer is configured to send PROXYv2 headers on that port;
# logging and access-control then see the original client address from the header
To restrict Unbound to a VPN interface and forward all queries to the VPN's DNS server, you can follow the steps below:
Configure Unbound to listen only on the VPN client interface by editing the unbound.conf file
sudo nano /etc/unbound/unbound.conf
Add the following line to the top of the file, inside the server: clause
interface: <VPN client interface IP address>
Replace <VPN client interface IP address> with the IP address of the VPN client interface. You can find the IP address by running the command ip addr.
Add a forward-zone to the unbound.conf file so that every query is forwarded to the VPN server
forward-zone:
    name: "."
    forward-addr: <VPN server IP address>
Replace <VPN server IP address> with the IP address of the VPN server.
Start the Unbound service (use restart instead if it is already running)
sudo systemctl start unbound
Test the resolver with dig
dig @localhost example.com
Replace example.com with the domain name you want to query.
If the DNS server is working correctly, you should see the DNS response from the VPN server.
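As an added example that is not part of the original article, the following Python linter parses the key: value syntax used in the unbound.conf fragments above and reports the weak settings discussed on this page: a wildcard interface combined with an access-control that allows everyone (an open resolver), qname-minimisation switched off, a non-boolean serve-expired-ttl-reset, and a forward-zone that forwards in cleartext. The embedded configuration and its 192.0.2.53 upstream are constructed sample input.

```python
import re
from collections import defaultdict
# Constructed unbound.conf fragment (not from the article) that combines the options
# discussed above, with four deliberate weaknesses for the linter to report.
SAMPLE_CONF = """\
server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow
    qname-minimisation: no
    serve-expired: yes
    serve-expired-ttl: 86400
    serve-expired-ttl-reset: 3600
forward-zone:
    name: "."
    forward-addr: 192.0.2.53   # placeholder upstream (TEST-NET-1 documentation range)
"""

def parse_unbound_conf(text):
    """Parse the 'key: value' syntax into [(clause_name, {key: [values]}), ...]."""
    clauses, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        key, _, value = (s.strip() for s in line.partition(":"))
        if value == "":                          # a bare 'server:' style clause header
            current = (key, defaultdict(list))
            clauses.append(current)
        elif current is not None:                # option belongs to the open clause
            current[1][key].append(value)
    return clauses

def lint_unbound_conf(text):
    """Return a list of findings; an empty list means nothing suspicious was found."""
    findings = []
    for clause, opts in parse_unbound_conf(text):
        if clause == "server":
            wildcard = any(v in ("0.0.0.0", "::") for v in opts["interface"])
            open_acl = any(re.match(r"(0\.0\.0\.0/0|::/0)\s+allow", v) for v in opts["access-control"])
            if wildcard and open_acl:
                findings.append("open resolver: wildcard interface plus access-control allowing everyone")
            if "no" in opts["qname-minimisation"]:
                findings.append("qname-minimisation disabled: full query names are sent to every upstream")
            for v in opts["serve-expired-ttl-reset"]:
                if v not in ("yes", "no"):
                    findings.append(f"serve-expired-ttl-reset takes yes/no, not {v!r}")
        elif clause == "forward-zone" and opts["forward-addr"]:
            if "yes" not in opts["forward-tls-upstream"]:
                findings.append(f"forward-zone {opts['name'][0]}: cleartext forwarding; set forward-tls-upstream: yes")
    return findings
```

Running lint_unbound_conf over a real unbound.conf is a quick pre-check, but unbound-checkconf remains the authoritative syntax check before restarting the service.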