Unbound is a recursive resolver. Security depends on strict client ACLs, DNSSEC validation, and encrypted transport where required.
- Limit recursive access with access-control ACL entries.
- Bind interfaces explicitly and avoid wildcard exposure.
- Disable open recursion on public interfaces.
Validation and Privacy
- Enable DNSSEC validation.
- Use DNS-over-TLS upstream forwarding where policy requires encryption.
- Configure QNAME minimization and hardening options.
- Restrict unbound-control to local or mgmt-only channels.
- Protect control certificates and keys.
- Disable control interface if not needed.
- Set sensible cache and rate settings.
- Enable response rate limiting when exposed to large client pools.
- Monitor for amplification-abuse indicators.
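A hardened unbound.conf fragment that applies the checklist above, added here as an example and not taken from the Unbound project's own documentation; the interface and client addresses, file paths and the upstream DNS-over-TLS resolver are constructed placeholders.

```conf
# Added example: hardened unbound.conf covering the checklist above.
# Addresses, paths and the upstream TLS resolver are constructed placeholders.
server:
    # Bind explicitly; no 0.0.0.0 wildcard on a multi-homed host.
    interface: 10.0.0.53
    interface: 127.0.0.1
    # Recursion only for the internal range; everything else gets REFUSED.
    access-control: 10.0.0.0/8 allow
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # DNSSEC validation with an RFC 5011 managed trust anchor; bogus
    # answers yield SERVFAIL instead of being passed through.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-permissive-mode: no
    harden-dnssec-stripped: yes
    harden-algo-downgrade: yes
    harden-glue: yes
    harden-below-nxdomain: yes
    harden-referral-path: yes
    harden-large-queries: yes
    qname-minimisation: yes
    hide-identity: yes
    hide-version: yes
    # CA bundle used to verify the upstream DoT certificate.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

    # Cache bounds plus per-zone and per-client-IP rate limits.
    cache-max-ttl: 86400
    msg-cache-size: 64m
    rrset-cache-size: 128m
    ratelimit: 1000
    ip-ratelimit: 100
    extended-statistics: yes   # exposes rate-limit/drop counters for monitoring

# Encrypted upstream forwarding (DNS-over-TLS); the #name after the
# address is the hostname checked against the upstream certificate.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 198.51.100.1@853#dot.example.net

# Control channel on a local unix socket only; nothing listens on TCP.
remote-control:
    control-enable: yes
    control-interface: /run/unbound.ctl
    control-use-cert: no
```

If the control channel must be reachable over TCP instead, keep `control-interface` on a management address and point `server-key-file`, `server-cert-file`, `control-key-file` and `control-cert-file` at files readable only by the unbound user; run `unbound-checkconf` after any change.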