Unbound is a recursive resolver. Security depends on strict client ACLs, DNSSEC validation, and encrypted transport where required.
Domain hijacking via promiscuous NS records. This vulnerability allows an attacker to perform domain hijacking by exploiting promiscuous handling of NS records in the cache. An attacker could redirect users to malicious nameservers.
harden-below-nxdomain and harden-referral-path are enabled as defense-in-depth.
access-control ACL entries.
Unbound can be run inside a chroot jail to limit the filesystem scope available to the process. This reduces the impact of potential exploitation:
chroot: "/etc/unbound"
Unbound supports privilege dropping after binding to privileged ports. It starts as root to open port 53, then drops to an unprivileged user:
username: "unbound"
do-daemonize: yes
Response Policy Zones (RPZ) allow administrators to define custom DNS response policies – blocking malicious domains, redirecting queries, or overriding upstream responses. This is useful for threat intelligence integration and corporate DNS policy enforcement:
rpz:
name: "rpz.local"
zonefile: "/etc/unbound/rpz.db"
Unbound can serve stale data while refreshing expired records in the background. This improves resilience during upstream outages and prevents clients from receiving SERVFAIL responses when the resolver cannot reach authoritative nameservers. See the Configuration page for details.
When deployed behind a load balancer, PROXYv2 support ensures Unbound sees original client IPs for ACL enforcement and logging rather than the proxy’s address.
unbound-control to local or mgmt-only channels.
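As an added example (not part of this page or of the Unbound project), a small Python audit that parses an unbound.conf and flags the settings discussed above: a promiscuous access-control rule, missing harden-* options, missing chroot or username, and unbound-control bound to every interface. The config text is constructed for the demo, and the parser handles only the plain `section:` / `key: value` layout, not include: directives.

```python
from collections import defaultdict
# Constructed sample unbound.conf (not a real deployment): open recursion and exposed control.
SAMPLE_CONF = """\
server:
    access-control: 0.0.0.0/0 allow
    chroot: "/etc/unbound"
    username: "unbound"
    harden-below-nxdomain: yes
    harden-referral-path: yes
remote-control:
    control-enable: yes
    control-interface: 0.0.0.0
rpz:
    name: "rpz.local"
    zonefile: "/etc/unbound/rpz.db"
"""

def parse_unbound_conf(text):
    """Map section -> key -> [values]; an unindented 'name:' line opens a section."""
    sections = defaultdict(lambda: defaultdict(list))
    current = None
    for raw in text.splitlines():
        key, sep, value = raw.split("#", 1)[0].strip().partition(":")  # drop comments
        if not sep:
            continue
        value = value.strip().strip('"')
        if value == "" and not raw[0].isspace():
            current = key          # section header such as server: or remote-control:
        else:
            sections[current][key].append(value)
    return sections
def audit(text):
    """Return findings for the hardening points above; an empty list means all pass."""
    conf = parse_unbound_conf(text)
    srv, rc = conf["server"], conf["remote-control"]
    findings = []
    for acl in srv.get("access-control", []):   # an allow rule on 0/0 is an open resolver
        net, action = (acl.split() + [""])[:2]
        if net in ("0.0.0.0/0", "::/0") and action.startswith("allow"):
            findings.append("open resolver: access-control %s" % acl)
    for key in ("harden-below-nxdomain", "harden-referral-path"):
        if srv.get(key, ["no"])[-1] != "yes":
            findings.append("%s not enabled" % key)
    for key, msg in (("chroot", "no chroot jail"), ("username", "no privilege drop")):
        if not srv.get(key, [""])[-1]:
            findings.append(msg)
    if rc.get("control-enable", ["no"])[-1] == "yes" and any(
            i in ("0.0.0.0", "::", "::0") for i in rc.get("control-interface", [])):
        findings.append("unbound-control exposed on all interfaces")
    return findings
```

Run `audit(open("/etc/unbound/unbound.conf").read())` on a real file to get the same list of findings for your own deployment.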