Deploying Unbound Validating DNS Resolver on Ubuntu 24.04

Started by joomlamz, 26 May 2026, 17:35





Topic: Deploying Unbound Validating DNS Resolver on Ubuntu 24.04
Category: Tutorials | Programming & Technology
Main Language: Portuguese (Technology Content)

Content Description / Information:
-------------------------------------------------------------------------
Unbound is a validating, recursive, and caching DNS resolver that performs DNSSEC validation locally and answers queries without relying on third-party resolvers. This guide deploys Unbound using Docker Compose after freeing the system's port 53, with access controls that restrict who can query the resolver. By the end, you'll have a validating DNS resolver answering queries from approved clients on your server.



Free Port 53


Ubuntu's systemd-resolved binds port 53 by default. Release it before deploying.

1. Stop and disable systemd-resolved:

$ sudo systemctl stop systemd-resolved
$ sudo systemctl disable systemd-resolved

2. Replace the resolver configuration:

$ sudo rm /etc/resolv.conf
$ echo "nameserver 1.1.1.1" | sudo tee /etc/resolv.conf



Set Up the Directory Structure and Configuration


1. Create the project directory:

$ mkdir -p ~/unbound
$ cd ~/unbound

2. Create the Unbound configuration file:

$ nano unbound.conf

server:
    interface: 0.0.0.0
    interface: ::0
    port: 53

    access-control: 127.0.0.0/8 allow
    access-control: 192.168.0.0/16 allow
    access-control: 172.16.0.0/12 allow
    access-control: 10.0.0.0/8 allow
    access-control: YOUR_CLIENT_IP/32 allow
    access-control: 0.0.0.0/0 refuse

    hide-identity: yes
    hide-version: yes
    use-caps-for-id: yes
    prefetch: yes

    num-threads: 2
    msg-cache-slabs: 4
    rrset-cache-slabs: 4
    infra-cache-slabs: 4
    key-cache-slabs: 4
    rrset-cache-size: 100m
    msg-cache-size: 50m
    so-rcvbuf: 1m

remote-control:
    control-enable: no

Replace YOUR_CLIENT_IP/32 with the IP address allowed to query the resolver. Because Docker publishes port 53 on every host interface, these access-control rules are what keep the resolver from answering the whole internet: a source address without an allow rule is refused.



Deploy with Docker Compose


1. Create the Docker Compose manifest:

$ nano docker-compose.yml

services:
  unbound:
    image: mvance/unbound:latest
    container_name: unbound
    restart: unless-stopped
    environment:
      TZ: UTC
    ports:
      - "53:53/tcp"
      - "53:53/udp"
    volumes:
      - ./unbound.conf:/opt/unbound/etc/unbound/unbound.conf:ro

2. Start the service:

$ docker compose up -d

3. Verify the service is running:

$ docker compose ps



Test Resolution


From an allowed client, query the resolver:

$ dig @SERVER_IP vultr.com

A valid answer section confirms Unbound is resolving queries.
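An answer section only shows that resolution works. A validating resolver with access control has two further observable properties: the "ad" (authenticated data) flag in the flags line of a dig +dnssec reply, and REFUSED for clients outside the allow list. The script below is added here and is not part of the original guide; classify_dig_output, check_resolver and the sample replies are constructed for this example, and dnssec-failed.org is a publicly known test zone with deliberately broken signatures.

```shell
#!/bin/sh
# Added example, not part of the original guide: classify a dig reply so the
# test step checks what matters for a validating resolver with access control,
# not only that an answer came back. Assumes dig (bind9-dnsutils) is installed.

# Constructed sample replies (abridged dig output) so the classifier can be
# exercised offline; real output from the container has the same header lines.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4245
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# classify_dig_output: reads dig text on stdin and prints one word:
#   validated   NOERROR with the 'ad' flag: the answer passed DNSSEC validation
#   unvalidated NOERROR without 'ad': resolved but not authenticated (unsigned
#               zone, or validation not active in this resolver)
#   servfail    SERVFAIL: expected for a zone whose signatures are broken
#   refused     REFUSED: the access-control rules denied this client address
#   unknown     no parseable header (timeout, firewall, wrong SERVER_IP)
classify_dig_output() {
  out=$(cat)
  status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
  case "$status" in
    REFUSED)  echo refused ;;
    SERVFAIL) echo servfail ;;
    NOERROR)
      case " $flags " in
        *" ad "*) echo validated ;;
        *)        echo unvalidated ;;
      esac ;;
    *) echo unknown ;;
  esac
}

# check_resolver SERVER_IP NAME: query with +dnssec (sets the DO bit so RRSIGs
# are requested) and classify the reply. Hypothetical helper for this guide.
check_resolver() {
  dig +dnssec +time=3 +tries=1 @"$1" "$2" 2>/dev/null | classify_dig_output
}

# Manual use against your deployment (SERVER_IP as in the guide):
#   check_resolver SERVER_IP example.com        expect: validated (signed zone)
#   check_resolver SERVER_IP dnssec-failed.org  expect: servfail (broken test zone)
# Run from a host that is NOT in the allow list, expect: refused
```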



Next Steps


Unbound is running with DNSSEC validation and tight access controls. From here you can:

• Point your network's clients at the resolver to gain DNSSEC validation

• Tune cache sizes and thread counts for your traffic volume

• Layer block lists into unbound.conf to filter ads and malicious domains

For the full guide with additional tips, visit the original article on Vultr Docs.


Joomlamz
IT Consulting
-------------------------------------------------------
Specialist in Web Systems & Server Maintenance.
Developing the new AplPortal with PHP 8 support.
Need professional help? Contact me.
