docker.recipes

Unbound DNS

intermediate

Recursive DNS resolver.

Overview

Unbound is a validating, recursive, caching DNS resolver developed by NLnet Labs that prioritizes security, privacy, and performance. Unlike forwarding DNS servers that relay queries to upstream providers like Google or Cloudflare, Unbound performs full recursive resolution by querying authoritative name servers directly from the DNS root, eliminating third-party visibility into your DNS queries. This approach provides enhanced privacy protection while offering built-in DNSSEC validation to prevent DNS spoofing and cache poisoning attacks. This Docker deployment creates a self-contained recursive DNS resolver that can serve as the primary DNS server for your entire network or specific applications. Unbound excels at reducing DNS lookup latency through intelligent caching mechanisms and can be configured with custom DNS filtering, local domain resolution, and advanced security features. The containerized setup simplifies management while maintaining the flexibility to customize resolver behavior through comprehensive configuration options. Homelab enthusiasts, privacy-conscious users, and network administrators benefit from deploying Unbound as it provides complete control over DNS resolution without relying on external DNS services. The resolver is particularly valuable when paired with DNS filtering solutions like Pi-hole, where Unbound serves as the upstream recursive resolver, creating a comprehensive DNS security and privacy stack that blocks advertisements while maintaining query privacy through direct root server communication.

Key Features

  • Full recursive DNS resolution bypassing third-party DNS providers for complete query privacy
  • Built-in DNSSEC validation with automatic trust anchor updates for DNS security
  • Aggressive NSEC caching and prefetching to minimize response times
  • DNS over TLS (DoT) support for encrypted upstream queries when needed
  • Local zone configuration for custom domain resolution and DNS rebinding protection
  • Memory-efficient design with configurable cache sizes and TTL limits
  • Access control lists for restricting query sources and preventing DNS abuse
  • Integration support with Pi-hole and other DNS filtering solutions as upstream resolver

Common Use Cases

  • 1Primary DNS resolver for home networks seeking privacy from commercial DNS providers
  • 2Upstream recursive resolver behind Pi-hole for ad-blocking with enhanced privacy
  • 3Corporate network DNS infrastructure requiring full control over resolution paths
  • 4Development environments needing custom local domain resolution and testing
  • 5Privacy-focused setups eliminating DNS query logging by external providers
  • 6Network security implementations requiring DNSSEC validation for all DNS responses
  • 7Multi-site deployments needing consistent DNS behavior without internet dependencies

Prerequisites

  • Docker and Docker Compose installed with root privileges for port 53 binding
  • At least 256MB available RAM for DNS caching and recursive query processing
  • Network port 53 available (TCP/UDP) and not conflicting with existing DNS services
  • Basic understanding of DNS concepts including recursive vs forwarding resolution
  • Access to create and edit unbound.conf configuration file with proper syntax
  • Firewall configuration allowing DNS traffic if serving external network clients

For development & testing. Review security settings, change default credentials, and test thoroughly before production use. See Terms

docker-compose.yml

docker-compose.yml
1services: 
2  unbound: 
3    image: mvance/unbound:latest
4    container_name: unbound
5    restart: unless-stopped
6    volumes: 
7      - ./unbound.conf:/opt/unbound/etc/unbound/unbound.conf
8    ports: 
9      - "53:53/tcp"
10      - "53:53/udp"

.env Template

.env
1# Create unbound.conf configuration

Usage Notes

  1. 1Docs: https://nlnetlabs.nl/documentation/unbound/
  2. 2Recursive DNS resolver - queries root servers directly
  3. 3No reliance on upstream DNS providers for privacy
  4. 4Pair with Pi-hole: Pi-hole uses Unbound as upstream
  5. 5DNSSEC validation support for security
  6. 6Configure in unbound.conf - examples at https://calomel.org/unbound_dns.html

Quick Start

terminal
1# 1. Create the compose file
2cat > docker-compose.yml << 'EOF'
3services:
4  unbound:
5    image: mvance/unbound:latest
6    container_name: unbound
7    restart: unless-stopped
8    volumes:
9      - ./unbound.conf:/opt/unbound/etc/unbound/unbound.conf
10    ports:
11      - "53:53/tcp"
12      - "53:53/udp"
13EOF
14
15# 2. Create the .env file
16cat > .env << 'EOF'
17# Create unbound.conf configuration
18EOF
19
20# 3. Start the services
21docker compose up -d
22
23# 4. View logs
24docker compose logs -f

One-Liner

Run this command to download and set up the recipe in one step:

terminal
1curl -fsSL https://docker.recipes/api/recipes/unbound/run | bash

Troubleshooting

  • Permission denied on port 53: Run container with appropriate privileges or use non-standard ports with port forwarding
  • Unbound fails to start with config errors: Validate unbound.conf syntax using 'unbound-checkconf' command before mounting
  • Slow DNS resolution performance: Increase cache size settings and enable prefetching in unbound.conf configuration
  • DNSSEC validation failures: Check system time synchronization and verify trust anchor configuration
  • Cannot resolve local domains: Configure local-zone and local-data entries in unbound.conf for custom domain handling
  • High memory usage: Reduce cache sizes, adjust TTL settings, and limit concurrent query processing in configuration

Community Notes

Loading...
Loading notes...

Download Recipe Kit

Get all files in a ready-to-deploy package

Includes docker-compose.yml, .env template, README, and license

Components

unbound

Tags

#unbound#dns#resolver#privacy

Category

Home Lab & Self-Hosting

Related Recipes

Ad Space