Unbound is a validating, recursive, and caching DNS resolver that performs DNSSEC validation locally and answers queries without relying on third-party resolvers. This guide deploys Unbound using Docker Compose after freeing the system's port 53, with access controls that restrict who can query the resolver. By the end, you'll have a validating DNS resolver answering queries from approved clients on your server.

Free Port 53

Ubuntu's systemd-resolved binds port 53 by default. Release it before deploying.

1. Stop and disable systemd-resolved:

$ sudo systemctl stop systemd-resolved
$ sudo systemctl disable systemd-resolved

2. Replace the resolver configuration:

$ sudo rm /etc/resolv.conf
$ echo "nameserver 1.1.1.1" | sudo tee /etc/resolv.conf

Set Up the Directory Structure and Configuration

1. Create the project directory:

$ mkdir -p ~/unbound
$ cd ~/unbound

2. Create the Unbound configuration file:

$ nano unbound.conf

server:
  interface: 0.0.0.0
  interface: ::0
  port: 53

  access-control: 127.0.0.0/8 allow
  access-control: 192.168.0.0/16 allow
  access-control: 172.16.0.0/12 allow
  access-control: 10.0.0.0/8 allow
  access-control: YOUR_CLIENT_IP/32 allow
  access-control: 0.0.0.0/0 refuse

  hide-identity: yes
  hide-version: yes
  use-caps-for-id: yes
  prefetch: yes

  num-threads: 2
  msg-cache-slabs: 4
  rrset-cache-slabs: 4
  infra-cache-slabs: 4
  key-cache-slabs: 4
  rrset-cache-size: 100m
  msg-cache-size: 50m
  so-rcvbuf: 1m

remote-control:
  control-enable: no

Replace YOUR_CLIENT_IP/32 with the IP allowed to query the resolver.

Deploy with Docker Compose

1. Create the Docker Compose manifest:

$ nano docker-compose.yml

services:
  unbound:
    image: mvance/unbound:latest
    container_name: unbound
    restart: unless-stopped
    environment:
      TZ: UTC
    ports:
      - "53:53/tcp"
      - "53:53/udp"
    volumes:
      - ./unbound.conf:/opt/unbound/etc/unbound/unbound.conf:ro

2. Start the service:

$ docker compose up -d

3. Verify the service is running:

$ docker compose ps

Test Resolution

From an allowed client, query the resolver:

$ dig @SERVER_IP vultr.com

A valid answer section confirms Unbound is resolving queries.

Next Steps

Unbound is running with DNSSEC validation and tight access controls. From here you can:

• Point your network's clients at the resolver to gain DNSSEC validation
• Tune cache sizes and thread counts for your traffic volume
• Layer block lists into unbound.conf to filter ads and malicious domains

For the full guide with additional tips, visit the original article on Vultr Docs.