Unbound

nlnetlabs.nl/projects/unbound
Validating, recursive, caching DNS resolver with support for DNS-over-TLS. Designed to be fast, lean, and secure, Unbound incorporates modern features based on open standards. It's fully open source and was recently audited. (For an in-depth tutorial, see this article by DNSWatch.)

Open Source

Unbound Source Code

Author

NLnetLabs

Description

Unbound is a validating, recursive, and caching DNS resolver.

#dns #dns-privacy #dnssec #recursor #resolver

Homepage

https://nlnetlabs.nl/unbound

License

BSD-3-Clause

Created

13 Jun 17

Last Updated

16 Jun 26

Latest version

release-1.25.1

Primary Language

C

Size

105,734 KB

Stars

4,625

Forks

437

Watchers

4,625

Recent Commits

  • W.C.A. Wijngaards (16 Jun 26)

    - Fix for #1462: Fix that auth primary host name lookup allows CNAMEs.

  • W.C.A. Wijngaards (16 Jun 26)

    - Fix after malloc failure the rrset_insert_rr in localzone processing, during RPZ qname trigger processing, the RRset retains its previous data correctly. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (16 Jun 26)

    - Fix incorrect cleanup after an allocation failure for a delegation point in a region. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (16 Jun 26)

    - Fix that after shared memory cannot be created, from `shm-enable`, the server does not crash. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (16 Jun 26)

    - Fix that after malloc failure in find_tag_datas, the local_alias is cleaned up. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (16 Jun 26)

    - Fix incorrect cleanup after an allocation failure for a delegation point. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (16 Jun 26)

    - Fix for neater solution to clear log thread id after worker init failure. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (16 Jun 26)

    - Fix that libunbound pipe functions fail with error after an event base is set. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (16 Jun 26)

    - Fix locking in libunbound ub_ctx_set_event call. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (16 Jun 26)

    - Fix that dnscrypt configuration does not crash, due to inconsistency between secret and public keys. Also duplicate files are skipped. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (16 Jun 26)

    - Fix that after malloc failure in RPZ load a half built list does not crash later. The newly created RRset is linked after creation has succeeded. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (16 Jun 26)

    - Fix that for a zonefile only zone, if that file does not exist on server start, the server continues to start with a warning log message. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (16 Jun 26)

    - Fix that after malloc failure a half-built local_alias does not crash the server. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (16 Jun 26)

    - Fix that a signed wildcard NSEC, is checked before use, so it does not allow insecure DS proofs inappropriately. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (16 Jun 26)

    - Fix that dns64 does not ignore the `forward-no-cache` and `stub-no-cache` options. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (16 Jun 26)

    - Fix that auth-zone, and RPZ zones, do not allow out-of-zone records. These are records that are not under the zone apex. The out-of-zone records are dropped from the zone contents. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (16 Jun 26)

    - Fix that a half-written trust anchor file does not crash the server at runtime. It unlinks a wrong file from the list. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (16 Jun 26)

    - Fix that when SVCB records cannot be written out, and are written in unknown format, that the zone read allows such unknown format SVCB records. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (16 Jun 26)

    - Fix to disallow $INCLUDE for secondary zones. Start up of server continues if a secondary zone fails to load. Failed loads clear the zone data, so there is no partial zone. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (15 Jun 26)

    - Fix that dns64 bypasses rpz-passthru rule during synthesis. This restricted more than necessary. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (15 Jun 26)

    - Fix misconfigured ipsecmod hook causing path name similarity with other file. The ipsecmod is changed for exec of the hook. The ipsecmod hook, if a script, has to start now with a line like `#!/bin/sh`. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (15 Jun 26)

    - Fix DNAME synthesis from cache that keeps use of 0TTL entries in a sliding window. It did not surpass RRSIG expiry. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (15 Jun 26)

    - Fix log of an aliased qname, to not use freed region memory. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (15 Jun 26)

    - Fix that fast_reload does not terminate the server for errors in config, for key files. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (15 Jun 26)

    - Fix integer overflow for very high values of `sock-queue-timeout`. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (15 Jun 26)

    - Fix erroneous DNS error report values after bogus AAAA query caused error information that was not cleared by a successful A subquery. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (15 Jun 26)

    - Fix integer overflow in infra-cache-max-rtt calculation. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (15 Jun 26)

    - Fix for fast_reload that removes an auth zone while its lookups are in progress, for a primary name. Also after the change, it no longer picks up the old results. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (15 Jun 26)

    - Fix that fast_reload when a zonemd verification lookup is in progress with subnet loaded, deregisters the callback. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (15 Jun 26)

    - Fix that misconfigured `iter-scrub-ns: 0` causes request failures. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

Unbound Security

5.8/10

Repo Security Summary

Updated 25 May 26 Fuzz tested

  • Security-Policy 10/10
  • Packaging N/A
  • Maintained 10/10
  • Dangerous-Workflow 10/10
  • Code-Review 0/10
  • CII-Best-Practices 0/10
  • Token-Permissions 0/10
  • Binary-Artifacts 10/10
  • SAST 0/10
  • License 10/10
  • Fuzzing 10/10
  • Pinned-Dependencies 0/10
  • Signed-Releases N/A
  • Branch-Protection N/A

Unbound Website

Website

NLnet Labs - Unbound - About

Unbound is a validating, recursive, caching DNS resolver. It is designed to be fast and lean and incorporates modern features based on open standards. To help increase online privacy, Unbound supports DNS-over-TLS and DNS-over-HTTPS which allows clients to encrypt their communication. In addition, it supports various modern standards that limit …

Redirects

Redirects to https://nlnetlabs.nl/projects/unbound/about/

Security Checks

All 65 security checks passed

Server Details

  • IP Address 128.140.76.106
  • Hostname static.106.76.140.128.clients.your-server.de
  • Location Nuremberg, Bayern, Germany, EU
  • ISP Hetzner Online GmbH
  • ASN AS24940

Associated Countries

  • AT
  • US
  • NL
  • DE

Safety Score

Website marked as safe

100%

Blacklist Check

nlnetlabs.nl was found on 0 blacklists

  • AntiSocial Blacklist
  • Artists Against 419
  • Badbitcoin
  • Bambenek Consulting
  • CERT Polska
  • CoinBlockerLists
  • CRDF
  • CryptoScamDB
  • EtherAddressLookup
  • EtherScamDB
  • Fake Website Buster
  • MetaMask EthPhishing
  • NABP Not Recommended Sites
  • OpenPhish
  • PetScams
  • PhishFeed
  • PhishFort
  • Phishing.Database
  • PhishStats
  • PhishTank
  • Phishunt
  • RPiList Not Serious
  • Scam.Directory
  • SecureReload Phishing List
  • Spam404
  • StopGunScams
  • Suspicious Hosting IP
  • ThreatFox
  • ThreatLog
  • TweetFeed
  • URLhaus
  • ViriBack C2 Tracker

Unbound Docker

Container Info

pihole-unbound

A Linux network-level advertisement and Internet tracker blocking application which acts as a DNS sinkhole. This version has Unbound software installed on it so you don't need to rely on external DNS providers. When the installation is complete, navigate to your.ip.goes.here:1010/admin. Follow the article at https://medium.com/@niktrix/getting-rid-of-systemd-resolved-consuming-port-53-605f0234f32f

#Other #Tools

cbcrowe/pihole-unbound:latest

Run Command

docker run -d \
  -p 53:53/tcp \
  -p 53:53/udp \
  -p 1010:80/tcp \
  -p 4443:443/tcp \
  -e ServerIP=${ServerIP} \
  -e TZ=${TZ} \
  -e DNSSEC=${DNSSEC} \
  -e DNS1=${DNS1} \
  -e DNS2=${DNS2} \
  -v /portainer/Files/AppData/Config/PiHole-Unbound:/etc/pihole \
  -v /portainer/Files/AppData/Config/PiHole-Unbound/DNS:/etc/dnsmasq.d \
  --restart=unless-stopped \
  cbcrowe/pihole-unbound:latest

Compose File

version: "3.8"
services:
  pi-hole-unbound:
    image: "cbcrowe/pihole-unbound:latest"
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "1010:80/tcp"
      - "4443:443/tcp"
    environment:
      ServerIP: 192.168.0.X
      TZ: Europe/London
      DNSSEC: 
      DNS1: 127.0.0.1#5335
      DNS2: 127.0.0.1#5335
    volumes:
      - "/portainer/Files/AppData/Config/PiHole-Unbound:/etc/pihole"
      - "/portainer/Files/AppData/Config/PiHole-Unbound/DNS:/etc/dnsmasq.d"
    restart: unless-stopped

Environment Variables

  • Var Name Default
  • ServerIP 192.168.0.X
  • TZ Europe/London
  • DNSSEC null
  • DNS1 127.0.0.1#5335
  • DNS2 127.0.0.1#5335

Port List

  • 53:53/tcp
  • 53:53/udp
  • 1010:80/tcp
  • 4443:443/tcp

Volume Mounting

  • /portainer/Files/AppData/Config/PiHole-Unbound /etc/pihole
  • /portainer/Files/AppData/Config/PiHole-Unbound/DNS /etc/dnsmasq.d

About the Data: Unbound

API

You can access Unbound's data programmatically via our API. Simply make a GET request to:

https://api.awesome-privacy.xyz/v1/services/unbound

The REST API is free, no-auth and CORS-enabled. To learn more, view the API Docs or read the API Usage Guide.
