Unbound

nlnetlabs.nl/projects/unbound
Validating, recursive, caching DNS resolver with support for DNS-over-TLS. Designed to be fast, lean, and secure, Unbound incorporates modern features based on open standards. It's fully open source, and recently audited. (For an in-depth tutorial, see this article by DNSWatch.)

Open Source

Unbound Source Code

Author

NLnetLabs

Description

Unbound is a validating, recursive, and caching DNS resolver.

#dns #dns-privacy #dnssec #recursor #resolver

Homepage

https://nlnetlabs.nl/unbound

License

BSD-3-Clause

Created

13 Jun 17

Last Updated

09 Jun 26

Latest version

release-1.25.1

Primary Language

C

Size

101,266 KB

Stars

4,602

Forks

436

Watchers

4,602

Recent Commits

  • Alex Band (08 Jun 26)

    change mailing list to forum

  • W.C.A. Wijngaards (03 Jun 26)

    - Fix that dns64 cleans up the allocated message if the adjust routines fail, and checks if there is a reply before cache store, also unbound checks if A and AAAA are malformed for auth-zones. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (03 Jun 26)

    - Fix that dump_cache has a larger buffer for records, and it checks that an owner name does not collide with BADRR on the input, and changes verbosity on the log of failure in rrset to string. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (03 Jun 26)

    - Fix that validation canonicalization of domain names in rdata checks for buffer bounds. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (03 Jun 26)

    - Fix fast_reload for when a ZONEMD lookup is in progress. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (03 Jun 26)

    - Fix negative cache NSEC3 nodata proof, to use the correct message size. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (03 Jun 26)

    - Fix PROXYv2 header read and consume, it checks the header size. Thanks to Qifan Zhang, Palo Alto Networks for the report.

  • W.C.A. Wijngaards (03 Jun 26)

    - Fix ipset module to use larger domain name buffers, and check buffer lengths. Thanks to Qifan Zhang, Palo Alto Networks for the report.

  • W.C.A. Wijngaards (03 Jun 26)

    - Fix that quotation and escaping works the same in auth-zone url content, as in the zonefile read. Thanks to Qifan Zhang, Palo Alto Networks for the report.

  • W.C.A. Wijngaards (03 Jun 26)

    - Fix parse of svcbparam ech, it had incorrect length. Thanks to Qifan Zhang, Palo Alto Networks for the report.

  • Yorgos Thessalonikefs (03 Jun 26)

    - Fix const as reported by newest compiler warnings.

  • W.C.A. Wijngaards (03 Jun 26)

    - Fix negative cache to work with NSEC3 records without salt. Thanks to Xin Wang, Jiapeng Li, and Jiajia Liu, Northwestern Polytechnical University, for the report.

  • W.C.A. Wijngaards (03 Jun 26)

    - Fix that the processing of class responses does not have a heap use-after-free. That could happen if at least two distinct classes are configured for resolution. Thanks to Qifan Zhang, Palo Alto Networks for the report. In addition, thanks to Xin Wang, Jiapeng Li, and Jiajia Liu, Northwestern Polytechnical University, for also reporting this.

  • W.C.A. Wijngaards (29 May 26)

    - Fix unit test to check for new icannbundle.pem.

  • W.C.A. Wijngaards (29 May 26)

    - Update icannbundle.pem certificates in unbound-anchor. It has the public keys for 2009 to 2029 and for 2025 to 2045.

  • W.C.A. Wijngaards (29 May 26)

    - iana portlist updated.

  • W.C.A. Wijngaards (29 May 26)

    - Fix header_seen detection for trust anchor files, so that it detects the id line.

  • W.C.A. Wijngaards (28 May 26)

    - Fix #1457: race condition causes segfault when starting threads.

  • W.C.A. Wijngaards (27 May 26)

    - Fix analyzer warning in mesh_new_client.

  • W.C.A. Wijngaards (27 May 26)

    - Fix that validator caps number of ANY RRsets it can validate, and the wait timer is shortened. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (27 May 26)

    - Fix ipset module for name too long checks, race conditions on local name buffer, and for socket close race condition. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (27 May 26)

    - Fix that dns64 with subnetcache does not write ECS scoped answers to global cache. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (27 May 26)

    - Fix, in depth, for respip rewrite of dns64 responses. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (27 May 26)

    - Fix manual to document ratelimit, that it is for target nameservers for a domain, and keeps queries limited. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (27 May 26)

    - Fix to decrement the per-netblock tcp connection limits, so it keeps usable. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (27 May 26)

    - Fix to reset the tcp-timeout before applying a load based reduction. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (27 May 26)

    - Fix that msgencode insert_query has the correct assertion, for a local_alias. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (27 May 26)

    - Fix that the ratelimit is decremented on successful referrals. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (27 May 26)

    - Fix to limit the DSNS per-label walk in the iterator. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

  • W.C.A. Wijngaards (27 May 26)

    - Fix for autotrust state-file line overflow, that can give hold-down bypass. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

Unbound Security

5.8/10

Repo Security Summary

Updated 25 May 26 Fuzz tested

  • Security-Policy 10/10
  • Packaging N/A
  • Maintained 10/10
  • Dangerous-Workflow 10/10
  • Code-Review 0/10
  • CII-Best-Practices 0/10
  • Token-Permissions 0/10
  • Binary-Artifacts 10/10
  • SAST 0/10
  • License 10/10
  • Fuzzing 10/10
  • Pinned-Dependencies 0/10
  • Signed-Releases N/A
  • Branch-Protection N/A

Unbound Website

Website

NLnet Labs - Unbound - About

Unbound is a validating, recursive, caching DNS resolver. It is designed to be fast and lean and incorporates modern features based on open standards. To help increase online privacy, Unbound supports DNS-over-TLS and DNS-over-HTTPS which allows clients to encrypt their communication. In addition, it supports various modern standards that limit …

Redirects

Redirects to https://nlnetlabs.nl/projects/unbound/about/

Security Checks

All 65 security checks passed

Server Details

  • IP Address 128.140.76.106
  • Hostname static.106.76.140.128.clients.your-server.de
  • Location Nuremberg, Bayern, Germany, EU
  • ISP Hetzner Online GmbH
  • ASN AS24940

Associated Countries

  • AT
  • US
  • NL
  • DE

Safety Score

Website marked as safe

100%

Blacklist Check

nlnetlabs.nl was found on 0 blacklists

  • AntiSocial Blacklist
  • Artists Against 419
  • Badbitcoin
  • Bambenek Consulting
  • CERT Polska
  • CoinBlockerLists
  • CRDF
  • CryptoScamDB
  • EtherAddressLookup
  • EtherScamDB
  • Fake Website Buster
  • MetaMask EthPhishing
  • NABP Not Recommended Sites
  • OpenPhish
  • PetScams
  • PhishFeed
  • PhishFort
  • Phishing.Database
  • PhishStats
  • PhishTank
  • Phishunt
  • RPiList Not Serious
  • Scam.Directory
  • SecureReload Phishing List
  • Spam404
  • StopGunScams
  • Suspicious Hosting IP
  • ThreatFox
  • ThreatLog
  • TweetFeed
  • URLhaus
  • ViriBack C2 Tracker

Unbound Docker

Container Info

pihole-unbound

A Linux network-level advertisement and Internet tracker blocking application which acts as a DNS sinkhole. This version has Unbound software installed on it so you don't need to rely on external DNS providers. When the installation is complete, navigate to your.ip.goes.here:1010/admin. Follow the article at https://medium.com/@niktrix/getting-rid-of-systemd-resolved-consuming-port-53-605f0234f32f

#Other #Tools cbcrowe/pihole-unbound:latest

Run Command

docker run -d \
  -p 53:53/tcp \
  -p 53:53/udp \
  -p 1010:80/tcp \
  -p 4443:443/tcp \
  -e ServerIP="${ServerIP}" \
  -e TZ="${TZ}" \
  -e DNSSEC="${DNSSEC}" \
  -e DNS1="${DNS1}" \
  -e DNS2="${DNS2}" \
  -v /portainer/Files/AppData/Config/PiHole-Unbound:/etc/pihole \
  -v /portainer/Files/AppData/Config/PiHole-Unbound/DNS:/etc/dnsmasq.d \
  --restart=unless-stopped \
  cbcrowe/pihole-unbound:latest

Compose File

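version: "3.8"  # Compose expects the version as a string, not the float 3.8
services:
  pi-hole-unbound:
    image: "cbcrowe/pihole-unbound:latest"
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "1010:80/tcp"
      - "4443:443/tcp"
    environment:
      ServerIP: 192.168.0.X  # placeholder: replace with the host's LAN address
      TZ: Europe/London  # IANA time zone names use a forward slash
      DNSSEC:
      DNS1: "127.0.0.1#5335"  # quoted so the # is never read as a comment
      DNS2: "127.0.0.1#5335"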
    volumes:
      - "/portainer/Files/AppData/Config/PiHole-Unbound:/etc/pihole"
      - "/portainer/Files/AppData/Config/PiHole-Unbound/DNS:/etc/dnsmasq.d"
    restart: unless-stopped

Environment Variables

  • Var Name Default
  • ServerIP 192.168.0.X
  • TZ Europe\London
  • DNSSEC null
  • DNS1 127.0.0.1#5335
  • DNS2 127.0.0.1#5335

Port List

  • 53:53/tcp
  • 53:53/udp
  • 1010:80/tcp
  • 4443:443/tcp

Volume Mounting

  • /portainer/Files/AppData/Config/PiHole-Unbound /etc/pihole
  • /portainer/Files/AppData/Config/PiHole-Unbound/DNS /etc/dnsmasq.d

About the Data: Unbound

API

You can access Unbound's data programmatically via our API. Simply make a GET request to:

https://api.awesome-privacy.xyz/v1/services/unbound

The REST API is free, no-auth and CORS-enabled. To learn more, view the API Docs or read the API Usage Guide.
