Unbound
nlnetlabs.nl/projects/unbound Desktop [Linux, Mac, OpenWrt & Windows]
Validating, recursive, caching DNS resolve with support for DNS-over-TLS. Designed to be fast, lean, and secure Unbound incorporates modern features based on open standards. It's fully open source, and recently audited. (For an in-depth tutorial, see this article by DNSWatch.)
- Homepage: nlnetlabs.nl/projects/unbound
- GitHub: github.com/NLnetLabs/unbound
- Privacy: tosdr.org/en/service/2519
- Web info: web-check.xyz/results/nlnetlabs.nl
Unbound Source Code
Author
Description
Unbound is a validating, recursive, and caching DNS resolver.
Homepage
https://nlnetlabs.nl/unboundLicense
BSD-3-Clause
Created
13 Jun 17
Last Updated
17 Jan 25
Latest version
Primary Language
C
Size
102,589 KB
Stars
3,248
Forks
366
Watchers
3,248
Language Usage
Star History
Top Contributors
-
@wcawijngaards (6503)
-
@gthess (555)
-
@ralphdolmans (325)
-
@wtoorop (55)
-
@Philip-NLnetLabs (37)
-
@fobser (19)
-
@noloader (17)
-
@TCY16 (17)
-
@Maryse47 (11)
-
@pemensik (9)
-
@countsudoku (8)
-
@PMunch (8)
-
@episource (7)
-
@AlexanderBand (6)
-
@Talkabout (6)
-
@vvfedorenko (6)
-
@k9982874 (6)
-
@ziollek (5)
-
@Shchelk (5)
-
@kimheino (5)
-
@cgallred (5)
-
@xiaoxiaoafeifei (4)
-
@rcmcdonald91 (3)
-
@FGasper (3)
-
@fhriley (3)
-
@eaglegai (3)
-
@dyunwei (3)
-
@edmonds (3)
-
@n3bul4 (2)
-
@trofi (2)
Recent Commits
-
Yorgos Thessalonikefs (17 Jan 25)
Changelog entry for #1221: - Merge #1221: Consider auth zones when checking for forwarders.
-
Yorgos Thessalonikefs (17 Jan 25)
Merge pull request #1221 from NLnetLabs/bugfix/consider-auth-zones-when-forwarding Consider auth zones when checking for forwarders
-
Yorgos Thessalonikefs (15 Jan 25)
- Use correct RFC number for resolver.arpa.
-
Yorgos Thessalonikefs (14 Jan 25)
- Add resolver.arpa and service.arpa to the default locally served zones.
-
Yorgos Thessalonikefs (14 Jan 25)
- Take configured auth zones into consideration when checking if a request needs to be forwarded.
-
Yorgos Thessalonikefs (13 Jan 25)
- Fix typo.
-
Yorgos Thessalonikefs (13 Jan 25)
- Fix #1213: Misleading error message on default access control causing refuse.
-
Yorgos Thessalonikefs (10 Jan 25)
Changelog entry for #1214: - Merge #1214: Use TCP_NODELAY on TLS sockets to speed up the TLS handshake.
-
Yorgos Thessalonikefs (10 Jan 25)
Merge pull request #1214 from NLnetLabs/bugfix/tls-handshake Use TCP_NODELAY on TLS sockets to speed up the TLS handshake.
-
Yorgos Thessalonikefs (10 Jan 25)
- Use TCP_NODELAY on TLS sockets to speed up the TLS handshake.
-
Yorgos Thessalonikefs (31 Dec 24)
Changelog entry for #1174: - Merge #1174: Serve expired cache update fixes. Fixes a regression bug with serve-expired that appeared in 1.22.0 and would not allow the iterator to update the cache with not-yet-validated entries resulting in increased outgoing traffic.
-
Yorgos Thessalonikefs (31 Dec 24)
Serve expired cache update fixes (#1174) - Fixes a regression bug with serve-expired that appeared in 1.22.0 and would not allow the iterator to update the cache with not-yet-validated entries resulting in increased outgoing traffic. - Treat serve_expired_norec_ttl as a backoff timer for failed updates of expired records. - Try to use expired answers instead of SERVFAIL if serve-expired is enabled even without serve-expired-client-timeout. - Add suggestion to refresh the cached norec_ttl and expired_ttl when a response cannot update the usable expired entry.
-
Yorgos Thessalonikefs (20 Dec 24)
- For #1207: [FR] Support for RESINFO RRType 261 (RFC9606), add LDNS_RR_TYPE_RESINFO similar to LDNS_RR_TYPE_TXT.
-
Yorgos Thessalonikefs (13 Dec 24)
Changelog entry for #1204: - Merge #1204: ci: set persist-credentials: false for actions/checkout per zizmor suggestion.
-
Yorgos Thessalonikefs (13 Dec 24)
Merge pull request #1204 from NLnetLabs/zizmor-improvements
-
Maarten Aertsen (13 Dec 24)
set persist-credentials: false per zizmor suggestion
-
Yorgos Thessalonikefs (03 Dec 24)
- Fix typo in log_servfail.tdir test.
-
Yorgos Thessalonikefs (03 Dec 24)
Changelog entry for #1187: - Merge #1187: Create the SSL_CTX for QUIC before chroot and privilege drop.
-
Yorgos Thessalonikefs (03 Dec 24)
Create the SSL_CTX for QUIC before chroot and privilege drop (#1187) Fixes #1185 by creating the SSL_CTX for QUIC before chroot and privilege drop, just like the other SSL_CTX creations. --------- Co-authored-by: Wouter Wijngaards <[email protected]>
-
Yorgos Thessalonikefs (03 Dec 24)
- Safeguard alias loop while looking in the cache for expired answers.
-
Yorgos Thessalonikefs (03 Dec 24)
- Merge #1198: Fix log-servfail with serve expired and no useful cache contents.
-
Yorgos Thessalonikefs (03 Dec 24)
Merge pull request #1198 from NLnetLabs/bugfix/log-servfail-serve-expired Fix log-servfail with serve expired and no useful cache contents
-
Yorgos Thessalonikefs (03 Dec 24)
- For #1175, the default value of serve-expired-ttl is set to 86400 (1 day) as suggested by RFC8767.
-
Yorgos Thessalonikefs (03 Dec 24)
Changelog entry for #1189, #1197: - Merge #1189: Fix the dname_str method to cause conversion errors when the domain name length is 255. - Merge #1197: dname_str() fixes.
-
Yorgos Thessalonikefs (03 Dec 24)
Merge pull request #1197 from NLnetLabs/dname_str-more-tests dname_str() fixes
-
Yorgos Thessalonikefs (02 Dec 24)
- For #1193, introduce log-servfail.tdir and cleanup the log-servfail setting from other tests.
-
Yorgos Thessalonikefs (02 Dec 24)
- Fix #1193: log-servfail fails to log host SERVFAIL responses in Unbound 1.19.2 on Ubuntu 24.04.1 LTS, by not considering cached failures when trying to reply with expired data.
-
Yorgos Thessalonikefs (02 Dec 24)
- For #1189, homogenize the input buffer size for dname_str().
-
Yorgos Thessalonikefs (02 Dec 24)
- For #1189, add unit tests for dname_str() and debug check the input buffer size.
-
wenxuan70 (24 Nov 24)
Fix the dname_str method to cause conversion errors when the domain name length is 255
Unbound Website
Website
NLnet Labs - Unbound - About
Unbound is a validating, recursive, caching DNS resolver. It is designed to be fast and lean and incorporates modern features based on open standards. To help increase online privacy, Unbound supports DNS-over-TLS and DNS-over-HTTPS which allows clients to encrypt their communication. In addition, it supports various modern standards that limit …
Redirects
Redirects to https://nlnetlabs.nl/projects/unbound/about/
Security Checks
All 66 security checks passed
Server Details
- IP Address 185.49.140.10
- Hostname open.nlnetlabs.nl
- Location Amsterdam, Noord-Holland, Netherlands (Kingdom of the), EU
- ISP Stichting NLnet Labs
- ASN AS8587
Associated Countries
-
NL
-
US
-
DE
Saftey Score
Website marked as safe
100%
Blacklist Check
nlnetlabs.nl was found on 0 blacklists
- ThreatLog
- OpenPhish
- PhishTank
- Phishing.Database
- PhishStats
- URLhaus
- RPiList Not Serious
- AntiSocial Blacklist
- PhishFeed
- NABP Not Recommended Sites
- Spam404
- CRDF
- Artists Against 419
- CERT Polska
- PetScams
- Suspicious Hosting IP
- Phishunt
- CoinBlockerLists
- MetaMask EthPhishing
- EtherScamDB
- EtherAddressLookup
- ViriBack C2 Tracker
- Bambenek Consulting
- Badbitcoin
- SecureReload Phishing List
- Fake Website Buster
- TweetFeed
- CryptoScamDB
- StopGunScams
- ThreatFox
- PhishFort
Website Preview
Unbound Docker
Container Info
pihole-unbound
A Linux network-level advertisement and Internet tracker blocking application which acts as a DNS sinkhole. This version has Ubound software installed on it so you don't need to rely on external DNS providers. When the installation is complete, navigate to your.ip.goes.here:1010/admin. Follow the article <a href='https://medium.com/@niktrix/getting-rid-of-systemd-resolved-consuming-port-53-605f0234f32f'>here</a>
DockerHub Metrics
- Pull Count 2,260,537
- Stars 65
- Date Created 31 Dec 20
- Last Updated 8 months ago
View on DockerHub
cbcrowe/pihole-unboundRun Command
docker run -d \ -p 53:53/tcp \ -p 53:53/udp \ -p 1010:80/tcp \ -p 4443:443/tcp \ -e ServerIP=${ServerIP} \ -e TZ=${TZ} \ -e DNSSEC=${DNSSEC} \ -e DNS1=${DNS1} \ -e DNS2=${DNS2} \ -v /portainer/Files/AppData/Config/PiHole-Unbound:/etc/pihole \ -v /portainer/Files/AppData/Config/PiHole-Unbound/DNS:/etc/dnsmasq.d \ --restart=unless-stopped \ cbcrowe/pihole-unbound:latest
Compose File
version: 3.8 services: pi-hole-unbound: image: cbcrowe/pihole-unbound:latest ports: - 53:53:tcp - 53:53:udp - 1010:80:tcp - 4443:443:tcp environment: ServerIP: 192.168.0.X TZ: Europe\London DNSSEC: DNS1: 127.0.0.1#5335 DNS2: 127.0.0.1#5335 volumes: - /portainer/Files/AppData/Config/PiHole-Unbound:/etc/pihole - /portainer/Files/AppData/Config/PiHole-Unbound/DNS:/etc/dnsmasq.d restart: unless-stopped
Environment Variables
- Var Name Default
- ServerIP 192.168.0.X
- TZ Europe\London
- DNSSEC null
- DNS1 127.0.0.1#5335
- DNS2 127.0.0.1#5335
Port List
- 53:53/tcp
- 53:53/udp
- 1010:80/tcp
- 4443:443/tcp
Volume Mounting
- /portainer/Files/AppData/Config/PiHole-Unbound /etc/pihole
- /portainer/Files/AppData/Config/PiHole-Unbound/DNS /etc/dnsmasq.d
Permissions
- read ✅ Yes
- write ✅ Yes
- admin ✅ Yes
Unbound Reviews
More DNS Clients
-
A flexible DNS proxy, with support for modern encrypted DNS protocols including DNSCrypt V2, DNS-over-HTTPS and Anonymized DNSCrypt. Also allows for advanced monitoring, filtering, caching and client IP protection through Tor, SOCKS proxies or Anonymized DNS relays.
-
Non-root, small-sized DNS changer utilizing DNS-over-HTTPS and DNS-over-TLS. (Note, since this uses Android's VPN API, it is not possible to run a VPN while using Nebulo.)
-
Free and open source DNS changer with support for DNS-over-HTTPS, DNS-over-Tor, and DNSCrypt v3 with Anonymized Relays. (Note, since this uses Android's VPN API, it is not possible to run a VPN while using RethinkDNS + Firewall.)
-
Simple all that allows for the use for dnscrypt-proxy 2 on an iPhone.
-
Stubby
(Desktop [Linux, Mac, OpenWrt & Windows])
dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+StubbyActs as a local DNS Privacy stub resolver (using DNS-over-TLS). Stubby encrypts DNS queries sent from a client machine (desktop or laptop) to a DNS Privacy resolver increasing end user privacy. Stubby can be used in combination with Unbound - Unbound provides a local cache and Stubby manages the upstream TLS connections (since Unbound cannot yet re-use TCP/TLS connections), see example configuration.
About the Data: Unbound
API
You can access Unbound's data programmatically via our API.
Simply make a GET
request to:
https://api.awesome-privacy.xyz/networking/dns-clients/unbound
The REST API is free, no-auth and CORS-enabled. To learn more, view the Swagger Docs or read the API Usage Guide.
About the Data
Beyond the user-submitted YAML you see above, we also augment each listing with additional data dynamically fetched from several sources. To learn more about where the rest of data included in this page comes from, and how it is computed, see the About the Data section of our About page.
Share Unbound
Help your friends compare DNS Clients, and pick privacy-respecting software and services.
Share Unbound and Awesome Privacy with your network!