Unbound
nlnetlabs.nl/projects/unbound Desktop [Linux, Mac, OpenWrt & Windows]Validating, recursive, caching DNS resolve with support for DNS-over-TLS. Designed to be fast, lean, and secure Unbound incorporates modern features based on open standards. It's fully open source, and recently audited. (For an in-depth tutorial, see this article by DNSWatch.)
- Homepage: nlnetlabs.nl/projects/unbound
- GitHub: github.com/NLnetLabs/unbound
- Privacy: tosdr.org/en/service/2519
- Web info: web-check.xyz/results/nlnetlabs.nl
Unbound Source Code
Author
Description
Unbound is a validating, recursive, and caching DNS resolver.
Homepage
https://nlnetlabs.nl/unboundLicense
BSD-3-Clause
Created
13 Jun 17
Last Updated
04 Oct 24
Latest version
Primary Language
C
Size
101,568 KB
Stars
3,063
Forks
349
Watchers
3,063
Language Usage
Star History
Top Contributors
- @wcawijngaards (6477)
- @gthess (511)
- @ralphdolmans (325)
- @wtoorop (55)
- @Philip-NLnetLabs (37)
- @fobser (19)
- @noloader (17)
- @TCY16 (17)
- @Maryse47 (11)
- @pemensik (9)
- @countsudoku (8)
- @PMunch (8)
- @episource (7)
- @AlexanderBand (6)
- @Talkabout (6)
- @vvfedorenko (6)
- @k9982874 (6)
- @cgallred (5)
- @kimheino (5)
- @Shchelk (5)
- @ziollek (5)
- @xiaoxiaoafeifei (4)
- @edmonds (3)
- @dyunwei (3)
- @eaglegai (3)
- @fhriley (3)
- @FGasper (3)
- @rcmcdonald91 (3)
- @orbea (2)
- @mibere (2)
Recent Commits
- Yorgos Thessalonikefs (03 Oct 24)
- The fix for CVE-2024-8508 was part of 1.21.1, a security point release on 1.21.0. The code repository continues with this fix and the version number 1.22.0.
- Yorgos Thessalonikefs (03 Oct 24)
Merge branch 'release-1.21.1'
- Yorgos Thessalonikefs (03 Oct 24)
- Fix CVE-2024-8508, unbounded name compression could lead to denial of service.
- Yorgos Thessalonikefs (03 Oct 24)
- Set version to 1.21.1
- W.C.A. Wijngaards (30 Sept 24)
- Fix unbound dnstap socket test program analyzer warnings about unused variable assignments and variable initialization.
- W.C.A. Wijngaards (30 Sept 24)
- Fix negative cache NSEC3 parameter compares for zero length NSEC3 salt.
- W.C.A. Wijngaards (25 Sept 24)
- Fix #1144: [FR] log timestamps in ISO8601 format with timezone. This adds the option `log-time-iso: yes` that logs in ISO8601 format.
- Yorgos Thessalonikefs (24 Sept 24)
Changelog entry for #1143: - Merge #1143: Fix cache update when serve expired is used. Expired records are favored over resolution and validation failures when serve-expired is used.
- Yorgos Thessalonikefs (24 Sept 24)
Fix cache update when serve expired is used (#1143) - Fix cache update when serve expired is used in order to not evict still usable expired records. Modules are forbidden to update the cache if their answer is DNSSEC unchecked or bogus and a valid (expired) entry already exists. Bogus replies from the validator are also discarded in favor of existing (expired) valid replies. - serve-expired-ttl-reset should try to keep expired records in the cache in case they are reset.
- Yorgos Thessalonikefs (24 Sept 24)
- More clear text for prefetch and minimal-responses in the unbound.conf man page.
- Yorgos Thessalonikefs (24 Sept 24)
- Attempt to further fix doh_downstream_buffer_size.tdir flakiness.
- Yorgos Thessalonikefs (23 Sept 24)
- Fix doxygen warnings by commenting out CLANG_ASSISTED_PARSING, CLANG_ADD_INC_PATHS, CLANG_OPTIONS and CLANG_DATABASE_PATH; they were already disabled.
- W.C.A. Wijngaards (23 Sept 24)
- Fix dns64 with prefetch that the prefetch is stored in cache.
- W.C.A. Wijngaards (17 Sept 24)
- Add redis-command-timeout: 20 and redis-connect-timeout: 200, that can set the timeout separately for commands and the connection set up to the redis server. If they are not specified, the redis-timeout value is used.
- W.C.A. Wijngaards (16 Sept 24)
Changelog comment for #1140. - Merge #1140: Fix spelling mistake in comments.
- Tochus (16 Sept 24)
Fix spelling mistake in comments (#1140) I noticed a spelling mistake in the comments. The term “chain of trust” was incorrectly written as “chainoftrust”. This change corrects the spelling to “chain of trust” which is the correct term used in English.
- Yorgos Thessalonikefs (11 Sept 24)
- Fix and add comments in testdata/val_negcache_ttl.rpl.
- W.C.A. Wijngaards (10 Sept 24)
- Add unit test for ttl limit for aggressive nsec.
- W.C.A. Wijngaards (10 Sept 24)
- Fix to limit NSEC and NSEC3 TTL when aggressive nsec is enabled (RFC9077).
- Yorgos Thessalonikefs (06 Sept 24)
- Fix comment to not trigger doxygen unknown command.
- Yorgos Thessalonikefs (06 Sept 24)
- Fix alloc-size and calloc-transposed-args compiler warnings.
- W.C.A. Wijngaards (05 Sept 24)
- Fix config file read for dnstap-sample-rate.
- W.C.A. Wijngaards (02 Sept 24)
Changelog note for #1135 - Merge #1135: Add new IANA trust anchor.
- Keelan Cannoo (02 Sept 24)
Add new IANA trust anchor (#1135) Signed-off-by: Keelan Cannoo <[email protected]> Co-authored-by: Keelan10 <[email protected]>
- W.C.A. Wijngaards (30 Aug 24)
- Fix for #1132, comment about adjusted copy of reference check.
- W.C.A. Wijngaards (30 Aug 24)
Changelog note for #1132 and fix for #1132. - Merge #1132: b.root renumbering. - Fix for #1132, adjusted unit test for change in the test file.
- Loganaden Velvindron (30 Aug 24)
b.root renumbering (#1132) https://b.root-servers.org/news/2023/05/16/new-addresses.html Worked together with Jaykishan Muktawoa <[email protected]>
- W.C.A. Wijngaards (29 Aug 24)
- Fix to print port number in logs for auth zone transfer activities.
- W.C.A. Wijngaards (29 Aug 24)
- Unit test for auth zone transfer TLS, and TLS failure.
- W.C.A. Wijngaards (28 Aug 24)
- Fix that stub-zone and forward-zone clauses do not exhaust memory for long content.
Unbound Website
Website
NLnet Labs - Unbound - About
Unbound is a validating, recursive, caching DNS resolver. It is designed to be fast and lean and incorporates modern features based on open standards. To help increase online privacy, Unbound supports DNS-over-TLS and DNS-over-HTTPS which allows clients to encrypt their communication. In addition, it supports various modern standards that limit …
Redirects
Redirects to https://nlnetlabs.nl/projects/unbound/about/
Security Checks
All 66 security checks passed
Server Details
- IP Address 185.49.140.10
- Hostname open.nlnetlabs.nl
- Location Amsterdam, Noord-Holland, Netherlands (Kingdom of the), EU
- ISP Stichting NLnet Labs
- ASN AS8587
Associated Countries
- NL
- US
- DE
Saftey Score
Website marked as safe
100%
Blacklist Check
nlnetlabs.nl was found on 0 blacklists
- ThreatLog
- OpenPhish
- PhishTank
- Phishing.Database
- PhishStats
- URLhaus
- RPiList Not Serious
- AntiSocial Blacklist
- PhishFeed
- NABP Not Recommended Sites
- Spam404
- CRDF
- Artists Against 419
- CERT Polska
- PetScams
- Suspicious Hosting IP
- Phishunt
- CoinBlockerLists
- MetaMask EthPhishing
- EtherScamDB
- EtherAddressLookup
- ViriBack C2 Tracker
- Bambenek Consulting
- Badbitcoin
- SecureReload Phishing List
- Fake Website Buster
- TweetFeed
- CryptoScamDB
- StopGunScams
- ThreatFox
- PhishFort
Website Preview
Unbound Docker
Container Info
pihole-unbound
A Linux network-level advertisement and Internet tracker blocking application which acts as a DNS sinkhole. This version has Ubound software installed on it so you don't need to rely on external DNS providers. When the installation is complete, navigate to your.ip.goes.here:1010/admin. Follow the article <a href='https://medium.com/@niktrix/getting-rid-of-systemd-resolved-consuming-port-53-605f0234f32f'>here</a>
DockerHub Metrics
- Pull Count 2,223,601
- Stars 63
- Date Created 31 Dec 20
- Last Updated 5 months ago
View on DockerHub
cbcrowe/pihole-unboundRun Command
docker run -d \ -p 53:53/tcp \ -p 53:53/udp \ -p 1010:80/tcp \ -p 4443:443/tcp \ -e ServerIP=${ServerIP} \ -e TZ=${TZ} \ -e DNSSEC=${DNSSEC} \ -e DNS1=${DNS1} \ -e DNS2=${DNS2} \ -v /portainer/Files/AppData/Config/PiHole-Unbound:/etc/pihole \ -v /portainer/Files/AppData/Config/PiHole-Unbound/DNS:/etc/dnsmasq.d \ --restart=unless-stopped \ cbcrowe/pihole-unbound:latest
Compose File
version: 3.8 services: pi-hole-unbound: image: cbcrowe/pihole-unbound:latest ports: - 53:53:tcp - 53:53:udp - 1010:80:tcp - 4443:443:tcp environment: ServerIP: 192.168.0.X TZ: Europe\London DNSSEC: DNS1: 127.0.0.1#5335 DNS2: 127.0.0.1#5335 volumes: - /portainer/Files/AppData/Config/PiHole-Unbound:/etc/pihole - /portainer/Files/AppData/Config/PiHole-Unbound/DNS:/etc/dnsmasq.d restart: unless-stopped
Environment Variables
- Var Name Default
- ServerIP 192.168.0.X
- TZ Europe\London
- DNSSEC null
- DNS1 127.0.0.1#5335
- DNS2 127.0.0.1#5335
Port List
- 53:53/tcp
- 53:53/udp
- 1010:80/tcp
- 4443:443/tcp
Volume Mounting
- /portainer/Files/AppData/Config/PiHole-Unbound /etc/pihole
- /portainer/Files/AppData/Config/PiHole-Unbound/DNS /etc/dnsmasq.d
Permissions
- read ✅ Yes
- write ✅ Yes
- admin ✅ Yes
Unbound Reviews
More DNS Clients
-
A flexible DNS proxy, with support for modern encrypted DNS protocols including DNSCrypt V2, DNS-over-HTTPS and Anonymized DNSCrypt. Also allows for advanced monitoring, filtering, caching and client IP protection through Tor, SOCKS proxies or Anonymized DNS relays.
-
Non-root, small-sized DNS changer utilizing DNS-over-HTTPS and DNS-over-TLS. (Note, since this uses Android's VPN API, it is not possible to run a VPN while using Nebulo.)
-
Free and open source DNS changer with support for DNS-over-HTTPS, DNS-over-Tor, and DNSCrypt v3 with Anonymized Relays. (Note, since this uses Android's VPN API, it is not possible to run a VPN while using RethinkDNS + Firewall.)
-
Simple all that allows for the use for dnscrypt-proxy 2 on an iPhone.
-
Stubby
(Desktop [Linux, Mac, OpenWrt & Windows])
dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+StubbyActs as a local DNS Privacy stub resolver (using DNS-over-TLS). Stubby encrypts DNS queries sent from a client machine (desktop or laptop) to a DNS Privacy resolver increasing end user privacy. Stubby can be used in combination with Unbound - Unbound provides a local cache and Stubby manages the upstream TLS connections (since Unbound cannot yet re-use TCP/TLS connections), see example configuration.
About the Data: Unbound
API
You can access Unbound's data programmatically via our API.
Simply make a GET
request to:
https://api.awesome-privacy.xyz/networking/dns-clients/unbound
The REST API is free, no-auth and CORS-enabled. To learn more, view the Swagger Docs or read the API Usage Guide.
About the Data
Beyond the user-submitted YAML you see above, we also augment each listing with additional data dynamically fetched from several sources. To learn more about where the rest of data included in this page comes from, and how it is computed, see the About the Data section of our About page.
Share Unbound
Help your friends compare DNS Clients, and pick privacy-respecting software and services.
Share Unbound and Awesome Privacy with your network!