Unbound Icon

Validating, recursive, caching DNS resolve with support for DNS-over-TLS. Designed to be fast, lean, and secure Unbound incorporates modern features based on open standards. It's fully open source, and recently audited. (For an in-depth tutorial, see this article by DNSWatch.)

Open Source

Unbound Source Code




Unbound is a validating, recursive, and caching DNS resolver.







13 Jun 17

Last Updated

17 May 24

Latest version


Primary Language



102,279 KB







Language Usage

Language Usage

Star History

Star History

Recent Commits

  • Yorgos Thessalonikefs (17 May 24)

    Changelog entry for #1069: - Merge #1069: Fix unbound-control stdin commands for multi-process Unbounds.

  • Yorgos Thessalonikefs (17 May 24)

    Fix unbound-control stdin commands for multi-process Unbounds (#1069) - Fix unbound-control commands that read stdin in multi-process operation (local_zones_remove, local_zones, local_datas_remove, local_datas, view_local_datas_remove, view_local_datas). They will be properly distributed to all processes. dump_cache and load_cache are no longer supported in multi-process operation. - Remove testdata/remote-threaded.tdir. testdata/09-unbound-control.tdir now checks both single and multi process/thread operation. --------- Co-authored-by: Wouter Wijngaards <[email protected]>

  • W.C.A. Wijngaards (16 May 24)

    - Fix #1071: [FR] Clear both in-memory and cachedb module cache with `unbound-control flush*` commands.

  • Yorgos Thessalonikefs (16 May 24)

    Changelog entry for #1070: - Merge #1070: Fix rtt assignement for low values of infra-cache-max-rtt.

  • Yorgos Thessalonikefs (16 May 24)

    Fix rtt assignement for low values of infra-cache-max-rtt (#1070) * Fix rtt assignement for still useful servers when a low value for infra-cache-max-rtt is configured.

  • Yorgos Thessalonikefs (15 May 24)

    - Add missing common functions to tdir tests.

  • W.C.A. Wijngaards (10 May 24)

    - Fix when the mesh jostle is exceeded that nameserver targets are marked as resolved, so that the lookup is not stuck on the requestlist.

  • W.C.A. Wijngaards (08 May 24)

    - Fix to squelch udp connect errors in the log at low verbosity about invalid argument for IPv6 link local addresses.

  • W.C.A. Wijngaards (08 May 24)

    The code repository continues with version 1.20.1.

  • W.C.A. Wijngaards (07 May 24)

    - Fix for #1062: declaration before statement, avoid print of null, and redundant check for array size. And changelog note for merge of #1062.

  • Wouter Wijngaards (07 May 24)

    Merge pull request #1062 from xiaoxiaoafeifei/master Fix potential overflow bug while parsing port in function cfg_mark_ports

  • zhailiangliang (07 May 24)

    Fix potential overflow bug while parsing port in function cfg_mark_ports

  • W.C.A. Wijngaards (01 May 24)

    - Set version number to 1.20.0 for release.

  • W.C.A. Wijngaards (01 May 24)

    - Fix for the DNSBomb vulnerability CVE-2024-33655. Thanks to Xiang Li from the Network and Information Security Lab of Tsinghua University for reporting it.

  • W.C.A. Wijngaards (29 Apr 24)

    - Fix doxygen comment for errinf_to_str_bogus.

  • Yorgos Thessalonikefs (29 Apr 24)

    - Cleanup unnecessary strdup calls for EDE strings.

  • W.C.A. Wijngaards (26 Apr 24)

    - Man page entry for unbound-checkconf -q.

  • Yorgos Thessalonikefs (26 Apr 24)

    - Fix #876: [FR] can unbound-checkconf be silenced when configuration is valid?

  • W.C.A. Wijngaards (26 Apr 24)

    - Add unit tests for cachedb and subnet cache expired data.

  • W.C.A. Wijngaards (26 Apr 24)

    - Fix cachedb with serve-expired-client-timeout disabled. The edns subnet module deletes global cache and cachedb cache when it stores a result, and serve-expired is enabled, so that the global reply, that is older than the ecs reply, does not return after the ecs reply expires.

  • W.C.A. Wijngaards (25 Apr 24)

    - Fix doc unit test for out of directory build.

  • W.C.A. Wijngaards (25 Apr 24)

    - Fix to disable fragmentation on systems with IP_DONTFRAG, with a nonzero value for the socket option argument.

  • W.C.A. Wijngaards (25 Apr 24)

    Changelog note for #1041 and #1038. - Merge #1041: Stub and Forward unshare. This has one structure for them and fixes #1038: fatal error: Could not initialize thread / error: reading root hints.

  • Wouter Wijngaards (25 Apr 24)

    Merge pull request #1041 from NLnetLabs/stubfwd-unshare Stub and Forward unshare

  • Yorgos Thessalonikefs (25 Apr 24)

    Update locking management for iter_fwd and iter_hints methods. (#1054) fast reload, move most of the locking management to iter_fwd and iter_hints methods. The caller still has the ability to handle its own locking, if desired, for atomic operations on sets of different structs. Co-authored-by: Wouter Wijngaards <[email protected]>

  • W.C.A. Wijngaards (25 Apr 24)

    - Fix configure flto check error, by finding grep for it.

  • W.C.A. Wijngaards (24 Apr 24)

    - Fix ci workflow for macos for moved install locations.

  • Yorgos Thessalonikefs (23 Apr 24)

    - Merge #1053: Remove child delegations from cache when grandchild delegations are returned from parent.

  • Yorgos Thessalonikefs (22 Apr 24)

    - When a granchild delegation is returned, remove any cached child delegations up to parent to not cause delegation invalidation because of an expired child delegation that would never be updated. Most likely to happen without qname-minimisation. Reported by Roland van Rijswijk-Deij.

  • W.C.A. Wijngaards (22 Apr 24)

    - Fix edns subnet to sort rrset references when storing messages in the cache. This fixes a race condition in the rrset locks.

Unbound Website


NLnet Labs - Unbound - About

Unbound is a validating, recursive, caching DNS resolver. It is designed to be fast and lean and incorporates modern features based on open standards. To help increase online privacy, Unbound supports DNS-over-TLS and DNS-over-HTTPS which allows clients to encrypt their communication. In addition, it supports various modern standards that limit …


Redirects to https://nlnetlabs.nl/projects/unbound/about/

Security Checks

All 66 security checks passed

Server Details

  • IP Address
  • Hostname open.nlnetlabs.nl
  • Location Amsterdam, Noord-Holland, Netherlands (Kingdom of the), EU
  • ISP Stichting NLnet Labs
  • ASN AS8587

Associated Countries

  • NL
  • US
  • DE

Saftey Score

Website marked as safe


Blacklist Check

nlnetlabs.nl was found on 0 blacklists

  • ThreatLog
  • OpenPhish
  • PhishTank
  • Phishing.Database
  • PhishStats
  • URLhaus
  • RPiList Not Serious
  • AntiSocial Blacklist
  • PhishFeed
  • NABP Not Recommended Sites
  • Spam404
  • CRDF
  • Artists Against 419
  • CERT Polska
  • PetScams
  • Suspicious Hosting IP
  • Phishunt
  • CoinBlockerLists
  • MetaMask EthPhishing
  • EtherScamDB
  • EtherAddressLookup
  • ViriBack C2 Tracker
  • Bambenek Consulting
  • Badbitcoin
  • SecureReload Phishing List
  • Fake Website Buster
  • TweetFeed
  • CryptoScamDB
  • StopGunScams
  • ThreatFox
  • PhishFort

Website Preview

Unbound Docker

Container Info


A Linux network-level advertisement and Internet tracker blocking application which acts as a DNS sinkhole. This version has Ubound software installed on it so you don't need to rely on external DNS providers. When the installation is complete, navigate to your.ip.goes.here:1010/admin. Follow the article <a href='https://medium.com/@niktrix/getting-rid-of-systemd-resolved-consuming-port-53-605f0234f32f'>here</a>


DockerHub Metrics

  • Pull Count 2,123,520
  • Stars 58
  • Date Created 31 Dec 20
  • Last Updated 4 months ago

View on DockerHub


Run Command

docker run -d \ 
  -p 53:53/tcp \
  -p 53:53/udp \
  -p 1010:80/tcp \
  -p 4443:443/tcp \
  -e ServerIP=${ServerIP} \
  -e TZ=${TZ} \
  -e DNS1=${DNS1} \
  -e DNS2=${DNS2} \
  -v /portainer/Files/AppData/Config/PiHole-Unbound:/etc/pihole \
  -v /portainer/Files/AppData/Config/PiHole-Unbound/DNS:/etc/dnsmasq.d \
  --restart=unless-stopped \

Compose File

version: 3.8
    image: cbcrowe/pihole-unbound:latest
      - 53:53:tcp
      - 53:53:udp
      - 1010:80:tcp
      - 4443:443:tcp
      ServerIP: 192.168.0.X
      TZ: Europe\London
      - /portainer/Files/AppData/Config/PiHole-Unbound:/etc/pihole
      - /portainer/Files/AppData/Config/PiHole-Unbound/DNS:/etc/dnsmasq.d
    restart: unless-stopped

Environment Variables

  • Var Name Default
  • ServerIP 192.168.0.X
  • TZ Europe\London
  • DNSSEC null
  • DNS1
  • DNS2

Port List

  • 53:53/tcp
  • 53:53/udp
  • 1010:80/tcp
  • 4443:443/tcp

Volume Mounting

  • /portainer/Files/AppData/Config/PiHole-Unbound /etc/pihole
  • /portainer/Files/AppData/Config/PiHole-Unbound/DNS /etc/dnsmasq.d


  • read ✅ Yes
  • write ✅ Yes
  • admin ✅ Yes

Unbound Reviews

More DNS Clients

About the Data: Unbound


You can access Unbound's data programmatically via our API. Simply make a GET request to:


The REST API is free, no-auth and CORS-enabled. To learn more, view the Swagger Docs or read the API Usage Guide.

About the Data

Beyond the user-submitted YAML you see above, we also augment each listing with additional data dynamically fetched from several sources. To learn more about where the rest of data included in this page comes from, and how it is computed, see the About the Data section of our About page.

Share Unbound

Help your friends compare DNS Clients, and pick privacy-respecting software and services.
Share Unbound and Awesome Privacy with your network!

View DNS Clients (6)