Atlantic.Net Blog

How to Set Up Unbound DNS Resolver on Ubuntu 20.04

Hitesh Jethva
by Atlantic.Net (273 posts) under Tutorials, VPS Hosting

Unbound is a free, open-source, recursive, validating and caching DNS resolver. It can serve DNS-over-TLS to its clients and forward queries to upstream resolvers over TLS; DNS-over-HTTPS was added in Unbound 1.12, so it is not available in the 1.9.4 package that Ubuntu 20.04 ships. Neither is enabled by the configuration in this guide, which listens on plain port 53. Compared to BIND 9, Unbound is lightweight and fast. Because it caches answers, repeated lookups of the same names are served from memory instead of being resolved again from the authoritative servers, which cuts resolution time for everything that depends on DNS. It also performs DNSSEC validation against a configured trust anchor (the root zone key, which the Ubuntu package installs and keeps up to date).

In this post, we will show you how to set up Unbound DNS Resolver on Ubuntu 20.04.

Prerequisites

  • A fresh Ubuntu 20.04 server on the Atlantic.Net Cloud Platform
  • A root password configured on your server

Step 1 – Create Atlantic.Net Cloud Server

First, log in to your Atlantic.Net Cloud Server. Create a new server, choosing Ubuntu 20.04 as the operating system with at least 2GB RAM. Connect to your Cloud Server via SSH and log in using the credentials highlighted at the top of the page.

Once you are logged in to your Ubuntu 20.04 server, run the following command to update your base system with the latest available packages.

apt-get update -y

Step 2 – Install Required Dependencies

Before starting, you will need to install some basic DNS tools in your system. You can install all of them using the following command:

apt-get install bind9-utils dnsutils net-tools -y

Once all the packages are installed, you can proceed to the next step.

Step 3 – Install and Configure Unbound DNS

The Unbound package is available in the default Ubuntu repositories. You can install it using the following command:

apt-get install unbound -y

After installing Unbound, you will need to configure it. The main configuration file is /etc/unbound/unbound.conf, and on Ubuntu it includes every file matching /etc/unbound/unbound.conf.d/*.conf. Put your settings in a drop-in file there rather than editing the main file, so that package upgrades do not overwrite them:

nano /etc/unbound/unbound.conf.d/myunbound.conf

Add the following lines:

server:
    # Listen on all IPv4 interfaces, UDP and TCP, port 53
    interface: 0.0.0.0
    port: 53
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes

    # Thread, cache and socket tuning
    num-threads: 2
    outgoing-range: 512
    num-queries-per-thread: 1024
    msg-cache-size: 32m
    rrset-cache-size: 64m
    cache-max-ttl: 86400
    infra-host-ttl: 60
    infra-lame-ttl: 120
    so-rcvbuf: 4m
    so-sndbuf: 4m

    # Who may query. The 0.0.0.0/0 rule makes this an open resolver that
    # anyone on the Internet can use (and abuse for DNS amplification);
    # replace it with the networks of your own clients before going live.
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 allow

    # Privileges, logging and information hiding
    username: unbound
    directory: "/etc/unbound"
    verbosity: 0
    logfile: "/var/log/unbound.log"
    use-syslog: no
    hide-version: yes

remote-control:
    # unbound-control channel (TLS with client certificates). 0.0.0.0 exposes
    # port 953 on every interface; use 127.0.0.1 unless you manage it remotely.
    control-enable: yes
    control-port: 953
    control-interface: 0.0.0.0

Save and close the file, then validate it. Passing the file name checks that drop-in on its own; running unbound-checkconf with no argument checks the complete configuration, including the package's other drop-ins:

unbound-checkconf /etc/unbound/unbound.conf.d/myunbound.conf

You should get the following output:

unbound-checkconf: no errors in /etc/unbound/unbound.conf.d/myunbound.conf

Next, create the log file named in the configuration and hand it to the unbound user. With verbosity: 0 it only receives errors; raise verbosity to 1 or 2 while troubleshooting:

touch /var/log/unbound.log
chown unbound:unbound /var/log/unbound.log
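The configuration above works, but two of its settings deserve a second look before the server is reachable from the Internet. The script below is an added example, not part of this tutorial or of the Unbound project: it parses the clause/option syntax of unbound.conf and reports the settings a reviewer would flag (an access-control rule that allows 0.0.0.0/0, which turns the server into an open resolver usable for amplification attacks; allow_snoop for non-local clients; unbound-control bound to a non-loopback address; missing hide-identity or hide-version; val-permissive-mode). WEAK_CONF holds the security-relevant lines of the file above and HARDENED_CONF a corrected version; the 10.0.0.0/8 client network in it is an assumed placeholder for your own networks.

```python
"""Audit an Unbound configuration fragment for settings that weaken a resolver.

Added example (not from the tutorial). Run it directly to see the findings for
the weak and the hardened sample, or import audit() to check your own file.
"""
import ipaddress
import re

CLAUSE_RE = re.compile(r"^([a-z-]+):$")            # e.g. "server:" / "remote-control:"
OPTION_RE = re.compile(r"^([a-z0-9-]+):\s*(.+)$")  # e.g. "access-control: 0.0.0.0/0 allow"
ALLOW_ACTIONS = ("allow", "allow_setrd", "allow_snoop")


def parse_unbound_conf(text):
    """Return (clause, key, value) triples; comments and blank lines are skipped."""
    entries, clause = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = CLAUSE_RE.match(line)
        if m:
            clause = m.group(1)
            continue
        m = OPTION_RE.match(line)
        if m and clause:
            entries.append((clause, m.group(1), m.group(2).strip().strip('"')))
    return entries


def _is_loopback(addr):
    """True for 127.0.0.0/8, ::1 or a unix socket path (control-interface accepts those)."""
    if addr.startswith("/"):
        return True
    try:
        return ipaddress.ip_address(addr.split("@")[0]).is_loopback
    except ValueError:
        return False


def audit(text):
    """Return (code, detail) findings for a config fragment; an empty list means clean."""
    entries = parse_unbound_conf(text)
    server = [(k, v) for c, k, v in entries if c == "server"]
    remote = {k: v for c, k, v in entries if c == "remote-control"}
    single = dict(server)  # last value wins, used only for options that occur once
    findings = []

    for key, value in server:
        if key != "access-control":
            continue
        parts = value.split()
        if len(parts) < 2:
            continue
        try:
            net = ipaddress.ip_network(parts[0], strict=False)
        except ValueError:
            continue
        action = parts[1]
        if action in ALLOW_ACTIONS and net.prefixlen == 0:
            findings.append(("open-resolver", f"access-control: {value}"))
        if action == "allow_snoop" and not net.is_loopback:
            findings.append(("cache-snooping", f"access-control: {value}"))

    for key in ("hide-identity", "hide-version"):
        if single.get(key, "no") != "yes":  # Unbound's default for both is "no"
            findings.append(("info-leak", f"{key} is not set to yes"))
    if single.get("val-permissive-mode", "no") == "yes":
        findings.append(("dnssec-bypass", "val-permissive-mode: yes passes bogus answers to clients"))

    if remote.get("control-enable", "no") == "yes":
        iface = remote.get("control-interface", "127.0.0.1")  # Unbound defaults to localhost
        if not _is_loopback(iface):
            findings.append(("control-exposed", f"control-interface: {iface}"))
            if remote.get("control-use-cert", "yes") == "no":
                findings.append(("control-no-tls", "control-use-cert: no on a non-loopback interface"))
    return findings


# Security-relevant lines from the tutorial's configuration above.
WEAK_CONF = """
server:
    interface: 0.0.0.0
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 allow
    hide-version: yes
remote-control:
    control-enable: yes
    control-port: 953
    control-interface: 0.0.0.0
"""

# Corrected version; 10.0.0.0/8 is an assumed placeholder for your client networks.
HARDENED_CONF = """
server:
    interface: 0.0.0.0
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/8 allow   # your clients
    access-control: 0.0.0.0/0 refuse   # everyone else gets REFUSED
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    qname-minimisation: yes
remote-control:
    control-enable: yes
    control-port: 953
    control-interface: 127.0.0.1
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit(conf) or 'no findings'}")
```

Run it against your own drop-in with `python3 -c 'import sys, unbound_audit; print(unbound_audit.audit(open(sys.argv[1]).read()))' /etc/unbound/unbound.conf.d/myunbound.conf` (the module name is whatever you save the file as). The checks are deliberately conservative: a rule like `10.0.0.0/8 allow` is fine, only a zero-length prefix with an allow action is reported, and the remote-control check accepts a unix socket path as local.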

Step 4 – Start Unbound DNS Service

At this point, Unbound DNS is installed and configured. Now, restart the Unbound service and enable it to start at system reboot:

systemctl restart unbound
systemctl enable unbound

You can also verify the status of Unbound with the following command:

systemctl status unbound

Sample output:

● unbound.service - Unbound DNS server
     Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2021-08-15 06:30:33 UTC; 7s ago
       Docs: man:unbound(8)
    Process: 2788 ExecStartPre=/usr/lib/unbound/package-helper chroot_setup (code=exited, status=0/SUCCESS)
    Process: 2791 ExecStartPre=/usr/lib/unbound/package-helper root_trust_anchor_update (code=exited, status=0/SUCCESS)
   Main PID: 2804 (unbound)
      Tasks: 2 (limit: 2353)
     Memory: 4.8M
     CGroup: /system.slice/unbound.service
             └─2804 /usr/sbin/unbound -d

Aug 15 06:30:32 ubuntu2004 systemd[1]: Starting Unbound DNS server...
Aug 15 06:30:33 ubuntu2004 package-helper[2796]: /var/lib/unbound/root.key has content
Aug 15 06:30:33 ubuntu2004 package-helper[2796]: success: the anchor is ok
Aug 15 06:30:33 ubuntu2004 systemd[1]: Started Unbound DNS server.

Unbound is now listening on port 53 for clients and on port 953 for unbound-control. The listener on 127.0.0.53 belongs to systemd-resolved and does not conflict, because Unbound binds the other addresses; note that the server itself keeps resolving through systemd-resolved until you point /etc/resolv.conf (or resolved's DNS= setting) at 127.0.0.1. Since Unbound is bound to 0.0.0.0 and the configuration allows 0.0.0.0/0, the server's public address is an open resolver at this point; tighten the access-control rules before leaving it running. Check the listeners with the following command:

ss -antpl | grep 53

Sample output:

LISTEN    0         256                0.0.0.0:53               0.0.0.0:*        users:(("unbound",pid=3407,fd=6))                                              
LISTEN    0         256                0.0.0.0:53               0.0.0.0:*        users:(("unbound",pid=3407,fd=4))                                              
LISTEN    0         4096         127.0.0.53%lo:53               0.0.0.0:*        users:(("systemd-resolve",pid=356,fd=13))                                      
LISTEN    0         256                0.0.0.0:953              0.0.0.0:*        users:(("unbound",pid=3407,fd=7))                                              

Step 5 – Test Unbound DNS

Use dig to send a few queries to the new resolver and watch how the cache behaves. We will use ubuntu.com for testing.

dig ubuntu.com @localhost

Sample output:

; <<>> DiG 9.16.1-Ubuntu <<>> ubuntu.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6037
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ubuntu.com.			IN	A

;; ANSWER SECTION:
ubuntu.com.		60	IN	A	91.189.88.181
ubuntu.com.		60	IN	A	91.189.88.180

;; Query time: 307 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Aug 15 06:32:18 UTC 2021
;; MSG SIZE  rcvd: 71

The first query took 307 msec because Unbound had to resolve the name recursively, walking the delegation chain from the root servers down to the ubuntu.com name servers. The answer, with its 60-second TTL, is now in the cache.

Next, let’s run the same query again:

dig ubuntu.com @localhost

Sample output:

; <<>> DiG 9.16.1-Ubuntu <<>> ubuntu.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37832
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ubuntu.com.			IN	A

;; ANSWER SECTION:
ubuntu.com.		49	IN	A	91.189.88.180
ubuntu.com.		49	IN	A	91.189.88.181

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Aug 15 06:33:36 UTC 2021
;; MSG SIZE  rcvd: 71

The second query is answered from the cache in 0 msec. Notice that the TTL has counted down from 60 to 49: Unbound serves cached records with their remaining TTL, so a decreasing TTL on repeated queries is the sign of a cache hit, while a TTL that jumps back to the authoritative value means the record expired and was fetched again.

You can also test the Unbound DNS server from a client machine by pointing dig at the server's IP address. A working test returns status: NOERROR with the ra (recursion available) flag and an ANSWER section like the local queries above. If you instead get status: REFUSED and the warning "recursion requested but not available", as in the run below, Unbound declined to recurse for that client: it answers this way for source addresses that no access-control ... allow rule covers. Check that the client's network is allowed, that the service was restarted after the configuration change, and that port 53 (UDP and TCP) is open in the firewall:

dig ubuntu.com @69.87.221.220

Sample output:

; <<>> DiG 9.9.5-3ubuntu0.4-Ubuntu <<>> ubuntu.com @69.87.221.220
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 28051
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; Query time: 365 msec
;; SERVER: 69.87.221.220#53(69.87.221.220)
;; WHEN: Sun Aug 15 12:04:37 IST 2021
;; MSG SIZE  rcvd: 12
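The dig headers above carry everything needed to judge a resolver test: the status (RCODE), the flags (ra means the server recurses for this client, ad that the answer was DNSSEC-validated) and the TTLs, which count down on cached answers. The script below is an added example, not part of the tutorial or of Unbound: it builds a wire-format query, sends it over UDP, and decodes the response into those fields, so a client without dig can run the same check. The two response packets embedded in it are constructed by hand to mirror the NOERROR and REFUSED outputs above (they were not captured from a live server), and the script name dnscheck.py in the usage comment is only a suggestion.

```python
"""Send a DNS query to a resolver and decode the answer the way dig shows it.

Added example (not from the tutorial). Usage: python3 dnscheck.py 127.0.0.1 ubuntu.com
Without arguments it decodes two constructed packets so it can run offline.
"""
import os
import socket
import struct
import sys

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
TYPES = {1: "A", 5: "CNAME", 28: "AAAA"}
FLAG_BITS = (("qr", 0x8000), ("aa", 0x0400), ("tc", 0x0200), ("rd", 0x0100),
             ("ra", 0x0080), ("ad", 0x0020), ("cd", 0x0010))


def build_query(name, qtype=1, txid=None):
    """Wire-format query for name/qtype (1 = A) with the RD (recursion desired) bit set."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")  # unpredictable ID, as a resolver uses
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _read_name(data, off):
    """Decode a possibly compressed name; returns (name, offset just after it)."""
    labels, end = [], None
    for _ in range(128):  # bound the walk so a malicious pointer loop cannot hang us
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    else:
        raise ValueError("name compression loop")
    return ".".join(labels) + ".", end if end is not None else off


def parse_response(data):
    """Return id, rcode name, flag names and answer records from a response packet."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(data, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        value = socket.inet_ntoa(rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": value})
    return {"id": txid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "flags": [n for n, bit in FLAG_BITS if flags & bit], "answers": answers}


def query(server, name, timeout=3.0):
    """Query server over UDP port 53 and return the parsed response (needs network)."""
    pkt = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, (server, 53))
        data, _ = sock.recvfrom(4096)
    resp = parse_response(data)
    if resp["id"] != struct.unpack("!H", pkt[:2])[0]:
        raise ValueError("response ID does not match the query")  # cheap spoofing check
    return resp


def describe(resp):
    """One line in the spirit of dig's header, plus one line per answer record."""
    line = f"status: {resp['rcode']}, flags: {' '.join(resp['flags'])}"
    if "ra" not in resp["flags"]:
        line += " (recursion not available for this client)"
    for a in resp["answers"]:
        line += f"\n  {a['name']} {a['ttl']} {TYPES.get(a['type'], a['type'])} {a['data']}"
    return line


# Constructed packets (not captured) matching the dig outputs above:
# ID 6037, flags qr rd ra, NOERROR, two A records for ubuntu.com with TTL 60.
SAMPLE_NOERROR = bytes.fromhex(
    "179581800001000200000000" "067562756e747503636f6d00" "00010001"
    "c00c000100010000003c00045bbd58b5" "c00c000100010000003c00045bbd58b4")
# ID 28051, flags qr rd ad, REFUSED, no question echoed and no answers.
SAMPLE_REFUSED = bytes.fromhex("6d9381250000000000000000")

if __name__ == "__main__":
    for pkt in (SAMPLE_NOERROR, SAMPLE_REFUSED):
        print(describe(parse_response(pkt)))
    if len(sys.argv) == 3:
        first, second = query(sys.argv[1], sys.argv[2]), query(sys.argv[1], sys.argv[2])
        print(describe(first))
        print("second answer TTLs:", [a["ttl"] for a in second["answers"]])
```

Run with a server address and a name to query the resolver twice in a row: the second set of TTLs should be equal to or lower than the first when the answer came from cache. The parser deliberately stops after the answer section and ignores EDNS, which is all this check needs; a REFUSED response from Unbound, as in the packet constructed here, carries no answers and no ra flag.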

Step 6 – Troubleshooting Unbound

If you want to check the status of the Unbound DNS, run the following command:

unbound-control status

Sample output:

version: 1.9.4
verbosity: 0
threads: 2
modules: 3 [ subnet validator iterator ]
uptime: 65 seconds
options: reuseport control(ssl)
unbound (pid 3407) is running...

To dump the contents of the cache to a text file, for example to inspect what has been cached or to reload it with unbound-control load_cache after a restart, run the following command:

unbound-control dump_cache > cache.txt

You can view the dump with the following command (an empty dump like the one below means nothing is cached at the moment, for example right after a restart):

cat cache.txt

Sample output:

START_RRSET_CACHE
END_RRSET_CACHE
START_MSG_CACHE
END_MSG_CACHE
EOF

If a name keeps returning a stale or incorrect answer, remove it from the cache so that the next query is resolved afresh. flush drops the common record types (A, AAAA, CNAME, MX, NS, SOA and others) for that exact name; use flush_zone to drop a name together with everything below it:

unbound-control flush ubuntu.com

Conclusion

In the above guide, we explained how to install and use an Unbound DNS caching server on Ubuntu 20.04. We also performed some testing using the dig command to query Unbound DNS and get a response. Try it out on your VPS from Atlantic.Net today!
