Unbound is a validating, recursive, caching DNS resolver. It is designed to be fast and lean and incorporates modern features based on open standards.
To help increase online privacy, Unbound supports DNS-over-TLS which allows clients to encrypt their communication. In addition, it supports various modern standards that limit the amount of data exchanged with authoritative servers. These standards do not only improve privacy but also help to make the DNS more robust. The most important are Query Name Minimisation, the Aggressive Use of DNSSEC-Validated Cache and support for authority zones, which can be used to load a copy of the root zone.
Unbound runs on FreeBSD, OpenBSD, NetBSD, MacOS, Linux and Microsoft Windows, with packages available for most platforms. It is included in the base system of FreeBSD and OpenBSD and in the standard repositories of most Linux distributions. Installation and configuration are designed to be easy. Setting up a resolver for your machine or network can be done with only a few lines of configuration.
It is free, open source software under the BSD license. The guiding principles for our product development roadmap are first and foremost the security and privacy of the user. In addition, all functionality must be backed by well established open standards. We continually improve the functionality of Unbound for all of our users. This means we do not make custom builds or provide specific features to paying customers only. Our priorities are guided by the feedback from our user base, in particular, those users with a support contract, as well as the wider Internet community. Sponsored functionality will be given a higher priority where possible and is evaluated on a case-by-case basis.
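To make the claim "only a few lines of configuration" concrete, here is an added example (written for this page, not taken from the Unbound project) of a small `unbound.conf` for a LAN resolver that validates DNSSEC, serves both plain DNS and DNS-over-TLS to clients, turns on QNAME minimisation and aggressive NSEC caching, and loads a local copy of the root zone through an `auth-zone`. It is wrapped in a POSIX shell function so the rendered text can be reviewed or checked with `unbound-checkconf` before it is installed. The LAN prefix 192.0.2.0/24, the file paths and the certificate names are assumptions; the root server addresses are the public ones for b and c.

```shell
#!/bin/sh
# Added example (not from the Unbound project or the page's author): a minimal
# unbound.conf for a LAN resolver. Assumed values: the 192.0.2.0/24 LAN, the
# paths under /etc/unbound and /var/lib/unbound, and the certificate file names.

# Print the configuration to stdout so it can be reviewed or redirected to a file.
render_unbound_conf() {
    cat <<'EOF'
server:
    # Listen for clients on the LAN address: plain DNS on 53, DNS-over-TLS on 853
    # (Unbound serves TLS on any interface bound to tls-port, which defaults to 853).
    interface: 192.0.2.1
    interface: 192.0.2.1@853
    # Certificate and key presented to DNS-over-TLS clients (assumed paths).
    tls-service-key: "/etc/unbound/resolver.key"
    tls-service-pem: "/etc/unbound/resolver.pem"

    # Default-deny access control: only the LAN may query, everyone else is refused.
    access-control: 0.0.0.0/0 refuse
    access-control: 192.0.2.0/24 allow

    # Drop privileges and confine the daemon to its working directory.
    username: "unbound"
    chroot: "/var/lib/unbound"
    directory: "/var/lib/unbound"

    # DNSSEC validation with RFC 5011 automatic trust-anchor maintenance.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Privacy: send upstreams only the labels they need (QNAME minimisation) and
    # answer from cached NSEC/NSEC3 proofs where possible (aggressive use of cache).
    qname-minimisation: yes
    aggressive-nsec: yes

    # Hardening directives of the kind the page lists under Security.
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: yes
    hide-identity: yes
    hide-version: yes

    # Threaded mode: one worker thread per core on a two-core box.
    num-threads: 2

# Keep a local copy of the root zone and answer root queries from it
# instead of asking the root servers; fall back to normal recursion if
# the transfer fails.
auth-zone:
    name: "."
    primary: 199.9.14.201   # b.root-servers.net
    primary: 192.33.4.12    # c.root-servers.net
    fallback-enabled: yes
    for-downstream: no
    for-upstream: yes
    zonefile: "root.zone"   # relative to the directory: setting above
EOF
}

# Write the file and let unbound-checkconf reject mistakes before a restart.
install_unbound_conf() {
    render_unbound_conf > /etc/unbound/unbound.conf
    unbound-checkconf /etc/unbound/unbound.conf
}

# Usage on the resolver host: install_unbound_conf && unbound-control reload
```

The `access-control` lines are the part worth double-checking on any deployment: without the explicit `refuse` for 0.0.0.0/0, an interface reachable from outside the LAN would make the resolver usable by anyone, which is the classic open-resolver amplification problem.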
Reasons To Use Unbound
- Lightweight – Unbound was originally developed in C, based on a Java prototype. Its authors wrote the source code to be very modular in design and very lightweight. They wanted to design the smallest possible solution that would still meet the minimum requirements of a validator, resolver, and caching server. In addition to meeting these requirements, they wanted the server to achieve high performance. Unbound’s minimalistic design will be a recurring theme throughout the rest of this article.
- Easy to configure – Unbound is very easy to configure. It is configured through a configuration file that is quite like YAML (Yet Another Markup Language). There are not a great number of configuration directives needed to set up Unbound since the service has a relatively simple and single role.
- High performance – Unbound’s lightweight code structure and simple, modular design contribute to making Unbound an extremely high-performing recursive name server. Initial benchmark testing has shown Unbound to offer up to 2x the performance of other name servers (with or without DNSSEC validation enabled). Unbound essentially has two (2) modes of operation:
  - Threaded mode – uses the Libevent cross compiled wrapper library for added scalability
  - Forked mode – allows Unbound to operate unthreaded and forks separate processes
- Supports DNSSEC validation – Unbound was designed to perform DNSSEC validation, a mechanism to protect DNS data, from the ground up. DNSSEC validation is not implemented as a plug-in or bolt-on like some other DNS servers. It was designed integral to Unbound at its inception. This makes Unbound a higher performing solution than the others because validation code was optimized in Unbound. Additional features for trust anchor management (RFC 5011) are in the works and that will only serve to enhance an already great product.
- Adds software diversity – Enterprise customers and ISPs can now introduce a proven and reliable alternative to BIND for providing a validating, recursive, caching-only layer of DNS servers with Unbound. Unbound introduces software diversity to the masses. BIND DNS is at the center of what has been termed a “monoculture”. Software diversity is good for the Internet, and it’s good for the ISP and Enterprise too. Software and code diversity allows us to mix different DNS vendor solutions to provide the same or better service. A bug in one vendor’s product will not likely be visible in the others.
- Production-Ready – surfnet.nl announced back in September 2009 that all SURFnet DNS resolvers were DNSSEC capable. Their implementation of DNSSEC validation relied on the Unbound DNS server package. Other major carriers and ISPs (I cannot name for obvious reasons) are about to deploy Unbound, probably for all the same reasons stated in this blog post. If major carriers are starting to put Unbound into service for their customers, it makes sense that it’s ready for the enterprise as well.
- Single-purpose – Because Unbound was coded to be a validating, recursive, and caching resolver, it doesn’t suffer from the split or dual personalities that other DNS server solutions have. Unbound is, for the most part, a single-purpose server. Since Unbound is not authoritative for data, the code and function become simplified. There is no code to support Dynamic DNS updates, zone transfers, etc. Instead, this single-purpose server is best-in-class at what it was coded to support: recursion, validation, and caching resolution.
- Security – Unbound has not skimped on DNS Security at the expense of simplicity and performance. On the contrary. Unbound is feature-rich with DNS Security with its harden-glue, access control, max randomness for query ID and ports, response scrubbing, case preservation, and Denial of Service or DoS protection features. These are just some of the features that make Unbound one of the most secure DNS server implementations.
- Manageability – Unbound has an extended management command line interface (CLI) that provides remote management capabilities as well as an extensive set of network monitoring statistics. Unbound-control uses a secure connection from the client to the server running Unbound, using Secure Sockets Layer (SSL). Commands are sent from the client and responses from the server are displayed as output. An additional CLI, unbound-control-setup, is provided to generate the OpenSSL keys and configuration directives needed to get unbound-control operational. The statistics output can be used to “feed” known capacity planning tools such as Munin or Cacti for graphing many of the different baseline and extended statistics that Unbound tracks.
- Portable solution – Unbound has been ported to run on a wide range of hardware and OS platforms, including Linux, BSD, Solaris SPARC and x86, MacOS/X, and Windows. Windows 32-bit pre-compiled binary packages are available directly from NLnet Labs, or you can download the source package and compile it yourself.
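The Manageability item above describes unbound-control and unbound-control-setup but shows neither the configuration that enables the control channel nor what the statistics look like once they arrive. The following added example (written for this page; not the project's own script) renders the `remote-control:` fragment, lists the one-time setup and a few everyday commands, and then turns the `name=value` lines of `stats_noreset` into the two numbers an operator typically watches first: cache hit ratio and the count of DNSSEC-bogus answers. The statistic names are Unbound's own (`num.answer.*` requires `extended-statistics: yes`); the key paths are the defaults unbound-control-setup writes into its configured directory, assumed here to be /etc/unbound; the sample statistics are constructed, not captured from a live server.

```shell
#!/bin/sh
# Added example (not from the Unbound project): enable the remote control
# interface, then derive health numbers from unbound-control statistics.
# Assumed: /etc/unbound as the configuration directory; sample stats are constructed.

# Control channel on localhost only; unbound-control-setup generates the
# self-signed server and client certificates referenced here.
render_remote_control_conf() {
    cat <<'EOF'
server:
    extended-statistics: yes    # needed for num.answer.* counters

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 8953
    server-key-file: "/etc/unbound/unbound_server.key"
    server-cert-file: "/etc/unbound/unbound_server.pem"
    control-key-file: "/etc/unbound/unbound_control.key"
    control-cert-file: "/etc/unbound/unbound_control.pem"
EOF
}

# One-time setup on the resolver host, followed by a few routine commands.
setup_and_query() {
    unbound-control-setup                   # create the keys and certificates above
    unbound-control reload                  # re-read the configuration
    unbound-control status                  # version, threads, uptime
    unbound-control flush_zone example.com  # drop cached data below one name
    unbound-control stats_noreset           # cumulative counters, left untouched
}

# Read "name=value" statistics lines from stdin and print the cache hit ratio
# as a percentage with one decimal. stats_noreset is used rather than stats so
# that monitoring does not zero the daemon's counters for other consumers.
cache_hit_ratio() {
    awk -F= '
        $1 == "total.num.cachehits" { hits = $2 }
        $1 == "total.num.cachemiss" { miss = $2 }
        END {
            total = hits + miss
            if (total == 0) { print "0.0"; exit }
            printf "%.1f\n", 100 * hits / total
        }'
}

# Print the number of answers that failed DNSSEC validation. A sudden rise in
# this counter usually means a broken zone signing upstream, but it is also the
# signal that validation is doing its job, so it is worth graphing and alerting on.
bogus_answers() {
    awk -F= '
        $1 == "num.answer.bogus" { print $2 + 0; found = 1 }
        END { if (!found) print 0 }'
}

# Constructed sample of stats_noreset output (not captured from a real server).
SAMPLE_STATS='thread0.num.queries=120
total.num.queries=400
total.num.cachehits=300
total.num.cachemiss=100
num.answer.secure=250
num.answer.bogus=3
time.up=86400.123'

# Live usage: unbound-control stats_noreset | cache_hit_ratio
#             unbound-control stats_noreset | bogus_answers
```

Binding the control interface to 127.0.0.1 keeps the management channel off the network entirely; if it must be reachable remotely, the client certificate generated by unbound-control-setup is what authenticates the caller, so that key file deserves the same protection as the server's private key.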