What is unbound DNS?
Unbound is a validating, recursive, and caching DNS resolver developed by NLnet Labs. It is free and open-source software that lets you run your own DNS server on your own computer or network. Here is a breakdown of what each of those terms means:
• Validating: Unbound checks the authenticity of DNS records using DNSSEC, which helps to prevent spoofing and other attacks.
https://www.imperva.com/learn/application-security/dnssec/
• Recursive: Unbound can follow DNS queries all the way to the authoritative name servers, unlike a non-recursive resolver, which only asks other DNS servers for the answer.
*A recursive query is between a client and its local DNS server.
*An iterative query is between the local DNS server and other DNS servers.
DNS Queries — Recursive and Iterative | by Geeky much! | Networks & Security | Medium
• Caching: Unbound stores frequently accessed DNS records in memory, which can improve performance by reducing the number of times it needs to query other DNS servers.
What Is DNS Cache and How to Flush It - KeyCDN Support
Here are some of the benefits of using Unbound:
- Privacy: Unbound can be configured to use DNS-over-TLS (DoT), which encrypts your DNS queries and prevents them from being intercepted by third parties.
- Security: Unbound supports DNSSEC, which helps to prevent spoofing and other attacks.
- Performance: Unbound can be very fast, especially when it is configured as a caching server.
- Customization: Unbound is highly configurable, which means that you can tailor it to your specific needs.
Unbound is a popular choice for people who want to take control of their own DNS and improve their privacy and security. It is also a good choice for people who run their own web servers or a homelab that requires static mappings for virtual machine hostnames.
Goal:
Enable Unbound as the internal DNS resolver for the lab environment.
OPNsense
To enable Unbound DNS:
Navigate to Services > Unbound DNS > General
Enable Unbound – checked

Notes:
*In order for a client to query Unbound, there needs to be an ACL assigned in Services > Unbound DNS > Access Lists. The configured interfaces should gain an ACL automatically by default, allowing access to Unbound. If the client address is not in any of the predefined networks, please add one manually.
*If using Firefox, turn off the built-in DNS-over-HTTPS (DoH) in Firefox's settings so queries route through Unbound.
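Added example (not from this page, OPNsense, or the Unbound project): a small Python checker that applies Unbound's access-control semantics to a list of entries, so you can confirm that a client address actually falls inside an allowed netblock before pointing it at the resolver. The access-control entries and client addresses below are constructed for illustration; the code assumes the unbound.conf `access-control: <netblock> <action>` syntax, Unbound's most-specific-netblock-wins rule, and `refuse` as the fallback for clients matching no netblock.

```python
import ipaddress

# Constructed sample of Unbound "access-control:" lines (not copied from any
# real OPNsense or Unbound configuration), in unbound.conf syntax.
SAMPLE_ACCESS_CONTROL = """
# loopback is allowed by Unbound's defaults; listed here for completeness
access-control: 127.0.0.0/8 allow
access-control: ::1 allow
# lab network
access-control: 10.0.0.0/8 allow
# a quarantined subnet inside the lab that must not use the resolver
access-control: 10.0.99.0/24 refuse
# management network, also allowed to send non-recursive (snooping) queries
access-control: 192.168.1.0/24 allow_snoop
"""

DEFAULT_ACTION = "refuse"  # assumption: Unbound refuses clients matching no netblock


def parse_access_control(text):
    """Return a list of (ip_network, action) tuples from access-control lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line.startswith("access-control:"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed access-control line: {raw!r}")
        _, netblock, action = parts
        # strict=False accepts host addresses such as "::1" without a prefix
        rules.append((ipaddress.ip_network(netblock, strict=False), action))
    return rules


def decide(rules, client):
    """Action applied to a client: the most specific matching netblock wins."""
    addr = ipaddress.ip_address(client)
    best = None
    for net, action in rules:
        # "in" is False when address families differ, so mixed v4/v6 rules are safe
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return best[1] if best else DEFAULT_ACTION


def suggest_rule(client, prefixlen):
    """Access-control line that would admit the client's /prefixlen network."""
    net = ipaddress.ip_network(f"{client}/{prefixlen}", strict=False)
    return f"access-control: {net} allow"


def check_clients(rules, clients):
    """Map each client address to its action, to review before rollout."""
    return {client: decide(rules, client) for client in clients}


if __name__ == "__main__":
    rules = parse_access_control(SAMPLE_ACCESS_CONTROL)
    # constructed client addresses: one allowed, one quarantined, one unlisted
    for client, action in check_clients(rules, ["10.0.1.20", "10.0.99.7", "172.16.0.5"]).items():
        print(f"{client:>12}: {action}")
        if action == "refuse":
            print("              consider adding:", suggest_rule(client, 24))
```

On OPNsense the same decision is made from the entries under Services > Unbound DNS > Access Lists; the checker is a way to reason about which netblock a client will hit when several overlap (for example a refused /24 inside an allowed /8) before changing the list.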
Source
https://forums.lawrencesystems.com/t/own-or-public-dns-resolver/11163/3
https://docs.opnsense.org/manual/unbound.html
https://nlnetlabs.nl/projects/unbound/about/
https://unbound.docs.nlnetlabs.nl/
