Unbound
Unbound is a validating, recursive, caching DNS resolver. The C implementation of Unbound is developed and maintained by NLnet Labs.
OpenWrt by default uses dnsmasq for DNS forwarding (and DHCP serving), which works well for many cases. However, dependence on an upstream resolver can be a cause for concern. That resolver is often provided by the ISP, and some users have switched to public DNS providers instead. Either way can result in problems with performance, hijacking, trustworthiness, privacy, and so on. Running a local recursive resolver is one solution.
Unbound is available in the package repository, and complete documentation is in its README. It has UCI/LuCI features that should be familiar to anyone who has tweaked dnsmasq. The README includes information on integrating with either dnsmasq or odhcpd and on configuring Unbound as a forwarding client of DoT (DNS over TLS).
DNS over TLS is fully supported with Unbound configuration helpers in UCI/LuCI. You can manage zone recursion, zone forward, and zone transfer preferences. These are presented in a form similar to the firewall's pin-point rules. You may forward specific domains to specific DNS servers, with or without TLS. This is useful where you need location-specific resolution for ISP co-located services (as is often done by Google at 8.8.8.8 and 8.8.4.4) but wish to have a private DNS provider such as Cloudflare (1.1.1.1) mask your location while resolving general look-ups.
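The split described above, written as a `/etc/config/unbound` fragment, is an added example and not configuration from this wiki page or from the OpenWrt Unbound package itself. The option names follow the OpenWrt net/unbound package README as I recall it (`zone_type`, `tls_upstream`, `tls_index`, `fallback`, `zone_name`, `server`); check them against the README for your installed version before use. The domain `example-cdn.test` is a constructed placeholder.

```uci
# /etc/config/unbound -- added example (not the wiki's or the package's own config).
# Option names are assumed from the OpenWrt net/unbound README; verify for your version.

config unbound 'ub_main'
	option enabled '1'
	option manual_conf '0'          # let UCI generate unbound.conf
	option dhcp_link 'dnsmasq'      # dnsmasq keeps DHCP, Unbound does resolution
	option recursion 'default'
	option validator '1'            # DNSSEC validation on
	option query_minimize '1'       # send only the labels each server needs
	option rebind_protection '1'    # drop private-range answers from upstream

# General look-ups: forward the root zone '.' to Cloudflare over TLS (DoT).
# tls_index is the name Unbound checks in the server certificate, so the
# upstream is authenticated, not merely encrypted to.
config zone
	option enabled '1'
	option fallback '1'             # recurse from the root if the forwarder fails
	option zone_type 'forward_zone'
	option tls_upstream '1'
	option tls_index 'cloudflare-dns.com'
	option tls_port '853'
	list zone_name '.'
	list server '1.1.1.1'
	list server '1.0.0.1'

# Location-specific exception: one constructed domain goes to Google's
# resolvers in the clear so ISP co-located content resolves nearby.
# Only queries for this zone leave in plaintext; everything else uses DoT.
config zone
	option enabled '1'
	option fallback '0'
	option zone_type 'forward_zone'
	option tls_upstream '0'
	list zone_name 'example-cdn.test'   # constructed placeholder, replace as needed
	list server '8.8.8.8'
	list server '8.8.4.4'
```

After editing, restart Unbound with `/etc/init.d/unbound restart` and inspect the generated `unbound.conf` to confirm that the '.' forward-zone carries the `@853#cloudflare-dns.com` style address (TLS with certificate name) and that only the exception zone points at 8.8.8.8 without TLS. If the TLS name does not match the upstream's certificate, queries for the root zone fail rather than silently downgrading, which is the behaviour you want from an authenticated forwarder.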
Since there have been significant feature enhancements over the years, including UCI/LuCI support for TLS, see the documentation for your version:
- Main branch (most recent): Unbound README