Use unbound as an DNS-over-TLS resolver and authoritative dns server

2 minute read


In previous blog posts, I described howto setup stubby as an DNS-over-TLS resolver. I used stubby on my laptop(s) and unbound on my internal network.

But I’m migrating away from stubby in favour of unbound.

Unbound is a popular DNS resolver, it’s less known that you can also use it as an authoritative DNS server.

I created a docker container that can serve both purposes, although you can use the same logic without docker.

It’s available at


Dockerfile to run unbound inside a docker container. The unbound daemon will run as the unbound user. The uid/gid is mapped to 5000153.


clone the git repo

$ git clone
$ cd docker-stafwag-unbound



The default DNS port is set to 5353 this port is mapped with the docker command to the default port 53 (see below). If you want to use another port, you can edit etc/unbound/unbound.conf.d/interface.conf.

Use unbound as an authoritative DNS server

To use unbound as an authoritative authoritive DNS server - a DNS server that hosts DNS zones - add your zones file etc/unbound/zones/. Alternatively, you can also use a docker volume to mount /etc/unbound/zones/ to your zone files.

The entrypoint script will create a zone.conf file to serve the zones.

You can use subdirectories. The zone file needs to have $ORIGIN set to our zone origin.

Use DNS-over-TLS

The default configuration uses quad9 to forward the DNS queries over TLS. If you want to use another vendor or you want to use the root DNS servers director you can remove this file.

Build the image

$ docker build -t stafwag/unbound . 


Recursive DNS server with DNS-over-TLS


$ docker run -d --rm --name myunbound -p -p stafwag/unbound


$ dig @

Authoritative dns server.

If you want to use unbound as an authoritative dns server you can use the steps below.

Create a directory with your zone files:

[staf@vicky ~]$ mkdir -p ~/docker/volumes/unbound/zones/stafnet
[staf@vicky ~]$ 

Create the zone files

Zone files

$TTL	86400 ; 24 hours
$ORIGIN stafnet.local.
@  1D  IN	 SOA @	root (
			      20200322001 ; serial
			      3H ; refresh
			      15 ; retry
			      1w ; expire
			      3h ; minimum
@  1D  IN  NS @ 

stafmail IN A

$TTL    86400 ;
@       IN      SOA     stafnet.local. root.localhost.  (
                        20200322001; Serial
                        3h      ; Refresh
                        15      ; Retry
                        1w      ; Expire
                        3h )    ; Minimum
        IN      NS      localhost.
10      IN      PTR     stafmail.

Make sure that the volume directoy and zone files have the correct permissions.

$ chmod 755 ~/docker/volumes/unbound/zones/stafnet/
$ chmod 644 ~/docker/volumes/unbound/zones/stafnet/*

run the container

$ docker run -d --rm --name myunbound -v ~/docker/volumes/unbound/zones/stafnet:/etc//unbound/zones/ -p -p stafwag/unbound


[staf@vicky ~]$ dig @ soa stafnet.local

; <<>> DiG 9.16.1 <<>> @ soa stafnet.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37184
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4096
;stafnet.local.			IN	SOA

stafnet.local.		86400	IN	SOA	stafnet.local. root.stafnet.local. 3020452817 10800 15 604800 10800

;; Query time: 0 msec
;; WHEN: Sun Mar 22 19:41:09 CET 2020
;; MSG SIZE  rcvd: 83

[staf@vicky ~]$ 

Have fun


Leave a comment