Unbound Setup Tutorial on OpenWrt
1. What Is Unbound?
Unbound is a validating, recursive, and caching DNS resolver focused on security, privacy, and performance. It resolves names by querying the DNS root servers directly and following the referrals down to the TLD and authoritative servers, without relying on public DNS providers such as Google DNS or Cloudflare.
Main advantages of Unbound:
- No third-party DNS dependency
- Full DNSSEC validation support
- Can operate as a local recursive resolver
- DNS caching for faster responses
- Lightweight and suitable for OpenWrt routers
With Unbound, your OpenWrt router becomes a fully independent DNS resolver for the entire local network.
2. Unbound vs Stubby vs AdGuard Home vs Pi-hole
Comparison between Unbound and other popular DNS solutions:
| Feature | Unbound | Stubby | AdGuard Home | Pi-hole |
|---|---|---|---|---|
| Type | Recursive DNS Resolver | DNS-over-TLS Stub Resolver | DNS + Ad Blocking | DNS + Ad Blocking |
| Queries Root Servers | Yes | No | No | No |
| DNSSEC Validation | Yes | No | Limited | Limited |
| DNS-over-TLS / HTTPS | Yes (can forward to and serve DoT/DoH; not used in this recursive setup) | Yes (DoT to an upstream) | Yes | No (needs a separate DoT/DoH proxy) |
| Ad Blocking | No | No | Yes | Yes |
| Privacy Level | High (no single provider sees all queries, but queries to authoritative servers are unencrypted) | Depends on provider | Medium | Medium |
| Public DNS Dependency | No | Yes | Yes | Yes |
| Suitable as Main Resolver | Yes | No | Partial | Partial |
Summary:
- Use Unbound if you want a fully independent, private, and secure DNS resolver
- Use Stubby if you only need DNS-over-TLS
- Use AdGuard Home / Pi-hole if ad blocking is the main goal
Unbound is commonly paired with dnsmasq on OpenWrt.
3. Installing Unbound on OpenWrt
3.1 Update Package List
opkg update
3.2 Install Required Packages
opkg install unbound-daemon luci-app-unbound unbound-control
If flash storage is limited, LuCI is optional:
opkg install unbound-daemon unbound-control
4. Unbound Configuration (Port 5533 & DNS Leak Prevention)
4.1 Configuration Concept
- Unbound listens on 127.0.0.1:5533
- dnsmasq remains active on port 53
- dnsmasq forwards DNS queries to Unbound
- DNS servers from WAN are completely disabled to prevent DNS leaks
4.2 Configure Unbound via LuCI
Navigate to:
Services → Unbound DNS
Main settings:
Basic Settings
- Enable Unbound: Enabled
- Local Service Only: Enabled
- Listen Port: 5533
- Enable DNSSEC: Enabled
- Enable DNS Cache: Enabled
- DNS64: Disabled (unless using IPv6 NAT64)
Recommended Advanced Settings
- Prefetch Support: Enabled
- EDNS Buffer Size: 1232 (the DNS Flag Day 2020 value; keeps UDP answers below the size at which IP fragmentation starts)
- Hide Identity: Enabled
- Hide Version: Enabled
Save and apply the configuration.
4.3 Configure dnsmasq to Use Unbound
Apply the following configuration via CLI:
uci set dhcp.@dnsmasq[0].noresolv='1'
uci add_list dhcp.@dnsmasq[0].server='127.0.0.1#5533'
uci commit dhcp
/etc/init.d/dnsmasq restart
Explanation:
- noresolv='1' stops dnsmasq from reading the resolver list that netifd writes from the ISP's DHCP lease (resolv.conf.auto), so only the servers in its own configuration are used
- server='127.0.0.1#5533' forwards every query dnsmasq cannot answer locally (DHCP leases, /etc/hosts) to Unbound
dnsmasq keeps its own cache in front of Unbound, so Unbound's statistics only see dnsmasq cache misses. If you want every query to reach Unbound, set the dnsmasq cachesize option to 0.
4.4 Disable WAN DNS Peers (DNS Leak Prevention)
This step is mandatory to ensure no DNS queries bypass Unbound.
Via LuCI:
Network → Interfaces → WAN → Edit → Advanced Settings
Set the following:
- Use DNS servers advertised by peer: Disabled
- Custom DNS servers: Leave empty
Repeat the same for the WAN6 interface, which receives resolver addresses over DHCPv6/RA, then apply the changes.
Via CLI (the -q flag keeps uci quiet when no custom DNS list exists; wan6 is handled as well because the IPv6 WAN receives its own resolver list):
uci set network.wan.peerdns='0'
uci -q delete network.wan.dns
uci set network.wan6.peerdns='0'
uci -q delete network.wan6.dns
uci commit network
/etc/init.d/network restart
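Sections 4.3 and 4.4 as one rerunnable script. This is an added example written for this tutorial, not code from the OpenWrt project. It assumes that Unbound is already configured through LuCI as in 4.2, that the dnsmasq section is @dnsmasq[0], and that the WAN interfaces are named wan and wan6. Running it with --dry-run prints the uci commands instead of executing them; --apply runs them and reloads the services.

```shell
#!/bin/sh
# Point dnsmasq at Unbound and stop both WAN interfaces from supplying ISP
# resolvers. Added example for this tutorial (not OpenWrt project code).
# Assumptions: Unbound already listens on 127.0.0.1:$UNBOUND_PORT (set in LuCI),
# the dnsmasq section is @dnsmasq[0], and the WAN interfaces are wan and wan6.

UNBOUND_PORT="${UNBOUND_PORT:-5533}"
UCI="${UCI:-uci}"   # override (e.g. UCI='echo uci') to print instead of apply

# Write the UCI settings from sections 4.3 and 4.4. Safe to rerun: add_list
# appends a duplicate entry every time, so the old entry is removed first.
apply_dns_chain() {
    port="$1"
    $UCI set dhcp.@dnsmasq[0].noresolv='1'
    $UCI -q del_list dhcp.@dnsmasq[0].server="127.0.0.1#${port}" || true
    $UCI add_list dhcp.@dnsmasq[0].server="127.0.0.1#${port}"
    for iface in wan wan6; do
        # skip interfaces this router does not define (IPv4-only WAN, for example)
        $UCI -q get "network.${iface}" >/dev/null || continue
        $UCI set "network.${iface}.peerdns"='0'
        $UCI -q delete "network.${iface}.dns" || true
    done
    $UCI commit dhcp
    $UCI commit network
}

# Reload the affected services so the new resolver chain is in use.
restart_services() {
    /etc/init.d/dnsmasq restart
    /etc/init.d/network reload
}

case "${1:-}" in
    --apply)   apply_dns_chain "$UNBOUND_PORT" && restart_services ;;
    --dry-run) UCI='echo uci'; apply_dns_chain "$UNBOUND_PORT" ;;
esac
```

Copy it to the router and run `sh setup-dns-chain.sh --dry-run` first; the printed commands are exactly what --apply will execute, and a second --apply leaves a single server entry rather than appending another.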
5. Verification and Testing
5.1 Check Unbound Listening Port
netstat -lnp | grep 5533
The stock OpenWrt image ships the BusyBox netstat; ss is only available if you install it separately. Expect 127.0.0.1:5533 (both UDP and TCP) owned by unbound, and port 53 still owned by dnsmasq.
5.2 Enable and Use unbound-control (Statistics and Monitoring)
Ensure unbound-control is installed:
opkg install unbound-control
Enable the control socket. The two directives must sit inside a remote-control: clause; at top level Unbound rejects them. On OpenWrt the running configuration is regenerated from /etc/config/unbound every time the service starts, so the reliable ways to enable it are the unbound_control option in that file (value 1 gives a local, unencrypted control socket; the same setting appears under Services → Unbound DNS → Advanced) or, if you manage files by hand, adding the clause to /etc/unbound/unbound_ext.conf, which the generated configuration includes. Edits to /etc/unbound/unbound.conf only take effect when manual configuration is enabled.
remote-control:
  control-enable: yes
  control-interface: /var/run/unbound.sock
Restart Unbound:
/etc/init.d/unbound restart
Useful monitoring commands:
unbound-control status
unbound-control stats
unbound-control stats_noreset
Available statistics include:
- Total DNS queries
- Cache hit and miss ratios
- DNSSEC validation results
- Unbound uptime
5.3 DNS Functionality Test
nslookup google.com 127.0.0.1
This queries dnsmasq on port 53, so a correct answer only proves the first hop. To confirm that Unbound itself resolves and validates, install bind-dig and query it directly: dig @127.0.0.1 -p 5533 against a DNSSEC-signed zone such as isc.org should return the ad flag (the answer passed validation), a zone with deliberately broken signatures such as dnssec-failed.org should return SERVFAIL, and unbound-control list_forwards should print nothing, confirming that no forward zone points at an ISP or public resolver.
root@NixpoinWrt:~# nslookup google.com 127.0.0.1
Server: 127.0.0.1
Address: 127.0.0.1:53
Non-authoritative answer:
Name: google.com
Address: 74.125.68.113
Name: google.com
Address: 74.125.68.100
Name: google.com
Address: 74.125.68.139
Name: google.com
Address: 74.125.68.138
Name: google.com
Address: 74.125.68.102
Name: google.com
Address: 74.125.68.101
Non-authoritative answer:
Name: google.com
Address: 2404:6800:4003:c02::8b
Name: google.com
Address: 2404:6800:4003:c02::66
Name: google.com
Address: 2404:6800:4003:c02::71
Name: google.com
Address: 2404:6800:4003:c02::64
root@NixpoinWrt:~#
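To check a router against the chain described in sections 4 and 5 without reading each config by eye, the following script parses the text output of uci export dhcp, uci export network and unbound-control list_forwards. It is an added example for this tutorial, not code from the OpenWrt or Unbound projects; the configurations embedded in it are constructed samples (one router that still leaks, one set up as in section 4), and it assumes the interface names wan/wan6 and port 5533 used above. Run it with --live on the router to audit the real configuration.

```shell
#!/bin/sh
# Audit the dnsmasq -> Unbound chain from the router's own configuration.
# Added example for this tutorial, not OpenWrt or Unbound project code. It
# parses `uci export` and `unbound-control list_forwards` text; the sample
# inputs at the bottom are constructed, not captured from a real router.

UNBOUND_PORT="${UNBOUND_PORT:-5533}"
Q="'"   # uci export wraps every value in single quotes

# 0 if the dnsmasq section has noresolv '1' and its only server entry is Unbound.
# $1 = output of `uci export dhcp`
dnsmasq_uses_unbound() {
    printf '%s\n' "$1" | awk -v q="$Q" -v port="$UNBOUND_PORT" '
        BEGIN { one = q "1" q; want = q "127.0.0.1#" port q }
        /^config dnsmasq/ { in_dm = 1; next }
        /^config /        { in_dm = 0 }
        in_dm && $1 == "option" && $2 == "noresolv" && $3 == one { noresolv = 1 }
        in_dm && $1 == "list"   && $2 == "server" {
            if ($3 == want) unbound = 1; else other = 1
        }
        END { exit !(noresolv && unbound && !other) }'
}

# 0 if wan (and wan6, when the router defines it) has peerdns '0' and no
# custom dns list. $1 = output of `uci export network`
wan_ignores_peer_dns() {
    printf '%s\n' "$1" | awk -v q="$Q" '
        BEGIN { zero = q "0" q }
        /^config interface/ {
            sec = $3; gsub(q, "", sec)
            cur = (sec == "wan" || sec == "wan6") ? sec : ""
            if (cur != "") seen[cur] = 1
            next
        }
        /^config / { cur = "" }
        cur != "" && $1 == "option" && $2 == "peerdns" && $3 == zero { ok[cur] = 1 }
        cur != "" && ($1 == "option" || $1 == "list") && $2 == "dns" { custom = 1 }
        END { exit !(seen["wan"] && ok["wan"] && (!seen["wan6"] || ok["wan6"]) && !custom) }'
}

# 0 if Unbound has no forward zones, i.e. it recurses from the root itself.
# $1 = output of `unbound-control list_forwards` (empty when nothing is forwarded)
no_forward_zones() {
    [ -z "$(printf '%s' "$1" | tr -d '[:space:]')" ]
}

# Run the three checks, report each, return 0 only if all pass.
audit_chain() {
    fails=0
    if dnsmasq_uses_unbound "$1"; then echo "PASS dnsmasq forwards only to 127.0.0.1#$UNBOUND_PORT"
    else echo "FAIL dnsmasq has noresolv off or another upstream"; fails=$((fails + 1)); fi
    if wan_ignores_peer_dns "$2"; then echo "PASS wan/wan6 ignore ISP resolvers"
    else echo "FAIL a WAN interface still accepts or lists upstream DNS"; fails=$((fails + 1)); fi
    if no_forward_zones "$3"; then echo "PASS unbound has no forward zones"
    else echo "FAIL unbound forwards to: $3"; fails=$((fails + 1)); fi
    [ "$fails" -eq 0 ]
}

# Constructed samples: a router that still leaks and one set up as in section 4.
LEAKY_DHCP=$(cat <<'EOF'
package dhcp
config dnsmasq
	option domainneeded '1'
	list server '127.0.0.1#5533'
	list server '8.8.8.8'
EOF
)
FIXED_DHCP=$(cat <<'EOF'
package dhcp
config dnsmasq
	option domainneeded '1'
	option noresolv '1'
	list server '127.0.0.1#5533'
EOF
)
LEAKY_NET=$(cat <<'EOF'
package network
config interface 'wan'
	option proto 'dhcp'
	list dns '1.1.1.1'

config interface 'wan6'
	option proto 'dhcpv6'
	option peerdns '0'
EOF
)
FIXED_NET=$(cat <<'EOF'
package network
config interface 'wan'
	option proto 'dhcp'
	option peerdns '0'

config interface 'wan6'
	option proto 'dhcpv6'
	option peerdns '0'
EOF
)
LEAKY_FWD='. IN forward 1.1.1.1'
FIXED_FWD=''

case "${1:-}" in
    --live)   audit_chain "$(uci export dhcp)" "$(uci export network)" "$(unbound-control list_forwards)" ;;
    --sample) audit_chain "$LEAKY_DHCP" "$LEAKY_NET" "$LEAKY_FWD"; audit_chain "$FIXED_DHCP" "$FIXED_NET" "$FIXED_FWD" ;;
esac
```

`sh audit-dns-chain.sh --sample` shows the three FAIL lines for the leaky sample and three PASS lines for the fixed one; `--live` needs only BusyBox awk plus unbound-control, so it runs on the router itself.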
6. DNS Architecture Overview
Client
↓
dnsmasq (port 53)
↓
Unbound (127.0.0.1:5533)
↓
Root DNS → TLD → Authoritative
7. Conclusion
With this configuration:
- No public DNS providers are used: Unbound resolves from the root servers itself
- Router-side DNS leaks are prevented: neither dnsmasq nor Unbound ever uses the ISP resolvers
- DNSSEC validation is enabled
- The setup remains fully compatible with OpenWrt
Two caveats remain. Recursive queries to authoritative servers are plain UDP/TCP on port 53, so the ISP can still observe them; what you gain is that no single third-party resolver sees your whole query history. And LAN clients that hard-code a public resolver, or browsers using DNS-over-HTTPS, bypass dnsmasq entirely unless you add firewall rules that redirect or block outbound ports 53 and 853 from the LAN.
Unbound is an excellent choice for users who want privacy, security, and control over DNS resolution without depending on a third party.
Unbound can also be combined with AdGuard Home or Pi-hole for filtering, while keeping Unbound as the primary recursive resolver.