🧠 1. What is Unbound DNS?
Unbound is a DNS Resolver developed by NLnet Labs.
It’s designed to resolve domain names for internal users — that is, to find the real IP address of a domain such as www.google.com.
Unlike BIND9, which is commonly used as an Authoritative DNS server to host your company’s domain records, Unbound’s role is to perform recursive lookups on behalf of clients inside your network.
⚙️ 2. Core Functionality and Features
| Feature | Description |
|---|---|
| Recursive DNS Resolver | Queries root DNS servers directly and resolves names step by step. |
| DNS Forwarder Mode | Can forward queries to specific DNS servers (e.g., 8.8.8.8, 1.1.1.1, or your internal BIND9). |
| DNS over TLS (DoT) | Supports encrypted DNS queries for better privacy. |
| DNS Rebind Protection | Prevents malicious domains from returning private IPs. |
| Blocklist / Override | Add custom domain overrides or block unwanted domains (ads, trackers). |
| DHCP Integration | Automatically registers DHCP hostnames. |
| Local Caching | Caches DNS results to speed up repeated lookups. |
🧩 3. How Unbound Works
Here’s a simplified process of how Unbound resolves DNS queries:
Client → OPNsense (Unbound) → Root DNS → TLD → Authoritative DNS → Return IP → Cache → Client
Step-by-step:
- A user’s computer sends a DNS query to the OPNsense firewall.
- Unbound checks its local cache — if the result exists, it returns immediately.
- If not, Unbound recursively queries the Internet’s DNS hierarchy.
- The resolved IP is stored in cache and returned to the user.
- If Forwarding Mode is enabled, Unbound will simply forward queries to another DNS server (like your BIND9).
⚖️ 4. Unbound vs. BIND9 — Key Differences
| Comparison | Unbound | BIND9 |
|---|---|---|
| Primary Role | Recursive Resolver | Authoritative DNS Server |
| Maintains Zones | Limited (for overrides only) | Full zone management |
| Root Hints | Built-in | Requires manual maintenance |
| Query Type | Recursive / Forwarding | Authoritative / Forwarding |
| Management | Web UI (OPNsense) | Text-based config files |
| Typical Use | Internal name resolution, caching | Hosting company/public domains |
🧱 5. Will Unbound Conflict with BIND9?
Not necessarily — as long as they don’t both listen on the same IP address and port (53).
✅ Scenario 1: Running on different hosts
No problem at all.
OPNsense (Unbound) → internal DNS resolver
BIND9 server → authoritative public DNS
⚙️ Scenario 2: Running on the same host
Avoid conflicts by:
- Binding each service to a different interface or IP address:
  Unbound → listens on LAN (53)
  BIND9 → listens on WAN (53)
- Or make Unbound forward all requests to BIND9:
  OPNsense → Services → Unbound DNS → General → Enable Forwarding
  Custom DNS servers: 10.0.0.5 (BIND9)
This way, Unbound handles caching, filtering, and security checks, while BIND9 handles the actual resolution.
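The Scenario 2 settings above written out as a hand-maintained unbound.conf, added here as an illustration rather than taken from the page or from the OPNsense project (OPNsense generates its own Unbound configuration from the web UI): Unbound bound to the LAN address 10.0.0.1 with BIND9 at 10.0.0.5, plus the rebind-protection, DNSSEC, caching and override settings from sections 2 and 7. The trust-anchor path and the corp.example / ads.example names are assumptions.

```conf
server:
    # Listen only on the LAN address so BIND9 can own port 53 on the
    # other addresses of the same host (Scenario 2, first option).
    interface: 10.0.0.1
    port: 53
    # Answer LAN clients only; refuse everyone else.
    access-control: 10.0.0.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # DNSSEC validation (section 7). The path is an assumption: it must
    # point at the anchor file that unbound-anchor maintains on this host.
    auto-trust-anchor-file: "/var/unbound/root.key"
    harden-dnssec-stripped: yes

    # DNS rebind protection (section 2): upstream answers for public names
    # that point into these ranges are dropped instead of being returned.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: fd00::/8
    # ...except your own domain, whose internal names legitimately resolve
    # to private addresses through BIND9's internal view (assumed name).
    private-domain: "corp.example"

    # Local caching: keep answers at least 60 s and refresh popular names
    # shortly before they expire so repeated lookups stay fast.
    cache-min-ttl: 60
    prefetch: yes
    qname-minimisation: yes

    # Blocklist / override entries (section 2); names are assumptions.
    local-zone: "ads.example" always_nxdomain
    local-data: "printer.corp.example. A 10.0.0.20"

forward-zone:
    # Scenario 2, second option: hand every query to BIND9 at 10.0.0.5.
    # Unbound still caches, filters and validates the answers, so BIND9
    # must pass DNSSEC records through (it does with dnssec-validation on).
    name: "."
    forward-addr: 10.0.0.5
```

After loading such a configuration, `unbound-checkconf` reports syntax problems before the daemon is restarted, and a lookup for a name in a rebind-protected range should return SERVFAIL rather than the private address.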
🧰 6. Typical Enterprise Architectures
| Architecture Type | Description |
|---|---|
| 1. Unbound (internal resolver) + BIND9 (public authoritative) | The most common setup. Internal users query Unbound, which recursively resolves or forwards to external DNS servers. |
| 2. Unbound forwarding to BIND9 | Suitable when your BIND9 uses internal/external “views” for split DNS. |
| 3. Unbound for LAN, BIND9 for DMZ/public zone | Layered design to separate internal and external name resolution. |
🔐 7. Security & Performance Advantages
| Feature | Benefit |
|---|---|
| DNS Cache | Speeds up repeated queries and reduces external traffic. |
| DNSSEC Validation | Ensures DNS responses haven’t been tampered with. |
| Rebind Protection | Blocks malicious private IP responses. |
| DNS-over-TLS | Encrypts DNS traffic for privacy. |
| Centralized Management | Fully managed via OPNsense Web GUI. |
🧮 8. Example Network Setup
[Client PC] → 10.0.0.1 (OPNsense Unbound)
↓
(Cache lookup)
↓
Forward to BIND9 (10.0.0.5)
↓
BIND9 resolves → IP returned → Cache → Client
✅ 9. Conclusion
Unbound and BIND9 are not competitors — they complement each other.
- Unbound is ideal for internal DNS resolution, caching, and DNSSEC validation.
- BIND9 continues to serve as your authoritative DNS for public-facing domains.
A properly designed architecture can integrate both seamlessly:
- Unbound handles private LAN queries and filtering.
- BIND9 hosts your corporate or external DNS zones.
Together, they provide a fast, secure, and layered DNS infrastructure suitable for modern enterprises.