Unbound is an open-source validating, recursive, caching DNS resolver. Unlike BIND, which does both jobs, it doesn't try to be an authoritative server (the thing that tells the world which IP your domain has); and unlike dnsmasq, which only forwards, it does the full recursion itself. It walks the tree from the root servers (or forwards to an upstream you pick), checks the answers with DNSSEC, and hands them back to your clients.
Why do so many people use it?
- Lightweight: fast, low memory, fine on a small VPS
- Secure: DNSSEC validation built in, plus hardening options against spoofing and cache poisoning
- Privacy: run it as your own local resolver so your queries stop going to the ISP's resolver (and with DoT upstream they're encrypted on the wire too)
- Flexible: DNS over TLS (DoT) to upstreams and to clients, DoH to clients (1.12+), per-subnet access control
How to Install & Basic Configuration
1. Install (Debian/Ubuntu)

```bash
sudo apt update && sudo apt install unbound -y
```

2. Basic configuration

On Debian/Ubuntu the stock /etc/unbound/unbound.conf is little more than an include of /etc/unbound/unbound.conf.d/*.conf, and the DNSSEC trust anchor lives in that directory (root-auto-trust-anchor-file.conf). So don't overwrite unbound.conf; drop the block below into /etc/unbound/unbound.conf.d/local.conf instead. On other distros it goes straight into unbound.conf.
```conf
server:
    # Interface & port. 0.0.0.0 listens on every IPv4 address, so the
    # access-control lines are what stop this from being an open resolver
    # (sources that aren't listed get REFUSED, which is Unbound's default).
    interface: 0.0.0.0
    port: 53

    # Access control (adjust to your subnets)
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.0.0/16 allow
    access-control: 10.0.0.0/8 allow

    # Security hardening
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-referral-path: yes

    # DNSSEC validation only happens when there is a trust anchor. Debian/Ubuntu
    # already ship one in unbound.conf.d/root-auto-trust-anchor-file.conf; on
    # other systems add:  auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # CA bundle Unbound uses to verify the upstream DoT certificate against the
    # #hostname in forward-addr below. Without it the session is encrypted but
    # the upstream is not authenticated.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

    # Performance (slab counts must be powers of two, roughly num-threads)
    num-threads: 2
    msg-cache-slabs: 4
    rrset-cache-slabs: 4
    infra-cache-slabs: 4
    key-cache-slabs: 4
    rrset-cache-size: 128m
    msg-cache-size: 64m

    # Logging. Setting logfile turns syslog off; the directory has to exist and
    # be writable by the unbound user.
    verbosity: 1
    logfile: "/var/log/unbound/unbound.log"

# Forward everything upstream over DNS over TLS (Cloudflare here; Quad9 works the
# same way with its own address and #hostname). Unbound still validates DNSSEC
# itself, the forwarder just saves it the recursion.
forward-zone:
    name: "."
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-tls-upstream: yes
```
3. Check, restart & enable

Create the log directory first and let unbound-checkconf catch typos before you bounce the daemon. On Ubuntu, systemd-resolved normally already owns 127.0.0.53:53, so binding 0.0.0.0:53 fails with "Address already in use" until you turn off its stub listener (DNSStubListener=no in /etc/systemd/resolved.conf) or bind Unbound to a specific address.

```bash
sudo mkdir -p /var/log/unbound && sudo chown unbound:unbound /var/log/unbound
sudo unbound-checkconf
sudo systemctl restart unbound
sudo systemctl enable unbound

# Test: you should get an answer with SERVER: 127.0.0.1#53 at the bottom
dig @127.0.0.1 google.com
```
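Before trusting that config, here's a small lint script (added for this post, not part of Unbound) that catches the things people get wrong with a block like the one above: an allow-all access-control, forward-tls-upstream with no CA bundle to verify the #hostname, a forward-addr on 853 with no #hostname at all, no trust anchor (so DNSSEC silently does nothing), val-permissive-mode, and slab counts that aren't powers of two. The two configs inside it are constructed, and it only understands flat key: value lines, so use unbound-checkconf for syntax and this for the security-relevant settings.

```python
"""Lint a flat unbound.conf for the pitfalls discussed above.

Added example for this post; it is not part of Unbound. It only understands
"clause:" headers and "key: value" lines (no nested views), so run
unbound-checkconf for syntax and this for the security-relevant settings.
"""
import re
from typing import List, Optional, Tuple

Triple = Tuple[str, str, str]  # (clause, key, value)

# Constructed sample: this post's config minus a trust anchor and a CA bundle.
WEAK_CONF = """\
server:
    interface: 0.0.0.0
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.0.0/16 allow
    num-threads: 2
    msg-cache-slabs: 4
    logfile: "/var/log/unbound/unbound.log"
forward-zone:
    name: "."
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-tls-upstream: yes
"""

# Same config with the two gaps closed.
HARDENED_CONF = WEAK_CONF.replace(
    "    num-threads: 2\n",
    '    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"\n'
    '    auto-trust-anchor-file: "/var/lib/unbound/root.key"\n'
    "    num-threads: 2\n",
)


def parse_unbound_conf(text: str) -> List[Triple]:
    """Flatten the config into (clause, key, value) triples.

    A '#' only starts a comment at the beginning of a token, so the TLS
    authname in "1.1.1.1@853#cloudflare-dns.com" survives.
    """
    triples: List[Triple] = []
    clause = ""
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if not value:                      # "server:" / "forward-zone:" header
            clause = key
            continue
        triples.append((clause, key, value))
    return triples


def lint_unbound_conf(text: str) -> List[str]:
    """Return findings as 'code: detail' strings; an empty list means nothing flagged."""
    triples = parse_unbound_conf(text)

    def values(key: str, clause: Optional[str] = None) -> List[str]:
        return [v for c, k, v in triples if k == key and (clause is None or c == clause)]

    findings: List[str] = []

    # 1. An allow rule for the whole address space makes this an open resolver
    #    (unlisted sources are already refused by default, so only allow-all hurts).
    for acl in values("access-control", "server"):
        net, _, action = acl.partition(" ")
        if net in ("0.0.0.0/0", "::/0", "::0/0") and action.strip().startswith("allow"):
            findings.append(f"open-resolver: access-control {acl}")

    # 2. DoT upstream without a CA store: the #hostname cannot be checked,
    #    so the session is encrypted but the upstream is not authenticated.
    if "yes" in values("forward-tls-upstream") and not (
        values("tls-cert-bundle") or "yes" in values("tls-system-cert")
    ):
        findings.append("dot-unverified: forward-tls-upstream without tls-cert-bundle/tls-system-cert")
    for addr in values("forward-addr"):
        if "@853" in addr and "#" not in addr:
            findings.append(f"dot-no-authname: forward-addr {addr} has no #hostname to verify")

    # 3. No trust anchor means nothing is DNSSEC-validated. An include: may still
    #    supply one (Debian/Ubuntu do it that way), so only flag when there is none.
    if not (values("auto-trust-anchor-file") or values("trust-anchor-file")
            or values("trust-anchor") or values("include") or values("include-toplevel")):
        findings.append("no-trust-anchor: add auto-trust-anchor-file or DNSSEC validation is off")
    if "yes" in values("val-permissive-mode"):
        findings.append("dnssec-permissive: val-permissive-mode lets bogus answers through")

    # 4. The man page requires slab counts to be powers of two.
    for key in ("msg-cache-slabs", "rrset-cache-slabs", "infra-cache-slabs", "key-cache-slabs"):
        for v in values(key, "server"):
            if v.isdigit() and int(v) & (int(v) - 1):
                findings.append(f"slabs-not-power-of-two: {key} {v}")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, lint_unbound_conf(conf) or ["ok"])
```

Run it against your own file with `python3 lint.py < /etc/unbound/unbound.conf.d/local.conf` after swapping the constants for `sys.stdin.read()`; the weak sample trips the DoT and trust-anchor checks, the hardened one comes back clean.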
Useful Features
| Feature | What it does | Example use case |
|---|---|---|
| DNS over TLS (DoT) | Encrypts queries to the upstream, and can serve DoT to clients too | Privacy, stops the ISP sniffing your queries |
| DNS over HTTPS (DoH) | Serves DNS to clients over HTTPS (Unbound 1.12+); the upstream side is DoT only | Clients that only speak DoH, networks that filter port 53 |
| DNSSEC validation | Checks the signatures on answers | Cache poisoning defence |
| Local zones | Override specific domains | Ad blocking, local dev domains |
| Access control | IP-based ACLs | Restrict who may query |
Example: Ad Blocking with Unbound
Add this to the server: block to sink ad domains. A redirect zone covers the name and everything under it, so one line for doubleclick.net also catches ads.doubleclick.net:

```conf
server:
    local-zone: "doubleclick.net" redirect
    local-data: "doubleclick.net A 127.0.0.1"

    # Or keep the list in an external file (the include sits inside server:)
    include: /etc/unbound/adblock.conf
```

Two practical notes: pointing ads at 127.0.0.1 means clients try to connect to whatever is listening on their own loopback, so 0.0.0.0 or the always_nxdomain zone type (clients get NXDOMAIN straight away) is usually the better sink. And you can generate the list automatically with a tool like unbound-adblock, or a Python script that fetches StevenBlack/hosts and converts it to Unbound's format.
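Here's what that converter looks like in Python (an added example, not the unbound-adblock tool or any project's own script). The hosts list inside it is constructed in the StevenBlack layout, the domain regex and the list of self-host names are my assumptions, and it collapses subdomains whose parent is already blocked since a local-zone covers its whole subtree.

```python
"""Turn a hosts-style blocklist (StevenBlack layout) into Unbound local-zone lines.

Added example for this post, not the unbound-adblock tool or the post's own
script. SAMPLE_HOSTS is constructed; feed it a downloaded hosts file
(one "0.0.0.0 domain" per line) to get a real adblock.conf.
"""
import re
from typing import Iterable, List, Set

# One DNS label: letters, digits, hyphens, no leading/trailing hyphen, max 63 chars.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")
# Sink addresses blocklists map names to; anything else is a real host mapping.
_SINKS = {"0.0.0.0", "127.0.0.1", "::", "::1"}
# Names hosts files carry for the machine itself; never block these (assumed list).
_SELF = {"localhost", "localhost.localdomain", "local", "broadcasthost",
         "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
         "ip6-allnodes", "ip6-allrouters", "ip6-allhosts", "0.0.0.0"}

SAMPLE_HOSTS = """\
# Constructed sample in StevenBlack/hosts layout
127.0.0.1 localhost
::1 localhost ip6-localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.doubleclick.net
0.0.0.0 DOUBLECLICK.NET   # case and comments are tolerated
0.0.0.0 static.doubleclick.net
0.0.0.0 tracker.example.org
0.0.0.0 bad_host.example        # underscore is not a valid hostname label
192.168.1.10 nas.home.arpa      # a real host mapping, not a block entry
"""


def hosts_to_domains(lines: Iterable[str]) -> Set[str]:
    """Extract the blocked names, lowercased and without a trailing dot."""
    found: Set[str] = set()
    for raw in lines:
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] not in _SINKS:
            continue
        for host in fields[1:]:
            host = host.lower().rstrip(".")
            if host not in _SELF and _DOMAIN.match(host):
                found.add(host)
    return found


def prune_subdomains(domains: Set[str]) -> List[str]:
    """Drop names whose parent is listed: a local-zone already covers its subtree."""
    kept: List[str] = []
    kept_set: Set[str] = set()
    for name in sorted(domains, key=lambda d: (d.count("."), d)):  # parents first
        labels = name.split(".")
        if any(".".join(labels[i:]) in kept_set for i in range(1, len(labels))):
            continue
        kept.append(name)
        kept_set.add(name)
    return kept


def render_unbound(domains: Iterable[str], mode: str = "always_nxdomain") -> str:
    """Emit local-zone lines. 'always_nxdomain' answers NXDOMAIN; 'redirect'
    answers 0.0.0.0 / :: for the name and everything under it."""
    out: List[str] = []
    for d in domains:
        if mode == "redirect":
            out.append(f'local-zone: "{d}" redirect')
            out.append(f'local-data: "{d} A 0.0.0.0"')
            out.append(f'local-data: "{d} AAAA ::"')
        else:
            out.append(f'local-zone: "{d}" {mode}')
    return "\n".join(out) + ("\n" if out else "")


def convert(hosts_text: str, mode: str = "always_nxdomain") -> str:
    """hosts file text in, adblock.conf text out."""
    return render_unbound(prune_subdomains(hosts_to_domains(hosts_text.splitlines())), mode)


if __name__ == "__main__":
    print(convert(SAMPLE_HOSTS), end="")
```

Write the output to /etc/unbound/adblock.conf and pull it in with the include: line inside server: as above; the sample collapses four doubleclick entries into one zone and skips the invalid and non-sink lines.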
Monitoring & Troubleshooting
Status & stats. unbound-control talks to the daemon over the remote-control socket; Debian/Ubuntu enable it in unbound.conf.d/remote-control.conf, elsewhere add a remote-control: block with control-enable: yes and run unbound-control-setup first:

```bash
# Stats without resetting the counters
sudo unbound-control stats_noreset

# Flush one name, or the whole cache (flush needs a name; flush_zone . drops everything)
sudo unbound-control flush example.com
sudo unbound-control flush_zone .

# Test DNSSEC: dnssec-failed.org is deliberately signed wrong
dig @127.0.0.1 dnssec-failed.org
# Should return SERVFAIL if validation is on. Add +cd (checking disabled) and it
# resolves again, which proves the SERVFAIL came from validation, not the upstream.
dig @127.0.0.1 +cd dnssec-failed.org

# A correctly signed name comes back with the "ad" flag in the header when validated
dig @127.0.0.1 +dnssec . SOA
```

Log analysis. Queries only show up in the log with log-queries: yes in the server: block (verbosity 1 alone won't do it), and with that on each query is logged as "info: <client> <qname> <qtype> <qclass>", so filter on the name or client you care about rather than the word "query":

```bash
sudo tail -f /var/log/unbound/unbound.log | grep example.com
```
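Once log-queries: yes is on, something like this (an added example, not Unbound's own tooling) turns the log into a per-client summary and flags the pattern that matters most on a resolver: one client asking for lots of distinct, long, random-looking labels under a single parent, which is what DNS tunnelling and exfil look like. It assumes log-queries lines have the shape `info: <client> <qname> <qtype> <qclass>` after the timestamp/pid prefix; the sample log is constructed, including the 192.168.1.30 client and exfil.example.net.

```python
"""Summarise an Unbound query log and flag a client that looks like DNS tunnelling.

Added example for this post, not Unbound's tooling. Assumes log-queries: yes,
which logs each query as "info: <client ip> <qname> <qtype> <qclass>" after the
"[time] unbound[pid:tid]" prefix; SAMPLE_LOG is constructed in that layout.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

Query = Tuple[str, str, str]  # (client ip, qname, qtype)

# Matches the log-queries line shape described above (assumed layout, see docstring).
QUERY_RE = re.compile(r"info: (\S+) (\S+) (\S+) (\S+)\s*$")

SAMPLE_LOG = """\
[1700000000] unbound[1234:0] info: start of service (unbound 1.17.1).
[1700000001] unbound[1234:0] info: 192.168.1.20 google.com. A IN
[1700000002] unbound[1234:0] info: 192.168.1.20 ads.doubleclick.net. A IN
[1700000003] unbound[1234:1] info: 192.168.1.21 google.com. AAAA IN
[1700000004] unbound[1234:0] info: 192.168.1.21 github.com. A IN
[1700000005] unbound[1234:1] info: 192.168.1.20 google.com. A IN
[1700000006] unbound[1234:1] info: 192.168.1.30 7a6b3c9d0e1f2a3b4c5d6e7f.exfil.example.net. TXT IN
[1700000007] unbound[1234:0] info: 192.168.1.30 8b7c4d0e1f2a3b4c5d6e7f80.exfil.example.net. TXT IN
[1700000008] unbound[1234:1] info: 192.168.1.30 9c8d5e1f2a3b4c5d6e7f8091.exfil.example.net. TXT IN
[1700000009] unbound[1234:0] info: 192.168.1.30 0d9e6f2a3b4c5d6e7f8091a2.exfil.example.net. TXT IN
[1700000010] unbound[1234:1] info: 192.168.1.30 1eaf7a3b4c5d6e7f8091a2b3.exfil.example.net. TXT IN
"""


def parse_queries(text: str) -> List[Query]:
    """Pull (client, qname, qtype) out of query lines; other log lines are skipped."""
    out: List[Query] = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        # qclass IN and a trailing dot on the qname rule out non-query info: lines
        if m and m.group(4) == "IN" and m.group(2).endswith("."):
            out.append((m.group(1), m.group(2), m.group(3)))
    return out


def queries_per_client(records: List[Query]) -> Dict[str, int]:
    """How many queries each client made."""
    return dict(Counter(client for client, _, _ in records))


def top_names(records: List[Query], n: int = 5) -> List[Tuple[str, int]]:
    """Most-queried names, useful for spotting a beacon or an ad domain that slipped the blocklist."""
    return Counter(qname for _, qname, _ in records).most_common(n)


def tunnel_suspects(records: List[Query], min_names: int = 5,
                    min_label: int = 16) -> Dict[Tuple[str, str], int]:
    """Flag (client, parent domain) pairs with many distinct, long leftmost labels.

    Tunnelling tools encode data in the leftmost label, so one client producing
    dozens of unique long labels under one parent is the signal; normal traffic
    reuses a handful of short names.
    """
    labels: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for client, qname, _ in records:
        name = qname.rstrip(".")
        if "." not in name:
            continue
        leftmost, parent = name.split(".", 1)
        labels[(client, parent)].add(leftmost)
    flagged: Dict[Tuple[str, str], int] = {}
    for key, seen in labels.items():
        if len(seen) >= min_names and sum(map(len, seen)) / len(seen) >= min_label:
            flagged[key] = len(seen)
    return flagged


if __name__ == "__main__":
    recs = parse_queries(SAMPLE_LOG)
    print("per client:", queries_per_client(recs))
    print("top names:", top_names(recs, 3))
    print("tunnel suspects:", tunnel_suspects(recs))
```

Tune min_names and min_label to your network (CDNs and some mail filters also produce long labels, so look at the parent domain before you act on a hit), and run it over a rotated log rather than the live tail so the counts mean something.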
Quick Comparison
| Resolver | Strengths | Weaknesses |
|---|---|---|
| Unbound | Native DNSSEC, DoT upstream, DoT/DoH serving, modular | Config is a bit verbose |
| dnsmasq | Simple, bundles DHCP | Forwarder only; DNSSEC validation is basic and off by default |
| BIND | Full-featured, authoritative and recursive | Heavy, complex |
| systemd-resolved | Ships with Ubuntu and other systemd distros | Stub resolver only, limited features |
Conclusion
Unbound is a solid pick when you need a DNS resolver that is secure, fast, and fully customisable. It fits well for:
- Home servers / homelabs
- A VPS acting as an internal DNS server
- Privacy-focused setups (DoT upstream, DoT/DoH for clients)
- Network-wide ad blocking