🌐 DNS Deep Dive
12 min read
Running Your Own DNS Resolver
Set up a private DNS resolver with Unbound for faster lookups, better privacy, and custom filtering on your network.
Why Run Your Own Resolver?
Public DNS resolvers (Google 8.8.8.8, Cloudflare 1.1.1.1) are convenient, but running your own gives you:
- Privacy — Your DNS queries never pass through a third-party resolver, so no public DNS operator logs your browsing.
- Speed — A local resolver with caching eliminates round-trips to external servers.
- Control — Block ads, malware domains, and tracking at the DNS level.
- DNSSEC validation — Verify cryptographic signatures locally.
Choosing Software
| Software | Type | Best For |
|---|---|---|
| Unbound | Recursive resolver | Privacy-focused home/small office |
| Pi-hole | Forwarding + ad blocking | Easy setup, web UI |
| BIND | Full authoritative + recursive | Enterprise environments |
| Knot Resolver | Recursive with scripting | Advanced users |
Unbound is the recommended choice for most users — lightweight, secure by default, and well-documented.
Basic Unbound Setup
```bash
# Install on Ubuntu/Debian
sudo apt install unbound
# Download root hints (list of root DNS servers)
sudo curl -o /var/lib/unbound/root.hints \
  https://www.internic.net/domain/named.root
# Basic configuration at /etc/unbound/unbound.conf
```
Minimal /etc/unbound/unbound.conf:
```yaml
server:
    # Listen on all interfaces; access-control decides who may actually query.
    # Unbound refuses addresses that are not explicitly allowed (loopback aside),
    # so this does not create an open resolver.
    interface: 0.0.0.0
    access-control: 192.168.1.0/24 allow
    do-ip6: no
    hide-identity: yes
    hide-version: yes
    # Use the root hints downloaded above (Unbound has built-in hints as a fallback)
    root-hints: "/var/lib/unbound/root.hints"
    # DNSSEC validation
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Performance
    num-threads: 2
    msg-cache-size: 64m
    rrset-cache-size: 128m
    # Privacy
    qname-minimisation: yes
```
Testing Your Resolver
```bash
# Start and enable
sudo systemctl enable --now unbound
# Test resolution
dig @127.0.0.1 example.com A
# Verify DNSSEC: a validated answer carries the "ad" (authenticated data) flag in its header
dig @127.0.0.1 +dnssec cloudflare.com A
```
Adding Ad Blocking
Download and integrate a blocklist:
```bash
# Fetch blocklist and convert to Unbound format. The hosts file's own
# "0.0.0.0 0.0.0.0" sink entry is dropped so it does not become a zone.
curl -s https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | \
  grep '^0\.0\.0\.0 ' | grep -v '^0\.0\.0\.0 0\.0\.0\.0' | \
  awk '{print "local-zone: \""$2"\" redirect\nlocal-data: \""$2" A 0.0.0.0\""}' | \
  sudo tee /etc/unbound/blocklist.conf > /dev/null   # a plain ">" fails: the redirect runs as your user, not root
# Include in unbound.conf (at top level or inside the server: block):
#   include: "/etc/unbound/blocklist.conf"
# Validate before restarting: one bad line in the blocklist leaves the resolver down
sudo unbound-checkconf && sudo systemctl restart unbound
```
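A more defensive version of the conversion step, added here as an example and not part of the original article: it parses hosts-format text, drops comments and the machine's own loopback/sink entries, validates every hostname against RFC 1123 label rules (a malformed name would stop Unbound from loading the config) and de-duplicates before emitting the same `local-zone`/`local-data` pairs the one-liner produces. The sample input is constructed, not an excerpt of any real list.

```python
"""Convert a hosts-format blocklist into Unbound local-zone statements.
One malformed line in blocklist.conf stops Unbound from starting, so every
name is validated, sink entries (0.0.0.0, localhost) are skipped, and
duplicates are removed before anything is emitted."""
import re

# RFC 1123 label: letters, digits, hyphens; 1-63 chars; no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
# Names every hosts file carries for the machine itself; never turn these into zones.
SKIP_NAMES = {"0.0.0.0", "localhost", "localhost.localdomain", "local",
              "broadcasthost", "ip6-localhost", "ip6-loopback", "ip6-localnet",
              "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters", "ip6-allhosts"}
# Constructed sample input (not a real list excerpt) exercising the edge cases.
SAMPLE_HOSTS = """# Title: example blocklist
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.com  # trailing comment
0.0.0.0 Ads.Example.com
0.0.0.0 bad_name.example.com
0.0.0.0 telemetry.example.net stats.example.net
"""


def is_valid_hostname(name: str) -> bool:
    """True if name is a syntactically valid multi-label DNS hostname."""
    if not name or len(name) > 253:
        return False
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(lab) for lab in labels)


def hosts_to_unbound(text: str, sink: str = "0.0.0.0") -> list:
    """Return Unbound local-zone/local-data lines in the redirect style used above."""
    seen, out = set(), []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, then tokenise
        if not fields or fields[0] != sink:
            continue
        for name in fields[1:]:                  # a line may list several names
            name = name.lower()
            if name in SKIP_NAMES or name in seen or not is_valid_hostname(name):
                continue
            seen.add(name)
            out.append(f'local-zone: "{name}" redirect')
            out.append(f'local-data: "{name} A 0.0.0.0"')
    return out


if __name__ == "__main__":
    print("\n".join(hosts_to_unbound(SAMPLE_HOSTS)))
```

Pass `sink="127.0.0.1"` for lists that use the loopback address as their sink; the emitted answers are still `0.0.0.0`.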
Point Your Network to It
Set your router's DHCP to distribute your resolver's IP as the DNS server for all devices on your network. This way every device benefits without per-device configuration.