Unbound is a validating, recursive, and caching DNS resolver. The C implementation of Unbound is developed and maintained by NLnet Labs.

OpenWrt base install uses Dnsmasq for DNS forwarding (and DHCP serving). This works well for many cases. Dependence on the upstream resolver can be cause for concern. It is often provided by the ISP, and some users have switched to public DNS providers. Either way can result in problems due to performance, hijacking, trustworthiness, or several other reasons. Running a recursive resolver is a solution.

Releases LEDE 17.01 and OpenWrt 18.06 have included UCI/LuCI for the Unbound package and complete documentation in its README. The UCI/LuCI features should be familiar to those that have tweaked dnsmasq in the past. “How To” are available for integration with either dnsmasq or odhcpd. “How To” are available to configure Unbound as forwarding client of DoT.

DNS over TLS is fully supported with Unbound configuration helpers in UCI and LuCI. You should be able to find it all in the README. You can manage zone recursion, zone forward, and zone transfer preferences. These are present in a form similar to how the firewall pin point rules work. You may forward specific domains to specific DNS servers with or without TLS. This may be useful where you need location specific resolution for ISP colocated services such as is often done by Google (www.youtube.com by, but wish to have a private DNS like CloudFlare ( mask location while resolving general look-ups.


Note there are significant options enhancements from 18.06 to 19.07 including UCI/LuCI for TLS.

This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2021/03/02 17:13
  • by doppel-d