habibzain Just husband, father and enthusiastic men about System Administration. Love to write short article about it. Perhaps can help and be useful for others.

Install Unbound Ubuntu 20.04/22.04 With Package Manager

Hi Dude, this article is a continuation of the Unbound DNS resolver installation series. In the previous article, we discussed how to install the latest version of the Unbound DNS resolver using the installer, and then how to compile it manually. In this post we will install Unbound on Ubuntu 20.04 as a DNS resolver using the package manager.

Basically the installation is the same; what differs is the source. By compiling we can use the latest version, but with the package manager we can only use the version available in the repository, so we can't get the latest version. OK, let's do it.

In this post, I use two hosts.

  • 1 host server unbound with IP
  • 1 host windows as client with IP

Install Unbound Ubuntu 20.04 From Package Manager

apt update
apt install unbound net-tools bind9-utils

After install package finished, check running port with netstat command.

habibza@habibzasrv:~$ sudo netstat -tulpn

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0  *               LISTEN      49197/unbound
tcp        0      0 *               LISTEN      819/systemd-resolve
tcp        0      0    *               LISTEN      885/sshd: /usr/sbin
tcp6       0      0 ::1:53                  :::*                    LISTEN      49197/unbound
tcp6       0      0 :::22                   :::*                    LISTEN      885/sshd: /usr/sbin
udp        0      0  *                           49197/unbound
udp        0      0 *                           819/systemd-resolve
udp        0      0*                           817/systemd-network
udp6       0      0 ::1:53                  :::*                                49197/unbound

As we can see, port 53 is shared by the unbound and systemd-resolve services. Systemd-resolve use and unbound use
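To see at a glance which process holds port 53 and whether it is reachable from other hosts, the netstat output can be summarised as below. This is an added example, not part of the original article; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list port-53 listeners from `netstat -tulpn` output on stdin.
# Output columns: proto address scope program
port53_listeners() {
    awk '
    $1 ~ /^(tcp|udp)6?$/ {
        la = $4                                   # "Local Address" column
        if (la !~ /:53$/) next
        addr = substr(la, 1, length(la) - 3)      # drop the trailing ":53"
        prog = $NF; sub(/^[0-9]+\//, "", prog)    # "49197/unbound" -> "unbound"
        if (addr == "0.0.0.0" || addr == "::")      scope = "all-interfaces"
        else if (addr ~ /^127\./ || addr == "::1")  scope = "loopback"
        else                                        scope = "single-address"
        print $1, addr, scope, prog
    }'
}

# exposed_dns: exit 0 only if some port-53 listener is reachable off-host.
exposed_dns() {
    port53_listeners | awk '$3 != "loopback" { found = 1; print } END { exit !found }'
}

# Constructed sample lines (not the page's output); the last one models a
# resolver that has been opened to every interface.
sample='tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      49197/unbound
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      819/systemd-resolve
tcp6       0      0 ::1:53                  :::*                    LISTEN      49197/unbound
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1234/unbound'
printf '%s\n' "$sample" | port53_listeners
```

On a live host, pipe `sudo netstat -tulpn` into `port53_listeners` instead of the sample.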

Let's check the status of unbound.service.

[Screenshot: starting unbound]

And also the version of Unbound.

habibza@habibzasrv:~$ unbound -V
Version 1.9.4

Configure line: --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-silent-rules --libdir=${prefix}/lib/x86_64-linux-gnu --libexecdir=${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking --disable-rpath --with-pidfile=/run/unbound.pid --with-rootkey-file=/var/lib/unbound/root.key --with-libevent --with-pythonmodule --enable-subnet --enable-dnstap --enable-systemd --with-chroot-dir= --with-dnstap-socket-path=/run/dnstap.sock --libdir=/usr/lib
Linked libs: libevent 2.1.11-stable (it uses epoll), OpenSSL 1.1.1f  31 Mar 2020
Linked modules: dns64 python subnetcache respip validator iterator

BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues

Testing the resolver locally

To verify that the server works correctly, it’s a good idea to test it before committing the entire network to it. Luckily we can test this on the machine that Unbound is installed on (locally) and, after we expose Unbound to the network, from any other machine (remotely) that will be using the resolver.

To test locally on the Unbound machine, use dig example.com @ In this example I will dig mx yahoo.com.

[Screenshot: dig result from unbound service]

As we can see, the dig result shows the answer for mx yahoo.com from

Determine /etc/resolv.conf as default resolver services

By default, Ubuntu runs the systemd-resolved stub resolver which listens on You need to stop it, so unbound can bind to

We have two ways to fix it.

Unbound and Systemd-resolve Run Together.

The resolver your machine uses by default is defined in /etc/systemd/resolved.conf in the DNS entry (It uses ). While just changing this file will work as long as the machine doesn’t reboot, we need to make sure that this change is persistent. To do that, we need to change the DNS entry to be equal to (or whatever IP address Unbound is bound to) so the machine uses Unbound as default. To make the change persistent, we also need to set the DNSStubListener to no so that is not changed by our router (such as with a “recommended resolver” mentioned below). We also want to enable the DNSSEC option so that we can verify the integrity of the responses we get to our DNS queries. With your favourite text editor (e.g. vim) we can modify the file:

vim /etc/systemd/resolved.conf

Here, under the [Resolve] header, we add (or rather, enable by removing the “#”) the options:


To actually have the system start using Unbound, we then need to create a symlink to overwrite /etc/resolv.conf to the one we modified.

ln -fs /run/systemd/resolve/resolv.conf /etc/resolv.conf

With this file modified, we can restart using this configuration with:

systemctl restart systemd-resolved

After restart, we can check file /etc/resolv.conf.

Check the status of the unbound and systemd-resolved services.

Check systemd-resolve --status.

root@habibza:~# systemd-resolve --status
       LLMNR setting: no
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: yes
    DNSSEC supported: yes
         DNS Servers:
          DNSSEC NTA: 10.in-addr.arpa

Link 2 (ens33)
      Current Scopes: DNS
DefaultRoute setting: yes
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: yes
    DNSSEC supported: yes
  Current DNS Server:
         DNS Servers:
          DNS Domain: localdomain

Unbound Replaces the Role of systemd-resolved

The second way is for Unbound to replace systemd-resolved as the default resolver in /etc/resolv.conf.

By default, installing Unbound from the package manager creates two services, unbound.service and unbound-resolvconf.service, and unbound-resolvconf.service is not running.

root@habibza:~# systemctl status unbound-resolvconf.service
● unbound-resolvconf.service - Unbound DNS server via resolvconf
     Loaded: loaded (/lib/systemd/system/unbound-resolvconf.service; enabled; vendor preset: enabled)
     Active: inactive (dead)
  Condition: start condition failed at Tue 2022-07-26 11:34:02 WIB; 15min ago

Jul 26 11:34:01 habibza systemd[1]: Condition check resulted in Unbound DNS server via resolvconf being skipped.

The first thing we have to do is replace /etc/resolv.conf with the openresolv service. Install the openresolv package first.

apt install openresolv

After openresolv is installed, we must stop the systemd-resolved service.

systemctl stop systemd-resolved.service
systemctl disable systemd-resolved.service

Remove /etc/resolv.conf; this file will be generated automatically by unbound-resolvconf.service.

 rm -rf /etc/resolv.conf

Ok, after that restart unbound.service and unbound-resolvconf.service.

 systemctl restart unbound.service
 systemctl restart unbound-resolvconf.service
 cat /etc/resolv.conf
# Generated by resolvconf

We can see "Generated by resolvconf", which means unbound-resolvconf.service is running properly.

Setting unbound.conf

For the first setup, we can start with a simple configuration. We can tune it later.

The default config is found at /etc/unbound/unbound.conf

server:
        # location of the trust anchor file that enables DNSSEC
        # auto-trust-anchor-file: "/var/lib/unbound/root.key"
        # send minimal amount of information to upstream servers to enhance privacy
        qname-minimisation: yes
        # the interface that is used to connect to the network (this will listen to all interfaces)
        # interface: ::0
        # addresses from the IP range that are allowed to connect to the resolver
        access-control: allow
        access-control: allow
        # access-control: 2001:DB8/64 allow
        do-ip4: yes
        do-ip6: no
        do-udp: yes
        do-tcp: yes

remote-control:
        # allows controlling unbound using "unbound-control"
        control-enable: yes

The interface is currently configured to listen to any address on the machine, and the access-control only allows queries from the and IP subnet range.

When we’ve modified the configuration we check it for mistakes with the unbound-checkconf command:

root@habibza:~# unbound-checkconf /etc/unbound/unbound.conf
unbound-checkconf: no errors in /etc/unbound/unbound.conf

Testing the setup

After running the unbound-checkconf command to see if your config file is correct, you can test your setup by running Unbound in “debug” mode. This allows you to see what is happening during startup and catch any errors. The unbound(8) manpage shows that the -d flag will start Unbound in this mode. The manpage also shows that we can use the -c flag to specify the path to the config file, so we can use the one we created. We also recommend increasing the verbosity of the logging to 1 or 2, to see what’s actually happening (-v or -vv). We can stop it with Ctrl+C on the keyboard.

unbound -d -vv -c unbound.conf

Set up Remote Control

Apart from an extensive config file, with just about all the possible configuration options, unbound-control-setup creates the cryptographic keys necessary for the control option.

root@habibza:~# unbound-control-setup
setup in directory /etc/unbound
unbound_server.key exists
unbound_control.key exists
create unbound_server.pem (self signed certificate)
create unbound_control.pem (signed client certificate)
Signature ok
subject=CN = unbound-control
Getting CA Private Key
Setup success. Certificates created. Enable in unbound.conf file to use
root@habibza:/etc/unbound# ls -al /etc/unbound/
total 32
drwxr-xr-x   3 root root 4096 Jul 26 15:22 .
drwxr-xr-x 102 root root 4096 Jul 26 14:59 ..
-rw-r--r--   1 root root 1130 Jul 26 15:20 unbound.conf
drwxr-xr-x   2 root root 4096 Jul 26 14:58 unbound.conf.d
-rw-r-----   1 root root 2455 Jul 26 11:33 unbound_control.key
-rw-r-----   1 root root 1342 Jul 26 15:22 unbound_control.pem
-rw-r-----   1 root root 2459 Jul 26 11:33 unbound_server.key
-rw-r-----   1 root root 1334 Jul 26 15:22 unbound_server.pem

To complete the remote control setup, we have to add the paths of the keys and certificates to the remote-control settings in the unbound.conf above.

remote-control:
        # allows controlling unbound using "unbound-control"
        control-enable: yes
        control-port: 953
        server-key-file: "/etc/unbound/unbound_server.key"
        server-cert-file: "/etc/unbound/unbound_server.pem"
        control-key-file: "/etc/unbound/unbound_control.key"
        control-cert-file: "/etc/unbound/unbound_control.pem"
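Before exposing the resolver to the network, it is worth checking that the access-control and remote-control settings discussed above do not open it wider than intended. The script below is an added example, not part of the original article or of the Unbound project; the function name, finding labels and sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an unbound.conf for network exposure.
# Prints one finding per line; exit status is 1 if anything was found.
audit_unbound_conf() {
    awk '
    { sub(/#.*/, "") }                                  # drop comments
    NF == 0 { next }
    NF == 1 && $1 ~ /^[a-z-]+:$/ { clause = $1; next }  # "server:", "remote-control:"
    { key = $1; val = $2; gsub(/"/, "", val) }

    # An allow rule for every source turns the host into an open resolver.
    clause == "server:" && key == "access-control:" && $3 == "allow" &&
        (val == "0.0.0.0/0" || val == "::/0" || val == "::0/0") {
        print "open-resolver: access-control " val " allow"; bad = 1
    }
    clause == "remote-control:" && key == "control-enable:"   { ctl = (val == "yes") }
    clause == "remote-control:" && key == "control-use-cert:" { nocert = (val == "no") }
    # Paths are local sockets; any other non-loopback value is reachable remotely.
    clause == "remote-control:" && key == "control-interface:" &&
        val !~ /^\// && val != "127.0.0.1" && val != "::1" { exposed = val }

    END {
        if (ctl && exposed != "") { print "control-exposed: control-interface " exposed; bad = 1 }
        if (ctl && nocert)        { print "control-no-tls: control-use-cert no"; bad = 1 }
        exit bad + 0
    }' "$1"
}

# Constructed sample config (not from the page) showing two weak settings.
sample=$(mktemp)
cat > "$sample" <<'EOF'
server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow    # constructed weak setting
remote-control:
    control-enable: yes
    control-interface: 0.0.0.0         # constructed weak setting
EOF
audit_unbound_conf "$sample" || echo "findings above: tighten before exposing the resolver"
rm -f "$sample"
```

Run it as `audit_unbound_conf /etc/unbound/unbound.conf` after unbound-checkconf reports no errors; it checks exposure, not syntax.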

Set up Trust Anchor (Enable DNSSEC)

To enable DNSSEC, which we strongly recommend, we need to set up a trust anchor as it allows the verification of the integrity of the responses to the queries you send.

To help, we can use the unbound-anchor command.

unbound-anchor performs the setup by configuring a trust anchor. This trust anchor will only serve as the initial anchor from builtin values. To keep this anchor up to date, Unbound must be able to read and write to this file. The default location that unbound-anchor creates this in is determined by your installation method.

Usually the default directory is /usr/local/etc/unbound/, or /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf if we install Unbound via apt.


Final step: restart the unbound service.

systemctl restart unbound

Testing DNS Resolver and DNSSEC in Client.

After the configuration is finished, test it from the client. On the client host, point the DNS client to the IP of Unbound.

I use the web tool below to test DNSSEC.
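Validation can also be checked from the command line on any host that has dig, by looking at the reply status and the "ad" flag. This is an added example, not part of the original article; the function names are hypothetical, the sample header is constructed, and the resolver address and test names are left as arguments for you to supply.

```shell
#!/bin/sh
# Added example: classify a `dig +dnssec` reply read from stdin.
#   validated      NOERROR and the "ad" (authenticated data) flag is set
#   not-validated  NOERROR without "ad" (unsigned zone or non-validating resolver)
#   servfail       SERVFAIL, which a validating resolver returns for bogus data
#   other:<RCODE>  anything else (NXDOMAIN, REFUSED, ...)
dnssec_verdict() {
    awk '
    /->>HEADER<<-/ {
        for (i = 1; i < NF; i++)
            if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
    }
    /^;; flags:/ {
        flags = $0; sub(/^;; flags:/, "", flags); sub(/;.*/, "", flags)
        ad = (index(" " flags " ", " ad ") > 0)
    }
    END {
        if (status == "")         { print "no-reply"; exit 2 }
        if (status == "SERVFAIL") { print "servfail"; exit 1 }
        if (status != "NOERROR")  { print "other:" status; exit 1 }
        print (ad ? "validated" : "not-validated"); exit (ad ? 0 : 1)
    }'
}

# check_name RESOLVER NAME: query the resolver the way a client would.
check_name() {
    dig +dnssec +time=3 +tries=1 "@$1" "$2" A | dnssec_verdict
}

# Constructed dig header (not captured from the page's resolver).
sample_signed=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
printf '%s\n' "$sample_signed" | dnssec_verdict
```

A signed name should come back as validated, and a name with a deliberately broken signature should come back as servfail; not-validated for a name you know is signed means the resolver is not validating.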


This is the last word from the article Install Unbound Ubuntu 20.04. Unbound is very light and powerful.
