DNS-over-TLS Setup with Unbound
Protect your DNS queries from ISP monitoring and tampering by enabling encrypted DNS (DoT) on Unbound. This guide walks you through each step with real settings and commands.
Why Enable Encrypted DNS on Unbound?
By default, DNS queries are sent in plain text over UDP port 53. This means your ISP, network administrator, or anyone on your local network can see every domain you visit. Encrypted DNS solves this by wrapping your DNS queries in TLS or HTTPS encryption.
- DNS-over-HTTPS (DoH) sends DNS queries inside HTTPS on port 443 — the same port used for web traffic. This makes it very difficult to block or detect.
- DNS-over-TLS (DoT) sends DNS queries encrypted via TLS on port 853. It is a dedicated protocol that is easier for network admins to manage but may be blocked on some networks.
This guide shows you how to configure DoT on Unbound.
Step-by-Step Setup Instructions
Follow these steps to enable encrypted DNS on Unbound:
1. Install Unbound

   Install Unbound on your system. On Debian/Ubuntu: `sudo apt install unbound`. On RHEL/CentOS/AlmaLinux: `sudo dnf install unbound`. On Arch Linux: `sudo pacman -S unbound`.

2. Edit the Unbound configuration

   Open the Unbound configuration file: `sudo nano /etc/unbound/unbound.conf`. You will configure Unbound to forward queries to an upstream DNS resolver over TLS instead of resolving recursively.

3. Add a forward zone with TLS

   Add the following to unbound.conf:

   ```
   server:
       tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

   forward-zone:
       name: "."
       forward-tls-upstream: yes
       forward-addr: 1.1.1.1@853#one.one.one.one
       forward-addr: 1.0.0.1@853#one.one.one.one
       forward-addr: 9.9.9.9@853#dns.quad9.net
       forward-addr: 149.112.112.112@853#dns.quad9.net
   ```

   The `@853` specifies the TLS port, and `#hostname` is the name the upstream certificate is verified against.

4. Set the TLS certificate bundle

   The `tls-cert-bundle` path varies by distribution. Debian/Ubuntu: `/etc/ssl/certs/ca-certificates.crt`. RHEL/CentOS: `/etc/pki/tls/certs/ca-bundle.crt`. Alpine: `/etc/ssl/certs/ca-certificates.crt`. This is required for Unbound to verify the upstream server's TLS certificate.

5. Test and start Unbound

   Test the configuration: `sudo unbound-checkconf`. Fix any errors reported. Start Unbound: `sudo systemctl enable --now unbound`. Verify it is running: `sudo systemctl status unbound`.

6. Point your system DNS to Unbound

   Configure your system to use Unbound as its DNS resolver by setting the DNS server to 127.0.0.1 (localhost). On systemd systems, add `DNS=127.0.0.1` to `/etc/systemd/resolved.conf` and restart systemd-resolved. Test with: `dig @127.0.0.1 example.com`.
After configuring encrypted DNS, it is recommended to clear your DNS cache and test the configuration using a DNS leak test site.
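To check an upstream from step 3 the same way Unbound does for `1.1.1.1@853#one.one.one.one`, here is an added Python DoT client (example code written for this guide, not part of Unbound): it opens TLS to the IP, verifies the chain against the CA bundle and the name against the `#authname`, sends a length-prefixed query (RFC 7858) and decodes the A records. The `CA_BUNDLE` path assumes Debian/Ubuntu; the function and variable names are this example's own.

```python
import socket
import ssl
import struct

CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"  # the guide's tls-cert-bundle path (Debian/Ubuntu)

def build_query(qname, qid=0x1234):
    """One A/IN question with RD=1, in DNS wire format."""
    labels = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                      for lab in qname.rstrip(".").split("."))
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)

def frame(msg):
    return struct.pack("!H", len(msg)) + msg  # RFC 7858 reuses DNS-over-TCP framing: 2-byte length prefix

def skip_name(msg, pos):
    """Advance past a domain name at pos, handling compression pointers."""
    while True:
        n = msg[pos]
        if n & 0xC0 == 0xC0:      # 2-byte pointer ends the name
            return pos + 2
        pos += n + 1
        if n == 0:                # root label ends the name
            return pos

def parse_response(msg, qid=0x1234):
    """Return ID match, RCODE and the A records from the answer section."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4     # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        pos = skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[pos:pos + 4]))
        pos += rdlen
    return {"id_ok": rid == qid, "rcode": flags & 0xF, "addrs": addrs}

def dot_query(ip, authname, qname, port=853):
    """TLS to ip:port; chain verified against CA_BUNDLE, name against authname (Unbound's #authname)."""
    ctx = ssl.create_default_context(cafile=CA_BUNDLE)  # CERT_REQUIRED + check_hostname
    with socket.create_connection((ip, port), timeout=5) as raw, \
         ctx.wrap_socket(raw, server_hostname=authname) as tls:
        tls.sendall(frame(build_query(qname)))
        reply = tls.makefile("rb")
        (length,) = struct.unpack("!H", reply.read(2))
        return parse_response(reply.read(length))
```

Run `dot_query("1.1.1.1", "one.one.one.one", "example.com")` against each upstream you configured; a mismatched authname (for example `dns.quad9.net` against 1.1.1.1) raises `ssl.SSLCertVerificationError` instead of returning an answer, which is exactly the check the `#hostname` suffix asks Unbound to perform.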
Recommended Encrypted DNS Providers
These providers support encrypted DNS and are compatible with Unbound:
| Provider | Primary IP | Secondary IP | DoH URL | DoT Hostname |
|---|---|---|---|---|
| Cloudflare | 1.1.1.1 | 1.0.0.1 | https://cloudflare-dns.com/dns-query | one.one.one.one |
| Google | 8.8.8.8 | 8.8.4.4 | https://dns.google/dns-query | dns.google |
| Quad9 | 9.9.9.9 | 149.112.112.112 | https://dns.quad9.net/dns-query | dns.quad9.net |
| Mullvad | 194.242.2.2 | 194.242.2.3 | https://dns.mullvad.net/dns-query | dns.mullvad.net |
Verify Your Encrypted DNS Setup
After configuring encrypted DNS on Unbound, run our DNS Privacy Check to verify your queries are encrypted and your ISP cannot see your DNS traffic.
Encrypted DNS Guides for Other Platforms
Set up encrypted DNS on all your devices for comprehensive protection:
- Windows 11 (DoH)
- macOS (DoH & DoT)
- Android (DoT)
- iPhone & iPad (DoH & DoT)
- Firefox (DoH)
- Chrome (DoH)
- Microsoft Edge (DoH)
- Linux (systemd-resolved) (DoT)
- Router (DoH & DoT)
Frequently Asked Questions
Why use Unbound for encrypted DNS instead of systemd-resolved?
Unbound provides more granular control over DNS behavior including caching policies, DNSSEC validation, query minimization (RFC 7816), and per-zone forwarding rules. It is the preferred choice for servers, Pi-hole setups, and users who need advanced DNS features beyond what systemd-resolved offers.
Can Unbound use DNS-over-HTTPS instead of DNS-over-TLS?
Unbound natively supports DNS-over-TLS (DoT) for upstream forwarding. It does not natively support DNS-over-HTTPS (DoH) as a client. If you need DoH, chain Unbound with cloudflared or dnscrypt-proxy as the upstream forwarder.
Can I combine Unbound with Pi-hole?
Yes, this is a popular setup. Pi-hole handles ad blocking and forwards DNS queries to Unbound running locally. Configure Pi-hole to use `127.0.0.1#5335` (Unbound on a custom port) as its upstream DNS. Then configure Unbound with `forward-tls-upstream` for encrypted forwarding. See our Unbound setup guide for detailed instructions.
How do I verify Unbound is using DNS-over-TLS?
Run: `sudo unbound-control stats_noreset | grep tls`. Look for `num.query.tls`, which shows the count of TLS queries. You can also capture traffic with: `sudo tcpdump -i any port 853 -c 10` — you should see encrypted traffic to your configured upstream servers on port 853.