Unbound is a caching DNS resolver that comes as a part of OpenBSD base. You can use this to provide faster as well as more secure DNS lookup for the users on your network.

Here's a sample /var/unbound/etc/unbound.conf:

<code>
server:
        interface: 127.0.0.1 # listen on localhost
        interface: 192.168.1.1 # listen on 192.168.1.1 to provide DNS for users on a network
        interface: ::1
        #do-ip6: no

        access-control: 0.0.0.0/0 refuse # block all users by default
        access-control: 127.0.0.0/8 allow # allow localhost to use unbound
        access-control: 192.168.0.0/16 allow # allow users on your network to use unbound
        access-control: ::0/0 refuse # block all IPv6 users by default
        access-control: ::1 allow # allow IPv6 localhost to use unbound

        hide-identity: yes
        hide-version: yes

remote-control:
        control-enable: yes
        control-interface: /var/run/unbound.sock

forward-zone:
        name: "."
        forward-addr: 185.117.154.144
        forward-addr: 165.227.40.43
        forward-addr: 217.144.132.169
        forward-addr: 212.237.22.141
        forward-addr: 165.227.108.86
</code>

The forward-addr lines indicate which nameserver unbound will query. You can find a list of public servers on [[https://servers.opennic.org/|OpenNIC]].

if you are using another server as a master, set forwarding from this server as a priority:
<code>
forward-zone:
        name: "example.com."
        forward-addr: 10.10.10.10@53
        forward-first: no
        forward-no-cache: no
</code>

If you need to store local zones, add a block to the "server" section about it:
<code>
        local-zone: "localhost." static
        local-data: "localhost. 10800 IN NS localhost."
        local-data: "localhost. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
        local-data: "localhost. 10800 IN A 127.0.0.1"
        local-data: "localhost. 10800 IN AAAA ::1"
</code>

To start unbound:
<code>
$ doas rcctl enable unbound
$ doas rcctl start unbound
</code>

For the computer that runs unbound, you'll want to make sure /etc/resolv.conf uses 127.0.0.1 as the nameserver (that is, you query unbound running on port 53). In /etc/resolv.conf:

<code>
nameserver 127.0.0.1
lookup file bind
</code>

Check to make sure /etc/resolv.conf.tail does not contain any other name servers except 127.0.0.1. All your nameservers should instead be specified in /var/unbound/etc/unbound.conf.

If the computer running unbound uses DHCP for network configuration, you will want to include this line in /etc/dhclient.conf:

<code>
ignore domain-name-servers;
</code>

This tells OpenBSD's dhclient to ignore the name server provided by the dhcp server.

If the computer running unbound is also providing a dhcp server for your local network, you will want to add this line inside your /etc/dhcpd.conf blocks:

<code>
option domain-name-servers 192.168.1.1;
</code>