Here's how to use unbound as a local caching resolver:
Edit /etc/resolv.conf so it queries localhost on port 53:
# Generated by age0 dhclient
nameserver 127.0.0.1
lookup file bind
Inside /var/unbound/etc/unbound.conf, you will see this at the top:
server:
    interface: 127.0.0.1
    interface: ::1
    # override the default "any" address to send queries; if multiple
    # addresses are available, they are used randomly to counter spoofing
    #outgoing-interface: 192.0.2.1
    #outgoing-interface: 2001:db8::53
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::0/0 refuse
    access-control: ::1 allow
Make sure unbound is listening on 127.0.0.1 so that software on your VPS can query localhost on port 53, and on ::1 so the same works over IPv6.
For access control, refuse 0.0.0.0/0 (every IPv4 address) but allow 127.0.0.0/8 (everything that originates locally); likewise, refuse ::0/0 (every IPv6 address) but allow ::1 (localhost). With this policy unbound only answers queries from the machine itself, so it cannot be used as an open resolver by other hosts.
Put this at the bottom of the file:
forward-zone:
    name: "." # use for ALL queries
    forward-addr: 163.53.248.170
    forward-addr: 103.236.162.119
    forward-addr: 192.99.85.244
    forward-addr: 31.171.251.118
    forward-addr: 51.254.25.115
    forward-addr: 46.101.70.183
    forward-addr: 45.71.112.70
    forward-addr: 87.98.175.85
    forward-addr: 185.208.208.141
    forward-addr: 89.35.39.64
    forward-addr: 172.98.193.42
    forward-addr: 111.67.20.8
These are IP addresses for DNS servers which I got from [[https://servers.opennic.org/]]. However, the servers change regularly, so make sure you update the list.
To start unbound:
$ doas rcctl enable unbound
$ doas rcctl start unbound
To test if unbound is working:
$ dig @127.0.0.1 google.com
You should see something like this:
;; ANSWER SECTION:
google.com. 29 IN A 172.217.27.142
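As an added check that is not part of the original page: a small shell/awk lint that reads an unbound.conf and confirms it enforces the loopback-only listener and access-control policy set up above (it also flags duplicate forward-addr entries and a missing forward-zone). The sample configs are constructed here for demonstration; the function name audit_unbound_conf and the 192.0.2.53 forwarder are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: lint an unbound.conf for the
# loopback-only policy above; prints findings, returns 0 if it holds, else 1.
audit_unbound_conf() {
    awk '
        BEGIN { bad = 0 }
        # drop comments and indentation so "interface:" etc. land in $1
        { sub(/#.*/, ""); sub(/^[ \t]+/, "") }
        $1 == "interface:" {
            n_if++
            if ($2 != "127.0.0.1" && $2 != "::1") { print "listener is not loopback: " $2; bad = 1 }
        }
        $1 == "access-control:" { acl[$2] = $3 }
        $1 == "forward-addr:" { n_fwd++; if ($2 in seen) print "duplicate forward-addr: " $2; seen[$2] = 1 }
        END {
            if (n_if == 0) print "no interface: lines found"
            if (acl["0.0.0.0/0"] != "refuse")  { print "0.0.0.0/0 is not refused"; bad = 1 }
            if (acl["::0/0"] != "refuse")      { print "::0/0 is not refused"; bad = 1 }
            if (acl["127.0.0.0/8"] != "allow") { print "127.0.0.0/8 is not allowed"; bad = 1 }
            if (acl["::1"] != "allow")         { print "::1 is not allowed"; bad = 1 }
            if (n_fwd == 0) print "no forward-addr: lines (unbound would recurse on its own)"
            exit bad
        }' "$1"
}
# Constructed sample configs; pass /var/unbound/etc/unbound.conf to audit the real file.
tmp=$(mktemp -d)
good_conf="$tmp/good.conf"; bad_conf="$tmp/bad.conf"
cat > "$good_conf" <<'EOF'
server:
    interface: 127.0.0.1
    interface: ::1
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::0/0 refuse
    access-control: ::1 allow
forward-zone:
    name: "."
    forward-addr: 192.0.2.53
EOF
# Listening on every address and open to the world: the misconfiguration to catch
cat > "$bad_conf" <<'EOF'
server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow
EOF
audit_unbound_conf "$good_conf" && echo "good.conf: loopback-only policy holds"
audit_unbound_conf "$bad_conf" || echo "bad.conf: policy violated"
```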