Here's how to use unbound as a local caching resolver (the paths and commands below are OpenBSD's, where unbound ships in the base system):
Edit /etc/resolv.conf so it queries localhost on port 53:

# Generated by age0 dhclient
nameserver 127.0.0.1
lookup file bind

The "lookup file bind" line keeps /etc/hosts ahead of DNS. Note the first line: dhclient wrote this file and will write it again on the next lease, replacing 127.0.0.1 with whatever nameservers the DHCP server hands out, so to make the change stick tell dhclient (in /etc/dhclient.conf) to supersede the domain-name-servers option it receives with 127.0.0.1.
Inside /var/unbound/etc/unbound.conf, you will see this at the top:

server:
	interface: 127.0.0.1
	interface: ::1

	# override the default "any" address to send queries; if multiple
	# addresses are available, they are used randomly to counter spoofing
	#outgoing-interface: 192.0.2.1
	#outgoing-interface: 2001:db8::53

	access-control: 0.0.0.0/0 refuse
	access-control: 127.0.0.0/8 allow
	access-control: ::0/0 refuse
	access-control: ::1 allow
The two interface: lines bind unbound to 127.0.0.1 and ::1 only (port 53 is the default), so it answers the resolv.conf above but is not reachable from the network at all.

Keep the access-control lines as well, as a second layer. unbound applies the most specific matching entry, so 127.0.0.0/8 allow and ::1 allow (everything that originates locally) override the blanket 0.0.0.0/0 refuse and ::0/0 refuse (all IPv4 and all IPv6). If an interface: line for a public address is ever added later, this ACL still stops the box from becoming an open resolver that anyone on the internet can use for DNS amplification.
Put this at the bottom of the file. It is a separate top-level clause, not a setting inside server:, so it starts at the left margin like server: does:
forward-zone:
	name: "."				# use for ALL queries
	forward-addr: 163.53.248.170
	forward-addr: 103.236.162.119
	forward-addr: 192.99.85.244
	forward-addr: 31.171.251.118
	forward-addr: 51.254.25.115
	forward-addr: 46.101.70.183
	forward-addr: 45.71.112.70
	forward-addr: 87.98.175.85
	forward-addr: 185.208.208.141
	forward-addr: 89.35.39.64
	forward-addr: 87.98.175.85
	forward-addr: 172.98.193.42
	forward-addr: 111.67.20.8
These are addresses of public resolvers taken from https://servers.opennic.org/. The servers change regularly, so keep the list current (the list above also lists 87.98.175.85 twice; unbound tolerates the duplicate, but you can drop it). Two things follow from forwarding everything to them: every query leaves the box in cleartext over UDP port 53 to volunteer-run servers, which therefore see your complete lookup history, and for zones that are not DNSSEC-signed you are taking their answers on trust. The stock OpenBSD unbound.conf enables DNSSEC validation (auto-trust-anchor-file), so unbound still validates what the forwarders return for signed zones, and a forged answer for such a zone fails validation and is returned as SERVFAIL rather than cached.
After editing, run unbound-checkconf so a syntax error is caught before you restart rather than by a resolver that fails to come up. Then enable and start unbound:

$ doas rcctl enable unbound
$ doas rcctl start unbound
To test if unbound is working:
$ dig @127.0.0.1 google.com
You should see an answer section like this (the TTL and address will differ):

;; ANSWER SECTION:
google.com.		29	IN	A	172.217.27.142

Also check that the header line reports status: NOERROR; a SERVFAIL means either no forwarder answered or DNSSEC validation failed. Run the same query a second time and the answer should come from cache: the TTL counts down and the reported Query time drops to about 0 msec.
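Because the forwarder list has to be refreshed by hand, here is a small helper that regenerates the forward-zone clause from a plain list of addresses, refuses anything that is not a valid IPv4 address, drops duplicates like the repeated 87.98.175.85 above, checks the resulting file with unbound-checkconf before swapping it in, and parses dig output for the A record the post tells you to look for. This is an added example, not the post's own script; the function names are mine, the sample input in the usage comments is constructed, and the paths assume OpenBSD (doas, rcctl, /var/unbound/etc/unbound.conf) as used above.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes OpenBSD paths and
# that the forward-zone clause is the last thing in unbound.conf, as above.

# Read forwarder addresses from stdin (one per line, '#' comments allowed),
# drop blank lines and duplicates, and reject anything that is not an IPv4
# dotted quad so a typo can never reach unbound.conf. First occurrence wins.
clean_forwarders() {
    sed -e 's/#.*//' |
    awk '
        NF == 0 { next }
        $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { bad($1); next }
        {
            n = split($1, o, ".")
            for (i = 1; i <= n; i++)
                if (length(o[i]) > 3 || o[i] + 0 > 255) { bad($1); next }
            if (!seen[$1]++) print $1
        }
        function bad(a) { print "skipping invalid forwarder: " a > "/dev/stderr" }'
}

# Emit a complete forward-zone clause for "." from the cleaned list.
# Exits 1 if nothing valid is left, so a bad list cannot silently produce
# a clause with no forwarders.
gen_forward_zone() {
    clean_forwarders | awk '
        BEGIN { print "forward-zone:"; print "\tname: \".\"\t# use for ALL queries" }
        { print "\tforward-addr: " $1; n++ }
        END { if (n == 0) { print "no valid forwarders" > "/dev/stderr"; exit 1 } }'
}

# Return 0 if dig output on stdin carries at least one A record in its
# ANSWER SECTION, i.e. the check behind "dig @127.0.0.1 google.com".
answered() {
    awk '
        /^;; ANSWER SECTION:/ { in_ans = 1; next }
        /^;;/                 { in_ans = 0 }
        in_ans && $4 == "A"   { found = 1 }
        END { exit !found }'
}

# Rebuild the clause from stdin, splice it onto everything above the current
# forward-zone clause, run unbound-checkconf on the candidate file, and only
# if that passes copy it into place and restart unbound.
install_forward_zone() {
    conf=/var/unbound/etc/unbound.conf
    new=$(mktemp) || return 1
    awk '/^forward-zone:/ { exit } { print }' "$conf" > "$new" &&
    gen_forward_zone >> "$new" &&
    doas unbound-checkconf "$new" &&
    doas cp "$new" "$conf" &&
    doas rcctl restart unbound
    rc=$?
    rm -f "$new"
    return $rc
}

# Usage (forwarders.txt is a constructed file, one address per line):
#   sh unbound-fwd.sh gen < forwarders.txt        # print the clause
#   sh unbound-fwd.sh install < forwarders.txt    # check, install, restart
#   dig @127.0.0.1 google.com | sh unbound-fwd.sh check
case "${1:-}" in
    gen)     gen_forward_zone ;;
    install) install_forward_zone ;;
    check)   answered && echo "resolver answered" ;;
esac
```

The validation step matters more than it looks: unbound refuses to start on a malformed config, and a resolver that is down takes every other service on the box with it, so the candidate file is checked while the running config is untouched.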