Unbound is a validating, recursive, and caching DNS resolver. Unbound is developed and currently maintained by NLnet Labs, a non-profit, public benefit foundation. It is based on the ideas and algorithms taken from a Java prototype developed by Verisign Labs, Nominet, Kirei, and ep.net. Unbound was released to the public in May 2008 under the BSD Licensing model which allows its use in other products without any major restrictions. In this article, we’ll discuss ten (10) reasons to use Unbound as a validating, recursive, and caching DNS service part of your Core Network Services (CNS) Infrastructure.
- Lightweight – Unbound was originally developed in C based from a Java prototype. Its authors wrote the source code to be very modular in design, and to be very lightweight. They wanted to design a solution that would be the smallest possible that would achieve the minimal requirements as a validator, resolver, and caching server. In addition to meeting these requirements, they wanted the server to achieve very high-performance. Unbound’s minimalistic design will be a recurring theme throughout the rest of this article.
- Easy to configure – Unbound is very easy to configure. It is configured through a configuration file that is quite like YAML (Yet Another Markup Language). There are not a great number of configuration directives needed to set up Unbound since the service has a relatively simple and single role.
Example 1 – minimal configuration for caching-only DNS
# unbound.conf for a local subnet. server: interface: 192.168.1.10 interface: FD00:2216:9203:2::4 access-control: 192.168.0.0/16 allow access-control: ::1 allow verbosity: 1
Example 2 – enabling DNSSEC validation
server: # chroot disabled here as example, to make pathnames work chroot: "" directory: "/etc/unbound" # trust anchors. In separate files, to be updated from cron. trust-anchor-file: "/etc/unbound/anchors/root.anchor" # ... more trust anchors trust-anchor-file: "/etc/unbound/anchors/br.anchor" trust-anchor-file: "/etc/unbound/anchors/se.anchor" trust-anchor-file: "/etc/unbound/anchors/bg.anchor" trust-anchor-file: "/etc/unbound/anchors/pr.anchor"
As you can see, it’s quite easy to set up and configure Unbound.
- High performance – Unbound’s lightweight code structure, simple and modular design contribute to making Unbound an extremely high-performing recursive name server. Initial benchmark testing has shown Unbound to offer up to 2x the performance over other name servers (with or without DNSSEC Validation enabled). Unbound essentially has two (2) modes of operation:
Threaded mode - uses the Libevent cross compiled wrapper library for added scalability
Forked mode - allows Unbound to operate unthreaded and forks separate processes
- Supports DNSSEC validation – Unbound was designed to perform DNSSEC validation, a mechanism to protect DNS data, from the ground up. DNSSEC validation is not implemented as a plug-in or bolt-on like some other DNS servers. It was designed integral to Unbound at its inception. This makes Unbound a higher performing solution than the others, because validation code was optimized in Unbound. Additional features for trust anchor management (RFC 5011) are in the works and that will only serve to enhance an already great product.
- Adds software diversity – Enterprise customers and ISPs can now introduce a proven and reliable alternative to BIND for providing a validating, recursive, caching-only layer of DNS servers with Unbound. Unbound introduces software diversity to the masses. BIND DNS is at the center of what has been termed a “monoculture”. Software diversity is good for the Internet, and it’s good for the ISP and Enterprise too. Software and code diversity allow us to mix different DNS vendor solutions to provide the same or better service. A bug in one vendor’s product will not likely be visible in the others.
- Production-Ready – surfnet.nl announced back in September 2009 that all SURFnet DNS resolvers were DNSSEC capable. Their implementation of DNSSEC validation relied on the Unbound DNS server package. Other major carriers and ISPs ( I cannot name for obvious reasons ), are about to deploy Unbound probably for all the same reasons stated in this blog post. If major carriers are starting to put Unbound into service for their customers, it makes sense that it's ready for the enterprise as well.
- Single-purpose – Because Unbound was coded to be a validating, recursive, and caching resolver, it doesn’t suffer from split- or dual personalities that other DNS server solutions do. Unbound is, for the most part, a single-purpose server. Since Unbound is not authoritative for data, the code and function becomes simplified. There is no code to support Dynamic DNS updates, or zone transfers, etc. Instead, this single purpose server is best-in-class at what it was coded to support: recursion, validation, and caching resolution.
- Security – Unbound has not skimped on DNS Security at the expense of simplicity and performance. On the contrary. Unbound is feature-rich with DNS Security with its harden-glue, access control, max randomness for query ID and ports, response scrubbing, case preservation, and Denial of Service or DoS protection features. These are just some of the features that make Unbound one of the most secure DNS server implementations.
- Manageability – Unbound has an extended management command line interface or CLI that provides remote management capabilities, as well as, an extensive set of network monitoring statistics. Unbound-control uses a secure connection from the client to the server running Unbound using Secure Sockets Layer or SSL. Commands are sent from the client and responses from the server are displayed as output. An additional CLI called, unbound-control-setup, is provided to assist in the OpenSSL shared keys and configuration directives for getting unbound-control operational. The statistics output can be used to “feed” known capacity planning tools such as Munin, or Cacti for graphing many of the different baseline and extended statistics that Unbound tracks.
- Portable solution – Unbound has been ported to run on a wide range of hardware OS platforms, including Linux, BSD, Solaris SPARC and X86, MacOS/X, and Windows. Windows 32-bit pre-compiled binary packages are available directly from NLnet Labs, or you can download the source package and compile it yourself.
http://www.unbound.net/ - The home of Unbound DNS
http://www.nlnetlabs.nl/ - The home of NLnet Labs
Unbound - Validating Caching Resolver Training materials - Wouter Wijngaards (NLnet Labs)