How to set up a DNS caching server using Unbound on Ubuntu

Introduction to Unbound

Unbound is a nice single purpose DNS caching solution when using something like Bind is just too heavy and just too much.

Unfortunately the Unbound website isn’t entirely clear on how to install an MVP version on Ubuntu so you have to scout the internet and use quite a bit of trial and error when setting up. The basics are simple: Install the problem, set access control to your specific networks or hosts, and Bob’s your uncle. Unfortunately this doesn’t seem to work with the basic configuration and this isn’t clear in the Unbound documentation.

This article show how to install it on Ubuntu and has a working example configuration file and show a caveat or two when using this software.


apt install unbound

Check if it’s running (caveat #1, it will be running the 1st time, but not the 2nd time):

# service unbound status
● unbound.service - Unbound DNS server
Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2023-10-23 05:55:17 UTC; 11s ago
Tasks: 1 (limit: 1102)
Memory: 8.4M
CPU: 65ms
Oct 23 05:55:17 unbound1 systemd[1]: Starting Unbound DNS server...
Oct 23 05:55:17 unbound1 package-helper[1152]: /var/lib/unbound/root.key does not exist, copying from /usr/share/dns/root.key

At first attempt Unbound is running. Now to configuration.

File locations

Unbound has it’s configuration in /etc/unbound. Furthermore unbound includes configuration further down in /etc/unbound/unbound.conf.d by way of this line in /etc/unbound/unbound.conf:

include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"

Basic Configuration File

port: 53
access-control: allow

But when you restart it using service unbound restart, then suddenly there is no service and not idea why either (cat /var/log/syslog):

Oct 23 06:13:05 unbound1 unbound[2187]: [1698041585] unbound[2187:0] error: can't bind socket: Address already in use for port 53
Oct 23 06:13:05 unbound1 unbound[2187]: [1698041585] unbound[2187:0] fatal error: could not open ports

The problem with a default Ubuntu installation is it already has a default resolver running on port 53. When you first start Unbound without any configuration, these two apparently co-exist quite well. The problem is when you do a basic configuration might run into a problem.

You can what’s already running on port 53 this doing this:

# sudo netstat -tulpn | grep 53
tcp 0 0* LISTEN 520/systemd-resolve
tcp 0 0* LISTEN 1156/unbound
tcp 0 0* LISTEN 1156/unbound
tcp6 0 0 ::1:8953 :::* LISTEN 1156/unbound
tcp6 0 0 ::1:53 :::* LISTEN 1156/unbound
udp 0 0* 1156/unbound
udp 0 0* 520/systemd-resolve
udp6 0 0 ::1:53 :::* 1156/unbound

If you don’t have netstat then apt install net-tools.

Getting rid of Ubuntu’s resolver

If you want to get rid of Ubuntu’s resolver, do this:

systemctl stop systemd-resolved.service
systemctl disable systemd-resolved.service

A more advanced configuration file

Here is a more advanced configuration file:

port: 53
verbosity: 0
num-threads: 2
outgoing-range: 512
num-queries-per-thread: 1024
msg-cache-size: 32m
rrset-cache-size: 64m
cache-max-ttl: 86400
infra-host-ttl: 60
infra-lame-ttl: 120
access-control: allow
username: unbound
directory: "/etc/unbound"
logfile: "/var/log/unbound.log"
use-syslog: yes
hide-version: yes
so-rcvbuf: 4m
so-sndbuf: 4m
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes
control-enable: yes
control-port: 953

Problems with so-rcvbuf and so-sndbuf

However, running this will present this issue:

warning: so-rcvbuf 4194304 was not granted. Got 425984. To fix: start with root permissions(linux) or sysctl bigger net.core.rmem_max(linux) or kern.ipc.maxsockbuf(bsd) values.

The issue is so-rcvbuf want 4194304 and only got 425984. In more human readable language the send buffer want 4 megabytes but it’s only getting 416 kilobytes.

This fix is:

sysctl -w net.core.rmem_max=4194304

The next problem is this:

warning: so-sndbuf 4194304 was not granted. Got 425984. To fix: start with root permissions(linux) or sysctl bigger net.core.wmem_max(linux) or kern.ipc.maxsockbuf(bsd) values.

This fix is:

sysctl -w net.core.wmem_max=4194304

Note: These values must be persisted in /etc/sysctl.conf

error: Could not open logfile /var/log/unbound.log: Permission denied

One would think something like  or touch /var/log/unbound.log and chown unbound:unbound would work, but uh-uh. Next one would think may it should be chmod 644 but also no go. The problem is more complex and seen by this:

1 processes are in enforce mode.
/usr/sbin/unbound (3495)

Next one would think this will solve the problem:

systemctl stop apparmor

Nope, you have to do this:

vim /etc/apparmor.d/local/usr.sbin.unbound

Then add this:

# Site-specific additions and overrides for usr.sbin.unbound.
# For more details, please see /etc/apparmor.d/local/README.
/var/log/unbound/unbound.log rw,

Then this:

apparmor_parser -r /etc/apparmor.d/usr.sbin.unbound 
service unbound restart

Yay! Finally a working log file.

Happy DNS’sing and leave us a comment if you have a comment.

Share this article

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to Top