Unbound on Windows: how I installed it, how I configure it, and why I choose it over AdGuard Home and Technitium

Introduction

In my infrastructure, I decided to deploy Unbound as the primary DNS resolver on Windows,
prioritizing true recursion, privacy, full control over DNS resolution flow, and a minimal attack surface.

I evaluated widely used solutions such as AdGuard Home and Technitium DNS, but after an in-depth technical analysis I concluded
that Unbound is superior when the objective is a native, clean DNS resolver without unnecessary intermediaries.

In this document, I describe my complete configuration and explain why I ruled out other alternatives.


What Unbound Is from a Technical Perspective

Unbound is a validating recursive DNS resolver that:

  • Implements DNS RFCs in a strict and standards-compliant manner
  • Queries root servers directly
  • Performs native DNSSEC validation
  • Does not rely on upstream resolvers by design
  • Is optimized for performance and security

For me, Unbound is not a filter, not a proxy, and not a web interface. It is a pure DNS resolver, and that is precisely what I require.


Base Unbound Configuration

Configuration file:
C:\Program Files\Unbound\service.conf

server:
  # Listen on every IPv4 address. The access-control lines are what keep this from being an
  # open resolver: any source not listed is refused (Unbound's default for unlisted networks).
  interface: 0.0.0.0
  port: 53

  access-control: 127.0.0.0/8 allow
  access-control: 192.168.1.0/24 allow

  verbosity: 1
  do-ip4: yes
  do-ip6: no
  do-udp: yes
  do-tcp: yes

  # Cache-poisoning hardening: discard out-of-bailiwick glue, treat missing DNSSEC data in a
  # signed zone as bogus, cross-check delegations, and randomise query-name case (0x20) so a
  # forged reply must also guess the casing.
  harden-glue: yes
  harden-dnssec-stripped: yes
  harden-referral-path: yes
  use-caps-for-id: yes

  # Send each server only the labels it needs to delegate (RFC 9156) and synthesise
  # NXDOMAIN answers from cached NSEC records (RFC 8198).
  qname-minimisation: yes
  aggressive-nsec: yes

  # Refresh popular records and DNSKEYs shortly before they expire.
  prefetch: yes
  prefetch-key: yes

  # cache-min-ttl overrides the authoritative TTL: a record published with a TTL under 300 s
  # (failover names, CDN rotations) is served stale for up to five minutes.
  cache-min-ttl: 300
  cache-max-ttl: 86400

  rrset-roundrobin: yes

  root-hints: "C:/Program Files/Unbound/root.hints"
  # Unbound rewrites this file when it tracks an RFC 5011 key rollover, so the account the
  # service runs under must be able to write it; otherwise rollover tracking silently stops.
  auto-trust-anchor-file: "C:/Program Files/Unbound/root.key"
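
Applying this file is where most mistakes surface, so here is the PowerShell I run after every edit. It is an added example written for this page, not a script shipped with Unbound: it rejects the file if unbound-checkconf does not accept it, restarts the service, adds a Windows Firewall rule so that port 53 is reachable only from the LAN (the access-control lines refuse other clients at the DNS layer; the firewall refuses them at the packet filter, which only matters when the profile's default inbound action is Block, as it is by default), lists what the service actually bound, and checks that it answers. Assumed, because the page does not state them: the install directory C:\Program Files\Unbound containing unbound-checkconf.exe from the Windows package, the service name "unbound" as registered by the NLnet Labs installer, the LAN 192.168.1.0/24 from the access-control lines, and a Windows version with the NetTCPIP and NetSecurity modules.

```powershell
# Apply-UnboundConfig.ps1 -- check service.conf, restart Unbound, pin port 53 to the LAN, verify.
# Added example, not from the Unbound project. Paths, service name and LAN are assumptions.
$UnboundDir = 'C:\Program Files\Unbound'
$Conf       = Join-Path $UnboundDir 'service.conf'
$Lan        = '192.168.1.0/24'

function Test-UnboundConfig {
    # unbound-checkconf parses the file and names the offending line on an unknown option
    # or bad value; a non-zero exit code means the service would fail to start with it.
    & (Join-Path $UnboundDir 'unbound-checkconf.exe') $Conf
    return ($LASTEXITCODE -eq 0)
}

function Set-UnboundFirewallRules {
    # Defence in depth for "interface: 0.0.0.0". Rules of the same name are replaced first so
    # the script is idempotent; one rule per transport because Unbound serves UDP and TCP.
    $name = 'Unbound DNS (LAN only)'
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    foreach ($proto in 'UDP', 'TCP') {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
            -Protocol $proto -LocalPort 53 -RemoteAddress $Lan, '127.0.0.1' `
            -Program (Join-Path $UnboundDir 'unbound.exe') | Out-Null
    }
}

function Get-UnboundListeners {
    # What the service really bound, as seen by the OS rather than by the config file.
    $proc = Get-Process -Name unbound -ErrorAction Stop
    $udp = Get-NetUDPEndpoint -OwningProcess $proc.Id | Where-Object LocalPort -eq 53 |
        Select-Object @{ n = 'Proto'; e = { 'UDP' } }, LocalAddress, LocalPort
    $tcp = Get-NetTCPConnection -OwningProcess $proc.Id -State Listen | Where-Object LocalPort -eq 53 |
        Select-Object @{ n = 'Proto'; e = { 'TCP' } }, LocalAddress, LocalPort
    @($udp) + @($tcp)
}

function Test-UnboundAnswers {
    # -DnsOnly skips the hosts file and the Windows client cache, so a positive result
    # really came from the resolver on 127.0.0.1. SERVFAIL surfaces as a terminating error.
    $answer = Resolve-DnsName -Name 'example.com' -Type A -Server 127.0.0.1 -DnsOnly -ErrorAction Stop
    return (@($answer | Where-Object Type -eq 'A').Count -gt 0)
}

if (-not (Test-UnboundConfig)) { throw 'service.conf rejected by unbound-checkconf; service not restarted' }
Restart-Service -Name unbound -ErrorAction Stop
Set-UnboundFirewallRules
Get-UnboundListeners | Format-Table -AutoSize
if (Test-UnboundAnswers) { 'Unbound answers on 127.0.0.1' } else { throw 'No A record returned' }
```

Run it from an elevated PowerShell, since both the service restart and the firewall rule need administrator rights. If Get-UnboundListeners shows 0.0.0.0:53 on a machine that also has a public-facing interface, that is the moment to replace interface: 0.0.0.0 with the specific LAN and loopback addresses rather than rely on the firewall alone.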

Full Recursive Mode (No Upstreams)

This is the default mode I use and the one I recommend. In this configuration, no
forward-zone is defined.

What Happens Internally

  • Unbound asks the root servers (from root.hints) for the TLD, the TLD servers for the delegation, and then the zone's own authoritative servers for the answer
  • With qname-minimisation enabled, each of those servers sees only the labels it needs to delegate, not the full name being looked up
  • Answers from signed zones are validated against the root trust anchor; an answer that fails validation is returned as SERVFAIL rather than passed on, and everything that validates (or is unsigned) is cached locally

Technical Advantages

  • Privacy: no single third-party resolver sees my complete query log; each authoritative server sees only the queries for its own zone
  • Independence: I do not depend on Google, Cloudflare, or other providers, nor on their filtering and logging policies
  • Resilience: there is no single forwarder whose outage or rate limiting takes resolution down; the root and TLD servers are anycast and heavily redundant

Use of Classic Upstreams (UDP / TCP)

In restrictive networks or environments where access to the root servers is not possible
(outbound port 53 to the Internet blocked, a corporate network that only passes its own DNS),
I fall back to traditional DNS forwarders:

forward-zone:
  name: "."
  forward-addr: 8.8.8.8
  forward-addr: 1.1.1.1

This option sacrifices independence, and every query now crosses the network in cleartext to a
provider that sees my full query log. Unbound still performs DNSSEC validation itself, since both
forwarders return the RRSIG and NSEC records it requests, so a forwarder cannot hand it a forged
answer for a signed zone without that answer being rejected.


DNS-over-TLS (DoT)

When encryption is required without adding another process, I use DNS-over-TLS, which Unbound speaks natively:

server:
  # Without a CA store Unbound still encrypts the connection but cannot verify the server
  # certificate, and the name after '#' is then not checked. tls-system-cert uses the
  # Windows certificate store; tls-cert-bundle: "path/to/ca-bundle.pem" is the alternative.
  tls-system-cert: yes

forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 1.1.1.1@853#cloudflare-dns.com
  forward-addr: 9.9.9.9@853#dns.quad9.net

Queries to the forwarder then travel inside TLS, and the name after # is matched against the
server certificate. That match only happens when Unbound has a CA store to build the chain from;
with forward-tls-upstream alone the channel is encrypted but the upstream is not authenticated,
which leaves it open to an on-path impersonator presenting any certificate at all.
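
To confirm that the authentication actually happens, here is an added PowerShell check (my example for this page, not code from Unbound) that performs the same handshake Unbound performs for forward-tls-upstream, using the Windows certificate store that tls-system-cert: yes relies on: it connects to the forwarder on 853, sends the auth name as SNI, and lets .NET validate the chain and the hostname. Run it with the real name and then with a deliberately wrong one; if the wrong name also passes, the store or the check is broken and the #auth-name in service.conf is not buying anything. The addresses and names are the ones in the configuration above; nothing else is assumed.

```powershell
# Test-DotUpstream -- the TLS handshake and certificate check behind forward-tls-upstream,
# done independently so a bad auth name or broken chain is found before it goes into service.conf.
# Added example, not from the Unbound project.
function Test-DotUpstream {
    param(
        [Parameter(Mandatory)][string]$Address,    # forward-addr IP
        [Parameter(Mandatory)][string]$AuthName,   # the part after '#' in forward-addr
        [int]$Port = 853
    )
    $result = [ordered]@{ Upstream = "${Address}:${Port}"; AuthName = $AuthName; Authenticated = $false }
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.ReceiveTimeout = 5000
        $tcp.Connect($Address, $Port)
        # Default validation callback: chain built from the Windows store, hostname matched
        # against $AuthName, which is also what goes out as SNI.
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false
        $ssl.AuthenticateAsClient($AuthName)      # throws on any chain or hostname failure
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $ssl.RemoteCertificate
        $result.Authenticated = $true
        $result.Protocol      = $ssl.SslProtocol
        $result.Subject       = $cert.Subject
        $result.NotAfter      = $cert.NotAfter
        $result.Thumbprint    = $cert.Thumbprint
    } catch {
        # Keep the reason: "remote certificate is invalid", name mismatch, connection refused...
        $result.Error = $_.Exception.GetBaseException().Message
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
    [pscustomobject]$result
}

# Expected: Authenticated=True for the two real pairings, False for the mismatched name,
# because 1.1.1.1 does not present a certificate valid for dns.quad9.net.
Test-DotUpstream -Address 9.9.9.9 -AuthName dns.quad9.net
Test-DotUpstream -Address 1.1.1.1 -AuthName cloudflare-dns.com
Test-DotUpstream -Address 1.1.1.1 -AuthName dns.quad9.net
```

The NotAfter and Thumbprint fields are worth recording: if a forwarder's certificate is replaced by one that chains to an unexpected CA, the next run shows it, which is the closest Unbound's configuration gets to pinning.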


DNS-over-HTTPS (DoH)

Unbound does not speak DoH to its upstreams (since 1.12.0 it can serve DoH to its own clients, but it cannot forward over HTTPS), which I consider a sound design decision.

When DoH is required, I use a modular architecture:

Unbound → cloudflared (or dnscrypt-proxy) → DoH provider

(stubby speaks DNS-over-TLS, not DoH, so it belongs with the previous section, not here)

server:
  # Unbound refuses to send queries to loopback addresses unless this is switched off,
  # so a forward-addr of 127.0.0.1 silently fails without it.
  do-not-query-localhost: no

forward-zone:
  name: "."
  forward-addr: 127.0.0.1@5053

The stub is started on that port, for cloudflared with: cloudflared proxy-dns --port 5053 --upstream https://1.1.1.1/dns-query

This approach keeps Unbound focused exclusively on DNS resolution, and it moves the HTTP/2 and TLS client code, the larger attack surface of the two, into a separate process that only ever talks to loopback on one side.
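
As an added check (my own example for this page, not code from Unbound or cloudflared), the following PowerShell probe sends a raw DNS query and reads back the two header bits that Resolve-DnsName does not expose: the RCODE and the AD (Authenticated Data) flag. It serves two passages at once. It verifies the claim in the recursive-mode section that answers are DNSSEC-validated (AD set for a signed zone, SERVFAIL for a zone whose signatures are deliberately broken), and, pointed at port 5053, it talks to the DoH stub directly, which separates a dead stub from a misconfigured forward-zone. Assumed, because the page does not state them: Unbound on 127.0.0.1:53, the stub on 127.0.0.1:5053, nlnetlabs.nl as an example of a correctly signed zone and dnssec-failed.org as the published test zone with broken signatures.

```powershell
# Send-DnsProbe -- minimal UDP DNS client returning RCODE, AD flag and answer count.
# Added example, not from the Unbound project. Test zone names are assumptions.
function Send-DnsProbe {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Server = '127.0.0.1',
        [int]$Port = 53,
        [ValidateSet('A', 'AAAA', 'NS', 'SOA', 'TXT', 'DNSKEY')][string]$Type = 'A',
        [int]$TimeoutMs = 3000
    )
    $qtypes = @{ A = 1; NS = 2; SOA = 6; TXT = 16; AAAA = 28; DNSKEY = 48 }
    $id  = Get-Random -Minimum 1 -Maximum 65536
    $msg = New-Object System.Collections.Generic.List[byte]
    # Header: ID, flags 0x0120 = RD (recursion desired) + AD (ask a validating resolver to
    # report validation status, RFC 6840 section 5.7), QDCOUNT=1, AN/NS/ARCOUNT=0
    $msg.AddRange([byte[]]@(($id -shr 8), ($id -band 0xFF), 0x01, 0x20, 0, 1, 0, 0, 0, 0, 0, 0))
    # Question: length-prefixed labels, root terminator, QTYPE, QCLASS=IN
    foreach ($label in $Name.TrimEnd('.').Split('.')) {
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($label)
        $msg.Add([byte]$bytes.Length)
        $msg.AddRange($bytes)
    }
    $msg.AddRange([byte[]]@(0, 0, $qtypes[$Type], 0, 1))

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        [void]$udp.Send($msg.ToArray(), $msg.Count, $Server, $Port)
        $remote = New-Object System.Net.IPEndPoint -ArgumentList ([System.Net.IPAddress]::Any), 0
        $resp = $udp.Receive([ref]$remote)
    } catch {
        # Timeout or port unreachable: report it so a batch of probes keeps going
        return [pscustomobject]@{ Name = $Name; Server = "${Server}:${Port}"; Rcode = 'NO RESPONSE'
                                  AD = $false; Answers = 0; Error = $_.Exception.GetBaseException().Message }
    } finally { $udp.Close() }

    if ($resp.Length -lt 12 -or ((($resp[0] -shl 8) -bor $resp[1]) -ne $id)) {
        throw "Malformed or ID-mismatched response from ${Server}:${Port}"
    }
    $rcodes = @{ 0 = 'NOERROR'; 1 = 'FORMERR'; 2 = 'SERVFAIL'; 3 = 'NXDOMAIN'; 5 = 'REFUSED' }
    $rc = $resp[3] -band 0x0F
    $rcodeName = if ($rcodes.ContainsKey($rc)) { $rcodes[$rc] } else { "RCODE$rc" }
    [pscustomobject]@{
        Name    = $Name
        Server  = "${Server}:${Port}"
        Rcode   = $rcodeName
        AD      = (($resp[3] -band 0x20) -ne 0)      # set only when the resolver validated the answer
        Answers = ($resp[6] -shl 8) -bor $resp[7]
        Error   = $null
    }
}

# Against a validating Unbound: NOERROR with AD=True for the signed zone, SERVFAIL for the
# broken one. If the broken zone resolves with NOERROR, validation is not happening.
Send-DnsProbe -Name nlnetlabs.nl
Send-DnsProbe -Name dnssec-failed.org
# The same probe straight at the DoH stub, bypassing Unbound: proves the stub is up and
# answering before blaming forward-zone or do-not-query-localhost.
Send-DnsProbe -Name example.com -Port 5053
```

Reading AD directly matters because a SERVFAIL on its own only proves that something failed; AD=True on a known-signed name proves that the answer was validated, which is what the auto-trust-anchor-file line is there for.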


Use of Quad9

In some scenarios, I use Quad9 due to its strong focus on privacy and security. Two things to keep in mind: 9.9.9.9 is Quad9's filtered service, which answers NXDOMAIN for domains on its malware blocklist (9.9.9.10 is the unfiltered equivalent), and the tls-system-cert setting from the DoT section is needed here as well, or the auth names below are not checked:

forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 9.9.9.9@853#dns.quad9.net
  forward-addr: 149.112.112.112@853#dns.quad9.net

Why I Do Not Use AdGuard Home

  • It is not a true recursive resolver; it primarily operates as a DNS proxy
  • It relies on external upstreams in most deployments
  • It combines DNS resolution and filtering within the same process
  • It introduces unnecessary complexity for a primary DNS resolver

From my perspective, ad blocking should be implemented as a separate layer, not as part of the DNS resolver itself.


Why I Do Not Use Technitium DNS

  • It is a very comprehensive solution, but excessively heavy for pure DNS resolution
  • Recursive resolution is not the primary focus of its design
  • It introduces too many layers and abstractions
  • It increases both attack surface and operational complexity

I prefer a tool that performs a single task and performs it correctly.


Conclusion

I chose Unbound because I require a recursive, validating, independent, and minimalist DNS resolver.
I am not looking for flashy interfaces or additional features, only a correctly implemented DNS stack.

Unbound delivers exactly that.