Docker image for Unbound, a validating, recursive, and caching DNS resolver.
Tip
Want to be notified of new releases? Check out the Diun (Docker Image Update Notifier) project!
- Run as non-root user
- Latest Unbound release compiled from source
- Bind to unprivileged port
- Multi-platform image
git clone https://github.com/crazy-max/docker-unbound.git
cd docker-unbound
# Build image and output to docker (default)
docker buildx bake
# Build multi-platform image
docker buildx bake image-all

| Registry | Image |
|---|---|
| Docker Hub | crazymax/unbound |
| GitHub Container Registry | ghcr.io/crazy-max/unbound |
The following platforms are available for this image:
$ docker buildx imagetools inspect crazymax/unbound --format "{{json .Manifest}}" | \
jq -r '.manifests[] | select(.platform.os != null and .platform.os != "unknown") | .platform | "\(.os)/\(.architecture)\(if .variant then "/" + .variant else "" end)"'
linux/amd64
linux/arm/v6
linux/arm/v7
linux/arm64
linux/ppc64le
linux/s390x
/config: Additional configuration files
5053/tcp 5053/udp: DNS listening port
Docker compose is the recommended way to run this image. You can use the following docker compose template, then run the container:
docker compose up -d
docker compose logs -f
You can also use the following minimal command:
docker run -d -p 5053:5053/tcp -p 5053:5053/udp --name unbound crazymax/unbound
Note that a bare -p 5053:5053 publishes TCP only; DNS clients mostly use UDP, so both protocols have to be published.
Recreate the container whenever I push an update:
docker compose pull
docker compose up -d
When Unbound is started, the main configuration /etc/unbound/unbound.conf is imported.
If you want to override settings from the main configuration, create config
files (with a .conf extension) in the /config folder.
The packaged configuration sets so-sndbuf: 0 so Unbound uses the kernel
default socket send buffer size. This avoids the common warning about a
requested 4194304 byte send buffer not being granted when the container is
running without elevated kernel socket limits. If you need a larger buffer, set
so-sndbuf explicitly in /config and raise the host limit accordingly.
For example, to forward everything this resolver cannot answer from its own cache
to a public DNS server over TLS, create a new configuration file named
/config/forward-records.conf:
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # cloudflare-dns.com
    forward-addr: 1.1.1.1@853
    forward-addr: 1.0.0.1@853
    #forward-addr: 2606:4700:4700::1111@853
    #forward-addr: 2606:4700:4700::1001@853
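forward-tls-upstream: yes only encrypts the connection to the upstream. Unbound verifies the upstream's certificate only when tls-cert-bundle points at a CA store and each forward-addr carries an authentication name after a # (for example 1.1.1.1@853#cloudflare-dns.com); without the name, a machine-in-the-middle with any certificate could answer. The script below is an added example, not code from the docker-unbound project: it writes a forward-records.conf with both settings and refuses any upstream that lacks an authentication name. The CA bundle path and the gen_forward_conf function name are assumptions made here; check where the image stores its certificates before relying on the path.

```shell
#!/bin/sh
# Added example (not from the docker-unbound project): write a forward-zone
# that both encrypts and authenticates the DNS-over-TLS upstream.
# Assumptions: the CA bundle lives at the path below inside the container
# (adjust if the image stores it elsewhere); gen_forward_conf is a name
# chosen here, not an Unbound or project command.
set -eu

CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"  # assumed path

# gen_forward_conf ZONE UPSTREAM...  -> Unbound config on stdout
# Each UPSTREAM must be ip@port#authname, e.g. 1.1.1.1@853#cloudflare-dns.com.
# Without the #authname Unbound encrypts but does not verify the server name,
# so such entries are rejected rather than silently written.
gen_forward_conf() {
  zone="$1"
  shift
  if [ "$#" -eq 0 ]; then
    echo 'error: at least one upstream is required' >&2
    return 1
  fi
  # Validate every upstream before emitting anything, so a bad argument
  # leaves no half-written file behind.
  for up in "$@"; do
    case "$up" in
      *@*#?*) ;;
      *) printf 'error: %s lacks an @port#authname suffix\n' "$up" >&2
         return 1 ;;
    esac
  done
  printf 'server:\n    tls-cert-bundle: "%s"\n\n' "$CA_BUNDLE"
  printf 'forward-zone:\n    name: "%s"\n    forward-tls-upstream: yes\n' "$zone"
  for up in "$@"; do
    printf '    forward-addr: %s\n' "$up"
  done
}

# Usage:
#   sh gen-forward.sh . "1.1.1.1@853#cloudflare-dns.com" "1.0.0.1@853#cloudflare-dns.com" \
#     > config/forward-records.conf
if [ "$#" -gt 0 ]; then
  gen_forward_conf "$@"
fi
```

If the image's main configuration already sets tls-cert-bundle, the extra server: clause is harmless; if it does not, the clause is what makes the authentication name effective. Restart the container afterwards, as for any change under /config.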
Complete documentation of the Unbound configuration can be found on the NLnet Labs website: https://nlnetlabs.nl/documentation/unbound/unbound.conf/
Warning
The container has to be restarted for configuration changes to take effect.
This image already embeds a root trust anchor to perform DNSSEC validation.
If you want to fetch a fresh copy of the root trust anchor yourself, you can use unbound-anchor,
which is available in this image:
docker run -t --rm --entrypoint "" -v "$(pwd):/trust-anchor" crazymax/unbound:latest \
unbound-anchor -v -a "/trust-anchor/root.key"
unbound-anchor signals its result unusually: it exits with status 1 when it had to create or update the key file from its built-in certificate and 0 when the file was already current, so check the -v output rather than treating a non-zero exit as a failure.
If you want to use your own root trust anchor, you can create a new config file
called for example /config/00-trust-anchor.conf:
auto-trust-anchor-file: "/root.key"
Note
See the Unbound documentation for more info about the auto-trust-anchor-file setting.
Unbound rewrites this file when it tracks RFC 5011 key rollovers, so the mounted root.key must be writable by the non-root user the container runs as; a read-only mount disables automatic updates.
And bind mount the key:
services:
  unbound:
    image: crazymax/unbound
    container_name: unbound
    ports:
      - target: 5053
        published: 5053
        protocol: tcp
      - target: 5053
        published: 5053
        protocol: udp
    volumes:
      - "./config:/config"
      - "./root.key:/root.key"
    restart: always
The cache DB module is already configured in the module-config directive and compiled into the daemon.
You just need to create a new Redis service with persistent storage enabled in your compose file alongside the Unbound one.
services:
  redis:
    image: redis:6-alpine
    container_name: unbound-redis
    command: redis-server --save 60 1
    volumes:
      - "./redis:/data"
    restart: always
  unbound:
    image: crazymax/unbound
    container_name: unbound
    depends_on:
      - redis
    ports:
      - target: 5053
        published: 5053
        protocol: tcp
      - target: 5053
        published: 5053
        protocol: udp
    volumes:
      - "./config:/config:ro"
    restart: always
Then declare the backend configuration that points Unbound at this Redis instance, for example in
/config/cachedb.conf:
cachedb:
    backend: "redis"
    secret-seed: "default"
    redis-server-host: redis
    redis-server-port: 6379
Replace secret-seed with a private random string: it salts the keys under which answers are stored in Redis, and every Unbound instance sharing the backend must use the same value. Keep the Redis service unpublished, as in the compose file above, since anyone who can write to Redis can plant answers that Unbound will then serve from its cache.
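Whichever of the configurations above you use (forwarders, a custom trust anchor, the Redis cache), it is worth confirming that the resolver is still validating DNSSEC: a correctly signed name should come back NOERROR with the AD flag set, and a deliberately mis-signed name such as dnssec-failed.org should SERVFAIL. If the bogus name resolves and signed names come back without AD, answers are flowing but nothing is being checked. The script below is an added example, not code from the docker-unbound project. It assumes dig is installed on the host, that the container is published on 127.0.0.1:5053 as above, that nlnetlabs.nl remains a signed zone and dnssec-failed.org a deliberately broken one; the SAMPLE_* strings are constructed dig headers so the parsing can be exercised without a running container.

```shell
#!/bin/sh
# Added example, not part of the docker-unbound project: decide from dig output
# whether the resolver published on 127.0.0.1:5053 is really DNSSEC-validating.
# Assumptions: dig is installed on the host; nlnetlabs.nl stays a signed zone;
# dnssec-failed.org stays deliberately mis-signed. The SAMPLE_* strings are
# constructed dig headers so the parsing can be exercised offline.
set -eu

RESOLVER="${RESOLVER:-127.0.0.1}"
PORT="${PORT:-5053}"

# dig_status OUTPUT -> prints the response status (NOERROR, SERVFAIL, ...)
dig_status() {
  printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# dig_has_ad OUTPUT -> succeeds if the AD (authenticated data) flag is present
dig_has_ad() {
  printf '%s\n' "$1" | grep -q '^;; flags:.*[[:space:]]ad[[:space:];]'
}

# validate_verdict SIGNED_OUTPUT BOGUS_OUTPUT -> validating | not-validating | unexpected
#   SIGNED_OUTPUT is the answer for a correctly signed name (expect NOERROR + AD),
#   BOGUS_OUTPUT  is the answer for a mis-signed name      (expect SERVFAIL, no AD).
validate_verdict() {
  signed_status=$(dig_status "$1")
  bogus_status=$(dig_status "$2")
  if [ "$signed_status" = "NOERROR" ] && dig_has_ad "$1" \
     && [ "$bogus_status" = "SERVFAIL" ] && ! dig_has_ad "$2"; then
    echo validating
  elif [ "$signed_status" = "NOERROR" ] && ! dig_has_ad "$1" \
       && [ "$bogus_status" = "NOERROR" ]; then
    echo not-validating   # answers flow, but nothing is being checked
  else
    echo unexpected       # e.g. SERVFAIL on the good name: check the container logs
  fi
}

# live_check -> runs the two queries against the container and prints the verdict
live_check() {
  signed=$(dig +dnssec @"$RESOLVER" -p "$PORT" nlnetlabs.nl A 2>&1 || true)
  bogus=$(dig +dnssec @"$RESOLVER" -p "$PORT" dnssec-failed.org A 2>&1 || true)
  validate_verdict "$signed" "$bogus"
}

# Constructed sample headers (abridged dig output, not captured from a real run).
SAMPLE_SIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Usage: sh check-dnssec.sh --live   (otherwise only the offline sample is judged)
if [ "${1:-}" = "--live" ]; then
  live_check
else
  validate_verdict "$SAMPLE_SIGNED" "$SAMPLE_BOGUS"
fi
```

Run it with --live after every restart that follows a change under /config. An "unexpected" verdict with SERVFAIL on the good name usually means the resolver cannot reach its upstreams or the trust anchor file is unusable; the container logs will say which.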
Want to contribute? Awesome! The most basic way to show your support is to star the project, or to raise issues. You can also support this project by becoming a sponsor on GitHub or by making a PayPal donation to ensure this journey continues indefinitely!
Thanks again for your support, it is much appreciated!
MIT. See LICENSE for more details.
