# Simple unwind drop-in replacement for unbound

ideal for tiny routers
unbound(8) is a validating DNS resolver with a complex configuration, well suited to a datacenter.
unwind(8) is a simple validating DNS resolver wizard.
It's time to unwind.
relayd(8) forwards DNS traffic between a client and unwind(8), rewriting the request IDs in the DNS header to unpredictable values.
unwind(8) then queries its own recursor, a DoT forwarder, or an authoritative nameserver.
- lightweight
- fast
- simple configuration
- sane defaults
- best practice recursor
- automatic cache
- efficient blocking list
- residential home.arpa network support
## Include and configure pf.conf.unwinder

```sh
pfctl -f /etc/pf.conf
```

## Install and configure myname
## Install and configure nsd.conf

## Install and configure the master zones

```sh
nsd-control-setup
rcctl restart nsd
```

## Install and configure the unwind-block list fetcher and daily.local updates
```sh
echo badexample.com > /var/db/unwind-block.txt.local
/usr/local/bin/unwind-block > /var/db/unwind-block.txt
```

## Install and configure the unwind-unblock exceptions and daily.local updates
```sh
echo example.com > /var/db/unwind-unblock.txt
/usr/local/bin/unwind-unblock > /var/db/unwind-block.txt.clean
mv /var/db/unwind-block.txt.clean /var/db/unwind-block.txt
```

## Install and configure the egress interface
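The two list steps above build /var/db/unwind-block.txt from a fetched list, a local list and an exceptions file. The script below is an added example, not the project's own unwind-block or unwind-unblock tools: it performs the same merge-then-except pass in plain sh(1) and awk(1) on constructed sample lists. It assumes one hostname per line with `#` comments, and it additionally releases subdomains of an unblocked name (the page does not say unwind-unblock does that); it also handles the awk pitfall of an empty exceptions file.

```sh
#!/bin/sh
# Added example, not the project's unwind-block/unwind-unblock scripts:
# merge a fetched block list with the local additions, then remove the
# exceptions from the unblock file. Assumes one hostname per line, with
# '#' comments allowed.
set -eu

# normalize FILE...: strip comments, blanks, whitespace and trailing dots,
# lowercase everything and collapse duplicates, one name per line.
normalize() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e 's/\.$//' "$@" |
        tr '[:upper:]' '[:lower:]' | grep -v '^$' | sort -u
}

# build_blocklist FETCHED LOCAL UNBLOCK OUT
# Write FETCHED+LOCAL minus every name that is listed in UNBLOCK, or is a
# subdomain of a listed name, to OUT. Releasing subdomains is this
# example's choice, not documented behaviour of unwind-unblock.
build_blocklist() {
    merged=$(mktemp) allow=$(mktemp)
    normalize "$1" "$2" > "$merged"
    normalize "$3" > "$allow"
    # Pass 1 loads the exceptions (keyed on FILENAME rather than NR==FNR so
    # an empty exceptions file does not swallow the block list); pass 2
    # walks each candidate up through its parent labels, so
    # "ads.example.com" is released by "example.com".
    awk 'FILENAME == ARGV[1] { allow[$0] = 1; next }
         {
             name = $0; keep = 1
             while (name != "") {
                 if (name in allow) { keep = 0; break }
                 i = index(name, ".")
                 if (i == 0) break
                 name = substr(name, i + 1)
             }
             if (keep) print
         }' "$allow" "$merged" > "$4"
    rm -f "$merged" "$allow"
}

# demo_blocklist: constructed stand-ins for the fetched list,
# /var/db/unwind-block.txt.local and /var/db/unwind-unblock.txt.
demo_blocklist() {
    dir=$(mktemp -d)
    printf '# fetched list\nads.example.com\nTracker.example.net.\nbadexample.com\n' > "$dir/fetched"
    printf 'badexample.com\nmetrics.example.org\n' > "$dir/local"
    printf 'example.com   # keep the real site reachable\n' > "$dir/unblock"
    build_blocklist "$dir/fetched" "$dir/local" "$dir/unblock" "$dir/out"
    cat "$dir/out"
    rm -rf "$dir"
}
```

On a router the call would be `build_blocklist fetched.txt /var/db/unwind-block.txt.local /var/db/unwind-unblock.txt /var/db/unwind-block.txt.clean` followed by the `mv` from the step above, so unwind(8) never reads a half-written list.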
```sh
cp src/etc/hostname.if /etc/hostname.em0
sh /etc/netstart em0
```

## Install resolv.conf
## Enable dhcpleased and resolvd on -release or -stable

```sh
rcctl enable dhcpleased resolvd
rcctl start dhcpleased resolvd
```

## Install and configure unwind.conf
```sh
rcctl enable unwind
rcctl restart unwind
```

## Install and configure TLS certificates for DoT

n.b. To use DoT, e.g. on a laptop, configure its unwind.conf as follows:
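unwind(8) is meant to answer only on the loopback addresses, with relayd(8) in front of it for the LAN; the fstat(1) output later on this page shows exactly four listening sockets, two on 127.0.0.1 and two on [::1]. The check below is an added example, not part of unwinder: it reads fstat(1) lines and flags any internet socket of the _unwind processes whose local address is not loopback. It assumes the address is the last field of each socket line, as in the output shown on this page; the sample lines are constructed from that output plus one fabricated wildcard socket for the failure case.

```sh
#!/bin/sh
# Added example: verify that unwind(8) only listens on loopback.
# Not part of the unwinder project. Assumes fstat(1) prints the local
# address as the last field of each internet socket line (as on this page).
set -eu

# check_unwind_listeners: read fstat(1) output on stdin, print every
# internet socket bound to a non-loopback address, exit 1 if any was found.
check_unwind_listeners() {
    awk '/ internet6? (dgram|stream) / {
             addr = $NF
             sub(/:[0-9]+$/, "", addr)           # drop the port
             if (addr !~ /^127\./ && addr != "[::1]") {
                 print "non-loopback listener: " $0
                 bad++
             }
         }
         END { exit bad ? 1 : 0 }'
}

# Constructed sample: the four listener lines from the fstat(1) output on
# this page.
SAMPLE_OK='_unwind unwind 19822 6* internet dgram udp 127.0.0.1:53
_unwind unwind 19822 7* internet6 dgram udp [::1]:53
_unwind unwind 19822 8* internet stream tcp 0x0 127.0.0.1:53
_unwind unwind 19822 9* internet6 stream tcp 0x0 [::1]:53'

# Constructed failure case: a wildcard UDP socket, which would expose the
# resolver to the LAN without relayd(8) in front of it.
SAMPLE_BAD="$SAMPLE_OK
_unwind unwind 19822 14* internet dgram udp *:53"

# demo_listener_check: run both samples and print a verdict for each.
demo_listener_check() {
    if printf '%s\n' "$SAMPLE_OK" | check_unwind_listeners; then
        echo "SAMPLE_OK: loopback only"
    else
        echo "SAMPLE_OK: exposed socket found"
    fi
    if printf '%s\n' "$SAMPLE_BAD" | check_unwind_listeners; then
        echo "SAMPLE_BAD: loopback only"
    else
        echo "SAMPLE_BAD: exposed socket found"
    fi
}

# On a live router: fstat -u _unwind -n | check_unwind_listeners
```

Run it after `rcctl restart unwind`; a non-zero exit means a socket is reachable from outside the host and the pf.conf.unwinder rules, not unwind(8), are the only thing keeping the LAN from talking to the resolver directly.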
```
# $OpenBSD: unwind.conf
# Macros
v4unwinder="10.0.0.1 authentication name unwinder.example.com DoT"
v6unwinder="fd80:a:b:c::1 authentication name unwinder.example.com DoT"

# Global Configuration
forwarder {
	$v4unwinder
	$v6unwinder
}
preference DoT
```

## Install and configure relayd.conf

```sh
rcctl restart relayd
```

## Install and configure dhcpd.conf

```sh
rcctl restart dhcpd
```

## Install and configure rad.conf
```sh
rcctl restart rad
```

```
$ du -h /var/db/unwind-block.txt
12.4M /var/db/unwind-block.txt
```

```
$ unwindctl status memory
msg-cache: 76198 / 1048576 (7.27%)
rrset-cache: 228898 / 1048576 (21.83%)
key-cache: 34504 / 1048576 (3.29%)
neg-cache: 14212 / 102400 (13.88%)
```

```
$ ps aux -U _unwind
USER     PID   %CPU %MEM VSZ   RSS   TT STAT STARTED TIME     COMMAND
_unwind  10938 0.0  0.4  16824 15980 ?? IpU  26Jun21 34:30.76 unwind: resolver (unwind)
_unwind  19822 0.0  1.6  65644 66052 ?? Ip   26Jun21 13:35.89 unwind: frontend (unwind)
```

```
$ fstat -u _unwind -n
USER    CMD    PID   FD   DEV  INUM   MODE  R/W SZ|DV
_unwind unwind 19822 wd   4,57 207368 40755 r   512
_unwind unwind 19822 root 4,57 207368 40755 r   512
_unwind unwind 19822 0    4,48 17811  20666 rw  2,2
_unwind unwind 19822 1    4,48 17811  20666 rw  2,2
_unwind unwind 19822 2    4,48 17811  20666 rw  2,2
_unwind unwind 19822 3*   unix stream 0x0
_unwind unwind 19822 4    kqueue 0x0 0 state: W
_unwind unwind 19822 5*   unix stream 0x0
_unwind unwind 19822 6*   internet dgram udp 127.0.0.1:53
_unwind unwind 19822 7*   internet6 dgram udp [::1]:53
_unwind unwind 19822 8*   internet stream tcp 0x0 127.0.0.1:53
_unwind unwind 19822 9*   internet6 stream tcp 0x0 [::1]:53
_unwind unwind 19822 10   4,57 129757 100644 rw 376
_unwind unwind 19822 11*  unix stream 0x0 /dev/unwind.sock
_unwind unwind 19822 12*  route raw 0 0x0
_unwind unwind 19822 13*  unix stream 0x0 /dev/unwind.sock
_unwind unwind 10938 wd   4,48 49761  40700 r   512
_unwind unwind 10938 0    4,48 17811  20666 rw  2,2
_unwind unwind 10938 1    4,48 17811  20666 rw  2,2
_unwind unwind 10938 2    4,48 17811  20666 rw  2,2
_unwind unwind 10938 3*   unix stream 0x0
_unwind unwind 10938 4    kqueue 0x0 0 state: W
_unwind unwind 10938 5*   unix stream 0x0
```

## Caveats
Some public DNS resolvers (e.g. Google, Cloudflare) answer forward queries for home.arpa with a response from the IANA blackhole servers.
As a feature, unwind provides a negative response to DNS reverse-mapping queries for IP addresses that are not globally unique, i.e. the AS112 zones.
Split-horizon DNS is not supported. Redirection and reflection are used instead when connecting to the external address of the firewall from a host on the LAN.
