Unbound configure for quad9

```
uci set unbound.fwd_google.enabled="0"
uci set unbound.fwd_cloudflare.enabled="0"
while uci -q del unbound.@zone[4]; do :; done
uci add unbound zone
uci set unbound.@zone[-1].enabled="1"
uci set unbound.@zone[-1].fallback="0"
uci set unbound.@zone[-1].zone_type="forward_zone"
uci add_list unbound.@zone[-1].zone_name="quad9"
uci add_list unbound.@zone[-1].server="9.9.9.9"
uci add_list unbound.@zone[-1].server="149.112.112.112"
uci add_list unbound.@zone[-1].server="2620:fe::fe"
uci add_list unbound.@zone[-1].server="2620:fe::9"
uci set unbound.@zone[-1].tls_upstream="1"
uci set unbound.@zone[-1].tls_index="dns.quad9.net"
uci commit unbound
service unbound restart
```

This doesn't seem to be working.

There's also stuff about DNS hijacking --

There's also the unbound documentation that says something different there too.

I'm getting conflicting information about how to configure unbound - as well as confusing instructions about where to configure unbound

I am trying to configure unbound to work with quad 9 instead of google

what is the right way to do this? or is there no solution . . . is there someone who has done this before?

What reaction do you expect to your AI-generated litter soup?


Apologies, I've been working on trying to get a few programs set up on my OpenWrt One and having a lot of difficulty getting any program I'm trying to work (adblock, unbound, and wireguard with mullvad)

I have a disability, and I've only just started using Linux about a month ago so I'm pretty lacking in things that might be considered common knowledge

Do you think I'm on the right forum to get help for this? Where should I go if this is the wrong forum?
(for trying to set up unbound to use quad nine instead of google / cloud)

If you don't mind sharing, why do you think my post is AI generated?

AdBlock should be fairly easy to configure, which one of the ones available are you using?
What's the use case for unbound?

Wireguard guide by @egc - https://github.com/egc112/OpenWRT-egc-add-on/blob/main/notes/OpenWRT%20WireGuard%20Client%20Setup%20guide%20using%20LuCi.pdf

I am trying to use unbound to encrypt DNS - and use quad 9 - I believe it's called DNS over TLS? Or maybe the other way around

Use https-DNS-proxy instead, way easier to set up, unless you need DoT instead of DoH.

Depending on which adblock package you pick, it might already have DoT or DoH built in (I believe AGH does).

I'm looking for recursive DNS - and to use quad nine specifically

and I think that means I need DoT

OK - https://quad9.net/news/blog/doh-with-quad9-dns-servers/ ?

It looks like quad nine has DoH support - but how do I get..

unbound to run through quad nine? That was my first post, I was attempting to change the config of unbound - but it didn't seem to do anything when I checked in terminal - the IP appeared the same as before

as well as quad nine only worked in browser when I forced it to through browser settings

Ideally I want my router to force DNS / encrypt the DNS as well
but I've also found conflicting information about whether I should delete
dnsmasq or delete ohcdp (?) I always mess up the acronym

and I can't find good info on what they do / what the difference is between them (it seems unbound can work with one or the other, but I don't know why)

You need to disable secure DNS on OS level and in browsers or implement the hijacking you linked to earlier and block DoT and DoH in the router.
It's all described on the hijacking page.

You go to services → Unbound DNS → zones where you can add the nameservers you found at Quad9

That is mutually exclusive. Can't help you changing what quad9 uses for recursive DNS.

Like disable secure DNS on laptop or phone? Or do you mean on my router OS?

How would I input the hijacking method into an OpenWrt One router?

Can you help me understand how the two are mutually exclusive?

I'm confused because unbound seems to be able to be configured to custom servers (default seems to be google)
but I want to change default to quad9 instead

what do you mean? I don't understand

On both, if you want to control it.

Yes, that's what the link you posted is about.

You don't control Q9's upstream DNSes.

OK, thank you! I have tried this one - and it still didn't seem to work
it appeared in terminal as if my IP was unchanged / did not seem to be able to connect to quad nine

Do you know of a way to check for sure if I'm using quad 9 thru terminal? (I'm having trouble because each output is a little confusing for me, and everyone seems to have a different set of commands to try)

So if I'm putting quad 9 into unbound does it break it?

Why would your IP change when you swap DNS?

Break what?

When trying to set up DNS - they usually say - check if your laptop can connect to quad nine or clearbrowsing or whatnot

but I'm not getting the outputs in terminal that would say I successfully connected to quad 9 or that anything seemed to change

I may be just totally misunderstanding something though - how do you check if DNS works through terminal? (I'm using Linux Mint - and the router is OpenWrt One)
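
An added example, not part of any post in this thread: a POSIX shell check that reads `uci show unbound` output and flags an enabled forward zone that will not carry all queries over TLS. The sample input is constructed from the commands in the first post, and the check assumes the OpenWrt unbound package convention, as in its stock `fwd_google` zone, that a `zone_name` of `.` means "forward every query".

```shell
#!/bin/sh
# Constructed sample (not captured from a router): the shape of
# `uci show unbound` output after the commands in the first post.
sample_uci_show() {
cat <<'EOF'
unbound.fwd_google=zone
unbound.fwd_google.enabled='0'
unbound.fwd_google.zone_type='forward_zone'
unbound.fwd_google.zone_name='.'
unbound.@zone[4]=zone
unbound.@zone[4].enabled='1'
unbound.@zone[4].fallback='0'
unbound.@zone[4].zone_type='forward_zone'
unbound.@zone[4].zone_name='quad9'
unbound.@zone[4].server='9.9.9.9' '149.112.112.112' '2620:fe::fe' '2620:fe::9'
unbound.@zone[4].tls_upstream='1'
unbound.@zone[4].tls_index='dns.quad9.net'
EOF
}

# Reads `uci show unbound` text on stdin and prints one finding per line for
# every enabled forward zone; prints nothing when no problem is found.
audit_forward_zones() {
  awk -v q="'" '
    /^unbound\.[^.]+\.[a-z_]+=/ {
      eq = index($0, "=")
      key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
      opt = key; sub(/.*\./, "", opt)        # option name, e.g. zone_name
      sec = key; sub(/\.[^.]*$/, "", sec)    # section, e.g. unbound.@zone[4]
      if (!(sec in seen)) { seen[sec] = 1; order[++n] = sec }
      v[sec, opt] = val
    }
    END {
      for (i = 1; i <= n; i++) {
        s = order[i]
        if (v[s, "enabled"] != (q "1" q)) continue
        if (v[s, "zone_type"] != (q "forward_zone" q)) continue
        if (index(" " v[s, "zone_name"] " ", " " q "." q " ") == 0)
          print s ": zone_name=" v[s, "zone_name"] " forwards only that name; use . for all queries"
        if (v[s, "tls_upstream"] != (q "1" q))
          print s ": tls_upstream is not 1; queries to this zone are sent unencrypted"
        if (v[s, "tls_index"] == "")
          print s ": tls_index is empty; no name to verify the upstream certificate against"
      }
    }'
}

# On the router itself: uci show unbound | audit_forward_zones
sample_uci_show | audit_forward_zones
```

On the constructed sample this reports the new zone's `zone_name` of `quad9`, which restricts forwarding to names under `quad9` rather than sending every query to the listed servers.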