SYSTEM Cited by 1 source

Unbound

Unbound is an open-source recursive DNS resolver from NLnet Labs. It recursively resolves DNS queries, caches the results, and supports per-zone forwarding rules so different domains can be routed to different upstream resolvers.

Features relevant to wiki sources

  • Recursive resolution + caching. Client-side caching tier on every host reduces load on the shared upstream.
  • Per-zone forwarding rules. forward-zone: stanzas in unbound.conf route different domains to different upstream resolvers. Canonical use case: service-discovery domains to systems/consul, private AWS domains to the VPC resolver, public Internet to a different upstream.
  • Smoothed-RTT timeout calculations. Unbound calculates retry timeouts from a smoothed average of historical round-trip times to each upstream. The calculations are per forwarding rule, so even if two rules target the same upstream IP, their timeout state is independent (relevant when one rule is expected fast, the other expected slow).
  • Request-list introspection. unbound-control dump_requestlist prints the internal to-do list of in-flight queries, a load-bearing debugging tool for diagnosing "queries are queuing up" failure modes.
  • Extensive statistics. Unbound exposes metrics on query rates, query types, cache-hit ratios, and request-list depth; see stripe/datadog-checks unbound.py for one production collector.

Seen in

  • Stripe: The secret life of DNS packets (2024-12-12). Stripe runs Unbound on every host (local cache) and as a central cluster of DNS servers. Forwarding rules route service-discovery queries to Consul, configured domains to Route 53 via the VPC resolver, and everything else to the VPC resolver. The 2024-12-12 post canonicalises unbound-control dump_requestlist as the DNS-queue-depth diagnostic tool and per-zone forwarding rules as the load-distribution fix: splitting in-addr.arpa (all reverse queries) off the central cluster onto each host's local Unbound so 10.in-addr.arpa. (private, fast) and the generic .in-addr.arpa. (public, slow) keep independent smoothed-RTT timeout state.
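The per-zone split described above, as an added example unbound.conf for a host-local resolver; it is not configuration from the Stripe post or the Unbound project. The addresses are assumptions: Consul agent DNS on 127.0.0.1:8600 (Consul's default), VPC resolver at 10.0.0.2, central cluster at 10.1.2.3 and 10.1.2.4.

```conf
# Added example; addresses are placeholders, replace with your own.
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    # Unbound ships a default static local-zone for RFC 1918 reverse
    # space, which would answer 10.in-addr.arpa. locally (NXDOMAIN)
    # instead of forwarding it. Opt that zone out of the default.
    local-zone: "10.in-addr.arpa." nodefault
    # Needed to forward to a resolver on loopback (the Consul agent).
    do-not-query-localhost: no

remote-control:
    # Enables `unbound-control dump_requestlist` and `unbound-control stats`.
    control-enable: yes
    control-interface: 127.0.0.1

# Service discovery: *.consul to the local Consul agent.
forward-zone:
    name: "consul."
    forward-addr: 127.0.0.1@8600

# Without the two stanzas below, every reverse query (private and
# public) would ride the "." catch-all to the central cluster, and one
# slow public in-addr.arpa. answer would raise the smoothed RTT shared
# with the fast 10.x lookups. Each forward-zone keeps its own RTT
# state, even when the targets are the same IP, so they are split.

# Private reverse space: own rule, own timeout state, answered by the
# VPC resolver straight from this host.
forward-zone:
    name: "10.in-addr.arpa."
    forward-addr: 10.0.0.2

# Public reverse space: own rule too, so slow answers here cannot
# inflate the timeout used for 10.in-addr.arpa.
forward-zone:
    name: "in-addr.arpa."
    forward-addr: 10.0.0.2

# Everything else goes to the central cluster.
forward-zone:
    name: "."
    forward-addr: 10.1.2.3
    forward-addr: 10.1.2.4
```

Check the file with unbound-checkconf before reloading; afterwards unbound-control dump_requestlist shows which queries are queued and against which forwarder.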