Unwind: Validating DNS Resolver

unwind(8) is a validating DNS resolver. It resolves DNS queries on behalf of your system. If unwind(8) detects that DNS queries are blocked by the local network, it can switch to resolvers learned through autoconfiguration (see resolvd). Because it is very simple to configure, it is useful to enable unwind(8) if you do not have another caching nameserver like unbound running on the system.

Configuring unwind

In this guide, we'll provide a simple sample unwind.conf(5).

We put this in /etc/unwind.conf:

forwarder {
	203.0.113.1 authentication name dns1.example DoT
	198.51.100.2 authentication name dns2.example DoT
	233.252.0.3
}
preference { DoT forwarder }

Note: the three IP addresses above are not real. You must replace 203.0.113.1, 198.51.100.2, and 233.252.0.3 with real IP addresses from real caching DNS providers.

In this sample configuration, unwind prefers the two DNS over TLS (DoT) forwarders, dns1.example (203.0.113.1) and dns2.example (198.51.100.2), because "DoT" is listed before "forwarder" in the preference line. Only if neither DoT server is usable does it fall back to the unencrypted forwarder 233.252.0.3.

Note: The authentication name must match the name in the TLS certificate presented by the server. If it does not, certificate validation fails and unwind will refuse to use that nameserver.
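Two of the mistakes the notes above warn about (leaving the documentation-range placeholder addresses in place, and running a forwarder without the protection a DoT authentication name gives) can be caught before unwind is started. The following linter is an added example, not part of this guide or of the unwind project; it parses only the subset of unwind.conf(5) syntax shown here (an address, an optional "port", an optional "authentication name", and "DoT") and flags placeholder addresses, DoT entries that lack an authentication name, and plaintext forwarders. The embedded sample configuration is constructed to mirror the one above.

```python
import ipaddress
import re

# Address ranges reserved for documentation and examples (RFC 5737 for the
# three IPv4 /24s, RFC 6676 for 233.252.0.0/24, RFC 3849 for 2001:db8::/32).
# A config that still points at these has not been edited with real resolvers.
DOCUMENTATION_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("233.252.0.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]

# Constructed sample: the same configuration the guide shows.
SAMPLE_CONF = """\
forwarder {
\t203.0.113.1 authentication name dns1.example DoT
\t198.51.100.2 authentication name dns2.example DoT
\t233.252.0.3
}
preference { DoT forwarder }
"""

# One forwarder entry: address [port N] [authentication name X] [DoT]
ENTRY_RE = re.compile(
    r"^(?P<addr>[0-9A-Fa-f.:]+)"
    r"(?:\s+port\s+(?P<port>\d+))?"
    r"(?:\s+authentication\s+name\s+(?P<authname>\S+))?"
    r"(?:\s+(?P<dot>DoT))?\s*$"
)


def parse_forwarders(conf_text):
    """Return one dict per entry found inside the forwarder { ... } block."""
    entries = []
    in_block = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if not in_block:
            if line.startswith("forwarder") and line.endswith("{"):
                in_block = True
            continue
        if line == "}":
            in_block = False
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised forwarder entry: {line!r}")
        entries.append({
            "addr": m.group("addr"),
            "port": int(m.group("port")) if m.group("port") else None,
            "authname": m.group("authname"),
            "dot": m.group("dot") is not None,
        })
    return entries


def lint_forwarders(conf_text):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    for e in parse_forwarders(conf_text):
        addr = ipaddress.ip_address(e["addr"])
        if any(addr in net for net in DOCUMENTATION_NETS):
            findings.append(f"{addr}: documentation address, replace with a real resolver")
        if e["dot"] and not e["authname"]:
            findings.append(f"{addr}: DoT without authentication name, "
                            "certificate cannot be checked against a hostname")
        if not e["dot"]:
            findings.append(f"{addr}: plaintext forwarder, queries are visible on the path")
    return findings


if __name__ == "__main__":
    for f in lint_forwarders(SAMPLE_CONF):
        print("WARNING:", f)
```

Run against the guide's sample it reports all three addresses as placeholders and the third as a plaintext forwarder; run against your real /etc/unwind.conf (read the file and pass its contents to lint_forwarders) it should print nothing, apart from the plaintext warning for any unencrypted fallback you chose to keep.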

Starting unwind

# rcctl enable unwind
# rcctl start unwind

The running resolvd process will automatically detect unwind and place it in resolv.conf.

Flushing the cache

If you have stale DNS records, you may need to flush the old DNS cache. This can be done simply by restarting unwind:

# rcctl restart unwind