Unwind: Validating DNS Resolver
unwind(8) is a validating DNS resolver. It resolves DNS queries on behalf of your system. If unwind(8) detects that DNS queries are blocked by the local network, it can switch to resolvers learned through autoconfiguration (see resolvd). Because it is very simple to configure, it is useful to enable unwind(8) if you do not have another caching nameserver like unbound running on the system.
Configuring unwind
In this guide, we'll provide a simple sample unwind.conf(5).
We put this in /etc/unwind.conf:
forwarder {
    203.0.113.1 authentication name dns1.example DoT
    198.51.100.2 authentication name dns2.example DoT
    233.252.0.3
}
preference { DoT forwarder }
Note: the three IP addresses above are not real. You must replace 203.0.113.1, 198.51.100.2, and 233.252.0.3 with real IP addresses from real caching DNS providers.
In this sample configuration, unwind will prefer the DNS over TLS servers wherever they are defined. In this case, that would be the two servers dns1.example (203.0.113.1) and dns2.example (198.51.100.2). It then falls back to the unencrypted nameserver 233.252.0.3.
Note: The authentication name must match the name in the TLS certificate, or else it will not validate and unwind will refuse to use the nameserver!
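As an added example that is not part of this guide, the sh/awk check below reads an unwind.conf written in the one-forwarder-per-line layout above, prints the forwarders in the order that "preference { DoT forwarder }" tries them (DoT entries first, then plain ones), and flags any DoT forwarder that carries no authentication name, which is the value unwind validates the certificate against. The file it reads is a constructed sample using the documentation addresses from above plus one extra DoT entry (192.0.2.9, an assumption) that deliberately lacks an authentication name.

```shell
#!/bin/sh
# Added example, not from the original guide. Lists unwind.conf forwarders in
# the order "preference { DoT forwarder }" tries them and flags DoT entries
# without an "authentication name". Assumes one forwarder per line.

# Print one line per forwarder: "<DoT|plain> <address> <authentication name|->".
unwind_forwarders() {
    awk '
        # Only the forwarder { ... } block matters; skip comments and blanks.
        /^[ \t]*#/ || NF == 0 { next }
        /^[ \t]*forwarder[ \t]*[{]/ { inblock = 1; next }
        inblock && /^[ \t]*}/      { inblock = 0; next }
        inblock {
            addr = $1; name = "-"; dot = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "authentication" && $(i + 1) == "name") name = $(i + 2)
                if ($i == "DoT") dot = 1
            }
            # A DoT forwarder with no name leaves nothing to validate the cert against.
            if (dot && name == "-") name = "MISSING"
            if (dot) dotlist = dotlist "DoT " addr " " name "\n"
            else     plain   = plain   "plain " addr " " name "\n"
        }
        END { printf "%s%s", dotlist, plain }
    ' "$1"
}

# Constructed sample configuration (documentation addresses, not real servers);
# the last DoT entry intentionally has no authentication name. Remove the
# temporary file when done.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample unwind.conf
forwarder {
    203.0.113.1 authentication name dns1.example DoT
    198.51.100.2 authentication name dns2.example DoT
    233.252.0.3
    192.0.2.9 DoT
}
preference { DoT forwarder }
EOF

unwind_forwarders "$SAMPLE_CONF"
```

Run it against /etc/unwind.conf instead of the sample to review a live configuration before starting unwind.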
Starting unwind
# rcctl enable unwind
# rcctl start unwind
The running resolvd process will automatically detect it and add it to resolv.conf.
Flushing the cache
If you have stale DNS records, you may need to flush the old DNS cache. This can be done simply by restarting unwind:
# rcctl restart unwind