The Domain Name System (DNS) is responsible for translating domain names to IP addresses, allowing devices to work out where a domain name points to and connect directly to that remote network. This information is loaded as you connect to different sources, and all the data is cached locally to avoid having to run the same process for each request. Using a DNS server hosted by Google, Cloudflare, or some other company is great for reliability, but it's not fully private.
If you want to secure your connection to the outside world in its entirety, you'll want to consider creating your own DNS server. I did it with nothing but OPNsense, Unbound, and a few minutes to spare.
What is Unbound?
And why would you want a custom DNS server?

Unbound is a powerful tool within OPNsense that can be used as a full-fledged DNS server. You can also use it for smaller tasks, such as overrides that point domain names at internal services, so they work both on the LAN and externally without having to switch between local IPs and domain names. Using Unbound as a DNS server instead of your ISP, Google, or some other company is largely down to privacy, performance, security, and the desire to self-host everything.
There are a few factors that make it worth considering, but the most important one for me is security, largely DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH). Unbound (and OPNsense for that matter) support these encrypted DNS protocols from the get-go, and everything can be configured in a few minutes, preventing any third party from snooping in on your DNS queries. Just because your connection may be encrypted, it doesn't mean your DNS lookups are, too.
You're likely familiar with Pi-hole and I've been a fan of using the platform to block unwanted ads and the like, but Unbound can handle this too with custom blacklists, depending on how far down the fine-tuning rabbit hole you wish to traverse. Performance is there too, since it's all local, and Unbound can work with root servers to create a cache of entries for rapid load times. And since it's baked into OPNsense, Unbound is lightweight and easy to set up and use.

How I quickly configured Unbound on OPNsense
It's easier than you think
All you need to do is log into your OPNsense firewall and navigate to Unbound. Enable the plugin (Services > Unbound) and uncheck the box for "Forwarding Mode". This will force all requests to be handled by Unbound, resolving via root servers instead of relying on external services, such as Google and Cloudflare. We're almost done already! All that's left to do is set an appropriate access control entry that allows traffic from the LAN (this will likely be 192.168.1.0 unless configured otherwise).
I would also highly recommend enabling Domain Name System Security Extensions (DNSSEC) support to ensure responses are validated cryptographically. This is important for those who value their privacy (and why else would you set up your own DNS server?) by making sure everything is secured against potential attacks. Last, but by no means least, we need to head into OPNsense's configuration to remove all DNS server entries and disable the option that lets DHCP/PPP on WAN override the DNS server list.
If you wish to be extra secure, we can block port 53 to prevent any leakage from the LAN, but everything should start using your Unbound-powered DNS server on the OPNsense firewall via DHCP. That's all there is to it! OPNsense took over immediately, and everything started routing through my new Unbound DNS server. The best part about using Unbound is it can run on just about anything with a supported CPU.
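One way to confirm the steps above took effect is to check the resolver's generated configuration. This is an added example, not code from the original article or from OPNsense: a Python check over text in unbound.conf syntax, where the sample config, the function names and the 192.168.1.0/24 LAN value are assumptions.

```python
import ipaddress

# Constructed sample in unbound.conf syntax; not taken from a real firewall.
SAMPLE_CONF = """
server:
    module-config: "validator iterator"
    auto-trust-anchor-file: "/var/unbound/root.key"
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse
"""

ANCHOR_KEYS = {"auto-trust-anchor-file", "trust-anchor-file", "trust-anchor"}

def parse(conf):
    """Return (clause, key, value) tuples, skipping comments and blank lines."""
    clause, entries = None, []
    for raw in conf.splitlines():
        key, _, value = raw.split("#", 1)[0].strip().partition(":")
        value = value.strip().strip('"')
        if key and not value:        # "server:" or "forward-zone:" opens a clause
            clause = key
        elif key:
            entries.append((clause, key, value))
    return entries

def audit(conf, lan="192.168.1.0/24"):
    """List deviations from the setup described above (empty list = all good)."""
    entries, lan_net, findings = parse(conf), ipaddress.ip_network(lan), []
    # Forwarding mode appears as a forward-zone for the root zone ".".
    if ("forward-zone", "name", ".") in entries:
        findings.append("forwarding enabled for the root zone")
    # Unbound loads the validator by default; only an explicit override drops it.
    modules = [v.split() for _, k, v in entries if k == "module-config"]
    if modules and "validator" not in modules[-1]:
        findings.append("validator module not loaded")
    if not any(k in ANCHOR_KEYS for _, k, _ in entries):
        findings.append("no DNSSEC trust anchor configured")
    # An allow rule wider than loopback or the LAN makes an open resolver.
    for _, k, v in entries:
        if k != "access-control":
            continue
        net, action = v.split()[:2]
        n = ipaddress.ip_network(net, strict=False)
        in_lan = n.version == lan_net.version and n.subnet_of(lan_net)
        if action.startswith("allow") and not (n.is_loopback or in_lan):
            findings.append(f"access-control allows {net}")
    return findings
```

An empty list from `audit()` means the text shows recursive resolution, a DNSSEC trust anchor, and access limited to loopback and the LAN.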

Running your own DNS is great for the home lab
And your smart home

You'll likely be eyeing up a few Docker containers and services if you're serious about running a home lab. Adding a DNS server into the mix is a great way to protect your home and your meticulously planned out infrastructure from potential attack. The goal with self-hosting is that you don't have to leave the home LAN to do anything. Using a DNS server managed by another company requires all your networked devices to reach out for assistance in connecting to other servers.
That's where our custom DNS server comes into play. It eliminates the need for everything to contact the outside world for DNS queries. And because Unbound deals with root servers and builds its own cache, you won't be constantly sending out queries. Being able to configure domain name usage for internal connections makes everything within a smart home easier, and Unbound is great at providing the means to set up overrides.
It has so far been an excellent ride and I don't see myself switching back.