Ramblings of an aging IT geek

running my own recursive resolver at home

Why I dropped the upstream forwarders and let Unbound do full recursion from the root servers on my home network.

For years my home DNS was Pi-hole forwarding to a public resolver, because that's what every guide tells you to do. It works. But it means every name my network ever looks up goes to one company, and it means my "private" DNS is only as private as their logging policy. So I switched the homelab to a proper recursive resolver: Unbound, talking to the root servers directly, caching everything, asking nobody for permission.

The setup is less dramatic than it sounds. Unbound ships with sane defaults and the recursion is built in. The minimal config that matters:

server:
    # listen on every IPv4 address of the box
    interface: 0.0.0.0
    # only the home LAN may query; Unbound refuses everything else by default
    access-control: 192.168.0.0/16 allow
    # don't answer id.server / version.bind style chaos queries
    hide-identity: yes
    hide-version: yes
    # send each server only the labels it needs to hand out a referral
    qname-minimisation: yes
    # refresh popular entries before they expire
    prefetch: yes
    # don't let upstream TTLs shorter than 5 minutes churn the cache
    cache-min-ttl: 300

qname-minimisation is the one I care about most. Instead of sending the full name you want to every server in the chain, it only sends as much as each one needs to answer. The root servers learn you're asking about something under .com, not the exact host. It's a small privacy win that costs nothing.
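To make the privacy point concrete, here is an added illustration (not code from the post) of the query names a resolver sends at each step of the walk, with and without QNAME minimisation. The zone cuts (root, then com., then example.com.) and the target name are constructed assumptions; the query type is left out for brevity.

```python
# Added illustration, not code from the post: the query names a recursive
# resolver sends at each step of the walk from the root, with and without
# QNAME minimisation. The zone cuts (root -> com. -> example.com.) are a
# constructed assumption; the query type is left out for brevity.

def labels(name):
    """Split a DNS name into labels, root-first: 'www.example.com.' -> ['com', 'example', 'www']."""
    return [label for label in name.rstrip(".").split(".") if label][::-1]

def to_name(root_first_labels):
    """Inverse of labels(): ['com', 'example'] -> 'example.com.' (the root is '.')."""
    return ".".join(reversed(root_first_labels)) + "."

def full_name_walk(name, zone_cuts):
    """Classic recursion: every server on the path is asked for the full name."""
    fqdn = to_name(labels(name))
    return [(zone, fqdn) for zone in zone_cuts]

def minimised_walk(name, zone_cuts):
    """QNAME minimisation: each server is asked only for the next label below
    the zone it serves; only the last known zone sees the remaining labels,
    one at a time, until the full name has been asked."""
    target = labels(name)
    queries = []
    for index, zone in enumerate(zone_cuts):
        depth = len(labels(zone))
        if index < len(zone_cuts) - 1:
            queries.append((zone, to_name(target[:depth + 1])))
        else:
            for d in range(depth + 1, len(target) + 1):
                queries.append((zone, to_name(target[:d])))
    return queries

def exposure(walk):
    """How many labels of the target each server got to see (max over its queries)."""
    seen = {}
    for zone, qname in walk:
        seen[zone] = max(seen.get(zone, 0), len(labels(qname)))
    return seen

if __name__ == "__main__":
    cuts = [".", "com.", "example.com."]
    for title, walk in (("full name", full_name_walk("www.example.com", cuts)),
                        ("minimised", minimised_walk("www.example.com", cuts))):
        print(title)
        for zone, qname in walk:
            print(f"  ask {zone:<14} for {qname}")
        print("  labels seen per server:", exposure(walk))
```

Run it and the difference is exactly what the post describes: with minimisation the root servers see one label (com.) instead of three, and the .com servers see two instead of three; only the zone that actually hosts the name sees all of it.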

The thing nobody warns you about: the first lookup of any name is slower. You're walking from the root down, hop by hop, instead of a forwarder handing you a cached answer. For a cold cache that's a few hundred milliseconds where a forwarder would give you single digits. prefetch: yes and a sensible cache-min-ttl paper over most of it, because anything you visit twice is served from RAM. After a day of normal use the cache hit rate sat comfortably above 90% and nobody in the house noticed any difference.
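The interaction between cache-min-ttl and prefetch is easier to see in a toy model than in a real query log, so here is an added example (not code from the post) that replays a constructed query stream through a small cache. The latencies (300 ms for a cold walk, 1 ms for a hit), the stream itself and the prefetch trigger (refresh when less than 10% of the original TTL remains) are all assumptions of the example, not figures from the post.

```python
# Added illustration, not code from the post: a toy cache that models how
# cache-min-ttl and prefetch change the hit rate and worst-case latency a
# client sees. The latencies (300 ms for a cold walk from the root, 1 ms for
# a cache hit) and the query stream are constructed for the example; the
# prefetch trigger (refresh when less than 10% of the original TTL remains)
# is an assumption about Unbound's behaviour, not something the post states.

class ToyCache:
    COLD_MS = 300   # constructed: a full walk from the root
    HIT_MS = 1      # constructed: answer served from RAM

    def __init__(self, cache_min_ttl=0, prefetch=False, prefetch_fraction=0.1):
        self.min_ttl = cache_min_ttl
        self.prefetch = prefetch
        self.fraction = prefetch_fraction
        self.entries = {}            # name -> (expires_at, ttl_as_cached)
        self.hits = self.misses = self.prefetches = 0

    def _store(self, name, upstream_ttl, now):
        # cache-min-ttl: clamp short upstream TTLs up to the configured floor
        ttl = max(upstream_ttl, self.min_ttl)
        self.entries[name] = (now + ttl, ttl)

    def lookup(self, name, upstream_ttl, now):
        """Latency (ms) the client sees for a lookup of `name` at time `now` (s)."""
        entry = self.entries.get(name)
        if entry is not None and entry[0] > now:
            expires_at, ttl = entry
            self.hits += 1
            # prefetch: an entry close to expiry is refreshed in the background,
            # while the client still gets the cached answer right away
            if self.prefetch and (expires_at - now) < ttl * self.fraction:
                self.prefetches += 1
                self._store(name, upstream_ttl, now)
            return self.HIT_MS
        self.misses += 1
        self._store(name, upstream_ttl, now)
        return self.COLD_MS

    def hit_rate(self):
        total = self.hits + self.misses
        return self.hits / total if total else 0.0

def simulate(cache_min_ttl=0, prefetch=False, stream=None):
    """Replay a query stream; returns (hit_rate, worst latency after the first query, prefetch count)."""
    if stream is None:
        # constructed: one name with a 60 s upstream TTL, looked up every 20 s for 10 minutes
        stream = [("cdn.example.", 60, t) for t in range(0, 600, 20)]
    cache = ToyCache(cache_min_ttl, prefetch)
    latencies = [cache.lookup(name, ttl, t) for name, ttl, t in stream]
    return cache.hit_rate(), max(latencies[1:]), cache.prefetches

if __name__ == "__main__":
    for min_ttl, prefetch in ((0, False), (300, False), (0, True), (300, True)):
        rate, worst, refreshed = simulate(min_ttl, prefetch)
        print(f"cache-min-ttl={min_ttl:<3} prefetch={prefetch!s:<5} "
              f"hit rate {rate:.1%}  worst latency after warm-up {worst} ms  prefetches {refreshed}")
```

Two things fall out of the four runs. A TTL floor alone lifts the hit rate but every expiry still costs a client a cold walk; prefetch on its own does nothing when the name is looked up less often than the last 10% of its TTL, which is the common case for short upstream TTLs. Together they keep a popular name served from RAM indefinitely, which is the "nobody noticed" effect the post describes.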

DNSSEC validation came along for the ride. Unbound ships the root trust anchor and validates by default, so a tampered answer gets thrown out rather than served. I tested it with the usual deliberately-broken test domains and got the SERVFAIL I wanted.

Would I tell everyone to do this? No. If you just want ad-blocking, a forwarder is fine and simpler. But if you'd rather not route every lookup through a third party, running your own recursion is a couple of config lines and a bit of patience on cold cache. I'm keeping it.