Your ISP sees every domain you visit. Your browser leaks data to digital trackers. Your smart fridge pings mystery servers. Sound like a tech nightmare? It is. But here is the twist: you can stop almost all of it with a Raspberry Pi and thirty minutes of configuration. This guide walks you through building a recursive DNS server using Pi-hole paired with Unbound. The result? ad-free browsing and complete privacy protection across your entire network. No more relying on shady third party DNS services that log your queries. You become your own DNS authority.
Why Recursive DNS Matters (And Why 1.1.1.1 Is Not Enough)
Most guides tell you to point Pi-hole at Cloudflare or Google DNS. That misses the point entirely. Forwarding your queries, even to privacy-focused resolvers, still creates a centralized trail of every domain you visit. Unbound changes the game by turning your Pi-hole into a recursive resolver.
Here is how recursion works. When your device asks for techcrunch.com, Unbound queries the root servers directly. Then the TLD servers. Then the authoritative nameservers. It builds the answer from scratch and caches it locally. Your queries never touch third party logs. Cloudflare might delete logs after 24 hours, but yours never existed in the first place.
The tradeoff? Initial lookups take slightly longer. Unbound solves this with aggressive caching and DNSSEC validation. For privacy advocates, the milliseconds of extra latency are the cost of network sovereignty.
The Build: Installing Pi-hole and Unbound
Hardware requirements are minimal. A Raspberry Pi 4 with 2GB RAM handles thousands of queries per second. Older Pi 3 models work fine for home networks. You need an Ethernet connection. WiFi introduces latency and packet loss that undermine recursive performance.
Start with a fresh Raspberry Pi OS Lite installation. Configure a static IP in /etc/dhcpcd.conf or via your router's DHCP reservation. This prevents IP conflicts that break DNS resolution for your entire network.
Install Pi-hole first: curl -sSL https://install.pi-hole.net | bash. Choose your static IP during setup. Enable the web interface. Select a strong admin password. Do not configure upstream DNS at the prompt. You will point Pi-hole at Unbound instead.
Now install Unbound. sudo apt install unbound unbound-host. The default configuration is functional but suboptimal. Create a custom config at /etc/unbound/unbound.conf.d/pi-hole.conf:
server:
verbosity: 0
interface: 127.0.0.1
port: 5335
do-ip4: yes
do-udp: yes
do-tcp: yes
do-ip6: no
prefer-ip6: no
harden-glue: yes
harden-dnssec-stripped: yes
harden-referral-path: yes
unwanted-reply-threshold: 10000
val-clean-additional: yes
edns-buffer-size: 1232
prefetch: yes
prefetch-key: yes
num-threads: 2
msg-cache-slabs: 2
rrset-cache-slabs: 2
infra-cache-slabs: 2
key-cache-slabs: 2
rrset-cache-size: 128m
msg-cache-size: 64m
so-rcvbuf: 1m
so-sndbuf: 1m
forward-zone:
name: "."
forward-addr: 127.0.0.1@5335These settings optimize for home networks. Prefetching prevents latency on cache misses. Hardening options block DNS pollution attacks. The buffer sizes work around some ISPs that fragment packets. The thread count matches Pi 4's core configuration.
Verifying Your Configuration Works
Restart Unbound: sudo service unbound restart. Test recursive resolution with: dig @127.0.0.1 -p 5335 openstreetmap.org. The flags section should show 'ad' for authenticated data. This confirms DNSSEC is validating signatures. No 'ad' flag means your queries are vulnerable to tampering.
Now configure Pi-hole to use Unbound. Navigate to Settings > DNS. Uncheck every upstream provider. Add 127.0.0.1#5335 as a custom upstream. Save. Check the main Pi-hole dashboard. Your query log should start populating.
Test blocking with: dig doubleclick.net from a client using the Pi-hole as its DNS. The response should return 0.0.0.0. If you see an IP address, check your Pi-hole blocklists. The default lists are conservative. Add StevenBlack's unified hosts list for comprehensive protection.
Pros, Cons, and Troubleshooting Pitfalls
The benefits are substantial. Complete query privacy. Network-wide ad blocking that works in browsers and mobile apps. Custom blocklists for malware and phishing. Docker containers and VMs obey the same rules as your phone.
But recursive DNS has sharp edges. The first query for each domain goes through the full resolution chain. This can take 200-500ms versus 10ms for cached queries. The solution: patience and cache warming. Popular domains get cached quickly. Unbound's prefetch feature also anticipates queries based on TTL expiration.
Pitfall one: ISP DNS hijacking. Some providers intercept port 53 traffic and redirect it to their resolvers. This breaks recursion entirely. Workaround: configure Unbound on a non-standard outbound port or use DNS over HTTPS as a fallback.
Pitfall two: Pi-hole updates wiping custom config. Always back up /etc/unbound/unbound.conf.d/. Automation via Ansible or simple cron jobs prevents configuration drift.
Pitfall three: DHCP conflicts. If your router reassigns the Pi's IP, every device on your network loses internet access. Use a router reservation, not just static configuration on the Pi. Router reservations take precedence.
The Verdict: Who Should Run Recursive DNS?
This setup is not for casual users seeking a weekend project. It demands ongoing maintenance: monitoring cache performance, troubleshooting network issues, updating blocklists. But for privacy-focused prosumers, the payoff justifies the effort. You gain genuine sovereignty over your DNS traffic. No trust required in corporate privacy policies. No blind reliance on 'no logs' claims.
Pair this with a VPN on your router and local DNS becomes invisible to your ISP entirely. Pro tip: add the excellent Unbound visualization to Grafana for real-time cache metrics. The satisfaction of watching ad requests evaporate before they touch your devices? Worth every minute spent on setup.
Does Pi-hole with Unbound work for custom local domain names?
Yes. Configure a private reverse zone in Unbound for local domains like *.home.arpa. Add entries to /etc/hosts on the Pi for static mappings. Pi-hole's Conditional Forwarding feature also delegates local resolution to your router if it handles DHCP for local devices. This lets you ping 'nas.home' instead of remembering 192.168.1.50.
Why is recursive DNS slower than using Cloudflare or Quad9?
Third-party resolvers maintain massive caches spanning millions of users. When you query Cloudflare, the domain is probably already cached. Unbound starts with an empty cache and queries root servers directly. After 24-48 hours of use, your local cache catches up. The first week feels sluggish. Week two feels faster because popular domains hit instantly. Long term, recursive is comparable since edge caches only save a few milliseconds anyway.
What happens if the Raspberry Pi goes offline?
Your entire network loses DNS resolution. Devices cannot resolve domain names to IP addresses. Configure a fallback DNS server on your router, ideally the DHCP server that hands out the Pi-hole IP. Most routers support primary and secondary DNS. Set Cloudflare as the secondary. Devices will failover automatically when the Pi is down. For redundancy, run two Pi-hole instances on separate hardware. Keepalived or a simple floating IP provides failover within seconds.
