- Multi-arch support (x86_64 and ARM64)
- ~50MB image size vs ~500MB for Ubuntu version
- DNSSEC validation with root hints
- Health checks and resource limits
- Security hardening (hide identity/version, harden-glue, etc.)
- Build script for easy single/multi-arch builds
Alpine Unbound DNS Server
A lightweight Alpine-based Unbound DNS resolver container, optimized for homelab use.
Features
- 🪶 Lightweight: ~50MB image size (vs ~500MB+ for Ubuntu-based)
- 🔒 DNSSEC Validation: Full DNSSEC support with automatic root trust anchor updates
- 🏗️ Multi-Architecture: Native support for x86_64 and ARM64 (Raspberry Pi, Apple Silicon)
- ❤️ Health Checks: Built-in health monitoring
- 🔧 Hardened Config: Security best practices out of the box
- 📊 Resource Efficient: Memory limits of 128MB (typically uses ~30-50MB)
Quick Start
Using Docker Compose
docker-compose up -d
Building Manually
# For x86_64/AMD64
docker build -f Dockerfile.amd64 -t alpine-unbound:amd64 .
# For ARM64 (Raspberry Pi 4/5, Apple Silicon)
docker build -f Dockerfile.arm64 -t alpine-unbound:arm64 .
# Multi-arch build (if using buildx)
./build.sh multiarch
Architecture-Specific Dockerfiles
| File | Architecture | Use Case |
|---|---|---|
| Dockerfile | Auto-detect | General use, multi-arch builds |
| Dockerfile.amd64 | x86_64 | Intel/AMD servers, desktop PCs |
| Dockerfile.arm64 | ARM64 | Raspberry Pi 4/5, Apple Silicon, AWS Graviton |
Configuration
The default configuration (unbound.conf) includes:
- Listening on port 5335 (to avoid conflicts with other DNS services)
- Access allowed from all RFC1918 private networks
- DNSSEC validation enabled
- Query name minimization for privacy
- Aggressive caching for performance
- Security hardening options
Custom Configuration
Mount your own config files:
volumes:
- ./my-unbound.conf:/etc/unbound/unbound.conf:ro
- ./conf.d/:/etc/unbound/unbound.conf.d/:ro
Integration with Pi-hole
Use as upstream DNS for Pi-hole:
# In Pi-hole's docker-compose.yml
environment:
- PIHOLE_DNS_=172.17.0.1#5335
Comparison with Ubuntu Version
| Aspect | Alpine | Ubuntu |
|---|---|---|
| Image Size | ~50MB | ~500MB+ |
| Memory Usage | ~30-50MB | ~100-200MB |
| SSH Access | ❌ | ✅ |
| Dev Tools | ❌ | ✅ |
| Shell | ash | zsh (oh-my-zsh) |
| Init System | tini | supervisord |
| Startup Time | <1s | ~5s |
Choose Alpine for: Production DNS, resource-constrained devices, simple deployments.
Choose Ubuntu for: Development, debugging, when you need SSH access or interactive shell.
Ports
| Port | Protocol | Description |
|---|---|---|
| 5335 | TCP/UDP | Unbound DNS |
Environment Variables
| Variable | Default | Description |
|---|---|---|
| TZ | UTC | Timezone |
Health Check
The container includes automatic health checks using drill:
drill @127.0.0.1 -p 5335 google.com
Troubleshooting
Check if Unbound is running
docker exec alpine_unbound drill @127.0.0.1 -p 5335 google.com
View logs
docker logs alpine_unbound
Test DNSSEC validation
docker exec alpine_unbound drill -D sigok.verteiltesysteme.net @127.0.0.1 -p 5335
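The sigok query above shows that a validly signed name resolves. The following added example (not part of this project) also queries a deliberately mis-signed name and classifies both results, so a resolver that merely forwards answers without validating is caught. It assumes `sigfail.verteiltesysteme.net` is the broken-signature companion of the sigok test name; the function names and sample header lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the project). Assumption: sigfail.verteiltesysteme.net
# is the deliberately mis-signed companion of the sigok name used in this README.

# Constructed drill header lines: a validated answer and a rejected bogus one.
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 4242
;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_FAIL=';; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 4243
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

# Read drill output on stdin; print "<rcode> <ad|noad>".
drill_status() {
    awk '
        /^;; ->>HEADER<<-/ {
            for (i = 1; i <= NF; i++)
                if ($i == "rcode:") { rc = $(i + 1); sub(/,$/, "", rc) }
        }
        /^;; flags:/ {
            sub(/^;; flags:/, ""); sub(/;.*/, "")
            n = split($0, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
        }
        END {
            if (rc == "") rc = "UNKNOWN"
            print rc, (ad ? "ad" : "noad")
        }
    '
}

# $1 = status for the validly signed name, $2 = status for the mis-signed name.
dnssec_verdict() {
    case "$1|$2" in
        "NOERROR ad|SERVFAIL noad") echo "validating" ;;      # good accepted, bogus refused
        "NOERROR "*"|NOERROR "*)   echo "not-validating" ;;  # bogus answer was served
        *)                          echo "inconclusive" ;;    # e.g. upstream unreachable
    esac
}

# Live check; defaults match this README (127.0.0.1, port 5335). Needs network.
check_resolver() {
    host="${1:-127.0.0.1}"; port="${2:-5335}"
    ok=$(drill -D sigok.verteiltesysteme.net "@$host" -p "$port" | drill_status)
    bad=$(drill -D sigfail.verteiltesysteme.net "@$host" -p "$port" | drill_status)
    v=$(dnssec_verdict "$ok" "$bad")
    echo "sigok: $ok; sigfail: $bad; verdict: $v"
    [ "$v" = "validating" ]
}
```

Source the file and run `check_resolver` inside the container (or `check_resolver <host> <port>` from another machine); a non-zero exit status means validation could not be confirmed.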
License
MIT