How to Set Up Unbound DNS Resolver on Debian 11

Introduction

This guide explains how to Set Up Unbound DNS Resolver on Debian 11 on Debian 11 Bullseye. Debian Bullseye uses systemd for service management, nftables as the underlying packet filter (with ufw or iptables front-ends still available), and AppArmor for mandatory access control. Every command is designed for a minimal Debian 11 install with the standard repositories enabled.

Prerequisites

You will need a registered Debian 11 Bullseye host with sudo access and the main, contrib, and non-free-firmware repository components enabled. Verify with cat /etc/apt/sources.list. If you are working inside a VM or container, ensure overlayfs or a compatible storage driver is configured. For network-facing services, have a domain name or static IP ready so certificate issuance and DNS records can be set up immediately after installation.

Step 1: Update Debian 11 Package Lists

Always refresh the APT package cache before installing anything on Debian 11 Bullseye. This ensures dpkg resolves to the latest available version in the repository and avoids conflicts caused by stale metadata. Take note of any conffile prompts that apt shows during the install — these indicate that the package maintainer has a newer version of the config and you will need to manually merge your changes later.

sudo apt update
sudo apt upgrade -y

Step 2: Install Required Packages

Install the necessary packages using APT. Debian Bullseye resolves dependencies automatically, so a single install command is usually sufficient. Any configuration prompts from debconf can usually be answered with the defaults for a first install — you will customise the configuration in subsequent steps. If you are running this inside an LXC container or Docker image, note that some systemd features (like cgroup management) may require additional capabilities; run systemd-detect-virt to confirm your environment.

sudo apt install -y unbound

Step 3: Apply the Initial Configuration

Edit the configuration file for your environment. On Debian, package maintainers install sane defaults in /etc/default/ and the main config in /etc/servicename/. Keep a backup copy before making changes so rolling back is trivial. On Debian 11 Bullseye this step benefits from the APT pinning system: if you need a specific package version, add an /etc/apt/preferences.d/ snippet to pin it before upgrading the rest of the system.

sudo cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.bak
sudo nano /etc/unbound/unbound.conf

Step 4: Enable and Start the unbound Service

Use systemd to start the service immediately and enable it so it relaunches automatically after a reboot. Check the status output for any errors or deprecation warnings before moving on. Take note of any conffile prompts that apt shows during the install — these indicate that the package maintainer has a newer version of the config and you will need to manually merge your changes later.

sudo systemctl enable --now unbound
sudo systemctl status unbound --no-pager

Step 5: Open the Required Firewall Port

Debian 11 ships with ufw available and nftables as the kernel packet filter. Open only the port required by this service. If you are using a cloud provider, update the security group rules too. On Debian 11 Bullseye this step benefits from the APT pinning system: if you need a specific package version, add an /etc/apt/preferences.d/ snippet to pin it before upgrading the rest of the system.

sudo ufw allow 53/tcp
sudo ufw reload
sudo ufw status

Step 6: AppArmor Profile Check

AppArmor is the MAC system on Debian 11 Bullseye. Many packages ship with a bundled AppArmor profile in /etc/apparmor.d/. Verify the profile is loaded in enforce mode and, if your service writes to non-standard paths, update the profile accordingly. Take note of any conffile prompts that apt shows during the install — these indicate that the package maintainer has a newer version of the config and you will need to manually merge your changes later.

sudo aa-status | grep unbound
# if profile is in complain mode:
sudo aa-enforce /etc/apparmor.d/*

Step 7: Monitor Logs

Debian 11 services log to the systemd journal. Use journalctl to tail logs in real time and investigate startup errors. Take note of any conffile prompts that apt shows during the install — these indicate that the package maintainer has a newer version of the config and you will need to manually merge your changes later.

sudo journalctl -u unbound -e --no-pager
sudo journalctl -u unbound -f

Additional Configuration Options

Once the basic deployment is stable on Debian 11 Bullseye, there are several optional settings worth reviewing. First, if the service produces structured log output (JSON, syslog-style key=value), configure a Fluentd or Promtail input to ship it to your central log store — this takes roughly ten minutes and pays off immediately during incident investigations. Second, review the service’s TLS settings if it exposes an HTTPS endpoint: enforce TLS 1.3 with a modern cipher suite, disable SSLv3, TLSv1, and TLSv1.1, and use a certificate issued by Let’s Encrypt or your internal CA so the connection is trusted by all clients without manual certificate distribution. Third, if the service manages persistent data (databases, message queues, file stores), configure a retention policy and a backup job on day one — restoring from a backup you have never tested is an unpleasant surprise during a production outage.

sudo nano /etc/servicename/conf.d/tls.conf
# Example: enable TLS 1.3 only and specify cert paths
# tls_min_version = TLS13
# cert_file = /etc/ssl/certs/servicename.pem
# key_file  = /etc/ssl/private/servicename.key

Troubleshooting Common Issues

If the service fails to start, check the journal immediately: journalctl -u servicename -b. A common root cause on Debian is a missing or mis-labelled AppArmor profile — switch to complain mode temporarily with aa-complain /etc/apparmor.d/servicename to confirm. Another frequent issue is a conflicting port already bound by a different service: use ss -tulpn | grep :PORT to identify it. For package dependency errors, run sudo apt install -f to let dpkg attempt an automatic repair. When in doubt, run dpkg-reconfigure packagename to reset the package to its post-install defaults.

sudo journalctl -b --priority=err
sudo ss -tulpn
sudo dpkg -l | grep -i servicename

Best Practices and Hardening

For any production deployment on Debian 11 Bullseye: enable unattended-upgrades for the security suite (sudo dpkg-reconfigure unattended-upgrades); restrict SSH to key-based authentication only; enforce the AppArmor profile for every third-party service you install; rotate credentials regularly; centralise log shipping with Fluentd or Fluent Bit so that a compromised host cannot delete its own audit trail. Run a Lynis audit periodically (sudo lynis audit system) to catch configuration drift against the CIS Debian benchmark.

sudo dpkg-reconfigure unattended-upgrades
sudo lynis audit system --quick
sudo aa-status

Verification

Run this quick checklist after every deployment on Debian 11 Bullseye: confirm the systemd unit is active and enabled, check that no high-severity journal entries were logged at startup, verify the listening socket is bound to the expected interface and port, and make an end-to-end client request. A green result on all four checks means the deployment is ready for production traffic.

sudo systemctl is-enabled servicename && sudo systemctl is-active servicename
sudo journalctl -b -p warning --no-pager | tail -20
sudo ss -tulpn
curl -sv http://localhost:PORT/ 2>&1 | head -20

Conclusion

By following this guide you now have a working set up unbound dns resolver on debian 11 setup on Debian 11 Bullseye that boots automatically via systemd, logs to the journal, and is reachable only through the ports you explicitly allowed. Back up the relevant configuration directories to a remote host with restic or rsync, and document the procedure in your runbook so any team member can reproduce it.

As a next step, consider encoding this setup as an Ansible role with idempotent tasks so it can be applied to an entire Debian fleet without manual intervention. Add Prometheus exporters for the service so your Grafana dashboards reflect its health, and include the relevant directories in your restic or borgbackup job so data is protected from the first moment the service is in production.