For interested Unbound users: with RFC7706(bis-00), also dubbed the hyperlocal concept (though its coiner prefers that it not yet be called that), it is possible to reduce the number of upstream DNS queries, thereby increasing privacy and decreasing query response times.
In essence, it is the transfer (AXFR/IXFR) of the Internet root zone (.) and its top-level domain (TLD) referrals to the router. Queries for the root domain and TLDs are thus resolved locally.
Since the settings cannot be parsed by UCI, it takes 2 steps to implement the necessary settings.

First add to “/etc/config/resolver”:

    config resolver 'unbound_includes'
        list include_path "/etc/unbound/unbound_ext.conf"

and then create the file “/etc/unbound/unbound_ext.conf” and insert:

    auth-zone:
        name: .
        for-downstream: no
        fallback-enabled: yes
        master: 198.41.0.4
        master: 199.9.14.201
        master: 192.33.4.12
        master: 199.7.91.13
        master: 192.203.230.10
        master: 192.5.5.241
        master: 192.112.36.4
        master: 198.97.190.53
        master: 192.36.148.17
        master: 192.58.128.30
        master: 193.0.14.129
        master: 199.7.83.42
        master: 202.12.27.33

Finally restart the resolver to apply the settings.
Word of caution: the aforementioned IPv4 addresses represent the world’s root domain servers and thus might change over time, though likely not very frequently. Changes should be monitored and the config updated accordingly.
Furthermore, as of this writing not all root servers permit the zone transfer, and the permission for the root zone transfer could be revoked entirely at any time.
Users with a preference for IPv6 can use the corresponding addresses or hostnames instead (which have to be resolved first), e.g. master: b.root-servers.net
Instead of the master directive, the url directive can be used, e.g. url: https://www.internic.net/domain/root.zone. This is probably the most convenient way, but it is not RFC7706, since the root zone is not transferred but downloaded, and thus the semantics are different.
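
One way to act on the caution above about root server addresses changing, as an added example that is not part of the original post: a POSIX shell check that compares the master: lines of the auth-zone file with the A records of a locally saved root hints file in the named.root layout. The function names and the sample files are assumptions made for illustration; the sample data is constructed and uses documentation-range addresses for the changed entries.

```shell
#!/bin/sh
# Added example: detect drift between the master: addresses of an Unbound
# auth-zone file and the IPv4 A records of a root hints file (named.root layout).

# stale_masters CONF HINTS: IPv4 masters in CONF that have no A record in HINTS.
# Hostname masters (e.g. b.root-servers.net) are skipped by the digits-and-dots test.
stale_masters() {
    awk 'NR == FNR { if ($1 !~ /^;/ && $3 == "A") ok[$4] = 1; next }
         $1 == "master:" && $2 ~ /^[0-9.]+$/ && !($2 in ok) { print $2 }' "$2" "$1"
}

# missing_masters CONF HINTS: A-record addresses in HINTS that CONF does not list.
missing_masters() {
    awk 'NR == FNR { if ($1 == "master:") have[$2] = 1; next }
         $1 !~ /^;/ && $3 == "A" && !($4 in have) { print $4 }' "$1" "$2"
}

# Constructed sample input: a shortened config and a hints excerpt in which
# one server has "moved" to a documentation-range address.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

cat > "$demo_dir/unbound_ext.conf" <<'EOF'
auth-zone:
    name: .
    for-downstream: no
    fallback-enabled: yes
    master: 198.41.0.4
    master: 199.9.14.201
    master: b.root-servers.net
EOF

cat > "$demo_dir/named.root" <<'EOF'
; constructed excerpt, not real hints data
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:db8::1
B.ROOT-SERVERS.NET.      3600000      A     192.0.2.53
EOF

echo "stale:   $(stale_masters "$demo_dir/unbound_ext.conf" "$demo_dir/named.root")"
echo "missing: $(missing_masters "$demo_dir/unbound_ext.conf" "$demo_dir/named.root")"
```

A non-empty "stale" or "missing" line means the master list in “/etc/unbound/unbound_ext.conf” should be reviewed before the next resolver restart.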