I've built a secure and trustworthy NLnetLabs Unbound Docker image, as most images didn't meet my standards for a zero trust policy. It supports DNSSEC, is sealed with chroot, runs as a non-root user and exposes only unprivileged ports. It is intended to provide a hyperlocal setup holding a local copy of the DNS root zone using zone transfers, but it will also run perfectly with your own unbound.conf if you'd rather use an upstream server which provides DoT or DoH features. So if your ISP's DNS servers are having issues, you won't be affected at all. This setup is also a plus for circumventing censorship that uses blocked DNS entries and adds a little more privacy, but your ISP will still be able to see what you did there anyway.
The image is built entirely online using GitHub Actions workflows and not locally on my systems at home. All downloads, even the downloads of the root files, are verified with PGP keys and the respective PGP armored signature files where available to provide maximum trust.
It's quite a tiny Alpine Linux multiarch image, and the architectures are on par with the architectures Pi-hole uses. In fact, it is a perfect complement for Pi-hole as an upstream server if you are already running Pi-hole for ad blocking and tracking prevention. As I wrote on my GitHub page, it was created with Pi-hole in mind. And with lots of love.
I hope you enjoy the image and forgive my shameless promotion ^^ of my open source project. :)
Just come and visit my GitHub repository https://github.com/madnuttah/unbound-docker if you'd like to learn more about this project. If you'd like to contribute, you're very welcome.
Cheers and wishing all the best, madnuttah