From Fedora Project Wiki

Manual configuration via Unbound


Local zones


Global zone


Using dnssec-trigger (for testing only)

dnssec-trigger configures /etc/resolv.conf to use a local unbound instance on and Unbound to use a secure global zone with nameservers submitted through dnssec-trigger-control or, if those aren't suitable, using public nameservers run by Fedora or the upstream project.

It also performs captive portal (hotspot) detection and temporarily changes /etc/resolv.conf to include the nameservers of the local network directly. That unfortunately breaks the local zones used with any network interfaces including those that have nothing to do with the captive portal connection.

NetworkManager integration



Show connection zones configuration in unbound:

$ unbound-control list_forwards

To check NetworkManager's view of the configuration, use:

$ nmcli connection show --active
$ nmcli connection show --active <id/uuid>