This gist is how I personally deploy an arm64 version of unbound (for running on Raspberry Pi) configured as a recursive DNS resolver.
The use case is running it as the upstream resolver for PiHole (also running in K8S), which removes the need for a 3rd-party resolver (e.g. Cloudflare, Quad9) and with it one more place where DNS spoofing / poisoning could occur.
The Service is exposed with a ClusterIP of 10.43.0.53, listening on both TCP and UDP port 53.
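As an added example (not the gist's own manifests), this is how that exposure can be expressed in Kubernetes: an unbound config that recurses from the root with DNSSEC validation and only answers clients in 10.0.0.0/8 (adjust to your pod and LAN ranges), pinned to arm64 nodes and fronted by a Service with the fixed ClusterIP; the image name and namespace are placeholders.

```yaml
# Added example (not the gist's own manifests); image and namespace are placeholders.
apiVersion: v1
kind: ConfigMap
metadata: {name: unbound-conf, namespace: dns}
data:
  unbound.conf: |
    server:
      interface: 0.0.0.0
      port: 53
      # answer only the cluster/LAN ranges; everything else stays at the default "refuse"
      access-control: 10.0.0.0/8 allow
      access-control: 127.0.0.0/8 allow
      # recurse from the root hints built into unbound and validate with DNSSEC
      auto-trust-anchor-file: "/var/lib/unbound/root.key"  # image must seed this file
      harden-dnssec-stripped: yes
      harden-glue: yes
      qname-minimisation: yes
      hide-identity: yes
      hide-version: yes
---
apiVersion: apps/v1
kind: Deployment
metadata: {name: unbound, namespace: dns}
spec:
  selector: {matchLabels: {app: unbound}}
  template:
    metadata: {labels: {app: unbound}}
    spec:
      nodeSelector: {kubernetes.io/arch: arm64}   # schedule on the Raspberry Pi nodes
      containers:
      - name: unbound
        image: REPLACE_WITH_ARM64_UNBOUND_IMAGE   # placeholder
        ports:
        - {containerPort: 53, protocol: UDP}
        - {containerPort: 53, protocol: TCP}
        volumeMounts:
        - {name: conf, mountPath: /etc/unbound/unbound.conf, subPath: unbound.conf}
      volumes:
      - name: conf
        configMap: {name: unbound-conf}
---
apiVersion: v1
kind: Service
metadata: {name: unbound, namespace: dns}
spec:
  clusterIP: 10.43.0.53
  selector: {app: unbound}
  ports:
  - {name: dns-udp, port: 53, protocol: UDP}
  - {name: dns-tcp, port: 53, protocol: TCP}
```

With this applied, PiHole's custom upstream is simply 10.43.0.53, and a DNSSEC-signed query against it should come back with the AD flag set if validation is working.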
TODO / Considerations:
- This still does not hide your DNS traffic from your ISP, since root and authoritative nameservers do not use DoH/DoT and the recursive queries leave the LAN in cleartext. Ultimately, this should run somewhere in the cloud (for example AWS EC2/ECS) and be configured in DoH/DoT mode. This is also a fantastic opportunity to use ZeroTier to tie it all together with your local LAN without exposing your cloud resources to the public, while increasing security (ZT traffic is encrypted).