Below is a small tutorial on how you can create your own recursive DNS server using Unbound , adding custom records to block ads (plus fakenews, porn and/or social websites), on Apple macOS. Also, you can use DNS over TLS if needed/wanted.

Installation

Unbound is already in Homebrew so installing it is just a matter of running:

$ brew install unbound

Configuration

Find a free unique id for the unbound user in the 1-500 range (reserved for system accounts). For example, 444.

$ dscl . -list /Groups PrimaryGroupID | grep 444
$ dscl . -list /Users PrimaryGroupID | grep 444

If you have no output for those two commands, you can proceed to actually create the user and group.

$ sudo dscl . -create /Groups/_unbound
$ sudo dscl . -create /Groups/_unbound PrimaryGroupID 444
$ sudo dscl . -create /Users/_unbound
$ sudo dscl . -create /Users/_unbound RecordName _unbound unbound
$ sudo dscl . -create /Users/_unbound RealName "Unbound DNS server"
$ sudo dscl . -create /Users/_unbound UniqueID 444
$ sudo dscl . -create /Users/_unbound PrimaryGroupID 444
$ sudo dscl . -create /Users/_unbound UserShell /usr/bin/false
$ sudo dscl . -create /Users/_unbound Password '*'
$ sudo dscl . -create /Groups/_unbound GroupMembership _unbound

Fetch the root key required for DNSSEC validation:

$ sudo unbound-anchor -a /usr/local/etc/unbound/root.key

Create the certificates needed:

$ sudo unbound-control-setup -d /usr/local/etc/unbound

Here is a single-line command that will download the StevenBlack hosts list (fakenews + gambling + porn + social, so keep that in mind), convert it for unbound and save it in /usr/local/etc/unbound/zone-block-general.conf. Unbound will respond with NXDOMAIN to all the domains in this list.

$ (curl --silent https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-gambling-porn-social/hosts | grep '^0\.0\.0\.0' | sort) | awk '{print "local-zone: \""$2"\" refuse"}' > /usr/local/etc/unbound/zone-block-general.conf

Let’s configure unbound as an authoritative, validating, recursive caching DNS server . The lines below go to your /usr/local/etc/unbound/unbound.conf:

server:
	# log verbosity
	verbosity: 1
	interface: 127.0.0.1
	access-control: 127.0.0.1/8 allow
	chroot: ""
	username: "_unbound"
	auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
	# answer DNS queries on this port
	port: 53
	# enable IPV4
	do-ip4: yes
	# disable IPV6
	do-ip6: no
	# enable UDP
	do-udp: yes
	# enable TCP, you could disable this if not needed, UDP is quicker
	do-tcp: yes
	# which client IPs are allowed to make (recursive) queries to this server
	access-control: 10.0.0.0/8 allow
	access-control: 127.0.0.0/8 allow
	access-control: 192.168.0.0/16 allow
	root-hints: "/usr/local/etc/unbound/root.hints"
	# do not answer id.server and hostname.bind queries
	hide-identity: yes
	# do not answer version.server and version.bind queries
	hide-version: yes
	# will trust glue only if it is within the servers authority
	harden-glue: yes
	# require DNSSEC data for trust-anchored zones, if such data
	# is absent, the zone becomes  bogus
	harden-dnssec-stripped: yes
	# use 0x20-encoded random bits in the query to foil spoof attempts
	use-caps-for-id: yes
	# the time to live (TTL) value lower bound, in seconds
	cache-min-ttl: 3600
	# the time to live (TTL) value cap for RRsets and messages in the cache
	cache-max-ttl: 86400
	# perform prefetching of close to expired message cache entries
    prefetch: yes
    num-threads: 4
    msg-cache-slabs: 8
    rrset-cache-slabs: 8
    infra-cache-slabs: 8
    key-cache-slabs: 8
    rrset-cache-size: 256m
    msg-cache-size: 128m
    so-rcvbuf: 1m
    private-address: 192.168.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-domain: "home.lan"
    unwanted-reply-threshold: 10000
    val-clean-additional: yes
    # additional blocklist (Steven Black hosts file, read above)
    include: /usr/local/etc/unbound/zone-block-general.conf
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    server-key-file: "/usr/local/etc/unbound/unbound_server.key"
    server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"
    control-key-file: "/usr/local/etc/unbound/unbound_control.key"
    control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"

If you want to use DNS over TLS, you can forward requests to a TLS-capable recursive server, for example Cloudflare (1.1.1.1) or Quad9 (9.9.9.9). Add the lines below to your /usr/local/etc/unbound.conf:

forward-zone:
    name:"."
    # use Quad9
    forward-addr:9.9.9.9@853
    # or Cloudflare
    # forward-addr:1.1.1.1@853
    forward-ssl-upstream:yes

The unbound process needs read and write permissions for the configuration directory, use staff as group so the user can use unbound-control:

$ sudo chown -R _unbound:staff /usr/local/etc/unbound
$ sudo chmod 640 /usr/local/etc/unbound/*

If you want to start unbound at boot, you need to create the /Library/LaunchDaemons/net.unbound.plist file and place those lines in it:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>Label</key>
        <string>net.unbound</string>
        <key>ProgramArguments</key>
        <array>
            <string>/usr/local/sbin/unbound</string>
            <string>-d</string>
            <string>-c</string>
            <string>/usr/local/etc/unbound/unbound.conf</string>
        </array>
        <key>KeepAlive</key>
        <true/>
        <key>RunAtLoad</key>
        <true/>
    </dict>
</plist>

Start the Unbound daemon:

$ sudo launchctl load /Library/LaunchDaemons/net.unbound.plist

Stop (when needed) the Unbound daemon:

$ sudo launchctl unload /Library/LaunchDaemons/net.unbound.plist

Set your local DNS server as default for the Wi-Fi connection:

$ networksetup -setdnsservers Wi-Fi 127.0.0.1

Check if DNS was set and everything is ok:

$ networksetup -getdnsservers Wi-Fi
127.0.0.1

Testing DNSSEC for your new DNS resolver is easy, using dig:

$ dig org. SOA +dnssec @127.0.0.1                                                         
; <<>> DiG 9.10.6 <<>> org. SOA +dnssec @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8381
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 1
...

The ad flag is short for Authenticated Data and means DNSSEC is working.