I’ve used dnsmasq for many years, more than a decade even, and I have no complaints. I think it works well as a lightweight DNS forwarding and caching server. But I have also been experimenting with unbound for a couple of years and recently decided to switch over my home network to use it. This is on an Ubuntu 12.04 server but it was pretty easy:

Remove dnsmasq:

apt-get remove --purge dnsmasq

Install unbound:

apt-get install unbound ldnsutils

Ensure DNSSEC is working (could use dig (dnsutils package) instead of drill):

drill com. SOA +dnssec | grep flags
drill sigfail.verteiltesysteme.net | grep SERVFAIL
drill sigok.verteiltesysteme.net | grep NOERROR

Here’s the config options I added to unbound.conf, other than settings specific to my network. I am testing with all harden options enabled to see if there’s any problems but YMMV:

harden-large-queries: yes
harden-short-bufsize: yes
harden-glue: yes
harden-dnssec-stripped: yes
harden-below-nxdomain: yes
harden-referral-path: yes
hide-identity: yes
hide-version: yes
prefetch: yes
prefetch-key: yes
root-hints: /etc/unbound/root.hints

To get the root hints I created a script in cron.monthly that looks like this:

#!/bin/sh

/usr/bin/curl -sS -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache

So no root hints will be updated every month. The only other thing I may consider at some point is running in chroot but for now this was pretty quick and easy. Also to look at the stats:

watch unbound-control stats_noreset