Setting up the .home.arpa domain with OpenBSD's unbound

Page started: 2026-03-12
Page published: 2026-03-14
Updated: 2026-03-22

Note: This page was originally about setting up *.local domains. But that was a mistake and at least one of my computers was not able to resolve them, see: systemd-resolved global DNS vs link DNS. The .local domain name is intended for multicast DNS (mDNS) and "zeroconf" networking.

OpenBSD comes with unbound(8) (openbsd.org), which is a caching DNS resolver. The purpose of unbound is to perform local caching and it wasn’t originally intended to serve as an authoritative DNS server for zones.

Having said that, you can tell unbound to resolve specific addresses, which is very handy with a small number of local computers you’d like to specify by DNS name resolution.

Note that as of version 1.7.0 (in the year 2018), unbound was given the ability to serve as a zone authority. Here’s the mailing list announcement (lists.nlnetlabs.nl). This article looks helpful for understanding how to set them up and I will probably try it out at some point. This looks like a good guide: Using Unbound as an Authoritative Nameserver (aricodes.net).

.home.arpa domains

The domain home.arpa is a "special-use" domain specifically set aside for residential home networks by IETF RFC 8375 (rfc-editor.org) in the year 2018. It may not be the most aesthetically pleasing domain, but it’s correct and it works!

To set up a hard-coded address with unbound, you can use the following directives:

  • local-zone specifies how the matched zone should be handled. static says that the answer will come from local-data. However, home.arpa. is already set up for you by default, so we will not be using this directive.

  • local-data serves up a single hard-coded DNS record in response to a query.

  • local-data-ptr sets up DNS PTR records for reverse address lookups (often used in email delivery and probably not needed here, but I don’t see any harm in setting them up.)

For way more details, there’s the massive man page for unbound’s configuration: unbound.conf(5) (openbsd.org).

Here’s the relevant portion of my /var/unbound/etc/unbound.conf file:

...
# treebeard: .home.arpa name resolution
# No need to set local-zone for the home.arpa. zone since it is a default
# zone:
# 	home.arpa.
# See man unbound.conf
local-data: "treebeard.home.arpa. IN A 10.0.0.1"
local-data-ptr: "10.0.0.1 treebeard.home.arpa"
local-data: "phobos2.home.arpa. IN A 10.0.0.144"
local-data-ptr: "10.0.0.144 phobos2.home.arpa"
...

This sets up two *.home.arpa domains:

  • treebeard.home.arpa (self!) which points to 10.0.0.1

  • phobos2.home.arpa which points to 10.0.0.144

Since my gateway computer tells connected computers to use it as the DNS resolver via DHCP (see My home network observes bedtime with OpenBSD and pf), this automatically works across my whole home network. Nice!
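
A consistency check for entries like the ones above, as an added example (not part of the original page and not an unbound tool). It assumes the simple local-data / local-data-ptr forms shown on this page, and flags names outside home.arpa, addresses that are not private, and A records whose PTR record is missing or mistyped. The SAMPLE text and the lint function name are made up for illustration.

```python
import ipaddress
import re

# Matches the two directives used on this page; commented-out lines do not match.
DIRECTIVE = re.compile(r'^\s*(local-data(?:-ptr)?):\s*"([^"]*)"')
# Constructed sample: the page's records plus a mistyped PTR and a .local name.
SAMPLE = '''
local-data: "treebeard.home.arpa. IN A 10.0.0.1"
local-data-ptr: "10.0.0.1 treebeard.home.arpa"
local-data: "phobos2.home.arpa. IN A 10.0.0.144"
local-data-ptr: "10.0.0.14 phobos2.home.arpa"
local-data: "nas.local. IN A 10.0.0.20"
'''

def lint(conf_text, zone="home.arpa"):
    """Return a list of problems in local-data / local-data-ptr lines."""
    a_recs, ptr_recs, problems = {}, {}, []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue
        # Lower-case every field and drop trailing root dots before comparing.
        fields = [f.lower().rstrip(".") for f in m.group(2).split()]
        try:
            if m.group(1) == "local-data":  # name [ttl] [class] type rdata
                if len(fields) < 3 or fields[-2] != "a":
                    continue  # only A records are checked
                name, addr = fields[0], ipaddress.ip_address(fields[-1])
                a_recs[name] = addr
            else:  # local-data-ptr: address [ttl] name
                addr, name = ipaddress.ip_address(fields[0]), fields[-1]
                ptr_recs[addr] = name
        except (ValueError, IndexError):
            problems.append(f"line {lineno}: cannot parse {line.strip()!r}")
            continue
        if name != zone and not name.endswith("." + zone):
            problems.append(f"line {lineno}: {name} is outside {zone}")
        if not addr.is_private:
            problems.append(f"line {lineno}: {addr} is not a private address")
    for name, addr in a_recs.items():
        if ptr_recs.get(addr) != name:
            problems.append(f"{name} -> {addr} has no matching local-data-ptr")
    for addr, name in ptr_recs.items():
        if a_recs.get(name) != addr:
            problems.append(f"{addr} -> {name} has no matching A record")
    return problems

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)) or "ok")
```

To check a real configuration, pass the contents of /var/unbound/etc/unbound.conf to lint() instead of SAMPLE; an empty list means every A record has a matching PTR and stays inside home.arpa.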