UNWIND(8) System Manager's Manual UNWIND(8)

unwind - validating DNS resolver

unwind [-dnv] [-f file] [-s socket]

unwind is a validating DNS resolver. It is intended to run on client machines like workstations or laptops and only listens on localhost.

unwind sends DNS queries to nameservers to answer queries. If it detects that DNS queries are blocked by the local network, it can switch to resolvers learned through autoconfiguration. It periodically probes if DNS is no longer blocked and switches back to querying nameservers itself. A list of sources for proposals learned through autoconfiguration is documented in resolvd(8).

unwind keeps the DNS answers in a cache shared by the different DNS name server types. unwind manages the cache size by deleting the oldest entries when needed. The cache is non-configurable and is lost upon process restart.

To have unwind enabled at boot time, use “rcctl enable unwind”, which sets


in rc.conf.local(8).

A running unwind can be controlled with the unwindctl(8) utility.

The options are as follows:

-d  Do not daemonize. If this option is specified, unwind will run in the foreground and log to stderr.
-f file  Specify an alternative configuration file.
-n  Configtest mode. Only check the configuration file for validity.
-s socket  Use an alternate location for the default control socket.
-v  Produce more verbose output. Multiple -v options increase the verbosity. Debug output from libunbound is only available when logging to stderr.

Default unwind configuration file.
Trust anchor for DNSSEC validation.
UNIX-domain socket used for communication with unwindctl(8).

unwind.conf(5), unbound(8), unwindctl(8)

P. Mockapetris, DOMAIN NAMES - CONCEPTS AND FACILITIES, RFC 1034, November 1987.


The unwind program first appeared in OpenBSD 6.5.

The unwind program was written by Florian Obser <>.

February 21, 2023 OpenBSD-current