How does rDNS compare to Unbound?

rDNS measures 1.3-1.5x faster than Unbound 1.19 on cached query throughput in identical hardware tests. Both are recursive resolvers with DNSSEC and DoT; rDNS adds an authoritative mode, a PostgreSQL backend, and is memory-safe by construction (Rust).

Can rDNS replace BIND?

For most authoritative and recursive workloads, yes. rDNS supports RFC 1035 zone files, DNSSEC, DoT, and RPZ. BIND has more decades of features (e.g. complex view ACLs, full RFC catalog); rDNS targets the common 95% in a far smaller, safer codebase.

Is rDNS a Pi-hole alternative?

Yes for the DNS layer. rDNS handles upstream encryption (DoT), DNSSEC validation, caching, and RPZ-based blocking with standards-compliant blocklists. It does not ship a web admin UI.

Is rDNS production ready?

rDNS is at v1.17.5 and includes privilege dropping, sandboxing, rate limiting, Prometheus metrics, and serve-stale (RFC 8767) for graceful degradation. The project is open source under MIT and welcomes evaluation feedback.

rDNS vs Unbound, BIND, PowerDNS, CoreDNS, Pi-hole

Feature	rDNS	Unbound	BIND	PowerDNS	CoreDNS	Pi-hole
Language	Rust	C	C	C++	Go	PHP / dnsmasq
Memory-safe by construction	✓	—	—	—	✓	partial
Recursive resolver	✓	✓	✓	yes (Recursor)	✓	via dnsmasq
Authoritative server	✓	—	✓	✓	✓	—
DNS-over-TLS	✓	✓	✓	✓	✓	—
DNSSEC validation	✓	✓	✓	✓	✓	—
RPZ filtering	✓	✓	✓	via Lua	via plugin	lists only
PostgreSQL backend	✓	—	—	✓	via plugin	—
Prometheus metrics	✓	—	via patch	✓	✓	via exporter
Capsicum sandbox (FreeBSD)	✓	partial	—	—	—	—
Single binary	✓	—	—	—	✓	—
License	MIT	BSD	MPL-2.0	GPLv2	Apache 2.0	EUPL

vs Unbound

Unbound is the gold standard for recursive resolution. It's mature, fast, and battle-tested. rDNS measures 1.3-1.5× faster on cached query throughput in identical hardware tests, and adds an authoritative mode that Unbound doesn't have.

Choose Unbound if you want the most-deployed recursive resolver on the internet and your team already operates it.

Choose rDNS if you want higher performance per core, a memory-safe codebase, and the option to serve authoritative zones too.

vs BIND

BIND is the universal DNS server — it does everything. It also has decades of CVEs and a code surface to match.

Choose BIND if you need a niche feature (split-horizon ACLs, dynamic updates, specific RFC corner) that rDNS hasn't implemented.

Choose rDNS if you want 90% of BIND's real-world functionality in a far smaller, memory-safe binary.

vs PowerDNS

PowerDNS is a strong authoritative server with database backends and a separate Recursor product. rDNS unifies recursive and authoritative in one binary and is memory-safe.

Choose PowerDNS if you're invested in their Lua scripting model or specific database backends rDNS doesn't yet support.

Choose rDNS if you want one binary, one config file, and Rust safety guarantees.

vs CoreDNS

CoreDNS is Go and plugin-driven, popular in Kubernetes. It's not designed as a high-throughput recursive resolver for general internet workloads — its strength is the plugin model.

Choose CoreDNS for cluster DNS / service discovery.

Choose rDNS for performance-critical recursive or authoritative serving at the network edge.

vs Pi-hole

Pi-hole is a DNS-based ad blocker. Under the hood it uses dnsmasq or Unbound; the UI is the product. rDNS implements RPZ-based blocking and DoT but doesn't ship a web admin interface.

Choose Pi-hole if you want a turnkey home-network blocker with a friendly dashboard.

Choose rDNS if you want a real DNS server doing blocking via standards-compliant RPZ files, scriptable from your config-management tool.

Get rDNS running in 60 seconds.

Single static binary. TOML config. MIT licensed. Linux, FreeBSD, and macOS.

Install → View on GitHub