Family‑Centric DNS Schedules with Unbound (IPv4/IPv6) — Profiles, Times & WireGuard Identity
Scroll note: “Guard the gates with wisdom; give rest its hour, and joy returns to every room.”
Homes flourish when access is right‑sized by person and by time.
Introduction
Every home longs for peace at the table, laughter in the rooms, and screens that serve the family—not rule it. Some households already enjoy that rhythm; in others, the internet never sleeps and young hands steer the evening. This guide offers a gentle course correction: clear boundaries set with care, technology that quietly supports them, and rest returned to parents and children alike.
The approach is simple and unobtrusive. A small Linux box sits beside the modem or ONT. After first setup, no keyboard, mouse, or monitor are needed—administration happens over SSH. From there, time-based DNS schedules shape what can be reached and when, tied to who is asking. Adults keep the access needed for work and life. Young children receive a small, safe window. Juniors and teens gain broader access by day and quiet hours by night. Guests are welcomed. A child-minder can be granted the right keys during date-night hours, then everything returns to normal. Quiet, predictable, and fair.
This pattern respects both freedom and trust. It does not pry into private content; it simply decides which names resolve, at what times, and for which profiles. It works for IPv4 and IPv6, integrates naturally with WireGuard (per-device /128 or per-household routed /64), and extends cleanly to DNS64/NAT64 where needed. The pieces are modest, the outcome is strong: a house of faith and love that also honors discipline and rest.
If screens have started to set the pace of the home, there is another way.
Purpose
Extend the Unbound scheduling pattern to real household roles:
- Adults, Guests, Child‑minder, Teens (13–17), Juniors (9–13), Young Children (3–9).
- Works for IPv6 and IPv4. Identity comes from source IP/prefix: WireGuard peer
/128or routed/64, static DHCP (v4/v6), or VLAN subnets.
Requirements: Linux router (Alpine/Arch examples), Unbound, wireguard‑tools; optional Jool/Tayga for NAT64. Editor: vim.
Identity: how “who is who” is determined
DNS sees source addresses, not MACs or usernames. Map people → stable addresses, then key Unbound views on those addresses.
Good, durable mappings
- WireGuard peers
- Per device: tunnel
/128(e.g.,2001:db8:1234:babe::23/128). - Per household behind a peer: routed
/64(e.g.,2001:db8:1234:cafe::/64).
- Per device: tunnel
- LAN devices
- IPv4: DHCP reservation (MAC → fixed
10.10.10.x). - IPv6: DHCPv6 reservation (by DUID) or per‑VLAN prefix.
- Group devices with VLANs, then assign each VLAN’s subnet to a view.
- IPv4: DHCP reservation (MAC → fixed
MAC/username aren’t visible to Unbound. Convert identity → IP or prefix via WG, DHCP/DHCPv6, or VLANs/802.1X. Then Unbound views do the rest.
Unbound base (IPv6 + IPv4)
Install and enable control:
apk add unbound # Arch: pacman -S unbound
unbound-control-setup
/etc/unbound/unbound.conf (core server + views):
server:
interface: 0.0.0.0
interface: ::0
do-ip4: yes
do-ip6: yes
prefer-ip6: yes
module-config: "validator iterator"
verbosity: 1
# Map source networks to views (examples; add your own)
# Adults: individual tunnel /128 and home LAN admin PC
access-control-view: 2001:db8:1234:beef::23/128 adults
access-control-view: 10.10.10.10/32 adults
# Teens: routed /64 behind a peer, and a teen’s LAN IP
access-control-view: 2001:db8:1234:cafe::/64 teens
access-control-view: 10.10.10.50/32 teens
# Juniors (9–13)
access-control-view: 2001:db8:1234:feed::/64 juniors
access-control-view: 10.10.10.60/32 juniors
# Young children (3–9)
access-control-view: 2001:db8:1234:babe::/64 kids
access-control-view: 10.10.10.70/32 kids
# Guests (Wi‑Fi VLAN/subnet)
access-control-view: 2001:db8:1234:ge50::/64 guests
access-control-view: 10.10.40.0/24 guests
# Child‑minder profile (temporary elevated access on schedule)
access-control-view: 2001:db8:1234:ca5e::/64 carer
access-control-view: 10.10.30.0/24 carer
view:
name: "adults"
include: "/etc/unbound/policy/common.conf"
include: "/etc/unbound/policy/adults.conf"
view:
name: "teens"
include: "/etc/unbound/policy/common.conf"
include: "/etc/unbound/policy/teens_active.conf"
# symlink flips day/night
view:
name: "juniors"
include: "/etc/unbound/policy/common.conf"
include: "/etc/unbound/policy/juniors_active.conf"
view:
name: "kids"
include: "/etc/unbound/policy/common.conf"
include: "/etc/unbound/policy/kids_active.conf"
view:
name: "guests"
include: "/etc/unbound/policy/common.conf"
include: "/etc/unbound/policy/guests.conf"
view:
name: "carer"
include: "/etc/unbound/policy/common.conf"
include: "/etc/unbound/policy/carer_active.conf"
If DNS64 is used, keep it in the server: block so all views inherit it; NAT64 (Jool/Tayga) needs only a matching prefix.
Policy files by role
Create the folder:
install -d -m 0755 /etc/unbound/policy
common.conf (shared everywhere)
# Internal names, split‑horizon, etc.
local-zone: "home.breath." static
local-data: "vault.home.breath. IN A 10.10.10.2"
local-data: "vault.home.breath. IN AAAA 2001:db8:1234:0000::10"
Adults — /etc/unbound/policy/adults.conf
# Typically no blocks; optionally protect obvious malware zones
# local-zone: "malware.example." always_nxdomain
Teens (13–17) — day/night sets
# /etc/unbound/policy/teens_day.conf
local-zone: "adult.example." always_nxdomain
local-zone: "gambling.example." always_nxdomain
# /etc/unbound/policy/teens_night.conf
include: "/etc/unbound/policy/teens_day.conf"
local-zone: "tiktok.com." always_nxdomain
local-zone: "facebook.com." always_nxdomain
local-zone: "youtube.com." always_nxdomain
Symlink:
ln -sf /etc/unbound/policy/teens_day.conf /etc/unbound/policy/teens_active.conf
Juniors (9–13) — earlier quiet hours, tighter list
# /etc/unbound/policy/juniors_day.conf
local-zone: "adult.example." always_nxdomain
local-zone: "gambling.example." always_nxdomain
local-zone: "social.example." always_nxdomain # optional catch‑all via RPZ if used
# /etc/unbound/policy/juniors_night.conf
include: "/etc/unbound/policy/juniors_day.conf"
local-zone: "youtube.com." always_nxdomain
local-zone: "tiktok.com." always_nxdomain
local-zone: "roblox.com." always_nxdomain
Symlink:
ln -sf /etc/unbound/policy/juniors_day.conf /etc/unbound/policy/juniors_active.conf
Young Children (3–9) — whitelist first approach (recommended)
# /etc/unbound/policy/kids_day.conf
# Default deny; allow only named sites/apps (examples)
local-zone: "." refuse
local-zone: "allowed.kids." nodefault
local-data: "bbc.kids.allowed.kids. IN A 10.10.10.100"
local-data: "bbc.kids.allowed.kids. IN AAAA 2001:db8:1234:0000::100"
# Add explicit public domains allowed:
# local-zone: "cbeebies.co.uk." transparent
# /etc/unbound/policy/kids_night.conf
include: "/etc/unbound/policy/kids_day.conf" # often identical; or even stricter
Symlink:
ln -sf /etc/unbound/policy/kids_day.conf /etc/unbound/policy/kids_active.conf
Guests — /etc/unbound/policy/guests.conf
# Light safety; no internal zones leaked
local-zone: "home.akadata." refuse
# Optionally block heavy streaming/workload domains to preserve bandwidth
# local-zone: "speedtest.net." always_nxdomain
Child‑minder — day/evening toggle (grants adult‑like access only during care hours)
# /etc/unbound/policy/carer_day.conf
# conservative defaults; similar to guests
include: "/etc/unbound/policy/guests.conf"
# /etc/unbound/policy/carer_evening.conf
# temporarily inherit adults (date‑night window)
include: "/etc/unbound/policy/adults.conf"
Symlink:
ln -sf /etc/unbound/policy/carer_day.conf /etc/unbound/policy/carer_active.conf
Scheduling (Europe/London) — weekdays vs weekends
Use cron to flip multiple groups at different hours; weekends can be looser.
crontab -e
Weekdays (Mon–Fri):
CRON_TZ=Europe/London
# Kids (3–9): night 18:30, day 07:30
30 18 * * 1-5 ln -sf /etc/unbound/policy/kids_night.conf /etc/unbound/policy/kids_active.conf && unbound-control reload
30 07 * * 1-5 ln -sf /etc/unbound/policy/kids_day.conf /etc/unbound/policy/kids_active.conf && unbound-control reload
# Juniors (9–13): night 20:30, day 07:00
30 20 * * 1-5 ln -sf /etc/unbound/policy/juniors_night.conf /etc/unbound/policy/juniors_active.conf && unbound-control reload
0 7 * * 1-5 ln -sf /etc/unbound/policy/juniors_day.conf /etc/unbound/policy/juniors_active.conf && unbound-control reload
# Teens (13–17): night 21:30, day 07:00
30 21 * * 1-5 ln -sf /etc/unbound/policy/teens_night.conf /etc/unbound/policy/teens_active.conf && unbound-control reload
0 7 * * 1-5 ln -sf /etc/unbound/policy/teens_day.conf /etc/unbound/policy/teens_active.conf && unbound-control reload
# Carer: elevate 18:00–23:00 when parents are out
0 18 * * 1-5 ln -sf /etc/unbound/policy/carer_evening.conf /etc/unbound/policy/carer_active.conf && unbound-control reload
0 23 * * 1-5 ln -sf /etc/unbound/policy/carer_day.conf /etc/unbound/policy/carer_active.conf && unbound-control reload
Weekends (Sat–Sun):
# Slightly later
0 20 * * 6-7 ln -sf /etc/unbound/policy/juniors_night.conf /etc/unbound/policy/juniors_active.conf && unbound-control reload
0 21 * * 6-7 ln -sf /etc/unbound/policy/teens_night.conf /etc/unbound/policy/teens_active.conf && unbound-control reload
Adjust times for household rhythms. “A couple’s date night” belongs on the calendar—healthy marriages strengthen the home.
Prevent DNS bypass (IPv4 + IPv6)
Lock DNS to your resolver(s) only.
table inet filter {
set dns_ok4 { type ipv4_addr; elements = { 10.10.10.1 } }
set dns_ok6 { type ipv6_addr; elements = { 2001:db8:1234:babe::1 } }
chain forward {
type filter hook forward priority 0;
udp dport 53 ip daddr != @dns_ok4 drop
tcp dport 53 ip daddr != @dns_ok4 drop
udp dport 53 ip6 daddr != @dns_ok6 drop
tcp dport 53 ip6 daddr != @dns_ok6 drop
}
}
Optional: block common DoH endpoints, and/or enforce resolver settings via device management.
What “DoH” means
Some apps send DNS inside HTTPS (DNS over HTTPS) or over TLS on port 853 (DNS over TLS). Keep DNS on your own resolver by allowing port 53 only to your DNS, blocking port 853, and optionally blocking well-known public DNS services (e.g., Cloudflare, Google, Quad9).
A sister idea: “DoT”
Some apps send DNS lookups over TLS on port 853. That’s DNS over TLS. It’s not HTTPS, but it’s still encrypted and can bypass basic DNS rules if port 853 is open.
Why this matters at home
Your family policies live at the DNS server you control. If a device uses DNS-over-HTTPS or DNS-over-TLS to talk to someone else’s DNS on the internet, it can sidestep those policies.
How to keep things simple and under your roof
- Keep DNS to your box only (already in the guide): allow DNS (port 53) only to your resolver’s IPs (IPv4 and IPv6).
- Stop DNS-over-TLS: block outbound port 853.
- Trim the big public resolvers (optional belt-and-braces): block access to well-known DNS services often used by apps for encrypted DNS, for example:
- Cloudflare:
1.1.1.1,1.0.0.1,2606:4700:4700::1111, hostnames likecloudflare-dns.com - Google:
8.8.8.8,8.8.4.4,2001:4860:4860::8888, hostnamedns.google - Quad9:
9.9.9.9,149.112.112.112,2620:fe::fe, hostnamedns.quad9.net
(Add or remove to suit your home.)
- Cloudflare:
- Set devices to use your DNS: where possible, turn off “Secure DNS”/“Encrypted DNS” in browsers and phones, or push a managed profile that locks DNS to your resolver.
- Firefox tip (optional): returning NXDOMAIN for
use-application-dns.netsignals a “managed network” and Firefox will disable its encrypted DNS automatically.
Jool/Tayga (NAT64) interaction
No changes: when a domain is NXDOMAIN in a view, DNS64 will not synthesize AAAA, so NAT64 traffic never starts. Ensure Unbound’s dns64-prefix matches the NAT64 pool.
Testing and audit
# Which view is used? (query from a mapped address)
dig @2001:db8:1234:babe::1 example.com AAAA +short
# Flip one group to night and reload
ln -sf /etc/unbound/policy/juniors_night.conf /etc/unbound/policy/juniors_active.conf && unbound-control reload
# A site expected to be blocked now
dig @2001:db8:1234:babe::1 youtube.com A +nodnssec +nocomments
# Stats (optional)
unbound-control stats_noreset | grep -E 'num.queries|num.reply.*'
Closing thought
Children need guardrails, parents need rest, guests need welcome, and carers need the right keys at the right hour. With clear identity and scheduled policy, the network serves the home—quietly, faithfully, and well.
Your Call to Action
A house full of love thrives when good boundaries bring rest. If this feels like a lot to tackle alone, support is available.
Breath Technology can provide setup, configuration, and ongoing management for this design:
- Remote setup over SSH, or turn-key hardware supplied with Linux preinstalled.
- Delivery to your door ready to plug in, or remote access granted for on-site equipment.
- Clear, one-off setup fee for homes—simple installations often fit into half a day’s service; more complex needs may take longer.
- No lock-in or extortionate costs—transparent scope and pricing. The same approach scales to small businesses without the thousands of pound price tags others may demand.
- Think of it as the cost as little as a couple of date nights or a family meal out—an investment that returns peace to evenings and sleep to younger ones.
Freedom to browse, without the freedom to abuse trust. The gates are set, the hours are fair, and the home keeps its peace.