diff --git a/net/unbound/Makefile b/net/unbound/Makefile
index a7171e59d..5c7c10ca2 100644
--- a/net/unbound/Makefile
+++ b/net/unbound/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=unbound
 PKG_VERSION:=1.6.2
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE
diff --git a/net/unbound/files/dnsmasq.sh b/net/unbound/files/dnsmasq.sh
index 079208613..32e5f2355 100644
--- a/net/unbound/files/dnsmasq.sh
+++ b/net/unbound/files/dnsmasq.sh
@@ -37,8 +37,7 @@ dnsmasq_local_zone() {
 UNBOUND_D_WAN_FQDN=$wan_fqdn
 fi
-
- if [ -n "$fwd_domain" -a -n "$fwd_port" -a ! "$fwd_port" -eq 53 ] ; then
+ if [ -n "$fwd_domain" -a -n "$fwd_port" -a ! "${fwd_port:-53}" -eq 53 ] ; then
 # dnsmasq localhost listening ports (possible multiple instances)
 UNBOUND_N_FWD_PORTS="$UNBOUND_N_FWD_PORTS $fwd_port"
 UNBOUND_TXT_FWD_ZONE="$UNBOUND_TXT_FWD_ZONE $fwd_domain"
diff --git a/net/unbound/files/unbound.sh b/net/unbound/files/unbound.sh
index 197a06d97..7defd8db4 100644
--- a/net/unbound/files/unbound.sh
+++ b/net/unbound/files/unbound.sh
@@ -394,32 +394,11 @@ create_domain_insecure() {
 ##############################################################################
 unbound_mkdir() {
- local resolvsym=0
 local dhcp_origin=$( uci_get dhcp.@odhcpd[0].leasefile )
 local dhcp_dir=$( dirname $dhcp_origin )
 local filestuff
- if [ ! -x /usr/sbin/dnsmasq -o ! -x /etc/init.d/dnsmasq ] ; then
- resolvsym=1
- else
- /etc/init.d/dnsmasq enabled || resolvsym=1
- fi
-
-
- if [ "$resolvsym" -gt 0 ] ; then
- rm -f /tmp/resolv.conf
-
-
- {
- # Set resolver file to local but not if /etc/init.d/dnsmasq will do it.
- echo "nameserver 127.0.0.1"
- echo "nameserver ::1"
- echo "search $UNBOUND_TXT_DOMAIN"
- } > /tmp/resolv.conf
- fi
-
-
-
 if [ "$UNBOUND_D_DHCP_LINK" = "odhcpd" -a ! -d "$dhcp_dir" ] ; then
 # make sure odhcpd has a directory to write (not done itself, yet)
 mkdir -p "$dhcp_dir"
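Review bot: In `dnsmasq_local_zone` (net/unbound/files/dnsmasq.sh) the `${fwd_port:-53}` default only covers an empty value; a non-numeric `fwd_port` still reaches `-eq`, because `[` evaluates every operand of an `-a` chain rather than short-circuiting, and the test then fails with an error instead of rejecting the value explicitly. Splitting the chain lets the shell short-circuit and makes the default unnecessary: `if [ -n "$fwd_domain" ] && [ -n "$fwd_port" ] && [ "$fwd_port" -ne 53 ] ; then`. Where `fwd_port` is read is not visible here, so whether it can be non-numeric depends on code outside the hunk; the function body also continues past the hunk.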
@@ -1027,29 +1006,71 @@ unbound_uci() {
 if [ "$UNBOUND_N_EDNS_SIZE" -lt 512 \
 -o 4096 -lt "$UNBOUND_N_EDNS_SIZE" ] ; then
- # exceeds range, back to default
+ logger -t unbound -s "edns_size exceeds range, using default"
 UNBOUND_N_EDNS_SIZE=1280
 fi
- if [ "$UNBOUND_N_RX_PORT" -lt 1024 \
- -o 10240 -lt "$UNBOUND_N_RX_PORT" ] ; then
- # special port or in 5 digits, back to default
+ if [ "$UNBOUND_N_RX_PORT" -ne 53 ] \
+ && [ "$UNBOUND_N_RX_PORT" -lt 1024 -o 10240 -lt "$UNBOUND_N_RX_PORT" ] ; then
+ logger -t unbound -s "privileged port or in 5 digits, using default"
 UNBOUND_N_RX_PORT=53
 fi
 if [ "$UNBOUND_TTL_MIN" -gt 1800 ] ; then
- # that could have had awful side effects
+ logger -t unbound -s "ttl_min could have had awful side effects, using 300"
 UNBOUND_TTL_MIN=300
 fi
 }
 ##############################################################################
+_resolv_setup() {
+ if [ "$UNBOUND_N_RX_PORT" != "53" ] ; then
+ return
+ fi
+
+ if [ -x /etc/init.d/dnsmasq ] && /etc/init.d/dnsmasq enabled \
+ && nslookup localhost 127.0.0.1#53 >/dev/null 2>&1 ; then
+ # unbound is configured for port 53, but dnsmasq is enabled and a resolver
+ # listens on localhost:53, lets assume dnsmasq manages the resolver file.
+ # TODO:
+ # really check if dnsmasq runs a local (main) resolver in stead of using
+ # nslookup that times out when no resolver listens on localhost:53.
+ return
+ fi
+
+ # unbound is designated to listen on 127.0.0.1#53,
+ # set resolver file to local.
+ rm -f /tmp/resolv.conf
+ {
+ echo "# /tmp/resolv.conf generated by Unbound UCI $( date )"
+ echo "nameserver 127.0.0.1"
+ echo "nameserver ::1"
+ echo "search $UNBOUND_TXT_DOMAIN"
+ } > /tmp/resolv.conf
+}
+
+##############################################################################
+
+_resolv_teardown() {
+ case $( cat /tmp/resolv.conf ) in
+ *"generated by Unbound UCI"*)
+ # our resolver file, reset to auto resolver file.
+ rm -f /tmp/resolv.conf
+ ln -s /tmp/resolv.conf.auto /tmp/resolv.conf
+ ;;
+ esac
+}
+
+##############################################################################
+
 unbound_start() {
 config_load unbound
 config_foreach unbound_uci unbound
+
+
 unbound_mkdir
@@ -1067,28 +1088,18 @@ unbound_start() {
 unbound_control
 fi
+
+
+ _resolv_setup
 }
 ##############################################################################
 unbound_stop() {
- local resolvsym=0
+ _resolv_teardown
- rootzone_update
-
-
- if [ ! -x /usr/sbin/dnsmasq -o ! -x /etc/init.d/dnsmasq ] ; then
- resolvsym=1
- else
- /etc/init.d/dnsmasq enabled || resolvsym=1
- fi
-
- if [ "$resolvsym" -gt 0 ] ; then
- # set resolver file to normal, but don't stomp on dnsmasq
- rm -f /tmp/resolv.conf
- ln -s /tmp/resolv.conf.auto /tmp/resolv.conf
- fi
+ rootzone_update
 }
 ##############################################################################
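Review bot: In `_resolv_setup` (net/unbound/files/unbound.sh), `rm -f /tmp/resolv.conf` followed by `{ ... } > /tmp/resolv.conf` is not atomic. There is a window in which the system has no resolver file, and if the path is recreated as a symlink in between (`_resolv_teardown` itself places one there) the redirect writes through to the link target. Writing to a sibling temporary file and renaming it over the path closes both gaps: `} > /tmp/resolv.conf.unbound.tmp` followed by `mv -f /tmp/resolv.conf.unbound.tmp /tmp/resolv.conf` (the temporary name is illustrative). Separately, `_resolv_teardown` runs `cat /tmp/resolv.conf` unguarded, which prints an error when the file is absent; `grep -q "generated by Unbound UCI" /tmp/resolv.conf 2>/dev/null` expresses the same ownership check without that noise.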
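Review bot: The new `_resolv_setup` call at the end of `unbound_start` is not conditioned on the earlier steps having succeeded, so /tmp/resolv.conf can be pointed at 127.0.0.1 while nothing answers there, and the device then loses its own name resolution until `unbound_stop` runs. `unbound_start` begins outside the hunk, so a failure path may exist that is not visible here. At minimum the call should carry a comment stating the assumption, such as `# switch the system resolver to localhost last; _resolv_teardown in unbound_stop reverts it`. In `unbound_stop`, a one-line comment saying why `_resolv_teardown` must run before `rootzone_update` would make the ordering dependency explicit.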