====== Networking - DNS - Unbound - Install Unbound ====== Unbound, a secure open-source recursive DNS server, will be used to: * Listen for queries on port 53. * Listen for both UDP and TCP requests. * Verify DNSSEC signatures, discarding BOGUS domains. * Apply a few security and privacy tricks. ---- ===== Install Unbound ===== sudo apt update sudo apt install unbound **NOTE:** This should install the **/var/lib/unbound/root.hints** file automatically too. The root.hints file, is a list of primary root servers. If Unbound is **not** installed from a package manager: * The root.hints file may not be installed by default. * In this case, download the current root hints file by running: wget https://www.internic.net/domain/named.root -qO- | sudo tee /var/lib/unbound/root.hints * If you do this optional step, you will need to uncomment the **root-hints:** line in the Unbound configuration file defined in the next step. * This file changes infrequently, but it is recommended to have it updated every six months or so. ---- ===== Configure Unbound ===== server: # If no logfile is specified, syslog is used. # logfile: "/var/log/unbound/unbound.log" verbosity: 0 interface: 127.0.0.1 port: 53 do-ip4: yes do-udp: yes do-tcp: yes # May be set to yes if you have IPv6 connectivity. do-ip6: no # You want to leave this to no unless you have *native* IPv6. With 6to4 and # Terredo tunnels your web browser should favor IPv4 for the same reasons. prefer-ip6: no # Use this only when you downloaded the list of primary root servers! # If you use the default dns-root-data package, unbound will find it automatically. #root-hints: "/var/lib/unbound/root.hints" # Trust glue only if it is within the server's authority harden-glue: yes # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS. harden-dnssec-stripped: yes # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes. # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details. use-caps-for-id: no # Reduce EDNS reassembly buffer size. # Suggested by the unbound man page to reduce fragmentation reassembly problems. edns-buffer-size: 1472 # Perform prefetching of close to expired message cache entries. # This only applies to domains that have been frequently queried. prefetch: yes # One thread should be sufficient, can be increased on beefy machines. # In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1. num-threads: 1 # Ensure kernel buffer is large enough to not lose messages in traffic spikes. so-rcvbuf: 1m # Ensure privacy of local IP ranges. private-address: 192.168.0.0/16 private-address: 169.254.0.0/16 private-address: 172.16.0.0/12 private-address: 10.0.0.0/8 private-address: fd00::/8 private-address: fe80::/10 **NOTE:** Unbound is configured to listen on port 53. This is the standard DNS port. However, often port 53 may already be in use, which will prevent Unbound starting up. * In this case, it may be useful to use an alternative port for unbound, say 5335 and have the other service point to the Unbound service running on this alternative port 5335. * Alternatively, keep Unbound configured to port 53, and disable that other service. If the **root-hints** file was installed separately in the previous step, then uncomment the **root-hints:** configuration line in this config file. See [[Networking:DNS:Unbound:Logging|Logging]] about increasing logging verbosity. ---- ===== Restart Unbound ===== sudo service unbound restart ---- ===== Test that Unbound can resolve ===== dig pi-hole.net @127.0.0.1 -p 5335 **NOTE:** The first query may be quite slow, but subsequent queries should be faster due to caching. ---- ===== Test DNSSEC validation ===== dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5335 dig sigok.verteiltesysteme.net @127.0.0.1 -p 5335 **NOTE:** * The first command should give a status report of SERVFAIL and no IP address. * The second should give NOERROR plus an IP address. ----