Table of Contents

Networking - DNS - Unbound - Install Unbound

Unbound, a secure open-source recursive DNS server, will be used to:

Install Unbound

sudo apt update
sudo apt install unbound

NOTE: This should install the /var/lib/unbound/root.hints file automatically too.

The root.hints file, is a list of primary root servers.

If Unbound is not installed from a package manager:

  • The root.hints file may not be installed by default.
  • In this case, download the current root hints file by running: 
    wget https://www.internic.net/domain/named.root -qO- | sudo tee /var/lib/unbound/root.hints
  • If you do this optional step, you will need to uncomment the root-hints: line in the Unbound configuration file defined in the next step.
  • This file changes infrequently, but it is recommended to have it updated every six months or so.

Configure Unbound

/etc/unbound/unbound.conf.d/pi-hole.conf
server:
    # If no logfile is specified, syslog is used.
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0
 
    interface: 127.0.0.1
    port: 53
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
 
    # May be set to yes if you have IPv6 connectivity.
    do-ip6: no
 
    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Terredo tunnels your web browser should favor IPv4 for the same reasons.
    prefer-ip6: no
 
    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically.
    #root-hints: "/var/lib/unbound/root.hints"
 
    # Trust glue only if it is within the server's authority
    harden-glue: yes
 
    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS.
    harden-dnssec-stripped: yes
 
    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes.
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details.
    use-caps-for-id: no
 
    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems.
    edns-buffer-size: 1472
 
    # Perform prefetching of close to expired message cache entries.
    # This only applies to domains that have been frequently queried.
    prefetch: yes
 
    # One thread should be sufficient, can be increased on beefy machines.
    # In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1
 
    # Ensure kernel buffer is large enough to not lose messages in traffic spikes.
    so-rcvbuf: 1m
 
    # Ensure privacy of local IP ranges.
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

NOTE: Unbound is configured to listen on port 53.

This is the standard DNS port.

However, often port 53 may already be in use, which will prevent Unbound starting up.

  • In this case, it may be useful to use an alternative port for unbound, say 5335 and have the other service point to the Unbound service running on this alternative port 5335.
  • Alternatively, keep Unbound configured to port 53, and disable that other service.

If the root-hints file was installed separately in the previous step, then uncomment the root-hints: configuration line in this config file.

See Logging about increasing logging verbosity.

Restart Unbound

sudo service unbound restart

Test that Unbound can resolve

dig pi-hole.net @127.0.0.1 -p 5335

NOTE: The first query may be quite slow, but subsequent queries should be faster due to caching.

Test DNSSEC validation

dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5335
dig sigok.verteiltesysteme.net @127.0.0.1 -p 5335

NOTE:

  • The first command should give a status report of SERVFAIL and no IP address.
  • The second should give NOERROR plus an IP address.