Networking - DNS - Unbound - Configure Encrypted DNS with Caching

The goal of this setup is to prevent recording and tracking of your DNS requests.

Benefits of this setup are:

  • The connection to the upstream resolvers is encrypted (DNS over TLS), so queries and responses cannot be observed or modified in transit.
  • DNSSEC validation is used to ensure that the responses are authentic and have not been tampered with.
  • Results are cached by Unbound, which improves the responsiveness of your network activity.

Configure Unbound

/etc/unbound/unbound.conf
server:
    # Provide unencrypted DNS services on port 53.
    interface: 127.0.0.1@53
    interface: ::1@53
    port: 53
 
    # Provide TLS protected DNS service on port 853.
    # NOTE: This is generally not needed for local use.
    tls-service-key: "/etc/pki/tls/private/privkey.pem"
    tls-service-pem: "/etc/pki/tls/certs/fullchain.pem"
    interface: 127.0.0.1@853
    interface: ::1@853
    tls-port: 853
 
    # Enable IPv4 and IPv6, over both UDP and TCP.
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
 
    # Only allow access from localhost.
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::0/0 refuse
    access-control: ::1 allow
 
    # Enable DNSSEC.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
 
    # Certificate authorities needed to authenticate upstream servers.
    tls-cert-bundle: "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
 
forward-zone:
    name: "."
    forward-tls-upstream: yes
 
    # Cloudflare DNS.
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
 
    # NordVPN.
    forward-addr: 103.86.96.100@853#dns1.nordvpn.com
    forward-addr: 103.86.99.100@853#dns2.nordvpn.com
 
    # Quad9.
    forward-addr: 2620:fe::fe@853#dns.quad9.net
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 2620:fe::9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net

NOTE: To generate the trust-anchor file for DNSSEC you need to run unbound-anchor, or you can get it from https://www.internic.net/domain/named.cache.

The “.” passed to name in the forward-zone matches all names, so every request is sent to the configured resolvers. You can have multiple forward-zone sections, but each must then have a different name.
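The properties the configuration above relies on (clients restricted to localhost, a DNSSEC trust anchor, TLS to every upstream, and a CA bundle plus a "#auth-name" on every forward-addr so the upstream certificate is actually verified) are easy to lose with a single edit. The checker below is an added example, not code from this page or from the Unbound project: it reads an unbound.conf with a small hand-written parser and reports deviations from those properties. The embedded sample config is constructed here from the page's settings with one deliberate weakness (a forward-addr without an auth name) so there is something to report.

```python
"""Static checks for an unbound.conf of the encrypted-forwarding kind above.

Added example; not part of the wiki page or of Unbound itself.
"""
import ipaddress
import re

# Constructed sample (not from the page): the page's config, trimmed, with one
# deliberate weakness appended: the last forward-addr has no "#auth-name".
SAMPLE_CONF = """\
server:
    # Listen on localhost only.
    interface: 127.0.0.1@53
    interface: ::1@53
    port: 53
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::0/0 refuse
    access-control: ::1 allow
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    tls-cert-bundle: "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 2620:fe::fe@853#dns.quad9.net
    forward-addr: 9.9.9.9@853   # weak: no auth name, so the cert is not matched to a host
"""


def parse_unbound_conf(text):
    """Parse unbound.conf into a list of (section, [(key, value), ...]).

    The format is a 'section:' header at column 0 followed by indented
    'key: value' lines.  A '#' starts a comment only at the start of a line or
    after whitespace, because forward-addr values legitimately contain '#'.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            current = (line.strip().rstrip(":"), [])
            sections.append(current)
            continue
        if current is None:
            raise ValueError(f"option outside any section: {line!r}")
        key, _, value = line.strip().partition(":")
        current[1].append((key.strip(), value.strip().strip('"')))
    return sections


def check_conf(sections):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    server_opts = [kv for name, opts in sections if name == "server" for kv in opts]

    def values(opts, key):
        return [v for k, v in opts if k == key]

    # 1. Only loopback netblocks may be allowed to query the resolver.
    for rule in values(server_opts, "access-control"):
        parts = rule.split()
        if len(parts) == 2 and parts[1].startswith("allow"):
            try:
                net = ipaddress.ip_network(parts[0], strict=False)
            except ValueError:
                findings.append(f"unparseable access-control netblock: {parts[0]}")
                continue
            if not net.is_loopback:
                findings.append(f"access-control allows non-loopback clients: {rule}")

    # 2. DNSSEC validation needs a trust anchor.
    if not (values(server_opts, "auto-trust-anchor-file") or values(server_opts, "trust-anchor-file")):
        findings.append("no trust anchor configured; DNSSEC validation is off")

    # 3. Without a CA bundle Unbound cannot verify upstream certificates at all.
    if not (values(server_opts, "tls-cert-bundle") or values(server_opts, "tls-system-cert")):
        findings.append("no tls-cert-bundle or tls-system-cert; upstream certificates cannot be verified")

    # 4. Every forward-zone must use TLS on 853, and every forward-addr needs a
    #    "#auth-name" so the certificate is checked against that hostname.
    for name, opts in sections:
        if name != "forward-zone":
            continue
        zone = (values(opts, "name") or ["<unnamed>"])[0]
        if "yes" not in values(opts, "forward-tls-upstream"):
            findings.append(f"forward-zone {zone} does not set forward-tls-upstream: yes")
        for addr in values(opts, "forward-addr"):
            host, _, authname = addr.partition("#")
            if "@853" not in host:
                findings.append(f"forward-addr {addr} in zone {zone} does not use port 853")
            if not authname:
                findings.append(f"forward-addr {addr} in zone {zone} has no #auth-name; "
                                "the upstream certificate is not checked against a hostname")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for finding in check_conf(parse_unbound_conf(text)) or ["OK: no findings"]:
        print(finding)
```

Run it with the path to your unbound.conf as the only argument, or with no argument to see it flag the constructed sample. Finding 4 is the one most often missed: an upstream written as IP@853 without "#hostname" still gets an encrypted session, but nothing ties the presented certificate to the provider you intended.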

The companies that provide the configured servers (Cloudflare, NordVPN, and Quad9) all claim to be privacy-oriented and so do not normally log your IP address.

Unbound distributes its requests evenly across all configured servers, so the more servers you configure, the fewer of your requests any one of them sees, making it harder for any single provider to build a complete picture of your activity even if it tried.
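To see what one of those upstreams actually receives, the following added example (not code from this page or from Unbound) performs a single DNS-over-TLS exchange of the kind Unbound makes for a forward-addr of the form IP@853#auth-name: a TLS session on TCP port 853 whose certificate is verified against the auth name (the system trust store stands in for tls-cert-bundle), carrying a query with the EDNS DO bit set so DNSSEC records come back for validation. The server address, auth name and query name in the main block are assumptions taken from the page's Cloudflare entry; the message builder and response parser are exercised offline.

```python
"""One DNS-over-TLS query (RFC 7858), the exchange Unbound makes with each upstream.

Added example; not part of the wiki page or of Unbound itself.
"""
import os
import socket
import ssl
import struct


def build_query(qname, qtype=1, qid=None):
    """Build a DNS query for qname with the EDNS DO bit set (request DNSSEC records)."""
    if qid is None:
        qid = int.from_bytes(os.urandom(2), "big")  # random transaction id
    # Header: id, flags (RD only), 1 question, 0 answers, 0 authority, 1 additional (OPT)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question += struct.pack("!HH", qtype, 1)  # type, class IN
    # OPT RR: root name, type 41, UDP payload size 1232, ext-rcode 0, version 0,
    # flags with DO (0x8000) set, zero-length rdata
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt


def parse_response(msg, expected_id):
    """Return (rcode, ad_flag, answer_count) after checking id and QR bit."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qid != expected_id:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    ad = bool(flags & 0x0020)  # AD: the responder validated the answer with DNSSEC
    return rcode, ad, an


def recv_exact(sock, n):
    """Read exactly n bytes from a stream socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_dot(server_ip, auth_name, qname, ca_bundle=None, timeout=5.0):
    """Send one query over TLS on port 853 and verify the certificate against auth_name.

    ca_bundle=None uses the system trust store; pass the same PEM bundle as the
    page's tls-cert-bundle to reproduce Unbound's verification exactly.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)  # hostname check is on by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    qid = int.from_bytes(os.urandom(2), "big")
    msg = build_query(qname, qid=qid)
    with socket.create_connection((server_ip, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            # Same framing as DNS over TCP: 2-byte big-endian length, then the message.
            tls.sendall(struct.pack("!H", len(msg)) + msg)
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return parse_response(recv_exact(tls, length), qid)


if __name__ == "__main__":
    # Assumed upstream, taken from the page's forward-addr list (needs network access).
    print(query_dot("1.1.1.1", "cloudflare-dns.com", "example.com"))
```

The tuple printed is (rcode, AD, answer count). Note that Unbound does not rely on the upstream's AD bit: with auto-trust-anchor-file set it validates the signatures itself from the records the DO bit requests, which is why a forwarder you do not fully trust still cannot hand it a forged answer.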

networking/dns/unbound/configure_encrypted_dns_with_caching.1607252982.txt.gz · Last modified: 2020/12/06 11:09 by peter
