Networking - DNS - Unbound - Install Unbound

Install the recursive DNS resolver

sudo apt update
sudo apt install unbound

NOTE: This should install the /var/lib/unbound/root.hints file automatically too.

The root.hints file is a list of the primary (root) name servers that Unbound queries first when resolving a name.

If Unbound is not installed from a package manager:

  • The root.hints file may not be installed by default.
  • In this case, download the current root hints file by running:
    wget https://www.internic.net/domain/named.root -qO- | sudo tee /var/lib/unbound/root.hints
  • If you do this optional step, you will need to uncomment the root-hints: configuration line in the suggested config file.
  • This file changes infrequently, but it is recommended to have it updated every six months or so.

Configure Unbound

/etc/unbound/unbound.conf.d/pi-hole.conf
server:
    # If no logfile is specified, syslog is used.
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0
 
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
 
    # May be set to yes if you have IPv6 connectivity.
    do-ip6: no
 
    # You want to leave this set to no unless you have *native* IPv6. With 6to4 and
    # Teredo tunnels your web browser should favor IPv4 for the same reasons.
    prefer-ip6: no
 
    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically.
    #root-hints: "/var/lib/unbound/root.hints"
 
    # Trust glue only if it is within the server's authority
    harden-glue: yes
 
    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS.
    harden-dnssec-stripped: yes
 
    # Don't use capitalization randomization, as it is known to cause DNSSEC issues sometimes.
    # See https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details.
    use-caps-for-id: no
 
    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems.
    edns-buffer-size: 1472
 
    # Perform prefetching of close to expired message cache entries.
    # This only applies to domains that have been frequently queried.
    prefetch: yes
 
    # One thread should be sufficient, can be increased on beefy machines.
    # In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1
 
    # Ensure kernel buffer is large enough to not lose messages in traffic spikes.
    so-rcvbuf: 1m
 
    # Ensure privacy of local IP ranges.
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

NOTE: Unbound will listen on port 5335.

If the root-hints file was installed separately in the previous step, then uncomment the root-hints: configuration line in this config file.

See Logging about increasing logging verbosity.


Restart Unbound

sudo service unbound restart

Test that Unbound can resolve

dig pi-hole.net @127.0.0.1 -p 5335

NOTE: The first query may be quite slow, but subsequent queries should be faster due to caching.


Test DNSSEC validation

dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5335
dig sigok.verteiltesysteme.net @127.0.0.1 -p 5335

NOTE:

  • The first command should give a status report of SERVFAIL and no IP address.
  • The second should give NOERROR plus an IP address.
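As an added example (not part of the original page), the following POSIX shell helpers read `dig` output and judge the two DNSSEC tests above. Besides the status, the sigok check also requires the `ad` (authenticated data) flag, which is what shows Unbound validated the answer rather than merely resolved it. The live `check_unbound` function assumes dig is installed and Unbound is listening on 127.0.0.1:5335 as configured; the dig headers embedded at the end are constructed samples, not real captures.

```shell
# Added example, not from the original page: read `dig` output from stdin and
# judge the sigfail/sigok DNSSEC tests. Checks the RCODE and the "ad" flag.

# Print the RCODE from dig's ";; ->>HEADER<<-" line (NOERROR, SERVFAIL, ...).
dig_status() {
    sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\).*/\1/p' | head -n 1
}

# Succeed (exit 0) only if the flags line carries the "ad" flag.
dig_has_ad() {
    grep -q '^;; flags:.* ad[ ;]'
}

# judge <bogus|valid>: read dig output from stdin, print "ok" or "fail".
# bogus: expect SERVFAIL (the sigfail test, signature must not validate).
# valid: expect NOERROR plus the "ad" flag (the sigok test, validated answer).
judge() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | dig_status)
    case "$1" in
        bogus) [ "$status" = "SERVFAIL" ] && echo ok || echo fail ;;
        valid) [ "$status" = "NOERROR" ] && printf '%s\n' "$out" | dig_has_ad \
                   && echo ok || echo fail ;;
        *)     echo fail ;;
    esac
}

# Live check against the resolver configured above (assumes dig is installed and
# Unbound listens on 127.0.0.1:5335). Call it by hand; it is not run here.
check_unbound() {
    echo "sigfail (expect ok): $(dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5335 | judge bogus)"
    echo "sigok   (expect ok): $(dig sigok.verteiltesysteme.net @127.0.0.1 -p 5335 | judge valid)"
}

# Constructed sample dig headers (not real captures) to exercise the helpers offline.
SIGFAIL_OUT=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SIGOK_OUT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23456
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
sigok.verteiltesysteme.net. 60 IN A 192.0.2.1'

printf '%s\n' "$SIGFAIL_OUT" | judge bogus   # ok
printf '%s\n' "$SIGOK_OUT"   | judge valid   # ok
```

A NOERROR answer without the `ad` flag means the resolver returned data it did not validate, so `judge valid` reports fail for it.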

networking/dns/unbound/install_unbound.1611879125.txt.gz · Last modified: 2021/01/29 00:12 by peter
