How to setup Unbound DNS on a Debian-based server
Installation
We 're going too install unbound on the server running the command below:
apt install unbound
Configuration as local DNS server
We are going to create a configuration file which will be located in the following directory: /etc/unbound/unbound.conf.d/
It is always a good idea to take copy of the original config-file, if present. So let's create this first:
cp /etc/unbound/unbound.conf.d/unbound.conf /etc/unbound/unbound.conf.d/unbound.conf.origNow we are ready to edit/create the config file.
nano /etc/unbound/unbound.conf.d/unbound.confAdd the following lines to the file and comment/uncommemt and/or change paths to your local situation.
server:
# If no logfile is specified, syslog is used
logfile: "/var/log/unbound/unbound.log"
verbosity: 3
log-time-ascii: yes
extended-statistics: yes
# specify the interfaces to answer queries from by ip-address. The default
# is to listen to localhost (127.0.0.1 and ::1). specify 0.0.0.0 and ::0 to
# bind to all available interfaces. specify every interface[@port] on a new
# 'interface:' labeled line. The listen interfaces are not changed on
# reload, only on restart.
interface: 127.0.0.1
port: 5335
do-ip4: yes
do-udp: yes
do-tcp: yes
#Dns over HTTPS
#tls-service-key: "key.pem"
#tls-service-pem: "cert.pem"
#May be set to yes if you have IPv6 connectivity
do-ip6: no
# You want to leave this to no unless you have *native* IPv6. With 6to4 and
# Terredo tunnels your web browser should favor IPv4 for the same reasons
prefer-ip6: no
# Use this only when you downloaded the list of primary root servers!
# If you use the default dns-root-data package, unbound will find it automatically
#root-hints: "/var/lib/unbound/root.hints"
# Read the root hints from this file. Default is nothing, using built in
# hints for the IN class. The file has the format of zone files, with root
# nameserver names and addresses only. The default may become outdated,
# when servers change, therefore it is good practice to use a root-hints
# file. get one from ftp://FTP.INTERNIC.NET/domain/named.cache
chroot: ""
root-hints: "/usr/local/etc/unbound/root.hints"
# Trust glue only if it is within the server's authority
# Harden against out of zone rrsets, to avoid spoofing attempts.
# Hardening queries multiple name servers for the same data to make
# spoofing significantly harder and does not mandate dnssec.
harden-glue: yes
# Ignore very large queries.
harden-large-queries: yes
# Harden against algorithm downgrade when multiple algorithms are
# advertised in the DS record.
harden-algo-downgrade: yes
# Ignore very small EDNS buffer sizes from queries.
harden-short-bufsize: yes
# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
# Require DNSSEC data for trust-anchored zones, if such data is absent, the
# zone becomes bogus. Harden against receiving dnssec-stripped data. If you
# turn it off, failing to validate dnskey data for a trustanchor will trigger
# insecure mode for that zone (like without a trustanchor). Default on,
# which insists on dnssec data for trust-anchored zones.
harden-dnssec-stripped: yes
# enable to not answer id.server and hostname.bind queries.
hide-identity: yes
# enable to not answer version.server and version.bind queries.
hide-version: yes
# Rotates RRSet order in response (the pseudo-random
# number is taken from Ensure privacy of local IP
# ranges the query ID, for speed and thread safety).
# private-address: 192.168.0.0/16
rrset-roundrobin: yes
#ssl-upstream: yes
# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
use-caps-for-id: no
# Reduce EDNS reassembly buffer size.
# Suggested by the unbound man page to reduce fragmentation reassembly problems
edns-buffer-size: 1472
# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
prefetch: yes
# Fetch the DNSKEYs earlier in the validation process, when a DS record is
# encountered. This lowers the latency of requests at the expense of little
# more CPU usage.
prefetch-key: yes
# One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
# number of threads to create. 1 disables threading. This should equal the number
# of CPU cores in the machine. Our example machine has 4 CPU cores.
num-threads: 1
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
#so-rcvbuf: 1m
# Send minimum amount of information to upstream servers to enhance privacy
qname-minimisation: yes
# Deny queries of type ANY with an empty response.
# Works only on version 1.8 and above
deny-any: yes
# Set the total number of unwanted replies to keep track of in every thread.
# When it reaches the threshold, a defensive action of clearing the rrset
# and message caches is taken, hopefully flushing away any poison.
# Unbound suggests a value of 10 million.
unwanted-reply-threshold: 100000
# Ensure privacy of local IP ranges
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
private-address: 127.0.0.0/8
private-address: fd00::/8
private-address: fe80::/10
#DNSsec
# auto-trust-anchor-file: /usr/local/etc/unbound/test
auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
# Forward to upstream server
# forward-zone:
# name: "."
#forward-addr: 145.100.185.15@443#dnsovertls.sinodun.com
#forward-addr: 145.100.185.16@443#dnsovertls1.sinodun.com
#forward-addr: 2001:610:1:40ba:145:100:185:15@443#dnsovertls.sinodun.com
#forward-addr: 2001:610:1:40ba:145:100:185:16@443#dnsovertls1.sinodun.com
#forward-addr: 185.49.141.37@853#getdnsapi.net
#forward-addr: 2a04:b900:0:100::37@853#getdnsapi.net
#forward-addr: 91.239.100.100@853
#forward-addr: 89.233.43.71@853
#forward-addr: 84.200.69.80@853#DNS.watch
#forward-addr: 84.200.70.40@853#DNS.watch
#forward-addr: 2a01:3a0:53:53::0@853#unicast.censurfridns.dk
#forward-addr: 158.64.1.29@853#kaitain.restena.lu
#forward-addr: 2001:a18:1::29@853#kaitain.restena.lu
#forward-tls-upstream: yes
# forward-addr: 84.200.69.80
## Unbound Optimization and Speed Tweaks ###
# the number of slabs to use for cache and must be a power of 2 times the
# number of num-threads set above. more slabs reduce lock contention, but
# fragment memory usage.
msg-cache-slabs: 8
rrset-cache-slabs: 8
infra-cache-slabs: 8
key-cache-slabs: 8
## cache size ##
# Increase the memory size of the cache. Use roughly twice as much rrset cache
# memory as you use msg cache memory. Due to malloc overhead, the total memory
# usage is likely to rise to double (or 2.5x) the total cache memory. The test
# box has 4gig of ram so 256meg for rrset allows a lot of room for cacheed objects.
rrset-cache-size: 256m
msg-cache-size: 128m
# buffer size for UDP port 53 incoming (SO_RCVBUF socket option). This sets
# the kernel buffer larger so that no messages are lost in spikes in the traffic.
# so-rcvbuf: 8m
## Unbound Optimization and Speed Tweaks ###
#####################################################################################################
# Allow the domain (and its subdomains) to contain private addresses.
# local-data statements are allowed to contain private addresses too.
# private-domain: "home.lan"
# If nonzero, unwanted replies are not only reported in statistics, but also
# a running total is kept per thread. If it reaches the threshold, a warning
# is printed and a defensive action is taken, the cache is cleared to flush
# potential poison out of it. A suggested value is 10000000, the default is
# 0 (turned off). We think 10K is a good value.
# unwanted-reply-threshold: 10000
# IMPORTANT FOR TESTING: If you are testing and setup NSD or BIND on
# localhost you will want to allow the resolver to send queries to localhost.
# Make sure to set do-not-query-localhost: yes . If yes, the above default
# do-not-query-address entries are present. if no, localhost can be queried
# (for testing and debugging).
# do-not-query-localhost: no
# File with trusted keys, kept up to date using RFC5011 probes, initial file
# like trust-anchor-file, then it stores metadata. Use several entries, one
# per domain name, to track multiple zones. If you use forward-zone below to
# query the Google DNS servers you MUST comment out this option or all DNS
# queries will fail.
# auto-trust-anchor-file: "/var/unbound/etc/root.key"
# Should additional section of secure message also be kept clean of unsecure
# data. Useful to shield the users of this validator from potential bogus
# data in the additional section. All unsigned data in the additional section
# is removed from secure messages.
val-clean-additional: yes
# Blocking Ad Server domains. Google's AdSense, DoubleClick and Yahoo
# account for a 70 percent share of all advertising traffic. Block them.
# local-zone: "doubleclick.net" redirect
# local-data: "doubleclick.net A 127.0.0.1"
# local-zone: "googlesyndication.com" redirect
# local-data: "googlesyndication.com A 127.0.0.1"
# local-zone: "googleadservices.com" redirect
# local-data: "googleadservices.com A 127.0.0.1"
# local-zone: "google-analytics.com" redirect
# local-data: "google-analytics.com A 127.0.0.1"
# local-zone: "ads.youtube.com" redirect
# local-data: "ads.youtube.com A 127.0.0.1"
# local-zone: "adserver.yahoo.com" redirect
# local-data: "adserver.yahoo.com A 127.0.0.1"
# locally served zones can be configured for the machines on the LAN.
# local-zone: "home.lan." static
local-data: "www.rooselaers.be. IN A 192.168.1.45"
# local-data: "laptop.home.lan. IN A 10.0.0.2"
# local-data: "xbox360.home.lan. IN A 10.0.0.3"
# local-data: "ps3.home.lan. IN A 10.0.0.4"
# local-data: "dhcp5.home.lan. IN A 10.0.0.5"
# local-data-ptr: "10.0.0.2 laptop.home.lan"
# local-data-ptr: "10.0.0.3 xbox360.home.lan"
# local-data-ptr: "10.0.0.4 ps3.home.lan"
# local-data-ptr: "10.0.0.5 dhcp5.home.lan"
# Unbound can query your NSD or BIND server for private domain queries too.
# On our NSD page we have NSD configured to serve the private domain,
# "home.lan". Here we can tell Unbound to connect to the NSD server when it
# needs to resolve a *.home.lan hostname or IP.
#
# private-domain: "home.lan"
# local-zone: "0.0.10.in-addr.arpa." nodefault
# stub-zone:
# name: "home.lan"
# stub-addr: 10.0.0.111@53
# If you do not want to use the root DNS servers you can use the following
# forward-zone to forward all queries to Google DNS, OpenDNS.com or your
# local ISP's dns servers for example. If use use forward-zone you must make
# sure to comment out the auto-trust-anchor-file directive above or else all
# DNS queries will fail. We highly suggest using Google DNS as it is
# extremely fast.
#
# forward-zone:
# name: "."
# forward-addr: 8.8.8.8 # Google Public DNS
# forward-addr: 4.2.2.4 # Level3 Verizon
# forward-addr: 74.207.247.4 # OpenNIC DNS
#
#
## Authoritative, validating, recursive caching DNS
## unbound.conf -- https://DNSwatch.COM
After editing, save the file.
Next step is to edit the unbound.conf located in /etc/unbound/
Rember to take a copy of the original unbound.conf
cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.origAfter we created te backup-file, we need to edit the file.
nano /etc/unbound/unbound.confChange the path to were the first configuration file was made.
# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
#include: "/etc/unbound/unbound.conf.d/*.conf"
include: "/etc/unbound/unbound.conf.d/unbound.conf"
# Block popular advertising companies
#include: /etc/unbound/unbound.conf.d/blocklist.conf
#
Check the unbound configuration
sudo unbound-checkconfIf the output of the above generates no errors, you can restart the unbound.service on your machine.
sudo systemctl restart unbound.service