Unbound
This wiki will be split in two, one for Linux users and one for Windows users.
Read this thread to determine if this is for you, but as the writer I would recommend it.
First you have to install Unbound, which can be done with the built-in package manager (apt, apt-get, yum etc.). Better still is to compile it yourself by following this guide. The rest of this guide refers to a Kubuntu 19.04 Disco installation:

```
apt-get install unbound ca-certificates dnsutils -yqq
```
The files and directories of interest are:

```
/etc/unbound/                    # Main config dir
/etc/unbound/unbound.conf        # Default config file
/etc/unbound/unbound.conf.d/     # Sub config dir; *.conf files in here are included automatically
/etc/unbound/zones/              # Where we will put our files for blocking
/etc/unbound/zones/adblock.local # Your own private rules
/etc/unbound/rpz.conf            # The place to add imported blocklists
/var/lib/unbound/                # Dir for imported hosts-formatted lists to convert to rpz
/root/update_unbound.sh          # The import/update script that keeps imported lists up to date
```
Let's start with the worst possible thing to do on Linux: switch to root in your favourite terminal (the default shortcut would be alt+shift+t).
Next switch to the root user with `sudo -s`.
Install Unbound in your preferred way and update the list above to fit yours.
First let's set up Unbound's remote-control so that new configurations and updated zones can be reloaded:

```
unbound-control-setup
```

Next check that you have the corresponding lines in your unbound.conf file:

```
python:

remote-control:
    control-enable: yes
    control-use-cert: yes
    control-key-file: /etc/unbound/unbound_control.key
    control-cert-file: /etc/unbound/unbound_control.pem
    server-key-file: /etc/unbound/unbound_server.key
    server-cert-file: /etc/unbound/unbound_server.pem
```
Next you need to make some changes in unbound.conf to tweak it to our needs and to help keep the DNS query times down (= faster browsing, gaming etc.).
But first an important note about the `server:` and `python:` lines, as these are very important to notice.

`server:`
This is the chapter under which all server directives have to be placed.

`python:`
This is where all python scripted directives lie; according to the author this includes any `forward-zone:`, which lacks a bit of explanation in the man files and you probably won't notice at first read.

Let's edit the config, shall we? Blindly add the following as you would by copy-pasting anyway 😃 Don't worry, you'll learn the meaning of the config later, especially if anything fails....
```
server:
    verbosity: 2                # Later when things are working, set this to 1 or 0
    interface-automatic: yes    # Tell unbound to bind to any available interface at any time
    num-threads: 4              # The number of cores on your CPU, but more than 2 or 4 is way overkill on a home network
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
    do-daemonize: yes
    # This should for most users be set to reflect the home network C-class network
    # ([RFC:1918](https://tools.ietf.org/html/rfc1918#section-3)). Uncomment the line that
    # matches your IP address to allow other devices on your network to query this device.
    #access-control: 0.0.0.0/0 allow       # Bad choice for most common home users
    #access-control: 10.0.0.0/8 allow      # Bad choice as IBM holds public facing IP addresses in this range
    #access-control: 172.16.0.0/12 allow   # Pretty huge network.....
    #access-control: 192.168.0.0/16 allow  # More common
    hide-identity: yes
    hide-version: yes
    identity: "DNS secured by www.mypdns.org"
    prefetch: yes               # Keeps previously made queries warm and ready in the cache for the next time the query is made
    prefetch-key: yes           # On slow <=ADSL lines this is more of a good idea than on a faster connection like fiber
    qname-minimisation: yes     # Less information is passed on to the next hop = better privacy protection
    qname-minimisation-strict: no   # Would be nice if all DNS servers respected qname minimisation, but the big players out there hate this feature as it is ruining the sad business model of collecting data about you, so unless you are really going deeeeeeep into privacy leave this as NO
    #private-domain: what.ever.local   # set this to match your local network name
    serve-expired: yes
    serve-expired-ttl: 5
    serve-expired-ttl-reset: yes
    #cache-min-ttl: 3600        # Only enable this on <=ADSL connections and set it reasonably; this value however has never cost me trouble.... yet.
    infra-cache-numhosts: 1000000   # How much do we keep in the cache
    aggressive-nsec: yes
    rrset-roundrobin: yes
    do-not-query-localhost: no
    neg-cache-size: 4M
    harden-algo-downgrade: yes
    harden-glue: yes
    harden-large-queries: yes
    harden-referral-path: no
    harden-short-bufsize: yes
    unwanted-reply-threshold: 10000
    use-caps-for-id: yes
    val-clean-additional: yes
    num-queries-per-thread: 4096
    outgoing-range: 8192
    minimal-responses: yes
    so-reuseport: yes
    harden-below-nxdomain: yes  # RFC 8020: once example.com is known to be NXDOMAIN, www.example.com is answered NXDOMAIN from cache too
    disable-dnssec-lame-check: yes
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
```
First we create the rpz.conf and throw the two needed lines into it...

```
mkdir -p /etc/unbound/zones/
printf "#Settings for nxdomain zones\n\ninclude: /etc/unbound/zones/adblock.local\t# My own additions\n\ninclude: /etc/unbound/zones/rpz.db\t# The sum of all imported zones\n" > /etc/unbound/rpz.conf
printf "# My personal additions\n" > /etc/unbound/zones/adblock.local
```
We now use this extremely simplified import script to load data into /etc/unbound/zones/rpz.db. We do that by placing the script in a safe location like the /root/ folder:

```
wget -qO /root/update_unbound.sh 'https://gitlab.com/rpz-zones/toolbox/raw/master/unbound/update_unbound.sh'
chmod +x /root/update_unbound.sh
bash /root/update_unbound.sh
```
After these commands you should have a bunch of *.db files in /var/lib/unbound/ and a whole lot of data in /etc/unbound/zones/rpz.db. Let's test that by

```
head /etc/unbound/zones/rpz.db
wc -l < /etc/unbound/zones/rpz.db
```
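To show what the import step above actually produces, here is an added example that is not the update_unbound.sh from the gitlab toolbox: it converts a constructed hosts-formatted list into the `local-zone: ... always_nxdomain` lines that rpz.db is assumed to hold (its header in rpz.conf calls them nxdomain zones), and returns the count you would otherwise check with `wc -l`. The temp paths are only for the demo; a real run would write /etc/unbound/zones/rpz.db.

```shell
#!/bin/sh
# Added example, not the update_unbound.sh from the gitlab toolbox: convert a
# hosts-formatted blocklist into the "local-zone ... always_nxdomain" lines that
# /etc/unbound/zones/rpz.db is assumed to hold (as its header in rpz.conf says).

# Constructed sample input in the 0.0.0.0 / 127.0.0.1 hosts style, including the
# odd lines real lists carry: localhost entries, mixed case, an inline comment,
# a duplicate and a bare "0.0.0.0 0.0.0.0" line.
SAMPLE_HOSTS='# constructed sample hosts list
127.0.0.1 localhost
::1 localhost ip6-localhost
0.0.0.0 ads.example.com
0.0.0.0 Tracker.Example.NET   # inline comment
0.0.0.0 ads.example.com
0.0.0.0 0.0.0.0
127.0.0.1 localhost.localdomain
'

# hosts_to_nxdomain <hosts-file>: one local-zone line per unique, plausible hostname.
hosts_to_nxdomain() {
    sed -e 's/#.*$//' -e 's/[[:space:]]*$//' "$1" \
    | awk '
        NF >= 2 {
            for (i = 2; i <= NF; i++) {
                h = tolower($i)                      # DNS names are case-insensitive
                if (h ~ /^(localhost|localhost\.localdomain|local|broadcasthost|ip6-[a-z0-9]+)$/) continue
                if (h ~ /^[0-9.]+$/) continue        # a bare IPv4 address is not a hostname
                if (h !~ /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$/) continue
                if (!seen[h]++) printf "local-zone: \"%s\" always_nxdomain\n", h
            }
        }'
}

# build_rpz_db <hosts-file> <output-file>: writes the zone file and prints the
# number of blocked names, so a caller can refuse to reload on an empty result.
build_rpz_db() {
    hosts_to_nxdomain "$1" > "$2"
    wc -l < "$2" | tr -d ' '
}

# Stand-alone demo against the constructed sample; real runs would write
# /etc/unbound/zones/rpz.db and then: unbound-checkconf && unbound-control reload
tmp_hosts=$(mktemp); tmp_db=$(mktemp)
printf '%s' "$SAMPLE_HOSTS" > "$tmp_hosts"
count=$(build_rpz_db "$tmp_hosts" "$tmp_db")
echo "blocked $count names:"; cat "$tmp_db"
rm -f "$tmp_hosts" "$tmp_db"
```

The generated file only takes effect if unbound.conf reaches it through an `include:` of /etc/unbound/rpz.conf, and `unbound-checkconf` reports malformed lines before you reload.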
Now we test all of this configuration stuff with `unbound-checkconf` in the terminal, and you should get this result:

```
unbound-checkconf: no errors in /etc/unbound/unbound.conf
```

If this was the reply... good, it's time to kill the damned systemd-resolved to get control back from Ubuntu and restart Unbound to get our new recursor up and running:

```
systemctl disable --now systemd-resolved   # --now also stops it, so port 53 is free before the restart
systemctl restart unbound.service
```
Put the script in the crontab for automatic zone updates:

```
crontab -e
```

```
07 * * * * bash /root/update_unbound.sh > /dev/null 2>&1
@reboot bash /root/update_unbound.sh > /dev/null 2>&1
```

Note: Feel free to add an updated version here, as this was just written to do some fast imports for testing.
Now you have to change the DNS server settings in your network configuration. How this is done varies, but on Kubuntu (KDE) and Ubuntu GD you have a network icon you can click on, and you should be able to find the right setting there; otherwise do a search.
As Unbound is THE fastest recursor (resolver) you shouldn't need this; however, having an up-to-date upstream DNS server to increase privacy and security against bad actors can make sense, and here is a simple copy-paste, no explanations. Run `unbound-checkconf` afterwards, as a broken include stops Unbound from starting.

```
printf "\ninclude: \"/etc/unbound/unbound.conf.d/forward.default\"\n" >> /etc/unbound/unbound.conf
# Fetch the raw file (a /blob/ URL would download the gitlab HTML page instead of the config)
wget -qO '/etc/unbound/unbound.conf.d/forward.default' 'https://gitlab.com/rpz-zones/toolbox/raw/master/unbound/unbound.conf.d/forward.default'
```
As I really haven't touched Windows in the last 6 years I'm probably not the right guy to write this chapter...
However, you have to get the references in the service.conf to look a bit like these...
You find the latest EXE installer for Windows here.
To find the current options please refer to https://nlnetlabs.nl/documentation/unbound/unbound.conf/
Unbound is a DNS recursor developed by NLnet Labs, who have also developed NSD, which is used as root servers for the TLD .nl.
The idea was born in several ways, but two are more significant. First, hosts files grow too big to be kept in the %path%/hosts file. Second, this thread, started by @tgy and followed heavily by others like @martii and @scriptTiger, shows that it could be a good idea to make a simplified how-to for installing and setting up a very basic alternative to hosts files and Pi-hole, which require either a very powerful PC or a separate installation.
As I have found Unbound to work well in simple setups on both *nix and Windows 10 Home, this might be a good "all-round" alternative, which can be installed on the computer that normally runs in your household and which then becomes the default DNS "server" you add to either the router's DHCP or, better, force by manual setup on every client by hand.