iam-py-test edited this page 2023-03-05 10:58:27 -05:00

Unbound

This wiki will be split in two: one part for Linux users and one for Windows users.

Why should I set up Unbound?

Read this thread to determine if this is for you, but as the writer I would recommend it.

Linux

First you have to install Unbound, which can be done with the built-in package manager (apt, apt-get, yum, etc.), but it would be better to simply compile it yourself by following this guide. The rest of this guide is written with reference to Kubuntu 19.04 Disco.

apt-get install unbound ca-certificates dnsutils -yqq

Linux file structure

The files and dirs of interest would be:

/etc/unbound/                     # Main config dir
/etc/unbound/unbound.conf         # Default config file
/etc/unbound/unbound.conf.d/      # Sub config dir; *.conf files in it are included automatically
/etc/unbound/zones/               # Where we will put our files for blocking
/etc/unbound/zones/adblock.local  # Your own private rules
/etc/unbound/rpz.conf             # The place to add imported blocklists
/var/lib/unbound/                 # Dir for imported hosts-formatted lists to convert to rpz
/root/update_unbound.sh           # The import/update script that keeps the imported lists up to date

Let's start with the worst possible thing to do on Linux: switching to root. Open your favorite terminal (the default shortcut would be alt+shift+t).

Next, switch to the root user with sudo -s

Install Unbound in your preferred way and update the list above to fit your setup.

First, let's set up Unbound's remote-control so that new configurations and updated zones can be reloaded:

unbound-control-setup

Next, check that you have the corresponding section in your unbound.conf file:

python:
remote-control:
        control-enable: yes
        control-use-cert: yes
        control-key-file: /etc/unbound/unbound_control.key
        control-cert-file: /etc/unbound/unbound_control.pem
        server-key-file: /etc/unbound/unbound_server.key
        server-cert-file: /etc/unbound/unbound_server.pem

Next you need to make some changes in unbound.conf to tweak it to our needs and to help keep DNS query times down (= faster browsing, gaming, etc.). But first a small but important note about the server: and python: lines, as these are very important to notice.

  • server: This is the section below which all server directives have to be placed
  • python: This is where all python-scripted directives lie; this includes any forward-zone:, which lacks a bit of explanation in the man pages and is probably not noticed at first read.

Let's edit the config, shall we? Blindly add the following, as you would by copy-pasting anyway 😃 Don't worry, you'll learn the meaning of the config later, especially if anything fails....

        verbosity: 2 # Later, when things are working, set this to 1 or 0
        interface-automatic: yes # Tell unbound to bind to any available interface at any time
        num-threads: 4 # The number of cores on your CPU, but more than 2 or 4 is way overkill on a home network
        do-ip4: yes
        do-ip6: yes
        do-udp: yes
        do-tcp: yes
        do-daemonize: yes
        # For most users this should reflect the home network's class C range (RFC 1918, https://tools.ietf.org/html/rfc1918#section-3). Uncomment the line that matches your IP address range to allow other devices on your network to query this host.
        #access-control: 0.0.0.0/0 allow # Bad choice for most home users: it answers anyone on the internet (an open resolver)
        #access-control: 10.0.0.0/8 allow # Bad choice, as IBM holds public-facing IP addresses in this range
        #access-control: 172.16.0.0/12 allow # Pretty huge network.....
        #access-control: 192.168.0.0/16 allow # More common
        hide-identity: yes
        hide-version: yes
        identity: "DNS secured by www.mypdns.org"

        prefetch: yes # Keeps previous queries warm and ready in the cache for the next time the query is made
        prefetch-key: yes # On slow (<=ADSL) lines this is a better idea than on a faster connection like fiber

        qname-minimisation: yes # Less information is passed on to the next hop = better privacy protection
        qname-minimisation-strict: no # It would be nice if all DNS servers respected qname minimisation, but the big players out there hate this feature as it ruins their sad business model of collecting data about you, so unless you really go deep into privacy leave this as no

        #private-domain: what.ever.local # Set this to match your local network name

        serve-expired: yes
        serve-expired-ttl: 5
        serve-expired-ttl-reset: yes

        #cache-min-ttl: 3600 # Only enable this on <=ADSL connections and set it to something reasonable; this value has never caused me trouble.... yet.
        infra-cache-numhosts: 1000000 # How many hosts we keep in the infrastructure cache

        aggressive-nsec: yes
        rrset-roundrobin: yes
        do-not-query-localhost: no
        neg-cache-size: 4M
        harden-algo-downgrade: yes
        harden-glue: yes
        harden-large-queries: yes
        harden-referral-path: no
        harden-short-bufsize: yes
        unwanted-reply-threshold: 10000
        use-caps-for-id: yes
        val-clean-additional: yes
        num-queries-per-thread: 4096
        outgoing-range: 8192
        minimal-responses: yes
        so-reuseport: yes

        harden-below-nxdomain: yes # If example.com is in the zone list (NXDOMAIN), then www.example.com is answered with NXDOMAIN too

        disable-dnssec-lame-check: yes
        tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

Linux zone update

First we create rpz.conf and throw the two needed lines into it...

mkdir -p /etc/unbound/zones/
printf "#Settings for nxdomain zones\n\ninclude: /etc/unbound/zones/adblock.local\t# My own additions\n\ninclude: /etc/unbound/zones/rpz.db\t# The sum of all imported zones\n" > /etc/unbound/rpz.conf
printf "# My personal additions\n" > /etc/unbound/zones/adblock.local

We now use this extremely simplified import script to load data into /etc/unbound/zones/rpz.db. We do that by placing the script in a safe location like the /root/ folder:

wget -qO /root/update_unbound.sh 'https://gitlab.com/rpz-zones/toolbox/raw/master/unbound/update_unbound.sh'
chmod +x /root/update_unbound.sh
bash /root/update_unbound.sh

After these commands you should have a bunch of files in /var/lib/unbound/ like *.db and a whole lot of data in /etc/unbound/zones/rpz.db. Let's test that with

head /etc/unbound/zones/rpz.db
wc -l < /etc/unbound/zones/rpz.db

Now we test all of this configuration with unbound-checkconf in the terminal; you should get this result:

unbound-checkconf: no errors in /etc/unbound/unbound.conf

If this was the reply, good. It's time to kill the damned systemd-resolved to get control back from Ubuntu and restart unbound to get our new recursor up and running:

systemctl disable --now systemd-resolved   # --now also stops it right away, so port 53 is free for unbound
systemctl restart unbound.service

Add the script to the crontab for automatic zone updates:

crontab -e
07 * * * * bash /root/update_unbound.sh > /dev/null 2>&1
@reboot bash /root/update_unbound.sh > /dev/null 2>&1

Note: Feel free to add an updated version here, as this was just written to do some fast imports for testing.
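The import step above (downloading lists into /var/lib/unbound/ and writing /etc/unbound/zones/rpz.db) and the note asking for an updated version are both served by the following script. It is an added example written for this page, not the toolbox's own update_unbound.sh. It assumes that the source lists are in hosts format, that rpz.db holds local-zone ... always_nxdomain directives (the form an include: line in rpz.conf can load; the page does not show what the toolbox script actually writes), and the file layout listed earlier on this page; the list URL is a constructed placeholder. Two things the quick-and-dirty version does not do: host names are whitelisted to [a-z0-9.-] so a corrupted or hostile list cannot smuggle other directives into unbound.conf, and the new zone file only replaces the old one after unbound-checkconf has accepted the full configuration, so a bad download cannot take your DNS down.

```shell
#!/bin/sh
# Added example, not the toolbox's update_unbound.sh. Assumptions: the
# blocklists are hosts-format files, rpz.db holds Unbound "local-zone"
# directives (the form an "include:" line in rpz.conf can load), and the
# paths follow the file layout used on this page.
set -eu

ZONE_DIR=${ZONE_DIR:-/etc/unbound/zones}
WORK_DIR=${WORK_DIR:-/var/lib/unbound}
OUT_FILE=${OUT_FILE:-$ZONE_DIR/rpz.db}
# Placeholder list URL (constructed); replace with the lists you trust.
LIST_URLS=${LIST_URLS:-https://blocklist.example.invalid/hosts.txt}

# hosts_to_local_zone: hosts-format lines on stdin ->
# 'local-zone: "name" always_nxdomain' lines on stdout.
# Only sink addresses (0.0.0.0, 127.0.0.1, ::, ::1) count as blocks,
# loopback boilerplate is dropped, names are lowercased and must match
# [a-z0-9.-] so a corrupted or hostile list cannot inject other
# directives into unbound.conf, and the result is sorted and unique.
hosts_to_local_zone() {
    awk '
        { sub(/#.*/, "") }
        NF < 2 { next }
        $1 !~ /^(0\.0\.0\.0|127\.0\.0\.1|::1|::)$/ { next }
        {
            for (i = 2; i <= NF; i++) {
                n = tolower($i)
                sub(/\.$/, "", n)
                if (n == "localhost" || n == "localhost.localdomain" ||
                    n == "local" || n == "broadcasthost" ||
                    n == "ip6-localhost" || n == "ip6-loopback") continue
                if (n !~ /^[a-z0-9][a-z0-9.-]*[a-z0-9]$/ || n ~ /\.\./) continue
                print n
            }
        }' | sort -u | sed 's/.*/local-zone: "&" always_nxdomain/'
}

# count_zone_entries FILE: how many local-zone lines FILE holds.
count_zone_entries() {
    grep -c '^local-zone: ' "$1" || true
}

# build_zone: download every list into WORK_DIR, merge them into a
# temporary file next to OUT_FILE and print that file's path.
build_zone() {
    tmp=$(mktemp "$OUT_FILE.XXXXXX")
    for url in $LIST_URLS; do
        name=$(printf '%s' "$url" | sed 's#[^A-Za-z0-9._-]#_#g')
        wget -qO "$WORK_DIR/$name.hosts" "$url"
    done
    cat "$WORK_DIR"/*.hosts | hosts_to_local_zone > "$tmp"
    printf '%s\n' "$tmp"
}

# activate_zone TMP: refuse empty output, swap TMP in, and only keep it
# (and reload) if unbound-checkconf accepts the whole config; otherwise
# put the previous rpz.db back so a bad download never takes DNS down.
activate_zone() {
    tmp=$1
    if [ "$(count_zone_entries "$tmp")" -lt 1 ]; then
        echo "refusing to install an empty zone file" >&2
        rm -f "$tmp"
        return 1
    fi
    [ -f "$OUT_FILE" ] && cp -p "$OUT_FILE" "$OUT_FILE.bak"
    mv "$tmp" "$OUT_FILE"
    if unbound-checkconf >/dev/null 2>&1; then
        unbound-control reload >/dev/null
    else
        echo "unbound-checkconf rejected the new zone, restoring the old one" >&2
        [ -f "$OUT_FILE.bak" ] && mv "$OUT_FILE.bak" "$OUT_FILE"
        return 1
    fi
}

# sample_hosts: constructed input for the self-check below.
sample_hosts() {
    cat <<'EOF'
# constructed sample list
127.0.0.1 localhost
0.0.0.0 Ads.Example.com   # tracker
0.0.0.0 ads.example.com
0.0.0.0 evil.example.net.
::1 ip6-localhost
0.0.0.0 bad;name.example.org
192.168.1.5 printer.lan
EOF
}

# self_check: the converter must keep exactly the two real entries,
# lowercased, de-duplicated and without the trailing dot.
self_check() {
    expected='local-zone: "ads.example.com" always_nxdomain
local-zone: "evil.example.net" always_nxdomain'
    [ "$(sample_hosts | hosts_to_local_zone)" = "$expected" ]
}

# Real run only when asked for, so that sourcing or testing this file
# does not touch the live resolver: RUN_UPDATE=1 sh update_unbound.sh
if [ "${RUN_UPDATE:-0}" = 1 ]; then
    self_check
    activate_zone "$(build_zone)"
fi
```

Run it from cron as RUN_UPDATE=1 bash /root/update_unbound.sh; the guard at the bottom keeps a plain invocation (or sourcing the file to reuse hosts_to_local_zone) from touching the live resolver. The self_check function exercises the converter on the constructed sample list, which is also a quick way to see what the output lines look like before pointing the script at a real list.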

Final chapter

Now you have to change the DNS server in your network configuration. How this is done varies, but on Kubuntu (KDE) and Ubuntu GD you have a network icon you can click on, and you should be able to find the right setting there; otherwise do a search.

Forwarders

As Unbound is THE fastest recursor (resolver) you shouldn't need this; however, having an upstream DNS server that is kept up to date, to increase privacy and security against bad boys, can make sense. Here is a simple copy-paste, no explanations.

printf "\ninclude: \"/etc/unbound/unbound.conf.d/forward.default\"\n" >> /etc/unbound/unbound.conf
wget -qO '/etc/unbound/unbound.conf.d/forward.default' 'https://gitlab.com/rpz-zones/toolbox/raw/master/unbound/unbound.conf.d/forward.default'   # the raw URL, as for update_unbound.sh; the /blob/ page would download HTML

Windows

As I really haven't touched Windows in the last 6 years, I'm probably not the right guy to write this chapter...

However, you have to get the referrals in service.conf to look a bit like these...

Windows installer

You can find the latest EXE installer for Windows here.

Conf options

To find current options please refer to https://nlnetlabs.nl/documentation/unbound/unbound.conf/

About Unbound

Unbound is a DNS recursor developed by NLnet Labs, who also developed NSD, which is used for the root servers of the TLD .nl.

Why this little wiki?

The idea was born in several ways, but two were more significant. First, hosts files grow too big to be kept in the %path%/hosts file. Second, this thread, started by @tgy and followed heavily by others like @martii and @scriptTiger, shows that it could be a good idea to make a simplified how-to for installing and setting up a very basic alternative to hosts files and Pi-hole, which requires either a very powerful PC or a separate installation.

As I have found Unbound to work well in simple setups on both *nix and Windows 10 Home, this might be a good "all-round" alternative to refer to, one that can be installed on the computer that is normally running in your household. That computer then becomes the default DNS "server" you add either to the router's DHCP or, better, configure manually on every client by hand.