computing:unbounddns

Differences

computing:unbounddns [2024/11/01 04:23] oemb1905computing:unbounddns [2025/09/20 18:37] (current) oemb1905
Line 14: Line 14:
  
   sudo apt install unbound   sudo apt install unbound
-  sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf+  sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf # I use for lan-side pihole+unbound installations 
 +  sudo nano /etc/unbound/unbound.conf #I use this for lan- or wan-side non-pihole installations
      
 In that file, enter something like the following, adjusting as necessary for your use-case. In that file, enter something like the following, adjusting as necessary for your use-case.
 +                                                                                                                                                                                                                      
   server:   server:
-      logfile: "/var/log/unbound/unbound.log" +    # Logging (minimal) 
-      log-time-ascii: yes +    use-syslog: yes 
-      use-syslog: yes +    verbosity:
-      directory: "/etc/unbound" +    directory: "/etc/unbound" 
-      username: unbound +    username: unbound 
-      tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt +    # Bind to all interfaces, non-standard port 
-      verbosity: 3 +    interface: 0.0.0.0 
-      interface: 0.0.0.0 +    interface: ::0 
-      interface: ::0 +    port: 5335 
-      port: 5335 +    do-ip4: yes 
-      do-ip4: yes +    do-ip6: yes 
-      do-udp: yes +    prefer-ip6: no 
-      do-tcp: yes +    do-udp: yes 
-      module-config: "validator iterator" +    do-tcp: yes 
-      do-ip6: yes +    # Module configuration 
-      prefer-ip6: no +    module-config: "validator iterator" 
-      harden-glue: yes +    # Security and DNSSEC 
-      harden-dnssec-stripped: yes +    harden-glue: yes 
-      use-caps-for-id: no +    harden-dnssec-stripped: yes 
-      edns-buffer-size1232 +    use-caps-for-id: no 
-      prefetch: yes +    aggressive-nsec: yes 
-      num-threads8 +    hide-identityyes 
-      msg-cache-slabs16 +    hide-version: yes 
-      rrset-cache-slabs16 +    qname-minimisationyes 
-      infra-cache-slabs16 +    harden-large-queries: yes 
-      key-cache-slabs16 +    # Cache settings 
-      rrset-cache-size: 512m +    cache-max-ttl86400 
-      msg-cache-size256m +    cache-min-ttl: 3600 
-      outgoing-range: 32768 +    rrset-cache-size256m 
-      num-queries-per-thread: 8192 +    msg-cache-size128m 
-      infra-cache-numhosts: 100000 +    key-cache-size64m 
-      #so-rcvbuf1m +    neg-cache-size: 16m 
-      #so-sndbuf2m +    # Performance tweaks 
-      so-reuseport: yes +    num-threads:
-      private-address: 192.168.0.0/16 +    msg-cache-slabs8 
-      private-address: 169.254.0.0/16 +    rrset-cache-slabs:
-      private-address: 172.16.0.0/12 +    infra-cache-slabs:
-      private-address: 10.0.0.0/+    key-cache-slabs:
-      private-address: fd00::/8 +    outgoing-range: 4096 
-      private-address: fe80::/10 +    num-queries-per-thread: 1024 
-      #access-control: 127.0.0.1/32 allow_snoop +    infra-cache-numhosts: 10000 
-      #access-control: ::1 allow_snoop +    prefetch: yes 
-      #access-control: 127.0.0.0/allow +    prefetch-keyyes 
-      access-control: 192.168.0.0/16 allow +    serve-expiredyes 
-      access-control: 10.0.0.0/8 allow +    serve-expired-ttl: 3600 
-      access-control: 127.0.0.1/24 allow +    so-reuseport: yes 
-      access-control: 2001:DB8::/64 allow +    edns-buffer-size: 4096 
-      aggressive-nsec: yes +    # Block private address ranges (excluding guest subnet) 
-      hide-identity: yes +    private-address: 172.0.0.0/8 
-      hide-version: yes +    private-address: 169.254.0.0/16 
-      cache-max-ttl: 14400 +    private-address: 10.0.0.0/
-      cache-min-ttl: 11000+    private-address: fd00::/8 
 +    private-address: fe80::/10 
 +    Access control for guest subnet 
 +    access-control: 127.0.0.1/32 allow 
 +    access-control: ::1 allow 
 +    access-control: 192.168.1.0/24 allow 
 +     
 +If using unbound with a pihole, let ''/etc/resolv.conf'' on the pihole host be populated by your routerIt will fill in with something like: 
 + 
 +  domain domain.com 
 +  search domain.com 
 +  nameserver 192.168.1.254
      
 In my case, I prefer traditional rotated logs with rsyslog, so I do the following: In my case, I prefer traditional rotated logs with rsyslog, so I do the following:
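Review bot: the line ''Access control for guest subnet'' in the new server block is missing the leading ''#'', so unbound will parse it as a config statement and ''unbound-checkconf'' will reject the file; it should read ''# Access control for guest subnet''. In the same hunk, ''private-address: 172.0.0.0/8'' replaces the earlier ''private-address: 172.16.0.0/12''; the /8 covers far more than RFC 1918 space, so legitimate public answers in 172.0.0.0/8 get scrubbed as rebinding attempts and those names stop resolving, with no added protection in return, so ''172.16.0.0/12'' should be kept. Several keys in the rendered hunk also appear without a value or separator (''verbosity:'', ''num-threads:'', ''rrset-cache-slabs:'', ''infra-cache-slabs:'', ''key-cache-slabs:'', ''hide-identityyes'', ''qname-minimisationyes'', ''serve-expiredyes''); this may be a rendering artifact, but it is worth confirming that the stored page has ''key: value'' on every line and running ''unbound-checkconf'' after saving.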
Line 78: Line 90:
   <if $programname == 'unbound' then /var/log/unbound/unbound.log>   <if $programname == 'unbound' then /var/log/unbound/unbound.log>
   <& stop>   <& stop>
 +  nano /etc/logrotate.d/unbound
 +  
 +In the log rotate file, enter the following:
 +
 +  /var/log/unbound/unbound.log {
 +  daily
 +  rotate 7
 +  missingok
 +  create 0640 root adm
 +  postrotate
 +  /usr/lib/rsyslog/rsyslog-rotate
 +  endscript
 +  }
  
 Additionally, some Debian systems have resolvconf installed, so many install recipes recommend disabling that service so that it does not overwrite the DNS settings we are making here. Additionally, some Debian systems have resolvconf installed, so many install recipes recommend disabling that service so that it does not overwrite the DNS settings we are making here.
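Review bot: ''create 0640 root adm'' in the logrotate stanza does not match the ''sudo chown unbound /var/log/unbound/unbound.log'' step kept further down the page, so ownership of the log flips back to root:adm after the first rotation. Because this revision drops ''logfile:'' in favour of ''use-syslog: yes'', rsyslog rather than unbound now writes the file and the chown is no longer needed; either remove that step or change the ''create'' line to match it. The stanza also lacks ''compress'', ''delaycompress'' and ''notifempty'', which the stock Debian logrotate files use. Separately, the rsyslog filter lines in the context above (''<if $programname == 'unbound' then /var/log/unbound/unbound.log>'' and ''<& stop>'') are shown wrapped in angle brackets; if those brackets are in the actual file, rsyslog will not parse the rules.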
Line 95: Line 120:
   sudo chown unbound /var/log/unbound/unbound.log   sudo chown unbound /var/log/unbound/unbound.log
      
-Enforce edns settings specified in config:+Enforce edns settings specified in config (pihole-only installations):
  
   nano /etc/dnsmasq.d/99-edns.conf   nano /etc/dnsmasq.d/99-edns.conf
   <edns-packet-max=1232>   <edns-packet-max=1232>
  
-The last step is configuring the unbound server in the pihole GUI. Alternately, you can do this without a pihole by simply specifying this address as your WAN's upstream DNS server in openWRT.+The last step is configuring the unbound server in the pihole GUI. Go to DNS > Custom and then add ''127.0.0.1#5335'' as a server and disable all the rest. Additionallydon't forget to forward requests to the pihole within openWRT. If you do everything in this tutorial: [[https://tech.haacksnetworking.org/2024/09/28/openwrt-on-two-gl-inet-mt6000s/|openWRT on GL.Inet MT6000]], you can easily add pihole support to both ipv4 and ipv6. Below, please find pics of the pihole custom DNS, and ipv4 and ipv6 settings for pihole in openWRT
 + 
 +{{ :computing:screenshot_from_2025-09-20_12-30-26.png?400 |}} 
 +{{ :computing:screenshot_from_2025-09-20_12-28-46.png?400 |}} 
 +{{ :computing:screenshot_from_2025-09-20_12-23-05.png?400 |}} 
 + 
 +Okay, that concludes the steps for setting up pihole+unbound within an openWRT environment. However, one might also want to leverage unbound for public-facing machines. For those use-cases, I enter the following config in ''/etc/unbound/unbound.conf'': 
 + 
 +  server: 
 +    # Bind to localhost only 
 +    interface: 127.0.0.1 
 +    interface: ::1 
 +    port: 53 
 +    do-ip4: yes 
 +    do-ip6: yes 
 +    prefer-ip6: yes 
 +    access-control: 127.0.0.0/8 allow 
 +    access-control: 0.0.0.0/0 refuse 
 +    access-control: ::0/0 refuse 
 +    # Optimize for 8 cores 
 +    num-threads:
 +    msg-cache-slabs:
 +    rrset-cache-slabs:
 +    infra-cache-slabs:
 +    key-cache-slabs:
 +    # Cache settings for high query volume 
 +    cache-max-ttl: 86400 
 +    cache-min-ttl: 3600 
 +    rrset-cache-size: 128m 
 +    msg-cache-size: 64m 
 +    key-cache-size: 32m 
 +    neg-cache-size: 8m 
 +    # Enable prefetch and expired responses 
 +    prefetch: yes 
 +    prefetch-key: yes 
 +    serve-expired: yes 
 +    serve-expired-ttl: 3600 
 +    # DNSSEC validation for DANE 
 +    #do-dnssec: yes 
 +    harden-dnssec-stripped: yes 
 +    harden-referral-path: yes 
 +    harden-below-nxdomain: yes 
 +    harden-algo-downgrade: no 
 +    # Performance tweaks 
 +    #so-rcvbuf: 4m 
 +    #so-sndbuf: 4m 
 +    edns-buffer-size: 1232 
 +    outgoing-range: 4096 
 +    num-queries-per-thread: 1024 
 +    jostle-timeout: 200 
 +    #low-resolver-mem: no 
 +    # Logging (minimal) 
 +    verbosity: 1 
 +    log-queries: no 
 +    log-replies: no 
 +    use-syslog: yes 
 +    # Security and privacy 
 +    hide-identity: yes 
 +    hide-version: yes 
 +    use-caps-for-id: yes 
 +    qname-minimisation: yes 
 +    harden-large-queries: yes 
 +    harden-glue: yes 
 +    aggressive-nsec: yes 
 +    # Protocol settings 
 +    do-tcp: yes 
 +    do-udp: yes 
 +    # Enable full recursion - no longer needed, retained for history 
 +    # do-not-query-localhost: no 
 +    # root-hints: "/usr/share/dns/root.hints" 
 +    # Disable subnetcache 
 +    module-config: "validator iterator" 
 +  # Forward to upstream resolvers 
 +  # forward-zone: 
 +  #    name: "." 
 +  #    forward-addr: 1.1.1.1  # Cloudflare 
 +  #    forward-addr: 8.8.8.8  # Google 
 + 
 +After that, I navigate to ''/etc/resolv.conf'' and enter the following: 
 + 
 +  nameserver ::1 
 +  nameserver 127.0.0.1 
 + 
 +And, as we already discussed, if you are using unbound without a pihole per se, you would simply adapt the lan-side configuration above and tweak where necessary.
  
- --- //[[webmaster@haacksnetworking.org|oemb1905]] 2024/11/01 03:59//+ --- //[[alerts@haacksnetworking.org|oemb1905]] 2025/09/20 18:31//
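Review bot: the public-facing ''/etc/unbound/unbound.conf'' block depends on ''module-config: "validator iterator"'' for DNSSEC, but it configures no trust anchor. On Debian the anchor is supplied by ''/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf'', which is only loaded through the ''include-toplevel:'' (on older releases ''include:'') line in the stock ''unbound.conf''; if that file is replaced wholesale with the server block shown here, the include is gone and the validator runs with no trust anchor, so nothing is actually validated and the DANE use-case the comment mentions is not served. Keep the include line or add ''auto-trust-anchor-file: "/var/lib/unbound/root.key"'', then check that ''dig @127.0.0.1 +dnssec'' for a signed zone returns the ''ad'' flag. The commented ''#do-dnssec: yes'' is not an unbound.conf keyword I am aware of and can be dropped. Finally, ''edns-buffer-size: 1232'' here disagrees with ''edns-buffer-size: 4096'' in the lan-side block of the first hunk; 1232 is the fragmentation-safe value and matches the ''edns-packet-max=1232'' dnsmasq setting, so the lan-side block should come back down to 1232 as well.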
computing/unbounddns.1730435001.txt.gz · Last modified: by oemb1905