computing:unbounddns [2024/11/01 04:29] oemb1905
computing:unbounddns [2025/09/20 18:37] (current) oemb1905
Line 14: Line 14:
  
   sudo apt install unbound   sudo apt install unbound
-  sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf+  sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf # I use for lan-side pihole+unbound installations 
 +  sudo nano /etc/unbound/unbound.conf #I use this for lan- or wan-side non-pihole installations
      
 In that file, enter something like the following, adjusting as necessary for your use-case. In that file, enter something like the following, adjusting as necessary for your use-case.
 +                                                                                                                                                                                                                      
   server:   server:
-      logfile: "/var/log/unbound/unbound.log" +    # Logging (minimal) 
-      log-time-ascii: yes +    use-syslog: yes 
-      use-syslog: yes +    verbosity:
-      directory: "/etc/unbound" +    directory: "/etc/unbound" 
-      username: unbound +    username: unbound 
-      tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt +    # Bind to all interfaces, non-standard port 
-      verbosity: 3 +    interface: 0.0.0.0 
-      interface: 0.0.0.0 +    interface: ::0 
-      interface: ::0 +    port: 5335 
-      port: 5335 +    do-ip4: yes 
-      do-ip4: yes +    do-ip6: yes 
-      do-udp: yes +    prefer-ip6: no 
-      do-tcp: yes +    do-udp: yes 
-      module-config: "validator iterator" +    do-tcp: yes 
-      do-ip6: yes +    # Module configuration 
-      prefer-ip6: no +    module-config: "validator iterator" 
-      harden-glue: yes +    # Security and DNSSEC 
-      harden-dnssec-stripped: yes +    harden-glue: yes 
-      use-caps-for-id: no +    harden-dnssec-stripped: yes 
-      edns-buffer-size1232 +    use-caps-for-id: no 
-      prefetch: yes +    aggressive-nsec: yes 
-      num-threads8 +    hide-identityyes 
-      msg-cache-slabs16 +    hide-version: yes 
-      rrset-cache-slabs16 +    qname-minimisationyes 
-      infra-cache-slabs16 +    harden-large-queries: yes 
-      key-cache-slabs16 +    # Cache settings 
-      rrset-cache-size: 512m +    cache-max-ttl86400 
-      msg-cache-size256m +    cache-min-ttl: 3600 
-      outgoing-range: 32768 +    rrset-cache-size256m 
-      num-queries-per-thread: 8192 +    msg-cache-size128m 
-      infra-cache-numhosts: 100000 +    key-cache-size64m 
-      #so-rcvbuf1m +    neg-cache-size: 16m 
-      #so-sndbuf2m +    # Performance tweaks 
-      so-reuseport: yes +    num-threads:
-      private-address: 192.168.0.0/16 +    msg-cache-slabs8 
-      private-address: 169.254.0.0/16 +    rrset-cache-slabs:
-      private-address: 172.16.0.0/12 +    infra-cache-slabs:
-      private-address: 10.0.0.0/+    key-cache-slabs:
-      private-address: fd00::/8 +    outgoing-range: 4096 
-      private-address: fe80::/10 +    num-queries-per-thread: 1024 
-      #access-control: 127.0.0.1/32 allow_snoop +    infra-cache-numhosts: 10000 
-      #access-control: ::1 allow_snoop +    prefetch: yes 
-      #access-control: 127.0.0.0/allow +    prefetch-keyyes 
-      access-control: 192.168.0.0/16 allow +    serve-expiredyes 
-      access-control: 10.0.0.0/8 allow +    serve-expired-ttl: 3600 
-      access-control: 127.0.0.1/24 allow +    so-reuseport: yes 
-      access-control: 2001:DB8::/64 allow +    edns-buffer-size: 4096 
-      aggressive-nsec: yes +    # Block private address ranges (excluding guest subnet) 
-      hide-identity: yes +    private-address: 172.0.0.0/8 
-      hide-version: yes +    private-address: 169.254.0.0/16 
-      cache-max-ttl: 14400 +    private-address: 10.0.0.0/
-      cache-min-ttl: 11000+    private-address: fd00::/8 
 +    private-address: fe80::/10 
 +    Access control for guest subnet 
 +    access-control: 127.0.0.1/32 allow 
 +    access-control: ::1 allow 
 +    access-control: 192.168.1.0/24 allow 
 +     
 +If using unbound with a pihole, let ''/etc/resolv.conf'' on the pihole host be populated by your routerIt will fill in with something like: 
 + 
 +  domain domain.com 
 +  search domain.com 
 +  nameserver 192.168.1.254
      
 In my case, I prefer traditional rotated logs with rsyslog, so I do the following: In my case, I prefer traditional rotated logs with rsyslog, so I do the following:
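Review bot: the new `private-address: 172.0.0.0/8` line in the lan-side server block is wrong: the RFC 1918 range the old config carried was 172.16.0.0/12, and a /8 covers public address space as well, so unbound will remove any A record inside 172.0.0.0/8 from answers (that is what private-address does) and break resolution of legitimate public hosts; restore `private-address: 172.16.0.0/12`. Two further problems in the same block: the added line `Access control for guest subnet` has no leading `#`, so it is not a comment and unbound will reject the file (run `unbound-checkconf` after editing), and `edns-buffer-size: 4096` disagrees with both the public config further down (1232) and the `edns-packet-max=1232` that the dnsmasq step enforces; 1232 is the value chosen to avoid IP fragmentation, so the pihole config should match it. One documentation point: `cache-min-ttl: 3600` combined with `serve-expired: yes` means records can be handed out well past the TTL the zone owner set, which is a deliberate freshness-for-speed trade and deserves a sentence saying so.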
Line 108: Line 120:
   sudo chown unbound /var/log/unbound/unbound.log   sudo chown unbound /var/log/unbound/unbound.log
      
-Enforce edns settings specified in config:+Enforce edns settings specified in config (pihole-only installations):
  
   nano /etc/dnsmasq.d/99-edns.conf   nano /etc/dnsmasq.d/99-edns.conf
   <edns-packet-max=1232>   <edns-packet-max=1232>
  
-The last step is configuring the unbound server in the pihole GUI. Alternately, you can do this without a pihole by simply specifying this address as your WAN's upstream DNS server in openWRT.+The last step is configuring the unbound server in the pihole GUI. Go to DNS > Custom and then add ''127.0.0.1#5335'' as a server and disable all the rest. Additionallydon't forget to forward requests to the pihole within openWRT. If you do everything in this tutorial: [[https://tech.haacksnetworking.org/2024/09/28/openwrt-on-two-gl-inet-mt6000s/|openWRT on GL.Inet MT6000]], you can easily add pihole support to both ipv4 and ipv6. Below, please find pics of the pihole custom DNS, and ipv4 and ipv6 settings for pihole in openWRT
 + 
 +{{ :computing:screenshot_from_2025-09-20_12-30-26.png?400 |}} 
 +{{ :computing:screenshot_from_2025-09-20_12-28-46.png?400 |}} 
 +{{ :computing:screenshot_from_2025-09-20_12-23-05.png?400 |}} 
 + 
 +Okay, that concludes the steps for setting up pihole+unbound within an openWRT environment. However, one might also want to leverage unbound for public-facing machines. For those use-cases, I enter the following config in ''/etc/unbound/unbound.conf'': 
 + 
 +  server: 
 +    # Bind to localhost only 
 +    interface: 127.0.0.1 
 +    interface: ::1 
 +    port: 53 
 +    do-ip4: yes 
 +    do-ip6: yes 
 +    prefer-ip6: yes 
 +    access-control: 127.0.0.0/8 allow 
 +    access-control: 0.0.0.0/0 refuse 
 +    access-control: ::0/0 refuse 
 +    # Optimize for 8 cores 
 +    num-threads:
 +    msg-cache-slabs:
 +    rrset-cache-slabs:
 +    infra-cache-slabs:
 +    key-cache-slabs:
 +    # Cache settings for high query volume 
 +    cache-max-ttl: 86400 
 +    cache-min-ttl: 3600 
 +    rrset-cache-size: 128m 
 +    msg-cache-size: 64m 
 +    key-cache-size: 32m 
 +    neg-cache-size: 8m 
 +    # Enable prefetch and expired responses 
 +    prefetch: yes 
 +    prefetch-key: yes 
 +    serve-expired: yes 
 +    serve-expired-ttl: 3600 
 +    # DNSSEC validation for DANE 
 +    #do-dnssec: yes 
 +    harden-dnssec-stripped: yes 
 +    harden-referral-path: yes 
 +    harden-below-nxdomain: yes 
 +    harden-algo-downgrade: no 
 +    # Performance tweaks 
 +    #so-rcvbuf: 4m 
 +    #so-sndbuf: 4m 
 +    edns-buffer-size: 1232 
 +    outgoing-range: 4096 
 +    num-queries-per-thread: 1024 
 +    jostle-timeout: 200 
 +    #low-resolver-mem: no 
 +    # Logging (minimal) 
 +    verbosity: 1 
 +    log-queries: no 
 +    log-replies: no 
 +    use-syslog: yes 
 +    # Security and privacy 
 +    hide-identity: yes 
 +    hide-version: yes 
 +    use-caps-for-id: yes 
 +    qname-minimisation: yes 
 +    harden-large-queries: yes 
 +    harden-glue: yes 
 +    aggressive-nsec: yes 
 +    # Protocol settings 
 +    do-tcp: yes 
 +    do-udp: yes 
 +    # Enable full recursion - no longer needed, retained for history 
 +    # do-not-query-localhost: no 
 +    # root-hints: "/usr/share/dns/root.hints" 
 +    # Disable subnetcache 
 +    module-config: "validator iterator" 
 +  # Forward to upstream resolvers 
 +  # forward-zone: 
 +  #    name: "." 
 +  #    forward-addr: 1.1.1.1  # Cloudflare 
 +  #    forward-addr: 8.8.8.8  # Google 
 + 
 +After that, I navigate to ''/etc/resolv.conf'' and enter the following: 
 + 
 +  nameserver ::1 
 +  nameserver 127.0.0.1 
 + 
 +And, as we already discussed, if you are using unbound without a pihole per se, you would simply adapt the lan-side configuration above and tweak where necessary.
  
- --- //[[webmaster@haacksnetworking.org|oemb1905]] 2024/11/01 03:59//+ --- //[[alerts@haacksnetworking.org|oemb1905]] 2025/09/20 18:31//
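Review bot: the `/etc/resolv.conf` step needs a caveat: on a host where DHCP, resolvconf or systemd-resolved manages that file, the two `nameserver` lines are overwritten at the next lease renewal or reboot, so the page should say how the file is kept static on this machine (or configure the resolver through whichever tool owns the file). In the dnsmasq context lines, `<edns-packet-max=1232>` reads as though the angle brackets belong in `/etc/dnsmasq.d/99-edns.conf`; dnsmasq expects the bare `edns-packet-max=1232`, so drop the brackets or mark them as a placeholder. On the public config, the block headed "DNSSEC validation for DANE" enables the `validator` module in `module-config` but no trust anchor (`auto-trust-anchor-file`) appears in the lines shown, so either it comes from an include that is not on the page or validation is not actually active; the page should state which, and how it was verified, since `harden-dnssec-stripped: yes` and the DANE use-case both depend on it.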
computing/unbounddns.1730435381.txt.gz · Last modified: by oemb1905