Differences

This shows you the differences between two versions of the page.

--- computing:unbounddns [2025/05/04 06:01] – oemb1905
+++ computing:unbounddns [2025/09/20 18:37] (current) – oemb1905
@@ Line 14: / Line 14: @@
   sudo apt install unbound
-  sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf
+  sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf # I use for lan-side pihole+unbound installations
+  sudo nano /etc/unbound/unbound.conf #I use this for lan- or wan-side non-pihole installations
 In that file, enter something like the following, adjusting as necessary for your use-case.
+  server:
+    # Logging (minimal)
+    use-syslog: yes
+    verbosity: 1
+    directory: "/etc/unbound"
+    username: unbound
+    # Bind to all interfaces, non-standard port
+    interface: 0.0.0.0
+    interface: ::0
+    port: 5335
+    do-ip4: yes
+    do-ip6: yes
+    prefer-ip6: no
+    do-udp: yes
+    do-tcp: yes
+    # Module configuration
+    module-config: "validator iterator"
+    # Security and DNSSEC
+    harden-glue: yes
+    harden-dnssec-stripped: yes
+    use-caps-for-id: no
+    aggressive-nsec: yes
+    hide-identity: yes
+    hide-version: yes
+    qname-minimisation: yes
+    harden-large-queries: yes
+    # Cache settings
+    cache-max-ttl: 86400
+    cache-min-ttl: 3600
+    rrset-cache-size: 256m
+    msg-cache-size: 128m
+    key-cache-size: 64m
+    neg-cache-size: 16m
+    # Performance tweaks
+    num-threads: 8
+    msg-cache-slabs: 8
+    rrset-cache-slabs: 8
+    infra-cache-slabs: 8
+    key-cache-slabs: 8
+    outgoing-range: 4096
+    num-queries-per-thread: 1024
+    infra-cache-numhosts: 10000
+    prefetch: yes
+    prefetch-key: yes
+    serve-expired: yes
+    serve-expired-ttl: 3600
+    so-reuseport: yes
+    edns-buffer-size: 4096
+    # Block private address ranges (excluding guest subnet)
+    private-address: 172.0.0.0/8
+    private-address: 169.254.0.0/16
+    private-address: 10.0.0.0/8
+    private-address: fd00::/8
+    private-address: fe80::/10
+    # Access control for guest subnet
+    access-control: 127.0.0.1/32 allow
+    access-control: ::1 allow
+    access-control: 192.168.1.0/24 allow
+If using unbound with a pihole, let ''/etc/resolv.conf'' on the pihole host be populated by your router. It will fill in with something like:
-  server:
+  domain domain.com
-      logfile: "/var/log/unbound/unbound.log"
+  search domain.com
-      log-time-ascii: yes
+  nameserver 192.168.1.254
-      use-syslog: yes
-      directory: "/etc/unbound"
-      username: unbound
-      tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
-      verbosity: 3
-      interface: 0.0.0.0
-      interface: ::0
-      port: 5335
-      do-ip4: yes
-      do-udp: yes
-      do-tcp: yes
-      module-config: "validator iterator"
-      do-ip6: yes
-      prefer-ip6: no
-      harden-glue: yes
-      harden-dnssec-stripped: yes
-      use-caps-for-id: no
-      edns-buffer-size: 1232
-      prefetch: yes
-      num-threads: 8
-      msg-cache-slabs: 16
-      rrset-cache-slabs: 16
-      infra-cache-slabs: 16
-      key-cache-slabs: 16
-      rrset-cache-size: 512m
-      msg-cache-size: 256m
-      outgoing-range: 32768
-      num-queries-per-thread: 8192
-      infra-cache-numhosts: 100000
-      #so-rcvbuf: 1m
-      #so-sndbuf: 2m
-      so-reuseport: yes
-      private-address: 192.168.0.0/16
-      private-address: 169.254.0.0/16
-      private-address: 172.16.0.0/12
-      private-address: 10.0.0.0/8
-      private-address: fd00::/8
-      private-address: fe80::/10
-      #access-control: 127.0.0.1/32 allow_snoop
-      #access-control: ::1 allow_snoop
-      #access-control: 127.0.0.0/8 allow
-      access-control: 192.168.0.0/16 allow
-      access-control: 10.0.0.0/8 allow
-      access-control: 127.0.0.1/24 allow
-      access-control: 2001:DB8::/64 allow
-      aggressive-nsec: yes
-      hide-identity: yes
-      hide-version: yes
-      cache-max-ttl: 14400
-      cache-min-ttl: 11000
 In my case, I prefer traditional rotated logs with rsyslog, so I do the following:
@@ Line 108: / Line 120: @@
   sudo chown unbound /var/log/unbound/unbound.log
-Enforce edns settings specified in config:
+Enforce edns settings specified in config (pihole-only installations):
   nano /etc/dnsmasq.d/99-edns.conf
   <edns-packet-max=1232>
-The last step is configuring the unbound server in the pihole GUI. Alternately, you can do this without a pihole by simply specifying this address as your WAN's upstream DNS server in openWRT. Alright, and in case you don't need LAN-based DNS, but just want a public facing virtual appliance to use its own DNS, just install unbound and enter the following in ''/etc/unbound/unbound.conf'':
+The last step is configuring the unbound server in the pihole GUI. Go to DNS > Custom and then add ''127.0.0.1#5335'' as a server and disable all the rest. Additionally, don't forget to forward requests to the pihole within openWRT. If you do everything in this tutorial: [[https://tech.haacksnetworking.org/2024/09/28/openwrt-on-two-gl-inet-mt6000s/|openWRT on GL.Inet MT6000]], you can easily add pihole support to both ipv4 and ipv6. Below, please find pics of the pihole custom DNS, and ipv4 and ipv6 settings for pihole in openWRT:
-  server:
+{{ :computing:screenshot_from_2025-09-20_12-30-26.png?400 |}}
-      interface: 127.0.0.1
+{{ :computing:screenshot_from_2025-09-20_12-28-46.png?400 |}}
-      cache-max-ttl: 14400
+{{ :computing:screenshot_from_2025-09-20_12-23-05.png?400 |}}
-      cache-min-ttl: 1200
-      num-threads: 4
-      msg-cache-slabs: 8
-      rrset-cache-slabs: 8
-      infra-cache-slabs: 8
-      key-cache-slabs: 8
-      rrset-cache-size: 256m
-      msg-cache-size: 128m
-      #prefetch: yes
-      harden-dnssec-stripped: yes
-      use-syslog: yes
-      aggressive-nsec: yes
-      hide-identity: yes
-      hide-version: yes
-      use-caps-for-id: yes
-      do-tcp: yes
-      do-udp: yes
-Then, just add ''nameserver 127.0.0.1'' to /etc/resolv.conf. This latter step only works on classic/minimal Debian. Use netplan properly and/or resolvconf package and the correct ''.d'' directory if not using proper DNS management.The latest wan-based is:
+Okay, that concludes the steps for setting up pihole+unbound within an openWRT environment. However, one might also want to leverage unbound for public-facing machines. For those use-cases, I enter the following config in ''/etc/unbound/unbound.conf'':
-  include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
   server:
     # Bind to localhost only
@@ Line 149: / Line 143: @@
     access-control: 127.0.0.0/8 allow
     access-control: 0.0.0.0/0 refuse
     access-control: ::0/0 refuse
     # Optimize for 8 cores
     num-threads: 4
@@ Line 203: / Line 197: @@
     # Disable subnetcache
     module-config: "validator iterator"
-    # Forward to upstream resolvers
+  # Forward to upstream resolvers
-    # forward-zone:
+  # forward-zone:
-    #    name: "."
+  #    name: "."
-    #    forward-addr: 1.1.1.1  # Cloudflare
+  #    forward-addr: 1.1.1.1  # Cloudflare
-    #    forward-addr: 8.8.8.8  # Google
+  #    forward-addr: 8.8.8.8  # Google
-    #legacy
-    #server:
-    #    interface: 127.0.0.1
-    #    cache-max-ttl: 14400
-    #    cache-min-ttl: 1200
-    #    num-threads: 4
-    #    msg-cache-slabs: 8
-    #    rrset-cache-slabs: 8
-    #    infra-cache-slabs: 8
-    #    key-cache-slabs: 8
-    #    rrset-cache-size: 256m
-    #    msg-cache-size: 128m
-    #    #prefetch: yes
-    #    harden-dnssec-stripped: yes
-    #    use-syslog: yes
-    #    aggressive-nsec: yes
-    #    hide-identity: yes
-    #    hide-version: yes
-    #    use-caps-for-id: yes
-    #    do-tcp: yes
-    #    do-udp: yes
-    #    do-ip4: yes
-    #    do-ip6: yes
-    #    prefer-ip6: no
-And now, the current lan-based config, in ''sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf'' is:
-  server:
+After that, I navigate to ''/etc/resolv.conf'' and enter the following:
-    # Logging (minimal)
-    use-syslog: yes
+  nameserver ::1
-    verbosity: 1
+  nameserver 127.0.0.1
-    directory: "/etc/unbound"
-    username: unbound
+And, as we already discussed, if you are using unbound without a pihole per se, you would simply adapt the lan-side configuration above and tweak where necessary.
-    # Bind to all interfaces, non-standard port
-    interface: 0.0.0.0
-    interface: ::0
-    port: 5335
-    do-ip4: yes
-    do-ip6: yes
-    prefer-ip6: no
-    do-udp: yes
-    do-tcp: yes
-    # Module configuration
-    module-config: "validator iterator"
-    # Security and DNSSEC
-    harden-glue: yes
-    harden-dnssec-stripped: yes
-    use-caps-for-id: no
-    aggressive-nsec: yes
-    hide-identity: yes
-    hide-version: yes
-    qname-minimisation: yes
-    harden-large-queries: yes
-    # Cache settings
-    cache-max-ttl: 86400
-    cache-min-ttl: 3600
-    rrset-cache-size: 256m
-    msg-cache-size: 128m
-    key-cache-size: 64m
-    neg-cache-size: 16m
-    # Performance tweaks
-    num-threads: 8
-    msg-cache-slabs: 8
-    rrset-cache-slabs: 8
-    infra-cache-slabs: 8
-    key-cache-slabs: 8
-    outgoing-range: 4096
-    num-queries-per-thread: 1024
-    infra-cache-numhosts: 10000
-    prefetch: yes
-    prefetch-key: yes
-    serve-expired: yes
-    serve-expired-ttl: 3600
-    so-reuseport: yes
-    edns-buffer-size: 4096
-    # Block private address ranges (excluding own subnets)
-    private-address: 192.168.0.0/16
-    private-address: 169.254.0.0/16
-    private-address: 172.16.0.0/12
-    private-address: fd00::/8
-    private-address: fe80::/10
-    # Access control for LAN and VPN subnets
-    access-control: 127.0.0.1/32 allow
-    access-control: ::1 allow
-    access-control: 10.67.67.0/24 allow
-    access-control: 10.99.99.0/24 allow
- --- //[[alerts@haacksnetworking.org|oemb1905]] 2025/04/04 03:20//
+ --- //[[alerts@haacksnetworking.org|oemb1905]] 2025/09/20 18:31//

Haack's Wiki

User Tools

Site Tools

Differences

Page Tools