computing:unbounddns

computing:unbounddns [2025/09/20 18:31] oemb1905computing:unbounddns [2025/09/20 18:37] (current) oemb1905
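--- a/computing:unbounddns
+++ b/computing:unbounddns
@@ -68,5 +68,5 @@
     edns-buffer-size: 4096
     # Block private address ranges (excluding guest subnet)
-    private-address: 192.168.0.0/16
+    private-address: 172.0.0.0/8
     private-address: 169.254.0.0/16
     private-address: 10.0.0.0/8
@@ -131,5 +131,5 @@
 {{ :computing:screenshot_from_2025-09-20_12-23-05.png?400 |}}
 
-Alrightand in case you don't need LAN-based DNSbut just want public facing virtual appliance to use its own DNSjust install unbound and enter the following in ''/etc/unbound/unbound.conf'':
+Okaythat concludes the steps for setting up pihole+unbound within an openWRT environment. Howeverone might also want to leverage unbound for public-facing machines. For those use-casesenter the following config in ''/etc/unbound/unbound.conf'':
 
   server:
@@ -203,166 +203,10 @@
   #    forward-addr: 8.8.8.8  # Google
 
-After that, navigate to ''/etc/resolv.conf'' and enter the following:
+After that, navigate to ''/etc/resolv.conf'' and enter the following:
 
   nameserver ::1
   nameserver 127.0.0.1
 
-Ifinstead, you are trying to setup unbound to work locallythen you would adopt something more like the following. This configuration is a valid starting point whether you are doing a pihole+unbound or unbound on its own (or with other DNS management).
+Andas we already discussedif you are using unbound without a pihole per se, you would simply adapt the lan-side configuration above and tweak where necessary.
 
-  server:
-    # Bind to localhost only
-    interface: 127.0.0.1
-    interface: ::1
-    port: 53
-    do-ip4: yes
-    do-ip6: yes
-    prefer-ip6: yes
-    access-control: 127.0.0.0/8 allow
-    access-control: 0.0.0.0/0 refuse
-    access-control: ::0/0 refuse
-    # Optimize for 8 cores
-    num-threads:
-    msg-cache-slabs:
-    rrset-cache-slabs:
-    infra-cache-slabs:
-    key-cache-slabs:
-    # Cache settings for high query volume
-    cache-max-ttl: 86400
-    cache-min-ttl: 3600
-    rrset-cache-size: 128m
-    msg-cache-size: 64m
-    key-cache-size: 32m
-    neg-cache-size: 8m
-    # Enable prefetch and expired responses
-    prefetch: yes
-    prefetch-key: yes
-    serve-expired: yes
-    serve-expired-ttl: 3600
-    # DNSSEC validation for DANE
-    #do-dnssec: yes
-    harden-dnssec-stripped: yes
-    harden-referral-path: yes
-    harden-below-nxdomain: yes
-    harden-algo-downgrade: no
-    # Performance tweaks
-    #so-rcvbuf: 4m
-    #so-sndbuf: 4m
-    edns-buffer-size: 1232
-    outgoing-range: 4096
-    num-queries-per-thread: 1024
-    jostle-timeout: 200
-    #low-resolver-mem: no
-    # Logging (minimal)
-    verbosity: 1
-    log-queries: no
-    log-replies: no
-    use-syslog: yes
-    # Security and privacy
-    hide-identity: yes
-    hide-version: yes
-    use-caps-for-id: yes
-    qname-minimisation: yes
-    harden-large-queries: yes
-    harden-glue: yes
-    aggressive-nsec: yes
-    # Protocol settings
-    do-tcp: yes
-    do-udp: yes
-    # Enable full recursion - no longer needed, retained for history
-    # do-not-query-localhost: no
-    # root-hints: "/usr/share/dns/root.hints"
-    # Disable subnetcache
-    module-config: "validator iterator"
-    # Forward to upstream resolvers
-    # forward-zone:
-    #    name: "."
-    #    forward-addr: 1.1.1.1  # Cloudflare
-    #    forward-addr: 8.8.8.8  # Google
-    #legacy
-    #server:
-    #    interface: 127.0.0.1
-    #    cache-max-ttl: 14400
-    #    cache-min-ttl: 1200
-    #    num-threads:
-    #    msg-cache-slabs:
-    #    rrset-cache-slabs:
-    #    infra-cache-slabs:
-    #    key-cache-slabs:
-    #    rrset-cache-size: 256m
-    #    msg-cache-size: 128m
-    #    #prefetch: yes
-    #    harden-dnssec-stripped: yes
-    #    use-syslog: yes
-    #    aggressive-nsec: yes
-    #    hide-identity: yes
-    #    hide-version: yes
-    #    use-caps-for-id: yes
-    #    do-tcp: yes
-    #    do-udp: yes
-    #    do-ip4: yes
-    #    do-ip6: yes
-    #    prefer-ip6: no
-  
-And now, the current lan-based config, in ''sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf'' is:
-
-  server:
-    # Logging (minimal)
-    use-syslog: yes
-    verbosity: 1
-    directory: "/etc/unbound"
-    username: unbound
-    # Bind to all interfaces, non-standard port
-    interface: 0.0.0.0
-    interface: ::0
-    port: 5335
-    do-ip4: yes
-    do-ip6: yes
-    prefer-ip6: no
-    do-udp: yes
-    do-tcp: yes
-    # Module configuration
-    module-config: "validator iterator"
-    # Security and DNSSEC
-    harden-glue: yes
-    harden-dnssec-stripped: yes
-    use-caps-for-id: no
-    aggressive-nsec: yes
-    hide-identity: yes
-    hide-version: yes
-    qname-minimisation: yes
-    harden-large-queries: yes
-    # Cache settings
-    cache-max-ttl: 86400
-    cache-min-ttl: 3600
-    rrset-cache-size: 256m
-    msg-cache-size: 128m
-    key-cache-size: 64m
-    neg-cache-size: 16m
-    # Performance tweaks
-    num-threads:
-    msg-cache-slabs:
-    rrset-cache-slabs:
-    infra-cache-slabs:
-    key-cache-slabs:
-    outgoing-range: 4096
-    num-queries-per-thread: 1024
-    infra-cache-numhosts: 10000
-    prefetch: yes
-    prefetch-key: yes
-    serve-expired: yes
-    serve-expired-ttl: 3600
-    so-reuseport: yes
-    edns-buffer-size: 4096
-    # Block private address ranges (excluding own subnets)
-    private-address: 192.168.0.0/16
-    private-address: 169.254.0.0/16
-    private-address: 172.16.0.0/12
-    private-address: fd00::/8
-    private-address: fe80::/10
-    # Access control for LAN and VPN subnets
-    access-control: 127.0.0.1/32 allow
-    access-control: ::1 allow
-    access-control: 10.67.67.0/24 allow
-    access-control: 10.99.99.0/24 allow
-
- --- //[[alerts@haacksnetworking.org|oemb1905]] 2025/04/04 03:20//
+ --- //[[alerts@haacksnetworking.org|oemb1905]] 2025/09/20 18:31//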
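Review bot: `private-address: 172.0.0.0/8` in the Line 68 hunk is not a private range; RFC 1918 reserves 172.16.0.0/12, which is also what the duplicate config removed further down in this same diff listed. Because `private-address` makes unbound strip any answer that resolves into a listed block (its DNS-rebinding protection), a full /8 also covers public space in 172.0.0.0–172.15.255.255 and 172.32.0.0–172.255.255.255, so Internet hosts there will stop resolving through this server. Dropping `private-address: 192.168.0.0/16` likewise turns rebinding protection off for that whole range rather than only for the guest subnet; if a LAN zone legitimately returns such addresses, Unbound's `private-domain: "<your-lan-zone>"` allows that zone while keeping the block for everything else. Suggested lines: `private-address: 172.16.0.0/12` and `private-address: 192.168.0.0/16`.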