------------------------------------------- * **unbounddns** * **Jonathan Haack** * **Haack's Networking** * **netcmnd@jonathanhaack.com** ------------------------------------------- //unbounddns// ------------------------------------------- This tutorial is for users of Debian GNU/Linux who want to run their own recursive DNS server using the [[https://unbound.docs.nlnetlabs.nl/en/latest/index.html|Unbound project]]. In this scenario, I am using GL.iNet MT6000 router and a separate AP. The router handles all dhcp/dns for the LAN / private subnet. In the openWRT config on the router's dhcp server, I specify two custom DNS servers in Interfaces / LAN / DHCP Server / Advanced / ''6,10.1.1.100,10.1.1.101''. These DNS servers are Debian VMs on two different production servers in the home office space; each of them is running a pihole server. The pihole-FTL takes care of adblocking and DNS sinkhole duties. If left with default settings, it uses your specified third-party DNS servers for upstream requests (Level 3, Cloudflare, etc.). This tutorial is how to replace those third-party DNS servers with Unbound, running locally on each pihole and on port 5335 instead of port 53, which is already used by pihole-FTL. sudo apt install unbound sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf In that file, enter something like the following, adjusting as necessary for your use-case. server: logfile: "/var/log/unbound/unbound.log" log-time-ascii: yes use-syslog: yes directory: "/etc/unbound" username: unbound tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt verbosity: 3 interface: 0.0.0.0 interface: ::0 port: 5335 do-ip4: yes do-udp: yes do-tcp: yes module-config: "validator iterator" do-ip6: yes prefer-ip6: no harden-glue: yes harden-dnssec-stripped: yes use-caps-for-id: no edns-buffer-size: 1232 prefetch: yes num-threads: 8 msg-cache-slabs: 16 rrset-cache-slabs: 16 infra-cache-slabs: 16 key-cache-slabs: 16 rrset-cache-size: 512m msg-cache-size: 256m outgoing-range: 32768 num-queries-per-thread: 8192 infra-cache-numhosts: 100000 #so-rcvbuf: 1m #so-sndbuf: 2m so-reuseport: yes private-address: 192.168.0.0/16 private-address: 169.254.0.0/16 private-address: 172.16.0.0/12 private-address: 10.0.0.0/8 private-address: fd00::/8 private-address: fe80::/10 #access-control: 127.0.0.1/32 allow_snoop #access-control: ::1 allow_snoop #access-control: 127.0.0.0/8 allow access-control: 192.168.0.0/16 allow access-control: 10.0.0.0/8 allow access-control: 127.0.0.1/24 allow access-control: 2001:DB8::/64 allow aggressive-nsec: yes hide-identity: yes hide-version: yes cache-max-ttl: 14400 cache-min-ttl: 11000 In my case, I prefer traditional rotated logs with rsyslog, so I do the following: sudo apt install rsyslog sudo nano /etc/rsyslog.d/unbound.conf <& stop> nano /etc/logrotate.d/unbound In the log rotate file, enter the following: /var/log/unbound/unbound.log { daily rotate 7 missingok create 0640 root adm postrotate /usr/lib/rsyslog/rsyslog-rotate endscript } Additionally, some Debian systems have resolvconf installed, so many install recipes recommend disabling that service so that it does not overwrite the DNS settings we are making here. systemctl disable --now unbound-resolvconf.service sed -Ei 's/^unbound_conf=/#unbound_conf=/' /etc/resolvconf.conf rm /etc/unbound/unbound.conf.d/resolvconf_resolvers.conf To make sure logs are working properly: nano /etc/apparmor.d/local/usr.sbin.unbound sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.unbound sudo service apparmor restart sudo mkdir -p /var/log/unbound sudo touch /var/log/unbound/unbound.log sudo chown unbound /var/log/unbound/unbound.log Enforce edns settings specified in config: nano /etc/dnsmasq.d/99-edns.conf The last step is configuring the unbound server in the pihole GUI. Alternately, you can do this without a pihole by simply specifying this address as your WAN's upstream DNS server in openWRT. --- //[[webmaster@haacksnetworking.org|oemb1905]] 2024/11/01 03:59//