Goldbolt at 14:35, 3 January 2019

2019-01-03T14:35:24Z

Goldbolt: Created page with "Unbound is a validating, recursive and caching DNS server designed for high performance. It was released on May 20, 2008 (version 1.0.0) as free software licensed under the BS..."

2019-01-03T14:31:24Z

Created page with "Unbound is a validating, recursive and caching DNS server designed for high performance. It was released on May 20, 2008 (version 1.0.0) as free software licensed under the BS..."

New page

Unbound is a validating, recursive and caching DNS server designed for high performance. It was released on May 20, 2008 (version 1.0.0) as free software licensed under the BSD license by NLnet Labs, Verisign Inc., Nominet, and Kirei. It is installed as part of the base system in FreeBSD starting with version 10.0, and in NetBSD with version 8.0. A version is also available in OpenBSD version 5.6 and beyond. (Previous versions of FreeBSD shipped with BIND.) The default config file is <code>/usr/local/etc/unbound/unbound.conf</code> in FreeBSD and <code>/etc/unbound/unbound.conf</code> in Linux. Port 53 needs to be open in your router and in the local firewall.

=DNS Resolving Cache=

This can be used as a DNS cache to serve local or external DNS queries. It can also be used to block advertisements.

Custom DNS domains can be set within Unbound as well. This is a basic A record:

local-data: "xboxone.local IN A 192.168.1.139"

A PTR record can also be set for external queries. Please note that your ISP may block these.

local-data-ptr: "68.225.35.119 server.domain.com"

A root hints file is required as well. You can <code>wget</code> this [https://www.internic.net/domain/named.root here]

In order to block most advertisements, <code>include:</code> is needed. [https://tbpchan.cz/blackhole.zone Here] is the TBP blackhole.zone file for download. Be sure to include it in the <code>/usr/local/etc/unbound/unbound.conf</code> file. Here's a complete config setup:

## Unbound config file
server:
# Zone file
include: /usr/local/etc/unbound/blackhole.zone
# List of valid clients
port: 53
include: /usr/local/etc/unbound/users.conf
# Enable IPv4, "yes" or "no".
do-ip4: yes
# Enable IPv6, "yes" or "no".
do-ip6: yes
# Enable UDP, "yes" or "no".
do-udp: yes
do-tcp: yes
harden-dnssec-stripped: yes
rrset-cache-size: 2048m
msg-cache-size: 1024m
so-rcvbuf: 1m
val-permissive-mode: yes
# Verbosity to zero - we don't log
verbosity: 0
use-syslog: no
# Specify interfaces
interface: 0.0.0.0
interface: ::0
# Our root hints file
root-hints: /usr/local/etc/unbound/root.hints
auto-trust-anchor-file: "root.key"
# Hide/block identity and version
hide-identity: yes
hide-version: yes
# Trust glue only if it is within the servers authority.
harden-glue: yes
# Require DNSSEC data for trust-anchored zones
harden-dnssec-stripped: yes
# Use 0x20-encoded random bits in the query to help prevent spoofs
use-caps-for-id: yes
# Specify caching TTLs
cache-min-ttl: 360
cache-max-ttl: 8640
# Perform prefetching of close to expired message cache entries.
prefetch: yes
minimal-responses: yes
qname-minimisation: yes
rrset-roundrobin: yes
num-threads: 8
# Do not allow localhost to use the forwarder
do-not-query-localhost: yes
ssl-upstream: yes
# Specify servers for forwarding to
forward-zone:
name:"."
forward-addr: 1.1.1.1@853 #Cloudflare DNS over TLS
forward-addr: 1.0.0.1@853 #Cloudflare DNS over TLS
forward-addr: 9.9.9.9@853 #IBM IPv6 Quad9 over TLS
forward-addr: 149.112.112.112@853 #IBM IPv6 Quad9 over TLS
forward-addr: 2606:4700:4700::1111@853 #IPv6 Cloudflare DNS over TLS
forward-addr: 2606:4700:4700::1001@853 #IPv6 Cloudflare DNS over TLS

# forward-addr: 68.1.16.108
# forward-addr: 68.1.16.107
# forward-addr: 208.67.222.222
# forward-addr: 208.67.220.220
# forward-addr: 172.98.193.42
# forward-addr: 192.99.85.244
# forward-addr: 1.1.1.1 # Cloudflare
# forward-addr: 1.0.0.1 # Cloudflare
# forward-addr: 8.8.4.4 # Google
# forward-addr: 8.8.8.8 # Google
# forward-addr: 37.235.1.174 # FreeDNS
# forward-addr: 37.235.1.177 # FreeDNS
# forward-addr: 64.6.64.6 # Verisign
# forward-addr: 64.6.65.6 # Verisign
# forward-addr: 74.82.42.42 # Hurricane Electric
# forward-addr: 84.200.69.80 # DNS Watch
# forward-addr: 84.200.70.40 # DNS Watch
# forward-addr: 91.239.100.100 # censurfridns.dk
# forward-addr: 109.69.8.51 # puntCAT
# forward-addr: 208.67.222.220 # OpenDNS
# forward-addr: 208.67.222.222 # OpenDNS
# forward-addr: 216.146.35.35 # Dyn Public
# forward-addr: 216.146.36.36 # Dyn Public
remote-control:
# Enable remote control with unbound-control(8) here.
# set up the keys and certificates with unbound-control-setup.
control-enable: yes

# what interfaces are listened to for remote control.
# give 0.0.0.0 and ::0 to listen to all interfaces.
control-interface: 127.0.0.1

# port number for remote control operations.
control-port: 8953

# unbound server key file.
server-key-file: "/usr/local/etc/unbound/unbound_server.key"

# unbound server certificate file.
server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"

# unbound-control key file.
control-key-file: "/usr/local/etc/unbound/unbound_control.key"

# unbound-control certificate file.
control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"

← Older revision		Revision as of 14:35, 3 January 2019
Line 1:		Line 1:
−	Unbound is a validating, recursive and caching DNS server designed for high performance. It was released on May 20, 2008 (version 1.0.0) as free software licensed under the BSD license by NLnet Labs, Verisign Inc., Nominet, and Kirei. It is installed as part of the base system in FreeBSD starting with version 10.0, and in NetBSD with version 8.0. A version is also available in OpenBSD version 5.6 and beyond. (Previous versions of FreeBSD shipped with BIND.) The default config file is <code>/usr/local/etc/unbound/unbound.conf</code> in FreeBSD and <code>/etc/unbound/unbound.conf</code> in Linux. Port 53 needs to be open in your router and in the local firewall.	+	Unbound is a validating, recursive and caching DNS server designed for high performance. It was released on May 20, 2008 (version 1.0.0) as free software licensed under the BSD license by NLnet Labs, Verisign Inc., Nominet, and Kirei. It is installed as part of the base system in FreeBSD starting with version 10.0, and in NetBSD with version 8.0. A version is also available in OpenBSD version 5.6 and beyond. (Previous versions of FreeBSD shipped with BIND.) The default config file is <code>/usr/local/etc/unbound/unbound.conf</code> in FreeBSD and <code>/etc/unbound/unbound.conf</code> in Linux. Port 53 needs to be open in your router and in the local firewall. A better walkthrough is located [https://calomel.org/unbound_dns.html here].

Unbound - Revision history

Goldbolt at 14:35, 3 January 2019

Goldbolt: Created page with "Unbound is a validating, recursive and caching DNS server designed for high performance. It was released on May 20, 2008 (version 1.0.0) as free software licensed under the BS..."