Unbound

From TBP Wiki

Unbound is a validating, recursive and caching DNS server designed for high performance. It was released on May 20, 2008 (version 1.0.0) as free software licensed under the BSD license by NLnet Labs, Verisign Inc., Nominet, and Kirei. It is installed as part of the base system in FreeBSD starting with version 10.0, and in NetBSD starting with version 8.0. A version is also available in OpenBSD version 5.6 and beyond. (Previous versions of FreeBSD shipped with BIND.) The default config file is /usr/local/etc/unbound/unbound.conf for the FreeBSD port (the base-system local_unbound reads /var/unbound/unbound.conf instead) and /etc/unbound/unbound.conf on Linux. Port 53, UDP and TCP, needs to be open in the local firewall for the clients that will use the resolver. Do not forward it from the Internet side of your router unless you mean to run a public resolver: an Unbound that answers everyone is an open resolver that gets abused for DNS amplification. Unbound refuses queries from anything but localhost by default; the access-control lines you allow in users.conf decide who else may query it, so keep them to your own networks. A more detailed walkthrough is located here.


DNS Resolving Cache

This can be used as a DNS cache to serve local or external DNS queries. It can also be used to block advertisements.

Custom DNS names can be set within Unbound as well, using local-data. This is a basic A record:

   local-data: "xboxone.local IN A 192.168.1.139"

A PTR record (reverse lookup) can be added with local-data-ptr. Such an entry is only seen by the clients of this resolver; the PTR that the rest of the Internet sees for a public address is published by whoever controls its reverse zone, normally your ISP, so do not expect it to be honoured anywhere else.

   local-data-ptr: "68.225.35.119 server.domain.com"

A root hints file is used as well. Unbound ships with a compiled-in copy, so the file is optional, and it only matters when Unbound recurses from the root itself; with a forward-zone for "." as in the configuration below, every query goes to the forwarders instead. You can wget a current copy here.

To block most advertisements, an include: directive that pulls in a blackhole zone file is needed. Here is the TBP blackhole.zone file for download. Be sure to include it in the /usr/local/etc/unbound/unbound.conf file. Here's a complete config setup:

   ## Unbound config file
   server:
       # Zone file with the local-zone/local-data entries that sink ad domains
       include: /usr/local/etc/unbound/blackhole.zone
       port: 53
       # List of valid clients (access-control lines). Unbound refuses all
       # but localhost unless a client range is allowed in this file.
       include: /usr/local/etc/unbound/users.conf
       # Enable IPv4, "yes" or "no".
       do-ip4: yes
       # Enable IPv6, "yes" or "no".
       do-ip6: yes
       # Enable UDP and TCP, "yes" or "no".
       do-udp: yes
       do-tcp: yes
       rrset-cache-size: 2048m
       msg-cache-size: 1024m
       so-rcvbuf: 1m
       # "yes" would hand back answers that fail DNSSEC validation as if they
       # were merely insecure, which defeats the trust anchor configured below.
       val-permissive-mode: no
       # Verbosity to zero - we don't log
       verbosity: 0
       use-syslog: no
       # Specify interfaces (all of them; users.conf decides who may query)
       interface: 0.0.0.0
       interface: ::0
       # Our root hints file
       root-hints: /usr/local/etc/unbound/root.hints
       # Root trust anchor, kept up to date by unbound-anchor(8); the path is
       # relative to Unbound's working directory
       auto-trust-anchor-file: "root.key"
       # Hide/block identity and version
       hide-identity: yes
       hide-version: yes
       # Trust glue only if it is within the server's authority.
       harden-glue: yes
       # Require DNSSEC data for trust-anchored zones
       harden-dnssec-stripped: yes
       # Use 0x20-encoded random bits in the query to help prevent spoofs
       use-caps-for-id: yes
       # Specify caching TTLs, in seconds. cache-min-ttl overrides shorter
       # upstream TTLs, so a changed record may be served stale for up to 360 s.
       cache-min-ttl: 360
       cache-max-ttl: 8640
       # Perform prefetching of close to expired message cache entries.
       prefetch: yes
       minimal-responses: yes
       qname-minimisation: yes
       rrset-roundrobin: yes
       num-threads: 8
       # Never send upstream queries to 127.0.0.0/8 or ::1
       do-not-query-localhost: yes
       # Talk TLS to the forwarders (newer releases also accept the spelling
       # tls-upstream). Without a CA bundle the forwarder's certificate is not
       # verified and the TLS session can be intercepted, so the bundle is not
       # optional; the path is OS-specific (FreeBSD with ca_root_nss shown).
       ssl-upstream: yes
       tls-cert-bundle: /usr/local/share/certs/ca-root-nss.crt

   # Specify servers for forwarding to. The name after '#' is the TLS
   # authentication name the certificate is checked against; adjust it if
   # your forwarder publishes a different one.
   forward-zone:
       name: "."
       forward-addr: 1.1.1.1@853#cloudflare-dns.com              # Cloudflare DNS over TLS
       forward-addr: 1.0.0.1@853#cloudflare-dns.com              # Cloudflare DNS over TLS
       forward-addr: 9.9.9.9@853#dns.quad9.net                   # Quad9 DNS over TLS
       forward-addr: 149.112.112.112@853#dns.quad9.net           # Quad9 DNS over TLS
       forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com # IPv6 Cloudflare DNS over TLS
       forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com # IPv6 Cloudflare DNS over TLS

       # Plain port-53 forwarders, kept for reference. They only work with
       # ssl-upstream: no, since that setting applies to every forward-addr.
       #forward-addr: 68.1.16.108
       #forward-addr: 68.1.16.107
       #forward-addr: 208.67.222.222
       #forward-addr: 208.67.220.220
       #forward-addr: 172.98.193.42
       #forward-addr: 192.99.85.244
       #forward-addr: 1.1.1.1        # Cloudflare
       #forward-addr: 1.0.0.1        # Cloudflare
       #forward-addr: 8.8.4.4        # Google
       #forward-addr: 8.8.8.8        # Google
       #forward-addr: 37.235.1.174   # FreeDNS
       #forward-addr: 37.235.1.177   # FreeDNS
       #forward-addr: 64.6.64.6      # Verisign
       #forward-addr: 64.6.65.6      # Verisign
       #forward-addr: 74.82.42.42    # Hurricane Electric
       #forward-addr: 84.200.69.80   # DNS Watch
       #forward-addr: 84.200.70.40   # DNS Watch
       #forward-addr: 91.239.100.100 # censurfridns.dk
       #forward-addr: 109.69.8.51    # puntCAT
       #forward-addr: 208.67.222.220 # OpenDNS
       #forward-addr: 208.67.222.222 # OpenDNS
       #forward-addr: 216.146.35.35  # Dyn Public
       #forward-addr: 216.146.36.36  # Dyn Public

   remote-control:
       # Enable remote control with unbound-control(8) here.
       # Set up the keys and certificates with unbound-control-setup.
       control-enable: yes

       # What interfaces are listened to for remote control.
       # Give 0.0.0.0 and ::0 to listen on all interfaces; localhost only is
       # the safe choice, since unbound-control can reconfigure the daemon.
       control-interface: 127.0.0.1

       # Port number for remote control operations.
       control-port: 8953

       # Unbound server key file.
       server-key-file: "/usr/local/etc/unbound/unbound_server.key"

       # Unbound server certificate file.
       server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"

       # unbound-control key file.
       control-key-file: "/usr/local/etc/unbound/unbound_control.key"

       # unbound-control certificate file.
       control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"
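The two include: files the configuration above refers to, and a way to prove the running resolver does what the config intends, as an added example that is neither the TBP page's nor the Unbound project's code. Part 1 turns a hosts-format blocklist (the format most ad lists are published in) into a blackhole.zone of always_nxdomain local-zones and builds users.conf from a list of client networks; part 2 queries the resolver with dig(1) and checks the status and AD flag of each answer. Assumptions: dig is installed, Unbound listens on 127.0.0.1 (override with RESOLVER), an Unbound recent enough to know the always_nxdomain zone type, that nlnetlabs.nl remains DNSSEC-signed and dnssec-failed.org remains a deliberately broken test zone, and that BLOCKED_NAME is a name present in your blackhole.zone. The blocklist, client list and dig output embedded in the script are constructed samples. The TBP blackhole.zone may use a different zone type (static or redirect also work); the generator here is one way to maintain such a file, not a copy of it.

```shell
#!/bin/sh
# Added example: not from the TBP page or the Unbound project. Part 1 builds
# the two include: files the config references; part 2 checks a running
# resolver with dig(1). All sample inputs below are constructed.

# ---- Part 1: generate the include files ----------------------------------
# Constructed hosts(5)-format blocklist, the format most ad lists use.
SAMPLE_HOSTS='# constructed sample blocklist
127.0.0.1 localhost
0.0.0.0 ads.example.net
0.0.0.0 Tracker.Example.org   # mixed case, trailing comment
0.0.0.0 ads.example.net       # duplicate, must appear once
0.0.0.0 bad..example          # empty label, must be skipped'

# make_blackhole_zone: hosts lines on stdin -> local-zone lines on stdout.
# always_nxdomain makes Unbound answer NXDOMAIN from its own data, so the
# query never leaves the resolver. Names are lower-cased, syntax-checked
# and de-duplicated; names without a dot (localhost) are dropped.
make_blackhole_zone() {
    sed 's/#.*//' |
    awk 'NF >= 2 { for (i = 2; i <= NF; i++) print tolower($i) }' |
    grep -E '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]*$' |
    sort -u |
    sed 's/.*/local-zone: "&." always_nxdomain/'
}

# Constructed client list for users.conf: one address or CIDR per line.
SAMPLE_CLIENTS='192.168.1.0/24
fd00:1234::/64
not-a-network'

# make_users_conf: client ranges on stdin -> access-control lines on stdout.
# Everything is refused first, so a resolver bound to 0.0.0.0 is not open;
# the address check is a loose syntax filter, not full validation.
make_users_conf() {
    echo 'access-control: 0.0.0.0/0 refuse'
    echo 'access-control: ::0/0 refuse'
    echo 'access-control: 127.0.0.0/8 allow'
    echo 'access-control: ::1 allow'
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$|^[0-9a-fA-F:]+(/[0-9]{1,3})?$' |
    sed 's/.*/access-control: & allow/'
}

# ---- Part 2: check the running resolver ----------------------------------
RESOLVER="${RESOLVER:-127.0.0.1}"                 # assumed listener address
BLOCKED_NAME="${BLOCKED_NAME:-ads.example.net}"   # assumed entry in blackhole.zone

# rcode_of: print the status (NOERROR, NXDOMAIN, SERVFAIL ...) from dig output.
rcode_of() {
    sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# has_flag: succeed if header flag $1 (ad, aa, ra ...) is set in dig output.
has_flag() {
    grep -E "^;; flags:( [a-z]+)* $1( [a-z]+)*;" >/dev/null
}

# Constructed dig header output, used to self-test the two parsers above.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# expect LABEL NAME TYPE RCODE ad|noad: query the resolver and compare.
expect() {
    out=$(dig @"$RESOLVER" +dnssec "$2" "$3")
    rc=$(printf '%s\n' "$out" | rcode_of)
    if printf '%s\n' "$out" | has_flag ad; then ad=ad; else ad=noad; fi
    if [ "$rc" = "$4" ] && [ "$ad" = "$5" ]; then
        echo "ok   $1 ($rc, $ad)"
    else
        echo "FAIL $1: got $rc/$ad, wanted $4/$5"; FAILED=1
    fi
}

check_resolver() {
    FAILED=0
    # Signed zone (assumed: nlnetlabs.nl stays signed): a validated answer
    # carries the AD bit, which proves the trust anchor is in use.
    expect "validates signed zone" nlnetlabs.nl A NOERROR ad
    # Deliberately broken test zone (assumed: dnssec-failed.org stays broken):
    # a validating resolver refuses it. NOERROR here means validation is not
    # being enforced locally, e.g. val-permissive-mode: yes.
    expect "rejects bogus zone" dnssec-failed.org A SERVFAIL noad
    # local-data is answered by the resolver itself and is never signed.
    expect "serves local-data" xboxone.local A NOERROR noad
    # A name in blackhole.zone is sunk locally as NXDOMAIN.
    expect "sinks blocked name" "$BLOCKED_NAME" A NXDOMAIN noad
    return "$FAILED"
}

# Live checks need the network, so run them only on request:  sh check.sh run
if [ "${1:-}" = "run" ]; then
    check_resolver
fi
```

Generate the files with something like `curl -s URL-of-blocklist | make_blackhole_zone > /usr/local/etc/unbound/blackhole.zone`, run `unbound-checkconf` before reloading, then `sh check.sh run` against the resolver. The open-resolver test cannot be done from the box itself: run `dig @your-public-ip example.com` from a host outside your network and expect REFUSED or a timeout.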