What's new

Unbound - Authoritative Recursive Caching DNS Server

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Status
Not open for further replies.
The servers-file points to the WAN DNS servers
Just do not understand what will be the name resolution for unbound. If so /etc/resolv.conf?, the no-resolv igonora option.
 
yes so in practice, if port is configured properly and forward zones set right and private, DNSMASQ can be left to do it's own local thang, and Unbound can do its job.
 
yes so in practice, if port is configured properly and forward zones set right and private, DNSMASQ can be left to do it's own local thang, and Unbound can do its job.
Very good. Will it give for use Diversion?
 
Just do not understand what will be the name resolution for unbound. If so /etc/resolv.conf?, the no-resolv igonora option.
Unbound (in my setup without forward-zone) resolves directly with the root DNS servers and any authoritative name server for the names requested by my devices. There is no single DNS server that will get my queries. This is what a recursive resolver does versus a forwarding resolver. You become your own Google DNS, Cloudflare DNS, Level 3 DNS.
 
There is no single DNS server that will get my queries. This is what a recursive resolver does versus a forwarding resolver. You become your own Google DNS, Cloudflare DNS, Level 3 DNS.
Have you checked for this traffic? Just didn't understand why you chose to add dnssec to dnsmasq. The unbound-anchor is robust.
Add your full configuration here for me to do the tests?
 
Have you checked for this traffic? Just didn't understand why you chose to add dnssec to dnsmasq. The unbound-anchor is robust.
Add your full configuration here for me to do the tests?
Here's a log of a query to asuswrt.lostrealm.ca (since snbforums.com and asuswrt-merlin.net were already cached).
[1569509914] unbound[21345:1] info: 127.0.1.1 asuswrt.lostrealm.ca. A IN
[1569509914] unbound[21345:1] info: resolving asuswrt.lostrealm.ca. A IN
[1569509914] unbound[21345:1] info: resolving . DNSKEY IN
[1569509914] unbound[21345:1] info: response for asuswrt.lostrealm.ca. A IN
[1569509914] unbound[21345:1] info: reply from <.> 192.112.36.4#53
[1569509914] unbound[21345:1] info: query response was REFERRAL
[1569509914] unbound[21345:1] info: resolving ca. DNSKEY IN
[1569509914] unbound[21345:1] info: response for asuswrt.lostrealm.ca. A IN
[1569509914] unbound[21345:1] info: reply from <ca.> 185.159.196.2#53
[1569509914] unbound[21345:1] info: query response was REFERRAL
[1569509914] unbound[21345:1] info: resolving lostrealm.ca. DNSKEY IN
[1569509914] unbound[21345:1] info: response for ca. DNSKEY IN
[1569509914] unbound[21345:1] info: reply from <ca.> 185.159.196.2#53
[1569509914] unbound[21345:1] info: query response was ANSWER
[1569509914] unbound[21345:1] info: response for lostrealm.ca. DNSKEY IN
[1569509914] unbound[21345:1] info: reply from <lostrealm.ca.> 173.245.58.130#53
[1569509914] unbound[21345:1] info: query response was ANSWER
[1569509914] unbound[21345:1] info: response for asuswrt.lostrealm.ca. A IN
[1569509914] unbound[21345:1] info: reply from <lostrealm.ca.> 173.245.58.130#53
[1569509914] unbound[21345:1] info: query response was ANSWER
[1569509914] unbound[21345:1] info: validated DS ca. DS IN
[1569509914] unbound[21345:1] info: resolving ca. DNSKEY IN
[1569509914] unbound[21345:1] info: validated DNSKEY ca. DNSKEY IN
[1569509914] unbound[21345:1] info: validated DS lostrealm.ca. DS IN
[1569509914] unbound[21345:1] info: resolving lostrealm.ca. DNSKEY IN
[1569509914] unbound[21345:1] info: validated DNSKEY lostrealm.ca. DNSKEY IN
[1569509914] unbound[21345:1] info: validate(positive): sec_status_secure
[1569509914] unbound[21345:1] info: validation success asuswrt.lostrealm.ca. A IN
[1569509914] unbound[21345:1] info: 127.0.1.1 asuswrt.lostrealm.ca. A IN NOERROR 0.082847 0 173
 
Have you checked for this traffic? Just didn't understand why you chose to add dnssec to dnsmasq. The unbound-anchor is robust.
Add your full configuration here for me to do the tests?
I added proxy-dnssec to dnsmasq.conf so that Unbound's secure reply will be passed down to dnsmasq without it being ignored by dnsmasq.
Here's my unbound config at the moment:
Code:
server:
# port to answer queries from
port: 53
verbosity: 2
logfile: "/opt/var/lib/unbound/unbound.log"
log-queries: yes
log-replies: yes

do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes

# don't be picky about interfaces but consider your firewall
interface: 127.0.1.1
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 10.0.0.0/24 allow
access-control: 192.168.1.0/24 allow

# private networks:
private-address: 127.0.0.0/8
private-address: 169.254.0.0/16
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16

# no threads and no memory slabs for threads
num-threads: 2
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
so-reuseport: yes

# tiny memory cache
key-cache-size: 16m
msg-cache-size: 8m
rrset-cache-size: 8m
cache-min-ttl: 3600
cache-max-ttl: 86400
cache-max-negative-ttl: 0
infra-host-ttl: 60
edns-buffer-size: 1472

# prefetch
prefetch: yes
prefetch-key: yes
minimal-responses: yes

# gentle on recursion
hide-identity: yes
hide-version: yes
do-not-query-localhost: no
qname-minimisation: yes
rrset-roundrobin: yes
harden-glue: yes
harden-referral-path: no
harden-below-nxdomain: yes
harden-algo-downgrade: yes

# Self jail Unbound with user "unbound" to /var/lib/unbound
username: "nobody"
directory: "/opt/var/lib/unbound"
chroot: "/opt/var/lib/unbound"
root-hints: "/opt/var/lib/unbound/root.hints"

# The pid file
pidfile: "/opt/var/run/unbound.pid"

# DNSSEC and DNS-over-TLS
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
auto-trust-anchor-file: "/root.key"

remote-control:
control-enable: yes
control-interface: 127.0.0.1
control-port: 953
server-key-file: "/opt/var/lib/unbound/unbound_server.key"
server-cert-file: "/opt/var/lib/unbound/unbound_server.pem"
control-key-file: "/opt/var/lib/unbound/unbound_control.key"
control-cert-file: "/opt/var/lib/unbound/unbound_control.pem"
 
I added proxy-dnssec to dnsmasq.conf so that Unbound's secure reply will be passed down to dnsmasq without it being ignored by dnsmasq.
Here's my unbound config at the moment:
Code:
server:
# port to answer queries from
port: 53
verbosity: 2
logfile: "/opt/var/lib/unbound/unbound.log"
log-queries: yes
log-replies: yes

do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes

# don't be picky about interfaces but consider your firewall
interface: 127.0.1.1
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 10.0.0.0/24 allow
access-control: 192.168.1.0/24 allow

# private networks:
private-address: 127.0.0.0/8
private-address: 169.254.0.0/16
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16

# no threads and no memory slabs for threads
num-threads: 2
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
so-reuseport: yes

# tiny memory cache
key-cache-size: 16m
msg-cache-size: 8m
rrset-cache-size: 8m
cache-min-ttl: 3600
cache-max-ttl: 86400
cache-max-negative-ttl: 0
infra-host-ttl: 60
edns-buffer-size: 1472

# prefetch
prefetch: yes
prefetch-key: yes
minimal-responses: yes

# gentle on recursion
hide-identity: yes
hide-version: yes
do-not-query-localhost: no
qname-minimisation: yes
rrset-roundrobin: yes
harden-glue: yes
harden-referral-path: no
harden-below-nxdomain: yes
harden-algo-downgrade: yes

# Self jail Unbound with user "unbound" to /var/lib/unbound
username: "nobody"
directory: "/opt/var/lib/unbound"
chroot: "/opt/var/lib/unbound"
root-hints: "/opt/var/lib/unbound/root.hints"

# The pid file
pidfile: "/opt/var/run/unbound.pid"

# DNSSEC and DNS-over-TLS
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
auto-trust-anchor-file: "/root.key"

remote-control:
control-enable: yes
control-interface: 127.0.0.1
control-port: 953
server-key-file: "/opt/var/lib/unbound/unbound_server.key"
server-cert-file: "/opt/var/lib/unbound/unbound_server.pem"
control-key-file: "/opt/var/lib/unbound/unbound_control.key"
control-cert-file: "/opt/var/lib/unbound/unbound_control.pem"
Very good setup organization. I tested it here.
Prefer not to enable IPV6? How about DNS-over-TLS on Unbound?
Awaiting contributions from the @SomeWhereOverTheRainBow
 
Prefer not to enable IPV6? How about DNS-over-TLS on Unbound?
I’m taking small baby steps. I don’t use IPv6 today on my network. DoT is only useful if you have a forward-zone configured, which I do not. So all my recursive queries to authoritative servers are cleartext.
 
I added proxy-dnssec to dnsmasq.conf so that Unbound's secure reply will be passed down to dnsmasq without it being ignored by dnsmasq.
Here's my unbound config at the moment:
Code:
server:
# port to answer queries from
port: 53
verbosity: 2
logfile: "/opt/var/lib/unbound/unbound.log"
log-queries: yes
log-replies: yes

do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes

# don't be picky about interfaces but consider your firewall
interface: 127.0.1.1
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 10.0.0.0/24 allow
access-control: 192.168.1.0/24 allow

# private networks:
private-address: 127.0.0.0/8
private-address: 169.254.0.0/16
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16

# no threads and no memory slabs for threads
num-threads: 2
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
so-reuseport: yes

# tiny memory cache
key-cache-size: 16m
msg-cache-size: 8m
rrset-cache-size: 8m
cache-min-ttl: 3600
cache-max-ttl: 86400
cache-max-negative-ttl: 0
infra-host-ttl: 60
edns-buffer-size: 1472

# prefetch
prefetch: yes
prefetch-key: yes
minimal-responses: yes

# gentle on recursion
hide-identity: yes
hide-version: yes
do-not-query-localhost: no
qname-minimisation: yes
rrset-roundrobin: yes
harden-glue: yes
harden-referral-path: no
harden-below-nxdomain: yes
harden-algo-downgrade: yes

# Self jail Unbound with user "unbound" to /var/lib/unbound
username: "nobody"
directory: "/opt/var/lib/unbound"
chroot: "/opt/var/lib/unbound"
root-hints: "/opt/var/lib/unbound/root.hints"

# The pid file
pidfile: "/opt/var/run/unbound.pid"

# DNSSEC and DNS-over-TLS
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
auto-trust-anchor-file: "/root.key"

remote-control:
control-enable: yes
control-interface: 127.0.0.1
control-port: 953
server-key-file: "/opt/var/lib/unbound/unbound_server.key"
server-cert-file: "/opt/var/lib/unbound/unbound_server.pem"
control-key-file: "/opt/var/lib/unbound/unbound_control.key"
control-cert-file: "/opt/var/lib/unbound/unbound_control.pem"

Works really well. Waiting to see how this unfolds. Any idea how to add DNS OVER TLS with this setup?

-update : I added rgnldo DoT config and it works well .
Code:
forward-zone:
   name: "."
   forward-tls-upstream: yes
   forward-addr: 1.1.1.1@853#cloudflare-dns.com
   forward-addr: 1.0.0.1@853#cloudflare-dns.com
 
Last edited:
Any idea how to add DNS OVER TLS with this setup?
Code:
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 185.222.222.222@853#dns.sb
    forward-addr: 2a09::@853#dns.sb
    forward-addr: 185.184.222.222@853#dns.sb
    forward-addr: 2a09::1@853#dns.sb
Only add forward-zone at the end of the configuration file. Note that recursive will no longer be via root server's, but on forward-zone servers.
 
Code:
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 185.222.222.222@853#dns.sb
    forward-addr: 2a09::@853#dns.sb
    forward-addr: 185.184.222.222@853#dns.sb
    forward-addr: 2a09::1@853#dns.sb
Only add forward-zone at the end of the configuration file. Note that recursive will no longer be via root server's, but on forward-zone servers.

Code:
unbound-control -c /opt/var/lib/unbound/unb
ound.conf stats_noreset | grep total.num
total.num.queries=674
total.num.queries_ip_ratelimited=0
total.num.cachehits=56
total.num.cachemiss=618
total.num.prefetch=0
total.num.zero_ttl=0
total.num.recursivereplies=618

"Note that recursive will no longer be via root server's, but on forward-zone servers" is this a bad thing?
I don't really know what it means..hahh . Better leave it without DoT?
Do I loose something doing it this way?
If there is a better way, I will try
 
If there is a better way, I will try

Not entirely sure, but the debate is interesting. Source: https://discourse.pi-hole.net/t/unbound-or-stubby/15432/2
pi-hole.png
 
Not entirely sure, but the debate is interesting. Source: https://discourse.pi-hole.net/t/unbound-or-stubby/15432/2

I also have an issue with adblocking script you put here. It creates an empty adblock server list. Can I make it work with dave's setup ( without DoT) ? (I know I need to add "include: blacklist_path.txt" but your script for some reason creates an empty blacklist.txt)

It works.. my mistake
 
Last edited:
From what I notice, DoT or DoH solutions in DNS queries serve as palliatives on public networks, lessen phishing issues, and so on. From a network security standpoint, no. So much so that just a user on the network change the DNS on your device. A proxy, yes, solves it.
 
(I know I need to add "include: blacklist_path.txt" but your script for some reason creates an empty blacklist.txt)
Code:
#!/bin/bash
destinationIP="0.0.0.0"
tempoutlist="/jffs/Adblock/adlist.tmp"
outlist='/jffs/Adblock/tmp.host'
finalist='/jffs/Adblock/tmp.finalhost'
permlist='/jffs/Adblock/adpermitidos.txt'
adlist='/jffs/Adblock/adservers.txt'

echo "Removing Possible Temporary Files.."
[ -f /jffs/Adblock/adlist.tmp ] && rm -f /jffs/Adblock/adlist.tmp
[ -f /jffs/Adblock/tmp.host ] && rm -f /jffs/Adblock/tmp.host
[ -f /jffs/Adblock/tmp.finalhost ] && rm -f /jffs/Adblock/tmp.finalhost

echo "Downloading StevenBlack ad list..."
curl --progress-bar https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | grep -v "#" | grep -v "::1" | grep -v "0.0.0.0 0.0.0.0" | sed '/^$/d' | sed 's/\ /\\ /g' | awk '{print $2}' | grep -v '^\\' | grep -v '\\$'| sort >> $tempoutlist

echo "Removing Duplicate Domain list formats..."
cat $tempoutlist | sed -r -e 's/[[:space:]]+/\t/g' | sed -e 's/\t*#.*$//g' | sed -e 's/[^a-zA-Z0-9\.\_\t\-]//g' | sed -e 's/\t$//g' | sed -e '/^#/d' | sort -u | sed '/^$/d' | awk -v "IP=$destinationIP" '{sub(/\r$/,""); print IP" "$0}' > $outlist
numberOfAdsBlocked=$(cat $outlist | wc -l | sed 's/^[ \t]*//')
echo "$numberOfAdsBlocked suspicious and blocked domains"

echo "Edit list of allowed domains..."
fgrep -vf $permlist $outlist  > $finalist

echo "Generating Unbound Adlist..."
cat $finalist | grep '^0\.0\.0\.0' | awk '{print "local-zone: \""$2"\" static"}' > $adlist
numberOfAdsBlocked=$(cat $adlist | wc -l | sed 's/^[ \t]*//')
echo "$numberOfAdsBlocked suspicious and blocked domains"

echo "Removing temporary files.."
[ -f /jffs/Adblock/adlist.tmp ] && rm -f /jffs/Adblock/adlist.tmp
[ -f /jffs/Adblock/tmp.host ] && rm -f /jffs/Adblock/tmp.host
[ -f /jffs/Adblock/tmp.finalhost ] && rm -f /jffs/Adblock/tmp.finalhost

echo "Restarting DNS servers..."
/opt/etc/init.d/S61unbound restart
 
Last edited:
I believe it would be ideal to create a fixed post, just with unbound and delete the others. The solution organized by @dave14305 is the most suitable
 
Status
Not open for further replies.

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top