Unbound: A great tool for a secure fast local DNS

This article is a quick howto for installing Unbound. The Arch wiki page has it all, but a few small tweaks were needed to get it working, and they are explained here in layman's terms for a successful set-up.

Prerequisites

The following are presumed to be present; the unbound package itself is versatile and distribution-agnostic, so the rest transfers easily:

  • Arch Linux (your laptop, in this case)
  • Access to the Arch repositories through yaourt (all major distros ship the package in their repositories)
  • Packages involved: unbound, dnssec-trigger, openresolv, drill (from the ldns package) and dig (from bind-tools)

The Goal

To run a caching, recursive, DNSSEC-validating DNS service on the machine itself, so that it no longer depends on the ISP's resolvers and can detect answers that were tampered with in transit, a real concern with the DNS meddling of a censoring country like mine, Iran. Believe me, it is a great deal to have such a tool. It is fast and easy to set up, and once it is done you can forget that the service even exists. One caveat up front: DNSSEC validation detects forged answers for domains that are signed; it does not encrypt the queries themselves, which still leave the machine in clear text towards the root and authoritative servers, so it makes tampering visible rather than routing around it and is not a privacy measure on its own. Let's get started. The service will answer all queries from localhost, which in my case is my laptop.

Installation

Install unbound and dnssec-trigger with:

$ yaourt -S unbound dnssec-trigger

Do not worry about openresolv, which is pulled in as a dependency: dnssec-trigger uses it to rewrite /etc/resolv.conf so that it points at the local Unbound.

Open /etc/NetworkManager/NetworkManager.conf and add this snippet (the section name is lowercase). With dns=unbound, NetworkManager hands the nameservers it learns from DHCP to dnssec-triggerd, which probes them and tells Unbound what to forward to, while /etc/resolv.conf keeps pointing at 127.0.0.1:

[main]
dns=unbound

Once that is done we need to modify the Unbound config file, /etc/unbound/unbound.conf. Every directive is documented in the reference file /etc/unbound/unbound.conf.example (and in unbound.conf(5)), which is worth reading. Here is my config, explained, to get you going:

$ cat /etc/unbound/unbound.conf

server:
    use-syslog: yes                      # Send the logs to syslog
    username: "unbound"                  # Unprivileged account created at installation; Unbound drops root privileges to it after binding port 53. You can additionally chroot it if you want.
    directory: "/etc/unbound"            # Working directory; the relative file names below are resolved against it
    trust-anchor-file: trusted-key.key   # DNSSEC root trust anchor, provided by the dnssec-anchors package that unbound depends on
    root-hints: root.hints               # List of root servers, fetched below
    interface: 127.0.0.1                 # Listen on loopback only. A word of caution: if, like me, you run KVM and Docker, do not set this to 0.0.0.0; both start their own dnsmasq on port 53 and you would have to reconfigure dnsmasq and the port it listens on.
    prefer-ip6: no                       # I learned this the hard way: most networks out there are not IPv6-enabled yet, so do not prefer IPv6 addresses when contacting upstream servers
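For reference, here is a hardened version of the same server: section, added to this article as an example (it is neither the author's file nor one shipped by the Unbound project). Every directive is a standard unbound.conf option; the only assumptions are the article's own file names (trusted-key.key and root.hints under /etc/unbound). The commented-out interface line is the risky variant the warning above is about, kept next to the safe one so the difference is visible:

```conf
# Added example: hardened server section for /etc/unbound/unbound.conf.
# Not the article author's file; file names follow the article's layout.
server:
    use-syslog: yes
    verbosity: 1
    username: "unbound"
    directory: "/etc/unbound"
    trust-anchor-file: trusted-key.key
    root-hints: root.hints

    # Listener: loopback only. The commented line is the risky variant: it
    # exposes the resolver on every interface (and collides with the dnsmasq
    # that libvirt/Docker start), leaving only the allow list below between
    # you and being an open resolver.
    interface: 127.0.0.1
    interface: ::1
    # interface: 0.0.0.0
    port: 53
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
    prefer-ip6: no

    # Make the client policy explicit instead of relying on the defaults.
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # Do not answer id.server / version.bind probes.
    hide-identity: yes
    hide-version: yes

    # Resist cache poisoning and DNSSEC stripping.
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-below-nxdomain: yes
    harden-algo-downgrade: yes
    use-caps-for-id: yes
    unwanted-reply-threshold: 10000
    val-clean-additional: yes

    # Send each upstream only as much of the name as it needs (RFC 7816).
    qname-minimisation: yes

    # Keep popular records and their keys warm so validation adds no visible latency.
    prefetch: yes
    prefetch-key: yes

    # Smaller responses: omit authority/additional data that was not asked for.
    minimal-responses: yes
```

Run `sudo unbound-checkconf` after editing; it exits non-zero and names the offending line on a typo, which is cheaper than finding out from a resolver that silently fails to start. One more caveat for the dnssec-trigger integration: dnssec-triggerd hands Unbound its forwarders through unbound-control, so if its log complains that unbound-control fails, enable the remote-control: clause (control-enable: yes) in unbound.conf and run unbound-control-setup to generate the keys it needs.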

Now fetch the root hints file that the root-hints: directive points to (the path is root-owned, so use sudo; -f makes curl fail on an HTTP error instead of writing the error page into the file):

$ sudo curl -fsS -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache

Then set up a systemd service and timer so this file is refreshed monthly. Unbound only reads root.hints when it starts, so the service restarts it after a successful download, and network-online.target makes sure the download does not run before the network is up:

$ sudo vim /etc/systemd/system/roothints.service

[Unit]
Description=Update root hints for unbound
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/bin/curl -fsS -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache
ExecStartPost=/usr/bin/systemctl restart unbound

$ sudo vim /etc/systemd/system/roothints.timer

[Unit]
Description=Run root.hints monthly

[Timer]
OnCalendar=monthly
Persistent=true

[Install]
WantedBy=timers.target

Time to save everything, then enable and start the services (the timer is enabled here too, since the service unit on its own never runs by itself):

$ sudo systemctl enable dnssec-triggerd && sudo systemctl start dnssec-triggerd

$ sudo systemctl enable unbound && sudo systemctl start unbound

$ sudo systemctl restart NetworkManager

Check that everything works with the commands below. The first query must fail (rcode SERVFAIL and no answer section): that name is deliberately published with a broken signature, and a validating resolver refuses to hand it over. The second must succeed with NOERROR, and if you ask for DNSSEC data (drill -D or dig +dnssec) the reply must carry the ad (authenticated data) flag. The last one is just a sanity check that ordinary names resolve, and the SERVER line at the bottom of dig's output should show 127.0.0.1:

$ drill sigfail.verteiltesysteme.net

$ drill sigok.verteiltesysteme.net

$ dig google.com
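Two of the steps above deserve a safety net: the monthly root.hints download (curl writes whatever the server sends, so an HTTP error page or a captive-portal login page would silently become your list of root servers) and the final DNSSEC check (the ad flag is easy to misread by eye). The script below is an added example written for this article; it is not the author's own code and not part of Unbound or dnssec-trigger. It assumes dig and curl are installed, uses a constructed dig header and a constructed root.hints excerpt as sample inputs, and its helpers are pure text functions so they run without network access; `./check-unbound.sh live` (a file name chosen here) runs them against the real resolver.

```shell
#!/usr/bin/env bash
# Added example for this article; not the author's code nor part of Unbound or
# dnssec-trigger. Helpers for two steps of the how-to: a safer root.hints refresh
# for roothints.service, and a DNSSEC verdict parser for the drill/dig check.
set -euo pipefail

# root_hints_looks_sane FILE
# True only if FILE looks like InterNIC's named.cache: an NS record for the root
# pointing at a ROOT-SERVERS.NET name, at least one A record for such a name, and
# no markup. curl -o writes an error page to the target path just as happily as
# the real file, and Unbound would then start with bogus root servers.
root_hints_looks_sane() {
    local f="$1"
    grep -Eq '^\.[[:space:]]+[0-9]+[[:space:]]+(IN[[:space:]]+)?NS[[:space:]]+[A-M]\.ROOT-SERVERS\.NET\.' "$f" || return 1
    grep -Eq '^[A-M]\.ROOT-SERVERS\.NET\.[[:space:]]+[0-9]+[[:space:]]+(IN[[:space:]]+)?A[[:space:]]+[0-9]+(\.[0-9]+){3}' "$f" || return 1
    ! grep -qi '<html' "$f"
}

# refresh_root_hints URL DEST
# Download to a temp file next to DEST, validate, then replace atomically; on any
# failure DEST is left as it was. Unbound reads root.hints only at startup, so the
# caller (e.g. an ExecStartPost= in roothints.service) must restart it afterwards.
refresh_root_hints() {
    local url="$1" dest="$2" tmp
    tmp="$(mktemp "${dest}.XXXXXX")"
    if curl -fsS --max-time 60 -o "$tmp" "$url" && root_hints_looks_sane "$tmp"; then
        chmod 0644 "$tmp"
        mv -f "$tmp" "$dest"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# dnssec_verdict  (reads dig output on stdin)
# secure   : NOERROR with the ad flag, i.e. the resolver validated the chain
# bogus    : SERVFAIL, what a validating resolver returns for sigfail
# insecure : answered but not validated (unsigned zone, or validation is off)
dnssec_verdict() {
    local out status flags
    out="$(cat)"
    status="$(printf '%s\n' "$out" | awk '/status: /{ sub(/.*status: /, ""); sub(/,.*/, ""); print; exit }')"
    flags="$(printf '%s\n' "$out" | awk '/^;; flags: /{ sub(/^;; flags: /, ""); sub(/;.*/, ""); print; exit }')"
    case "$status" in
        SERVFAIL) echo bogus ;;
        NOERROR)
            case " $flags " in
                *" ad "*) echo secure ;;
                *)        echo insecure ;;
            esac ;;
        *) echo "unexpected:${status:-none}" ;;
    esac
}

# Constructed sample inputs (not captured from a real server).
SAMPLE_DIG_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_DIG_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_HINTS='; constructed excerpt in named.cache format
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30'

# "live" runs the real checks against the resolver named in /etc/resolv.conf.
if [ "${1:-}" = "live" ]; then
    for name in sigfail.verteiltesysteme.net sigok.verteiltesysteme.net; do
        printf '%-32s %s\n' "$name" "$(dig +dnssec "$name" | dnssec_verdict)"
    done
fi
```

A correct set-up prints bogus for sigfail and secure for sigok; insecure for sigok means queries are being answered, but not by a validating resolver (check that /etc/resolv.conf points at 127.0.0.1 and that unbound, not a leftover dnsmasq, owns port 53).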

