Authoritative, validating, recursive caching DNS with DNSSEC - Security & Cryptography

kopri
Long time nixers
Today I'm going to walk you through the installation of Unbound. Unbound is a validating, recursive, and caching DNS resolver. Unbound is designed as a set of modular components, so that also DNSSEC (secure DNS) validation and stub-resolvers (that do not run as a server, but are linked into an application) are easily possible. In addition to setting up Unbound with DNSSEC I'm going to show you how to use Unbound to block ads, spyware, and otherwise nasty stuff. Doing so saves you bandwidth and browser speed since unlike Adblock Plus you are never communicating with the ad's server at all.

Getting started you're going to want to of course install Unbound!

On Debian based distros:
Code:
sudo apt-get install unbound

On BSD based systems as root:
Code:
cd /usr/ports/dns/unbound && make install clean
Or
Code:
pkg_add -r unbound

You can even install from source, but alas I'm not going to walk you through installing something from source, sorry!

Okay now you've got unbound installed there are some steps we need to take before we start configuration. Root-hints: is the file which contains the listing of primary root DNS servers. Unbound does have a listing of root DNS servers in its code, but if you want to make sure you are completely up to date we should obtain our own. It's up to you, but I normally update my root-hints every couple months.

To query a hostname Unbound has to start at the top at the root DNS servers and work its way down to the authoritative servers (see the definition of a resolving DNS server above). Download a copy of the root hints from Internic and place it in the /etc/unbound/root.hints file. This file will be called by the root-hints: directive in the unbound.conf file. To obtain this file we will use wget! Must run as root or use sudo!
Code:
wget ftp://FTP.INTERNIC.NET/domain/named.cache -O /etc/unbound/root.hints

Next the auto-trust-anchor! This is the file which contains the key for the root server so DNSSEC can be validated. We need to tell Unbound that we trust the root server so it can start to develop a chain of trust down to the hostname we want resolved and validated using DNSSEC. Again this command must be run with root privileges! Unbound has a tool to get a trust anchor, just run:
Code:
unbound-anchor

Are we there yet? NO! You don't want a non-configured, non-ad-blocking Domain Name Server that does not even map your internal LAN, DO YOU!? Didn't think so, hold on to your neckbeards and read on!

Next we are going to head over to Github and grab the unbound-block-hosts script.

"Dan Pollock (http://someonewhocares.org/) maintains a hosts file that can be used by individual users to block hosts that contain advertisements, spyware, web trackers and other unpleasant, annoying or malicious content.

This script converts this file into a format that can be loaded into the Unbound DNS server, allowing this list to be consumed by an entire network, or by devices (such as smart phones and tablets) which don't support a local hosts file." To use this script just run it with root privileges and it will convert the hosts file to the correct format and place it where it needs to be: /etc/unbound/local-blocking-data.conf.
Code:
unbound-block-hosts

Okay guys only two more steps before you can call yourself awesome! Now on to the configuration file! I don't have to tell you to have root again do I?
Code:
cd /etc/unbound && touch unbound.conf

Now I'm only going to explain a few things; the rest is commented or you can research on your own. My configuration includes a lot of performance optimization so don't worry if you are planning on putting this on a production server.
unbound.conf

Read through and change to fit your network settings as needed, it is commented pretty well.

As you can see I have set up Unbound to run with lower privileges, so it cannot access anything outside of /etc/unbound if compromised, and will only have normal user rights. During the install it should have created a user named "unbound"; if not, use adduser to create one. Make sure to chown -R unbound /etc/unbound once all files are in the right place.

Now take a look at the configuration in the private-domain area. Here you can give out domain names to any computer in your LAN. Change the private-domain to what you want and make sure to change the local-zone to match. As you can see mine is "home.lan". Now
Code:
local-data:     "tardis.home.lan.   IN A 192.168.1.11"
and match that with
Code:
local-data-ptr: "192.168.1.11       tardis.home.lan"
Obviously change the tardis.home.lan to your hostname.home.lan and match your IP address as well. Continue this step with all the hosts you want to have domain names on your LAN. Voilà, I can now type router.home.lan to bring up my router interface etc.

The last step! We want to be able to do more than start and stop Unbound! To be able to view its stats etc. we need to set up remote-control. Even if you just want to control it from the server itself you still need to do this step. In unbound.conf you will see
Code:
# Enable remote-control
remote-control:

    control-enable: yes
Under that change "control-interface: 127.0.0.1" to the remote IP address you want to allow control from. I keep it at 127.0.0.1 so I can control it from the server itself. Now run
Code:
unbound-control-setup

to generate the necessary TLS key files (they are put in the default install directory)

NOW YOU ARE READY MY SON! Start Unbound and configure your firewall to allow port 53 out! Point the nodes you want to use your DNS to your IP address and BAM! DNSSEC and no more annoying ads!

By the way this is very low resource. I have this running on my desktop along with a web server with no discernible performance loss. It has boosted my internet browsing speed though!
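As an added illustration of two steps in the post above (not kopri's script or config): the conversion that unbound-block-hosts performs on a hosts file into local-zone/local-data statements, and a small helper that emits the local-data / local-data-ptr pairs for the private-domain section so the forward and reverse records always carry the same address. The hosts file content below is constructed for the example.

```python
import ipaddress
import re

# Constructed sample in the layout of a typical ad-blocking hosts file.
SAMPLE_HOSTS = """\
# Hosts file: ad and tracker domains
127.0.0.1 localhost
::1 localhost
127.0.0.1 ads.example.com   # banner network
127.0.0.1 tracker.example.net www.tracker.example.net
0.0.0.0   Telemetry.Example.org
"""

# One DNS label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
SKIP = {"localhost", "localhost.localdomain", "broadcasthost"}

def valid_hostname(name):
    """Reject malformed names instead of writing them into unbound.conf,
    where a single bad local-data line stops the daemon from starting."""
    labels = name.lower().rstrip(".").split(".")
    return len(labels) > 1 and all(LABEL_RE.match(l) for l in labels)

def hosts_to_unbound(text, sink="127.0.0.1"):
    """Turn hosts-file lines into Unbound statements. Each blocked name gets
    a 'redirect' zone, so its subdomains are answered with the sink too."""
    seen, out = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        for name in line.split()[1:]:            # field 0 is the hosts-file IP
            name = name.lower()
            if name in SKIP or name in seen or not valid_hostname(name):
                continue
            seen.add(name)
            out.append('local-zone: "%s" redirect' % name)
            out.append('local-data: "%s A %s"' % (name, sink))
    return out

def lan_records(hosts, domain):
    """Emit matching A and PTR local-data for LAN hosts from one mapping,
    so the two records cannot drift apart when typed by hand."""
    out = []
    for host, ip in sorted(hosts.items()):
        addr = ipaddress.IPv4Address(ip)         # raises on a mistyped address
        fqdn = "%s.%s." % (host, domain)
        out.append('local-data:     "%s IN A %s"' % (fqdn, addr))
        out.append('local-data-ptr: "%s %s"' % (addr, fqdn.rstrip(".")))
    return out
```

Writing the output of hosts_to_unbound to /etc/unbound/local-blocking-data.conf and including it from unbound.conf gives the same effect as the script in the post.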
Phyrne
Long time nixers
Man.... kopri, this is excellent! Very high quality post. It's clear, concise and yet very descriptive; just the right amount of information :)

Brilliant job, I'll absolutely be implementing this on my firewall/router once I have it built.
shtols
Long time nixers
Unixhub really makes me consider a self-built firewall/modem/router/access-point box with BSD. Thanks kopri!
venam
Administrators
Good tutorial!
It's true that blocking ads/spyware/adware by hosts does speed up the browsing. I run adsuck on my machine and it has considerably changed the browsing experience. Adsuck supports regex and it is supposed, from the man page, to be faster than the normal hosts file. The hosts file that I have is huge, pretty experimental, and blocks hosts that some individuals might want to visit. It's radical but it's a better solution for me to unblock the hosts that I really want little by little. (You can find it on GH if you want to try it)
I also wanted to have a cookie whitelist until I found that it was already implemented in Firefox.

On a side note, lifting the weight from the browser has its good points. Let the browser do the browsing and only that. For adblocking you can use a DNS server like kopri did or use adsuck, for downloading you can use external download managers like aria2 and axel, for viewing sources you can use your favorite text editor, for web request analysis you can use burpsuite, and so on...

Keep up the awesomeness!
kopri
Long time nixers
I agree with Venam, a browser is for surfing, and it will do it better if that's what it focuses on. Thanks for the compliments guys!
yrmt
Grey Hair Nixers
Very good post kopri :)
Hans Hackett
Members
Good job! Kopri, I love this article :-)
kopri
Long time nixers
Is there any interest in a tutorial on Lighttpd? It's a light, secure webserver; I could write a tutorial on setting up and securing it.
shtols
Long time nixers
You know we read nearly everything.
kopri
Long time nixers
That's true haha.
eladkarako
Registered
great post,
I've taken some pointers and I'm using a larger resource to block ads ( http://hosts.eladkarako.com/hosts.txt )
it also removes YouTube commercials..
venam
Administrators
(19-09-2014, 02:30 AM)eladkarako Wrote: great post,
I've taken some pointers and I'm using a larger resource to block ads ( http://hosts.eladkarako.com/hosts.txt )
it also removes YouTube commercials..

I'm getting a 403 error (Forbidden).
eladkarako
Registered
(19-09-2014, 02:42 AM)venam Wrote: I'm getting a 403 error (Forbidden).
should be ok now,
b.t.w. you can now also access it on github (much faster), I update it at the same time as when I'm uploading the update to http://hosts.eladkarako.com and here it is: https://github.com/eladkarako/hosts.eladkarako.com