Authoritative, validating, recursive caching DNS with DNSSEC - Security & Cryptography
Today I'm going to walk you through the installation of Unbound. Unbound is a validating, recursive, and caching DNS resolver. It is designed as a set of modular components, so DNSSEC (secure DNS) validation and stub-resolvers (that do not run as a server, but are linked into an application) are easily possible. In addition to setting up Unbound with DNSSEC I'm going to show you how to use Unbound to block ads, spyware, and otherwise nasty stuff. Doing so saves you bandwidth and improves browser speed, since unlike with Adblock Plus you never communicate with the ad server at all.
Getting started, you're of course going to want to install Unbound! On Debian-based distros:

Code:
    sudo apt-get install unbound

On BSD-based systems, as root:

Code:
    cd /usr/ports/dns/unbound && make install clean

Code:
    pkg_add -r unbound

You can even install from source, but alas I'm not going to walk you through installing something from source, sorry!

Okay, now that you've got Unbound installed there are some steps we need to take before we start configuration.

Root hints: this is the file which contains the listing of primary root DNS servers. Unbound does have a listing of root DNS servers in its code, but if you want to make sure you are completely up to date we should obtain our own. It's up to you, but I normally update my root hints every couple of months. To query a hostname Unbound has to start at the top at the root DNS servers and work its way down to the authoritative servers (see the definition of a resolving DNS server above). Download a copy of the root hints from InterNIC and place it in the /etc/unbound/root.hints file. This file will be called by the root-hints: directive in unbound.conf. To obtain this file we will use wget! Must run as root or use sudo!

Code:
    wget ftp://FTP.INTERNIC.NET/domain/named.cache -O /etc/unbound/root.hints

Next, the auto-trust-anchor! This is the file which contains the key for the root server so DNSSEC can be validated. We need to tell Unbound that we trust the root server so it can start to develop a chain of trust down to the hostname we want resolved and validated using DNSSEC. Again, this command must be run with root privileges! Unbound has a tool to get a trust anchor; just run:

Code:
    unbound-anchor

Are we there yet? NO! You don't want a non-configured, non-ad-blocking Domain Name Server that does not even map your internal LAN, DO YOU!? Didn't think so, hold on to your neckbeards and read on! Next we are going to head over to GitHub and grab the unbound-block-hosts script.
"Dan Pollock (http://someonewhocares.org/) maintains a hosts file that can be used by individual users to block hosts that contain advertisements, spyware, web trackers and other unpleasant, annoying or malicious content. This script converts this file into a format that can be loaded into the Unbound DNS server, allowing this list to be consumed by an entire network, or by devices (such as smart phones and tablets) which don't support a local hosts file."

To use this script just run it with root privileges and it will convert the hosts file to the correct format and place it where it needs to be, /etc/unbound/local-blocking-data.conf.

Code:
    unbound-block-hosts

Okay guys, only two more steps before you can call yourself awesome! Now on to the configuration file! I don't have to tell you to have root again, do I?

Code:
    cd /etc/unbound && touch unbound.conf

Now I'm only going to explain a few things; the rest is commented or you can research on your own. My configuration includes a lot of performance optimization, so don't worry if you are planning on putting this on a production server.

unbound.conf

Read through and change to fit your network settings as needed; it is commented pretty well. As you can see I have set up Unbound to run with lower privileges, so it cannot access anything outside of /etc/unbound if compromised, and will only have normal user rights. During the install it should have created a user named "unbound"; if not, use adduser and create one. Make sure to chown -R unbound /etc/unbound once all files are in the right place. Now take a look at the configuration in the private-domain area. Here you can give out domain names to any computer in your LAN. Change the private-domain to what you want and make sure to change the local-zone to match. As you can see mine is "home.lan". Now:

Code:
    local-data: "tardis.home.lan. IN A 192.168.1.11"

Code:
    local-data-ptr: "192.168.1.11 tardis.home.lan"

The last step! We want to be able to do more than start and stop Unbound!
To be able to view its stats etc. we need to set up remote-control. Even if you just want to control it from the server itself you still need to do this step. In unbound.conf you will see:

Code:
    # Enable remote-control

Run:

Code:
    unbound-control-setup

to generate the necessary TLS key files (they are put in the default install directory). NOW YOU ARE READY MY SON! Start Unbound and configure your firewall to allow port 53 out! Point the nodes you want to use your DNS to your IP address and BAM! DNSSEC and no more annoying ads! By the way, this is very low resource. I have this running on my desktop along with a web server with no discernible performance loss. It has boosted my internet browsing speed though!
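The following is an added example, not code from the post above or from the unbound-block-hosts script. It shows in POSIX shell the three pieces the tutorial leaves to the reader: the hosts-file-to-Unbound conversion that the blocking step performs (run here over a constructed sample instead of Dan Pollock's list), a helper that emits the LAN A and PTR records from one source so the forward and reverse entries cannot drift apart, and a minimal unbound.conf with the privilege drop, chroot, root hints, trust anchor, LAN access list and blocklist include wired together. The paths under /etc/unbound, the 192.168.1.0/24 LAN range, the 0.0.0.0 sinkhole address and the root.key filename are assumptions to adjust for your system.

```shell
#!/bin/sh
# Added example (not the post's or the unbound-block-hosts script's code).
#   hosts_to_unbound  - turn a hosts(5)-style blocklist into Unbound statements
#   lan_host_records  - emit a matching A + PTR pair from one NAME/IP source
#   render_conf       - assemble a minimal DNSSEC-validating, chrooted unbound.conf
# Paths (/etc/unbound/...) and the LAN range 192.168.1.0/24 are assumptions.

# Constructed sample in the format of a hosts(5) blocklist.
sample_blocklist() {
    cat <<'EOF'
# sample hosts file (constructed)
127.0.0.1 localhost
127.0.0.1 localhost.localdomain
255.255.255.255 broadcasthost
::1 localhost ip6-localhost ip6-loopback
127.0.0.1 ads.example.test # inline comment
127.0.0.1 Tracker.Example.Test tracker.example.test
0.0.0.0 spyware.example.test
EOF
}

# Read hosts lines on stdin; print Unbound statements on stdout.
# Lowercases names, drops duplicates, and never blocks the loopback names
# (blocking "localhost" would break the resolver host itself).
# Answers with 0.0.0.0 rather than 127.0.0.1 so blocked requests do not
# land on a web server running on the same machine.
hosts_to_unbound() {
    awk '
    /^[[:space:]]*#/ || NF == 0 { next }
    {
        for (i = 2; i <= NF; i++) {
            h = tolower($i)
            if (h ~ /^#/) break
            if (h == "localhost" || h == "localhost.localdomain" ||
                h == "broadcasthost" || h ~ /^ip6-/) continue
            if (seen[h]++) continue
            printf "local-zone: \"%s.\" redirect\n", h
            printf "local-data: \"%s. A 0.0.0.0\"\n", h
        }
    }'
}

# Number of blocked hosts the sample produces (used as a self-check).
blocked_count() {
    sample_blocklist | hosts_to_unbound | grep -c '^local-data:'
}

# lan_host_records NAME IPV4: forward and reverse record from one source of truth.
lan_host_records() {
    case "$2" in
        *[!0-9.]*|'') echo "lan_host_records: bad IPv4 '$2'" >&2; return 1 ;;
    esac
    printf 'local-data: "%s. IN A %s"\n' "$1" "$2"
    printf 'local-data-ptr: "%s %s"\n' "$2" "$1"
}

# render_conf: server clause with privilege drop, chroot, DNSSEC anchor, LAN ACL,
# a static local zone and the blocklist include. Check it with unbound-checkconf.
render_conf() {
    cat <<EOF
server:
    interface: 0.0.0.0
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse
    username: "unbound"
    directory: "/etc/unbound"
    chroot: "/etc/unbound"
    root-hints: "/etc/unbound/root.hints"
    auto-trust-anchor-file: "/etc/unbound/root.key"
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    private-address: 192.168.0.0/16
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-domain: "home.lan"
    local-zone: "home.lan." static
$(lan_host_records tardis.home.lan 192.168.1.11 | sed 's/^/    /')
    include: "/etc/unbound/local-blocking-data.conf"
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
EOF
}
```

Usage: feed the real hosts file through hosts_to_unbound into /etc/unbound/local-blocking-data.conf, write render_conf to /etc/unbound/unbound.conf, then run unbound-checkconf /etc/unbound/unbound.conf before starting. Because the server chroots to /etc/unbound and drops to the unbound user, every file it touches at runtime must live under that directory and be owned by that user, in particular root.key, which Unbound rewrites when the root trust anchor rolls over; that is why the chown -R step above matters. After start-up, unbound-host -v -C /etc/unbound/unbound.conf iana.org should report the answer as (secure), and a name from the blocklist should resolve to 0.0.0.0.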
Man.... kopri, this is excellent! Very high quality post. It's clear, concise and yet very descriptive; just the right amount of information :)
Brilliant job, I'll absolutely be implementing this on my firewall/router once I have it built.
Unixhub really makes me considering a selfbuilt firewallmodemrouteraccesspointbox with BSD. Thanks kopri!
Good tutorial!
It's true that blocking ads/spyware/adware by hosts does speed up the browsing. I run adsuck on my machine and it has considerably changed the browsing experience. Adsuck supports regex and it is supposed, from the man page, to be faster than the normal hosts file. The hosts file that I have is huge, pretty experimental, and blocks hosts that some individuals might want to visit. It's radical but it's a better solution for me to unblock the hosts that I really want little by little. (You can find it on GH if you want to try it.) I also wanted to have a cookie whitelist until I found that it was already implemented in Firefox. On a side note, lifting the weight from the browser can have its good points. Let the browser do the browsing and only that. For adblocking you can use a DNS server like kopri did or use adsuck, for downloading you can use external download managers like aria2 and axel, for viewing sources you can use your favorite text editor, for web request analysis you can use Burp Suite, and so on... Keep up the awesomeness!
I agree with Venam, a browser is for surfing, and it will do it better if that's what it focuses on. Thanks for the compliments guys!
Very good post kopri :)
Good job! Kopri, I love this article :-)
Is there any interest in a tutorial on Lighttpd? It's a light, secure web server; I could write a tutorial on setting up and securing it.
You know we read nearly everything.
That's true haha.
great post,
I've taken some pointers and am using a larger resource to block ads ( http://hosts.eladkarako.com/hosts.txt ); it also removes YouTube commercials.
(19-09-2014, 02:30 AM)eladkarako Wrote: great post,

I'm getting a 403 error (Forbidden).
(19-09-2014, 02:42 AM)venam Wrote: I'm getting a 403 error (Forbidden).

Should be OK now. By the way, you can now also access it on GitHub (much faster); I update it at the same time as when I'm uploading the update to http://hosts.eladkarako.com and here it is: https://github.com/eladkarako/hosts.eladkarako.com