Authoritative, validating, recursive caching DNS with DNSSEC - Security & Cryptography

Users browsing this thread: 1 Guest(s)
Long time nixers
Today I'm going to walk you through the installation of Unbound. Unbound is a validating, recursive, and caching DNS resolver. Unbound is designed as a set of modular components, so that also DNSSEC (secure DNS) validation and stub-resolvers (that do not run as a server, but are linked into an application) are easily possible. In addition to setting up Unbound with DNSSEC I'm going to show you how to use Unbound to block ads, spyware, and otherwise nasty stuff. Doing so saves you bandwidth and browser speed since unlike Adblock Plus you are never communicating with the ad's server at all.

Getting started you're going to want to of course install Unbound!

On Debian based distros:
sudo apt-get install unbound

On BSD based systems as root:
cd /usr/ports/dns/unbound && make install clean]
pkg_add -r unbound

You can even install from source, but alas I'm not going to walk you through installing something from source, sorry!

Okay now you've got unbound installed there are some steps we need to take before we start configuration. Root-hints: is the file which contains the listing of primary root DNS servers. Unbound does have a listing of root DNS servers in its code, but if you want to make sure you are completely up to date we should obtain our own. It's up to you, but I normally update my root-hints every couple months.

To query a hostname Unbound has to start at the top at the root DNS servers and work its way down to the authoritative servers (see the definition of a resolving DNS server above). Download a copy of the root hints from Internic and place it in the /etc/unbound/root.hints file. This file will be called by the root-hints: directive in the unbound.conf file. To obtain this file we will use wget! Must run as root or use sudo!
wget ftp://FTP.INTERNIC.NET/domain/named.cache -O /etc/unbound/root.hints

Next the auto-trust-anchor! This file which contains the key for the root server so DNSSEC can be validated. We need to tell Unbound that we trust the root server so it can start to develop a chain of trust down to the hostname we want resolved and validated using DNSSEC. Again this command must be run with root privileges! Unbound has a tool to get a trust anchor just run:

Are we there yet? NO! You don't want a non configured, non ad blocking Domain Name Server that does not even map your internal LAN DO YOU!? Did no think so, hold on to your neckbeards and read on!

Next we are going to head over to Github and grab the unbound-block-hosts script.

"Dan Pollock ( maintains a hosts file that can be used by individual users to block hosts that contain advertisements, spyware, web trackers and other unpleasant, annoying or malicious content.

This script converts this file into a format that can be loaded into the Unbound DNS server, allowing this list to be consumed by an entire network, or by devices (such as smart phones and tablets) which don't support a local hosts file." To use this script just run it with root privileges and it will convert the host file to the correct format and place it where it needs to be /etc/unbound/local-blocking-data.conf.

Okay guys only two more steps before you can call yourself awesome! Now on to the configuration file! I don't have to tell you to have root again do I?
cd /etc/unbound && touch unbound.conf

Now I'm only going to explain a few things the rest is commented or you can research on your own. My configuration includes a lot of performance optimization so don't worry if you are planning on putting this on a production server.

Read through and change to fit your network settings as needed, it is commented pretty well.

As you can see I have set up Unbound to run with lower privileges and so it cannot access anything outside of /etc/unbound if compromised, and will only have normal user rights. During the install it should have created a user named "unbound" if not adduser and create one. Make sure to chown -R unbound /etc/unbound once all files are in the right place.

Now take a look at the configuration in the private-domain area. Here you can give out domain names to any computer in you LAN. Change the private-domain to what you want make sure to change the local-zone to match. As you can see mine is "home.lan" Now
local-data:     "tardis.home.lan.   IN A"
and match that with
local-data-ptr: "      tardis.home.lan"
Obviously change the tardis.home.lan to your hostname.home.lan and match your ip address as well. Continue this step with all the hosts you want to have domain names on you LAN. Viola I can now type router.home.lan to bring up my router interface etc.

The last step! We want to be able to do more than start and stop Unbound! To be able to view it's stats etc we need to set up remote-control. Even if you just want to control it from the server itself you still need to do this step. In unbound.conf you will see
# Enable remote-control

control-enable: yes
Under that change "control-interface:" to the remote IP address you want to allow control too. I keep it at so I can control it from the server itself. Now run

to generate the necessary TLS key files (they are put in the default install directory)

NOW YOU ARE READY MY SON! Start Unbound and configure your firewall to allow port 53 out! Point the nodes you want to use your DNS to your IP address and BAM! DNSSEC and no more annoying ads!

By the way this is very low resource. I have this running on my desktop along with a web server with no discernible performance loss. It has boosted my internet browsing speed though!

Messages In This Thread
Authoritative, validating, recursive caching DNS with DNSSEC - by kopri - 22-08-2013, 09:10 PM