Unbound: Difference between revisions

(9 intermediate revisions by 3 users not shown)

Line 1:

~~{{Expansion}}~~

[https://www.nlnetlabs.nl/projects/unbound/about/ Unbound] is a DNS server. Quoting the official project page:

Unbound is a DNS server. Quoting the official project page:

Unbound is a validating, recursive, caching DNS resolver. It is designed to be fast and lean and incorporates modern features based on open standards.~~<ref>https://www~~.~~nlnetlabs~~.~~nl/projects/unbound/about/</ref>~~

Unbound is a validating, recursive, caching DNS resolver. It is designed to be fast and lean and incorporates modern features based on open standards.

== Minimal configuration. DNS resolver ==

In this case our DNS queries are not encrypted upstream because the internet root name servers do not support DNS-over-TLS (DoT) or DNS-over-HTTPS (DoH).

~~== Example configuration ==~~

services.unbound = {

enable = true;

settings ~~= {~~

# next line is optional (RFC7816)

server ~~= {~~

settings.server.qname-minimisation = true;

~~# When only using Unbound as DNS, make sure to replace 127~~.~~0.0.1 with your ip address~~

};

~~# When using Unbound in combination with pi~~-~~hole or Adguard, leave 127.0.0.1, and point Adguard to 127.0.0.1:PORT~~

</syntaxhighlight>

~~interface~~ = ~~[ "127.0.0.1" ]~~;

~~port = 5335~~;

Test if it's working

~~access-control = [ "127~~.0.0.~~1 allow" ];~~

~~# Based on recommended settings in https:~~/~~/docs~~.~~pi-hole~~.~~net~~/~~guides~~/~~dns~~/~~unbound~~/~~#configure-unbound~~

~~harden-glue = true;~~

$ nslookup nixos.org localhost

~~harden-dnssec-stripped = true;~~

$ systemctl status unbound.service

~~use-caps-for-id = false;~~

$ cat /etc/unbound/unbound.conf

~~prefetch = true;~~

</syntaxhighlight>

~~edns-buffer-size = 1232;~~

If during the configuration our computer stops resolving DNS and we lose connectivity, we can manually set the line <code>nameserver 9.9.9.9</code> doing <code>sudo nano /etc/resolv.conf</code>. Now we can rebuild our system.

~~# Custom settings~~

== DNS forwarder with blocklists ==

~~hide~~-~~identity~~ = ~~true;~~

~~hide-version~~ = true;

In this configuration we are using DoT to reach Quad9 and Cloudflare public DNS resolvers, in addition, we are filtering the results with a list that blocks adds and improves privacy and security (as Pi-hole does).

};

~~forward-zone~~ = [

# ~~Example config with quad9~~

services.unbound = {

{

enable = true;

~~name~~ = ".";

~~forward~~-~~addr~~ = [

settings.server = {

~~"9.9.9.9#dns.quad9.net~~"

# Our Unbound server IP

~~"149.112.112~~.~~112#dns~~.~~quad9~~.~~net~~"

interface = [ "192.168.1.2" ];

];

# IPs allowed to query

~~forward-tls-upstream = true;~~ # ~~Protected DNS~~

access-control = [ "192.168.1.0/24 allow" ];

}

# Enable RPZ

];

module-config = "'respip validator iterator'";

};

settings.rpz = [{

name = "hageziPro";

url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/pro.txt";

}];

settings.forward-zone = [{

name = ".";

forward-tls-upstream = true;

forward-addr = [

"9.9.9.9@853#dns.quad9.net"

"149.112.112.112@853#dns.quad9.net"

"1.1.1.1@853#cloudflare-dns.com"

"1.0.0.1@853#cloudflare-dns.com"

];

}];

};

</syntaxhighlight>

Line 46:

Line 65:

* https://unbound.docs.nlnetlabs.nl/en/latest/

* [https://wiki.archlinux.org/title/Unbound ArchWiki page]

~~== References ==~~

[[Category:Networking]]

[[Category:Server]]

[[Category:DNS]]

@@ Line 1: / Line 1: @@
-{{Expansion}}
+[https://www.nlnetlabs.nl/projects/unbound/about/ Unbound] is a DNS server. Quoting the official project page:
-Unbound is a DNS server. Quoting the official project page:
-Unbound is a validating, recursive, caching DNS resolver. It is designed to be fast and lean and incorporates modern features based on open standards.<ref>https://www.nlnetlabs.nl/projects/unbound/about/</ref>
+Unbound is a validating, recursive, caching DNS resolver. It is designed to be fast and lean and incorporates modern features based on open standards.
+== Minimal configuration. DNS resolver ==
+In this case our DNS queries are not encrypted upstream because the internet root name servers do not support DNS-over-TLS (DoT) or DNS-over-HTTPS (DoH).
-== Example configuration ==
 <syntaxhighlight lang="nixos">
 services.unbound = {
-    enable = true;
+  enable = true;
-    settings = {
+  # next line is optional (RFC7816)
-      server = {
+  settings.server.qname-minimisation = true;
-        # When only using Unbound as DNS, make sure to replace 127.0.0.1 with your ip address
+};
-        # When using Unbound in combination with pi-hole or Adguard, leave 127.0.0.1, and point Adguard to 127.0.0.1:PORT
+</syntaxhighlight>
-        interface = [ "127.0.0.1" ];
-        port = 5335;
+Test if it's working
-        access-control = [ "127.0.0.1 allow" ];
-        # Based on recommended settings in https://docs.pi-hole.net/guides/dns/unbound/#configure-unbound
+<syntaxhighlight>
-        harden-glue = true;
+$ nslookup nixos.org localhost
-        harden-dnssec-stripped = true;
+$ systemctl status unbound.service
-        use-caps-for-id = false;
+$ cat /etc/unbound/unbound.conf
-        prefetch = true;
+</syntaxhighlight>
-        edns-buffer-size = 1232;
+If during the configuration our computer stops resolving DNS and we lose connectivity, we can manually set the line <code>nameserver 9.9.9.9</code> doing <code>sudo nano /etc/resolv.conf</code>. Now we can rebuild our system.
-        # Custom settings
+== DNS forwarder with blocklists ==
-        hide-identity = true;
-        hide-version = true;
+In this configuration we are using DoT to reach Quad9 and Cloudflare public DNS resolvers, in addition, we are filtering the results with a list that blocks adds and improves privacy and security (as Pi-hole does).
-      };
-      forward-zone = [
+<syntaxhighlight lang="nixos">
-        # Example config with quad9
+services.unbound = {
-        {
+  enable = true;
-          name = ".";
-          forward-addr = [
+  settings.server = {
-            "9.9.9.9#dns.quad9.net"
+    # Our Unbound server IP
-            "149.112.112.112#dns.quad9.net"
+    interface = [ "192.168.1.2" ];
-          ];
+    # IPs allowed to query
-          forward-tls-upstream = true;  # Protected DNS
+    access-control = [ "192.168.1.0/24 allow" ];
-        }
+    # Enable RPZ
-      ];
+     module-config = "'respip validator iterator'";
-     };
    };
+  settings.rpz = [{
+    name = "hageziPro";
+    url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/pro.txt";
+  }];
+  settings.forward-zone = [{
+    name = ".";
+    forward-tls-upstream = true;
+    forward-addr = [
+      "9.9.9.9@853#dns.quad9.net"
+      "149.112.112.112@853#dns.quad9.net"
+      "1.1.1.1@853#cloudflare-dns.com"
+      "1.0.0.1@853#cloudflare-dns.com"
+    ];
+  }];
+};
 </syntaxhighlight>
@@ Line 46: / Line 65: @@
 * https://unbound.docs.nlnetlabs.nl/en/latest/
 * [https://wiki.archlinux.org/title/Unbound ArchWiki page]
-== References ==
 [[Category:Networking]]
 [[Category:Server]]
 [[Category:DNS]]