Unbound: Difference between revisions

(7 intermediate revisions by 2 users not shown)

Line 3:

Unbound is a validating, recursive, caching DNS resolver. It is designed to be fast and lean and incorporates modern features based on open standards.

== ~~Example~~ configuration ==

== Minimal configuration. DNS resolver ==

In this case our DNS queries are not encrypted upstream because the internet root name servers do not support DNS-over-TLS (DoT) or DNS-over-HTTPS (DoH).

services.unbound = {

enable = true;

settings = {

# next line is optional (RFC7816)

~~server = {~~

settings.server.qname-minimisation = true;

~~# When only using Unbound as DNS, make sure to replace 127~~.0.0.~~1 with your ip address~~

};

~~# When using Unbound in combination with pi-hole or Adguard~~, ~~leave 127~~.0.0.~~1, and point Adguard to 127~~.0.0.~~1:PORT~~

</syntaxhighlight>

~~interface~~ = ~~[ "127.0.0~~.~~1" ];~~

~~port = 5335;~~

Test if it's working

~~access-control~~ = [ "~~127.0.0.1 allow~~" ];

~~# See `man~~ unbound~~.conf`~~

~~prefetch~~ = ~~true;~~

$ nslookup nixos.org localhost

~~hide-identity = true;~~

$ systemctl status unbound.service

~~hide-version~~ = true;

$ cat /etc/unbound/unbound.conf

};

</syntaxhighlight>

~~forward-zone~~ = [

# ~~Example config with quad9~~

If during the configuration our computer stops resolving DNS and we lose connectivity, we can manually set the line <code>nameserver 9.9.9.9</code> doing <code>sudo nano /etc/resolv.conf</code>. Now we can rebuild our system.

{

~~name~~ = ".";

== DNS forwarder with blocklists ==

~~forward~~-~~addr~~ = [

"~~9.9~~.9.~~9#dns~~.~~quad9.net"~~

In this configuration we are using DoT to reach Quad9 and Cloudflare public DNS resolvers, in addition, we are filtering the results with a list that blocks adds and improves privacy and security (as Pi-hole does).

~~"149.112.112.112#dns.quad9.net~~"

];

~~forward-tls-upstream = true;~~ # ~~Protected DNS~~

services.unbound = {

}

enable = true;

];

};

settings.server = {

# Our Unbound server IP

interface = [ "192.168.1.2" ];

# IPs allowed to query

access-control = [ "192.168.1.0/24 allow" ];

# Enable RPZ

module-config = "'respip validator iterator'";

};

settings.rpz = [{

name = "hageziPro";

url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/pro.txt";

}];

settings.forward-zone = [{

name = ".";

forward-tls-upstream = true;

forward-addr = [

"9.9.9.9@853#dns.quad9.net"

"149.112.112.112@853#dns.quad9.net"

"1.1.1.1@853#cloudflare-dns.com"

"1.0.0.1@853#cloudflare-dns.com"

];

}];

};

</syntaxhighlight>

@@ Line 3: / Line 3: @@
 Unbound is a validating, recursive, caching DNS resolver. It is designed to be fast and lean and incorporates modern features based on open standards.
-== Example configuration ==
+== Minimal configuration. DNS resolver ==
+In this case our DNS queries are not encrypted upstream because the internet root name servers do not support DNS-over-TLS (DoT) or DNS-over-HTTPS (DoH).
 <syntaxhighlight lang="nixos">
 services.unbound = {
-    enable = true;
+  enable = true;
-    settings = {
+  # next line is optional (RFC7816)
-      server = {
+  settings.server.qname-minimisation = true;
-        # When only using Unbound as DNS, make sure to replace 127.0.0.1 with your ip address
+};
-        # When using Unbound in combination with pi-hole or Adguard, leave 127.0.0.1, and point Adguard to 127.0.0.1:PORT
+</syntaxhighlight>
-        interface = [ "127.0.0.1" ];
-        port = 5335;
+Test if it's working
-        access-control = [ "127.0.0.1 allow" ];
-        # See `man unbound.conf`
+<syntaxhighlight>
-        prefetch = true;
+$ nslookup nixos.org localhost
-        hide-identity = true;
+$ systemctl status unbound.service
-        hide-version = true;
+$ cat /etc/unbound/unbound.conf
-      };
+</syntaxhighlight>
-      forward-zone = [
-        # Example config with quad9
+If during the configuration our computer stops resolving DNS and we lose connectivity, we can manually set the line <code>nameserver 9.9.9.9</code> doing <code>sudo nano /etc/resolv.conf</code>. Now we can rebuild our system.
-        {
-          name = ".";
+== DNS forwarder with blocklists ==
-          forward-addr = [
-            "9.9.9.9#dns.quad9.net"
+In this configuration we are using DoT to reach Quad9 and Cloudflare public DNS resolvers, in addition, we are filtering the results with a list that blocks adds and improves privacy and security (as Pi-hole does).
-            "149.112.112.112#dns.quad9.net"
-          ];
+<syntaxhighlight lang="nixos">
-          forward-tls-upstream = true;  # Protected DNS
+services.unbound = {
-        }
+  enable = true;
-      ];
-     };
+  settings.server = {
+    # Our Unbound server IP
+    interface = [ "192.168.1.2" ];
+    # IPs allowed to query
+    access-control = [ "192.168.1.0/24 allow" ];
+    # Enable RPZ
+     module-config = "'respip validator iterator'";
    };
+  settings.rpz = [{
+    name = "hageziPro";
+    url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/pro.txt";
+  }];
+  settings.forward-zone = [{
+    name = ".";
+    forward-tls-upstream = true;
+    forward-addr = [
+      "9.9.9.9@853#dns.quad9.net"
+      "149.112.112.112@853#dns.quad9.net"
+      "1.1.1.1@853#cloudflare-dns.com"
+      "1.0.0.1@853#cloudflare-dns.com"
+    ];
+  }];
+};
 </syntaxhighlight>