Unbound: Difference between revisions

(4 intermediate revisions by one other user not shown)

Line 5:

== Minimal configuration. DNS resolver ==

In this case our DNS queries ~~upstream~~ are not encrypted.

In this case our DNS queries are not encrypted upstream because the internet root name servers do not support DNS-over-TLS (DoT) or DNS-over-HTTPS (DoH).

services.unbound = {

enable = true;

settings.server.qname-minimisation = true; ~~# optional~~

# next line is optional (RFC7816)

settings.server.qname-minimisation = true;

};

</syntaxhighlight>

Line 17:

Line 18:

$ nslookup nixos.org localhost

$ systemctl status unbound.service

$ ~~nslookup nixos~~.~~org localhost~~

$ cat /etc/unbound/unbound.conf

</syntaxhighlight>

If during the configuration our computer stops resolving DNS and we lose connectivity, we can manually set the line <code>nameserver 9.9.9.9</code> doing <code>sudo nano /etc/resolv.conf</code>. Now we can rebuild our system.

== DNS forwarder with blocklists ==

In this ~~case~~ we are using ~~DoH~~ to Quad9 and Cloudflare public DNS resolvers ~~and~~ filtering with a ~~blocklist~~ as Pi-~~Hole~~ does.

In this configuration we are using DoT to reach Quad9 and Cloudflare public DNS resolvers, in addition, we are filtering the results with a list that blocks adds and improves privacy and security (as Pi-hole does).

services.unbound = {

enable = true;

settings.server.module.config = "'respip validator iterator'"; ~~# RPZ~~

settings.server = {

# Our Unbound server IP

interface = [ "192.168.1.2" ];

# IPs allowed to query

access-control = [ "192.168.1.0/24 allow" ];

# Enable RPZ

module-config = "'respip validator iterator'";

};

settings.rpz = [{

name = "~~blocklist_hageziPro~~";

name = "hageziPro";

url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/pro.txt";

}]

}];

settings.forward-zone = [{

name = ".";

forward-tls-upstream = true;

forward-addr = [

"9.9.9.9@853#dns.quad9.net";

"9.9.9.9@853#dns.quad9.net"

"149.112.112.112@853#dns.quad9.net"

"1.1.1.1@853#cloudflare-dns.com";

"1.1.1.1@853#cloudflare-dns.com"

"1.0.0.1@853#cloudflare-dns.com";

"1.0.0.1@853#cloudflare-dns.com"

]

];

}];

};

</syntaxhighlight>

@@ Line 5: / Line 5: @@
 == Minimal configuration. DNS resolver ==
-In this case our DNS queries upstream are not encrypted.
+In this case our DNS queries are not encrypted upstream because the internet root name servers do not support DNS-over-TLS (DoT) or DNS-over-HTTPS (DoH).
 <syntaxhighlight lang="nixos">
 services.unbound = {
-    enable = true;
+  enable = true;
-    settings.server.qname-minimisation = true;   # optional
+  # next line is optional (RFC7816)
+  settings.server.qname-minimisation = true;
 };
 </syntaxhighlight>
@@ Line 17: / Line 18: @@
 <syntaxhighlight>
+$ nslookup nixos.org localhost
 $ systemctl status unbound.service
-$ nslookup nixos.org localhost
+$ cat /etc/unbound/unbound.conf
 </syntaxhighlight>
+If during the configuration our computer stops resolving DNS and we lose connectivity, we can manually set the line <code>nameserver 9.9.9.9</code> doing <code>sudo nano /etc/resolv.conf</code>. Now we can rebuild our system.
 == DNS forwarder with blocklists ==
-In this case we are using DoH to Quad9 and Cloudflare public DNS resolvers and filtering with a blocklist as Pi-Hole does.
+In this configuration we are using DoT to reach Quad9 and Cloudflare public DNS resolvers, in addition, we are filtering the results with a list that blocks adds and improves privacy and security (as Pi-hole does).
 <syntaxhighlight lang="nixos">
 services.unbound = {
-    enable = true;
+  enable = true;
-    settings.server.module.config = "'respip validator iterator'"; # RPZ
+  settings.server = {
+    # Our Unbound server IP
+    interface = [ "192.168.1.2" ];
+    # IPs allowed to query
+    access-control = [ "192.168.1.0/24 allow" ];
+    # Enable RPZ
+    module-config = "'respip validator iterator'";
+  };
-    settings.rpz = [{
+  settings.rpz = [{
-        name = "blocklist_hageziPro";
+    name = "hageziPro";
-        url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/pro.txt";
+    url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/pro.txt";
-    }]
+  }];
-    settings.forward-zone = [{
+  settings.forward-zone = [{
-        name = ".";
+    name = ".";
-        forward-tls-upstream = true;
+    forward-tls-upstream = true;
-        forward-addr = [
+    forward-addr = [
-            "9.9.9.9@853#dns.quad9.net";
+      "9.9.9.9@853#dns.quad9.net"
-            "149.112.112.112@853#dns.quad9.net"
+      "149.112.112.112@853#dns.quad9.net"
-            "1.1.1.1@853#cloudflare-dns.com";
+      "1.1.1.1@853#cloudflare-dns.com"
-            "1.0.0.1@853#cloudflare-dns.com";
+      "1.0.0.1@853#cloudflare-dns.com"
-        ]
+    ];
-    }];
+  }];
 };
 </syntaxhighlight>