Unbound: Difference between revisions

(3 intermediate revisions by one other user not shown)

Line 5:

== Minimal configuration. DNS resolver ==

In this case our DNS queries are not encrypted upstream because the root servers do not support DNS-over-TLS (DoT) or DNS-over-HTTPS (DoH).

In this case our DNS queries are not encrypted upstream because the internet root name servers do not support DNS-over-TLS (DoT) or DNS-over-HTTPS (DoH).

services.unbound = {

enable = true;

# ~~nex~~ line is optional (RFC7816)

# next line is optional (RFC7816)

settings.server.qname-minimisation = true;

};

Line 27:

== DNS forwarder with blocklists ==

In this configuration we are using DoT to Quad9 and Cloudflare public DNS resolvers, ~~plus~~, we are ~~applying an Ad blocker~~ list (as Pi-hole does).

In this configuration we are using DoT to reach Quad9 and Cloudflare public DNS resolvers, in addition, we are filtering the results with a list that blocks adds and improves privacy and security (as Pi-hole does).

Line 37:

interface = [ "192.168.1.2" ];

# IPs allowed to query

access-control = [ "192.168.1.0/24" ~~allow~~ ];

access-control = [ "192.168.1.0/24 allow" ];

# Enable RPZ

module.config = "'respip validator iterator'";

module-config = "'respip validator iterator'";

};

Line 45:

name = "hageziPro";

url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/pro.txt";

}]

}];

settings.forward-zone = [{

Line 51:

forward-tls-upstream = true;

forward-addr = [

"9.9.9.9@853#dns.quad9.net";

"9.9.9.9@853#dns.quad9.net"

"149.112.112.112@853#dns.quad9.net"

"1.1.1.1@853#cloudflare-dns.com";

"1.1.1.1@853#cloudflare-dns.com"

"1.0.0.1@853#cloudflare-dns.com";

"1.0.0.1@853#cloudflare-dns.com"

]

];

}];

};

@@ Line 5: / Line 5: @@
 == Minimal configuration. DNS resolver ==
-In this case our DNS queries are not encrypted upstream because the root servers do not support DNS-over-TLS (DoT) or DNS-over-HTTPS (DoH).
+In this case our DNS queries are not encrypted upstream because the internet root name servers do not support DNS-over-TLS (DoT) or DNS-over-HTTPS (DoH).
 <syntaxhighlight lang="nixos">
 services.unbound = {
    enable = true;
-   # nex line is optional (RFC7816)
+   # next line is optional (RFC7816)
    settings.server.qname-minimisation = true;
 };
@@ Line 27: / Line 27: @@
 == DNS forwarder with blocklists ==
-In this configuration we are using DoT to Quad9 and Cloudflare public DNS resolvers, plus, we are applying an Ad blocker list (as Pi-hole does).
+In this configuration we are using DoT to reach Quad9 and Cloudflare public DNS resolvers, in addition, we are filtering the results with a list that blocks adds and improves privacy and security (as Pi-hole does).
 <syntaxhighlight lang="nixos">
@@ Line 37: / Line 37: @@
      interface = [ "192.168.1.2" ];
      # IPs allowed to query
-     access-control = [ "192.168.1.0/24" allow ];
+     access-control = [ "192.168.1.0/24 allow" ];
      # Enable RPZ
-     module.config = "'respip validator iterator'";
+     module-config = "'respip validator iterator'";
    };
@@ Line 45: / Line 45: @@
      name = "hageziPro";
      url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/pro.txt";
-   }]
+   }];
    settings.forward-zone = [{
@@ Line 51: / Line 51: @@
      forward-tls-upstream = true;
      forward-addr = [
-       "9.9.9.9@853#dns.quad9.net";
+       "9.9.9.9@853#dns.quad9.net"
        "149.112.112.112@853#dns.quad9.net"
-       "1.1.1.1@853#cloudflare-dns.com";
+       "1.1.1.1@853#cloudflare-dns.com"
-       "1.0.0.1@853#cloudflare-dns.com";
+       "1.0.0.1@853#cloudflare-dns.com"
-     ]
+     ];
    }];
 };