Unbound: Difference between revisions
DNS resolver and DNS forwarder with a blocklist |
Correcting typos, improving explanations and adding options |
||
| Line 5: | Line 5: | ||
== Minimal configuration. DNS resolver == | == Minimal configuration. DNS resolver == | ||
In this case our DNS queries | In this case our DNS queries are not encrypted upstream because the root servers do not support DNS-over-TLS (DoT) or DNS-over-HTTPS (DoH). | ||
<syntaxhighlight lang="nixos"> | <syntaxhighlight lang="nixos"> | ||
services.unbound = { | services.unbound = { | ||
enable = true; | |||
# nex line is optional (RFC7816) | |||
settings.server.qname-minimisation = true; | |||
}; | }; | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| Line 17: | Line 18: | ||
<syntaxhighlight> | <syntaxhighlight> | ||
$ nslookup nixos.org localhost | |||
$ systemctl status unbound.service | $ systemctl status unbound.service | ||
$ | $ cat /etc/unbound/unbound.conf | ||
</syntaxhighlight> | </syntaxhighlight> | ||
If during the configuration our computer stops resolving DNS and we lose connectivity, we can manually set the line <code>nameserver 9.9.9.9</code> doing <code>sudo nano /etc/resolv.conf</code>. Now we can rebuild our system. | |||
== DNS forwarder with blocklists == | == DNS forwarder with blocklists == | ||
In this | In this configuration we are using DoT to Quad9 and Cloudflare public DNS resolvers, plus, we are applying an Ad blocker list (as Pi-hole does). | ||
<syntaxhighlight lang="nixos"> | <syntaxhighlight lang="nixos"> | ||
services.unbound = { | services.unbound = { | ||
enable = true; | |||
settings.server = { | |||
# Our Unbound server IP | |||
interface = [ "192.168.1.2" ]; | |||
# IPs allowed to query | |||
access-control = [ "192.168.1.0/24" allow ]; | |||
# Enable RPZ | |||
module.config = "'respip validator iterator'"; | |||
}; | |||
settings.rpz = [{ | |||
name = "hageziPro"; | |||
url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/pro.txt"; | |||
}] | |||
settings.forward-zone = [{ | |||
name = "."; | |||
forward-tls-upstream = true; | |||
forward-addr = [ | |||
"9.9.9.9@853#dns.quad9.net"; | |||
"149.112.112.112@853#dns.quad9.net" | |||
"1.1.1.1@853#cloudflare-dns.com"; | |||
"1.0.0.1@853#cloudflare-dns.com"; | |||
] | |||
}]; | |||
}; | }; | ||
</syntaxhighlight> | </syntaxhighlight> | ||
Revision as of 11:27, 24 March 2026
Unbound is a DNS server. Quoting the official project page:
Unbound is a validating, recursive, caching DNS resolver. It is designed to be fast and lean and incorporates modern features based on open standards.
Minimal configuration. DNS resolver
In this case our DNS queries are not encrypted upstream because the root servers do not support DNS-over-TLS (DoT) or DNS-over-HTTPS (DoH).
services.unbound = {
enable = true;
# nex line is optional (RFC7816)
settings.server.qname-minimisation = true;
};
Test if it's working
$ nslookup nixos.org localhost
$ systemctl status unbound.service
$ cat /etc/unbound/unbound.confIf during the configuration our computer stops resolving DNS and we lose connectivity, we can manually set the line nameserver 9.9.9.9 doing sudo nano /etc/resolv.conf. Now we can rebuild our system.
DNS forwarder with blocklists
In this configuration we are using DoT to Quad9 and Cloudflare public DNS resolvers, plus, we are applying an Ad blocker list (as Pi-hole does).
services.unbound = {
enable = true;
settings.server = {
# Our Unbound server IP
interface = [ "192.168.1.2" ];
# IPs allowed to query
access-control = [ "192.168.1.0/24" allow ];
# Enable RPZ
module.config = "'respip validator iterator'";
};
settings.rpz = [{
name = "hageziPro";
url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/rpz/pro.txt";
}]
settings.forward-zone = [{
name = ".";
forward-tls-upstream = true;
forward-addr = [
"9.9.9.9@853#dns.quad9.net";
"149.112.112.112@853#dns.quad9.net"
"1.1.1.1@853#cloudflare-dns.com";
"1.0.0.1@853#cloudflare-dns.com";
]
}];
};