The main documentation repository for the 🍭☁️ https://lollipopcloud.solutions
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

unbound.md 3.5KB

Unbound

Caching DNS that uses the roots instead of ISP/other DNS servers

Inspiration / Further Reading

Install / Base Setup


apt update
apt install unbound unbound-host

mkdir /etc/unbound/local_zone
curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache
cat > /etc/unbound/root.key <<EOF
. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
EOF
cat > /etc/unbound/unbound.conf <<EOF
server:
    interface: 127.0.0.1
    port: 53
    hide-identity: yes
    hide-version: yes
    num-threads: 1
    root-hints: "/etc/unbound/root.hints"
    cache-min-ttl: 60
    logfile: /var/log/unbound
    use-syslog: yes
    do-ip4: yes
    #do-ip6: no
    do-udp: yes
    do-tcp: yes
    domain-insecure: * # Comment this out if you have a proper RTC
    verbosity: 1
    minimal-responses: yes
    prefetch: yes
    rrset-roundrobin: yes
    use-caps-for-id: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    auto-trust-anchor-file: "/etc/unbound/root.key"
    val-clean-additional: yes
    local-zone: domain.tld typetransparent
    private-domain: "[domain.tld]"
    private-address: 192.168.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    access-control: 172.30.0.0/16 allow
    access-control: 172.16.16.0/24 allow
    access-control: 172.17.17.0/24 allow
    access-control: 172.18.18.0/24 allow

include: /etc/unbound/local_zone/*.conf

EOF

chown unbound /etc/unbound
systemctl enable unbound
systemctl start unbound

unbound-host -C /etc/unbound/unbound.conf -v sigok.verteiltesysteme.net
unbound-host -C /etc/unbound/unbound.conf -v sigfail.verteiltesysteme.net

cat > /etc/systemd/system/roothints.service <<EOF
[Unit]
Description=Update root hints for unbound
After=network.target

[Service]
ExecStart=/usr/bin/curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache
EOF

cat > /etc/systemd/system/roothints.timer <<EOF
[Unit]
Description=Run root.hints monthly

[Timer]
OnCalendar=monthly
Persistent=true

[Install]
WantedBy=timers.target
EOF

systemctl daemon-reload
systemctl enable roothints.timer
systemctl start roothints.timer

Setup Unbound to start after Docker

See here (link) for more details.

This is mainly here to ensure that unbound starts after the Docker network comes up as it’s configured to listen on the Docker network. It’ll fail to load/restart if the bind address isn’t present when it is started.


mkdir -p /etc/systemd/system/unbound.service.d/
cat > /etc/systemd/system/unbound.service.d/00-after-docker.conf <<EOF
[Unit]
Requires=docker.socket docker.service
After=docker.socket docker.service
Restart=always
RestartSec=5
EOF
systemctl daemon-reload

Setup all WAN connections to use this for dns cache

WiFi


nmcli con modify wan-wifi \
    ipv4.ignore-auto-dns yes \
    ipv6.ignore-auto-dns yes
nmcli con modify wan-wifi \
    ipv4.dns "127.0.0.1"

Ethernet


nmcli con modify wan-eth \
    ipv4.ignore-auto-dns yes \
    ipv6.ignore-auto-dns yes
nmcli con modify wan-eth \
    ipv4.dns "127.0.0.1"

USB 3G/LTE


nmcli con modify wan-wwan-1 \
    ipv4.ignore-auto-dns yes \
    ipv6.ignore-auto-dns yes
nmcli con modify wan-wwan-1 \
    ipv4.dns "127.0.0.1"