Setting up unbound DNS server: Difference between revisions

From Alpine Linux
m (added Pi-hole wikilink)
 
(14 intermediate revisions by 7 users not shown)
Line 1: Line 1:
[http://unbound.net/ Unbound] is a validating, recursive, and caching DNS resolver that supports DNSSEC.
[https://nlnetlabs.nl/projects/unbound/about/ Unbound] is a validating, recursive, and caching DNS resolver that supports DNSSEC.


= Install =
== Installation ==


Install the {{Pkg|unbound}} package:
Install the {{Pkg|unbound}} package: {{Cmd|# apk add unbound}}
{{Cmd|apk add unbound}}


= Configure =
== Configuration ==


The following configuration is an example of a caching name server (in a production server, it's recommended to adjust the access-control parameter to limit access to your network).  The forward-zone(s) section will forward all DNS queries to the specified servers.  Don't forget to change the 'interface' parameter to that of your local interface IP address (or 0.0.0.0 to listen on all local IPv4 interfaces).  The following is a minimal example with many options commented out.
The following configuration is an example of a caching name server (in a production server, it's recommended to adjust the access-control parameter to limit access to your network).  The forward-zone(s) section will forward all DNS queries to the specified servers.  Don't forget to change the 'interface' parameter to that of your local interface IP address (or 0.0.0.0 to listen on all local IPv4 interfaces).  The following is a minimal example with many options commented out:{{Cat|/etc/unbound/unbound.conf|<nowiki>server:
 
{{Path|/etc/unbound/unbound.conf}}
<pre>
server:
         verbosity: 1
         verbosity: 1
## Specify the interface address to listen on:
## Specify the interface address to listen on:
Line 62: Line 57:
         forward-addr: 4.2.2.1
         forward-addr: 4.2.2.1
         forward-addr: 4.2.2.4
         forward-addr: 4.2.2.4
</pre>
</nowiki>
}}
 
== Service management ==
 
Check the configuration file for errors:{{Cmd|$ unbound-checkconf}}
 
If no errors are reported, add the {{ic|unbound}} service to auto-start using [[OpenRC]]: {{Cmd|# rc-update add unbound default}}
 
{{ic|unbound}} service can be managed using standard start|stop|restart [[OpenRC]] commands. To start the service immediately:{{Cmd|# rc-service unbound start}}
 
== Testing ==
 
Test the working of DNS service as follows: {{Cmd|$ nslookup www.google.cz 10.0.0.1}}
or:
use {{ic|dig}} command from {{Pkg|bind-tools}} package:{{Cmd|$ dig dl-cdn.alpinelinux.org @10.0.0.1}}
or:
use {{ic|drill}} command from the {{Pkg|drill}} package: {{Cmd|$ drill www.bbc.co.uk @10.0.0.1}}


== root-hints ==
== root-hints ==
Instead of forwarding queries to a public DNS server, you may prefer to query the root DNS servers.  To do this, comment out the forwarding entries ("forward-zone" sections) in the config. Then, grab the latest root hints file using wget:
 
{{Cmd|wget -S -N https://www.internic.net/domain/named.cache -O /etc/unbound/root.hints}}
Instead of forwarding queries to a public DNS server, you may prefer to query the root DNS servers.  To do this, comment out the forwarding entries ("forward-zone" sections) in the config.  
And finally point unbound to the root hints file by adding the following line to the server section of the unbound config file:
 
=== Download root hints ===
 
Grab the latest root hints file using wget and place it the at {{Path|/etc/unbound/root.hints}} as follows: {{Cmd|# wget -S https://www.internic.net/domain/named.cache -O /etc/unbound/root.hints}}
 
=== Enable root hints ===
 
Point unbound to the root hints file by adding the following line to the server section of the unbound config file:
<pre>
<pre>
root-hints: "/etc/unbound/root.hints"
root-hints: "/etc/unbound/root.hints"
</pre>
</pre>
Restart unbound to ensure the changes take effect. You may wish to setup a [[FAQ#My cron jobs don.27t run.3F|cron job]] to update the root hints file occasionally.
[[#Service management|Restart unbound]] to ensure the changes take effect. You may wish to setup a [[Alpine_Linux:FAQ#Why_don't_my_cron_jobs_run?|cron job]] to update the root hints file occasionally.


== 0x20 bit ==
== 0x20 bit ==
Use of the [https://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00.html 0x20 bit] is considered experimental.  It makes use of an otherwise unused bit in a DNS packet to ask an authoritative server to respond with an answer mimicking the case used in the query.
 
Use of the [https://datatracker.ietf.org/doc/html/draft-vixie-dnsext-dns0x20-00.html 0x20 bit] is considered experimental.  It makes use of an otherwise unused bit in a DNS packet to ask an authoritative server to respond with an answer mimicking the case used in the query.
    
    
For example, when using this feature a query for www.google.com could appear in the request as www.google.com or Www.GoogLe.coM or WWW.GoOGlE.cOm or any other conbination of upper and lower case.  The authoritative server should respond with the same case.  This helps prevent DNS spoofing attacks.   
For example, when using this feature a query for www.google.com could appear in the request as www.google.com or Www.GoogLe.coM or WWW.GoOGlE.cOm or any other conbination of upper and lower case.  The authoritative server should respond with the same case.  This helps prevent DNS spoofing attacks.   
Line 83: Line 103:
</pre>
</pre>


= Set auto-start, start and test the daemon =
== See also ==
 
Check the configuration for errors:
{{Cmd|unbound-checkconf}}
if no errors are reported, set to auto-start then start unbound:
{{Cmd|rc-update add unbound
rc-service unbound start}}
Test. For example:
{{Cmd|dig nl.alpinelinux.org @10.0.0.1}}
or:
{{Cmd|nslookup www.google.cz 10.0.0.1}}
or use {{Pkg|drill}}:
{{Cmd|drill www.bbc.co.uk @10.0.0.1}}
 
= Further information =
unbound.conf man page [http://linux.die.net/man/5/unbound.conf here] or [http://unbound.net/documentation/unbound.conf.html here]
 
[http://unbound.net/documentation/howto_optimise.html unbound optimization guide]


[https://calomel.org/unbound_dns.html excellent unbound tutorial at calomel.org]
* [https://unbound.docs.nlnetlabs.nl/en/latest/ Official website]
* [[Using Unbound as an Ad-blocker]]
* [[Using Pi-hole with Unbound]]
* [https://linux.die.net/man/5/unbound.conf unbound.conf man page]
* [https://web.archive.org/web/20180508133447/https://unbound.net/documentation/howto_optimise.html unbound optimization guide]
* [https://calomel.org/unbound_dns.html excellent unbound tutorial at calomel.org]
* Wikipedia pages
** [https://en.wikipedia.org/wiki/Domain_Name_System DNS]
** [https://en.wikipedia.org/wiki/List_of_DNS_record_types record types]
** [https://en.wikipedia.org/wiki/Dns_zone zones]
** [https://en.wikipedia.org/wiki/Name_server name servers]
** [https://en.wikipedia.org/wiki/Dnssec DNSsec]  


General information via the Wikipedia pages on [https://en.wikipedia.org/wiki/Domain_Name_System DNS], [https://en.wikipedia.org/wiki/List_of_DNS_record_types record types], [https://en.wikipedia.org/wiki/Dns_zone zones], [https://en.wikipedia.org/wiki/Name_server name servers] and [https://en.wikipedia.org/wiki/Dnssec DNSsec]


[[Category:Networking]]
[[Category:Networking]]

Latest revision as of 07:55, 3 November 2025

Unbound is a validating, recursive, and caching DNS resolver that supports DNSSEC.

Installation

Install the unbound package:

# apk add unbound

Configuration

The following configuration is an example of a caching name server (in a production server, it's recommended to adjust the access-control parameter to limit access to your network). The forward-zone(s) section will forward all DNS queries to the specified servers. Don't forget to change the 'interface' parameter to that of your local interface IP address (or 0.0.0.0 to listen on all local IPv4 interfaces). The following is a minimal example with many options commented out:

Contents of /etc/unbound/unbound.conf

server: verbosity: 1 ## Specify the interface address to listen on: interface: 10.0.0.1 ## To listen on all interfaces use: # interface: 0.0.0.0 do-ip4: yes do-ip6: yes do-udp: yes do-tcp: yes do-daemonize: yes access-control: 0.0.0.0/0 allow ## Other access control examples #access-control: 192.168.1.0/24 action ## 'action' should be replaced by any one of: #deny (drop message) #refuse (sends a DNS rcode REFUSED error message back) #allow (recursive ok) #allow_snoop (recursive and nonrecursive ok). ## Minimum lifetime of cache entries in seconds. Default is 0. #cache-min-ttl: 60 ## Maximum lifetime of cached entries. Default is 86400 seconds (1 day). #cache-max-ttl: 172800 ## enable to prevent answering id.server and hostname.bind queries. hide-identity: yes ## enable to prevent answering version.server and version.bind queries. hide-version: yes ## default is to use syslog, which will log to /var/log/messages. use-syslog: yes ## to log elsewhere, set 'use-syslog' to 'no' and set the log file location below: #logfile: /var/log/unbound python: remote-control: control-enable: no ## Stub zones are like forward-zones (see below) but must contain only the authority server (no recursive servers) #stub-zone: # name: "my.test.com" # stub-addr: 172.16.1.1 # stub-addr: 172.16.1.2 ## Note: for forward-zones, the destination servers must be able to handle recursion to other DNS servers ## Forward all *.example.com queries to the server at 192.168.1.1 #forward-zone: # name: "example.com" # forward-addr: 192.168.1.1 ## Forward all other queries to the Verizon DNS servers forward-zone: name: "." ## Level3 Verizon forward-addr: 4.2.2.1 forward-addr: 4.2.2.4

Service management

Check the configuration file for errors:

$ unbound-checkconf

If no errors are reported, add the unbound service to auto-start using OpenRC:

# rc-update add unbound default

unbound service can be managed using standard start|stop|restart OpenRC commands. To start the service immediately:

# rc-service unbound start

Testing

Test the working of DNS service as follows:

$ nslookup www.google.cz 10.0.0.1

or:

use dig command from bind-tools package:

$ dig dl-cdn.alpinelinux.org @10.0.0.1

or:

use drill command from the drill package:

$ drill www.bbc.co.uk @10.0.0.1

root-hints

Instead of forwarding queries to a public DNS server, you may prefer to query the root DNS servers. To do this, comment out the forwarding entries ("forward-zone" sections) in the config.

Download root hints

Grab the latest root hints file using wget and place it the at /etc/unbound/root.hints as follows:

# wget -S https://www.internic.net/domain/named.cache -O /etc/unbound/root.hints

Enable root hints

Point unbound to the root hints file by adding the following line to the server section of the unbound config file: 

root-hints: "/etc/unbound/root.hints"

Restart unbound to ensure the changes take effect. You may wish to setup a cron job to update the root hints file occasionally.

0x20 bit

Use of the 0x20 bit is considered experimental. It makes use of an otherwise unused bit in a DNS packet to ask an authoritative server to respond with an answer mimicking the case used in the query.

For example, when using this feature a query for www.google.com could appear in the request as www.google.com or Www.GoogLe.coM or WWW.GoOGlE.cOm or any other conbination of upper and lower case. The authoritative server should respond with the same case. This helps prevent DNS spoofing attacks.

In some cases a very small number of old or misconfigured servers may return an error (less than 1% of servers will respond incorrectly). To turn on this feature, simply add the following line to the 'server' section of /etc/unbound/unbound.conf and restart the server: 

use-caps-for-id: yes

See also

Retrieved from "https://wiki.alpinelinux.org/w/index.php?title=Setting_up_unbound_DNS_server&oldid=31373"