Setting up unbound DNS server: Difference between revisions

From Alpine Linux
Previous revision: m (split zone into its own file)
Latest revision: (See also: Using Unbound as an Ad-blocker)
(55 intermediate revisions by 11 users not shown)
Previous revision:

Unbound is a validating, recursive, and caching DNS resolver that supports DNSSEC.

= Install =

At the time of writing, unbound is only available in the Edge/Testing repository. To install the package on a system that doesn't already have the edge/testing repository configured:
{{Cmd|apk add -X http://nl.alpinelinux.org/alpine/edge/testing -U unbound}}

If your system already has the edge/testing repository, the following command will work:
{{Cmd|apk add unbound}}

= Configure =

The following configuration is an example of a server that is authoritative for a zone (alpinelinux.org in the example below, with a subset of the records for alpinelinux.org), but is not (yet) set up with that zone signed for DNSSEC support.
* /etc/unbound/unbound.conf
<pre>
server:
        verbosity: 1
        interface: 64.56.207.219
        do-ip4: yes
        do-ip6: no
        do-udp: yes
        do-tcp: yes
        do-daemonize: yes
        access-control: 0.0.0.0/0 allow
        include: /etc/unbound/alpinelinux.org.conf
python:
remote-control:
        control-enable: no
</pre>
* /etc/unbound/alpinelinux.org.conf
<pre>
        # Getting things started
        local-zone: "alpinelinux.org." static
        local-data: "alpinelinux.org. 10800 IN NS ns1.alpinelinux.org."
        # SOA fields: primary name server, responsible mailbox, serial, refresh, retry, expire, minimum
        local-data: "alpinelinux.org. 10800 IN SOA alpinelinux.org. webmaster.alpinelinux.org. 1 3600 1200 604800 10800"
        local-data: "ns1.alpinelinux.org. 1080 IN A 64.56.207.219"
        local-data: "alpinelinux.org. 1080 IN MX 10 mail.alpinelinux.org."
        local-data: "lists.alpinelinux.org. 1080 IN MX 10 mail.alpinelinux.org."

        # Services
        local-data: "alpinelinux.org. 10800 IN A 81.175.82.11"
        local-data: "mail.alpinelinux.org. 1080 IN A 64.56.207.219"
        local-data: "www.alpinelinux.org. 1080 IN A 81.175.82.11"
        local-data: "www-prd.alpinelinux.org. 1080 IN A 74.117.189.132"
        local-data: "wiki.alpinelinux.org. 1080 IN A 74.117.189.132"
        local-data: "lists.alpinelinux.org. 1080 IN A 64.56.207.219"
        local-data: "monitor.alpinelinux.org. 1080 IN A 213.234.126.133"
        local-data: "bugs.alpinelinux.org. 1080 IN A 81.175.82.11"

        # Package mirrors
        local-data: "nl.alpinelinux.org. 1080 IN A 81.175.82.11"
        local-data: "dl-2.alpinelinux.org. 1080 IN A 208.74.141.33"
        local-data: "dl-3.alpinelinux.org. 1080 IN A 74.117.189.132"
        local-data: "dl-4.alpinelinux.org. 1080 IN A 64.56.207.216"

        # Build Infra
        local-data: "rsync.alpinelinux.org. 1080 IN A 81.175.82.11"
        local-data: "distfiles.alpinelinux.org. 1080 IN A 91.220.88.29"
        local-data: "build-edge.alpinelinux.org. 1080 IN A 91.220.88.23"
        local-data: "build64-edge.alpinelinux.org. 1080 IN A 204.152.221.26"
        local-data: "build-2-2.alpinelinux.org. 1080 IN A 91.220.88.34"
        local-data: "build64-2-2.alpinelinux.org. 1080 IN A 91.220.88.35"
        local-data: "build-2-1.alpinelinux.org. 1080 IN A 91.220.88.32"
        local-data: "build-2-0.alpinelinux.org. 1080 IN A 91.220.88.31"
        local-data: "build-1-10.alpinelinux.org. 1080 IN A 91.220.88.26"
</pre>

= Set auto-start, start and test the daemon =

Set to auto-start then start unbound:
{{Cmd|rc-update add unbound
/etc/init.d/unbound start}}
Test:
{{Cmd|dig nl.alpinelinux.org @64.56.207.219}}

Latest revision as of 09:07, 7 July 2024

Unbound (https://nlnetlabs.nl/projects/unbound/about/) is a validating, recursive, and caching DNS resolver that supports DNSSEC.

Install

Install the unbound package:

apk add unbound

Setup

unbound can be set up to run as a service and started with:

rc-update add unbound default
service unbound start

Configure

The following configuration is an example of a caching name server. On a production server, adjust the access-control parameter to limit access to your own network: as written, 'access-control: 0.0.0.0/0 allow' answers recursive queries from any address that can reach the listening interface. The forward-zone section forwards all DNS queries to the specified servers. Don't forget to change the 'interface' parameter to your local interface IP address (or 0.0.0.0 to listen on all local IPv4 interfaces). This is a minimal example with many options commented out.

/etc/unbound/unbound.conf

server:
        verbosity: 1
## Specify the interface address to listen on:
        interface: 10.0.0.1
## To listen on all interfaces use:
#       interface: 0.0.0.0
        do-ip4: yes
        do-ip6: yes
        do-udp: yes
        do-tcp: yes
        do-daemonize: yes
        access-control: 0.0.0.0/0 allow
## Other access control examples
#       access-control: 192.168.1.0/24 action
## 'action' should be replaced by any one of:
##   deny (drop message)
##   refuse (sends a DNS rcode REFUSED error message back)
##   allow (recursive ok)
##   allow_snoop (recursive and nonrecursive ok).
## Minimum lifetime of cache entries in seconds. Default is 0.
#       cache-min-ttl: 60
## Maximum lifetime of cached entries. Default is 86400 seconds (1 day).
#       cache-max-ttl: 172800
## enable to prevent answering id.server and hostname.bind queries.
        hide-identity: yes
## enable to prevent answering version.server and version.bind queries.
        hide-version: yes
## default is to use syslog, which will log to /var/log/messages.
        use-syslog: yes
## to log elsewhere, set 'use-syslog' to 'no' and set the log file location below:
#       logfile: /var/log/unbound
python:
remote-control:
        control-enable: no
## Stub zones are like forward-zones (see below) but must contain only the authority server (no recursive servers)
#stub-zone:
#        name: "my.test.com"
#        stub-addr: 172.16.1.1
#        stub-addr: 172.16.1.2
## Note: for forward-zones, the destination servers must be able to handle recursion to other DNS servers
## Forward all *.example.com queries to the server at 192.168.1.1
#forward-zone:
#        name: "example.com"
#        forward-addr: 192.168.1.1
## Forward all other queries to the Verizon DNS servers
forward-zone:
        name: "."
## Level3 Verizon
        forward-addr: 4.2.2.1
        forward-addr: 4.2.2.4
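Before starting the service it is worth checking the file for the open-resolver combination the paragraph above warns about (recursion allowed from 0.0.0.0/0 while listening on a routable address) and for the hide-identity, hide-version and use-caps-for-id options. The script below is an added example, not part of this wiki page or of Unbound itself; it uses only sed, grep and awk, and the two configurations it audits are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Alpine wiki page): audit an unbound.conf for
# open-resolver exposure and for the hardening options the page recommends.
# The two sample configurations written below are constructed for this demo.

# Print "key: value" settings with comments, blank lines and indentation removed.
unbound_conf_settings() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | grep ':'
}

# Succeeds (status 0) when the file allows recursion from anywhere
# (access-control 0.0.0.0/0 or ::/0 allow) while listening on an address
# other than loopback, i.e. when it describes an open resolver.
unbound_is_open_resolver() {
    settings=$(unbound_conf_settings "$1")
    printf '%s\n' "$settings" |
        grep -Eq '^access-control:[[:space:]]*(0\.0\.0\.0/0|::/0)[[:space:]]+allow' || return 1
    printf '%s\n' "$settings" | grep -E '^interface:' |
        grep -vE '^interface:[[:space:]]*(127\.|::1$)' | grep -q . || return 1
    return 0
}

# Print, one per line, the hardening options from the page that are not
# enabled: hide-identity, hide-version and use-caps-for-id (server: section).
unbound_missing_hardening() {
    settings=$(unbound_conf_settings "$1")
    for key in hide-identity hide-version use-caps-for-id; do
        printf '%s\n' "$settings" | grep -Eq "^$key:[[:space:]]*yes" || printf '%s\n' "$key"
    done
}

# Constructed sample: the page's caching resolver, listening on 10.0.0.1
# with access-control 0.0.0.0/0 allow.
OPEN_CONF=$(mktemp)
cat > "$OPEN_CONF" <<'EOF'
server:
        verbosity: 1
        interface: 10.0.0.1
        do-ip4: yes
        access-control: 0.0.0.0/0 allow
#       access-control: 192.168.1.0/24 action
        hide-identity: yes
        hide-version: yes
forward-zone:
        name: "."
        forward-addr: 4.2.2.1
EOF

# Constructed sample: the same resolver restricted to the 10.0.0.0/24 network,
# everything else refused, and 0x20 case randomisation switched on.
HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
server:
        interface: 10.0.0.1
        access-control: 10.0.0.0/24 allow
        access-control: 0.0.0.0/0 refuse
        hide-identity: yes
        hide-version: yes
        use-caps-for-id: yes
EOF

# Report on both files when run directly.
for f in "$OPEN_CONF" "$HARDENED_CONF"; do
    if unbound_is_open_resolver "$f"; then
        echo "$f: OPEN RESOLVER (0.0.0.0/0 allow on a non-loopback interface)"
    else
        echo "$f: access-control is restricted"
    fi
    unbound_missing_hardening "$f" | sed "s|^|$f: not enabled: |"
done
```

Point the functions at /etc/unbound/unbound.conf instead of the sample files to audit a real installation; unbound-checkconf still has to be run afterwards, since this script checks policy, not syntax.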

root-hints

Instead of forwarding queries to a public DNS server, you may prefer to query the root DNS servers. To do this, comment out the forwarding entries ("forward-zone" sections) in the config. Then, grab the latest root hints file using wget:

wget -S https://www.internic.net/domain/named.cache -O /etc/unbound/root.hints

And finally point unbound to the root hints file by adding the following line to the server section of the unbound config file:

root-hints: "/etc/unbound/root.hints"

Restart unbound to ensure the changes take effect. You may wish to setup a cron job to update the root hints file occasionally.
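A cron job that blindly overwrites /etc/unbound/root.hints will, on a bad day, hand the resolver an empty file or an HTML error page. The script below is an added example, not part of this wiki page or of Unbound: it downloads to a temporary file, validates the result, and only then installs it and restarts the service. The URL and paths are the ones the page uses; the sample hints files are a constructed subset in named.cache format.

```shell
#!/bin/sh
# Added example (not from the Alpine wiki page): a cron-friendly root hints
# refresh that validates the download before replacing the file in use.
# URL and path are the ones the page uses; sample files below are constructed.

ROOT_HINTS_URL="https://www.internic.net/domain/named.cache"
ROOT_HINTS_FILE="${ROOT_HINTS_FILE:-/etc/unbound/root.hints}"

# Succeeds when the file looks like a usable root hints file: non-empty, not
# an HTML page, at least one NS record for the root, and an A or AAAA record
# for every root server name listed.
root_hints_valid() {
    f="$1"
    [ -s "$f" ] || return 1
    grep -qiE '<html|<!doctype' "$f" && return 1
    names=$(awk '$1 == "." && $3 == "NS" { print $4 }' "$f")
    [ -n "$names" ] || return 1
    for n in $names; do
        awk -v n="$n" '$1 == n && ($3 == "A" || $3 == "AAAA") { found = 1 }
                       END { exit !found }' "$f" || return 1
    done
    return 0
}

# Fetch to a temporary file; install and restart unbound only if the new file
# validates and unbound-checkconf accepts the configuration.
refresh_root_hints() {
    tmp=$(mktemp) || return 1
    if wget -q "$ROOT_HINTS_URL" -O "$tmp" && root_hints_valid "$tmp"; then
        mv "$tmp" "$ROOT_HINTS_FILE" && unbound-checkconf >/dev/null && rc-service unbound restart
    else
        rm -f "$tmp"
        echo "root hints refresh failed; keeping $ROOT_HINTS_FILE" >&2
        return 1
    fi
}

# Constructed sample: a two-server subset in named.cache format.
GOOD_HINTS=$(mktemp)
cat > "$GOOD_HINTS" <<'EOF'
;       constructed subset of named.cache for the demonstration
.                        3600000      NS    A.ROOT-SERVERS.NET.
.                        3600000      NS    B.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
B.ROOT-SERVERS.NET.      3600000      A     170.247.170.2
EOF

# Constructed sample: truncated download, C's address record is missing.
TRUNCATED_HINTS=$(mktemp)
cat > "$TRUNCATED_HINTS" <<'EOF'
.                        3600000      NS    A.ROOT-SERVERS.NET.
.                        3600000      NS    C.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
EOF

# Constructed sample: an error page served instead of the hints file.
HTML_HINTS=$(mktemp)
printf '<!DOCTYPE html><html><body>503 Service Unavailable</body></html>\n' > "$HTML_HINTS"

for f in "$GOOD_HINTS" "$TRUNCATED_HINTS" "$HTML_HINTS"; do
    if root_hints_valid "$f"; then echo "$f: valid"; else echo "$f: rejected"; fi
done
```

For the cron job the page suggests, call refresh_root_hints from the script; because the temporary file is only moved into place after validation, a failed run leaves the previous root.hints untouched.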

0x20 bit

Use of the 0x20 bit is considered experimental. It makes use of the otherwise unused case bit (0x20) of each letter in the query name, asking an authoritative server to respond with an answer mimicking the case used in the query.

For example, when using this feature a query for www.google.com could appear in the request as www.google.com or Www.GoogLe.coM or WWW.GoOGlE.cOm or any other combination of upper and lower case. The authoritative server should respond with the same case, so a forged reply that does not reproduce the exact case of the outstanding query can be discarded. This helps prevent DNS spoofing attacks.

In some cases a very small number of old or misconfigured servers may return an error (less than 1% of servers will respond incorrectly). To turn on this feature, simply add the following line to the 'server' section of /etc/unbound/unbound.conf and restart the server:

use-caps-for-id: yes
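To make the mechanism behind use-caps-for-id concrete, the script below is an added example (not from this wiki page or from Unbound) that reproduces the two halves of the trick with plain shell tools: randomising the case of an outgoing query name, and accepting a reply only when the question name comes back with exactly that case. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Alpine wiki page): what use-caps-for-id does,
# shown with awk and tr. A 0x20-enabled resolver randomises the letter case
# of each outgoing query name and rejects replies that do not echo it back.

# Randomise the case of every letter in a DNS name; digits, dots and hyphens
# are unchanged. The seed argument makes the result reproducible.
dns0x20_randomize() {
    printf '%s\n' "$1" | awk -v seed="$2" '
        BEGIN { srand(seed) }
        {
            out = ""
            for (i = 1; i <= length($0); i++) {
                c = substr($0, i, 1)
                if (c ~ /[A-Za-z]/) c = (rand() < 0.5) ? tolower(c) : toupper(c)
                out = out c
            }
            print out
        }'
}

# Number of letters in the name, i.e. how many bits of entropy the case
# randomisation adds on top of the 16-bit query ID and the source port.
dns0x20_entropy_bits() {
    printf '%s' "$1" | tr -cd 'A-Za-z' | wc -c | tr -d ' '
}

# Classify a reply's question name against the name that was sent:
#   match          exact case echoed back, the reply is accepted
#   case-mismatch  same name, different case: not an answer to this query
#   different      a different name altogether
dns0x20_check() {
    sent="$1" received="$2"
    if [ "$sent" = "$received" ]; then
        echo match
    elif [ "$(printf '%s' "$sent" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$received" | tr 'A-Z' 'a-z')" ]; then
        echo case-mismatch
    else
        echo different
    fi
}

# Demonstration with the name the page uses.
QUERY=$(dns0x20_randomize www.google.com 42)
echo "sent:   $QUERY ($(dns0x20_entropy_bits "$QUERY") bits of case entropy)"
echo "echoed: $(dns0x20_check Www.GoogLe.coM Www.GoogLe.coM)"
echo "forged: $(dns0x20_check Www.GoogLe.coM www.google.com)"
echo "other:  $(dns0x20_check Www.GoogLe.coM www.google.net)"
```

The entropy count is why the feature matters: for www.google.com, twelve letters mean a reply that was not generated from the query has a 1 in 4096 chance of matching the case pattern, in addition to having to match the query ID and port.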

Set auto-start, start and test the daemon

Check the configuration for errors:

unbound-checkconf

if no errors are reported, set to auto-start then start unbound:

rc-update add unbound
rc-service unbound start

Test. For example:

dig dl-cdn.alpinelinux.org @10.0.0.1

or:

nslookup www.google.cz 10.0.0.1

or use drill:

drill www.bbc.co.uk @10.0.0.1

Additional information

unbound.conf man page: https://linux.die.net/man/5/unbound.conf or https://unbound.docs.nlnetlabs.nl/en/latest/

unbound optimization guide: https://web.archive.org/web/20180508133447/https://unbound.net/documentation/howto_optimise.html

excellent unbound tutorial at calomel.org: https://calomel.org/unbound_dns.html

General information via the Wikipedia pages on DNS (https://en.wikipedia.org/wiki/Domain_Name_System), record types (https://en.wikipedia.org/wiki/List_of_DNS_record_types), zones (https://en.wikipedia.org/wiki/Dns_zone), name servers (https://en.wikipedia.org/wiki/Name_server) and DNSSEC (https://en.wikipedia.org/wiki/Dnssec)

See also

Using Unbound as an Ad-blocker