kemonine/lollipopcloud (repository archived on 2022-08-05)
lollipopcloud/armbian/unbound.md
2018-06-08 02:33:45 +00:00
# Unbound
Caching, DNSSEC-validating recursive resolver that resolves from the root servers itself instead of forwarding to the ISP's or any other DNS servers.
## Inspiration / Further Reading
- [https://wiki.archlinux.org/index.php/Unbound](https://wiki.archlinux.org/index.php/Unbound)
## Install / Base Setup
``` bash
apt update
apt install unbound unbound-host
mkdir -p /etc/unbound/local_zone
curl -fsS -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache
# DNSSEC trust anchor. The DS record is the current root KSK (KSK-2017, key tag
# 20326); the KSK-2010 anchor (19036) that was current when this page was written
# was rolled in October 2018 and no longer bootstraps a fresh install.
# unbound manages this file itself (RFC 5011), so it lives under /var/lib/unbound
# (Debian's convention, owned by the unbound user) rather than in /etc/unbound,
# which stays root-owned; unbound-anchor -a <file> can fetch and verify it too.
install -d -o unbound -g unbound -m 0755 /var/lib/unbound
cat > /var/lib/unbound/root.key <<EOF
. IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
EOF
chown unbound:unbound /var/lib/unbound/root.key
cat > /etc/unbound/unbound.conf <<EOF
server:
    # Loopback only. To serve the Docker networks allowed below, also add an
    # interface: line for the host's address on each bridge (e.g. the docker0
    # gateway); access-control alone does not make unbound listen there.
    interface: 127.0.0.1
    port: 53
    hide-identity: yes
    hide-version: yes
    num-threads: 1
    root-hints: "/etc/unbound/root.hints"
    cache-min-ttl: 60
    # use-syslog: yes overrides logfile:, so a logfile: setting would be ignored
    use-syslog: yes
    verbosity: 1
    do-ip4: yes
    #do-ip6: no
    do-udp: yes
    do-tcp: yes
    minimal-responses: yes
    prefetch: yes
    rrset-roundrobin: yes
    use-caps-for-id: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    val-clean-additional: yes
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Validation needs a roughly correct clock: a board without an RTC boots with
    # a bogus date, every RRSIG looks expired and validated lookups SERVFAIL.
    # If that is your board, run without the validator module. Note that
    # domain-insecure: takes a domain name; "domain-insecure: *" is not a
    # wildcard and does not switch validation off.
    #module-config: "iterator"
    # Local domain (domain.tld is a placeholder): typetransparent answers from
    # the local-data in the local_zone fragments when a matching record exists
    # and resolves everything else under the domain normally; private-domain
    # lets that domain resolve to RFC 1918 addresses, which private-address
    # blocks for every other name (DNS rebinding protection).
    local-zone: domain.tld typetransparent
    private-domain: "domain.tld"
    private-address: 192.168.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: 169.254.0.0/16
    # Clients allowed to query; 127.0.0.0/8 and ::1 are allowed by default
    access-control: 172.30.0.0/16 allow
    access-control: 172.16.16.0/24 allow
    access-control: 172.17.17.0/24 allow
    access-control: 172.18.18.0/24 allow
    include: /etc/unbound/local_zone/*.conf
EOF
# /etc/unbound stays root-owned: the daemon only needs to write the trust
# anchor, which is in /var/lib/unbound. Parse the config before starting.
unbound-checkconf
systemctl enable unbound
systemctl start unbound
# Verify DNSSEC validation: sigok must answer "(secure)", sigfail must answer
# "(BOGUS (security failure))". With -C, unbound-host resolves by itself using
# this config file; it does not query the running daemon. To check the daemon,
# query 127.0.0.1 with dig: sigok should carry the "ad" flag, sigfail SERVFAIL.
unbound-host -C /etc/unbound/unbound.conf -v sigok.verteiltesysteme.net
unbound-host -C /etc/unbound/unbound.conf -v sigfail.verteiltesysteme.net
cat > /etc/systemd/system/roothints.service <<EOF
[Unit]
Description=Update root hints for unbound
Wants=network-online.target
After=network-online.target
[Service]
Type=oneshot
# Download to a temporary file and only replace root.hints when curl succeeded
# (-f fails on HTTP errors); writing straight to root.hints would leave an empty
# or error-page file behind after a failed fetch. Unbound reads the hints only at
# startup, so reload it once the file has changed.
ExecStart=/bin/sh -c 'curl -fsS -o /etc/unbound/root.hints.tmp https://www.internic.net/domain/named.cache && mv /etc/unbound/root.hints.tmp /etc/unbound/root.hints'
ExecStartPost=/bin/systemctl try-reload-or-restart unbound.service
EOF
cat > /etc/systemd/system/roothints.timer <<EOF
[Unit]
Description=Run root.hints monthly
[Timer]
OnCalendar=monthly
Persistent=true
[Install]
WantedBy=timers.target
EOF
systemctl daemon-reload
systemctl enable roothints.timer
systemctl start roothints.timer
```
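A root hints update that replaces the file with whatever the HTTP fetch returned (an error page, a captive-portal login, a truncated body) leaves unbound unable to find the root servers at its next start. The following is an added example, not code from the lollipopcloud repo: it checks that a downloaded file actually looks like `named.cache` (13 `NS` records for `.` pointing at `ROOT-SERVERS.NET`, plus their `A` records, and no HTML) before swapping it in with an atomic rename. The function names are this example's own, and the hints text in the test is constructed; `fetch_root_hints` is the only part that needs the network.

```shell
#!/bin/sh
# Added example: validate a freshly downloaded root hints file and install it
# atomically. Not part of lollipopcloud. Assumes POSIX sh, grep, mktemp, curl.

# root_hints_ok FILE: 0 if FILE looks like a genuine named.cache, 1 otherwise
root_hints_ok() {
    f=$1
    [ -s "$f" ] || return 1                        # empty: fetch failed part-way
    if grep -qi '<html' "$f"; then return 1; fi     # captive portal / error page
    # a real hints file lists 13 root server NS records for "." ...
    ns=$(grep -c '^\.[[:space:]].*[[:space:]]NS[[:space:]].*ROOT-SERVERS\.NET\.' "$f" || true)
    [ "$ns" -ge 13 ] || return 1
    # ... and the A records (glue) that make those names usable
    grep -q '^[A-M]\.ROOT-SERVERS\.NET\.[[:space:]].*[[:space:]]A[[:space:]]' "$f" || return 1
    return 0
}

# install_root_hints CANDIDATE DEST: replace DEST only if CANDIDATE validates.
# The copy goes to a temp file in DEST's directory so the final rename is atomic
# and unbound never sees a half-written file.
install_root_hints() {
    cand=$1; dest=$2
    root_hints_ok "$cand" || return 1
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    cp "$cand" "$tmp" && chmod 0644 "$tmp" && mv "$tmp" "$dest"
}

# fetch_root_hints DEST: download, validate, install (needs network access)
fetch_root_hints() {
    dest=$1
    tmp=$(mktemp) || return 1
    if curl -fsS -o "$tmp" https://www.internic.net/domain/named.cache \
       && install_root_hints "$tmp" "$dest"; then
        rm -f "$tmp"; return 0
    fi
    rm -f "$tmp"; return 1
}
```

`fetch_root_hints /etc/unbound/root.hints` is what the monthly service would call; a failed validation leaves the previous hints file untouched, which is the safe outcome for a resolver that has no other way to find the root.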
## Setup Unbound to start *after* Docker
*See [here (link)](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/sect-Managing_Services_with_systemd-Unit_Files#brid-Managing_Services_with_systemd-Extending_Unit_Config) for more details.*
This is here to make unbound start *after* the Docker network is up. The unbound.conf above binds only 127.0.0.1; once you add `interface:` lines for the host's addresses on the Docker bridges (so containers can use the resolver, which is what the Docker-network `access-control` entries are for), unbound fails to start or restart whenever those addresses do not exist yet, because binding a non-existent address fails. Ordering the unit after Docker avoids that race; Unbound's `ip-freebind: yes` option (IP_FREEBIND) is the other way to bind an address that is not up yet.
``` bash
mkdir -p /etc/systemd/system/unbound.service.d/
cat > /etc/systemd/system/unbound.service.d/00-after-docker.conf <<EOF
[Unit]
# Requires= also stops unbound whenever docker.service stops; use Wants= instead
# if the resolver should keep serving loopback while Docker is down.
Requires=docker.socket docker.service
After=docker.socket docker.service
# Restart= and RestartSec= are [Service] options; under [Unit] systemd ignores them
[Service]
Restart=always
RestartSec=5
EOF
systemctl daemon-reload
```
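The `access-control` entries for the Docker networks in unbound.conf above only take effect once unbound also listens on the host side of those networks, which is exactly the bind that makes the ordering drop-in necessary. The following is an added example (not code from lollipopcloud) that derives matching `interface:` and `access-control:` lines from Docker's IPAM data and drops them into the `local_zone` include directory that unbound.conf already picks up. The `docker network inspect` Go template is standard docker CLI usage; the fragment file name `docker.conf`, the function names and the sample network list are this example's own assumptions.

```shell
#!/bin/sh
# Added example: generate an unbound fragment that listens on the host side of
# every Docker network and allows queries from it. Not part of lollipopcloud.
# Assumes: docker CLI, unbound-checkconf, systemd, and that unbound.conf has
#   include: /etc/unbound/local_zone/*.conf

# docker_networks: print "GATEWAY SUBNET" for each IPAM range of each network
# (the host and none networks have no IPAM config and print nothing)
docker_networks() {
    docker network inspect \
        -f '{{range .IPAM.Config}}{{.Gateway}} {{.Subnet}}{{printf "\n"}}{{end}}' \
        $(docker network ls -q)
}

# docker_dns_fragment: read "GATEWAY SUBNET" lines on stdin, write a server:
# fragment to stdout. A network created without an explicit gateway prints a
# line holding only the subnet; read then leaves $subnet empty, and since there
# is no host address to bind on that network, the line is skipped.
docker_dns_fragment() {
    printf 'server:\n'
    while read -r gw subnet; do
        [ -n "$gw" ] && [ -n "$subnet" ] || continue
        printf '    interface: %s\n' "$gw"
        printf '    access-control: %s allow\n' "$subnet"
    done
}

# install_docker_fragment [FILE]: write the fragment, make sure the combined
# config still parses (the include: glob picks the file up), then reload.
install_docker_fragment() {
    out=${1:-/etc/unbound/local_zone/docker.conf}
    docker_networks | docker_dns_fragment > "$out" || return 1
    if ! unbound-checkconf >/dev/null; then
        rm -f "$out"        # never leave a fragment that breaks the whole config
        return 1
    fi
    systemctl try-reload-or-restart unbound.service
}

# Constructed sample of docker_networks output on a host with the default
# bridge, a user-defined network without a gateway, and one with a gateway.
sample_networks() {
    printf '172.17.0.1 172.17.0.0/16\n 172.19.0.0/16\n172.30.0.1 172.30.0.0/16\n'
}
```

Run `install_docker_fragment` after Docker is up (and again whenever networks are created), and keep the `After=docker.service` drop-in in place: the `interface:` lines it writes are precisely the binds that fail when unbound starts before the bridges exist.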
## Set up all WAN connections to use this DNS cache
`nmcli con modify` only changes the stored profile; bring the connection up again (`nmcli con up <name>`) for the new DNS settings to be written to `/etc/resolv.conf`. `ignore-auto-dns` drops the resolvers handed out by DHCP/PPP so nothing bypasses the local cache; no IPv6 resolver is configured in their place because unbound above listens on 127.0.0.1 only.
### WiFi
``` bash
nmcli con modify wan-wifi \
ipv4.ignore-auto-dns yes \
ipv6.ignore-auto-dns yes
nmcli con modify wan-wifi \
ipv4.dns "127.0.0.1"
```
### Ethernet
``` bash
nmcli con modify wan-eth \
ipv4.ignore-auto-dns yes \
ipv6.ignore-auto-dns yes
nmcli con modify wan-eth \
ipv4.dns "127.0.0.1"
```
### USB 3G/LTE
``` bash
nmcli con modify wan-wwan-1 \
ipv4.ignore-auto-dns yes \
ipv6.ignore-auto-dns yes
nmcli con modify wan-wwan-1 \
ipv4.dns "127.0.0.1"
```
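The three blocks above are the same change for three profiles, and the usual failure is not the `nmcli` command but a profile that was never reactivated, so the DHCP resolvers stay in `/etc/resolv.conf` and queries bypass unbound. The following is an added example (not code from lollipopcloud) that applies the settings to a list of profiles, reactivates the ones currently up, and then checks `resolv.conf` for any resolver other than loopback. It assumes NetworkManager writes `/etc/resolv.conf` (the Armbian default) and that the resolver listens on 127.0.0.1 as configured above; the function names and the resolv.conf samples in the test are this example's own.

```shell
#!/bin/sh
# Added example: apply the page's nmcli DNS settings to WAN profiles and verify
# that no DHCP/PPP resolver survives. Not part of lollipopcloud.
# Assumes NetworkManager-managed /etc/resolv.conf and unbound on 127.0.0.1.

# dns_leaks FILE: print every nameserver in a resolv.conf that is not loopback,
# i.e. an upstream resolver that ignore-auto-dns should have removed.
# Returns 0 when the file only names the local resolver, 1 when something leaks.
dns_leaks() {
    leaks=$(awk '$1 == "nameserver" && $2 != "127.0.0.1" && $2 != "::1" { print $2 }' "$1")
    [ -z "$leaks" ] && return 0
    printf '%s\n' "$leaks"
    return 1
}

# set_local_dns PROFILE...: modify each profile as the page does, reactivate it
# if it is currently active (modify alone only edits the stored profile and a
# profile whose device is unplugged cannot be brought up), then check for leaks.
set_local_dns() {
    for con in "$@"; do
        nmcli con modify "$con" \
            ipv4.ignore-auto-dns yes \
            ipv6.ignore-auto-dns yes \
            ipv4.dns 127.0.0.1
        if nmcli -t -f NAME con show --active | grep -qx "$con"; then
            nmcli con up "$con" >/dev/null
        fi
    done
    dns_leaks /etc/resolv.conf
}
```

`set_local_dns wan-wifi wan-eth wan-wwan-1` reproduces the three blocks above in one call and exits non-zero, listing the offending addresses, if any upstream resolver is still present afterwards.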