Unbound

From Deathbybandaid Wiki

Opening Disclaimers

Proxmox

This Guide is written based on the use of Proxmox-VE version 7.0 and more specifically Proxmox_LXC. These instructions should be adaptable to other situations.

Container Creation

General

  • Unprivileged container: checked
  • Nesting: unchecked

Template

  • Template: ubuntu-21.04-standard_21.04-1_amd64

Disks

  • Disk Size (GiB): 4

CPU

  • Cores: 1

Memory

  • Memory (MiB): 256
  • Swap (MiB): 512

Network

  • IPv4 Static
  • IPv4 Gateway

DNS

  • DNS Servers: 8.8.8.8 (Proxmox writes this into the container's /etc/resolv.conf; it is only there so apt works before Unbound exists. Change it to 127.0.0.1 once Unbound is running, so the container resolves through its own validating resolver.)

Confirm

  • Start After Created: unchecked

Container Tweaks

Options

  • Start at boot: yes

Container First Run Steps

Run Updates

apt update && apt full-upgrade -y

Add a sudo user

adduser sysop
usermod -aG sudo sysop

Cleanup The Container for some easy space savings.

apt autoremove -y && apt clean -y

Unbound Installation

My Insights

  • It's good practice to run two instances of Unbound, so you can update one at a time and still have DNS for your home network. You can either follow this guide twice or clone the container.

Prerequisite Guide(s)

Dependency Installs

Unbound Installation

apt install unbound

Free port 53 from systemd-resolved: on Ubuntu its stub listener binds 127.0.0.53:53, which stops Unbound from binding the wildcard address used in the config below.

nano /etc/systemd/resolved.conf

Change

#DNSStubListener=yes

To

DNSStubListener=no

Change

#DNS=

To

DNS=127.0.0.1

Restart systemd-resolved (or reboot the container) afterwards; editing the file alone leaves the stub listener running. Confirm that nothing is listening on port 53 before restarting Unbound with the new configuration. Note that DNS=127.0.0.1 makes the container's own name resolution depend on Unbound being up.
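The two edits above, applied idempotently from a shell and followed by the restart and a port check, as an added example that is not part of the original wiki page. It assumes the Ubuntu layout of /etc/systemd/resolved.conf (a [Resolve] section with commented defaults); the function names and the ability to pass a different file path, so the edit can be tried on a copy first, are this example's own.

```shell
#!/bin/bash
# Added example, not from the original wiki: apply the two resolved.conf
# changes idempotently, restart resolved, and confirm port 53 is free.
# Assumes the Ubuntu layout of /etc/systemd/resolved.conf ([Resolve] section
# with commented defaults). The file path is a parameter so the edit can be
# tried on a copy first.
set -eu

# set_resolved_key FILE KEY VALUE
# Turn "KEY=..." or "#KEY=..." in FILE into "KEY=VALUE"; append the line if the
# key is absent. Running it again with the same value changes nothing.
set_resolved_key() {
    local file="$1" key="$2" value="$3"
    if grep -qE "^#?${key}=" "$file"; then
        sed -i -E "s|^#?${key}=.*|${key}=${value}|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_resolved_key FILE KEY -> the active (uncommented) value, or nothing
get_resolved_key() {
    sed -n -E "s/^${2}=(.*)$/\1/p" "$1" | tail -n 1
}

# configure_resolved [FILE]
# The guide's two settings. Only the real file triggers a service restart;
# without the restart the stub listener on 127.0.0.53:53 keeps running.
configure_resolved() {
    local file="${1:-/etc/systemd/resolved.conf}"
    set_resolved_key "$file" DNSStubListener no
    set_resolved_key "$file" DNS 127.0.0.1
    if [ "$file" = /etc/systemd/resolved.conf ]; then
        systemctl restart systemd-resolved
    fi
}

# port53_listeners -> the process column of every socket bound to port 53
# (UDP and TCP). Before Unbound is restarted with the new config this should
# show only unbound (or nothing); a systemd-resolve entry means the stub
# listener is still active.
port53_listeners() {
    ss -Hlntup 'sport = :53' | awk '{print $NF}' | sort -u
}

if [ "${1:-}" = "apply" ]; then
    configure_resolved
    echo "Listening on port 53 now:"
    port53_listeners
fi
```

Run it as `bash resolved-port53.sh apply` on the container; without the `apply` argument it only defines the functions, so you can source it and call `configure_resolved /tmp/resolved.conf.copy` to see the edit before touching the live file.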

For Use With Pi-Hole

Root Hints from Package Manager

If the `dns-root-data` package is installed, skip the script below: it ships a root hints file at /usr/share/dns/root.hints that the package manager keeps current, and you can point root-hints at that path in the config instead. Unbound also has a compiled-in copy of the root hints and works without either; an external file only matters if you want a newer list than the one built into your Unbound version.

Root Hints Updating By Script

nano /home/root_hints_update.sh
 
 #!/bin/bash
 # Fetch a fresh copy of the root hints when InterNIC has published a newer one,
 # and restart Unbound only after a sane file has actually been installed.
 set -u
 
 ROOTSURL=https://www.internic.net/domain/named.root
 CURRENTROOTS=/var/lib/unbound/root.hints
 # mktemp instead of a fixed /tmp name: this runs as root, so a predictable
 # path in /tmp could be pre-created or symlinked by another user
 TEMPROOTS=$(mktemp /tmp/root.hints.XXXXXX)
 DOWNLOADFRESH=false
 INSTALLED=false
 
 trap 'rm -f "$TEMPROOTS"' EXIT
 
 if [[ -f $CURRENTROOTS ]]
 then
   echo "Checking existing file"
   # Last-Modified value only: strip the header name and the trailing CR, and
   # match the header name case-insensitively (HTTP/2 responses lower-case it).
   # Splitting on ":" as before would also cut the time at the first colon.
   SOURCEMODIFIEDLAST=$(curl --silent --head "$ROOTSURL" | tr -d '\r' \
     | awk 'tolower($1) == "last-modified:" { sub(/^[^:]*: */, ""); print; exit }')
   if [[ -z $SOURCEMODIFIEDLAST ]]
   then
     echo "Could not read Last-Modified from $ROOTSURL, keeping existing file"
     exit 1
   fi
   SOURCEMODIFIEDTIME=$(date --date="$SOURCEMODIFIEDLAST" +%s)
   # %Y is the modification time as epoch seconds. wget sets the downloaded
   # file's mtime to the server's Last-Modified, so an unchanged upstream file
   # compares equal and is not fetched again.
   LOCALFILEMODIFIEDTIME=$(stat -c %Y "$CURRENTROOTS")
   if [[ $LOCALFILEMODIFIEDTIME -lt $SOURCEMODIFIEDTIME ]]
   then
     DOWNLOADFRESH=true
     echo "File updated online"
   else
     echo "File not updated online"
   fi
 else
   DOWNLOADFRESH=true
   echo "File Missing"
 fi
 
 if [[ $DOWNLOADFRESH = true ]]
 then
   echo "Attempting to download file"
   # Install the download only if it is non-empty and looks like a root hints
   # file: a captive-portal page or a truncated transfer must not replace a
   # good file and then be handed to Unbound.
   if wget -q -O "$TEMPROOTS" "$ROOTSURL" \
      && [[ -s $TEMPROOTS ]] \
      && grep -q 'ROOT-SERVERS.NET' "$TEMPROOTS"
   then
     mv "$TEMPROOTS" "$CURRENTROOTS"
     chmod 644 "$CURRENTROOTS"
     INSTALLED=true
   else
     echo "File download failed"
   fi
 else
   echo "Not downloading file"
 fi
 
 # restart unbound only when a new file was actually installed
 if [[ $INSTALLED = true ]]
 then
   service unbound restart
 fi
 
Run it once by hand, then schedule it from root's crontab; the script writes to /var/lib/unbound and restarts the service, so it must run as root. The entry below runs it every Sunday at midnight.

bash /home/root_hints_update.sh
crontab -e
0 0 * * 0 /bin/bash /home/root_hints_update.sh

Conf file

nano /etc/unbound/unbound.conf.d/pi-hole.conf


 server:
     # If no logfile is specified, syslog is used
     # logfile: "/var/log/unbound/unbound.log"
     verbosity: 0
     
     # Listen on all interfaces. The IPv6 wildcard is only bound when do-ip6 is yes.
     interface: 0.0.0.0
     interface: ::0
 
     port: 53
     do-ip4: yes
     do-udp: yes
     do-tcp: yes
 
     # May be set to yes if you have IPv6 connectivity
     do-ip6: no
 
     # Use this only when you downloaded the list of primary root servers!
     root-hints: "/var/lib/unbound/root.hints" # If using above script
     #root-hints: "/usr/share/dns/root.hints" # from the dns-root-data package instead
 
     # Trust glue only if it is within the server's authority
     harden-glue: yes
 
     # Require DNSSEC data for trust-anchored zones; if such data is absent, the zone becomes BOGUS.
     # This relies on the root trust anchor, which the Debian/Ubuntu package already
     # loads through unbound.conf.d/root-auto-trust-anchor-file.conf.
     harden-dnssec-stripped: yes
 
     # Don't use capitalization randomization, as it is known to cause DNSSEC issues sometimes
     # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
     use-caps-for-id: no
 
     # Reduce the EDNS reassembly buffer size to avoid IP fragmentation.
     # 1232 is the DNS flag day 2020 value and the Unbound default since 1.12.0;
     # older guides used 1472.
     edns-buffer-size: 1232
 
     # TTL bounds for cache. cache-min-ttl overrides any upstream TTL shorter than
     # an hour, so records that are meant to change quickly are served stale for
     # up to an hour; set it to 0 to honour upstream TTLs.
     cache-min-ttl: 3600
     cache-max-ttl: 86400
 
     # Perform prefetching of close to expired message cache entries
     # This only applies to domains that have been frequently queried
     prefetch: yes
 
     # One thread should be sufficient, can be increased on beefy machines
     num-threads: 1
 
     # Ensure the kernel buffer is large enough to not lose messages in traffic spikes.
     # In an unprivileged container this cannot exceed the host's net.core.rmem_max;
     # Unbound then logs a warning and uses the capped value, which is harmless.
     so-rcvbuf: 1m
 
     # Rebinding protection: answers from the internet that point into these
     # private ranges are stripped
     private-address: 192.168.0.0/16
     private-address: 169.254.0.0/16
     private-address: 172.16.0.0/12
     private-address: 10.0.0.0/8
     private-address: fd00::/8
     private-address: fe80::/10
 
     # Allow queries only from local IP ranges (localhost is allowed by default)
     access-control: 192.168.0.0/16 allow
     access-control: 169.254.0.0/16 allow
     access-control: 172.16.0.0/12 allow
     access-control: 10.0.0.0/8 allow
     access-control: fd00::/8 allow
     access-control: fe80::/10 allow
 
     # Allow access from all IP ranges. Do not enable this on anything reachable
     # from the internet: an open recursive resolver gets abused for DNS amplification.
     #access-control: 0.0.0.0/0 allow

If Plex clients fail to connect, the cause is usually that Plex's plex.direct names legitimately resolve to private addresses, which the private-address list above strips. Exempt that zone from rebinding protection:

     # Plex Rebind fix
     private-domain: plex.direct
 
service unbound restart
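A post-restart check, added here and not part of the original page: it validates the configuration with unbound-checkconf, then queries one correctly signed and one deliberately broken DNSSEC test name and interprets dig's answer. The test names sigok.verteiltesysteme.net and sigfail.verteiltesysteme.net are the ones the Pi-hole documentation uses for this purpose; the helper functions and the sample dig output fragments embedded for offline demonstration are constructed for this example.

```shell
#!/bin/bash
# Added example, not from the original wiki: verify the new Unbound instance.
# Assumes dig (package dnsutils) is installed and Unbound listens on 127.0.0.1.
set -eu

RESOLVER="${RESOLVER:-127.0.0.1}"

# dig_status OUTPUT -> the RCODE from the ";; ->>HEADER<<-" line (NOERROR, SERVFAIL, ...)
dig_status() {
    printf '%s\n' "$1" | sed -n -E 's/^;; ->>HEADER<<-.*status: ([A-Z]+),.*/\1/p'
}

# dig_flags OUTPUT -> the flag list from the ";; flags:" line, e.g. "qr rd ra ad"
dig_flags() {
    printf '%s\n' "$1" | sed -n -E 's/^;; flags: ([a-z ]*);.*/\1/p'
}

# classify_answer OUTPUT -> validated | unsigned | bogus | refused | error
# "ad" (authenticated data) means Unbound validated the DNSSEC chain.
# SERVFAIL for a name whose signature is broken is the correct behaviour of a
# validating resolver, not a failure of the check.
classify_answer() {
    local out="$1" status flags
    status="$(dig_status "$out")"
    flags=" $(dig_flags "$out") "
    case "$status" in
        NOERROR)
            case "$flags" in
                *" ad "*) echo validated ;;
                *)        echo unsigned ;;
            esac ;;
        SERVFAIL) echo bogus ;;
        REFUSED)  echo refused ;;   # access-control denied this client
        *)        echo error ;;
    esac
}

# Live checks against the running resolver.
run_checks() {
    # Syntax check of unbound.conf and everything it includes
    unbound-checkconf
    local ok fail
    ok="$(dig @"$RESOLVER" sigok.verteiltesysteme.net A)"
    fail="$(dig @"$RESOLVER" sigfail.verteiltesysteme.net A)"
    echo "sigok   -> $(classify_answer "$ok")   (expected: validated)"
    echo "sigfail -> $(classify_answer "$fail")   (expected: bogus)"
}

# Constructed dig header fragments (not captured from a real server) so the
# classifier can be exercised without network access.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10001
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10002
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 10003
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

if [ "${1:-}" = "run" ]; then
    run_checks
fi
```

Run it as `bash unbound-check.sh run` on the container. If sigfail comes back as "unsigned" instead of "bogus", validation is not happening (typically the trust anchor is missing or harden-dnssec-stripped is off); if a query from another host in your LAN comes back "refused", that host is outside the access-control ranges in the config.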