Unbound: Difference between revisions

From Deathbybandaid Wiki
Revision as of 17:40, 9 December 2021

Opening Disclaimers

Proxmox

This Guide is written based on the use of Proxmox-VE version 7.0 and more specifically Proxmox_LXC. These instructions should be adaptable to other situations.

Container Creation

General

  • Unprivileged container: checked
  • Nesting: unchecked

Template

  • Template: ubuntu-21.04-standard_21.04-1_amd64

Disks

  • Disk Size (GiB): 4

CPU

  • Cores: 1

Memory

  • Memory (MiB): 256
  • Swap (MiB): 512

Network

  • IPv4 Static
  • IPv4 Gateway

DNS

  • DNS Servers: 8.8.8.8 (Change to 127.0.0.1 post-install)

Confirm

  • Start After Created: unchecked

Container Tweaks

Options

  • Start at boot: yes

Container First Run Steps

Run Updates

apt update && apt full-upgrade -y

Add a sudo user

adduser sysop
usermod -aG sudo sysop

Clean up the container for some easy space savings.

apt autoremove -y && apt clean -y

Unbound Installation

My Insights

  • It's good practice to run two instances of Unbound, so you can update one at a time and still have DNS for your home network. You can either follow this guide twice or clone the container.

Prerequisite Guide(s)

Dependency Installs

Unbound Installation

apt install unbound

Let's free up port 53 from systemd-resolved

nano /etc/systemd/resolved.conf

Change

#DNSStubListener=yes

To

DNSStubListener=no

Change

#DNS=

To

DNS=127.0.0.1

For Use With Pi-Hole

Root Hints from Package Manager

If you have `dns-root-data` installed, skip the script below.

Root Hints Updating By Script

nano /home/root_hints_update.sh
 
 #!/bin/bash
 # Download InterNIC's root hints only when the published copy is newer than the
 # local one, and restart Unbound only when a new file was actually installed.
 
 ROOTSURL=https://www.internic.net/domain/named.root
 CURRENTROOTS=/var/lib/unbound/root.hints
 TEMPROOTS=/tmp/root.hints
 DOWNLOADFRESH=false
 
 if [[ -f "$CURRENTROOTS" ]]
 then
   echo "Checking existing file"
   # Match the header name case-insensitively, keep the whole value (it contains
   # colons, so splitting on ':' would cut off the minutes) and drop the CR.
   SOURCEMODIFIEDLAST=$(curl --silent --head "$ROOTSURL" | tr -d '\r' | awk -F': ' 'tolower($1) == "last-modified" { print $2 }')
   if [[ -z "$SOURCEMODIFIEDLAST" ]]
   then
     DOWNLOADFRESH=true
     echo "No Last-Modified header, downloading anyway"
   else
     SOURCEMODIFIEDTIME=$(date --date="$SOURCEMODIFIEDLAST" +%s)
     # %y is the content modification time (%z would be the inode change time)
     LOCALFILEMODIFIEDLAST=$(stat -c %y "$CURRENTROOTS")
     LOCALFILEMODIFIEDTIME=$(date --date="$LOCALFILEMODIFIEDLAST" +%s)
     if [[ $LOCALFILEMODIFIEDTIME -lt $SOURCEMODIFIEDTIME ]]
     then
       DOWNLOADFRESH=true
       echo "File updated online"
     else
       echo "File not updated online"
     fi
   fi
 else
   DOWNLOADFRESH=true
   echo "File Missing"
 fi
 
 if [[ $DOWNLOADFRESH = true ]]
 then
   echo "Attempting to download file"
   # Only install the file if the download succeeded and is non-empty (-s)
   if wget --quiet -O "$TEMPROOTS" "$ROOTSURL" && [[ -s "$TEMPROOTS" ]]
   then
     mv "$TEMPROOTS" "$CURRENTROOTS"
   else
     echo "File download failed"
     rm -f "$TEMPROOTS"
     DOWNLOADFRESH=false   # nothing changed, so skip the restart below
   fi
 else
   echo "Not downloading file"
 fi
 
 # restart unbound only if a new root hints file was installed
 if [[ $DOWNLOADFRESH = true ]]
 then
   service unbound restart
 fi
 
bash /home/root_hints_update.sh
crontab -e
0 0 * * 0 /bin/bash /home/root_hints_update.sh
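The update script above installs whatever it downloaded as long as the file is not empty, so an HTML error page or a captive-portal login page served in place of named.root would become Unbound's root hints. The following is an added example, not part of the wiki guide: a small validator for the zone-file layout InterNIC's named.root uses (NS records owned by "." plus A/AAAA glue) that can be run against the script's temporary file before it is moved into place. The sample input is a constructed two-server excerpt, and the file path in the usage line is the script's own TEMPROOTS path.

```python
"""Sanity-check a downloaded root hints file before installing it.

Added example, not part of the wiki guide. The parser accepts only blank
lines, ';' comments and four-field NS / A / AAAA records, which is all that
InterNIC's named.root contains, and rejects anything else.
"""
import ipaddress
import sys


def parse_root_hints(text):
    """Return (ns_names, glue) from root hints text.

    ns_names: set of lower-cased root NS hostnames.
    glue: dict of lower-cased hostname -> list of ipaddress objects.
    Raises ValueError on the first line that is not a comment, a blank line,
    or a four-field NS / A / AAAA record.
    """
    ns_names = set()
    glue = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()  # ';' opens a zone-file comment
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        owner, ttl, rtype, rdata = fields
        if not ttl.isdigit():
            raise ValueError(f"line {lineno}: TTL {ttl!r} is not numeric")
        owner = owner.lower()
        if rtype == "NS":
            if owner != ".":
                raise ValueError(f"line {lineno}: NS record not owned by the root")
            ns_names.add(rdata.lower())
        elif rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)  # ValueError if not an IP literal
            if (rtype == "A") != (addr.version == 4):
                raise ValueError(f"line {lineno}: {rtype} record carries {rdata}")
            glue.setdefault(owner, []).append(addr)
        else:
            raise ValueError(f"line {lineno}: unexpected record type {rtype}")
    return ns_names, glue


def validate_root_hints(text, min_servers=13):
    """Return a list of problems; an empty list means the file is usable."""
    try:
        ns_names, glue = parse_root_hints(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if len(ns_names) < min_servers:
        problems.append(f"only {len(ns_names)} root NS names, expected {min_servers}")
    for name in sorted(ns_names):
        if not any(a.version == 4 for a in glue.get(name, [])):
            problems.append(f"{name} has no IPv4 glue")
    for name in sorted(glue):
        if name not in ns_names:
            problems.append(f"glue for {name}, which is not listed as a root NS")
    return problems


# Constructed sample in the named.root layout (two servers, not the full set).
SAMPLE_HINTS = """\
;       root name server hints (constructed sample for this example)
.                        3600000      NS    A.ROOT-SERVERS.NET.
.                        3600000      NS    B.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
B.ROOT-SERVERS.NET.      3600000      A     199.9.14.201
"""

if __name__ == "__main__":
    # Usage: python3 check_root_hints.py /tmp/root.hints   (the script's TEMPROOTS)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="ascii", errors="replace") as fh:
            problems = validate_root_hints(fh.read())
    else:
        problems = validate_root_hints(SAMPLE_HINTS, min_servers=2)
    for problem in problems:
        print("root hints rejected:", problem)
    sys.exit(1 if problems else 0)
```

Wiring it into the script means running the check between the wget and the mv and only moving the file when the exit status is 0; the real named.root should pass with the default of 13 root servers.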

Conf file

nano /etc/unbound/unbound.conf.d/pi-hole.conf


 server:
     # If no logfile is specified, syslog is used
     # logfile: "/var/log/unbound/unbound.log"
     verbosity: 0
     
     # all interfaces
     interface: 0.0.0.0
     interface: ::0
 
     port: 53
     do-ip4: yes
     do-udp: yes
     do-tcp: yes
 
     # May be set to yes if you have IPv6 connectivity
     do-ip6: no
 
     # Use this only when you downloaded the list of primary root servers!
     root-hints: "/var/lib/unbound/root.hints" # If using above script
     # /usr/share/dns/root.hints if using the dns-root-data package instead

     # Trust glue only if it is within the server's authority
     harden-glue: yes
 
     # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
     harden-dnssec-stripped: yes
 
     # Don't use capitalization randomization, as it is known to cause DNSSEC issues sometimes
     # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
     use-caps-for-id: no
 
     # Reduce EDNS reassembly buffer size.
     # Suggested by the unbound man page to reduce fragmentation reassembly problems
     edns-buffer-size: 1472
 
     # TTL bounds for cache
     cache-min-ttl: 3600
     cache-max-ttl: 86400
 
     # Perform prefetching of close to expired message cache entries
     # This only applies to domains that have been frequently queried
     prefetch: yes
 
     # One thread should be sufficient, can be increased on beefy machines
     num-threads: 1
 
     # Ensure the kernel buffer is large enough to not lose messages in traffic spikes
     so-rcvbuf: 1m
 
     # Ensure privacy of local IP ranges
     private-address: 192.168.0.0/16
     private-address: 169.254.0.0/16
     private-address: 172.16.0.0/12
     private-address: 10.0.0.0/8
     private-address: fd00::/8
     private-address: fe80::/10
 
 

If you run into issues with Plex (its plex.direct names resolve to private addresses, which the private-address rebinding protection above filters out), add the following:

     # Plex Rebind fix
     private-domain: plex.direct
 
service unbound restart
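One thing worth checking before pointing Pi-hole at this resolver: the configuration listens on every interface but contains no access-control line, and Unbound's default access-control refuses every client except localhost, so a Pi-hole running on another container or host gets REFUSED until an allow rule for its network is added. The following is an added example, not from the wiki guide or the Unbound project: a small audit that parses a server: fragment in unbound.conf's option: value format and reports where it diverges from the hardening above (harden-glue, harden-dnssec-stripped, use-caps-for-id, the private-address ranges, and the missing access-control). The embedded configuration is the guide's own pi-hole.conf, abridged to the lines the audit reads.

```python
"""Audit an Unbound ``server:`` fragment for the settings the guide relies on.

Added example, not from the wiki guide or the Unbound project. It handles the
flat option: value lines of unbound.conf (repeated options such as
private-address are collected in file order, trailing '#' comments are
dropped). The access-control finding rests on Unbound's documented default of
refusing every client except localhost when no access-control is configured.
"""
from collections import defaultdict

# Option -> value the guide's configuration sets.
HARDENING = {
    "harden-glue": "yes",
    "harden-dnssec-stripped": "yes",
    "use-caps-for-id": "no",
}

# Ranges the guide protects against DNS rebinding with private-address.
PRIVATE_RANGES = {"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "169.254.0.0/16", "fd00::/8", "fe80::/10"}

WILDCARD_INTERFACES = {"0.0.0.0", "::0", "::"}


def parse_server_block(text):
    """Return {option: [values in file order]} for one unbound.conf fragment.

    Sufficient for the flat server: clause used here; a '#' inside a quoted
    value is not supported because the parser treats it as a comment start.
    """
    options = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.endswith(":"):  # blank, or a clause header such as 'server:'
            continue
        key, _, value = line.partition(":")
        options[key.strip()].append(value.strip().strip('"'))
    return dict(options)


def audit(options):
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []
    for opt, want in HARDENING.items():
        values = options.get(opt)
        if values is None:
            findings.append(f"{opt} not set (guide sets {want})")
        elif values[-1] != want:  # a later occurrence overrides an earlier one
            findings.append(f"{opt} is {values[-1]}, guide sets {want}")
    missing = PRIVATE_RANGES - set(options.get("private-address", []))
    if missing:
        findings.append("private-address missing: " + ", ".join(sorted(missing)))
    listens_everywhere = WILDCARD_INTERFACES & set(options.get("interface", []))
    if listens_everywhere and "access-control" not in options:
        findings.append("listens on all interfaces but has no access-control; "
                        "Unbound's default refuses every client except localhost, "
                        "so a Pi-hole on another host gets REFUSED")
    return findings


# The guide's pi-hole.conf, abridged to the lines the audit looks at.
GUIDE_CONF = """\
server:
    verbosity: 0
    interface: 0.0.0.0
    interface: ::0
    port: 53
    do-ip6: no
    root-hints: "/var/lib/unbound/root.hints" # If using above script
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: no
    edns-buffer-size: 1472
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10
"""

if __name__ == "__main__":
    for finding in audit(parse_server_block(GUIDE_CONF)) or ["no findings"]:
        print(finding)
```

Run as-is it reports the single access-control finding for the guide's file; adding a line such as access-control: 192.168.0.0/16 allow (substitute your own Pi-hole's network) clears it, and an allow rule scoped to that network is the right fix rather than opening the resolver to everyone.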