Recursive DNS w/ Unbound


  • Jonathan Haack
  • Haack’s Networking
  • webmaster@haacksnetworking.org

//openwrtmt6000//


Latest Updates: https://wiki.haacksnetworking.org/doku.php?id=computing:unbounddns


This tutorial is for users of Debian GNU/Linux who want to run their own recursive DNS server using the Unbound project. In this scenario, I am using a GL.iNet MT6000 router and a separate AP. The router handles all DHCP/DNS for the LAN / private subnet. In the OpenWrt config on the router’s DHCP server, I specify a custom DNS server under Interfaces / LAN / DHCP Server / Advanced / 6,10.1.1.100. This DNS server can be either a Debian VM or bare metal. After much tinkering, I find the performance is better on bare metal. Accordingly, I use a Dell 8700 off-site backup server as the pihole host. pihole-FTL takes care of adblocking and DNS sinkhole duties on port 53. If left with default settings, the pihole uses your specified third-party DNS servers for upstream requests (Level 3, Cloudflare, etc.). This tutorial shows how to replace those third-party DNS servers with Unbound, running locally on the pihole on port 5335 (since pihole-FTL is already on 53). It should be noted that a pihole is not required to run Unbound; if you would simply like to run Unbound with OpenWrt, follow this same setup and set Interfaces / WAN / Use Custom DNS Servers / 10.1.1.100. Alright, here’s the recipe I used, which was based on the pihole docs, the unbound docs, some Linux Babe posts, and a handful of 10 or so forums I found while hunting various issues with the initial setup.

sudo apt install unbound
sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf

After installing the package and opening/creating the pi-hole.conf file, enter something like the following into it, adapting to your use case as needed:

server:
    # With use-syslog set to yes, unbound ignores the logfile setting and logs through
    # syslog(3) instead; rsyslog (configured below) is what writes this file.
    logfile: "/var/log/unbound/unbound.log"
    log-time-ascii: yes
    use-syslog: yes
    directory: "/etc/unbound"
    username: unbound
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    # verbosity 3 logs every query; logrotate (below) keeps the file in check
    verbosity: 3
    # Listen on every address; who may actually query is limited by access-control
    interface: 0.0.0.0
    interface: ::0
    # 5335 because pihole-FTL already owns port 53
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    # DNSSEC validation, then recursion
    module-config: "validator iterator"
    do-ip6: yes
    prefer-ip6: no
    # Only trust glue that is in-bailiwick, and treat stripped DNSSEC data as bogus
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: no
    # Keep responses in a single unfragmented packet; dnsmasq is set to the same size later
    edns-buffer-size: 1232
    prefetch: yes
    # Cache sizing for roughly 30-40 clients; slab counts are powers of two near num-threads
    num-threads: 8
    msg-cache-slabs: 16
    rrset-cache-slabs: 16
    infra-cache-slabs: 16
    key-cache-slabs: 16
    rrset-cache-size: 512m
    msg-cache-size: 256m
    outgoing-range: 32768
    num-queries-per-thread: 8192
    infra-cache-numhosts: 100000
    #so-rcvbuf: 1m
    #so-sndbuf: 2m
    so-reuseport: yes
    # Never return these private/link-local ranges for public names (DNS rebinding protection)
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10
    # Clients allowed to query; anything not listed is refused by default
    #access-control: 127.0.0.1/32 allow_snoop
    #access-control: ::1 allow_snoop
    #access-control: 127.0.0.0/8 allow
    access-control: 192.168.0.0/16 allow
    access-control: 10.0.0.0/8 allow
    # Loopback is the whole /8 (127.0.0.1/24 has host bits set under the mask)
    access-control: 127.0.0.0/8 allow
    # 2001:DB8::/64 is the documentation prefix; substitute your LAN's IPv6 prefix
    access-control: 2001:DB8::/64 allow
    aggressive-nsec: yes
    hide-identity: yes
    hide-version: yes
    cache-max-ttl: 14400
    # Floors every TTL at ~3 hours, so records are served longer than their owners intend;
    # the unbound.conf man page cautions that values above about an hour can serve stale data
    cache-min-ttl: 11000

I use rsyslog for logging as follows:

sudo apt install rsyslog
sudo nano /etc/rsyslog.d/unbound.conf

In the config file, enter:

if $programname == 'unbound' then /var/log/unbound/unbound.log
& stop

Now that rsyslog is configured to log data for unbound, we need to set up log rotation to ensure our log files don’t become too large. This is especially important when verbosity is set to 3 or higher, as in the configuration above.

sudo nano /etc/logrotate.d/unbound

In the logrotate file, enter something like:

/var/log/unbound/unbound.log {
    daily
    rotate 7
    missingok
    create 0640 root adm
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate
    endscript
}

There are a few more things to set up to ensure logs are in working order:

sudo nano /etc/apparmor.d/local/usr.sbin.unbound

In the config file, enter:

/var/log/unbound/unbound.log rw,

Now, let’s update AppArmor to be aware of the change, then create the directory and log file and grant the proper permissions.

sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.unbound
sudo service apparmor restart
sudo mkdir -p /var/log/unbound
sudo touch /var/log/unbound/unbound.log
sudo chown unbound /var/log/unbound/unbound.log

The resolvconf package and its systemd unit are known to overwrite changes to resolv.conf and are not recommended for Debian-based systems. Disable the unit and purge its files as follows:

sudo systemctl disable --now unbound-resolvconf.service
sudo sed -Ei 's/^unbound_conf=/#unbound_conf=/' /etc/resolvconf.conf
sudo rm -f /etc/unbound/unbound.conf.d/resolvconf_resolvers.conf

Lastly, let’s make pihole-FTL (which is built on dnsmasq and reads /etc/dnsmasq.d) use the same EDNS packet size specified in the Unbound config:

sudo nano /etc/dnsmasq.d/99-edns.conf

In that config, simply enter:

edns-packet-max=1232
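As an added sanity check (my own code, not from this tutorial or the Unbound project), the following Python linter parses the server: options and the dnsmasq line from this recipe and flags the settings a reviewer would question: a netblock with host bits set (127.0.0.1/24 where 127.0.0.0/8 is meant), an allow rule for a public range, a cache-min-ttl floor above an hour, and an EDNS size that disagrees between dnsmasq and unbound. The config excerpts are constructed from this page and deliberately keep the malformed loopback netblock so the check fires.

```python
import ipaddress

# Constructed excerpts of the two files from this tutorial; the loopback netblock is
# written as 127.0.0.1/24 on purpose so the host-bits check below fires.
UNBOUND_CONF = """\
server:
    port: 5335
    edns-buffer-size: 1232
    access-control: 192.168.0.0/16 allow
    access-control: 127.0.0.1/24 allow
    cache-max-ttl: 14400
    cache-min-ttl: 11000
"""
DNSMASQ_CONF = "edns-packet-max=1232\n"

def parse_unbound(text):
    """Map each server: option to the list of its values; comments and blanks skipped."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.endswith(":"):  # blank line or the 'server:' header
            continue
        key, _, val = line.partition(":")
        opts.setdefault(key.strip(), []).append(val.strip().strip('"'))
    return opts

def lint(unbound_text, dnsmasq_text):
    """Return a list of findings; an empty list means every check passed."""
    opts, findings = parse_unbound(unbound_text), []
    for entry in opts.get("access-control", []):
        block, _, action = entry.partition(" ")
        try:
            net = ipaddress.ip_network(block, strict=True)  # strict rejects host bits under the mask
        except ValueError:
            findings.append(f"access-control {block}: host bits set outside the prefix")
            continue
        if action == "allow" and not (net.is_private or net.is_loopback):
            findings.append(f"access-control {block}: allows a public range on this resolver")
    min_ttl = int(opts.get("cache-min-ttl", ["0"])[0])
    max_ttl = int(opts.get("cache-max-ttl", ["86400"])[0])
    if min_ttl > max_ttl:
        findings.append("cache-min-ttl is larger than cache-max-ttl")
    if min_ttl > 3600:  # unbound.conf(5) cautions that floors above about an hour serve stale data
        findings.append(f"cache-min-ttl {min_ttl}s overrides owner TTLs by more than an hour")
    edns = opts.get("edns-buffer-size", ["1232"])[0]
    for line in dnsmasq_text.splitlines():
        key, _, val = line.partition("=")
        if key.strip() == "edns-packet-max" and val.strip() != edns:
            findings.append(f"dnsmasq edns-packet-max={val.strip()} differs from unbound edns-buffer-size={edns}")
    return findings
```

Point it at your real /etc/unbound/unbound.conf.d/pi-hole.conf and /etc/dnsmasq.d/99-edns.conf by reading those files into the two strings; the defaults used when an option is absent (cache-max-ttl 86400, edns-buffer-size 1232) are Unbound's own.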

This setup and config are designed for a small business or home office with 30-40 clients on the network using the pihole and unbound server. For smaller setups, adjust the config file above as necessary.

Happy Hacking!
– oemb1905
