Unbound DNS resolver, cache & adblocker
Setting up an Unbound DNS resolver, cache & adblocker.
Optional: Rebuild source to enable cachedb & redis support.
Install necessary packages.
# Refresh the package index, apply pending upgrades, then install the
# resolver, the trust-anchor helper and openresolv (for resolvconf).
apt update && apt upgrade --yes
apt install --yes unbound unbound-anchor openresolv
Get latest list of root DNS servers.
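# Fetch the current root hints into unbound's working/chroot directory.
# --fail: on an HTTP error curl exits non-zero instead of writing the error
#         page over root.hints; -sS is quiet except for actual errors.
curl --fail -sS --output /var/lib/unbound/root.hints \
  https://www.internic.net/domain/named.cache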
Create root.key
# Fetch/verify the DNSSEC root trust anchor into root.key. Per its man page
# unbound-anchor exits 1 when it had to update the anchor, so do not treat a
# non-zero status here as a failure by itself.
unbound-anchor -a "/var/lib/unbound/root.key"
Init cryptographic keys for unbound-control.
# Generate the server/client key pairs and certificates that unbound-control
# uses to talk to the daemon (needed by the remote-control: section below).
unbound-control-setup
unbound.conf
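# Write the resolver configuration. The here-document delimiter is quoted so
# the shell expands nothing inside it.
tee /etc/unbound/unbound.conf << 'EOF' > /dev/null
server:
# listen on all devices (IPv4, IPv6)
interface: 0.0.0.0
interface: ::0
# access control <subnet> <action>
# Only loopback and the LAN may query (unbound's default for networks not
# listed here is refuse). ::1 is listed explicitly because resolvconf.conf
# below names it as the first resolver.
access-control: 127.0.0.0/8 allow
access-control: ::1 allow
access-control: 192.168.0.0/16 allow
use-systemd: yes
do-daemonize: no
# chroot + directory: the file names below (root.hints, root.key) are
# relative to this directory.
chroot: "/var/lib/unbound"
username: "unbound"
directory: "/var/lib/unbound"
root-hints: "root.hints"
auto-trust-anchor-file: "root.key"
use-syslog: yes
num-threads: 1
outgoing-range: 950
num-queries-per-thread: 475
msg-cache-slabs: 2
rrset-cache-slabs: 2
infra-cache-slabs: 2
key-cache-slabs: 2
# do not answer id.server / version.bind style identity queries
hide-identity: yes
hide-version: yes
unwanted-reply-threshold: 10000000
prefetch: yes
prefetch-key: yes
serve-expired: yes
serve-expired-reply-ttl: 0
# enabled for unbound-control (default control interface is localhost only)
remote-control:
control-enable: yes
########################################
### next entries for local service only.
########################################
server:
# change local domain name.
private-domain: "home.lan"
private-address: 10.0.0.0/8
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: fd00::/8
private-address: fe80::/10
# static entries (change IP, local domain name and hostname)
local-zone: "home.lan." static
local-data: "example.home.lan. IN A 192.168.112.1"
local-data-ptr: "192.168.112.1 example.home.lan"
# upstream DNS servers (IPv4). feel free to change.
# you can add IPv6 upstream addresses.
forward-zone:
name: "."
forward-addr: 1.1.1.1
forward-addr: 8.8.8.8
# or another LAN server.
# forward-addr: 192.168.10.1
# DNS over TLS (IPv4, IPv6) not enabled! To enable it, replace the plain
# forward-addr lines above with the @853 ones below. The directive is
# forward-addr (not forward-address); the #hostname suffix is what lets
# unbound verify the upstream certificate against that name.
# forward-tls-upstream: yes
# forward-addr: 1.1.1.1@853#cloudflare-dns.com
# forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
# tls-cert-bundle is a server: option; with chroot set above, check that the
# bundle path is readable from inside the chroot.
# server:
# tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
# DNS blocklist(s) (periodically download via systemd)
# & whitelist (configure manually). The dnsbl files are included first,
# then the dnswl files.
server:
include: "/etc/unbound/dnsbl/*.conf"
include: "/etc/unbound/dnswl/*.conf"
EOF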
Update the list of root DNS servers monthly.
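# One-shot service that refreshes root.hints. --fail stops curl from writing
# an HTTP error page over the file, and network-online.target (rather than
# network.target) is the ordering point for units that need a working uplink.
tee /etc/systemd/system/roothints.service << 'EOF' > /dev/null
[Unit]
Description=Update root hints for unbound
Wants=network-online.target
After=network-online.target
[Service]
Type=oneshot
ExecStart=/usr/bin/curl --fail -sS -o /var/lib/unbound/root.hints https://www.internic.net/domain/named.cache
EOF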
# Timer that triggers roothints.service once a month; Persistent=true makes
# systemd run a missed activation as soon as the timer is next active.
cat << 'EOF' > /etc/systemd/system/roothints.timer
[Unit]
Description=Run root.hints monthly
[Timer]
OnCalendar=monthly
Persistent=true
[Install]
WantedBy=timers.target
EOF
Enable service.
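# enable alone only creates the symlink; --now also starts the timer so it
# fires without waiting for the next boot.
systemctl enable --now roothints.timer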
Make directories for the blocklist & whitelist.
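# -p keeps this step idempotent when the steps are re-run.
mkdir -p /etc/unbound/dnsbl /etc/unbound/dnswl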
Create script to get latest DNS blocklist by Steven Black.
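# Script that regenerates the Steven Black blocklist as unbound local-zone
# entries. The here-document delimiter is quoted: the script body contains
# $variables and backslashes that must reach the file untouched. A shebang is
# required because systemd executes the script directly (no shell fallback).
# The original appended (>>) on every run, so the file grew and duplicated
# each week; this version replaces it atomically.
tee /etc/unbound/unbound_get_dnsbl.sh << 'EOF' > /dev/null
#!/usr/bin/env bash
# Download the hosts-format list and rewrite it as
# 'local-zone: "<name>" always_null' lines in $out, replacing the file as a whole.
set -euo pipefail

out=/etc/unbound/dnsbl/stevenblack.conf
url=https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

# Build the new file next to the old one so the final mv is atomic; the
# temporary name has no .conf suffix, so the include: glob never picks it up.
tmp=$(mktemp "${out%/*}/.stevenblack.XXXXXX")
trap 'rm -f -- "$tmp"' EXIT

# --fail: an HTTP error exits non-zero (caught by pipefail) instead of feeding
# an error page into the filter. The grep keeps only "0.0.0.0 <name>" lines,
# so a line the sed would not rewrite can no longer leak through unchanged.
curl -fsS "$url" \
  | grep '^0\.0\.0\.0 ' \
  | sed 's/ #.*$//;s/^0\.0\.0\.0 \(.*\)/local-zone: "\1" always_null/' \
  > "$tmp"

# Never replace a working blocklist with an empty one.
[[ -s "$tmp" ]] || exit 1
mv -f -- "$tmp" "$out"
EOF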
Make script executable.
# The script is run directly (here and from the systemd unit), so it needs
# the execute bit.
chmod +x /etc/unbound/unbound_get_dnsbl.sh
Execute it.
# First run: populates /etc/unbound/dnsbl/ before unbound is (re)started.
/etc/unbound/unbound_get_dnsbl.sh
Create DNS whitelist (optional).
# Optional whitelist: always_transparent makes unbound resolve the name
# normally, ignoring local data. NOTE(review): whether this wins over a
# blocklist entry for the same name, and what happens to blocked subdomains
# of it, should be confirmed against the installed unbound's local-zone rules.
cat << 'EOF' > /etc/unbound/dnswl/wl.conf
local-zone: "example.com" always_transparent
EOF
Update DNS blocklist weekly.
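# One-shot service: refresh the blocklist, then reload unbound. systemd does
# not run ExecStart through a shell, so the original
# "script && unbound-control ..." passed "&&" and the rest as arguments to the
# script and never reloaded unbound; ExecStartPost runs only after ExecStart
# succeeded, which is the intended "&&" semantics.
tee /etc/systemd/system/unbound-blocklist.service << 'EOF' > /dev/null
[Unit]
Description=Update DNS blocklistc for unbound
Wants=network-online.target
After=network-online.target
[Service]
Type=oneshot
ExecStart=/etc/unbound/unbound_get_dnsbl.sh
ExecStartPost=/usr/sbin/unbound-control -q reload_keep_cache
EOF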
# Weekly trigger for unbound-blocklist.service; Persistent=true catches up a
# missed run once the timer is active again.
cat << 'EOF' > /etc/systemd/system/unbound-blocklist.timer
[Unit]
Description=Run unbound-blocklist weekly
[Timer]
OnCalendar=weekly
Persistent=true
[Install]
WantedBy=timers.target
EOF
Enable service.
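# --now starts the timer immediately; enable alone would leave it inactive
# until the next boot.
systemctl enable --now unbound-blocklist.timer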
Add local DNS service to resolvconf.conf.
# openresolv renders these into /etc/resolv.conf: the local unbound on both
# loopback addresses, and trust-ad so the stub resolver trusts the AD bit
# set by this (validating, local) resolver.
cat << 'EOF' > /etc/resolvconf.conf
name_servers="::1 127.0.0.1"
resolv_conf_options="trust-ad"
EOF
Inform the system about the DNS update.
# Regenerate /etc/resolv.conf from resolvconf.conf.
resolvconf -u
Restart Unbound.
# Enable at boot and restart now so the new unbound.conf and blocklist load.
systemctl enable unbound.service && systemctl restart unbound.service
Useful commands. Use “unbound-control -h”.
For example: unbound-control stats, unbound-control reload_keep_cache, unbound-control dump_cache.
Unbound DNS resolver with CacheDB & Redis
Build Unbound from Debian sources.
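# Rebuild Debian's unbound package with cachedb/redis support.
# apt-get source / build-dep need a deb-src entry in the apt sources.
apt-get install build-essential libhiredis-dev
apt-get source unbound
apt-get build-dep unbound
# Stop if the unpacked source is not where expected; otherwise the sed and
# the build below would run in the wrong directory.
cd unbound-1.17.1 || exit 1
# Insert the two configure flags before the --with-pythonmodule line in
# debian/rules (GNU sed one-liner 'i' text: \\ -> backslash, \n -> newline).
# Inspect the edited debian/rules before building.
sed -i '/--with-pythonmodule/ i --enable-cachedb \\\n--with-libhiredis \\' debian/rules
# -rfakeroot: gain root via fakeroot; -uc: do not sign; -b: binary-only build.
dpkg-buildpackage -rfakeroot -uc -b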
You can install the packages right now. Personally, I’m moving them to another LXC/VM.
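# Runtime dependencies of the rebuilt packages.
apt install libpython3.11 libhiredis0.14 libevent-2.1-7
# One dpkg invocation for all four packages lets dpkg work out the
# inter-package dependency order itself instead of failing or leaving a
# package unconfigured when its dependency is installed later.
dpkg -i ../libunbound8_1.17.1-2_amd64.deb \
  ../unbound-anchor_1.17.1-2_amd64.deb \
  ../unbound_1.17.1-2_amd64.deb \
  ../python3-unbound_1.17.1-2_amd64.deb
# The rebuilt packages keep the stock version number, so a later apt upgrade
# may replace them with the archive build (and lose cachedb); holding them
# with "apt-mark hold" prevents that.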
Add entries to /etc/unbound/unbound.conf
server:
module-config: "subnetcache validator cachedb iterator"
cachedb:
backend: "redis"
redis-server-host: 127.0.0.1
redis-server-port: 6379
redis-timeout: 100
redis-expire-records: no