Difference between revisions of "Tutorial Unbound"
From NREN
Sources and External Links
- Unbound entry in Wikipedia: https://en.wikipedia.org/wiki/Unbound_(DNS_server)
- Unbound configuration at NLnet Labs: https://unbound.docs.nlnetlabs.nl/en/latest/getting-started/configuration.html
- Digital Ocean article on Unbound installation: https://www.techrepublic.com/article/how-to-install-unbound-dns/
Latest revision as of 17:11, 25 July 2024
Unbound is a FOSS (Free and Open-source software) validating, recursive, and caching DNS resolver product from NLnet Labs.
Features
- Caching resolver with prefetching of popular items before they expire
- DNS over TLS forwarding and server, with domain-validation[2]
- DNS over HTTPS[3][4]
- Query Name Minimization[5]
- Aggressive Use of DNSSEC-Validated Cache[6]
- Authority zones, for a local copy of the root zone[7]
- DNS64
- DNSCrypt[8]
- DNSSEC validating
- EDNS Client Subnet
TL;DR
sudo apt install -y unbound
Step-by-step Tutorial
- Login to your server
- Install package Unbound
sudo apt install -y unbound
Testing
Checking configuration:
sudo unbound-checkconf
If the output differs from the following line, the configuration contains an error:
unbound-checkconf: no errors in /etc/unbound/unbound.conf
Run a few queries, e.g.:
dig @127.0.0.1 yahoo.com
Go through the output:
labuser@labmachine:~$ dig @localhost yahoo.com

; <<>> DiG 9.18.24-1-Debian <<>> @localhost yahoo.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26347
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;yahoo.com.                     IN      A

;; ANSWER SECTION:
yahoo.com.              1428    IN      A       74.6.143.25
yahoo.com.              1428    IN      A       74.6.231.21
yahoo.com.              1428    IN      A       98.137.11.164
yahoo.com.              1428    IN      A       98.137.11.163
yahoo.com.              1428    IN      A       74.6.143.26
yahoo.com.              1428    IN      A       74.6.231.20

;; Query time: 0 msec
;; SERVER: ::1#53(localhost) (UDP)
;; WHEN: Thu Jul 25 11:01:56 UTC 2024
;; MSG SIZE  rcvd: 134
Additional Config
By default, Unbound only answers queries from localhost. To accept queries from your own networks, configure the /etc/unbound/unbound.conf.d/local.conf file appropriately:
$ cat local.conf
server:
    # specify the interface to answer queries from by ip-address.
    interface: 0.0.0.0
    # interface: ::0

    # addresses from the IP range that are allowed to connect to the resolver
    access-control: 10.0.0.0/8 allow
    # access-control: 192.168.0.0/16 allow
    # access-control: 2001:DB8/64 allow
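As an added check that is not part of the original tutorial, the following shell function lints a server: block like the local.conf above for an open-resolver setup: a wildcard interface with no allow-listed client range, or an access-control entry that allows 0.0.0.0/0 or ::/0. The sample config it writes is constructed here to mirror the tutorial's file.

```shell
# check_unbound_acl FILE: inspect an unbound.conf fragment and report whether the
# listener is restricted to explicit client ranges. Exit 0 = OK, 1 = warning,
# 2 = catch-all allow (open resolver). Added example, not Unbound's own tooling.
check_unbound_acl() {
  awk '
    /^[[:space:]]*#/ { next }                    # skip commented-out directives
    /^[[:space:]]*interface:/ {                  # interface: <ip>  -> $2 is the address
      if ($2 == "0.0.0.0" || $2 == "::0" || $2 == "::") wildcard = 1
    }
    /^[[:space:]]*access-control:/ {             # access-control: <net> <action>
      if ($3 == "allow" || $3 == "allow_snoop") {
        if ($2 == "0.0.0.0/0" || $2 == "::/0") open = 1
        else allows++
      }
    }
    END {
      if (open) {
        print "FAIL: access-control allows any client (open resolver)"; exit 2
      }
      if (wildcard && allows == 0) {
        print "WARN: wildcard interface but no allow-listed client range"; exit 1
      }
      print "OK: " (allows + 0) " allow-listed client range(s), no catch-all allow"
      exit 0
    }' "$1"
}

# Constructed sample matching the tutorial's local.conf (commented ranges stay ignored)
sample=$(mktemp)
cat > "$sample" <<'EOF'
server:
    interface: 0.0.0.0
    access-control: 10.0.0.0/8 allow
    # access-control: 192.168.0.0/16 allow
EOF
check_unbound_acl "$sample"
rm -f "$sample"
```

Run it against the real file with `check_unbound_acl /etc/unbound/unbound.conf.d/local.conf` after editing, then `sudo unbound-checkconf` as in the Testing section.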