Tutorial Unbound

From NREN
Revision as of 17:11, 25 July 2024 by Indiver (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Unbound is a FOSS (Free and Open-source software) validating, recursive, and caching DNS resolver product from NLnet Labs.

Features

  • Caching resolver with prefetching of popular items before they expire
  • DNS over TLS forwarding and server, with domain-validation[2]
  • DNS over HTTPS[3][4]
  • Query Name Minimization[5]
  • Aggressive Use of DNSSEC-Validated Cache[6]
  • Authority zones, for a local copy of the root zone[7]
  • DNS64
  • DNSCrypt[8]
  • DNSSEC validating
  • EDNS Client Subnet


TL;DR

sudo apt install -y unbound

Step-by-step Tutorial

  • Login to your server
  • Install package Unbound
sudo apt install -y unbound

Testing

Checking configuration: 

sudo unbound-checkconf

If the output is not like this, there is some error: 

unbound-checkconf: no errors in /etc/unbound/unbound.conf

Run a few queries, eg.: 

dig @127.0.0.1 yahoo.com

Go through the output: 

labuser@labmachine:~$ dig @localhost yahoo.com

; <<>> DiG 9.18.24-1-Debian <<>> @localhost yahoo.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26347
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;yahoo.com.			IN	A

;; ANSWER SECTION:
yahoo.com.		1428	IN	A	74.6.143.25
yahoo.com.		1428	IN	A	74.6.231.21
yahoo.com.		1428	IN	A	98.137.11.164
yahoo.com.		1428	IN	A	98.137.11.163
yahoo.com.		1428	IN	A	74.6.143.26
yahoo.com.		1428	IN	A	74.6.231.20

;; Query time: 0 msec
;; SERVER: ::1#53(localhost) (UDP)
;; WHEN: Thu Jul 25 11:01:56 UTC 2024
;; MSG SIZE  rcvd: 134

Additional Config

By default, it only allows query from localhost. To enable query from your networks, setup appropiately in /etc/unbound/unbound.conf.d/local.conf file: 

$ cat local.conf
server:
    # specify the interface to answer queries from by ip-address.
    interface: 0.0.0.0
    # interface: ::0

    # addresses from the IP range that are allowed to connect to the resolver
    access-control: 10.0.0.0/8 allow
    # access-control: 192.168.0.0/16 allow
    # access-control: 2001:DB8/64 allow

Sources and External Links

Retrieved from "https://training.nren.net.np/index.php?title=Tutorial_Unbound&oldid=67"