Setting up a local DNS resolver is crucial for efficient network communication and security. Unbound is a free and open-source DNS server software that can be used for validating, recursive, and caching DNS resolvers. It prioritizes privacy and security without compromising speed and performance. In this guide, we will walk you through the process of setting up Unbound on your Ubuntu 22.04 server as a local DNS resolver with additional features such as DNSSEC, DNS cache, local domain names and sub-domains, and DNS-over-TLS (DoT).
Prerequisites
Before we begin, make sure you have the following requirements:
- An Ubuntu 22.04 server – This guide assumes you have an Ubuntu server with the hostname ‘unbound-server’ and IP address ‘192.168.5.100’.
- A non-root user with sudo/root administrator privileges.
Installing Unbound DNS Server
The first step is to install Unbound on your Ubuntu 22.04 server. Luckily, Unbound is available in the default Ubuntu repository, making the installation process straightforward. Start by updating and refreshing your Ubuntu package index using the following command:
sudo apt update
Once the update is complete, you can check the details of the Unbound package using the following command:
sudo apt info unbound
At the time of writing, the default Ubuntu repository provides Unbound version 1.13. To install Unbound, use the following command:
sudo apt install unbound
During the installation process, you will be prompted to confirm. Type ‘y’ and press ENTER to proceed. Once the installation is complete, verify the status of the Unbound service using the following command:
sudo systemctl is-enabled unbound
sudo systemctl status unbound
If the output shows ‘enabled’ and ‘active (running)’, it means Unbound is successfully installed and running on your server.
Configuring Unbound as a Local DNS Server
Now that Unbound is installed, it’s time to configure it as a local DNS server. The default Unbound configuration file is located at ‘/etc/unbound/unbound.conf’. Open this file with your preferred text editor. In this guide, we will use nano as the text editor:
sudo nano /etc/unbound/unbound.conf
Basic Configuration
In the Unbound configuration file, you will find various sections that allow you to customize the behavior of the DNS server. Let’s start with the basic configuration. Add the following lines to the file:
server:
    use-syslog: yes
    username: "unbound"
    directory: "/etc/unbound"
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    do-ip6: no
    interface: 192.168.5.100
    port: 53
    prefetch: yes
    root-hints: /usr/share/dns/root.hints
    harden-dnssec-stripped: yes
Here’s a breakdown of the parameters:
use-syslog: yes – sends Unbound's log messages to syslog.
username: "unbound" – drops privileges to the 'unbound' user, the account created by the package.
directory: "/etc/unbound" – sets Unbound's working directory.
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt – points to the CA certificates used to authenticate TLS connections to upstream servers (needed later for DNS-over-TLS).
do-ip6: no – disables IPv6, both for listening and for upstream queries.
interface: 192.168.5.100 – the IP address Unbound listens on. Unbound binds only to the addresses listed here, so add a second interface: 127.0.0.1 line if the server itself should be able to query the resolver over localhost.
port: 53 – the port on which Unbound listens for client queries.
prefetch: yes – refreshes cache entries that are about to expire before they are requested again.
root-hints: /usr/share/dns/root.hints – the file listing the root DNS servers.
harden-dnssec-stripped: yes – rejects answers from which DNSSEC data has been stripped when it should have been present.
Enable DNS Cache
Enabling the DNS cache can significantly improve the performance of your Unbound DNS server. Add the following lines inside the server: section of your Unbound configuration file:
    cache-max-ttl: 14400
    cache-min-ttl: 11000
Here’s what these parameters mean:
cache-max-ttl: 14400 – sets the maximum Time To Live (TTL), in seconds, for RRsets and messages in the cache; records with a longer TTL are capped at this value.
cache-min-ttl: 11000 – sets the minimum TTL for cached entries. The default is 0, and it is recommended not to set it higher than 1 hour (3600 seconds) to avoid serving stale data; the example value of 11000 seconds is just over 3 hours, so lower it if freshness matters more to you than cache hits.
Unbound Privacy and Security
Unbound provides several options to enhance privacy and security. Add the following lines inside the server: section of your Unbound configuration file:
    aggressive-nsec: yes
    hide-identity: yes
    hide-version: yes
    use-caps-for-id: yes
Here’s what these parameters do:
aggressive-nsec: yes – enables aggressive use of the DNSSEC NSEC chain to synthesize NXDOMAIN and other negative answers from the cache, reducing queries for non-existent names.
hide-identity: yes – refuses to answer id.server and hostname.bind queries.
hide-version: yes – refuses to answer version.server and version.bind queries.
use-caps-for-id: yes – uses 0x20-encoded random bits (randomised letter case) in outgoing query names to make spoofed answers harder to inject.
Define Private Network and Access Control Lists (ACLs)
Next, you need to define your private network and access control lists (ACLs). Replace the example subnets with your own private network subnets. Add the following lines inside the server: section of your Unbound configuration file:
    private-address: 192.168.0.0/16
    private-address: 192.168.5.0/24
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10
    access-control: 127.0.0.1/32 allow_snoop
    access-control: ::1 allow_snoop
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.5.0/24 allow
Here’s what these parameters do:
private-address – lists the private subnets on your infrastructure. Answers from the public internet that contain these addresses are dropped, which protects against DNS rebinding; only 'private-domain' and 'local-data' names may resolve to them.
access-control – defines which clients may send queries to the Unbound server. The 'allow' action permits recursive queries, while 'allow_snoop' also permits non-recursive (cache-snooping) queries and is therefore reserved for localhost here. When several entries match, the most specific netblock wins, so 127.0.0.1/32 allow_snoop takes precedence over 127.0.0.0/8 allow, and clients that match no entry are refused.
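As an added illustration (not part of the original guide), the following Python script models how Unbound evaluates the access-control list above, choosing the most specific matching netblock and refusing clients that match no entry, so you can check which clients will be served before restarting the service:

```python
import ipaddress

# The access-control entries from the configuration above, in the order written.
ACL = [
    ("127.0.0.1/32", "allow_snoop"),
    ("::1", "allow_snoop"),
    ("127.0.0.0/8", "allow"),
    ("192.168.5.0/24", "allow"),
]


def acl_action(client_ip, acl=ACL, default="refuse"):
    """Return the action Unbound applies to a query from client_ip.

    Unbound picks the most specific (longest-prefix) netblock that contains the
    client; a client matched by no entry gets the default action, refuse.
    """
    addr = ipaddress.ip_address(client_ip)
    best_net, best_action = None, default
    for netblock, action in acl:
        net = ipaddress.ip_network(netblock, strict=False)
        if net.version != addr.version or addr not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_action = net, action
    return best_action


def allows_recursion(client_ip, acl=ACL):
    """True when the client may send recursive queries (allow or allow_snoop)."""
    return acl_action(client_ip, acl) in ("allow", "allow_snoop")


def allows_cache_snooping(client_ip, acl=ACL):
    """True only for allow_snoop entries, which also permit non-recursive (RD=0) queries."""
    return acl_action(client_ip, acl) == "allow_snoop"


if __name__ == "__main__":
    # Constructed sample clients: loopback, the rest of 127/8, a LAN host, a foreign subnet, IPv6 loopback.
    for ip in ("127.0.0.1", "127.0.0.5", "192.168.5.42", "10.0.0.5", "::1"):
        print(f"{ip:>14}  {acl_action(ip):<12} recursion={allows_recursion(ip)}")
```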
Setup Local Domain
To set up a local domain for your network, you can define a local zone in Unbound. This lets you reach self-hosted applications on your local network by name. Replace the example domain and sub-domains with your own. Add the following lines inside the server: section of your Unbound configuration file:
    local-zone: "home.lan." static
    local-data: "firewall.home.lan. IN A 10.0.0.1"
    local-data: "vault.home.lan. IN A 10.0.0.2"
    local-data: "media.home.lan. IN A 10.0.0.3"
    local-data: "docs.home.lan. IN A 10.0.0.4"
    local-data: "wiki.home.lan. IN A 10.0.0.5"
    local-data-ptr: "10.0.0.1 firewall.home.lan"
    local-data-ptr: "10.0.0.2 vault.home.lan"
    local-data-ptr: "10.0.0.3 media.home.lan"
    local-data-ptr: "10.0.0.4 docs.home.lan"
    local-data-ptr: "10.0.0.5 wiki.home.lan"
Here’s what these parameters mean:
local-zone: "home.lan." static – defines the local zone 'home.lan.' as a static zone, so names in it are answered only from the local-data below and are never forwarded upstream.
local-data: "subdomain.home.lan. IN A x.x.x.x" – adds an A record for each sub-domain with the IP address it resolves to.
local-data-ptr: "x.x.x.x subdomain.home.lan" – adds the matching PTR record so reverse lookups of the IP address return the sub-domain name.
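The following added Python helper (example code, not from the guide) generates paired local-data and local-data-ptr lines for the home.lan hosts above and checks a configuration fragment for A records without a matching PTR record, a common cause of failing reverse lookups:

```python
import re

# Constructed host map for the home.lan zone used in this guide.
HOSTS = {
    "firewall": "10.0.0.1",
    "vault": "10.0.0.2",
    "media": "10.0.0.3",
    "docs": "10.0.0.4",
    "wiki": "10.0.0.5",
}

A_RE = re.compile(r'local-data:\s*"([^\s"]+)\s+IN\s+A\s+([\d.]+)"')
PTR_RE = re.compile(r'local-data-ptr:\s*"([\d.]+)\s+([^\s"]+)"')


def local_zone_records(zone, hosts):
    """Emit a static local-zone plus paired A and PTR lines for each host."""
    zone = zone.rstrip(".") + "."  # local-zone and local-data need the trailing dot
    lines = [f'local-zone: "{zone}" static']
    for name, ip in hosts.items():
        fqdn = f"{name}.{zone}"
        lines.append(f'local-data: "{fqdn} IN A {ip}"')
        # local-data-ptr takes the name without the trailing dot, as in the guide
        lines.append(f'local-data-ptr: "{ip} {fqdn.rstrip(".")}"')
    return lines


def ptr_mismatches(config_text):
    """Return (A records lacking a PTR, PTR records lacking an A) as (name, ip) pairs.

    Names are compared without the trailing dot so both spellings match.
    """
    forward = {(n.rstrip("."), ip) for n, ip in A_RE.findall(config_text)}
    reverse = {(n.rstrip("."), ip) for ip, n in PTR_RE.findall(config_text)}
    return sorted(forward - reverse), sorted(reverse - forward)


if __name__ == "__main__":
    records = local_zone_records("home.lan", HOSTS)
    print("\n".join(records))
    # Constructed fragment with a typo in the wiki PTR address to show the report.
    broken = "\n".join(records).replace('"10.0.0.5 wiki', '"10.0.0.6 wiki')
    print(ptr_mismatches(broken))
```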
Unbound Performance Tuning and Tweaks
To optimize Unbound's performance, you can adjust certain parameters. Add the following lines inside the server: section of your Unbound configuration file:
    num-threads: 4
    msg-cache-slabs: 8
    rrset-cache-slabs: 8
    infra-cache-slabs: 8
    key-cache-slabs: 8
    rrset-cache-size: 256m
    msg-cache-size: 128m
    so-rcvbuf: 8m
Here’s what these parameters do:
num-threads – the number of worker threads Unbound creates; match it to the number of CPU cores on your server.
msg-cache-slabs – the number of slabs for the message cache; slabs reduce lock contention between threads and must be a power of 2.
rrset-cache-slabs – the number of slabs for the RRset cache (power of 2).
infra-cache-slabs – the number of slabs for the infrastructure cache (power of 2).
key-cache-slabs – the number of slabs for the DNSSEC key cache (power of 2).
rrset-cache-size – the memory allocated to the RRset cache.
msg-cache-size – the memory allocated to the message cache; the RRset cache is normally sized at about twice the message cache, as in the example.
so-rcvbuf – the kernel receive buffer size for the UDP port 53 socket, which helps absorb query bursts.
Setting up Unbound as a DNS Resolver with DNS-over-TLS (DoT)
To enhance the security of your DNS communications, you can configure Unbound to use DNS-over-TLS (DoT). Add the following forward-zone: clause to your Unbound configuration file; it is a separate top-level clause placed after the server: section, not indented under it:
forward-zone:
    name: "."
    forward-ssl-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
Here’s what these parameters do:
forward-zone – declares a zone whose queries Unbound forwards to the listed upstream servers instead of resolving them itself from the root servers.
name: "." – the root zone, so every query not answered from cache or local data is forwarded.
forward-ssl-upstream: yes – sends the forwarded queries over TLS, i.e. DNS-over-TLS (DoT); forward-tls-upstream is the newer spelling of the same option.
forward-addr – the upstream forwarders, written as IP@port#hostname: @853 selects the DoT port and #dns.quad9.net is the name Unbound verifies against the upstream server's certificate using the tls-cert-bundle configured earlier. This example uses the Quad9 DNS servers.
Save and exit the Unbound configuration file when you’re finished.
Restart and Verify Unbound Configuration
After modifying the Unbound configuration file, it’s essential to restart the Unbound service to apply the changes. Use the following commands:
sudo unbound-checkconf
sudo systemctl restart unbound
The unbound-checkconf command checks the configuration for errors. If it reports none, restart the Unbound service, then verify the list of listening ports on your system with the following command:
ss -tulpn
Confirm that the unbound process is listening on port 53 (UDP and TCP) on 192.168.5.100.
Setting up UFW Firewall
To protect your server, it’s recommended to set up a firewall. Ubuntu uses UFW (Uncomplicated Firewall) as the default firewall. If UFW is not enabled, you can start by enabling it using the following command:
sudo ufw enable
By default, UFW allows only SSH connections. To allow DNS traffic on port 53, run the following command:
sudo ufw allow 53/udp
DNS falls back to TCP when an answer does not fit in a UDP packet, which is common with DNSSEC-signed responses, so allow 53/tcp with the same command as well.
If you're running any other services that require access from the internet, make sure to open the necessary ports using the ufw allow command.
Setting up Unbound Log via Rsyslog and Logrotate
To keep track of Unbound logs and manage log rotation, you can set up Rsyslog and Logrotate. Rsyslog will create a specific log file for Unbound, and Logrotate will rotate the log file on a daily basis. Start by creating a new Rsyslog configuration file using the following command:
sudo nano /etc/rsyslog.d/unbound.conf
Add the following lines to the file:
# Log messages generated by unbound application
if $programname == 'unbound' then /var/log/unbound.log
& stop
Save and exit the file. Next, create the Logrotate configuration file using the following command:
sudo nano /etc/logrotate.d/unbound
Add the following lines to the file:
/var/log/unbound.log {
daily
rotate 7
missingok
create 0640 root adm
postrotate
/usr/lib/rsyslog/rsyslog-rotate
endscript
}
Save and exit the file. Now, restart the Rsyslog and Logrotate services using the following commands:
sudo systemctl restart rsyslog logrotate
Setting up DNS Resolver on Client
To use your Unbound DNS resolver on client machines, you need to configure the DNS resolver settings. The process differs slightly between Ubuntu Desktop and Ubuntu Server.
For Ubuntu Desktop
Ubuntu Desktop uses NetworkManager to handle networking. You can set up the DNS resolver using the nmcli command-line tool or the NetworkManager GUI.
To set up the DNS resolver via the command line, use the following command:
sudo nmcli connection modify eth0 ipv4.dns "192.168.5.100"
Replace eth0 with the name of your NetworkManager connection (as listed by nmcli connection show, which may differ from the interface name) and 192.168.5.100 with the IP address of your Unbound DNS server, then bring the connection up again for the change to take effect.
If you prefer using the NetworkManager GUI, open the NetworkManager application, edit the interface you want to modify, go to the ‘IPv4 Settings’ tab, and enter your local DNS server IP address. Save the changes.
For Generic Ubuntu Server
On a generic Ubuntu Server, networking is handled by netplan and systemd-networkd. The DNS resolver configuration is managed by systemd-resolved. To set up the DNS resolver, open the systemd-resolved configuration file:
sudo nano /etc/systemd/resolved.conf
Uncomment the DNS parameter and specify the IP address of your local DNS server:
[Resolve]
DNS=192.168.5.100
Save and exit the file. Restart the systemd-resolved service to apply the changes:
sudo systemctl restart systemd-resolved
Verify the status of the DNS resolver using the following command:
sudo resolvectl status
If successful, you should see the Unbound DNS server IP address as the default resolver.
Testing Unbound DNS Server
To ensure that your Unbound DNS server is working correctly, run a few queries with the dig command from a client configured as above (or add @192.168.5.100 to target the server explicitly). Start by querying an external domain name, for example 'google.com':
dig google.com
If the command returns DNS records for the domain, it means your Unbound DNS server is successfully resolving external domain names.
Next, you can verify the local domain and sub-domains you configured earlier. For example, run the following command to query the sub-domain ‘firewall.home.lan’:
dig firewall.home.lan +short
If the command returns the correct IP address associated with the sub-domain, it means your Unbound DNS server is successfully resolving local domain names.
You can also check reverse DNS (PTR) records by querying the IP address associated with a sub-domain. For example, run the following command to query the IP address ‘10.0.0.1’:
dig -x 10.0.0.1 +short
If the command returns the correct domain name associated with the IP address, it means your Unbound DNS server is successfully resolving reverse DNS records.
To test DNS-over-TLS (DoT), you can use the tcpdump command to monitor the traffic. Install the tcpdump package on your Unbound server using the following command:
sudo apt install tcpdump
Once installed, run the following tcpdump command to capture traffic on the interface eth0 on the DoT port 853:
sudo tcpdump -vv -x -X -s 1500 -i eth0 'port 853'
Move to the client machine and perform DNS queries using the dig command. For example:
dig google.com
If the tcpdump output shows traffic between your server and the Quad9 forwarders on port 853, and no plain DNS leaving the server on port 53, your Unbound DNS server is using DNS-over-TLS.
Conclusion
By following this guide, you have successfully installed and configured Unbound as a local DNS resolver on your Ubuntu 22.04 server. You have learned how to customize the Unbound configuration file, enable DNS cache, enhance privacy and security, optimize Unbound performance, and set up DNS resolver on client machines. Unbound provides reliable and efficient DNS resolution while prioritizing privacy and security. With your local DNS resolver in place, you can enjoy faster and more secure network communication.
For reliable and scalable cloud hosting solutions, consider Shape.host’s Cloud VPS services. With Shape.host, you can enjoy high-performance virtual private servers with flexible resource allocation and robust security features. Visit Shape.host to learn more about their services.
Remember to regularly update and maintain your Unbound DNS server to ensure optimal performance and security.