Unbound – Your own DNS Server

If you have your own server to protect your privacy or to give you full control and ownership of your data and traffic, you probably already have your own DNS server. If not, this article is a must!


A DNS server plays a key role on the internet. For those unfamiliar with the service: a website is hosted on a specific IP address (static or dynamic) and, in short, a DNS server is needed to translate the hostname in a URL to the corresponding IP. For example, the DNS server makes sure that when you type google.co.uk, you are sent to the correct IP (173.194.72.94).

Most ISPs run their own DNS servers, and even Google provides two DNS servers for “free” (8.8.8.8 and 8.8.4.4).

The ISP's interest is mainly to speed up access to web pages for its customers by having a robust DNS server within its own infrastructure, or actually to slow down some bandwidth-hungry websites (like YouTube or Netflix).

For Google, it is probably to better track which websites you visit and sell highly targeted advertising. (rough guess xD)

And in some cases (probably too often, IMO), governments may even force your ISP to modify its DNS servers to block the connection to a website (like blocking ThePirateBay, etc.).

So, as you can see, running your own DNS server is a critical step to take if you want more control over your traffic and data.

The most popular DNS server is surely BIND, but I personally find it too complicated to configure, and some OSes are starting to switch to other, less complicated solutions. This seems to be the case with FreeBSD 10, which recently moved to Unbound.


Unbound is an open-source (BSD licence), secure, validating, recursive and caching DNS server written in C. Most distributions ship Unbound binaries, which makes it very simple to install, and it has been written with a strong security focus. It supports IPv6, DNSSEC, a client resolver library API, and more. It also runs on many OSes, such as Windows, Linux, the BSDs and macOS.

For me, the main advantages of having my own DNS server are:

– Faster response times within my local network when accessing my server (no need to go through an external DNS server that may pass through several intermediaries)

– Better internet neutrality (I won't suffer my ISP's censorship, and I further protect my privacy)

– And although this may go against net neutrality, I can block most Google/Yahoo/etc. ads by blocking the IPs/subdomains serving them. (Well, at least I'm free to do so.)

So here we go.

Installation

Unbound comes with the majority of Linux distributions, so the installation is straightforward, and I'll share my configuration file, which should work out of the box for you.


1) Install Unbound

As root (or with sudo), run:

apt-get update
apt-get install unbound

2) Download the list of root DNS servers

You will need to download the official named.cache file from InterNIC (the Internet's Network Information Center), which contains the information on the root name servers needed to initialise the cache of your DNS server.

Still as root, run:

wget ftp://FTP.INTERNIC.NET/domain/named.cache -O /var/lib/unbound/root.hints

3) Configure Unbound

Here is the config file I'm using; feel free to take it as it is. I've added comments to explain the important settings.

nano /etc/unbound/unbound.conf

You can remove everything (CTRL+K, for example) and paste:

# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
server:
    # Use the root servers' key for DNSSEC (trust anchor kept up to date automatically)
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Enable logs (0 = errors only, 1 = operational information)
    verbosity: 1
    # Respond to DNS requests on all interfaces
    interface: 0.0.0.0
    # DNS request port, IP version and transport
    port: 53
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes

    # Authorized IPs to access the DNS server.
    # Unbound refuses every client except localhost by default, so your LAN
    # range has to be allowed here (adapt it to your own subnet). Never allow
    # 0.0.0.0/0 on a server reachable from the internet: that is an open resolver.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    # To allow a single host instead of a whole range:
    #access-control: 192.168.1.26/32 allow

    # Root servers information (downloaded in step 2 from ftp://ftp.internic.net/domain/named.cache)
    root-hints: "/var/lib/unbound/root.hints"

    # Hide DNS server info (answers to id.server / version.server queries)
    hide-identity: yes
    hide-version: yes

    # Improve the security of your DNS server: ignore glue records that are
    # out of zone (cache poisoning) and treat answers whose DNSSEC signatures
    # were stripped as bogus instead of insecure
    harden-glue: yes
    harden-dnssec-stripped: yes

    # Randomise the letter case of outgoing query names (the "0x20" trick):
    # a spoofed reply must also match the random case to be accepted
    use-caps-for-id: yes

    # TTL min (seconds): records are cached at least this long, even if the
    # zone asks for a shorter TTL (faster, but record changes show up later)
    cache-min-ttl: 3600
    # TTL max (seconds)
    cache-max-ttl: 86400
    # Refresh popular records before they expire from the cache
    prefetch: yes

    # Number of threads to use
    num-threads: 2

    ### Tweaks and optimizations
    # Number of slabs to use (must be a power of 2; close to num-threads is good)
    msg-cache-slabs: 8
    rrset-cache-slabs: 8
    infra-cache-slabs: 8
    key-cache-slabs: 8
    # Cache and buffer size (in MB); rrset-cache-size should be about twice msg-cache-size
    rrset-cache-size: 51m
    msg-cache-size: 25m
    so-rcvbuf: 1m

    # DNS rebinding protection: answers coming from the internet that point
    # into this private range are dropped, so a public name can never be made
    # to resolve to a host on your LAN. The whole 192.168.0.0/16 block covers
    # the 192.168.1.0/24 network allowed above. Local-data entries (see below)
    # are answered directly and are not affected.
    private-address: 192.168.0.0/16

    # Flush the cache once this many unwanted (unsolicited) replies have been
    # seen, a sign of a DNS poisoning attempt (the man page suggests 10000000)
    unwanted-reply-threshold: 10000

    # "no" lets Unbound send queries to a resolver on localhost (for example a
    # local forwarder); the default "yes" forbids it and is fine for a normal
    # recursive setup
    do-not-query-localhost: no

    # Drop records from the additional section that DNSSEC could not validate
    val-clean-additional: yes

    ### Block popular advertising companies
    # "redirect" answers the zone name and every subdomain of it with the
    # local-data below, so ads are sent to localhost instead of the ad server
    local-zone: "doubleclick.net" redirect
    local-data: "doubleclick.net A 127.0.0.1"
    local-zone: "googlesyndication.com" redirect
    local-data: "googlesyndication.com A 127.0.0.1"
    local-zone: "googleadservices.com" redirect
    local-data: "googleadservices.com A 127.0.0.1"
    local-zone: "google-analytics.com" redirect
    local-data: "google-analytics.com A 127.0.0.1"
    local-zone: "ads.youtube.com" redirect
    local-data: "ads.youtube.com A 127.0.0.1"
    local-zone: "adserver.yahoo.com" redirect
    local-data: "adserver.yahoo.com A 127.0.0.1"

Save (CTRL+X) and restart the unbound service:

/etc/init.d/unbound restart

and you're good to go.
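The "block popular advertising companies" part of the config above grows quickly and is easy to break with a typo. The following script is an added example (not from the original post) that generates those local-zone/local-data pairs from a plain list of domains, rejects anything that is not a valid hostname before it reaches the config, and writes the result to a separate file that unbound.conf can pull in. The include path /etc/unbound/adblock.conf and the sample domain list are my own assumptions; the sink address defaults to 127.0.0.1 as in the post.

```shell
#!/bin/sh
# Added example, not part of the original post: generate the "block popular
# advertising companies" section of unbound.conf from a plain list of domains,
# so the list can live in its own file and be pulled in with an "include:"
# line. File paths and the sample domain list below are assumptions.

# Read one domain per line on stdin and print a local-zone/local-data pair for
# each valid one. $1 = sink address (defaults to 127.0.0.1, as in the post).
gen_adblock_zones() {
    sink="${1:-127.0.0.1}"
    while IFS= read -r domain; do
        # skip blank lines and comments
        case "$domain" in ''|\#*) continue ;; esac
        # lower-case, then reject anything that is not a plain hostname:
        # a stray quote, ';' or space would otherwise be written into the
        # config and make unbound-checkconf (and the restart) fail
        domain=$(printf '%s' "$domain" | tr 'A-Z' 'a-z')
        if ! printf '%s\n' "$domain" | grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$'; then
            printf 'skipping invalid entry: %s\n' "$domain" >&2
            continue
        fi
        printf 'local-zone: "%s" redirect\n' "$domain"
        printf 'local-data: "%s A %s"\n' "$domain" "$sink"
    done
}

# Write the generated zones to a file. unbound.conf then needs, under
# "server:", the line:  include: "/etc/unbound/adblock.conf"  (assumed path)
# $1 = output file, $2 = optional sink address
write_adblock_include() {
    out="${1:-/etc/unbound/adblock.conf}"
    {
        echo "# generated by gen_adblock_zones, do not edit by hand"
        gen_adblock_zones "$2"
    } > "$out"
}

# Constructed sample list: mixed case, a comment line and a malformed entry.
SAMPLE_DOMAINS='doubleclick.net
googlesyndication.com
Ads.Youtube.COM
# adserver.yahoo.com stays in the main config
not a domain;'

# Usage (as root):
#   printf '%s\n' "$SAMPLE_DOMAINS" | write_adblock_include /etc/unbound/adblock.conf
#   unbound-checkconf && /etc/init.d/unbound restart
```

Run unbound-checkconf before every restart: it parses the whole configuration, included files too, and reports the offending line instead of leaving you with a dead resolver. The malformed sample entry is reported on stderr and skipped rather than written out, which is the behaviour you want when the list comes from an external source.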


4) Configure your client machines to use your local DNS server directly

Now that you have a working DNS server, you need to tell all your devices to use it. This obviously depends on the OS of each device, but it is usually straightforward. Note that you will probably have to restart your clients.

In my case, I added my DNS server directly in my router, to make sure all my devices use it!

If you want to make sure your Linux system is using your DNS server, you can check which DNS server is in use with the following command:

cat /etc/resolv.conf


Note that the first connection to a website may be slower, but it will drastically improve afterwards, thanks to your local cache.
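Looking at /etc/resolv.conf only tells you which server the client was pointed at, not whether that server behaves as configured. The script below is an added example (not from the original post) of the three checks worth running from a client once step 4 is done: the resolver in use really validates DNSSEC (dig shows the "ad" flag), a zone with deliberately broken signatures is rejected with SERVFAIL, and a blocked ad domain resolves to the sink address from the config. The parsing helpers work on text, so they are exercised on constructed dig output and a constructed resolv.conf; live_checks needs dig and a reachable server. The server address 192.168.1.10 in the sample and the use of the public test zone dnssec-failed.org are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: checks to run from a client
# after step 4. The parsing helpers work on plain text and are exercised below
# on constructed samples; live_checks calls dig and only does something useful
# on a machine that has dig installed and can reach the resolver.

# Print the first "nameserver" entry of a resolv.conf read on stdin.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }'
}

# Extract the status (NOERROR, SERVFAIL, NXDOMAIN, ...) from a dig header line.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p'
}

# Return 0 when a dig flags line carries "ad" (authenticated data), i.e. the
# resolver itself validated the answer with DNSSEC. A resolver that does not
# validate never sets this flag, whatever the zone's signatures look like.
has_ad_flag() {
    printf '%s\n' "$1" | grep -Eq '^;; flags:.*[[:space:]]ad(;|[[:space:]])'
}

# Constructed samples: a resolv.conf pointing at the local server (assumed
# address), and the header lines dig prints for a validated, an unvalidated
# and a bogus answer.
SAMPLE_RESOLV='search lan
nameserver 192.168.1.10
nameserver 8.8.8.8'
SAMPLE_OK_FLAGS=';; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_NOAD_FLAGS=';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS_HDR=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242'

# Live checks against the resolver from /etc/resolv.conf (or the one given as
# $1): a signed domain must come back with "ad", the deliberately broken test
# zone dnssec-failed.org must be answered with SERVFAIL, and a blocked ad
# domain must resolve to the sink address used in the config.
live_checks() {
    server="${1:-$(first_nameserver < /etc/resolv.conf)}"
    command -v dig >/dev/null 2>&1 || { echo "dig is not installed"; return 2; }
    echo "resolver: $server"
    flags=$(dig @"$server" +dnssec internic.net A | grep '^;; flags:')
    has_ad_flag "$flags" && echo "DNSSEC validation: OK" || echo "DNSSEC validation: no ad flag"
    hdr=$(dig @"$server" dnssec-failed.org A | grep '^;; ->>HEADER<<-')
    [ "$(dig_status "$hdr")" = SERVFAIL ] && echo "bogus zone rejected: OK" || echo "bogus zone NOT rejected"
    ans=$(dig @"$server" +short doubleclick.net A)
    [ "$ans" = 127.0.0.1 ] && echo "ad block: OK" || echo "ad block: got '$ans'"
}

# Usage on a client:  live_checks            (uses /etc/resolv.conf)
#                     live_checks 192.168.1.10
```

If the "ad" flag is missing but dnssec-failed.org still returns SERVFAIL, the server validates but the client is probably talking to another resolver in between (a router or a stub resolver); if both checks fail, the auto-trust-anchor-file line or the root.hints download from step 2 is the first thing to look at in the Unbound logs.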


If you want to know more about Unbound, I suggest you check this link (EN) and that one too (FR), which helped me write my own article.

Loves to discover web-based apps to install on his own server@home and write articles about it
