If you have your own server to protect your privacy or to give you full control and ownership of your data and traffic, you probably already have your own DNS Server... if not, this article is a must!
DNS Servers play a key role on the internet. For those unfamiliar with the service: a website is hosted on a specific IP (static or dynamic) and, in short, a DNS Server is needed to resolve a URL to the corresponding IP. For example, the DNS Server makes sure that when you type google.co.uk, you are sent to the correct IP (220.127.116.11).
Most ISPs have their own DNS Server, and even Google provides two DNS Servers for "free" (18.104.22.168 and 22.214.171.124).
For the ISP, the interest is mainly to speed up access to web pages for their customers by having a robust DNS Server within their own infrastructure, or sometimes to slow down some bandwidth-hungry websites (like YouTube or Netflix).
For Google, it is probably to better track which websites you visit and sell highly targeted advertising. (rough guess xD)
And in some cases (probably too often, IMO), governments might even force your ISP to modify their DNS Server to block connections to a website (like blocking ThePirateBay, etc.).
So, as you can understand, having your own DNS Server is a critical step if you want more control over your traffic and data.
The most popular DNS Server is surely BIND, but I personally find it too complicated to configure, and some OSes are starting to switch to other, less complicated solutions. This seems to be the case with FreeBSD 10, which recently moved to Unbound.
Unbound is an open-source (BSD license), secure, validating, recursive and caching DNS server written in C. Most distributions ship Unbound binaries, which makes it very simple to install, and it has been written with a strong focus on security. It supports IPv6, DNSSEC, a client resolver library API, and much more. It also runs on many OSes such as Windows, Linux, the BSDs and MacOS.
For me, the main advantages of having my own DNS Server are:
- Faster response times within my local network when accessing my server (no need to use an external DNS Server that may go through several intermediaries)
- Better internet neutrality (I won't suffer my ISP's censorship, and I further protect my privacy)
- And although this might go against net neutrality, I can block most Google/Yahoo/etc. ads by blocking the IPs/subdomains that serve them (well, at least I'm free to do it)
So here we go.
Unbound comes with the majority of Linux distributions, so the installation is straightforward, and I'll share my configuration file, which should work out of the box for you.
1) Install Unbound
In root (Or with sudo), run:
apt-get update
apt-get install unbound
2) Download the list of Root DNS Server
You will need to download the official named.cache file from InterNIC (the Internet's Network Information Center), which contains the information on the root name servers needed to initialize the cache of your DNS Server.
Still in root, run:
wget ftp://FTP.INTERNIC.NET/domain/named.cache -O /var/lib/unbound/root.hints
3) Configure Unbound
Here is the config file I'm using; feel free to take it as it is. I've added comments to explain some important settings.
Open the Unbound configuration file (/etc/unbound/unbound.conf on Debian), remove everything (in nano, CTRL+K cuts a line) and paste:
# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
server:
    # Use the root servers key for DNSSEC
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Enable logs
    verbosity: 1
    # Respond to DNS requests on all interfaces
    interface: 0.0.0.0
    # DNS request port, IP and protocol
    port: 53
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes
    # Authorized IPs to access the DNS Server. Unbound refuses every client
    # except localhost unless it is explicitly allowed here, so list your
    # LAN subnet (adapt 192.168.1.0/24 to your own network).
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    # To allow a single host instead of a whole subnet:
    #access-control: 192.168.1.26/32 allow
    # Root servers information (To download here: ftp://ftp.internic.net/domain/named.cache)
    root-hints: "/var/lib/unbound/root.hints"
    # Hide DNS Server info
    hide-identity: yes
    hide-version: yes
    # Improve the security of your DNS Server (Limit DNS Fraud and use DNSSEC)
    harden-glue: yes
    harden-dnssec-stripped: yes
    # Randomize the case of outgoing query names (0x20 encoding) so forged replies are harder to match
    use-caps-for-id: yes
    # TTL Min (Seconds)
    cache-min-ttl: 3600
    # TTL Max (Seconds)
    cache-max-ttl: 86400
    # Enable the prefetch
    prefetch: yes
    # Number of maximum threads to use
    num-threads: 2
    ### Tweaks and optimizations
    # Number of slabs to use (Must be a multiple of num-threads value)
    msg-cache-slabs: 8
    rrset-cache-slabs: 8
    infra-cache-slabs: 8
    key-cache-slabs: 8
    # Cache and buffer size (in mb)
    rrset-cache-size: 51m
    msg-cache-size: 25m
    so-rcvbuf: 1m
    # Private address range: strip these addresses from answers received from
    # public servers (protection against DNS rebinding)
    private-address: 192.168.0.1/24
    # Add an unwanted reply threshold to clean the cache and avoid when possible a DNS Poisoning
    unwanted-reply-threshold: 10000
    # Allow Unbound to send queries to localhost (e.g. a local forwarder)
    do-not-query-localhost: no
    # Remove unvalidated records from the additional section of DNSSEC answers
    val-clean-additional: yes
    ### Block popular advertising companies
    local-zone: "doubleclick.net" redirect
    local-data: "doubleclick.net A 127.0.0.1"
    local-zone: "googlesyndication.com" redirect
    local-data: "googlesyndication.com A 127.0.0.1"
    local-zone: "googleadservices.com" redirect
    local-data: "googleadservices.com A 127.0.0.1"
    local-zone: "google-analytics.com" redirect
    local-data: "google-analytics.com A 127.0.0.1"
    local-zone: "ads.youtube.com" redirect
    local-data: "ads.youtube.com A 127.0.0.1"
    local-zone: "adserver.yahoo.com" redirect
    local-data: "adserver.yahoo.com A 127.0.0.1"
Save (CTRL+X), restart your unbound service, and you're good to go.
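The settings in this file interact in ways that are easy to get wrong: Unbound refuses every client except localhost unless an access-control allow rule lists your subnet, while an allow rule for 0.0.0.0/0 turns the machine into an open resolver that anyone on the internet can abuse for DNS amplification. The script below is an added example, not part of the original post and not an Unbound project tool: it parses an unbound.conf and reports the security-relevant settings discussed above. The embedded sample configurations are constructed excerpts of the file above, and the finding codes (lan-refused, open-resolver, dnssec, ...) are names chosen here.

```python
"""Audit an unbound.conf for the settings the configuration above relies on (added example)."""
import sys
from ipaddress import ip_address, ip_network

LOOPBACK = (ip_network("127.0.0.0/8"), ip_network("::1/128"))
MUST_BE_YES = ("hide-identity", "hide-version", "harden-glue",
               "harden-dnssec-stripped", "use-caps-for-id")
SLAB_KEYS = ("msg-cache-slabs", "rrset-cache-slabs", "infra-cache-slabs", "key-cache-slabs")


def parse_unbound_conf(text):
    """Return [(key, value)] for every `key: value` line; comments and the
    `server:` section header (which carries no value) are skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        value = value.strip().strip('"')
        if value:
            pairs.append((key.strip(), value))
    return pairs


def is_exposed(interface):
    """True when the listener is reachable from other hosts (not a loopback address)."""
    addr = interface.split("@", 1)[0]  # unbound allows interface: 1.2.3.4@5353
    try:
        return not ip_address(addr).is_loopback
    except ValueError:
        return True  # unparsable value: assume it is reachable


def audit(text):
    """Return a list of findings, each prefixed with a short code."""
    pairs = parse_unbound_conf(text)

    def values(key):
        return [v for k, v in pairs if k == key]

    findings = []
    allowed = []
    for rule in values("access-control"):
        parts = rule.split()
        if len(parts) == 2 and parts[1] in ("allow", "allow_snoop"):
            allowed.append(ip_network(parts[0], strict=False))
    # allow rules that cover something other than localhost
    lan_allowed = [n for n in allowed
                   if not any(n.version == lb.version and n.subnet_of(lb) for lb in LOOPBACK)]
    if any(is_exposed(v) for v in values("interface")) and not lan_allowed:
        findings.append("lan-refused: listening on a reachable interface but only localhost is "
                        "allowed; Unbound REFUSES every other client by default, add your LAN subnet")
    if any(n.prefixlen == 0 for n in allowed):
        findings.append("open-resolver: access-control allows the whole internet; "
                        "the server can be abused for DNS amplification")
    if not values("auto-trust-anchor-file") and not values("trust-anchor-file"):
        findings.append("dnssec: no trust anchor configured, so answers are never validated")
    for key in MUST_BE_YES:
        if values(key) != ["yes"]:
            findings.append(f"{key}: not enabled")
    threads = int(values("num-threads")[0]) if values("num-threads") else 1
    for key in SLAB_KEYS:
        for v in values(key):
            if int(v) % threads:
                findings.append(f"{key}: {v} is not a multiple of num-threads ({threads})")
    return findings


# Constructed excerpt of the configuration above, with the access-control
# lines commented out (the state in which a LAN client would get REFUSED).
AS_POSTED = """\
server:
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    interface: 0.0.0.0
    port: 53
    #access-control: 127.0.0.0/8 allow
    #access-control: 192.168.1.0/24 allow
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: yes
    num-threads: 2
    msg-cache-slabs: 8
    rrset-cache-slabs: 8
"""
# Same excerpt with the LAN explicitly allowed.
FIXED = AS_POSTED.replace("#access-control", "access-control")
# Constructed worst case: anyone on the internet may query the server.
OPEN = "server:\n    interface: 0.0.0.0\n    access-control: 0.0.0.0/0 allow\n"

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/unbound/unbound.conf"
    with open(path) as fh:
        for finding in audit(fh.read()) or ["no findings"]:
            print(finding)
```

Run it as `python3 audit_unbound.py /etc/unbound/unbound.conf` before restarting the service; it complements `unbound-checkconf`, Unbound's own tool, which only checks that the file is syntactically valid and says nothing about whether the access policy matches your intent.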
4) Configure your client machines to directly use your local DNS Server
Now that you have a working DNS Server, you need to tell all your equipment to use it. This obviously depends on the OS of each device, but it is usually straightforward. Note that you will probably have to restart your clients.
In my case, I've directly added my DNS Server into my router, to make sure all my equipment uses my own DNS Server!
If you want to make sure your Linux system is using your DNS Server, you can check which DNS Server you are using with the following command:
Note that you may have a slower experience the first time you connect to a website, but it will improve drastically afterwards, thanks to your local cache.
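To see what a client actually receives from the resolver, here is an added example (not from the original post) that builds a DNS query by hand, sends it over UDP to a resolver of your choice and decodes the reply. It shows two things a practitioner cares about when checking the setup above: the AD bit, which tells you the answer was DNSSEC-validated by the resolver, and the transaction-id check, which drops any reply that does not belong to the query you sent. The resolver address 192.168.1.10 in the usage block is a placeholder; SAMPLE_REPLY is constructed to look like the answer the configuration above returns for the blocked doubleclick.net zone.

```python
"""Send a DNS query to a resolver and decode the reply (added example)."""
import random
import socket
import struct

RECORD_TYPES = {1: "A", 5: "CNAME", 28: "AAAA"}


def build_query(name, qtype=1, txid=None):
    """Build a standard recursive query for `name` (A record by default)."""
    txid = random.randrange(65536) if txid is None else txid
    flags = 0x0100  # RD (recursion desired); QR, AA, TC clear
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # class IN


def read_name(msg, offset):
    """Decode a (possibly compressed) domain name; return (name, offset after it)."""
    labels, jumps, end = [], 0, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if end is None:
                end = offset + 2
            jumps += 1
            if jumps > 16:
                raise ValueError("compression pointer loop")
            offset = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(msg, expected_txid):
    """Decode the header and answer section; reject replies for another transaction id."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: reply is not for our query")
    offset = 12
    for _ in range(qdcount):
        _, offset = read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, _, ttl, rdlength = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1:
            value = ".".join(str(b) for b in rdata)
        elif rtype == 28:
            value = socket.inet_ntop(socket.AF_INET6, rdata)
        elif rtype == 5:
            value, _ = read_name(msg, offset - rdlength)
        else:
            value = rdata.hex()
        answers.append((name, RECORD_TYPES.get(rtype, str(rtype)), ttl, value))
    return {
        "rcode": flags & 0x000F,     # 0 = NOERROR, 3 = NXDOMAIN, 5 = REFUSED
        "ad": bool(flags & 0x0020),  # Authenticated Data: resolver validated DNSSEC
        "answers": answers,
    }


def query(resolver, name, qtype=1, timeout=3.0):
    """Send the query over UDP to `resolver` on port 53 and return the decoded reply."""
    txid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qtype, txid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_response(data, txid)


# Constructed sample reply, shaped like the server's answer for a blocked ad domain:
# txid 0x1234, flags QR|RD|RA|AD, one question, one answer doubleclick.net A 127.0.0.1 TTL 3600.
SAMPLE_REPLY = bytes.fromhex(
    "1234 81a0 0001 0001 0000 0000"           # header: id, flags, QD=1, AN=1, NS=0, AR=0
    "0b 646f75626c65636c69636b 03 6e6574 00"  # question name: doubleclick.net
    "0001 0001"                               # QTYPE A, QCLASS IN
    "c00c 0001 0001 00000e10 0004 7f000001"   # answer: name ptr, A, IN, TTL 3600, 127.0.0.1
)

if __name__ == "__main__":
    # 192.168.1.10 is a placeholder for your own Unbound server's address.
    print(query("192.168.1.10", "doubleclick.net"))
```

A REFUSED rcode (5) from a LAN client means the access-control lines in the configuration do not cover that client's address; an answer of 127.0.0.1 for one of the redirected zones confirms the ad-blocking local-data is in effect.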