In today’s digital landscape, the Domain Name System (DNS) is essential for translating human-readable domain names into IP addresses that computers use. While most people rely on their Internet Service Provider’s (ISP) DNS resolver, there are compelling reasons to set up your own DNS resolver. This guide will walk you through the process of configuring Unbound, a lightweight, secure, and efficient recursive DNS resolver, on Ubuntu 22.04 LTS.
What is a DNS Resolver?
Before diving into the setup, it’s essential to understand what a DNS resolver is. A DNS resolver, also known as a recursive DNS server or DNS recursor, is a service that resolves domain names into their corresponding IP addresses.
Key Points:
- Public DNS resolvers like 8.8.8.8 (Google DNS) and 1.1.1.1 (Cloudflare DNS) are examples of DNS resolvers that handle DNS queries for clients.
- The stub resolver, often used by your computer or router, is a DNS resolver that forwards queries to a recursive resolver for resolution.
DNS Resolution Process:
A DNS resolver performs the task of recursively querying various DNS servers until it finds the correct IP address for a domain. The resolver essentially acts as a middleman between the client (your device) and authoritative DNS servers.
Why Set Up Your Own DNS Resolver?
Running your own DNS resolver offers several benefits, making it a worthwhile setup for your home lab:
1. Faster DNS Lookups:
- By running a local DNS resolver, results are cached, improving response times for repeated queries.
- Latency is minimized since the resolver is local to your network, reducing the delay between your device and the DNS resolver.
2. Enhanced Privacy:
- Using your own resolver ensures third-party services don’t log your browsing activity.
- This eliminates the potential privacy concerns associated with relying on ISP-managed DNS servers.
3. Reduced Dependency on ISPs:
- By operating your own resolver, you are no longer dependent on your ISP’s DNS servers, which may not always be as fast or reliable.
4. Better Control:
- Running a personal DNS resolver gives you more control, especially if you run a mail server or other network services.
- You can integrate DNS blacklists to block unwanted traffic, such as spam or malware.
5. Security Benefits:
- Unbound supports DNSSEC (DNS Security Extensions), which helps protect against DNS cache poisoning by ensuring the authenticity of DNS responses.
What is Unbound?
Unbound is a fast, secure, and open-source DNS resolver designed for simplicity and performance. Unlike authoritative DNS servers, which provide answers for specific domains, Unbound is a recursive resolver that queries multiple DNS servers to resolve a domain.
Key Features of Unbound:
- Lightweight and Fast:
- Unbound is more memory-efficient than traditional DNS software like BIND9, offering faster resolution.
- DNSSEC Validation:
- Unbound supports DNSSEC, which validates DNS responses to prevent manipulation or tampering.
- Encrypted DNS (DoT & DoH) Support:
- Unbound supports both DNS over TLS (DoT) and DNS over HTTPS (DoH), ensuring encrypted queries for enhanced security and privacy.
- Prefetching and Caching:
- Unbound caches DNS queries and prefetches soon-to-expire records to improve performance and minimize lookup delays.
- Privacy-Focused:
- Implements query name minimization, which reduces the amount of identifying information sent to upstream DNS servers, offering an added layer of privacy.
Now, let’s get into the step-by-step guide on setting up Unbound on Ubuntu.
Step 1: Install Unbound DNS Resolver on Ubuntu
First, you need to install Unbound on your Ubuntu 22.04 or 20.04 server.
- Update Your Package List: Open a terminal and run the following commands to update your package list:
sudo apt update- Install Unbound: Next, install the Unbound package from the default Ubuntu repositories:
sudo apt install unbound- Check the Version: Verify that Unbound has been successfully installed by checking the version:
unbound -V - This will display the version of Unbound installed on your system.
- Start Unbound Service: By default, Unbound starts automatically after installation. If for any reason it isn’t running, start it manually:
sudo systemctl start unbound- Enable Unbound to Start on Boot: To ensure Unbound starts automatically after a reboot, use the following command:
sudo systemctl enable unbound- Check Unbound’s Status: Confirm that the service is running:
systemctl status unbound- If there’s another service listening on UDP port 53 (the default DNS port), Unbound may fail to start. To find out what service is using port 53, run:
sudo ss -lnptu | grep 53 - If another service like BIND9 is using the port, stop it:
sudo systemctl stop bind9
sudo systemctl disable bind9Step 2: Configure Unbound
Unbound’s main configuration file is located at /etc/unbound/unbound.conf. You’ll need to configure it for optimal performance.
- Edit the Configuration File: Open the configuration file using a text editor like Nano:
sudo nano /etc/unbound/unbound.conf- Add Custom Configuration: Below is a minimal configuration that you can add to the file to enhance Unbound’s functionality. Add this under the
serversection:
server:
# Set the working directory.
directory: "/etc/unbound"
# Run as the unbound user.
username: unbound
# Verbosity level for logging.
verbosity: 2
# Listen on all interfaces and answer queries from local subnet.
interface: 0.0.0.0
interface: ::0
# Prefetching of DNS cache entries.
prefetch: yes
# Allow DNS queries from local network range.
access-control: 10.0.0.0/8 allow
access-control: 127.0.0.1/24 allow
access-control: 2001:DB8::/64 allow
# Hide server identity and version.
hide-identity: yes
hide-version: yes
remote-control:
# Disable remote control.
control-enable: no
control-interface: 127.0.0.1
control-port: 8953- Disable systemd-resolved: By default, Ubuntu uses systemd-resolved for DNS resolution. You need to disable it so that Unbound can listen on port 53:
sudo systemctl disable systemd-resolved --now- Restart Unbound: After saving the configuration, restart Unbound for the changes to take effect:
sudo systemctl restart unbound- Check Unbound’s Status Again: Confirm that Unbound is running:
systemctl status unboundStep 3: Set Unbound as the Default DNS Resolver
For Ubuntu to use Unbound as the default DNS resolver, you must configure it to point to 127.0.0.1, which is the local address for the Unbound server.
- Create a Custom Service for
resolvconf: Create a service to ensureresolvconfuses Unbound:
sudo nano /etc/systemd/system/unbound-resolvconf.service- Add the following content:
[Unit]
Description=local unbound via resolvconf
After=unbound.service
ConditionFileIsExecutable=/sbin/resolvconf
[Service] Type=oneshot RemainAfterExit=yes
ExecStart=/bin/sh -c 'echo nameserver 127.0.0.1 | /sbin/resolvconf -a lo.unbound'
ExecStop=/sbin/resolvconf -d lo.unbound
[Install] WantedBy=unbound.service- Reload systemd: Reload systemd to register the new service:
sudo systemctl daemon-reload- Install
resolvconf: Ifresolvconfis not installed on your system, install it:
sudo apt install openresolv- Restart the
unbound-resolvconfService: Restart the service:
sudo systemctl restart unbound-resolvconf.service- Verify the DNS Resolver: Check the contents of
/etc/resolv.confto verify that127.0.0.1is now listed as the DNS server:
cat /etc/resolv.confStep 4: Additional Configuration
Disabling / Enable IPv6 (Optional)
If your server doesn’t use IPv6, it’s a good idea to disable it to save resources and prevent unnecessary lookups. To do this, add the following line to your unbound.conf file:
do-ip6: noEnabling DNSSEC
DNSSEC is enabled by default on Ubuntu, ensuring that DNS queries are authenticated. You can test it by running a query using the dig tool:
dig A google.comIf DNSSEC is working, the response will include
something like ad (Authenticated Data) in the flags section.
Step 5: Testing and Troubleshooting
- Test DNS Resolution: You can use
digornslookupto test your Unbound server:
dig @127.0.0.1 example.com- Check Unbound Logs: If you encounter issues, check Unbound’s logs for troubleshooting:
sudo journalctl -u unbound - Verify DNSSEC: Use
digto verify DNSSEC support by querying a domain that uses DNSSEC:
dig +dnssec +short example.comConclusion
By following these steps, you’ve successfully set up Unbound as a recursive DNS resolver on your Ubuntu server. This setup offers faster, more secure, and private DNS resolution, ensuring both performance and protection for your network. You can always tweak Unbound’s settings to further fine-tune your resolver based on specific requirements.
Leave a Reply