Unbound¶

Einleitung¶

Unser Hosting System wird folgende Dienste umfassen.

Unbound 1.16.1 (DNScrypt, DNS over TLS)

Voraussetzungen¶

Zu den Voraussetzungen für dieses HowTo siehe bitte: Hosting System

Installation¶

Wir installieren dns/unbound und dessen Abhängigkeiten.

Bash

mkdir -p /var/db/ports/devel_libevent
cat > /var/db/ports/devel_libevent/options << "EOF"
_OPTIONS_READ=libevent-2.1.12
_FILE_COMPLETE_OPTIONS_LIST=OPENSSL THREADS
OPTIONS_FILE_SET+=OPENSSL
OPTIONS_FILE_SET+=THREADS
"EOF"

mkdir -p /var/db/ports/dns_unbound
cat > /var/db/ports/dns_unbound/options << "EOF"
_OPTIONS_READ=unbound-1.16.1
_FILE_COMPLETE_OPTIONS_LIST=DEP-RSA1024 DNSCRYPT DNSTAP DOCS DOH ECDSA EVAPI FILTER_AAAA GOST HIREDIS LIBEVENT MUNIN_PLUGIN PYTHON SUBNET TFOCL TFOSE THREADS
OPTIONS_FILE_UNSET+=DEP-RSA1024
OPTIONS_FILE_SET+=DNSCRYPT
OPTIONS_FILE_UNSET+=DNSTAP
OPTIONS_FILE_SET+=DOCS
OPTIONS_FILE_SET+=DOH
OPTIONS_FILE_SET+=ECDSA
OPTIONS_FILE_UNSET+=EVAPI
OPTIONS_FILE_UNSET+=FILTER_AAAA
OPTIONS_FILE_SET+=GOST
OPTIONS_FILE_UNSET+=HIREDIS
OPTIONS_FILE_SET+=LIBEVENT
OPTIONS_FILE_UNSET+=MUNIN_PLUGIN
OPTIONS_FILE_UNSET+=PYTHON
OPTIONS_FILE_UNSET+=SUBNET
OPTIONS_FILE_UNSET+=TFOCL
OPTIONS_FILE_UNSET+=TFOSE
OPTIONS_FILE_SET+=THREADS
"EOF"


cd /usr/ports/dns/unbound
make all install clean-depends clean


sysrc unbound_enable=YES

Konfiguration¶

Wir konfigurieren Unbound:

Bash

cat > /usr/local/etc/unbound/unbound.conf << "EOF"
server:
  verbosity: 1
  num-threads: 4
  interface: 127.0.0.1
  interface: ::1
  port: 53
  access-control: 0.0.0.0/0 refuse
  access-control: 127.0.0.0/8 allow
  access-control: ::0/0 refuse
  access-control: ::1 allow
  access-control: ::ffff:127.0.0.1 allow
  access-control: 10.0.0.0/8 allow
  access-control: 172.16.0.0/12 allow
  access-control: 192.168.0.0/16 allow
  access-control: 169.254.0.0/16 allow
  access-control: fd00::/8 allow
  access-control: fe80::/10 allow
  access-control: ::ffff:0:0/96 allow
  do-ip4: yes
  do-ip6: yes
  do-udp: yes
  do-tcp: yes
  logfile: "/usr/local/etc/unbound/unbound.log"
  root-hints: "/usr/local/etc/unbound/root.hints"
  auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
  tls-cert-bundle: "/usr/local/share/certs/ca-root-nss.crt"
  aggressive-nsec: yes
  cache-max-ttl: 14400
  cache-min-ttl: 1200
  so-rcvbuf: 4m
  so-sndbuf: 4m
  msg-cache-size: 128m
  msg-cache-slabs: 8
  num-queries-per-thread: 4096
  outgoing-range: 8192
  rrset-cache-size: 256m
  rrset-cache-slabs: 8
  infra-cache-slabs: 8
  key-cache-slabs: 8
  hide-identity: yes
  hide-version: yes
  prefetch: yes
  serve-expired: yes
  serve-expired-ttl: 86400
  serve-expired-client-timeout: 1800
  rrset-roundrobin: yes
  so-reuseport: yes
  use-caps-for-id: yes
  harden-short-bufsize: yes
  harden-large-queries: yes
  harden-glue: yes
  harden-dnssec-stripped: yes
  harden-below-nxdomain: yes
  harden-referral-path: yes
  harden-algo-downgrade: yes
  qname-minimisation: yes
  private-address: 10.0.0.0/8
  private-address: 172.16.0.0/12
  private-address: 192.168.0.0/16
  private-address: 169.254.0.0/16
  private-address: fd00::/8
  private-address: fe80::/10
  private-address: ::ffff:0:0/96
  private-domain: "rootservice.lan"
  unwanted-reply-threshold: 10000
  do-not-query-localhost: no
  minimal-responses: yes
  val-clean-additional: yes
  local-zone: "localhost." static
  local-data: "localhost. 10800 IN NS localhost."
  local-data: "localhost. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
  local-data: "localhost. 10800 IN A 127.0.0.1"
  local-zone: "127.in-addr.arpa." static
  local-data: "127.in-addr.arpa. 10800 IN NS localhost."
  local-data: "127.in-addr.arpa. 10800 IN SOA localhost. nobody.invalid. 2 3600 1200 604800 10800"
  local-data: "1.0.0.127.in-addr.arpa. 10800 IN PTR localhost."

forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 1.0.0.1@853#one.one.one.one
  forward-addr: 8.8.4.4@853#dns.google
  forward-addr: 149.112.112.112@853#dns.quad9.net
  forward-addr: 1.1.1.1@853#one.one.one.one
  forward-addr: 8.8.8.8@853#dns.google
  forward-addr: 9.9.9.9@853#dns.quad9.net

#forward-zone:
#  name: "."
#  forward-addr: 1.0.0.1@53#one.one.one.one
#  forward-addr: 8.8.4.4@53#dns.google
#  forward-addr: 149.112.112.112@53#dns.quad9.net
#  forward-addr: 1.1.1.1@53#one.one.one.one
#  forward-addr: 8.8.8.8@53#dns.google
#  forward-addr: 9.9.9.9@53#dns.quad9.net

remote-control:
  control-enable: yes
  control-interface: 127.0.0.1
  control-interface: ::1
  control-port: 8953
  server-key-file: "/usr/local/etc/unbound/unbound_server.key"
  server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"
  control-key-file: "/usr/local/etc/unbound/unbound_control.key"
  control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"
"EOF"


fetch -o /usr/local/etc/unbound/root.hints https://www.internic.net/domain/named.root
chown unbound /usr/local/etc/unbound/root.hints


sudo -u unbound unbound-anchor -a "/usr/local/etc/unbound/root.key"


sudo -u unbound unbound-control-setup


cat > /etc/resolv.conf << "EOF"
nameserver 127.0.0.1
options edns0 ndots:1 timeout:0.3 attempts:1 rotate
"EOF"

cat > /etc/resolvconf.conf << "EOF"
resolvconf=NO
"EOF"

resolvconf -u

Abschluss¶

Unbound kann nun gestartet werden.

Bash

service local_unbound stop
sysrc -x local_unbound_enable

service unbound start

Author: Markus Kohlmeyer

Last updated: 2022-08-05

License: CC BY-NC-SA 4.0