hello friends! new(ish)!

Unbound: Difference between revisions

From InstallGentoo Wiki v2
Jump to navigation Jump to search
>Galactus
(→‎with DNSCrypt: - minor consideration in light of my recent additions to the DNSCrypt article)
>Galactus
m (→‎Sandboxing: - same as dnscrypt)
Line 102: Line 102:
It is possible to sandbox Unbound, and even recommended. You can also create an extra user/group to run it, with no privileges, and no home folder for an additional layer of protection.
It is possible to sandbox Unbound, and even recommended. You can also create an extra user/group to run it, with no privileges, and no home folder for an additional layer of protection.


To sandbox Unbound, simply install firejail, and edit your systemd/OpenRC scripts and adding the prefix 'firejail' before unbound. Firejail comes bundled with a profile for Unbound and many more, which you can analyse, and even edit, by issuing {{ic|vim /etc/firejail}}
To sandbox Unbound, simply install firejail, and edit your systemd/OpenRC scripts, adding the prefix 'firejail' before unbound. Firejail comes bundled with a profile for Unbound and many more, which you can analyse, and even edit, by issuing {{ic|vim /etc/firejail}}.


== Troubleshooting ==
== Troubleshooting ==

Revision as of 06:09, 5 March 2016

Unbound.png

Unbound is a validating, recursive, and caching DNS server. It is quite useful for enforcing DNSSEC and caching DNS queries. Best used in conjunction with DNSCrypt.

Installation

Unix-like

Install it from your distro's repository, or download it from here.

Windows

Windows children may download it from the official page.

What to expect

There are numerous advantages to having a DNS server like Unbound, most of which can be summed up in a few short sentences:

  • Enforces DNSSEC;
  • Reduces privacy exposure by caching DNS queries;
  • Consequentially, decreases DNS look up latency if the DNS query has already been cached;
  • Hardens DNS queries.

Configuration

This is how a proper unbound.conf file ought to look like: unbound.conf (do not copy paste this unless your CPU has 4 threads, you're using Linux, and you have libevent).

General

server:
        interface: 127.0.0.1
        # Using zero means to listen on _all_ interfaces, but unsupported on some systems
        # interface 0.0.0.0
        # interface ::0 #IPv6
        access-control: <YOUR ROUTER'S IP Range, for example 192.168.1.1>/16 allow
        access-control: ::1 allow #IPv6 localhost
        # Only use access-control if you want to stray away from the default, in which only the localhost is allowed, and the rest is refused
        verbosity: 1
        port: 53
        do-ip4: yes
        do-ip6: <yes, if your ISP/router supports it>
        do-udp: yes
        do-tcp: yes
        do-daemonize: yes
        logfile: "<where you want your log files to be, for example /var/log/unbound>"

Performance

        # Use all threads
        num-threads: <number of threads>  
        
        # 2^{number_of_threads}  
        msg-cache-slabs: <same>
        rrset-cache-slabs: <same>
        infra-cache-slabs: <same>
        key-cache-slabs: <same>

        # More cache memory
        rrset-cache-size: 100m
        msg-cache-size: <rrset-cache-size/2>

        # More outgoing connections
        # Depends on number of threads
        outgoing-range: <(1024/threads)-50>
        num-queries-per-thread: <(1024/threads)/2>

        # Larger socket buffer
        so-rcvbuf: 4m
        so-sndbuf: 4m

        # Faster UDP with multithreading (only on Linux)
        so-reuseport: yes

Note: If you have libevent, the outgoing-range can be increased to 4096 or 8192, for a slight performance gain. In which case, num-queries-threads should be <(outgoing-range/2)+50> to guarantee that every query can get a socket, and some to spare for queries-for-nameservers.

Security

        hide-identity: yes
        hide-version: yes
        harden-short-bufsize: yes
        harden-large-queries: yes
        harden-glue: yes
        harden-dnssec-stripped: yes
        harden-below-nxdomain: yes
        harden-referral-path: yes
        use-caps-for-id: yes
        # Enables support for DNSSEC(!)
        auto-trust-anchor-file: "<path to your root.key file, whose location should ideally be inside the unbound folder. Generate it using 'sudo unbound-anchor -a '/desired/path/to/root.key' as root>"
Tip: Security considerations.

with DNSCrypt

        # This is necessary for the local host, in this case DNSCrypt, to be used to send queries
        do-not-query-localhost: no
forward-zone:
        name: "."
        # 127.0.0.1 is DNSCrypt's --local-address; 40 is the port DNSCrypt is using, which is probably either 40 or 53
        forward-addr: 127.0.0.1@40

If you would like to run multiple instances of DNSCrypt, to have fallback servers, you will need to forward all of the addresses they are using here. The above example works if your single instance of DNSCrypt was set up to use the 127.0.0.1 local address and port 40.

Additional considerations

Sandboxing

It is possible to sandbox Unbound, and even recommended. You can also create an extra user/group to run it, with no privileges, and no home folder for an additional layer of protection.

To sandbox Unbound, simply install firejail, and edit your systemd/OpenRC scripts, adding the prefix 'firejail' before unbound. Firejail comes bundled with a profile for Unbound and many more, which you can analyse, and even edit, by issuing vim /etc/firejail.

Troubleshooting

The log file will most definitely wield the answer to your woes. In most cases, the problem will lie in either not setting the path to the root.key file right, setting the forward-address to the wrong port and thus conflicting with another piece of software, or a port that's already being used (Unbound generally binds itself to port 53).

Example of a log file, where the path to the root-anchors file was deliberately wrong (or, in my case, didn't belong to the right user): unbound.log.

External links