hello friends! new(ish)!
Unbound: Difference between revisions
Jump to navigation
Jump to search
>Galactus m (→External links) |
>Galactus |
||
| (47 intermediate revisions by 2 users not shown) | |||
| Line 4: | Line 4: | ||
== Installation == | == Installation == | ||
=== Unix-like === | === Unix-like === | ||
Install it from your distro's repository, or download it from [https://www.unbound.net/downloads/unbound-latest.tar.gz here]. | Install it from your distro's repository, or download it from [https://www.unbound.net/downloads/unbound-latest.tar.gz here]. Alternatively, you can build it yourself. | ||
==== Requirements & dependencies ==== | |||
`-- dev-libs/expat | |||
`-- dev-libs/libevent | |||
==== Building ==== | |||
# git clone git://github.com/jedisct1/unbound.git | |||
# cd unbound | |||
# CFLAGS="-O3 -march=native" ./configure --enable-systemd --with-pthreads --enable-pie --prefix=/usr --with-libevent=yes | |||
# make -jn (where n is the number of threads you want to spawn) | |||
# sudo make install | |||
{{note|For systemd support, add --enable-systemd to step 3.}} | |||
=== Windows === | === Windows === | ||
| Line 11: | Line 24: | ||
== What to expect == | == What to expect == | ||
There are numerous advantages to having a DNS server like Unbound, most of which can be summed up in a few short sentences: | There are numerous advantages to having a DNS server like Unbound, most of which can be summed up in a few short sentences: | ||
* Enforces DNSSEC | * Enforces DNSSEC. | ||
* Reduces privacy exposure by caching DNS queries | * Reduces privacy exposure by caching DNS queries. | ||
* Consequentially, decreases DNS look up latency if the DNS query has already been cached | * Consequentially, decreases DNS look up latency if the DNS query has already been cached. | ||
* Hardens DNS queries. | * Hardens DNS queries. | ||
== Configuration == | == Configuration == | ||
This is how a proper unbound.conf file ought to look like: [http://pastebin.com/raw.php?i=hXPPNdhP unbound.conf] (do not copy paste this unless your CPU has 4 threads, you're using Linux, and | This is how a proper unbound.conf file ought to look like: [http://pastebin.com/raw.php?i=hXPPNdhP unbound.conf] (do not copy paste this unless your CPU has 4 threads, you're using Linux, and have libevent). | ||
=== General === | === General === | ||
< | {{bc|<nowiki> | ||
server: | server: | ||
interface: 127.0.0.1 | interface: 127.0.0.1 | ||
interface: ::1 | # Using zero means to listen on _all_ interfaces, but unsupported on some systems | ||
# interface 0.0.0.0 | |||
# interface ::0 #IPv6 | |||
access-control: <YOUR ROUTER'S IP Range, for example 192.168.1.1>/16 allow | |||
access-control: ::1 allow #IPv6 localhost | |||
# Only use access-control if you want to stray away from the default, in which only the localhost is allowed, and the rest is refused | |||
verbosity: 1 | verbosity: 1 | ||
port: | port: 40 #make sure it's open | ||
user:<user you want it to run as, check security considerations> | |||
do-ip4: yes | do-ip4: yes | ||
do-ip6: <yes, if your ISP/router supports it> | do-ip6: <yes, if your ISP/router supports it> | ||
do-udp: yes | do-udp: yes | ||
do-tcp: yes | do-tcp: yes | ||
use-systemd: yes|no | |||
do-daemonize: yes #no if you're using systemd | |||
</ | </nowiki>}} | ||
=== Performance === | === Performance === | ||
< | {{bc|<nowiki> | ||
# | # Use all threads | ||
num-threads: <number of threads> | num-threads: <number of threads> | ||
| Line 45: | Line 64: | ||
key-cache-slabs: <same> | key-cache-slabs: <same> | ||
# | # More cache memory | ||
rrset-cache-size: 100m | rrset-cache-size: 100m | ||
msg-cache-size: <rrset-cache-size/2> | msg-cache-size: <rrset-cache-size/2> | ||
# | # More outgoing connections | ||
# | # Depends on number of threads | ||
outgoing-range: < | outgoing-range: <4096/8192> | ||
num-queries-per-thread: < | num-queries-per-thread: <outgoing-range/2> | ||
# Larger socket buffer | # Larger socket buffer | ||
| Line 58: | Line 77: | ||
so-sndbuf: 4m | so-sndbuf: 4m | ||
# Faster UDP with multithreading (only on Linux) | # Faster UDP with multithreading (only on Linux) | ||
so-reuseport: yes | so-reuseport: yes | ||
</ | </nowiki>}} | ||
Note: If you have libevent, the outgoing-range can be increased to 4096 or 8192, for a slight performance gain. In which case, | Note: If you have libevent, the outgoing-range can be increased to 4096 or 8192, for a slight performance gain. In which case, {{ic|num-queries-threads}} should be {{ic|<(outgoing-range/2)+50>}} to guarantee that every query can get a socket, and some to spare for queries-for-nameservers. | ||
=== Security === | === Security === | ||
< | {{bc|<nowiki> | ||
hide-identity: yes | hide-identity: yes | ||
hide-version: yes | hide-version: yes | ||
qname-minimisation: yes | |||
qname-minimisation-strict: no #else it will break a few nameservers, so enable at your own risk | |||
harden-short-bufsize: yes | harden-short-bufsize: yes | ||
harden-large-queries: yes | harden-large-queries: yes | ||
| Line 75: | Line 96: | ||
harden-referral-path: yes | harden-referral-path: yes | ||
use-caps-for-id: yes | use-caps-for-id: yes | ||
# | # Enables support for DNSSEC(!) | ||
auto-trust-anchor-file: "<path to your root.key file>" | auto-trust-anchor-file: "<path to your root.key file, whose location should ideally be inside the unbound folder. Generate it using 'sudo unbound-anchor -a '/desired/path/to/root.key' as root>" | ||
</ | </nowiki>}} | ||
=== with DNSCrypt === | {{Tip|[[Unbound#Security_considerations|Security considerations]].}} | ||
< | |||
# | === with [[DNSCrypt]] === | ||
do-not-query-localhost: | {{bc|<nowiki> | ||
# This is necessary for the local host, in this case DNSCrypt, to be used to send queries | |||
do-not-query-localhost: yes | |||
forward-zone: | forward-zone: | ||
name: "." | name: "." | ||
# 127.0.0.1 is DNSCrypt's --local-address; 40 is the port DNSCrypt is using | # 127.0.0.1 is DNSCrypt's --local-address; 40 is the port DNSCrypt is using, which is probably either 40 or 53 | ||
forward-addr: 127.0.0.1@ | forward-addr: 127.0.0.1@53 | ||
</ | </nowiki>}} | ||
If you would like to run multiple instances of DNSCrypt, to have fallback servers, you will need to forward all of the addresses they are using here. The above example works if your single instance of DNSCrypt was set up to use the 127.0.0.1 local address and port 53. | |||
== Security considerations == | |||
=== Creating a new user and group === | |||
It is possible to sandbox Unbound, and even recommended. You can also create an extra user/group to run it, with no privileges, and no home folder for an additional layer of protection, by issuing {{ic|sudo useradd -U -r -d /var/unbound -m -s /sbin/nologin unbound}} (for the user), and {{ic|sudo usermod -g unbound unbound}} (for the group). | |||
=== Sandboxing === | |||
To sandbox Unbound, simply install firejail, and edit your systemd/OpenRC scripts, adding the prefix 'firejail' before unbound. Firejail comes bundled with a profile for Unbound and many more, which you can analyse, and even edit, by issuing {{ic|vim /etc/firejail}}. Alternatively, you can use systemd's native sandbox. | |||
== Troubleshooting == | == Troubleshooting == | ||
The log file will most definitely wield the answer to your woes. In most cases, the problem will lie in either not setting the path to the root.key file right, or a port that's already being used. | The log file will most definitely wield the answer to your woes. In most cases, the problem will lie in either not setting the path to the root.key file right, setting the forward-address to the wrong port and thus conflicting with another piece of software, or a port that's already being used ([[Unbound#General|Unbound generally binds itself to port 53]]). | ||
Example of a log file, where the path to the root-anchors file was deliberately wrong (or, in my case, didn't belong to the right user): [http://pastebin.com/raw.php?i=0tT8NfmZ unbound.log]. | |||
== External links == | == External links == | ||
*[https://www.unbound.net Official site] | *[https://www.unbound.net Official site] | ||
*[https://github.com/jedisct1/unbound Github project mirror] | *[https://github.com/jedisct1/unbound Github project mirror] | ||
*[https://www.unbound.net/documentation/index.html Documentation] | |||
*[https://data.iana.org/root-anchors/ Root anchors] | *[https://data.iana.org/root-anchors/ Root anchors] | ||
[[Category:Software]] | [[Category:DNS]][[Category:Security]][[Category:Software]] | ||
Latest revision as of 14:28, 14 February 2017
Unbound is a validating, recursive, and caching DNS server. It is quite useful for enforcing DNSSEC and caching DNS queries. Best used in conjunction with DNSCrypt.
Installation
Unix-like
Install it from your distro's repository, or download it from here. Alternatively, you can build it yourself.
Requirements & dependencies
`-- dev-libs/expat `-- dev-libs/libevent
Building
- git clone git://github.com/jedisct1/unbound.git
- cd unbound
- CFLAGS="-O3 -march=native" ./configure --enable-systemd --with-pthreads --enable-pie --prefix=/usr --with-libevent=yes
- make -jn (where n is the number of threads you want to spawn)
- sudo make install
Windows
Windows children may download it from the official page.
What to expect
There are numerous advantages to having a DNS server like Unbound, most of which can be summed up in a few short sentences:
- Enforces DNSSEC.
- Reduces privacy exposure by caching DNS queries.
- Consequentially, decreases DNS look up latency if the DNS query has already been cached.
- Hardens DNS queries.
Configuration
This is how a proper unbound.conf file ought to look like: unbound.conf (do not copy paste this unless your CPU has 4 threads, you're using Linux, and have libevent).
General
server:
interface: 127.0.0.1
# Using zero means to listen on _all_ interfaces, but unsupported on some systems
# interface 0.0.0.0
# interface ::0 #IPv6
access-control: <YOUR ROUTER'S IP Range, for example 192.168.1.1>/16 allow
access-control: ::1 allow #IPv6 localhost
# Only use access-control if you want to stray away from the default, in which only the localhost is allowed, and the rest is refused
verbosity: 1
port: 40 #make sure it's open
user:<user you want it to run as, check security considerations>
do-ip4: yes
do-ip6: <yes, if your ISP/router supports it>
do-udp: yes
do-tcp: yes
use-systemd: yes|no
do-daemonize: yes #no if you're using systemd
Performance
# Use all threads
num-threads: <number of threads>
# 2^{number_of_threads}
msg-cache-slabs: <same>
rrset-cache-slabs: <same>
infra-cache-slabs: <same>
key-cache-slabs: <same>
# More cache memory
rrset-cache-size: 100m
msg-cache-size: <rrset-cache-size/2>
# More outgoing connections
# Depends on number of threads
outgoing-range: <4096/8192>
num-queries-per-thread: <outgoing-range/2>
# Larger socket buffer
so-rcvbuf: 4m
so-sndbuf: 4m
# Faster UDP with multithreading (only on Linux)
so-reuseport: yes
Note: If you have libevent, the outgoing-range can be increased to 4096 or 8192, for a slight performance gain. In which case, num-queries-threads should be <(outgoing-range/2)+50> to guarantee that every query can get a socket, and some to spare for queries-for-nameservers.
Security
hide-identity: yes
hide-version: yes
qname-minimisation: yes
qname-minimisation-strict: no #else it will break a few nameservers, so enable at your own risk
harden-short-bufsize: yes
harden-large-queries: yes
harden-glue: yes
harden-dnssec-stripped: yes
harden-below-nxdomain: yes
harden-referral-path: yes
use-caps-for-id: yes
# Enables support for DNSSEC(!)
auto-trust-anchor-file: "<path to your root.key file, whose location should ideally be inside the unbound folder. Generate it using 'sudo unbound-anchor -a '/desired/path/to/root.key' as root>"
with DNSCrypt
# This is necessary for the local host, in this case DNSCrypt, to be used to send queries
do-not-query-localhost: yes
forward-zone:
name: "."
# 127.0.0.1 is DNSCrypt's --local-address; 40 is the port DNSCrypt is using, which is probably either 40 or 53
forward-addr: 127.0.0.1@53
If you would like to run multiple instances of DNSCrypt, to have fallback servers, you will need to forward all of the addresses they are using here. The above example works if your single instance of DNSCrypt was set up to use the 127.0.0.1 local address and port 53.
Security considerations
Creating a new user and group
It is possible to sandbox Unbound, and even recommended. You can also create an extra user/group to run it, with no privileges, and no home folder for an additional layer of protection, by issuing sudo useradd -U -r -d /var/unbound -m -s /sbin/nologin unbound (for the user), and sudo usermod -g unbound unbound (for the group).
Sandboxing
To sandbox Unbound, simply install firejail, and edit your systemd/OpenRC scripts, adding the prefix 'firejail' before unbound. Firejail comes bundled with a profile for Unbound and many more, which you can analyse, and even edit, by issuing vim /etc/firejail. Alternatively, you can use systemd's native sandbox.
Troubleshooting
The log file will most definitely wield the answer to your woes. In most cases, the problem will lie in either not setting the path to the root.key file right, setting the forward-address to the wrong port and thus conflicting with another piece of software, or a port that's already being used (Unbound generally binds itself to port 53).
Example of a log file, where the path to the root-anchors file was deliberately wrong (or, in my case, didn't belong to the right user): unbound.log.