|
| 1 | +# Add Unbound as a recursive DNS Server to the PiHole setup |
| 2 | + |
| 3 | +## Install |
| 4 | + |
| 5 | +```bash |
| 6 | +sudo apt install unbound |
| 7 | +``` |
| 8 | + |
| 9 | +## Configuration |
| 10 | + |
| 11 | +Configure unbound with: |
| 12 | + |
| 13 | +- Listen on port 5335 |
| 14 | +- TCP & UDP |
| 15 | +- DNSSEC |
| 16 | +- Enable IPv4 & IPv6 |
| 17 | +- Ensure privacy of local IP ranges |
| 18 | + |
| 19 | +```yaml |
| 20 | +cat << EOF > /etc/unbound/unbound.conf.d/pi-hole.conf |
| 21 | +server: |
| 22 | + # If no logfile is specified, syslog is used |
| 23 | + # logfile: "/var/log/unbound/unbound.log" |
| 24 | + verbosity: 0 |
| 25 | + |
| 26 | + interface: 127.0.0.1 |
| 27 | + port: 5335 |
| 28 | + do-ip4: yes |
| 29 | + do-udp: yes |
| 30 | + do-tcp: yes |
| 31 | + |
| 32 | + # May be set to yes if you have IPv6 connectivity |
| 33 | + do-ip6: yes |
| 34 | + |
| 35 | + # You want to leave this to no unless you have *native* IPv6. With 6to4 and |
| 36 | + # Terredo tunnels your web browser should favor IPv4 for the same reasons |
| 37 | + prefer-ip6: no |
| 38 | + |
| 39 | + # Use this only when you downloaded the list of primary root servers! |
| 40 | + # If you use the default dns-root-data package, unbound will find it automatically |
| 41 | + #root-hints: "/var/lib/unbound/root.hints" |
| 42 | + |
| 43 | + # Trust glue only if it is within the server's authority |
| 44 | + harden-glue: yes |
| 45 | + |
| 46 | + # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS |
| 47 | + harden-dnssec-stripped: yes |
| 48 | + |
| 49 | + # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes |
| 50 | + # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details |
| 51 | + use-caps-for-id: no |
| 52 | + |
| 53 | + # Reduce EDNS reassembly buffer size. |
| 54 | + # IP fragmentation is unreliable on the Internet today, and can cause |
| 55 | + # transmission failures when large DNS messages are sent via UDP. Even |
| 56 | + # when fragmentation does work, it may not be secure; it is theoretically |
| 57 | + # possible to spoof parts of a fragmented DNS message, without easy |
| 58 | + # detection at the receiving end. Recently, there was an excellent study |
| 59 | + # >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<< |
| 60 | + # by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/) |
| 61 | + # in collaboration with NLnet Labs explored DNS using real world data from the |
| 62 | + # the RIPE Atlas probes and the researchers suggested different values for |
| 63 | + # IPv4 and IPv6 and in different scenarios. They advise that servers should |
| 64 | + # be configured to limit DNS messages sent over UDP to a size that will not |
| 65 | + # trigger fragmentation on typical network links. DNS servers can switch |
| 66 | + # from UDP to TCP when a DNS response is too big to fit in this limited |
| 67 | + # buffer size. This value has also been suggested in DNS Flag Day 2020. |
| 68 | + edns-buffer-size: 1232 |
| 69 | + |
| 70 | + # Perform prefetching of close to expired message cache entries |
| 71 | + # This only applies to domains that have been frequently queried |
| 72 | + prefetch: yes |
| 73 | + |
| 74 | + # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1. |
| 75 | + num-threads: 1 |
| 76 | + |
| 77 | + # Ensure kernel buffer is large enough to not lose messages in traffic spikes |
| 78 | + so-rcvbuf: 1m |
| 79 | + |
| 80 | + # Ensure privacy of local IP ranges |
| 81 | + # Needs to be commented out if you have a public dns records (e.g. Cloudflare) resolving to |
| 82 | + # your local IP. Those records will otherwise be unresolvable. |
| 83 | + private-address: 192.168.0.0/16 |
| 84 | + private-address: 169.254.0.0/16 |
| 85 | + private-address: 172.16.0.0/12 |
| 86 | + private-address: 10.0.0.0/8 |
| 87 | + private-address: fd00::/8 |
| 88 | + private-address: fe80::/10 |
| 89 | +EOF |
| 90 | +``` |
| 91 | + |
| 92 | +Signal PiHole to use this limit |
| 93 | + |
| 94 | +```python |
| 95 | +cat << EOF > /etc/dnsmasq.d/99-edns.conf |
| 96 | +edns-packet-max=1232 |
| 97 | +EOF |
| 98 | +``` |
| 99 | + |
| 100 | +### Restart unbound |
| 101 | + |
| 102 | +```bash |
| 103 | +sudo systemctl restart unbound |
| 104 | +``` |
| 105 | + |
| 106 | +### Test unbound |
| 107 | + |
| 108 | +#### Query |
| 109 | + |
| 110 | +```bash |
| 111 | +dig google.com @127.0.0.1 -p 5335 |
| 112 | +``` |
| 113 | + |
| 114 | +#### DNSSec |
| 115 | + |
| 116 | +Get `Servfail` |
| 117 | + |
| 118 | +```bash |
| 119 | +dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5335 |
| 120 | +``` |
| 121 | + |
| 122 | +Get `NOERROR` |
| 123 | + |
| 124 | +```bash |
| 125 | +dig sigok.verteiltesysteme.net @127.0.0.1 -p 5335 |
| 126 | +``` |
| 127 | + |
| 128 | +### Configure PiHole |
| 129 | + |
| 130 | +Now we need to tell PiHole to use unbound as an upstream DNS server. |
| 131 | + |
| 132 | +This is done by editing `/etc/pihole/setupVars.conf` and adding/replacing the following line: |
| 133 | + |
| 134 | +```bash |
| 135 | +PIHOLE_DNS_1=127.0.0.1#5335 |
| 136 | +PIHOLE_DNS_2=127.0.0.1#5335 |
| 137 | +``` |
| 138 | + |
| 139 | +Restart PiHole |
| 140 | + |
| 141 | +```bash |
| 142 | +systemctl restart pihole-FTL.service |
| 143 | +``` |
| 144 | + |
| 145 | +The PiHole web interface should now show under `//admin/settings.php?tab=dns` that the upstream DNS server is `127.0.0.1#5335`. |
| 146 | + |
0 commit comments