
Ok, so I opened Pandora’s box by starting to talk about DNS. I figure I should probably do a proper job of completely murdering the topic and kill it off for good. So – Unbound was the call. I don’t need to run an authoritative server at home any longer. Otherwise, I’d probably have stuck with BIND, honestly. I know it, it’s a pain at times, anything in it related to DNS over HTTPS or TLS is totally experimental, not ready for client-side, but the devil you know, right?
So, Unbound it is. I did a bit of a read-up, and between the Arch Linux wiki, the official docs, and a couple of random config snippets, I had a config. As I mentioned in the other post, I used certbot to generate my DNS over TLS cert. I’m actually using the same cert for DNS over HTTPS, but the clients don’t really get to see that cert. Why? Well, these hosts also serve up other apps via HTTPS, so traefik is installed and thus bound to tcp/443, and I didn’t feel like messing with multiple IPs and binding different services to different IPs, so I just tied Unbound’s DNS-over-HTTPS listener to tcp/1443 and created a traefik service to front it with HTTPS, so it all works out in the end. Clients are none the wiser. Yes, there’s a little extra config, and this definitely flies in the face of my mantra of discarding technical debt. But what’s the greater debt – moving a port and making a reverse proxy entry, or setting up a whole new IP and playing around with all sorts of service bindings and ensuring that the right ports are bound to the right IPs in the right places? Yeah, you’re seeing it now.
So, on to the config. It’s not the exact config, but it’s close enough. I’ve changed some bits to protect the sanctity of the innards of my home net. On my systems, I’m running Ubuntu Jammy (that’s 22.04 LTS), so I just installed the unbound package via apt, then dropped this in /etc/unbound/unbound.d/server.conf (the file doesn’t exist – you create it). There’s a handy syntax checker called unbound-checkconf, which helps you figure out where you’ve managed to fat-finger things in your config and mess it up. Ask me how I know how useful it is…
server:
    port: 53
    tls-port: 853
    https-port: 1443
    verbosity: 0
    num-threads: 2
    outgoing-range: 512
    num-queries-per-thread: 1024
    msg-cache-size: 32m
    # Listen on every IPv4 address: plain DNS on 53, DoT on 853, DoH on 1443 (fronted by traefik).
    interface: 0.0.0.0
    interface: 0.0.0.0@853
    interface: 0.0.0.0@1443
    rrset-cache-size: 64m
    cache-max-ttl: 86400
    infra-host-ttl: 60
    infra-lame-ttl: 120
    access-control: 127.0.0.0/8 allow
    # Answers any client that can reach the listener, so this relies on the home firewall
    # keeping the host off the internet; otherwise narrow it to the LAN prefix.
    access-control: 0.0.0.0/0 allow
    username: unbound
    directory: "/etc/unbound"
    use-syslog: yes
    hide-version: yes
    so-rcvbuf: 4m
    so-sndbuf: 4m
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes
    log-queries: no
    log-servfail: no
    log-local-actions: no
    log-replies: no
    extended-statistics: yes
    statistics-cumulative: yes
    # certbot's cert.pem is the leaf certificate only; fullchain.pem also carries the
    # intermediate, which strict DoT clients need in order to validate the chain.
    tls-service-key: /etc/letsencrypt/live/dns.home.somedomain.net/privkey.pem
    tls-service-pem: /etc/letsencrypt/live/dns.home.somedomain.net/cert.pem
    http-endpoint: "/dns-query"
    http-nodelay: yes
    # Rebind protection: RFC 1918 / link-local answers from upstream are dropped,
    # except for names under the home zone declared in private-domain.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-domain: "home.somedomain.net"
    do-not-query-localhost: yes
    # CA bundle used to verify the upstream DoT forwarders below.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    # Reverse records for the LAN; transparent means anything not listed here is still resolved normally.
    local-zone: "10.in-addr.arpa." transparent
    local-data: "1.10.10.10.in-addr.arpa. 600 IN PTR router.home.somedomain.net."
    local-data: "2.10.10.10.in-addr.arpa. 600 IN PTR switch.home.somedomain.net."
    local-data: "3.10.10.10.in-addr.arpa. 600 IN PTR ap1.home.somedomain.net."
    local-data: "4.10.10.10.in-addr.arpa. 600 IN PTR ap2.home.somedomain.net."
    local-data: "5.10.10.10.in-addr.arpa. 600 IN PTR ap3.home.somedomain.net."
    local-data: "6.10.10.10.in-addr.arpa. 600 IN PTR printer.home.somedomain.net."
    local-data: "10.10.10.10.in-addr.arpa. 600 IN PTR server1.home.somedomain.net."
    local-data: "20.10.10.10.in-addr.arpa. 600 IN PTR server2.home.somedomain.net."

# unbound-control, loopback only, with certificate authentication.
remote-control:
    control-enable: yes
    control-port: 953
    control-use-cert: "yes"
    control-interface: 127.0.0.1
    server-key-file: "/etc/unbound/unbound_server.key"
    server-cert-file: "/etc/unbound/unbound_server.pem"
    control-key-file: "/etc/unbound/unbound_control.key"
    control-cert-file: "/etc/unbound/unbound_control.pem"

# Everything not answered locally is forwarded over TLS; the name after '#' is the
# hostname Unbound verifies in the upstream certificate against tls-cert-bundle.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 8.8.4.4@853#dns.google
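unbound-checkconf only validates syntax, so here is an added stdlib-only Python probe (not part of the original post) that queries the DoT listener the way a strict client would, with chain and hostname verification against the system CA bundle. It assumes a resolver at 10.10.10.10 (server1 in the PTR data above, used here as a hypothetical address) presenting the dns.home.somedomain.net certificate, and www.example.com as a hypothetical name to look up.

```python
import socket, ssl, struct

def build_query(name: str, qtype: int = 1, qid: int = 0x1234) -> bytes:
    # Header: id, flags (RD set), qdcount=1, no other sections; then the question.
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS=IN

def _skip_name(msg: bytes, off: int) -> int:
    # Step over a name; a compression pointer (top two bits 11) ends it in 2 bytes.
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def parse_answer(msg: bytes, qid: int = 0x1234) -> dict:
    rid, flags, qd, an = struct.unpack("!HHHH", msg[:8])
    if rid != qid: raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                 # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                  # A record
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0xF, "addrs": addrs}

def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk: raise ConnectionError("short read from resolver")
        buf += chunk
    return buf

def query_dot(server: str, sni: str, name: str, port: int = 853) -> dict:
    # Strict-client behaviour: verify chain and hostname against the system CA bundle.
    ctx = ssl.create_default_context()
    q = build_query(name)
    with socket.create_connection((server, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            tls.sendall(struct.pack("!H", len(q)) + q)   # RFC 7858: 2-byte length prefix
            (ln,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_answer(_recv_exact(tls, ln))

if __name__ == "__main__":   # hypothetical resolver address, cert name and query name
    print(query_dot("10.10.10.10", "dns.home.somedomain.net", "www.example.com"))
```

A certificate verification error here while a browser accepts the same certificate is the classic symptom of serving cert.pem (leaf only) instead of fullchain.pem, since Python's ssl module does not fetch missing intermediates the way browsers do.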