Ok, so I opened Pandora’s box by starting to talk about DNS. I figure I should probably do a proper job of completely murdering the topic and kill it off for good. So – Unbound was the call. I don’t need to run an authoritative server at home any longer. Otherwise, I’d probably have stuck with BIND, honestly. I know it, it’s a pain at times, anything in it related to DNS over HTTPS or TLS is totally experimental, not ready for client-side, but the devil you know, right?
So, Unbound it is. I did a bit of a read-up, and between the Arch Linux wiki, the official docs, and a couple of random config snippets, and I had a config. As I mentioned in the other post, I used certbot to generate my DNS over TLS cert. I’m actually using the same cert for DNS over HTTPS, but the clients don’t really get to see that cert. Why? Well, these hosts also serve up other apps via https, so traefik is installed, and thus is bound to
tcp/443, and I didn’t feel like messing with multiple IPs and binding different services to different IPs, so I just tied Unbound’s DNS-o-HTTPS to
tcp/1443, and created a traefik service to front it with HTTPS, so it all works out in the end. Clients are none-the-wiser. Yes, there’s a little extra config, and this definitely flies in the face of my mantra of discarding technical debt. But what’s the greater debt – moving a port and making a reverse proxy entry, or setting up a whole new IP and playing around with all sorts of service bindings and ensuring that the right ports are bound the right IPs in the right places? Yeah, you’re seeing it now.
So, on to the config. It’s not the exact config, but it’s close enough. I’ve changed some bits to protect the sanctity of the innards of my home net. On my systems, I’m running Ubuntu Jammy (that’s 22.04 LTS), so I just installed the unbound package via apt, then dropped this in
/etc/unbound/unbound.d/server.conf (the file doesn’t exist – you create it). There’s a handy syntax checker called
unbound-checkconf, which helps you figure out where you’ve managed to fat-finger things in your config and mess it up. Ask me how I know how useful it is…
server: port: 53 tls-port: 853 https-port: 1443 verbosity: 0 num-threads: 2 outgoing-range: 512 num-queries-per-thread: 1024 msg-cache-size: 32m interface: 0.0.0.0 interface: 0.0.0.0@853 interface: 0.0.0.0@1443 rrset-cache-size: 64m cache-max-ttl: 86400 infra-host-ttl: 60 infra-lame-ttl: 120 access-control: 127.0.0.0/8 allow access-control: 0.0.0.0/0 allow username: unbound directory: "/etc/unbound" use-syslog: yes hide-version: yes so-rcvbuf: 4m so-sndbuf: 4m do-ip4: yes do-ip6: no do-udp: yes do-tcp: yes log-queries: no log-servfail: no log-local-actions: no log-replies: no extended-statistics: yes statistics-cumulative: yes tls-service-key: /etc/letsencrypt/live/dns.home.somedomain.net/privkey.pem tls-service-pem: /etc/letsencrypt/live/dns.home.somedomain.net/cert.pem http-endpoint: "/dns-query" http-nodelay: yes private-address: 10.0.0.0/8 private-address: 172.16.0.0/12 private-address: 192.168.0.0/16 private-address: 169.254.0.0/16 private-domain: "home.somedomain.net" do-not-query-localhost: yes tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt" local-zone: "10.in-addr.arpa." transparent local-data: "18.104.22.168.in-addr.arpa. 600 IN PTR router.home.somedomain.net." local-data: "22.214.171.124.in-addr.arpa. 600 IN PTR switch.home.somedomain.net." local-data: "126.96.36.199.in-addr.arpa. 600 IN PTR ap1.home.somedomain.net." local-data: "188.8.131.52.in-addr.arpa. 600 IN PTR ap2.home.somedomain.net." local-data: "184.108.40.206.in-addr.arpa. 600 IN PTR ap3.home.somedomain.net." local-data: "220.127.116.11.in-addr.arpa. 600 IN PTR printer.home.somedomain.net." local-data: "10.10.10.10.in-addr.arpa. 600 IN PTR server1.home.somedomain.net." local-data: "18.104.22.168.in-addr.arpa. 600 IN PTR server2.home.somedomain.net." remote-control: control-enable: yes control-port: 953 control-use-cert: "yes" control-interface: 127.0.0.1 server-key-file: "/etc/unbound/unbound_server.key" server-cert-file: "/etc/unbound/unbound_server.pem" control-key-file: "/etc/unbound/unbound_control.key" control-cert-file: "/etc/unbound/unbound_control.pem" forward-zone: name: "." forward-tls-upstream: yes forward-addr: 22.214.171.124@853#cloudflare-dns.com forward-addr: 126.96.36.199@853#cloudflare-dns.com forward-addr: 188.8.131.52@853#dns.quad9.net forward-addr: 184.108.40.206@853#dns.quad9.net forward-addr: 220.127.116.11@853#dns.google forward-addr: 18.104.22.168@853#dns.google