Setting up your own DNS server with Unbound

Unbound is an open-source DNS resolver that can be used to improve security and privacy when browsing the internet. This article covers setting up Unbound on a Linux server.

Installing Unbound

On Ubuntu, Unbound can be installed with the following command:

sudo apt-get install unbound -y

Configuring Unbound

Edit the configuration file with sudo nano /etc/unbound/unbound.conf and add the following content (you can of course use your own values, e.g. for interface):

server:

    # The  verbosity  number, level 0 means no verbosity, only errors.
    # Level 1 gives operational information. Level  2  gives  detailed
    # operational  information. Level 3 gives query level information,
    # output per query.  Level 4 gives  algorithm  level  information.
    # Level 5 logs client identification for cache misses.  Default is
    # level 1.
    verbosity: 0
    
    interface: 127.0.1.2
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    
    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # You want to leave this at no unless you have *native* IPv6. With 6to4 and
    # Teredo tunnels your web browser should favor IPv4 for the same reasons.
    prefer-ip6: no
    
    # Use this only when you have downloaded the list of primary root servers!
    # Read the root hints from this file. Make sure to
    # update root.hints every 5-6 months.
    root-hints: "/var/lib/unbound/root.hints"
    
    # Trust glue only if it is within the servers authority
    harden-glue: yes
    
    # Ignore very large queries.
    harden-large-queries: yes
    
    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    # If you want to disable DNSSEC, set harden-dnssec stripped: no
    harden-dnssec-stripped: yes
    
    # Number of bytes size to advertise as the EDNS reassembly buffer
    # size. This is the value put into  datagrams over UDP towards
    # peers. The actual buffer size is determined by msg-buffer-size
    # (both for TCP and UDP).
    edns-buffer-size: 1232
    
    # Rotates RRSet order in response (the pseudo-random number is taken
    # from the query ID, for speed and thread safety).
    rrset-roundrobin: yes
    
    # Time to live minimum for RRsets and messages in the cache. If the minimum
    # kicks in, the data is cached for longer than the domain owner intended,
    # and thus less queries are made to look up the data. Zero makes sure the
    # data in the cache is as the domain owner intended, higher values,
    # especially more than an hour or so, can lead to trouble as the data in
    # the cache does not match up with the actual data anymore
    cache-min-ttl: 300
    cache-max-ttl: 86400
    
    # Have unbound attempt to serve old responses from cache with a TTL of 0 in
    # the response without waiting for the actual resolution to finish. The
    # actual resolution answer ends up in the cache later on. 
    serve-expired: yes
    
    # Harden against algorithm downgrade when multiple algorithms are
    # advertised in the DS record.
    harden-algo-downgrade: yes
    
    # Ignore very small EDNS buffer sizes from queries.
    harden-short-bufsize: yes
    
    # Refuse id.server and hostname.bind queries
    hide-identity: yes
    
    # Report this identity rather than the hostname of the server.
    identity: "Server"
    
    # Refuse version.server and version.bind queries
    hide-version: yes
    
    # Prevent the unbound server from forking into the background as a daemon
    do-daemonize: no
    
    # Number  of  bytes size of the aggressive negative cache.
    neg-cache-size: 4m
    
    # Send minimum amount of information to upstream servers to enhance privacy
    qname-minimisation: yes
    
    # Deny queries of type ANY with an empty response.
    # Works only on version 1.8 and above
    deny-any: yes

    # Do not insert authority/additional sections into response messages when
    # those sections are not required. This reduces response size
    # significantly, and may avoid TCP fallback for some responses. This may
    # cause a slight speedup.
    minimal-responses: yes
    
    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    # This flag updates the cached domains
    prefetch: yes
    
    # Fetch the DNSKEYs earlier in the validation process, when a DS record is
    # encountered. This lowers the latency of requests at the expense of little
    # more CPU usage.
    prefetch-key: yes
    
    # One thread should be sufficient, can be increased on beefy machines. In reality for 
    # most users running on small networks or on a single machine, it should be unnecessary
    # to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1

    # More cache memory. rrset-cache-size should be twice msg-cache-size.
    msg-cache-size: 50m
    rrset-cache-size: 100m
   
    # Faster UDP with multithreading (only on Linux).
    so-reuseport: yes
    
    # Ensure the kernel buffer is large enough to not lose messages in traffic spikes.
    so-rcvbuf: 4m
    so-sndbuf: 4m
    
    # Set the total number of unwanted replies to keep track of in every thread.
    # When it reaches the threshold, a defensive action of clearing the rrset
    # and message caches is taken, hopefully flushing away any poison.
    # Unbound suggests a value of 10 million.
    unwanted-reply-threshold: 100000

    # Use 0x20-encoded random bits in the query to foil spoof attempts.
    # This perturbs the lowercase and uppercase of query names sent to
    # authority servers and checks if the reply still has the correct
    # casing. Disabled by default. This feature is an experimental
    # implementation of draft dns-0x20.
    use-caps-for-id: yes

    # Minimize logs
    # Do not print one line per query to the log
    log-queries: no
    # Do not print one line per reply to the log
    log-replies: no
    # Do not print log lines that say why queries return SERVFAIL to clients
    log-servfail: no
    # Do not print log lines to inform about local zone actions
    log-local-actions: no
    # Discard the log output entirely instead of writing a log file
    logfile: /dev/null
    
    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10
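As an added example (not part of the original article or of Unbound itself), a small Python audit that parses the server: section of a configuration in the format above and checks that the hardening options stay enabled. The sample configurations inside it are constructed, and the access-control check relies on Unbound's default of answering localhost only.

```python
"""Audit the server: section of an unbound.conf for the hardening options the
guide enables. Added example; the sample configurations are constructed."""
import ipaddress

# Option -> value the guide sets; any other value loses that protection.
REQUIRED = {"harden-glue": "yes", "harden-dnssec-stripped": "yes",
            "qname-minimisation": "yes", "hide-identity": "yes", "hide-version": "yes"}

def parse_server_section(text):
    """Return {option: [values]} of the server: clause (keys may repeat)."""
    opts, in_server = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        if not raw[0].isspace():                  # clause header, e.g. 'server:'
            in_server = line == "server:"
        elif in_server:
            key, _, val = line.partition(":")
            opts.setdefault(key.strip(), []).append(val.strip().strip('"'))
    return opts

def audit(text):
    """Return findings for the hardening policy; an empty list means it passes."""
    opts = parse_server_section(text)
    findings = [f"{k} must be {v}, found {opts.get(k, ['unset'])[0]}"
                for k, v in REQUIRED.items() if opts.get(k, [""])[0] != v]
    # Unbound's default access-control answers localhost only: a resolver bound
    # to a LAN address needs an explicit allow rule, and that rule is also what
    # keeps it from becoming an open resolver.
    for iface in opts.get("interface", []):
        addr = ipaddress.ip_address(iface.split("@")[0])   # strip '@port'
        if not addr.is_loopback and "access-control" not in opts:
            findings.append(f"interface {iface} is not loopback but no "
                            "access-control rule limits who may query")
    return findings

GOOD_CONF = """\
server:
    interface: 127.0.1.2   # constructed sample in the guide's style
    harden-glue: yes
    harden-dnssec-stripped: yes
    qname-minimisation: yes
    hide-identity: yes
    hide-version: yes
    private-address: 192.168.0.0/16
    private-address: 10.0.0.0/8
"""
# Same resolver bound to a LAN address, with DNSSEC hardening switched off.
BAD_CONF = GOOD_CONF.replace("127.0.1.2", "192.168.1.10").replace(
    "harden-dnssec-stripped: yes", "harden-dnssec-stripped: no")
```

Run it against /etc/unbound/unbound.conf after editing to confirm the protective settings survived, and again whenever the interface is moved off loopback.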

Downloading the root hints

The current root hints can be fetched with the following command:

wget https://www.internic.net/domain/named.root -qO- | sudo tee /var/lib/unbound/root.hints

This provides the current list of root servers used to resolve domains.

The root hints are updated roughly every 6 months.

Checking the configuration

The command

sudo unbound-checkconf

checks whether the configuration contains errors; if it does not, the following message appears:

“unbound-checkconf: no errors in /etc/unbound/unbound.conf”.

Now restart Unbound:

sudo systemctl restart unbound

Now the DNS resolution can be checked with dig, querying the interface and port configured above:

dig @127.0.1.2 -p 5335 duckduckgo.com

Setting up the DNS resolver on the client/router

Once everything is configured, the DNS server can be entered manually on each client, or the router can distribute it automatically via DHCP by entering the resolver's IP address in the router's DNS settings.

Conclusion

In summary, Unbound is a powerful and versatile solution for DNS resolution. With the right configuration, Unbound can help protect the privacy and security of your DNS queries.
