Unbound

Requirements

Setup

Installation

% yum install unbound -y
% systemctl enable unbound

DNS over TLS (DoT)

Setting up DoT with unbound is straight forward, whether you already have a DNS server already or not. Let’s go over the most basic configuration.

% vi /etc/unbound/unbound.conf
server:
        . . .
        # Set the below to an IP address if you wish - as I have multiple VLAN's
        # it is just easier for me to listen everywhere
        interface: 0.0.0.0
        interface: ::
        # Optionally set a port - I have bind already running, so port 9053 works
        interface-automatic: no
        port: 9053
        . . .
        # Set access control rules here. I'll show a few examples with just two of
        # my networks
        # REFUSE everything
        access-control: 0.0.0.0/0 refuse
        access-control: ::0/0 refuse
        # Allow localhost to snoop
        access-control: 127.0.0.1/32 allow_snoop
        access-control: ::1 allow_snoop
        # Allow the entire localhost subnet
        access-control: 127.0.0.0/8 allow
        access-control: ::ffff:127.0.0.1 allow
        # Allow my main network and sandbox network
        access-control: 10.100.0.0/24 allow
        access-control: 10.100.1.0/24 allow
        . . .
        # Ensure tls-cert-bundle is set
        tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
        . . .
# Create the forward zone for DoT queries
forward-zone:
        name: "."
        forward-tls-upstream: yes
        # Cloudflare
        forward-addr: 1.1.1.1@853#cloudflare-dns.com
        forward-addr: 1.0.0.1@853#cloudflare-dns.com
        forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
        forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
        # Quad9
        forward-addr: 9.9.9.9@853#dns.quad9.net
        forward-addr: 149.112.112.112@853#dns.quad9.net

% systemctl enable unbound --now
# If you are using bind already with forwarders, you should edit it. Example.
% vi /etc/named.conf
options {
        . . .
        forwarders {
                # This assumes your bind server and unbound server are on
                # the same server like I did.
                127.0.0.1 port 9053;
        };
        forward only;
        . . .