https://www.redhat.com/sysadmin/bound-dns

https://github.com/MartineauUK/Unbound-Asuswrt-Merlin/issues/7

https://linuxreviews.org/HOWTO_setup_your_own_caching_nameserver_using_Unbound

#!/bin/bash wget -q https://www.internic.net/domain/named.root -O /tmp/root.hints if grep -q ROOT-SERVERS /tmp/root.hints ;then mv -f /tmp/root.hints /etc/unbound/root.hints ; chmod a+r /etc/unbound/root.hints fi

https://www.atlantic.net/vps-hosting/how-to-set-up-unbound-dns-resolver-on-ubuntu-20-04/

• root@dns0:~# cat /etc/unbound/unbound.conf
• # Unbound configuration file for Debian.
• #
• # See the unbound.conf(5) man page.
• #
• # See /usr/share/doc/unbound/examples/unbound.conf for a commented
• # reference config file.
• server:
• # Use the root servers key for DNSSEC
• auto-trust-anchor-file: “/var/lib/unbound/root.key”
• # Enable logs
• #verbosity: 1 # uncomment and increase to get more
• #logfile: “/var/log/unbound/unbound.log”
• #log-queries: yes
• # Respond to DNS requests on all interfaces
• interface: 0.0.0.0@53
• # DNS request port, IP and protocol
• port: 53
• do-ip4: yes
• do-ip6: no
• do-udp: yes
• do-tcp: yes
• # Authorized IPs to access the DNS Server
• access-control: 0.0.0.0/0 refuse
• access-control: 103.152.236.0/23 allow
• access-control: 210.4.64.0/24 allow
• access-control: 10.253.0.0/16 allow
• access-control: 10.254.0.0/16 allow
• access-control: 10.255.0.0/16 allow
• # Root servers information (To download here: ftp://ftp.internic.net/domain/named.cache)
• root-hints: “/var/lib/unbound/root.hints”
• # Hide DNS Server info
• hide-identity: yes
• hide-version: yes
• # Improve the security of your DNS Server (Limit DNS Fraud and use DNSSEC)
• harden-glue: yes
• harden-dnssec-stripped: yes
• # Rewrite URLs written in CAPS
• use-caps-for-id: yes
• # TTL Min (Seconds)
• cache-min-ttl: 3600
• # TTL Max (Seconds)
• cache-max-ttl: 86400
• # Enable the prefetch
• prefetch: yes
• # Number of maximum threads to use
• num-threads: 2
• ### Tweaks and optimizations
• # Number of slabs to use (Must be a multiple of num-threads value)
• msg-cache-slabs: 8
• rrset-cache-slabs: 8
• infra-cache-slabs: 8
• key-cache-slabs: 8
• # Cache and buffer size (in mb)
• rrset-cache-size: 51m
• msg-cache-size: 25m
• so-rcvbuf: 1m
• # Make sure your DNS Server treat your local network requests
• private-address: 10.253.0.0/16
• private-address: 10.254.0.0/16
• private-address: 10.255.0.0/16
• private-address: 10.10.0.0/23
• private-address: 210.4.64.0/24
• private-address: 103.152.236.0/23
• # Add an unwanted reply threshold to clean the cache and avoid when possible a DNS Poisoning
• unwanted-reply-threshold: 10000
• # Authorize or not the localhost requests
• do-not-query-localhost: no
• # Use the root.key file for DNSSEC
• #auto-trust-anchor-file: “/var/lib/unbound/root.key”
• val-clean-additional: yes
• ### Block popular advertising companies
• local-zone: “doubleclick.net” redirect
• local-data: “doubleclick.net A 127.0.0.1”
• local-zone: “googlesyndication.com” redirect
• local-data: “googlesyndication.com A 127.0.0.1”
• local-zone: “googleadservices.com” redirect
• local-data: “googleadservices.com A 127.0.0.1”
• local-zone: “google-analytics.com” redirect
• local-data: “google-analytics.com A 127.0.0.1”
• local-zone: “ads.youtube.com” redirect
• local-data: “ads.youtube.com A 127.0.0.1”
• local-zone: “adserver.yahoo.com” redirect
• local-data: “adserver.yahoo.com A 127.0.0.1”

https://www.redhat.com/sysadmin/bound-dns

• root@cloudns0:~# cat /etc/resolv.conf
• search xxx.net
• nameserver xxx.4.77.135
• nameserver 2403:4000:0:2::2

''root@cloudns0:~# ifconfig'' 
* ens13: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
*         inet xxx.4.77.135  netmask 255.255.255.192  broadcast xxx.4.77.191
*         inet6 fe80::a800:ff:fe79:5a1  prefixlen 64  scopeid 0x20<link>
*         inet6 2403:4000:0:2::2  prefixlen 64  scopeid 0x0<global>
*         ether aa:00:00:79:05:a1  txqueuelen 1000  (Ethernet)
*         RX packets 213715417  bytes 14053348903 (13.0 GiB)
*         RX errors 0  dropped 1  overruns 0  frame 0
*         TX packets 9511552  bytes 958058087 (913.6 MiB)
*         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
* 
* lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
*         inet 127.0.0.1  netmask 255.0.0.0
*         inet6 ::1  prefixlen 128  scopeid 0x10<host>
*         loop  txqueuelen 1000  (Local Loopback)
*         RX packets 78633600  bytes 7941971840 (7.3 GiB)
*         RX errors 0  dropped 0  overruns 0  frame 0
*         TX packets 78633600  bytes 7941971840 (7.3 GiB)
*         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
* 

root@cloudns0:~# cat /etc/network/interfaces

• # This file describes the network interfaces available on your system
• # and how to activate them. For more information, see interfaces(5).
• source /etc/network/interfaces.d/*
• # The loopback network interface
• auto lo
• iface lo inet loopback
• # The primary network interface
• allow-hotplug ens13
• iface ens13 inet static
• address 210.xxx.77.1xxx/26
• gateway 210.xxx.77.129
• # dns-* options are implemented by the resolvconf package, if installed
• dns-nameservers 210.4.77.135
• dns-search bdcom.net
• iface ens13 inet6 static
• address 2403:xxx:0:2::2
• netmask 64
• gateway 2403:xxx:0:2::1
• dns-nameservers 2403:xxx:0:2::2

• root@cloudns0:~# cat /etc/unbound/unbound.conf
• # Unbound configuration file for Debian.
• #
• # See the unbound.conf(5) man page.
• #
• # See /usr/share/doc/unbound/examples/unbound.conf for a commented
• # reference config file.
• #
• # The following line includes additional configuration files from the
• # /etc/unbound/unbound.conf.d directory.
• include: “/etc/unbound/unbound.conf.d/*.conf”
• #The configuration file is located at /etc/unbound/unbound.conf. Configure the interface to listen to using the “interface” directive. 0.0.0.0 will instruct unbound to listen on all interfaces.
• #
• # Enable logs
• verbosity: 1 # uncomment and increase to get more
• logfile: “/var/log/unbound/unbound.log”
• log-queries: yes
• #server:
• # chroot: “”
• # logfile: /var/log/unbound.log
• # verbosity: 1
• # log-queries: yes
• #interface: 0.0.0.0@53
• #interface: ::/0@53
• interface: 0.0.0.0@53
• interface: ::0@53
• # DNS request port, IP and protocol
• port: 53
• do-ip4: yes
• do-ip6: yes
• do-udp: yes
• do-tcp: yes
• #Setup clients that may make recursive queries:
• # Authorized IPs to access the DNS Server
• access-control: 0.0.0.0/0 refuse
• access-control: 127.0.0.1 allow
• access-control: ::1 allow
• access-control: 210.4.64.0/24 allow
• access-control: 210.4.77.0/24 allow
• access-control: 10.255.0.0/16 allow
• access-control: 2403:4000::/32 allow
• #To require DNSSEC data for trust-anchored zones, use the “harden-dnssec-stripped” option:
• harden-dnssec-stripped: yes
• #Configure the TTLs for the DNS cache in seconds. It is good practice to not keep the minimum higher than an hour since it could result in reading stale data which might have changed. This could especially be the case for the hostname resolutions to dynamic IP addresses.
• #
• cache-min-ttl: 3600
• cache-max-ttl: 86400
• #Performance tuning parameters to tune unbound depending on the number of clients that will depend on this server as well as the hardware on which it is running. My unbound server is on a 512MB 1vcpu VM and will only serve requests for clients within my home network, so I have deliberately tuned these down
• #
• num-threads: 2
• msg-cache-slabs: 4
• rrset-cache-slabs: 4
• infra-cache-slabs: 4
• key-cache-slabs: 4
• rrset-cache-size: 128m
• msg-cache-size: 32m
• so-rcvbuf: 1m
• #Lets now setup the private domain which this DNS server will be an authority for. You should add all your local hosts that are present within your network for which this server will act as an authority for as local-data entries similar to below.
• #
• #private-domain: “home.asrivas.me”
• #local-zone: “home.asrivas.me” static
• #local-data: “webserver.home.asrivas.me IN A 192.168.1.143”
• #One really useful aspect of running your own DNS server is the ability to block a number of ad servers by creating a blackhole for those domains. This is especially useful for mobile devices where it is difficult to configure ad-blocking. The following servers actually server majority of the ads over the internet:
• local-zone: “doubleclick.net” redirect
• local-data: “doubleclick.net A 127.0.0.1”
• local-zone: “googlesyndication.com” redirect
• local-data: “googlesyndication.com A 127.0.0.1”
• local-zone: “googleadservices.com” redirect
• local-data: “googleadservices.com A 127.0.0.1”
• local-zone: “google-analytics.com” redirect
• local-data: “google-analytics.com A 127.0.0.1”
• local-zone: “ads.youtube.com” redirect
• local-data: “ads.youtube.com A 127.0.0.1”
• local-zone: “adserver.yahoo.com” redirect
• local-data: “adserver.yahoo.com A 127.0.0.1”
• local-zone: “ask.com” redirect
• local-data: “ask.com A 127.0.0.1”
• #Lastly, you should setup forwarding queries to the appropriate public DNS server for queries that cannot be answered by this server:
• forward-zone:
• name: “.”
• forward-addr: 1.0.0.1@53#one.one.one.one
• forward-addr: 1.1.1.1@53#one.one.one.one
• forward-addr: 8.8.4.4@53#dns.google
• forward-addr: 8.8.8.8@53#dns.google
• forward-addr: 9.9.9.9@53#dns.quad9.net
• forward-addr: 149.112.112.112@53#dns.quad9.net
• forward-addr: 2606:4700:4700::1003@53#cloudfare.ipv6
• forward-addr: 2606:4700:4700::1113@53#cloudfare.ipv6
• forward-addr: 2403:4000:0:2::3@53#BDCOM.ipv6
• forward-addr: 2403:4000:0:2::4@53#BDCOM.ipv6