root@dns0:~# cat /etc/unbound/unbound.conf
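# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# Recursive resolver: walks the tree from the root hints, no forwarders.
# Every option below belongs to the server clause.  Quotes must be plain
# ASCII double quotes -- curly quotes are read by unbound as part of the
# value (a path of “/var/lib/...” does not exist).
server:
    # DNSSEC validation: RFC 5011 managed trust anchor for the root zone.
    # The file must be writable by the unbound user so it can be rolled.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Logging (disabled).  log-queries records the client address and the
    # name of every query: that is personal data and it grows fast on a
    # busy resolver, so enable it only while debugging.
    #verbosity: 1  # uncomment and increase to get more
    #logfile: "/var/log/unbound/unbound.log"
    #log-queries: yes

    # Listen on every IPv4 address.  The access-control list below is the
    # only thing that keeps this from being an open resolver; also filter
    # 53/udp and 53/tcp at the network edge.
    interface: 0.0.0.0@53

    # Port, IP versions and transports.
    port: 53
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes

    # Clients allowed to make recursive queries: refuse by default, allow
    # only the networks this resolver serves.  Matching is by the most
    # specific netblock, not by file order.
    access-control: 0.0.0.0/0 refuse
    access-control: 103.152.236.0/23 allow
    access-control: 210.4.64.0/24 allow
    access-control: 10.253.0.0/16 allow
    access-control: 10.254.0.0/16 allow
    access-control: 10.255.0.0/16 allow

    # Root zone name servers used to prime recursion; keep the file current.
    root-hints: "/var/lib/unbound/root.hints"

    # Refuse the id.server/hostname.bind and version.server/version.bind
    # CHAOS queries so the software and host identity are not disclosed.
    hide-identity: yes
    hide-version: yes

    # Hardening against spoofed or poisoned answers.
    # harden-glue: trust glue records only when they are within the
    # authority of the server that sent them.
    harden-glue: yes
    # harden-dnssec-stripped: an answer for a trust-anchored zone that
    # arrives without its DNSSEC data is treated as bogus, not accepted.
    harden-dnssec-stripped: yes
    # 0x20 encoding: randomise the letter case of the query name and
    # require the reply to echo it, adding entropy against reply spoofing.
    use-caps-for-id: yes

    # Cache TTL bounds (seconds).  cache-min-ttl raises every TTL below one
    # hour, so records whose owner uses a short TTL (fail-over, dynamic
    # addresses) are served stale for up to an hour.  Do not raise further.
    cache-min-ttl: 3600
    cache-max-ttl: 86400

    # Re-fetch popular entries shortly before they expire.
    prefetch: yes

    # Worker threads.
    num-threads: 2

    ### Tweaks and optimizations
    # Slab counts must be a power of 2; a value close to num-threads is a
    # reasonable choice (slabs reduce lock contention between threads).
    msg-cache-slabs: 8
    rrset-cache-slabs: 8
    infra-cache-slabs: 8
    key-cache-slabs: 8
    # Cache and socket receive-buffer sizes (m = megabytes).
    rrset-cache-size: 51m
    msg-cache-size: 25m
    so-rcvbuf: 1m

    # DNS-rebinding protection: addresses in these ranges are removed from
    # answers for any name that is not under a private-domain entry.
    # NOTE(review): 210.4.64.0/24 and 103.152.236.0/23 are public ranges.
    # Listing them here means public names that legitimately resolve into
    # them get their address records stripped unless their domain is added
    # with private-domain -- confirm this is intended.
    private-address: 10.253.0.0/16
    private-address: 10.254.0.0/16
    private-address: 10.255.0.0/16
    private-address: 10.10.0.0/23
    private-address: 210.4.64.0/24
    private-address: 103.152.236.0/23

    # Count unsolicited replies per thread and, at the threshold, flush the
    # message and rrset caches to shake off a poisoning attempt.  The man
    # page suggests 10000000; with a value this low a modest burst of junk
    # replies empties the cache and sends every client back upstream --
    # confirm 10000 is deliberate.
    unwanted-reply-threshold: 10000

    # Allow unbound itself to send queries to 127.0.0.0/8 and ::1 (needed
    # only when an upstream or forwarder runs on localhost).  This governs
    # upstream targets, not client access -- clients are governed by
    # access-control above.  No forwarder is configured in this file, so
    # the setting has no visible effect here.
    do-not-query-localhost: no

    # The trust anchor is already configured at the top of this clause.
    #auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Strip records that are not properly signed from the additional
    # section of validated (secure) answers.
    val-clean-additional: yes

    ### Block popular advertising companies
    # 'redirect' answers the zone and every name below it from local-data,
    # so these domains and all their subdomains resolve to loopback.
    local-zone: "doubleclick.net" redirect
    local-data: "doubleclick.net A 127.0.0.1"
    local-zone: "googlesyndication.com" redirect
    local-data: "googlesyndication.com A 127.0.0.1"
    local-zone: "googleadservices.com" redirect
    local-data: "googleadservices.com A 127.0.0.1"
    local-zone: "google-analytics.com" redirect
    local-data: "google-analytics.com A 127.0.0.1"
    local-zone: "ads.youtube.com" redirect
    local-data: "ads.youtube.com A 127.0.0.1"
    local-zone: "adserver.yahoo.com" redirect
    local-data: "adserver.yahoo.com A 127.0.0.1"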
root@cloudns0:~# cat /etc/unbound/unbound.conf
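# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
include: "/etc/unbound/unbound.conf.d/*.conf"

# Forwarding resolver: listens on every interface (0.0.0.0 and ::0) and
# hands all queries to the public resolvers listed in forward-zone below.
# The options that follow belong to the server clause.  Without an
# explicit "server:" line they are only accepted if the last file pulled
# in by the include above happens to leave the parser inside a server
# clause, which depends on glob order -- so declare the clause here.
# Quotes must be plain ASCII double quotes; curly quotes become part of
# the value.
server:
    # Logging.  log-queries writes the client address and the name of every
    # query to logfile: personal data, and on a resolver serving whole
    # networks it grows quickly -- keep it on only while debugging.  The
    # logfile path must be writable by the unbound user.
    verbosity: 1  # increase to get more
    logfile: "/var/log/unbound/unbound.log"
    log-queries: yes

    # Listen on every IPv4 and IPv6 address.  Only the access-control list
    # below separates this from an open resolver; also filter 53/udp and
    # 53/tcp at the network edge.
    interface: 0.0.0.0@53
    interface: ::0@53

    # Port, IP versions and transports.
    port: 53
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes

    # Clients allowed to make recursive queries.  Matching is by the most
    # specific netblock, not by file order; addresses that match nothing
    # (IPv6 included) fall back to unbound's default of refuse.
    # NOTE(review): 2403:4000::/32 is the size of a whole provider
    # allocation, not a customer network.  Every address allowed here can
    # use this server for reflection/amplification, so narrow the entry to
    # the prefixes actually served.
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.1 allow
    access-control: ::1 allow
    access-control: 210.4.64.0/24 allow
    access-control: 210.4.77.0/24 allow
    access-control: 10.255.0.0/16 allow
    access-control: 2403:4000::/32 allow

    # Require DNSSEC data for trust-anchored zones: answers that arrive
    # stripped of signatures are treated as bogus.  This only has effect
    # when a trust anchor is configured; none is set in this file, so it is
    # expected to come from the included unbound.conf.d files -- verify
    # with unbound-checkconf.
    harden-dnssec-stripped: yes

    # Cache TTL bounds (seconds).  Do not push the minimum above an hour:
    # records with shorter owner-set TTLs (dynamic addresses, fail-over)
    # are served stale until the minimum expires.
    cache-min-ttl: 3600
    cache-max-ttl: 86400

    # Performance tuning -- size these to the client count and hardware.
    # Slab counts must be a power of 2, close to num-threads.
    num-threads: 2
    msg-cache-slabs: 4
    rrset-cache-slabs: 4
    infra-cache-slabs: 4
    key-cache-slabs: 4
    # Cache and socket receive-buffer sizes (m = megabytes).
    rrset-cache-size: 128m
    msg-cache-size: 32m
    so-rcvbuf: 1m

    # Local zone this server answers authoritatively (example, disabled).
    # Add every local host as a local-data entry like the one shown.
    #private-domain: "home.asrivas.me"
    #local-zone: "home.asrivas.me" static
    #local-data: "webserver.home.asrivas.me IN A 192.168.1.143"

    # Ad-server blackhole.  'redirect' answers the zone and every name
    # below it from local-data, so clients get loopback for these domains;
    # useful for devices where ad blocking cannot be configured locally.
    # Note that "ask.com" covers the whole domain, search site included.
    local-zone: "doubleclick.net" redirect
    local-data: "doubleclick.net A 127.0.0.1"
    local-zone: "googlesyndication.com" redirect
    local-data: "googlesyndication.com A 127.0.0.1"
    local-zone: "googleadservices.com" redirect
    local-data: "googleadservices.com A 127.0.0.1"
    local-zone: "google-analytics.com" redirect
    local-data: "google-analytics.com A 127.0.0.1"
    local-zone: "ads.youtube.com" redirect
    local-data: "ads.youtube.com A 127.0.0.1"
    local-zone: "adserver.yahoo.com" redirect
    local-data: "adserver.yahoo.com A 127.0.0.1"
    local-zone: "ask.com" redirect
    local-data: "ask.com A 127.0.0.1"

# Forward everything not answered locally to public resolvers.
# This is plain DNS on port 53, visible in the clear to every operator
# listed.  The '#name' suffix is only used when forward-tls-upstream is
# enabled (normally with @853), and then it must be the hostname in the
# upstream's certificate -- "cloudfare.ipv6" and "BDCOM.ipv6" are labels,
# not certificate names, and would need replacing before turning TLS on.
forward-zone:
    name: "."
    forward-addr: 1.0.0.1@53#one.one.one.one
    forward-addr: 1.1.1.1@53#one.one.one.one
    forward-addr: 8.8.4.4@53#dns.google
    forward-addr: 8.8.8.8@53#dns.google
    forward-addr: 9.9.9.9@53#dns.quad9.net
    forward-addr: 149.112.112.112@53#dns.quad9.net
    forward-addr: 2606:4700:4700::1003@53#cloudfare.ipv6
    forward-addr: 2606:4700:4700::1113@53#cloudfare.ipv6
    forward-addr: 2403:4000:0:2::3@53#BDCOM.ipv6
    forward-addr: 2403:4000:0:2::4@53#BDCOM.ipv6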