habibzain Just husband, father and enthusiastic men about System Administration. Love to write short article about it. Perhaps can help and be useful for others.

Install Unbound Ubuntu 20.04/22.04 With Package Manager



Hi Dude, this article continues the Unbound DNS resolver installation series. In the previous article we installed the latest Unbound by downloading the source and compiling it manually. In this post we install Unbound on Ubuntu 20.04/22.04 as a DNS resolver using the package manager.

The installation steps are basically the same; what differs is the source. Compiling from source gives us the latest release, while the package manager only gives the version in the Ubuntu repository (1.9.4 on 20.04, as shown below). In exchange, security fixes arrive through the normal apt update channel instead of us tracking upstream ourselves. Ok, let's do it.

In this post I use two hosts:

  • 1 Ubuntu host running Unbound, IP 10.12.12.128.
  • 1 Windows host as the client, IP 10.12.12.122.

Install Unbound Ubuntu 20.04 From Package Manager

apt update
apt install unbound net-tools bind9-dnsutils

net-tools provides netstat (ss from iproute2 does the same job and is already installed) and bind9-dnsutils provides dig, which we use for testing. After the packages are installed, check the listening ports with netstat:

habibza@habibzasrv:~$ sudo netstat -tulpn

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      49197/unbound
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      819/systemd-resolve
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      885/sshd: /usr/sbin
tcp6       0      0 ::1:53                  :::*                    LISTEN      49197/unbound
tcp6       0      0 :::22                   :::*                    LISTEN      885/sshd: /usr/sbin
udp        0      0 127.0.0.1:53            0.0.0.0:*                           49197/unbound
udp        0      0 127.0.0.53:53           0.0.0.0:*                           819/systemd-resolve
udp        0      0 10.12.12.128:68         0.0.0.0:*                           817/systemd-network
udp6       0      0 ::1:53                  :::*                                49197/unbound

As we can see, port 53 is used by both unbound and systemd-resolved, on different loopback addresses: the systemd-resolved stub listens on 127.0.0.53 and the packaged Unbound listens only on 127.0.0.1 (and ::1) by default, so nothing on the network can reach it yet.

Let's check the status of unbound.service.

[screenshot: starting unbound]

And also the version of Unbound:

habibza@habibzasrv:~$ unbound -V
Version 1.9.4

Configure line: --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-silent-rules --libdir=${prefix}/lib/x86_64-linux-gnu --libexecdir=${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking --disable-rpath --with-pidfile=/run/unbound.pid --with-rootkey-file=/var/lib/unbound/root.key --with-libevent --with-pythonmodule --enable-subnet --enable-dnstap --enable-systemd --with-chroot-dir= --with-dnstap-socket-path=/run/dnstap.sock --libdir=/usr/lib
Linked libs: libevent 2.1.11-stable (it uses epoll), OpenSSL 1.1.1f  31 Mar 2020
Linked modules: dns64 python subnetcache respip validator iterator

BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues

Testing the resolver locally

To verify that the server works, test it before pointing the whole network at it. We can test on the machine where Unbound is installed (locally) and, once Unbound is exposed to the network, from any other machine (remotely) that will use the resolver.


The command for testing locally on the Unbound machine is dig example.com @127.0.0.1. In this example I query the MX records of yahoo.com: dig mx yahoo.com @127.0.0.1.

[screenshot: dig result from the unbound service]

As the output shows, the MX answer for yahoo.com came from 127.0.0.1#53, i.e. from Unbound. Two things in the header are worth checking: status: NOERROR means the resolver answered, and the ad flag in the flags line only appears once DNSSEC validation is working (trust anchor section below); without a trust anchor you get answers but no ad flag.

Determine /etc/resolv.conf as default resolver services

By default, Ubuntu runs the systemd-resolved stub resolver, which listens on 127.0.0.53:53. As long as it holds that socket, Unbound cannot bind 0.0.0.0:53 (a wildcard bind conflicts with any specific address already bound on that port), and /etc/resolv.conf still points local clients at the stub rather than at Unbound.

There are two ways to handle this.

Unbound and systemd-resolved Run Together

The resolver the machine uses is configured in /etc/systemd/resolved.conf through the DNS= entry. By default local clients talk to the stub on 127.0.0.53, which forwards to the per-link DNS servers learned from DHCP. We set DNS= to 127.0.0.1 (or whatever address Unbound is bound to) so that systemd-resolved forwards to Unbound, and we set DNSStubListener=no so that the stub no longer occupies 127.0.0.53:53 and Unbound can later bind all interfaces. With the stub switched off, programs on this host read /etc/resolv.conf directly, so that file must list Unbound (the symlink step below takes care of that). We also enable DNSSEC=yes so that queries that still go through systemd-resolved are validated there as well. With your favourite text editor (e.g. vim) modify the file:

vim /etc/systemd/resolved.conf

Here, under the [Resolve] header, we add (or rather enable by removing the "#") the options:

[Resolve]
DNS=127.0.0.1
#FallbackDNS=
#Domains=
DNSSEC=yes
#DNSOverTLS=no
#MulticastDNS=no
#LLMNR=no
#Cache=no-negative
DNSStubListener=no
#DNSStubListenerExtra=

To actually have the system use Unbound, point /etc/resolv.conf at the file systemd-resolved generates with the configured DNS servers (on Ubuntu it is normally a symlink to stub-resolv.conf, which names the stub on 127.0.0.53):

ln -fs /run/systemd/resolve/resolv.conf /etc/resolv.conf

With this file modified, we can restart using this configuration with:

systemctl restart systemd-resolved

After the restart, check /etc/resolv.conf; it should now name 127.0.0.1. Be aware that systemd-resolved writes every DNS server it knows into this file, which may include per-link servers learned from DHCP (10.12.12.2 on ens33 in the status below). glibc falls back to the next nameserver when the first one times out or returns SERVFAIL, and SERVFAIL is exactly what a validating resolver returns for a bogus DNSSEC answer, so such an extra entry is a path around Unbound. Either remove the per-link DNS servers from the network configuration or use the second method below, which writes only the Unbound address.

Check the status of the unbound and systemd-resolved services.

Check systemd-resolve --status (on 22.04 the same information comes from resolvectl status):

root@habibza:~# systemd-resolve --status
Global
       LLMNR setting: no
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: yes
    DNSSEC supported: yes
         DNS Servers: 127.0.0.1
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa
                      18.172.in-addr.arpa
                      19.172.in-addr.arpa
                      20.172.in-addr.arpa
                      21.172.in-addr.arpa
                      22.172.in-addr.arpa
                      23.172.in-addr.arpa
                      24.172.in-addr.arpa
                      25.172.in-addr.arpa
                      26.172.in-addr.arpa
                      27.172.in-addr.arpa
                      28.172.in-addr.arpa
                      29.172.in-addr.arpa
                      30.172.in-addr.arpa
                      31.172.in-addr.arpa
                      corp
                      d.f.ip6.arpa
                      home
                      internal
                      intranet
                      lan
                      local
                      private
                      test

Link 2 (ens33)
      Current Scopes: DNS
DefaultRoute setting: yes
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: yes
    DNSSEC supported: yes
  Current DNS Server: 10.12.12.2
         DNS Servers: 10.12.12.2
          DNS Domain: localdomain

Unbound Replaces the Role of systemd-resolved

The second way is for Unbound to replace systemd-resolved entirely as the default resolver in /etc/resolv.conf.

When Unbound is installed from the package manager, two services are created: unbound.service and unbound-resolvconf.service. The latter is enabled but not running, because its start condition (a resolvconf implementation present on the system) is not met:

root@habibza:~# systemctl status unbound-resolvconf.service
 unbound-resolvconf.service - Unbound DNS server via resolvconf
     Loaded: loaded (/lib/systemd/system/unbound-resolvconf.service; enabled; vendor preset: enabled)
     Active: inactive (dead)
  Condition: start condition failed at Tue 2022-07-26 11:34:02 WIB; 15min ago

Jul 26 11:34:01 habibza systemd[1]: Condition check resulted in Unbound DNS server via resolvconf being skipped.

The first thing to do is let a resolvconf implementation manage /etc/resolv.conf. Install the openresolv package:

apt install openresolv

After openresolv is installed, stop and disable systemd-resolved:

systemctl stop systemd-resolved.service
systemctl disable systemd-resolved.service

Remove /etc/resolv.conf (on Ubuntu it is a symlink into /run/systemd/resolve, so -r is not needed); unbound-resolvconf.service will regenerate it. Between this step and the next the host has no working resolver, so do the two steps together and from a console or an SSH session that is already established.

 rm -f /etc/resolv.conf

Ok, after that restart unbound.service and unbound-resolvconf.service and check the result:

 systemctl restart unbound.service
 systemctl restart unbound-resolvconf.service
 cat /etc/resolv.conf
# Generated by resolvconf
nameserver 127.0.0.1

The "Generated by resolvconf" header shows that unbound-resolvconf.service is working, and the file lists only 127.0.0.1, so every lookup on this host now goes through Unbound.
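Whichever of the two methods is used, the property to verify on the host (and on any client you point at the resolver) is that every nameserver in resolv.conf is the Unbound address: any other entry is a path around Unbound and around its DNSSEC validation and access rules. The script below is an added example and not part of the original post; it extracts the nameservers from a resolv.conf body and reports the ones that are not in the allowed list. The two embedded resolv.conf samples are constructed: the first matches the file generated above, the second is the shape /run/systemd/resolve/resolv.conf takes with the first method when a link still carries the DHCP-learned server 10.12.12.2 seen in the status output.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: audit the resolv.conf a
# host ends up with after either method above. Every nameserver must be
# the Unbound address; anything else bypasses Unbound (glibc moves to the
# next nameserver on timeout or SERVFAIL, and SERVFAIL is what a
# validating resolver returns for a bogus DNSSEC answer).

# Print the nameserver addresses from a resolv.conf body on stdin,
# skipping comments, blank lines and search/options lines.
resolv_nameservers() {
  awk '$1 == "nameserver" && NF >= 2 { print $2 }'
}

# Print the nameservers in $1 (a resolv.conf body) that are not among the
# allowed resolver addresses given as the remaining arguments.
resolv_bypass_servers() {
  local body=$1
  shift
  local ns allowed hit
  for ns in $(printf '%s\n' "$body" | resolv_nameservers); do
    hit=0
    for allowed in "$@"; do
      if [ "$ns" = "$allowed" ]; then hit=1; fi
    done
    if [ "$hit" -eq 0 ]; then printf '%s\n' "$ns"; fi
  done
  return 0
}

# Exit 0 if the body only names allowed resolvers, 1 otherwise (offenders
# go to stderr). Live use: resolv_check "$(cat /etc/resolv.conf)" 127.0.0.1
resolv_check() {
  local bad
  bad=$(resolv_bypass_servers "$@")
  if [ -n "$bad" ]; then
    printf 'resolv.conf bypasses Unbound via: %s\n' "$bad" >&2
    return 1
  fi
  return 0
}

# Constructed sample 1: the file unbound-resolvconf.service generated above.
SAMPLE_RESOLVCONF_OK='# Generated by resolvconf
nameserver 127.0.0.1'

# Constructed sample 2: /run/systemd/resolve/resolv.conf with method 1 when
# ens33 still has the DHCP-learned DNS server 10.12.12.2 from the status
# output above. 10.12.12.2 is reachable without any Unbound policy.
SAMPLE_RESOLVCONF_LEAK='# This is /run/systemd/resolve/resolv.conf managed by man:systemd-resolved(8).
nameserver 127.0.0.1
nameserver 10.12.12.2
search localdomain'

if [ "${1:-}" = "--demo" ]; then
  resolv_check "$SAMPLE_RESOLVCONF_OK" 127.0.0.1 && echo "sample 1: only Unbound"
  resolv_check "$SAMPLE_RESOLVCONF_LEAK" 127.0.0.1 || echo "sample 2: bypass found"
fi
```

On a client that should only ever use the resolver from this post, the allowed list is just 10.12.12.128; on the server itself it is 127.0.0.1 (and ::1 if you enable do-ip6). Running the check from cron or a configuration-management handler catches the usual regression, a DHCP renewal or netplan change that quietly adds another nameserver.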


Setting unbound.conf

For the first setup we can use a simple configuration and tune it later.

The default config is at /etc/unbound/unbound.conf. On the Ubuntu package this file only contains an include of /etc/unbound/unbound.conf.d/*.conf; keep that include line (otherwise the drop-ins in that directory, such as the trust anchor file mentioned below, are no longer read) and add the following:

server:
        # location of the trust anchor file that enables DNSSEC
        # auto-trust-anchor-file: "/var/lib/unbound/root.key"
        # send minimal amount of information to upstream servers to enhance privacy
        qname-minimisation: yes
        # the interface that is used to connect to the network (this will listen to all interfaces)
        interface: 0.0.0.0
        # interface: ::0
        # addresses from the IP range that are allowed to connect to the resolver
        access-control: 192.168.0.0/16 allow
        access-control: 10.0.0.0/8 allow
        # access-control: 2001:DB8/64 allow
        do-ip4: yes
        do-ip6: no
        do-udp: yes
        do-tcp: yes
remote-control:
        # allows controlling unbound using "unbound-control"
        control-enable: yes

interface: 0.0.0.0 makes Unbound listen on every IPv4 address of the machine, and access-control allows queries only from 192.168.0.0/16 and 10.0.0.0/8; Unbound refuses everything else by default (localhost excepted). Check this carefully on a host that also has a public address: a resolver that listens on all interfaces with the wrong allow list is an open resolver and will be abused for DNS amplification, so also filter port 53 at the host firewall on the public side.
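As an added example that is not the post's own configuration, here is the same server fragment with the settings a practitioner would tighten before exposing port 53 to the network. The include line, access-control, private-address, private-domain, hide-* and harden-* directives are standard unbound.conf(5) options available in the 1.9.4 build shown above; corp.example is a placeholder for your own internal zone.

```conf
# Added example (not the post's config): the post's server fragment with
# the weak defaults tightened. Keep the package's drop-in directory so the
# trust anchor drop-in stays in effect.
include: "/etc/unbound/unbound.conf.d/*.conf"

server:
        interface: 0.0.0.0
        # Weak form: allow rules only, relying on the implicit refuse.
        # Make the deny explicit and keep the allow list to your own ranges.
        access-control: 0.0.0.0/0 refuse
        access-control: 127.0.0.0/8 allow
        access-control: 10.0.0.0/8 allow
        access-control: 192.168.0.0/16 allow

        # Do not leak resolver identity/version to clients (CH TXT queries).
        hide-identity: yes
        hide-version: yes

        # Reject public names that resolve to private addresses (DNS
        # rebinding), except inside your own internal zone.
        private-address: 10.0.0.0/8
        private-address: 172.16.0.0/12
        private-address: 192.168.0.0/16
        private-domain: "corp.example"   # placeholder: your internal zone

        # Cache-poisoning and downgrade hardening.
        harden-glue: yes
        harden-dnssec-stripped: yes
        harden-below-nxdomain: yes
        use-caps-for-id: yes
        unwanted-reply-threshold: 10000
        qname-minimisation: yes

        do-ip4: yes
        do-ip6: no
        do-udp: yes
        do-tcp: yes

remote-control:
        control-enable: yes
        # control channel reachable only from this host
        control-interface: 127.0.0.1
```

Run unbound-checkconf after editing, as below; a typo in an access-control netmask is the most common way to end up either locked out or wide open.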

When we have modified the configuration, we check it for mistakes with the unbound-checkconf command:

root@habibza:~# unbound-checkconf /etc/unbound/unbound.conf
unbound-checkconf: no errors in /etc/unbound/unbound.conf

Testing the setup

After running unbound-checkconf, you can test the setup by running Unbound in the foreground in "debug" mode. This shows what happens during startup and catches errors that the service would only log. The unbound(8) manpage shows that the -d flag starts Unbound in this mode and that -c specifies the path to the config file. Increasing the log verbosity to 1 or 2 (-v or -vv) shows what is actually happening. Stop the unbound service first, otherwise the foreground instance cannot bind port 53. Stop the debug instance with Ctrl+C.

unbound -d -vv -c /etc/unbound/unbound.conf

Set up Remote Control

unbound-control-setup creates the cryptographic material needed for the remote-control channel: a self-signed server certificate and a client certificate signed by it. unbound-control authenticates to the daemon with that client certificate, so the private keys are only readable by root (mode 0640 in the listing below).

root@habibza:~# unbound-control-setup
setup in directory /etc/unbound
unbound_server.key exists
unbound_control.key exists
create unbound_server.pem (self signed certificate)
create unbound_control.pem (signed client certificate)
Signature ok
subject=CN = unbound-control
Getting CA Private Key
Setup success. Certificates created. Enable in unbound.conf file to use
root@habibza:/etc/unbound# ls -al /etc/unbound/
total 32
drwxr-xr-x   3 root root 4096 Jul 26 15:22 .
drwxr-xr-x 102 root root 4096 Jul 26 14:59 ..
-rw-r--r--   1 root root 1130 Jul 26 15:20 unbound.conf
drwxr-xr-x   2 root root 4096 Jul 26 14:58 unbound.conf.d
-rw-r-----   1 root root 2455 Jul 26 11:33 unbound_control.key
-rw-r-----   1 root root 1342 Jul 26 15:22 unbound_control.pem
-rw-r-----   1 root root 2459 Jul 26 11:33 unbound_server.key
-rw-r-----   1 root root 1334 Jul 26 15:22 unbound_server.pem

Add the certificate paths to the remote-control section of unbound.conf to complete the remote control setup. Keeping control-interface on 127.0.0.1 means the control channel is only reachable from the host itself:

remote-control:
        # allows controling unbound using "unbound-control"
        control-enable: yes
        control-interface: 127.0.0.1
        control-port: 953
        server-key-file: "/etc/unbound/unbound_server.key"
        server-cert-file: "/etc/unbound/unbound_server.pem"
        control-key-file: "/etc/unbound/unbound_control.key"
        control-cert-file: "/etc/unbound/unbound_control.pem"

Set up Trust Anchor (Enable DNSSEC)

To enable DNSSEC, which we strongly recommend, we need to set up a trust anchor as it allows the verification of the integrity of the responses to the queries you send.


The unbound-anchor command helps with this.

unbound-anchor performs the initial setup: it writes the trust anchor from the built-in root key and, if that copy no longer validates, fetches the current root-anchors.xml from IANA over HTTPS and verifies it against the embedded ICANN certificate. After that, Unbound itself keeps the anchor up to date with RFC 5011 automated updates, so the user Unbound runs as (unbound on Ubuntu) must be able to read and write the file; a root.key that only root can write produces warnings in the log and no key rollover. The default location of the file depends on the installation method.

When compiled from source, the default is /usr/local/etc/unbound/root.key. The Ubuntu package was built with --with-rootkey-file=/var/lib/unbound/root.key (see the configure line in the unbound -V output above) and enables it through the drop-in /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf, which is why auto-trust-anchor-file is left commented out in the server section above.

unbound-anchor

Final step, restart the unbound service:

systemctl restart unbound

Testing the DNS Resolver and DNSSEC from the Client

After the configuration is finished, test from the client. On the client host, point the DNS setting at the Unbound IP (10.12.12.128).

I use a web tool below to test DNSSEC.
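The local test with dig mx yahoo.com @127.0.0.1 above and the DNSSEC test from the client are really checking two fields of the dig output: the status in the HEADER line and the ad (authenticated data) flag. The script below is an added example and not part of the original post; it pulls both out of a dig transcript and classifies the answer, so the same check works from a shell on the client without a web tool. The three transcripts embedded in it are constructed, trimmed samples (the 192.0.2.1 address is from the documentation range); dig_check_live runs the identical check against a real resolver and needs dig from bind9-dnsutils and network access.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: classify a dig(1) answer.
#   validated  NOERROR, answers present, AD flag set   (signed zone, validated)
#   insecure   NOERROR, answers present, no AD flag    (unsigned zone, or resolver not validating)
#   servfail   SERVFAIL                                (bogus DNSSEC data, or upstream failure)
#   other      anything else (NXDOMAIN, REFUSED, empty answer, ...)

# Print the RCODE from the HEADER line of a dig transcript passed in $1.
dig_rcode() {
  printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p'
}

# Print the number of records in the ANSWER section.
dig_answer_count() {
  printf '%s\n' "$1" | sed -n 's/^;; flags:.*ANSWER: \([0-9]*\),.*/\1/p'
}

# Succeed only if the AD flag is present in the flags line. The flags are
# two-letter tokens separated by spaces and terminated by ";", so "ad" must
# be a whole token, not part of "ra" or "rd".
dig_has_ad() {
  printf '%s\n' "$1" | grep -Eq '^;; flags:( [a-z]{2})* ad( [a-z]{2})*;'
}

dig_classify() {
  local out=$1 rcode answers
  rcode=$(dig_rcode "$out")
  answers=$(dig_answer_count "$out")
  case "$rcode" in
    SERVFAIL) echo servfail ;;
    NOERROR)
      if [ "${answers:-0}" -gt 0 ]; then
        if dig_has_ad "$out"; then echo validated; else echo insecure; fi
      else
        echo other
      fi ;;
    *) echo other ;;
  esac
}

# Live check: dig_check_live 10.12.12.128 yahoo.com   (needs dig and network)
dig_check_live() {
  dig_classify "$(dig +dnssec "$2" "@$1")"
}

# Constructed sample: a validated answer from the resolver on 127.0.0.1.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.            3600    IN      A       192.0.2.1

;; SERVER: 127.0.0.1#53(127.0.0.1)'

# Constructed sample: same shape without AD, what you see before the
# trust anchor is set up, or for an unsigned zone.
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1235
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; SERVER: 127.0.0.1#53(127.0.0.1)'

# Constructed sample: what a validating resolver returns for a bogus zone.
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1236
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; SERVER: 127.0.0.1#53(127.0.0.1)'

if [ "${1:-}" = "--demo" ]; then
  for s in "$SAMPLE_VALIDATED" "$SAMPLE_INSECURE" "$SAMPLE_BOGUS"; do
    dig_classify "$s"
  done
fi
```

Two results are the interesting ones after enabling the trust anchor: a signed zone should come back validated, and a zone with deliberately broken signatures should come back servfail rather than insecure. If a signed zone comes back insecure, the resolver that answered is not validating, which usually means the client is still talking to a different nameserver than the one configured.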

Conclusion

That is all for Install Unbound Ubuntu 20.04. Unbound is very light and powerful.
