Hi Dude, this article is a continuation of the unbound DNS resolver installation series. In the previous article, we discussed how to install the unbound DNS resolver with the latest version using the installer, and then compiled it manually. In this post we will install Unbound on Ubuntu 20.04 as a DNS resolver using the package manager.
Basically the installation is the same; what differs is the source. By compiling we can use the latest version, but with the package manager we can only use the version available in the repository, so we cannot get the latest version. Ok, let's do it.
In this post, I use two hosts.
- 1 host, the unbound server, with IP 10.12.12.128.
- 1 host, a Windows client, with IP 10.12.12.122.
Install Unbound Ubuntu 20.04 From Package Manager
apt update
apt install unbound net-tools bind9-utils
After the package installation has finished, check the listening ports with the netstat command.
habibza@habibzasrv:~$ sudo netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 49197/unbound
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 819/systemd-resolve
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 885/sshd: /usr/sbin
tcp6 0 0 ::1:53 :::* LISTEN 49197/unbound
tcp6 0 0 :::22 :::* LISTEN 885/sshd: /usr/sbin
udp 0 0 127.0.0.1:53 0.0.0.0:* 49197/unbound
udp 0 0 127.0.0.53:53 0.0.0.0:* 819/systemd-resolve
udp 0 0 10.12.12.128:68 0.0.0.0:* 817/systemd-network
udp6 0 0 ::1:53 :::* 49197/unbound
As we can see, port 53 is shared by the unbound and systemd-resolve services. systemd-resolve uses 127.0.0.53 and unbound uses 127.0.0.1.
Let's check the status of unbound.service and also the version of unbound.
habibza@habibzasrv:~$ unbound -V
Version 1.9.4
Configure line: --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-silent-rules --libdir=${prefix}/lib/x86_64-linux-gnu --libexecdir=${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking --disable-rpath --with-pidfile=/run/unbound.pid --with-rootkey-file=/var/lib/unbound/root.key --with-libevent --with-pythonmodule --enable-subnet --enable-dnstap --enable-systemd --with-chroot-dir= --with-dnstap-socket-path=/run/dnstap.sock --libdir=/usr/lib
Linked libs: libevent 2.1.11-stable (it uses epoll), OpenSSL 1.1.1f 31 Mar 2020
Linked modules: dns64 python subnetcache respip validator iterator
BSD licensed, see LICENSE in source package for details.
Report bugs to [email protected] or https://github.com/NLnetLabs/unbound/issues
Testing the resolver locally
To verify that the server works correctly, it’s a good idea to test it before committing the entire network to it. Luckily we can test this on the machine that you installed Unbound on (locally) and from any other machine (remotely) that will be using the resolver after we expose Unbound to the network.
The command for testing locally on the Unbound machine is dig example.com @127.0.0.1. In this example I will run dig mx yahoo.com @127.0.0.1. As we can see, the dig result shows the MX answer for yahoo.com being served from 127.0.0.1.
Setting Unbound as the default resolver service in /etc/resolv.conf
By default, Ubuntu runs the systemd-resolved stub resolver, which listens on 127.0.0.53:53. You need to stop it so that unbound can bind to 0.0.0.0:53.
We have two ways to fix it.
Unbound and Systemd-resolve Run Together.
The resolver your machine uses by default is defined in /etc/systemd/resolved.conf in the DNS entry (it uses 127.0.0.53). While just changing this file will work as long as the machine doesn't reboot, we need to make sure that this change is persistent. To do that, we need to change the DNS entry to 127.0.0.1 (or whatever IP address Unbound is bound to) so the machine uses Unbound by default. To make the change persistent, we also need to set DNSStubListener to no so that it is not changed by our router (such as with a “recommended resolver”). We also want to enable the DNSSEC option so that we can verify the integrity of the responses we get to our DNS queries. With your favourite text editor (e.g. vim) we can modify the file:
vim /etc/systemd/resolved.conf
Here, under the [Resolve] header, we add (or rather, enable by removing the “#”) the options:
[Resolve]
DNS=127.0.0.1
#FallbackDNS=
#Domains=
DNSSEC=yes
#DNSOverTLS=no
#MulticastDNS=no
#LLMNR=no
#Cache=no-negative
DNSStubListener=no
#DNSStubListenerExtra=
To actually have the system start using Unbound, we then need to create a symlink so that /etc/resolv.conf points to the file we modified.
ln -fs /run/systemd/resolve/resolv.conf /etc/resolv.conf
With this file modified, we can restart using this configuration with:
systemctl restart systemd-resolved
After the restart, we can check the file /etc/resolv.conf. Check the status of the unbound and systemd-resolved services. Then check systemd-resolve --status.
root@habibza:~# systemd-resolve --status
Global
LLMNR setting: no
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: yes
DNSSEC supported: yes
DNS Servers: 127.0.0.1
DNSSEC NTA: 10.in-addr.arpa
16.172.in-addr.arpa
168.192.in-addr.arpa
17.172.in-addr.arpa
18.172.in-addr.arpa
19.172.in-addr.arpa
20.172.in-addr.arpa
21.172.in-addr.arpa
22.172.in-addr.arpa
23.172.in-addr.arpa
24.172.in-addr.arpa
25.172.in-addr.arpa
26.172.in-addr.arpa
27.172.in-addr.arpa
28.172.in-addr.arpa
29.172.in-addr.arpa
30.172.in-addr.arpa
31.172.in-addr.arpa
corp
d.f.ip6.arpa
home
internal
intranet
lan
local
private
test
Link 2 (ens33)
Current Scopes: DNS
DefaultRoute setting: yes
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: yes
DNSSEC supported: yes
Current DNS Server: 10.12.12.2
DNS Servers: 10.12.12.2
DNS Domain: localdomain
Unbound Replaces the Role of systemd-resolved
The second way is for unbound to replace the role of systemd-resolved as the default resolver in /etc/resolv.conf.
By default, if we install unbound from the package manager, two services are created: unbound.service and unbound-resolvconf.service, where unbound-resolvconf.service is not running.
root@habibza:~# systemctl status unbound-resolvconf.service
● unbound-resolvconf.service - Unbound DNS server via resolvconf
Loaded: loaded (/lib/systemd/system/unbound-resolvconf.service; enabled; vendor preset: enabled)
Active: inactive (dead)
Condition: start condition failed at Tue 2022-07-26 11:34:02 WIB; 15min ago
Jul 26 11:34:01 habibza systemd[1]: Condition check resulted in Unbound DNS server via resolvconf being skipped.
The first thing we have to do is hand the management of /etc/resolv.conf over to the openresolv service instead of systemd-resolved. Install the openresolv package first.
apt install openresolv
After openresolv is installed, we must stop the systemd-resolved service.
systemctl stop systemd-resolved.service
systemctl disable systemd-resolved.service
Remove /etc/resolv.conf; this file will be auto-generated by unbound-resolvconf.service.
rm -rf /etc/resolv.conf
Ok, after that restart unbound.service and unbound-resolvconf.service.
systemctl restart unbound.service
systemctl restart unbound-resolvconf.service
cat /etc/resolv.conf
# Generated by resolvconf
nameserver 127.0.0.1
We can see “Generated by resolvconf”, so unbound-resolvconf.service is running properly.
Setting up unbound.conf
For the first setup we can fill it with a simple configuration. We can tune it later.
The default config is found at /etc/unbound/unbound.conf
server:
    # location of the trust anchor file that enables DNSSEC
    # auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # send minimal amount of information to upstream servers to enhance privacy
    qname-minimisation: yes
    # the interface that is used to connect to the network (this will listen to all interfaces)
    interface: 0.0.0.0
    # interface: ::0
    # addresses from the IP range that are allowed to connect to the resolver
    access-control: 192.168.0.0/16 allow
    access-control: 10.0.0.0/8 allow
    # access-control: 2001:DB8::/64 allow
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes
remote-control:
    # allows controlling unbound using "unbound-control"
    control-enable: yes
The interface is currently configured to listen on any address of the machine, and the access-control entries only allow queries from the 192.168.0.0/16 and 10.0.0.0/8 subnet ranges; any source not matched by an access-control rule is refused by Unbound's default policy, apart from localhost.
When we’ve modified the configuration we check it for mistakes with the unbound-checkconf command:
root@habibza:~# unbound-checkconf /etc/unbound/unbound.conf
unbound-checkconf: no errors in /etc/unbound/unbound.conf
Testing the setup
After running the unbound-checkconf command to see if your config file is correct, you can test your setup by running Unbound in “debug” mode. This allows you to see what is happening during startup and catch any errors. The unbound(8) manpage shows that the -d flag will start Unbound in this mode. The manpage also shows that we can use the -c flag to specify the path to the config file, so we can use the one we created. We also recommend increasing the verbosity of the logging to 1 or 2, to see what is actually happening (-v or -vv). We can stop it with Ctrl+C on the keyboard.
unbound -d -vv -c unbound.conf
Set up Remote Control
Apart from an extensive config file, with just about all the possible configuration options, unbound-control-setup creates the cryptographic keys necessary for the control option.
root@habibza:~# unbound-control-setup
setup in directory /etc/unbound
unbound_server.key exists
unbound_control.key exists
create unbound_server.pem (self signed certificate)
create unbound_control.pem (signed client certificate)
Signature ok
subject=CN = unbound-control
Getting CA Private Key
Setup success. Certificates created. Enable in unbound.conf file to use
root@habibza:/etc/unbound# ls -al /etc/unbound/
total 32
drwxr-xr-x 3 root root 4096 Jul 26 15:22 .
drwxr-xr-x 102 root root 4096 Jul 26 14:59 ..
-rw-r--r-- 1 root root 1130 Jul 26 15:20 unbound.conf
drwxr-xr-x 2 root root 4096 Jul 26 14:58 unbound.conf.d
-rw-r----- 1 root root 2455 Jul 26 11:33 unbound_control.key
-rw-r----- 1 root root 1342 Jul 26 15:22 unbound_control.pem
-rw-r----- 1 root root 2459 Jul 26 11:33 unbound_server.key
-rw-r----- 1 root root 1334 Jul 26 15:22 unbound_server.pem
We have to add the paths of the certificates to complete the remote-control section in the unbound.conf file above.
remote-control:
    # allows controlling unbound using "unbound-control"
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 953
    server-key-file: "/etc/unbound/unbound_server.key"
    server-cert-file: "/etc/unbound/unbound_server.pem"
    control-key-file: "/etc/unbound/unbound_control.key"
    control-cert-file: "/etc/unbound/unbound_control.pem"
Set up Trust Anchor (Enable DNSSEC)
To enable DNSSEC, which we strongly recommend, we need to set up a trust anchor as it allows the verification of the integrity of the responses to the queries you send.
To help, we can use the unbound-anchor command.
unbound-anchor performs the setup by configuring a trust anchor. This trust anchor will only serve as the initial anchor from builtin values. To keep this anchor up to date, Unbound must be able to read and write to this file. The default location that unbound-anchor creates this in is determined by your installation method.
Usually the default directory is /usr/local/etc/unbound/, or /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf if we install unbound via apt.
unbound-anchor
Final step, restart service unbound.
systemctl restart unbound
Testing DNS Resolver and DNSSEC in Client.
After the configuration is finished, test it from the client. On the client host, point the DNS client to the IP of the unbound server.
I use the web tools below to test DNSSEC.
- https://dnssec.vs.uni-due.de/
- http://www.dnssec-or-not.com/
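A command-line check of the same property the web tools above test, as an added example that is not part of the original post: it runs dig +dnssec against the resolver and reads the response status and the AD flag, so a validated answer (NOERROR with AD) is told apart from a broken signature (SERVFAIL, no AD). It assumes dig is installed and uses this post's server address 10.12.12.128, overridable through RESOLVER.

```shell
#!/bin/sh
# Added example, not from the original post: verify from the command line that the
# resolver answers and validates DNSSEC, by parsing the status and AD flag in dig output.
# Assumes dig is installed; 10.12.12.128 is the unbound server used in this post.
RESOLVER="${RESOLVER:-10.12.12.128}"

# dig_status: print the response status (NOERROR, SERVFAIL, ...) from dig output on stdin
dig_status() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p'
}

# dig_has_ad: succeed if the dig output on stdin carries the AD (authenticated data) flag,
# which a validating resolver sets only when the answer passed DNSSEC validation
dig_has_ad() {
    grep -q '^;; flags:.* ad[ ;]'
}

# validation_verdict STATUS AD: classify a response the way a validating resolver behaves
#   validated = signed zone and signatures verified (NOERROR + AD)
#   bogus     = validation failed, Unbound answers SERVFAIL
#   insecure  = unsigned zone, answer returned without AD
validation_verdict() {
    case "$1:$2" in
        NOERROR:yes) echo validated ;;
        SERVFAIL:*)  echo bogus ;;
        NOERROR:no)  echo insecure ;;
        *)           echo unknown ;;
    esac
}

# verdict_from_output: read complete dig output on stdin and print the verdict
verdict_from_output() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | dig_status)
    if printf '%s\n' "$out" | dig_has_ad; then ad=yes; else ad=no; fi
    validation_verdict "$status" "$ad"
}

# check_domain NAME: query NAME through the resolver and print NAME plus its verdict
check_domain() {
    echo "$1: $(dig +dnssec "$1" @"$RESOLVER" 2>/dev/null | verdict_from_output)"
}

# Only talk to the network when a domain is given on the command line
if [ -n "${1:-}" ]; then
    check_domain "$1"
fi
```

Run it as sh check_dnssec.sh example.com: a signed zone prints validated, while a zone with deliberately broken signatures such as dnssec-failed.org prints bogus, which is the behaviour the DNSSEC=yes setting and the trust anchor above are meant to produce.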
Conclusion
This is the last word of the article Install Unbound Ubuntu 20.04. Unbound is very light and powerful.
Sources:
- https://unbound.docs.nlnetlabs.nl/en/latest/use-cases/home-resolver.html
- https://www.linuxbabe.com/ubuntu/set-up-unbound-dns-resolver-on-ubuntu-20-04-server
- https://askubuntu.com/questions/1081832/how-do-i-disable-systemd-resolved-and-replace-with-something-sane-on-ubuntu-18