for reference: https://docs.pi-hole.net/guides/unbound/
unbound essentially turns your local pi-hole dns server into a recursive dns server (one that walks the delegation chain itself instead of asking another resolver). see this for reference: https://social.dnsmadeeasy.com/blog/authoritative-vs-recursive-dns-servers-whats-the-difference/#:~:text=Authoritative name servers store DNS,for storing the domain's records.
what this means is your dns queries are resolved by your pi-hole itself, not by your ISP's resolver. this is good for several reasons, primarily privacy and speed (although it can be slightly slower at first, while unbound's cache is still cold). instead of your pi-hole forwarding its queries upstream to OpenDNS or Cloudflare, it starts at the root servers and follows their referrals down to the authoritative servers for each name, so no third-party resolver sees your full query history. this also removes the ISP resolver as a point of attack: cache poisoning or hijacking of an ISP resolver is rare, but it does happen, and since unbound validates DNSSEC itself (see the harden-* settings below) forged answers for signed zones are rejected rather than trusted.
see the pi-hole section of this wiki first and set up your pi-hole dns server if you have not already
ssh to your pi-hole host, then
sudo apt install unbound -y
this grabs the current root hints (the names and addresses of the root servers) from InterNIC. this list changes very infrequently, so we only need to do this during install, then maybe once every few months. we'll automate this with cron later.
wget https://www.internic.net/domain/named.root -qO- | sudo tee /var/lib/unbound/root.hints
sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf
paste the following:
server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0
    # Listen on localhost only: pi-hole is the only client, and this keeps unbound from being an open resolver
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    # May be set to yes if you have IPv6 connectivity
    do-ip6: no
    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Teredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no
    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    #root-hints: "/var/lib/unbound/root.hints"
    # Trust glue only if it is within the server's authority
    harden-glue: yes
    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes
    # Don't use capitalization randomization as it is known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no
    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472
    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes
    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1
    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m
    # Ensure privacy of local IP ranges: answers from the internet that point at these ranges are dropped (DNS rebinding protection)
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10
since we downloaded root.hints above, uncomment the root-hints line so it reads:
    root-hints: "/var/lib/unbound/root.hints"
exit and save (control x, y)
sudo unbound-checkconf
sudo service unbound restart
(unbound-checkconf catches syntax errors before the restart; a typo in the config leaves you with no working dns)
testing:
dig pi-hole.net @127.0.0.1 -p 5335
the first query may be slow (cold cache, unbound has to walk from the root), but should return an A record^
dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5335
dig sigok.verteiltesysteme.net @127.0.0.1 -p 5335
The first command should give a status report of SERVFAIL and no IP address. The second should give NOERROR plus an IP address. if sigfail comes back NOERROR with an address, unbound is not validating (check harden-dnssec-stripped and that the trust anchor in /etc/unbound/unbound.conf.d/ is in place) and the setup is not giving you the DNSSEC protection described above.
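the two dig commands above are easy to misread when the output scrolls by. the script below is an added example (not from the pi-hole or unbound docs): it parses a dig reply into the status code plus whether the ad (authentic data) flag is set, and only reports PASS when sigfail is refused with SERVFAIL and sigok is answered with ad set. the two sample replies embedded in it are constructed by hand so the parser can be exercised offline (192.0.2.1 is a documentation address, not a real answer); run it with --live to query the resolver for real. RESOLVER and PORT are assumed environment overrides, not anything unbound or pi-hole define.

```shell
#!/bin/sh
# Added example, not part of the Pi-hole/unbound docs: automate the sigfail/sigok
# validator check. dig_status parses a dig reply (stdin) into "<STATUS> <ad|noad>",
# validation_verdict decides whether that pair is what a working validator must
# produce, live_check runs the real queries against the resolver.

# Parse one dig reply read from stdin. Prints e.g. "SERVFAIL noad" or "NOERROR ad".
dig_status() {
    st=UNKNOWN; ad=noad
    while IFS= read -r line; do
        case $line in
            ';; ->>HEADER<<-'*)   # ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712"
                st=${line#*status:}; st=${st%%,*}; st=${st# } ;;
            ';; flags:'*)         # ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, ..."
                flags=${line#*flags:}; flags=${flags%%;*}
                case " $flags " in *' ad '*) ad=ad ;; esac ;;
        esac
    done
    printf '%s %s\n' "$st" "$ad"
}

# $1 = dig_status of sigfail, $2 = dig_status of sigok.
# Returns 0 only if the bogus zone is refused AND the good zone is answered with ad set;
# 2 if the good answer lacks ad (validator off, or the query carried neither DO nor AD);
# 1 otherwise.
validation_verdict() {
    case $1 in
        SERVFAIL*) ;;
        *) echo "FAIL: sigfail answered with '$1': bogus signatures are not being rejected"; return 1 ;;
    esac
    case $2 in
        'NOERROR ad')   echo "PASS: bogus data rejected, good data answered and marked authentic (ad)"; return 0 ;;
        'NOERROR noad') echo "WARN: sigok answered but without the ad flag"; return 2 ;;
        *)              echo "FAIL: sigok answered with '$2'"; return 1 ;;
    esac
}

# Constructed sample replies (not captured from a real resolver; 192.0.2.1 is a
# documentation address) so the parser can be exercised offline.
SIGFAIL_SAMPLE='; <<>> DiG 9.18.24 <<>> sigfail.verteiltesysteme.net @127.0.0.1 -p 5335
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;sigfail.verteiltesysteme.net.    IN    A'
SIGOK_SAMPLE='; <<>> DiG 9.18.24 <<>> sigok.verteiltesysteme.net @127.0.0.1 -p 5335
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 60    IN    A    192.0.2.1'

# Offline check of the parser and verdict logic on the constructed samples.
selftest() {
    f=$(printf '%s\n' "$SIGFAIL_SAMPLE" | dig_status)
    o=$(printf '%s\n' "$SIGOK_SAMPLE" | dig_status)
    validation_verdict "$f" "$o"
}

# Live check against the resolver. +dnssec sets the DO bit so unbound marks
# validated answers with ad. RESOLVER/PORT are assumed env overrides (defaults below).
live_check() {
    server=${RESOLVER:-127.0.0.1}; port=${PORT:-5335}
    f=$(dig +dnssec sigfail.verteiltesysteme.net @"$server" -p "$port" | dig_status)
    o=$(dig +dnssec sigok.verteiltesysteme.net @"$server" -p "$port" | dig_status)
    validation_verdict "$f" "$o"
}

case ${1-} in
    --live) live_check ;;   # ./check-validation.sh --live
    *)      selftest ;;     # offline parser check on the constructed samples
esac
```

the exit code (0 pass, 2 warn, 1 fail) makes it usable from cron or a monitoring check, which matters because a resolver that silently stops validating looks identical to a working one from the pi-hole dashboard.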
finally, configure Pi-hole to use your recursive DNS server by specifying 127.0.0.1#5335 as the Custom DNS (IPv4):
-login to webui as admin
-settings → dns
-uncheck previous upstream dns providers
-check custom, add 127.0.0.1#5335 under ipv4
-make sure to check dnssec
-uncheck the two "Never forward ..." options above it if you are using local dns records
click save at the bottom
remember that part about updating root hints via cron?
sudo nano /etc/cron.monthly/unbound
#!/bin/bash
# Refresh the root hints twice a year (January and July). Runs as root from cron.monthly.
M=$(date +%m)
if [ "$M" -eq 1 ] || [ "$M" -eq 7 ]; then
    O=/tmp/root.hints.$$
    # dig exits 0 even on a SERVFAIL, so also check the reply actually lists the root servers
    # before replacing the file unbound reads at startup
    if dig +bufsize=1200 +norec NS . @a.root-servers.net > "$O" 2>/dev/null \
       && grep -q 'root-servers.net' "$O"; then
        mv "$O" /var/lib/unbound/root.hints
        systemctl restart unbound
    else
        rm -f "$O"
    fi
fi
exit and save (control x, y), then make it executable, otherwise run-parts skips it:
sudo chmod +x /etc/cron.monthly/unbound