From c495962bc7d1da5b27adb0604d638d7965a5bd08 Mon Sep 17 00:00:00 2001 From: Neel Chauhan Date: Wed, 10 Jul 2024 21:13:41 -0400 Subject: [PATCH] New guide: Unbound Recursive DNS --- docs/guides/dns/unbound_recursive_dns.md | 98 ++++++++++++++++++++++++ 1 file changed, 98 insertions(+) create mode 100644 docs/guides/dns/unbound_recursive_dns.md diff --git a/docs/guides/dns/unbound_recursive_dns.md b/docs/guides/dns/unbound_recursive_dns.md new file mode 100644 index 0000000000..0029e1f49d --- /dev/null +++ b/docs/guides/dns/unbound_recursive_dns.md @@ -0,0 +1,98 @@ +--- +title: Unbound Recursive DNS +author: Neel Chauhan +contributors: +tested_with: 9.4 +tags: + - dns +--- + +An alternative to BIND, [Unbound](https://www.nlnetlabs.nl/projects/unbound/about/) is a modern validating, recursive and caching DNS server maintained by [NLnet Labs](https://www.nlnetlabs.nl/). + +## Prerequisites and assumptions + +- A server running Rocky Linux +- Able to use `firewalld` for creating firewall rules + +## Introduction + +There are two types of DNS servers: authoritative and recursive. Whereas authoritative DNS servers advertise a DNS zone, recursive servers resolve queries on behalf of clients by forwarding them to an ISP or public DNS resolver, or the root zones for larger servers. + +As an example, your home router is likely running an embedded recursive DNS resolver to forward to your ISP or a well-known public DNS server which is also a recursive DNS server. + +## Installing and enabling Unbound + +Install Unbound: + +```bash +dnf install unbound +``` + +## Configuring Unbound + +Before making changes to any configuration file, move the original installed working file, `unbound.conf`: + +```bash +cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.orig +``` + +That will help in the future if the introduction of errors into the configuration file occurs. It is *always* a good idea to make a backup copy before making changes. + +Edit the *unbound.conf* file. The author uses *vi*, but you can substitute your favorite command line editor: + +```bash +vi /etc/unbound/unbound.conf +``` + +Insert the following: + +```bash +server: + interface: 0.0.0.0 + interface: :: + access-control: 192.168.0.0/16 allow + access-control: 2001:db8::/64 allow + +forward-zone: + name: "." + forward-addr: 1.0.0.1@53 + forward-addr: 1.1.1.1@53 +``` + +Replace `192.168.0.0/16` and `2001:db8::/64` with the subnets you are resolving DNS queries for. Save your changes. + +### Taking a closer look + +- The `interface` denotes the interfaces (IPv4 or IPv6) you want to listen for DNS queries on. We are listening on all interfaces with `0.0.0.0` and `::`. +- The `access-control` denotes which subnets (IPv4 or IPv6) you want to allow DNS queries from. We are allowing requests from `192.168.0.0/16` and `2001:db8::/64`. +- The `forward-addr` defines the servers we will forward to. We are forwarding to CloudFlare's 1.1.1.1. + +## Enabling Unbound + +Next, allow DNS ports in `firewalld` and enable Unbound: + +```bash +firewall-cmd --add-service=dns --zone=public +firewall-cmd --runtime-to-permanent +systemctl enable --now unbound +``` + +Check DNS resolution with the `host` command: + +```bash +$ host google.com 172.20.0.100 +Using domain server: +Name: 192.168.50.209 +Address: 192.168.50.209#53 +Aliases: + +google.com has address 142.251.215.238 +google.com has IPv6 address 2607:f8b0:400a:805::200e +google.com mail is handled by 10 smtp.google.com. +``` + +% +## Conclusion +Most people use their home router's DNS resolver or public DNS resolvers run by ISPs and tech companies. In homelab and large networks it is a norm to run a network-wide resolver to reduce latency and network load by caching DNS requests for commonly-requested websites such as Google. A network-wide resolver also enables intranet services such as SharePoint and Active Directory. + +Unbound is one of many open source tools that make resolving DNS possible. Congratulations, you have your very own DNS resolver! Cheers!