====== DNS & Unbound ======

===== Installing unbound =====

<code bash>
apt-get update
apt-get install unbound
</code>

===== Updating the list of root DNS servers =====

<code bash>
wget ftp://FTP.INTERNIC.NET/domain/named.cache -O /etc/unbound/root.hints
</code>

===== DNSSEC =====

Source: https://data.iana.org/root-anchors/root-anchors.xml

<code bash>
nano /etc/unbound/root.key
</code>

Contents of /etc/unbound/root.key (the DS record of the root KSK from the IANA file above):

<code>
. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
</code>

The file must be owned by unbound, because auto-trust-anchor-file rewrites it when it tracks key rollovers (RFC 5011):

<code bash>
chown unbound:unbound /etc/unbound/root.key
</code>

===== Configuring unbound =====

/etc/unbound/unbound.conf:

<code>
server:
    verbosity: 1
    interface: 1.2.3.4                  # IPv4
    port: 53
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes
    access-control: 0.0.0.0/0 allow     # everyone has access
    auto-trust-anchor-file: "/etc/unbound/root.key"
    root-hints: "/etc/unbound/root.hints"
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: yes
    cache-min-ttl: 3600
    cache-max-ttl: 86400
    prefetch: yes
    num-threads: 6
    msg-cache-slabs: 8
    rrset-cache-slabs: 8
    infra-cache-slabs: 8
    key-cache-slabs: 8
    rrset-cache-size: 256m
    msg-cache-size: 128m
    so-rcvbuf: 1m
    unwanted-reply-threshold: 10000
    do-not-query-localhost: yes
    val-clean-additional: yes
    use-syslog: yes
    logfile: /var/log/unbound.log
    # If a local domain is needed
    private-domain: "home.local"
    include: "/etc/unbound/block-zone.conf"
    include: "/etc/unbound/local-zone.conf"
    include: "/etc/unbound/forward-zone.conf"
</code>

Note: with access-control: 0.0.0.0/0 allow on a public interface this is an open resolver that anyone on the internet can query; unless that is intended, restrict it to your client networks (for example 10.0.0.0/24 for the home.local hosts below). Also, use-syslog: yes takes precedence over logfile, so the log file is only written when syslog is turned off.

/etc/unbound/block-zone.conf (advertising domains redirected to 127.0.0.1; a redirect zone also answers for every subdomain):

<code>
local-zone: "doubleclick.net" redirect
local-data: "doubleclick.net A 127.0.0.1"
local-zone: "googlesyndication.com" redirect
local-data: "googlesyndication.com A 127.0.0.1"
local-zone: "googleadservices.com" redirect
local-data: "googleadservices.com A 127.0.0.1"
local-zone: "google-analytics.com" redirect
local-data: "google-analytics.com A 127.0.0.1"
local-zone: "ads.youtube.com" redirect
local-data: "ads.youtube.com A 127.0.0.1"
local-zone: "adserver.yahoo.com" redirect
local-data: "adserver.yahoo.com A 127.0.0.1"
local-zone: "ask.com" redirect
local-data: "ask.com A 127.0.0.1"
</code>
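As an added helper (not part of the original page), the following Python generates the two kinds of include files used by this configuration: redirect local-zones for block-zone.conf and a static local zone with matching A and PTR records for local-zone.conf. Names and addresses are validated before anything is emitted; the sample values in the main guard are the ones used on this page.

```python
"""Generate Unbound include files: a block list of 'redirect' local-zones
(answers for the name and every subdomain) and a static LAN zone with
forward A records plus matching reverse PTR records."""
import ipaddress
import re

# Conservative host-name syntax: letters, digits and hyphens per label.
HOSTNAME_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$")


def block_zone(domains, sink="127.0.0.1"):
    """Return block-zone.conf text; duplicates and trailing dots are normalised."""
    lines = []
    for name in sorted({d.strip().lower().rstrip(".") for d in domains}):
        if not HOSTNAME_RE.match(name):
            raise ValueError(f"invalid domain name: {name!r}")
        lines.append(f'local-zone: "{name}" redirect')
        lines.append(f'local-data: "{name} A {sink}"')
    return "\n".join(lines) + "\n"


def local_zone(zone, hosts):
    """Return local-zone.conf text for a static zone; hosts maps name -> IPv4."""
    zone = zone.rstrip(".")
    lines = [f'local-zone: "{zone}." static']
    for host, addr in hosts.items():
        ip = ipaddress.IPv4Address(addr)  # raises ValueError on a bad address
        lines.append(f'local-data: "{host}.{zone}. IN A {ip}"')
    for host, addr in hosts.items():
        # Unbound creates the in-addr.arpa zone for local-data-ptr itself.
        lines.append(f'local-data-ptr: "{addr} {host}.{zone}"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Sample values taken from the configuration on this page.
    print(block_zone(["doubleclick.net", "googlesyndication.com", "ads.youtube.com"]))
    print(local_zone("home.local", {"firewall": "10.0.0.1", "laptop": "10.0.0.2"}))
```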
To block other sites, add a pair of this form:

<code>
# local-zone: "domaine.com" redirect
# local-data: "domaine.com A 127.0.0.1"
</code>

/etc/unbound/local-zone.conf:

<code>
local-zone: "home.local." static
local-data: "firewall.home.local. IN A 10.0.0.1"
local-data: "laptop.home.local. IN A 10.0.0.2"
local-data: "xboxone.home.local. IN A 10.0.0.3"
local-data: "ps4.home.local. IN A 10.0.0.4"
local-data: "dhcp.home.local. IN A 10.0.0.5"
local-data-ptr: "10.0.0.1 firewall.home.local"
local-data-ptr: "10.0.0.2 laptop.home.local"
local-data-ptr: "10.0.0.3 xboxone.home.local"
local-data-ptr: "10.0.0.4 ps4.home.local"
local-data-ptr: "10.0.0.5 dhcp.home.local"
</code>

/etc/unbound/forward-zone.conf:

<code>
forward-zone:
    name: "."
    forward-addr: 8.8.4.4           # Google
    forward-addr: 8.8.8.8           # Google
    forward-addr: 37.235.1.174      # FreeDNS
    forward-addr: 37.235.1.177      # FreeDNS
    forward-addr: 50.116.23.211     # OpenNIC
    forward-addr: 64.6.64.6         # Verisign
    forward-addr: 64.6.65.6         # Verisign
    forward-addr: 74.82.42.42       # Hurricane Electric
    forward-addr: 84.200.69.80      # DNS Watch
    forward-addr: 84.200.70.40      # DNS Watch
    forward-addr: 91.239.100.100    # censurfridns.dk
    forward-addr: 109.69.8.51       # puntCAT
    forward-addr: 208.67.222.220    # OpenDNS
    forward-addr: 208.67.222.222    # OpenDNS
    forward-addr: 216.146.35.35     # Dyn Public
    forward-addr: 216.146.36.36     # Dyn Public
</code>

With a forward-zone for "." every query is sent to these forwarders instead of being resolved iteratively from the root hints; unbound still validates DNSSEC on the answers it gets back.

===== Checkup =====

Check the configuration syntax:
<code bash>
unbound-checkconf
</code>

Restart the service:
<code bash>
service unbound restart
</code>

Check the service:
<code bash>
unbound-control status
</code>

Test the service:
<code bash>
apt-get install ldnsutils
drill libox.fr @ip-dns-server
</code>

First query:

<code>
box liandri # drill libox.fr @10.0.0.101
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 21223
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; libox.fr.	IN	A

;; ANSWER SECTION:
libox.fr.	3600	IN	A	5.196.197.68

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 654 msec
;; SERVER: 10.0.0.101
;; WHEN: Wed Sep 7 14:06:05 2016
;; MSG SIZE rcvd: 42
</code>

Second query:

<code>
box liandri # drill libox.fr @10.0.0.101
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 10054
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; libox.fr.	IN	A

;; ANSWER SECTION:
libox.fr.	3593	IN	A	5.196.197.68

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 10.0.0.101
;; WHEN: Wed Sep 7 14:06:13 2016
;; MSG SIZE rcvd: 42
</code>

654 ms for the first lookup, then 0 ms latency once the answer comes from the local cache (the TTL counts down from 3600 to 3593).

===== Useful commands =====

unbound-control needs the remote-control section enabled (unbound-control-setup generates the keys) if your package does not do that already.

Back up the DNS cache:
<code bash>
unbound-control dump_cache > /home/liandri/dns-backup.conf
</code>

Restore the DNS cache:
<code bash>
unbound-control load_cache < /home/liandri/dns-backup.conf
</code>

Look up a particular domain:
<code bash>
unbound-control lookup libox.fr
</code>

Quickly refresh a host or a zone:
<code bash>
unbound-control flush www.libox.fr
unbound-control flush_zone libox.fr
</code>

List the forwarders currently in use:
<code bash>
unbound-control list_forwards
</code>

===== Final step: change the DNS servers on the clients =====

This depends on the clients.

===== Alternative =====

From https://github.com/Angristan/Local-DNS-resolver/blob/master/debian-unbound.sh

<code bash>
# Set conf location
unbound -c /etc/unbound/unbound.conf
# Set root key location (for DNSSEC)
unbound-anchor -a "/var/lib/unbound/root.key"
# Get root servers list
wget ftp://FTP.INTERNIC.NET/domain/named.cache -O /var/lib/unbound/root.hints
# Configuration (a quoted heredoc keeps the inner double quotes intact)
mv /etc/unbound/unbound.conf /etc/unbound/unbound.conf.old
cat > /etc/unbound/unbound.conf <<'EOF'
server:
    root-hints: "/var/lib/unbound/root.hints"
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    interface: 127.0.0.1
    access-control: 127.0.0.1 allow
    port: 53
    do-daemonize: yes
    num-threads: 2
    use-caps-for-id: yes
    harden-glue: yes
    hide-identity: yes
    hide-version: yes
EOF
# Restart unbound
service unbound restart
# Allow the modification of the file
apt install -y e2fsprogs
chattr -i /etc/resolv.conf
# Disable previous DNS servers
sed -i 's|nameserver|#nameserver|' /etc/resolv.conf
# Set localhost as the DNS resolver
echo "nameserver 127.0.0.1" >> /etc/resolv.conf
# Disallow the modification to prevent the file from being overwritten by the system
chattr +i /etc/resolv.conf
</code>
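For the cache check in the Checkup section, here is an added Python helper (not from the original page) that parses drill output and decides whether a repeat query was answered from the Unbound cache. The embedded sample is the first drill run shown in that section; the second run is derived from it by substituting the values the page shows (TTL 3593, 0 msec, id 10054).

```python
"""Check the Unbound cache from two successive 'drill' runs: a cache hit
keeps the same RRset, counts the TTL down and answers in ~0 ms."""
import re


def parse_drill(text):
    """Parse drill output into rcode, answer records and query time (ms)."""
    rcode = re.search(r"rcode: (\w+)", text).group(1)
    qtime = int(re.search(r"Query time: (\d+) msec", text).group(1))
    answers, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True          # records follow until the next ';;' line
        elif line.startswith(";;"):
            in_answer = False
        elif in_answer and line.strip():
            name, ttl, _cls, rtype, rdata = line.split(None, 4)
            answers.append((name, int(ttl), rtype, rdata))
    return {"rcode": rcode, "answers": answers, "query_time_ms": qtime}


def served_from_cache(first, second, max_ms=5):
    """True when 'second' looks like a cache hit for the answer in 'first'."""
    a, b = parse_drill(first), parse_drill(second)
    if a["rcode"] != "NOERROR" or len(a["answers"]) != len(b["answers"]):
        return False
    for (n1, ttl1, t1, d1), (n2, ttl2, t2, d2) in zip(a["answers"], b["answers"]):
        if (n1, t1, d1) != (n2, t2, d2) or ttl2 > ttl1:
            return False  # different RRset, or TTL did not count down
    return b["query_time_ms"] <= max_ms


# Sample output copied from the Checkup section above (first, uncached query).
FIRST = """\
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 21223
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; libox.fr.\tIN\tA

;; ANSWER SECTION:
libox.fr.\t3600\tIN\tA\t5.196.197.68

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 654 msec
;; SERVER: 10.0.0.101
;; WHEN: Wed Sep 7 14:06:05 2016
;; MSG SIZE rcvd: 42
"""
# Second query eight seconds later: TTL 3593, answered from cache in 0 ms.
SECOND = FIRST.replace("3600", "3593").replace("654 msec", "0 msec").replace("21223", "10054")

if __name__ == "__main__":
    print("cache hit" if served_from_cache(FIRST, SECOND) else "no cache hit")
```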