$ brew install unbound ldns
Now we can edit the configuration file of unbound, which by default is located in /usr/local/etc/unbound/unbound.conf:
server:
    verbosity: 1
    interface: 127.0.0.1
    access-control: 127.0.0.1/8 allow
    chroot: ""
    private-address: 192.168.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    #private-domain: "my.lan"
    #domain-insecure: "my.lan"
    auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"

python:

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    server-key-file: "/usr/local/etc/unbound/unbound_server.key"
    server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"
    control-key-file: "/usr/local/etc/unbound/unbound_control.key"
    control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"

#stub-zone:
#    name: "my.lan"
#    stub-addr: 10.0.1.1
You can tell unbound about local domains with the private-domain parameter; in this configuration the commented-out lines show my.lan declared as a private domain (with domain-insecure and a matching stub-zone, since a local zone is not DNSSEC-signed and must be exempted from validation).
If you wish to enable DNS forwarding to an external DNS server, you can specify one with a catch-all forward zone. Unbound still validates DNSSEC locally for answers it receives from a forwarder, but every query is now sent to the listed operators, so choose them deliberately. For example, to use Google Public DNS (and the other resolvers below) as forwarders, add this to the bottom of unbound.conf:
forward-zone:
    name: "."
    forward-addr: 8.8.4.4          # Google
    forward-addr: 8.8.8.8          # Google
    forward-addr: 37.235.1.174     # FreeDNS
    forward-addr: 37.235.1.177     # FreeDNS
    forward-addr: 50.116.23.211    # OpenNIC
    forward-addr: 64.6.64.6        # Verisign
    forward-addr: 64.6.65.6        # Verisign
    forward-addr: 74.82.42.42      # Hurricane Electric
    forward-addr: 84.200.69.80     # DNS Watch
    forward-addr: 84.200.70.40     # DNS Watch
    forward-addr: 91.239.100.100   # censurfridns.dk
    forward-addr: 109.69.8.51      # puntCAT
    forward-addr: 208.67.222.220   # OpenDNS
    forward-addr: 208.67.222.222   # OpenDNS
    forward-addr: 216.146.35.35    # Dyn Public
    forward-addr: 216.146.36.36    # Dyn Public
    #forward-addr: 77.88.8.8       # Yandex
    #forward-addr: 77.88.8.1       # Yandex
Next, fetch the root DNSSEC trust anchor into the file named by auto-trust-anchor-file, generate the server and control key pairs referenced in the remote-control section, and check that the configuration parses:
$ unbound-anchor -a /usr/local/etc/unbound/root.key
$ unbound-control-setup -d /usr/local/etc/unbound
$ unbound-checkconf /usr/local/etc/unbound/unbound.conf
To start unbound now we must load the plist with launchctl (be aware that you must execute launchctl outside of tmux or proxied by reattach-to-user-namespace):
$ sudo launchctl load /Library/LaunchDaemons/homebrew.mxcl.unbound.plist
You can also do a TXT query for test.dnssec-or-not.net to get a verbose confirmation that you are using DNSSEC (-D sets the DNSSEC OK bit so the answer carries its signatures); be aware that this test will fail if you are using an external DNS forwarder, because the test sees the forwarder rather than your local unbound:
$ drill -D TXT test.dnssec-or-not.net @127.0.0.1
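The test above depends on an external service and does not work through a forwarder. A check that works in either setup is to look at the answer unbound itself returns: a validated answer comes back NOERROR with the ad (authenticated data) flag set, an unsigned zone comes back NOERROR without ad, and a name whose signatures fail validation comes back SERVFAIL. The script below is an added example, not part of the original post: classify_answer reads drill output and returns that verdict, and check_live runs drill against the local unbound from the configuration above. The three sample outputs are constructed to match drill's header format, not real captures, and example.net is used only as a placeholder name.

```shell
#!/bin/sh
# Added example (not from the original post): classify a drill answer by
# DNSSEC validation state. Assumes the drill header/flags line format shown
# in the constructed samples below.

# classify_answer OUTPUT
# Prints one of:
#   validated - rcode NOERROR and the ad flag set (unbound validated the chain)
#   insecure  - rcode NOERROR without ad (unsigned zone, or resolver not validating)
#   bogus     - rcode SERVFAIL (a validating resolver withholds data that fails)
#   error     - anything else (NXDOMAIN, REFUSED, unparseable output)
classify_answer() {
    _out=$1
    # ';; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 4242'
    _rcode=$(printf '%s\n' "$_out" | sed -n 's/.*rcode: \([A-Z]*\),.*/\1/p' | head -n 1)
    # ';; flags: qr rd ra ad ; QUERY: 1, ANSWER: 2, ...'
    _flags=$(printf '%s\n' "$_out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$_rcode" in
        NOERROR)
            case " $_flags " in
                *" ad "*) echo validated ;;
                *)        echo insecure ;;
            esac ;;
        SERVFAIL) echo bogus ;;
        *)        echo error ;;
    esac
}

# check_live NAME [TYPE]
# Queries the local unbound with the DO bit set (-D) and classifies the reply.
# Requires drill from the ldns package installed earlier.
check_live() {
    _name=$1
    _type=${2:-A}
    classify_answer "$(drill -D "$_type" "$_name" @127.0.0.1 2>/dev/null)"
}

# Constructed samples (not real captures) in drill's output format.
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 4242
;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;; example.net.     IN      A'

SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 4243
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;; example.net.     IN      A'

SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 4244
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;; example.net.     IN      A'

# Usage: sh dnssec_check.sh NAME [TYPE]  -> prints the verdict for a live query.
if [ $# -gt 0 ]; then
    check_live "$@"
fi
```

A resolver that forwards to the list above still validates, so check_live should report validated for a signed name whether or not the forward-zone is present; if it reports insecure for a name you know is signed, the trust anchor was not loaded (check the unbound-anchor step and the auto-trust-anchor-file path).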