Last active
January 23, 2023 16:44
-
-
Save arainho/3b63c288bb459bca05159a7e05d219c0 to your computer and use it in GitHub Desktop.
Pi-hole as All-Around DNS Solution - raspbian little
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| ## Setting up Pi-hole as a recursive DNS server solution¶ | |
| ## https://docs.pi-hole.net/guides/unbound/ | |
| ## 1. The first thing you need to do is to install the recursive DNS resolver: | |
| sudo apt update | |
| sudo apt -y install unbound | |
| ## 2. Important: Download the current root hints file | |
| ## (the list of primary root servers which are serving the domain "." - the root domain). | |
| ## Update it roughly every six months. Note that this file changes infrequently. | |
| wget -O root.hints https://www.internic.net/domain/named.root | |
| sudo mv -v root.hints /var/lib/unbound/ | |
| ## 3. Configure unbound | |
| # Highlights: | |
| # - Listen only for queries from the local Pi-hole installation (on port 5335) | |
| # - Listen for both UDP and TCP requests | |
| # - Verify DNSSEC signatures, discarding BOGUS domains | |
| # - Apply a few security and privacy tricks | |
| sudo bash -c 'cat << EOF > /etc/unbound/unbound.conf.d/pi-hole.conf | |
| server: | |
| # If no logfile is specified, syslog is used | |
| # logfile: "/var/log/unbound/unbound.log" | |
| verbosity: 0 | |
| interface: 127.0.0.1 | |
| port: 5335 | |
| do-ip4: yes | |
| do-udp: yes | |
| do-tcp: yes | |
| # May be set to yes if you have IPv6 connectivity | |
| do-ip6: no | |
| # You want to leave this to no unless you have *native* IPv6. With 6to4 and | |
| # Terredo tunnels your web browser should favor IPv4 for the same reasons | |
| prefer-ip6: no | |
| # Use this only when you downloaded the list of primary root servers! | |
| # If you use the default dns-root-data package, unbound will find it automatically | |
| root-hints: "/var/lib/unbound/root.hints" | |
| # Trust glue only if it is within the servers authority | |
| harden-glue: yes | |
| # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS | |
| harden-dnssec-stripped: yes | |
| # Do not use Capitalization randomization as it known to cause DNSSEC issues sometimes | |
| # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details | |
| use-caps-for-id: no | |
| # Reduce EDNS reassembly buffer size. | |
| # IP fragmentation is unreliable on the Internet today, and can cause | |
| # transmission failures when large DNS messages are sent via UDP. Even | |
| # when fragmentation does work, it may not be secure; it is theoretically | |
| # possible to spoof parts of a fragmented DNS message, without easy | |
| # detection at the receiving end. Recently, there was an excellent study | |
| # >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<< | |
| # by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/) | |
| # in collaboration with NLnet Labs explored DNS using real world data from the | |
| # the RIPE Atlas probes and the researchers suggested different values for | |
| # IPv4 and IPv6 and in different scenarios. They advise that servers should | |
| # be configured to limit DNS messages sent over UDP to a size that will not | |
| # trigger fragmentation on typical network links. DNS servers can switch | |
| # from UDP to TCP when a DNS response is too big to fit in this limited | |
| # buffer size. This value has also been suggested in DNS Flag Day 2020. | |
| edns-buffer-size: 1232 | |
| # Perform prefetching of close to expired message cache entries | |
| # This only applies to domains that have been frequently queried | |
| prefetch: yes | |
| # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1. | |
| num-threads: 1 | |
| # Ensure kernel buffer is large enough to not lose messages in traffic spikes | |
| so-rcvbuf: 1m | |
| # Ensure privacy of local IP ranges | |
| private-address: 192.168.0.0/16 | |
| private-address: 169.254.0.0/16 | |
| private-address: 172.16.0.0/12 | |
| private-address: 10.0.0.0/8 | |
| private-address: fd00::/8 | |
| private-address: fe80::/10 | |
| EOF' | |
| sudo su -c "echo 'edns-packet-max=1232' > /etc/dnsmasq.d/99-edns.conf" | |
| # 4. Set cron to update root hints file | |
| sudo bash -c 'cat << EOF > /etc/cron.weekly/unbound_root_hints.sh | |
| #!/usr/bin/env bash | |
| # A. Download current root hints file | |
| wget -O root.hints https://www.internic.net/domain/named.root | |
| sudo mv -v root.hints /var/lib/unbound/ | |
| sudo ls -lt /var/lib/unbound/root.hints | |
| # B. Restart your local recursive server | |
| sudo /etc/init.d/unbound restart | |
| EOF' | |
| # 5. Set execute permissions | |
| sudo chmod +x /etc/cron.weekly/unbound_root_hints.sh | |
| ## 6. Setup logs | |
| sudo mkdir -p /var/log/unbound | |
| sudo touch /var/log/unbound/unbound.log | |
| sudo chown unbound /var/log/unbound/unbound.log | |
| ## 7. Check unbound config | |
| sudo /usr/sbin/unbound-checkconf | |
| ## 8. Restart your local recursive server | |
| sudo service unbound restart | |
| ## 9. Test that it's operational | |
| dig pi-hole.net @127.0.0.1 -p 5335 | |
| ## 10. Test DNSSEC validation using | |
| dig fail01.dnssec.works @127.0.0.1 -p 5335 | |
| dig dnssec.works @127.0.0.1 -p 5335 | |
| ## 11. Configure Pi-hole | |
| ## go to http://localhost:80/admin/settings.php?tab=dns | |
| # Finally, configure Pi-hole to use your recursive DNS server by specifying 127.0.0.1#5335 as the Custom DNS (IPv4): | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment