@dch
Forked from denji/unbound-osx-homebrew.md
Last active August 29, 2015 14:27
Install unbound DNS(SEC) resolver on OS X, on the basis of https://www.spatof.org/blog/unbound-dns-resolver-on-osx.html
To install unbound you can use Homebrew; ldns provides the drill tool used for the DNSSEC checks below:
$ brew install unbound ldns
Now we can edit the configuration file of unbound which by default is located in /usr/local/etc/unbound/unbound.conf:
server:
      verbosity: 1
      interface: 127.0.0.1
      access-control: 127.0.0.1/8 allow
      chroot: ""
      private-address: 10.0.1.0/24
      private-domain: "my.lan"
      domain-insecure: "my.lan"
      auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"

python:

remote-control:
      control-enable: no
      control-interface: 127.0.0.1
      server-key-file: "/usr/local/etc/unbound/unbound_server.key"
      server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"
      control-key-file: "/usr/local/etc/unbound/unbound_control.key"
      control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"

stub-zone:
      name: "my.lan"
      stub-addr: 10.0.1.1

These four settings work together. private-address declares 10.0.1.0/24 as a range that must never appear in answers coming from the public Internet (unbound strips such records as a defence against DNS rebinding). private-domain exempts my.lan from that filter, so the LAN's own names may resolve to 10.0.1.x addresses. domain-insecure switches DNSSEC validation off for my.lan: the zone is unsigned and does not exist in the public tree, so the root's signed denial of existence would otherwise cause unbound to mark every answer for it as bogus. The stub-zone sends queries for my.lan straight to the local authoritative server at 10.0.1.1 instead of the root servers.

If you wish to forward queries to an external DNS server instead of resolving them from the root yourself, add a catch-all forward zone. Unbound still validates DNSSEC on its own as long as the forwarder returns the DNSSEC records (Google Public DNS does); the trade-off is that every query now leaves the machine in the clear to that operator. For example, to use Google Public DNS (with Yandex DNS as additional forwarders) add this to the bottom of unbound.conf:

forward-zone:
        name: .
        # Google DNS
        forward-addr: 8.8.8.8
        forward-addr: 8.8.4.4
        # Yandex DNS
        forward-addr: 77.88.8.8
        forward-addr: 77.88.8.1
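Before starting the resolver it is worth checking the settings that decide who can reach it and what it will validate. The script below is an added example (not part of the gist) that audits a configuration of the shape shown above: it flags interface values other than loopback, access-control allow rules wider than localhost (an IPv6 rule such as ::1/8 is the whole ::/8 block, not just ::1), a missing DNSSEC trust anchor, domain-insecure zones that are not served by a stub-zone or forward-zone in the same file, and username: root, which keeps unbound running as root for its whole lifetime. The two sample configurations are constructed for the demonstration; audit_unbound_conf is this example's own function, not an unbound tool.

```shell
#!/bin/sh
# Added example, not code from the gist: audit the security-relevant server:
# settings of an unbound.conf. Prints one finding per line and returns the
# number of findings, so 0 means "nothing to report".
audit_unbound_conf() {
    conf="$1"
    findings=0
    # Drop comments, blank lines and surrounding whitespace so every line is "key: value".
    norm=$(sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$conf")

    # 1. Listening on anything but loopback exposes the resolver to the LAN.
    for iface in $(printf '%s\n' "$norm" | awk '$1=="interface:" {print $2}'); do
        case "$iface" in
            127.0.0.1|::1|127.0.0.1@*|::1@*) ;;   # unbound allows an @port suffix
            *) echo "interface $iface is not loopback"; findings=$((findings+1)) ;;
        esac
    done

    # 2. Every allow rule must be the loopback host or the loopback /8 (::1/8 is not "::1").
    for net in $(printf '%s\n' "$norm" | awk '$1=="access-control:" && $3 ~ /^allow/ {print $2}'); do
        case "$net" in
            127.0.0.0/8|127.0.0.1/8|127.0.0.1|127.0.0.1/32|::1|::1/128) ;;
            *) echo "access-control $net allows more than localhost"; findings=$((findings+1)) ;;
        esac
    done

    # 3. Without a trust anchor unbound cannot validate anything.
    if ! printf '%s\n' "$norm" | grep -Eq '^(auto-trust-anchor-file|trust-anchor-file|trust-anchor|trusted-keys-file):'; then
        echo "no DNSSEC trust anchor configured"; findings=$((findings+1))
    fi

    # 4. domain-insecure disables validation; it should only cover zones you serve yourself.
    for zone in $(printf '%s\n' "$norm" | awk '$1=="domain-insecure:" {print $2}' | tr -d '"'); do
        if ! printf '%s\n' "$norm" | tr -d '"' | grep -Fqx "name: $zone"; then
            echo "domain-insecure $zone disables validation for a zone with no stub-zone/forward-zone here"
            findings=$((findings+1))
        fi
    done

    # 5. username: root means the privilege drop after binding port 53 never happens.
    if printf '%s\n' "$norm" | grep -Eq '^username: "?root"?$'; then
        echo "username: root means unbound never drops privileges"; findings=$((findings+1))
    fi

    return "$findings"
}

# Constructed sample 1: loopback only, narrow ACLs, validation disabled only for the stub zone.
SAFE_CONF=$(mktemp)
cat >"$SAFE_CONF" <<'EOF'
server:
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow
    auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
    private-domain: "my.lan"
    domain-insecure: "my.lan"
stub-zone:
    name: "my.lan"
    stub-addr: 10.0.1.1
EOF

# Constructed sample 2: three mistakes of the kind this audit is meant to catch.
LOOSE_CONF=$(mktemp)
cat >"$LOOSE_CONF" <<'EOF'
server:
    username: root                  # no privilege drop
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1/8 allow     # the whole ::/8 block, not just localhost
    auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
    domain-insecure: "corp.example" # no stub-zone or forward-zone for it
EOF
trap 'rm -f "$SAFE_CONF" "$LOOSE_CONF"' EXIT

echo "== safe config =="
audit_unbound_conf "$SAFE_CONF" && echo "no findings"
echo "== loose config =="
audit_unbound_conf "$LOOSE_CONF" || echo "findings: $?"
```

Run it against your own file with audit_unbound_conf /usr/local/etc/unbound/unbound.conf after sourcing the script; a non-zero exit status is the number of findings. The audit is deliberately strict about allow rules: if you really need to serve other hosts, add the exact netblock and extend the case list, rather than widening a loopback rule.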
In the next step we fetch the root trust anchor needed for DNSSEC validation. unbound-anchor exits with status 1 when it had to create or update the file, which is expected on the first run. Because the file is referenced as auto-trust-anchor-file, unbound keeps it current through RFC 5011 key rollovers, so it must stay writable by the user unbound runs as:
$ unbound-anchor -a /usr/local/etc/unbound/root.key
Now we create the key and certificate files used by the unbound-control utility (they are referenced in the remote-control section but not used until control-enable is set to yes):
$ unbound-control-setup -d /usr/local/etc/unbound
Check the unbound config file for syntax and consistency errors before starting the daemon:
$ unbound-checkconf /usr/local/etc/unbound/unbound.conf

To start unbound now we must load the plist with launchctl (be aware that you must execute launchctl outside of tmux or proxied by reattach-to-user-namespace):

$ sudo cp /usr/local/Cellar/unbound/*/homebrew.mxcl.unbound.plist /Library/LaunchDaemons/homebrew.mxcl.unbound.plist
$ sudo launchctl load /Library/LaunchDaemons/homebrew.mxcl.unbound.plist
Then query a DNSSEC-signed name through the local resolver (for example with drill -D, or dig +dnssec, against 127.0.0.1). If you see ad (Authenticated Data) in the flags field of the reply, DNSSEC validation is working.

You can also do a TXT query for test.dnssec-or-not.net to get a verbose confirmation that you are using DNSSEC; be aware that this test will fail if you are using an external DNS forwarder:

$ drill -D TXT test.dnssec-or-not.net @127.0.0.1
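To read the result of these checks without scanning the whole dump, here is an added example (not part of the gist) that classifies a dig or drill reply by its header lines: ad set means unbound validated the answer; no ad means the zone is unsigned or nothing in the path validated (the forwarder case mentioned above, or a stub zone listed under domain-insecure); SERVFAIL from a validating resolver is what a bogus signature looks like, and re-running the query with dig +cd (checking disabled) tells a validation failure apart from an upstream outage. The three replies are constructed samples in the output formats of drill and dig; classify_dnssec_reply is this example's own function.

```shell
#!/bin/sh
# Added example, not code from the gist: classify a dig/drill reply read on stdin.
# Prints a verdict and returns 0 (validated), 1 (answered but not validated)
# or 2 (SERVFAIL: bogus data or upstream failure).
classify_dnssec_reply() {
    reply=$(cat)
    # dig prints "status: NOERROR," on the header line, drill prints "rcode: NOERROR,".
    status=$(printf '%s\n' "$reply" | awk '/->>HEADER<<-/ {
        for (i = 1; i <= NF; i++)
            if ($i == "status:" || $i == "rcode:") { v = $(i+1); sub(/,$/, "", v); print v }
    }')
    # The flags line is ";; flags: qr rd ra ad;" (dig) or ";; flags: qr rd ra ad ;" (drill).
    ad=$(printf '%s\n' "$reply" | awk '/^;; flags:/ {
        for (i = 3; i <= NF; i++) { f = $i; sub(/;$/, "", f); if (f == "ad") { print "yes"; exit } }
    }')

    if [ "$status" = "SERVFAIL" ]; then
        echo "SERVFAIL: validation failure (bogus signatures) or upstream problem; retry with dig +cd to tell them apart"
        return 2
    fi
    if [ "$ad" = "yes" ]; then
        echo "validated: ad flag set, the answer passed DNSSEC validation"
        return 0
    fi
    echo "not validated: no ad flag (unsigned zone, domain-insecure zone, or a forwarder that does not validate)"
    return 1
}

# Constructed sample: a drill reply for a signed zone through the local validating resolver.
REPLY_VALIDATED=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 23241
;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;; example.org.	IN	A
;; ANSWER SECTION:
example.org.	3600	IN	A	192.0.2.1
EOF
)

# Constructed sample: a dig reply for an unsigned zone (no ad flag).
REPLY_UNVALIDATED=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4099
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
my.lan.			60	IN	A	10.0.1.20
EOF
)

# Constructed sample: what a validating resolver returns for a zone with broken signatures.
REPLY_BOGUS=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 5120
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
EOF
)

for sample in "$REPLY_VALIDATED" "$REPLY_UNVALIDATED" "$REPLY_BOGUS"; do
    printf '%s\n' "$sample" | classify_dnssec_reply || echo "  (exit status $?)"
done

# Live use once unbound is running (needs network; drill comes from the ldns package):
#   drill -D example.org @127.0.0.1 | classify_dnssec_reply
```

The exit status makes the check scriptable: a launch-time health check can fail if a known-signed name does not come back with status 0, and a deliberately broken test name should come back with status 2 rather than 1, which proves validation is actually on rather than merely passing unsigned answers through.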
The complete configuration file from this fork (indentation restored, and the IPv6 access-control netmask corrected from ::1/8, which is the whole ::/8 block, to ::1/128, the loopback host):

server:
      # With username: root unbound keeps running as root after binding port 53
      # instead of dropping to an unprivileged account; if you change it, the new
      # user must be able to write logfile and auto-trust-anchor-file.
      username: root
      verbosity: 1
      logfile: "/usr/local/var/log/unbound.log"
      interface: 127.0.0.1
      interface: ::1
      access-control: 127.0.0.1/8 allow
      # ::1/128 is only the loopback host (the original ::1/8 admitted all of ::/8)
      access-control: ::1/128 allow
      chroot: ""
      private-address: 10.0.0.0/8
      private-domain: "lolcat.host"
      domain-insecure: "lolcat.host"
      auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"

python:

remote-control:
      control-enable: no
      control-interface: 127.0.0.1
      server-key-file: "/usr/local/etc/unbound/unbound_server.key"
      server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"
      control-key-file: "/usr/local/etc/unbound/unbound_control.key"
      control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"

stub-zone:
      name: "lolcat.host"
      # Must be the address of the zone's authoritative server; 10.0.0.0 is the
      # network address of the private-address range above, not a host.
      stub-addr: 10.0.0.0
#
#forward-zone:
#      name: .
#      # HE
#      forward-addr: 74.82.42.42
#      # Yandex DNS
#      forward-addr: 77.88.8.8
#      forward-addr: 77.88.8.1
#      # Google DNS
#      # forward-addr: 8.8.8.8
#      # forward-addr: 8.8.4.4
#      # http://pcsupport.about.com/od/tipstricks/a/free-public-dns-servers.htm
#