@mdellavo
Last active April 8, 2018 05:14

Setting up secure, private dns cache for local network

See https://calomel.org/unbound_dns.html - specifically the "recursive, authoritative, validating" DNS over TLS cache using 9.9.9.9 and 1.1.1.1. Note that with a forward-zone for "." unbound is really a validating, caching forwarder: every query is handed to the upstreams over TLS, so it neither recurses from the root nor serves any zone authoritatively.

Setup

  • Unifi usg with unifi controller running on a raspi with fixed ip
  • unifi usg serves dhcp and hostnames for dhcp devices, upstreams to local dns cache
  • local dns cache upstreams over tls, and validates with dnssec

Install unbound on the cache host (192.168.1.8 in the usg config below):

sudo apt-get install unbound
sudo wget ftp://FTP.INTERNIC.NET/domain/named.cache -O /var/lib/unbound/root.hints   # plain FTP, unauthenticated; the hints are only used when recursing, so with the forward-zone "." config below they are never consulted

Configure custom dns on usg

The USG's dnsmasq keeps serving DHCP and the LAN hostnames; everything else it forwards to unbound at 192.168.1.8, and the USG itself resolves through 192.168.1.1 (presumably its own LAN address, i.e. its own forwarder). The no-update option stops the WAN DHCP lease from overwriting the name-server. Caveat: on a controller-managed USG, changes made at the CLI are lost the next time the controller provisions the gateway; to keep them, put the same settings in config.gateway.json on the controller.

configure
delete system name-server
set system name-server 192.168.1.1
set interfaces ethernet eth0 dhcp-options name-server no-update
set service dns forwarding name-server 192.168.1.8  # unbound
commit
save
exit

Unbound config (on Debian drop it into /etc/unbound/unbound.conf.d/):
## Validating, caching DNS over TLS forwarder
## based on unbound.conf -- https://calomel.org
## (calomel calls this "authoritative, recursive"; with forward-zone "." below
##  unbound forwards every query upstream and does not recurse)
#
server:
    verbosity: 1
    interface: 0.0.0.0                   # listen on all interfaces; access-control limits who may query
    port: 53
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow # everything else is refused by default
    root-hints: "/var/lib/unbound/root.hints"   # only used when recursing; unused with forward-zone "."
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes          # treat answers with stripped DNSSEC data as bogus
    use-caps-for-id: yes
    cache-min-ttl: 300
    cache-max-ttl: 3600
    prefetch: yes
    num-threads: 4
    msg-cache-slabs: 8
    rrset-cache-slabs: 8
    infra-cache-slabs: 8
    key-cache-slabs: 8
    rrset-cache-size: 256m
    msg-cache-size: 128m
    so-rcvbuf: 1m
    private-address: 192.168.0.0/16      # was 192.168.1.0/16; the prefix must be the network address (rebinding protection)
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-domain: "local"
    unwanted-reply-threshold: 10000
    do-not-query-localhost: no
    minimal-responses: yes
    # qname-minimisation: yes            # no effect while every query is forwarded
    rrset-roundrobin: yes
    ssl-upstream: yes                    # renamed tls-upstream in unbound 1.7.0 (old name still accepted);
                                         # without a tls-cert-bundle the upstream certificate is NOT verified,
                                         # so the TLS session is encrypted but not authenticated
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # DNSSEC root trust anchor; must exist (the Debian package creates it)
forward-zone:
    name: "."
    forward-addr: 9.9.9.9@853 # quad9.net primary
    forward-addr: 1.1.1.1@853 # cloudflare primary
    forward-addr: 149.112.112.112@853 # quad9.net secondary
    forward-addr: 1.0.0.1@853 # cloudflare secondary
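The forward-zone above encrypts every query to 9.9.9.9 / 1.1.1.1 but never verifies who is on the other end of the TLS session: there is no tls-cert-bundle and no auth name on the forward-addr lines, so an on-path attacker who terminates TLS for 9.9.9.9 is accepted. The script below is an added example, not part of the gist or of calomel's config: it writes the authenticated variant of the forward-zone, lints a config file for that weakness, and carries a live check for DNSSEC validation. Assumptions: Unbound 1.7.0 or later (tls-upstream, tls-cert-bundle, the @853#authname syntax), Debian's CA bundle path, and the upstreams' published TLS names dns.quad9.net and cloudflare-dns.com; the function and file names are mine.

```shell
#!/bin/sh
# Added example (not from the gist): authenticated DoT forward-zone and a lint
# for the unauthenticated one. Assumes Unbound >= 1.7.0, the Debian CA bundle
# path and the upstreams' TLS names (dns.quad9.net, cloudflare-dns.com).

# Write the weak forward-zone as the gist has it: ssl-upstream, no CA bundle,
# no auth names, so any certificate is accepted.
write_weak_config() {
  cat > "$1" <<'EOF'
server:
    ssl-upstream: yes
forward-zone:
    name: "."
    forward-addr: 9.9.9.9@853 # quad9.net primary
    forward-addr: 1.1.1.1@853 # cloudflare primary
EOF
}

# Write the hardened variant: verify the upstream certificate against the
# system CA store and pin the hostname each upstream must present.
write_hardened_config() {
  cat > "$1" <<'EOF'
server:
    tls-upstream: yes
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"  # Debian path (assumption)
forward-zone:
    name: "."
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
EOF
}

# check_dot_auth FILE: return 0 when the TLS upstreams are authenticated, 1 otherwise.
# Rule 1: a CA store must be configured (tls-cert-bundle or tls-system-cert),
#         otherwise Unbound accepts any certificate.
# Rule 2: every forward-addr on port 853 must carry an auth name (@853#host),
#         otherwise the certificate is never matched against a hostname.
check_dot_auth() {
  grep -Eq '^[[:space:]]*(tls-cert-bundle|tls-system-cert):' "$1" || return 1
  if grep -E '^[[:space:]]*forward-addr:' "$1" | grep -F '@853' | grep -Evq '@853#[A-Za-z0-9.-]+'; then
    return 1
  fi
  return 0
}

# live_check RESOLVER: query the running cache (needs dig and network; not run
# by the offline part below). Validation works when a signed zone comes back
# with the AD flag and a deliberately broken zone (dnssec-failed.org) SERVFAILs.
live_check() {
  dig @"$1" +dnssec . SOA | grep -q 'flags:.* ad' || echo "no AD flag on . SOA: not validating"
  dig @"$1" dnssec-failed.org A | grep -q 'status: SERVFAIL' || echo "bogus zone resolved: not validating"
}

# Offline demonstration: the gist's zone fails the lint, the hardened one passes.
weak=$(mktemp); hard=$(mktemp)
write_weak_config "$weak"
check_dot_auth "$weak" && echo "weak config: authenticated" || echo "weak config: unauthenticated DoT"
write_hardened_config "$hard"
check_dot_auth "$hard" && echo "hardened config: authenticated" || echo "hardened config: still unauthenticated"
rm -f "$weak" "$hard"
```

Run it as-is for the offline lint, or `sh script.sh; live_check 192.168.1.8` after sourcing it to exercise the running cache. The lint only looks at the two settings that decide whether the TLS peer is authenticated; unbound-checkconf is still the authority on whether the file parses.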