Unbound Recursive DNS
An alternative to BIND, Unbound is a modern validating, recursive and caching DNS server maintained by NLnet Labs.
Prerequisites and assumptions¶
- A server running Rocky Linux
- Able to use
firewalld
for creating firewall rules
Introduction¶
There are two types of DNS servers: authoritative and recursive. Where authoritative DNS servers advertise a DNS zone, recursive servers resolve queries on behalf of clients by forwarding them to an ISP or public DNS resolver, or the root zones for larger servers.
As an example, your home router is likely running an embedded recursive DNS resolver to forward to your ISP or a well-known public DNS server which is also a recursive DNS server.
Installing and enabling Unbound¶
Install Unbound:
dnf install unbound
Configuring Unbound¶
Before making changes to any configuration file, move the original installed working file, unbound.conf
:
cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.orig
That will help in the future if the introduction of errors into the configuration file occurs. It is always a good idea to make a backup copy before making changes.
Edit the unbound.conf file. The author uses vi, but you can substitute your favorite command line editor:
vi /etc/unbound/unbound.conf
Insert the following:
server:
interface: 0.0.0.0
interface: ::
access-control: 192.168.0.0/16 allow
access-control: 2001:db8::/64 allow
forward-zone:
name: "."
forward-addr: 1.0.0.1@53
forward-addr: 1.1.1.1@53
Replace 192.168.0.0/16
and 2001:db8::/64
with the subnets you are resolving DNS queries for. Save your changes.
Taking a closer look¶
- The
interface
denotes the interfaces (IPv4 or IPv6) you want to listen for DNS queries on. We are listening on all interfaces with0.0.0.0
and::
. - The
access-control
denotes which subnets (IPv4 or IPv6) you want to allow DNS queries from. We are allowing requests from192.168.0.0/16
and2001:db8::/64
. - The
forward-addr
defines the servers we will forward to. We are forwarding to Cloudflare's 1.1.1.1.
Enabling Unbound¶
Next, allow DNS ports in firewalld
and enable Unbound:
firewall-cmd --add-service=dns --zone=public
firewall-cmd --runtime-to-permanent
systemctl enable --now unbound
Check DNS resolution with the host
command:
$ host google.com 172.20.0.100
Using domain server:
Name: 172.20.0.100
Address: 172.20.0.100#53
Aliases:
google.com has address 142.251.215.238
google.com has IPv6 address 2607:f8b0:400a:805::200e
google.com mail is handled by 10 smtp.google.com.
%
Conclusion¶
Most people use their home router's DNS resolver or public DNS resolvers run by ISPs and tech companies. In home lab and large networks it is a norm to run a network-wide resolver to reduce latency and network load by caching DNS requests for commonly-requested websites such as Google. A network-wide resolver also enables intranet services such as SharePoint and Active Directory.
Unbound is one of many open source tools that make resolving DNS possible. Congratulations, you have your very own DNS resolver! Cheers!
Author: Neel Chauhan
Contributors: Steven Spencer