1 version=pmwiki-2.3.20 ordered=1 urlencoded=1
2 agent=Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0
3 author=sylv1a
4 charset=UTF-8
5 csum=Edit after revert to include more accurate information, discussed with jrmu
6 ctime=1616122566
7 host=2602:2da:0:30::1
8 name=Unbound.Configure
9 rev=16
10 targets=
11 text=Unbound is a caching DNS resolver that comes as part of OpenBSD base. You can use it to provide faster and more secure DNS lookups for the users on your network.

Please read through the [[http://man.openbsd.org/unbound|unbound(8)]], [[http://man.openbsd.org/unbound.conf|unbound.conf(5)]], [[http://man.openbsd.org/unbound-checkconf|unbound-checkconf(8)]] and [[http://man.openbsd.org/nsd|nsd(8)]] man pages.

Here's a sample /var/unbound/etc/unbound.conf:

[@
server:
    interface: 127.0.0.1 # listen on localhost
    interface: ::1
    #interface: 10.0.0.1 # provide DNS for users on the IPSec internal network
    #do-ip6: no

    access-control: 0.0.0.0/0 refuse # block all users by default
    access-control: 10.0.0.0/8 allow # allow users on the internal network to use unbound
    access-control: 127.0.0.0/8 allow # allow localhost to use unbound
    access-control: ::0/0 refuse # block all IPv6 users by default
    access-control: ::1 allow # allow IPv6 localhost to use unbound

    hide-identity: yes
    hide-version: yes

remote-control:
    control-enable: yes
    control-interface: /var/run/unbound.sock

forward-zone:
    name: "."
    forward-addr: 185.117.154.144
    forward-addr: 165.227.40.43
    forward-addr: 217.144.132.169
    forward-addr: 212.237.22.141
    forward-addr: 165.227.108.86
@]

The forward-addr lines indicate which upstream nameservers unbound forwards queries to. You can find a list of public servers on [[https://servers.opennic.org/|OpenNIC]].

'''Tip''': To quickly get the IPs from OpenNIC, navigate to servers.opennic.org, click on the OK button at the top, then open your web browser's JavaScript console and run this command:

[@
document.clear();
data = document.querySelectorAll("html body div#frame div#view div#srvlist div p");
document.body.innerText = "forward-addr: 9.9.9.9";
data.forEach(line => {
    if (line.childNodes[0].childNodes[1].title == "No logs kept") {
        document.body.innerHTML += `<br>forward-addr: ${line.childNodes[2].childNodes[0].data}`;
    }
});
@]

You can also run this command:
Attach:unbound.txt

(:if false:)
If you are using another server as a master, set forwarding from this server as a priority:
[@
forward-zone:
    name: "example.com."
    forward-addr: 10.10.10.10@53
    forward-first: no
    forward-no-cache: no
@]
(:ifend:)

If you need to store local zones, add a block like this to the server section:
[@
    local-zone: "localhost." static
    local-data: "localhost. 10800 IN NS localhost."
    local-data: "localhost. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
    local-data: "localhost. 10800 IN A 127.0.0.1"
    local-data: "localhost. 10800 IN AAAA ::1"
@]

To start unbound:
[@
$ doas rcctl enable unbound
$ doas rcctl start unbound
@]

For the computer that runs unbound, you'll want to make sure /etc/resolv.conf uses 127.0.0.1 as the nameserver (that is, you query unbound running on port 53). In /etc/resolv.conf:

[@
nameserver 127.0.0.1
lookup file bind
@]

Check to make sure /etc/resolv.conf.tail does not list any nameserver other than 127.0.0.1. All your upstream nameservers should instead be specified in /var/unbound/etc/unbound.conf.

If the computer running unbound uses DHCP for network configuration, you will want to include this line in /etc/dhclient.conf:

[@
ignore domain-name-servers;
@]

This tells OpenBSD's dhclient to ignore the nameservers provided by the DHCP server.

If the computer running unbound is also providing a DHCP server for your local network, you will want to add this line inside your /etc/dhcpd.conf blocks, where 192.168.1.1 is the address on which unbound listens:

[@
option domain-name-servers 192.168.1.1;
@]


Here's how to use unbound as a local caching resolver:

Edit /etc/resolv.conf so it queries localhost on port 53:

[@
# Generated by age0 dhclient
nameserver 127.0.0.1
lookup file bind
@]

Inside /var/unbound/etc/unbound.conf, you will see this at the top:

[@
server:
    interface: 127.0.0.1
    interface: ::1

    # override the default "any" address to send queries; if multiple
    # addresses are available, they are used randomly to counter spoofing
    #outgoing-interface: 192.0.2.1
    #outgoing-interface: 2001:db8::53

    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::0/0 refuse
    access-control: ::1 allow
@]

Make sure you are listening on 127.0.0.1 (for localhost) so that your VPS can query localhost on port 53, and also on ::1 port 53 (for IPv6).

For access control, you want to refuse 0.0.0.0/0 (all IPv4 addresses) but allow 127.0.0.0/8 (everything that originates locally). Likewise, refuse ::0/0 (all IPv6 addresses) but allow ::1 (localhost).

Put this at the bottom of the file:

[@
forward-zone:
    name: "." # use for ALL queries
    forward-addr: 163.53.248.170
    forward-addr: 103.236.162.119
    forward-addr: 192.99.85.244
    forward-addr: 31.171.251.118
    forward-addr: 51.254.25.115
    forward-addr: 46.101.70.183
    forward-addr: 45.71.112.70
    forward-addr: 87.98.175.85
    forward-addr: 185.208.208.141
    forward-addr: 89.35.39.64
    forward-addr: 172.98.193.42
    forward-addr: 111.67.20.8
@]

These are IP addresses for DNS servers which I got from [[https://servers.opennic.org/]]. However, the servers change regularly, so make sure you update the list.

To start unbound:

[@
$ doas rcctl enable unbound
$ doas rcctl start unbound
@]

To test if unbound is working:

[@
$ dig @127.0.0.1 google.com
@]

You should see something like this:

[@
;; ANSWER SECTION:
google.com. 29 IN A 172.217.27.142
@]

!! DNSSEC

In @@/var/unbound/etc/unbound.conf@@, there are these two lines:

[@
# auto-trust-anchor-file: "/var/unbound/db/root.key"
# aggressive-nsec: no
@]

Both should be commented to turn off DNSSEC when using forwarders that aren't known to support DNSSEC (the OpenNIC public servers suggested earlier are one example). Otherwise Unbound may refuse to serve answers to DNS queries because it fails to build a chain of trust. In the system log the failure looks like this: the forwarder returned the root's key data without the signatures Unbound needs to validate it, so the client receives SERVFAIL instead of an answer.

[@
Mar 31 03:27:44 hostname unbound: [26496:0] info: validation failure <example.com. A IN>: signature missing from 198.51.100.163 for trust anchor . while building chain of trust
@]

!! Stale hostname

If you ever change your host's IP address, /etc/hosts may be intercepting the name lookup and giving you the old IP address.

Make sure there is no entry in the /etc/hosts file that is causing your machine to use the old IP.

!! Troubleshooting
[@
Mar 8 01:34:41 hostname unbound: [45846:0] info: validation failure <hostname.com. A IN>: key for validation . is marked as invalid because of a previous validation failure <previoushostname.com. A IN>: no DNSKEY rrset for trust anchor . while building chain of trust
@]

Here an earlier failed lookup left the root key marked bad in the cache, so every later validation fails as well. Flush the negative cache, which also discards that cached bad-key state:

[@
# unbound-control flush_negative
@]
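As an added example, not code from the wiki page or from Unbound, the following Python lint applies the access-control, forwarder and DNSSEC points above to an unbound.conf. PAGE_CONF is a trimmed copy of the page's first sample; WEAK_CONF, the finding codes and the forwarder address 192.0.2.53 are constructed for the example.

```python
"""Added example (not Unbound's code nor the wiki's): static checks for an unbound.conf
covering refuse-by-default access control, listener/forwarder hygiene and validation."""
import ipaddress
import re


def parse_unbound_conf(text):
    """Return {section: [(key, value), ...]}; 'section:' at column 0, options indented."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop '#' comments (quotes not handled)
        m = re.match(r"^([\w-]+):\s*(.*)$", line.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip().strip('"')
        if value == "" and not line[0].isspace():
            current = key
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append((key, value))
    return sections


def lint(text):
    """Return findings as 'CODE: detail' strings (an empty list means clean)."""
    conf = parse_unbound_conf(text)
    server, zones = conf.get("server", []), conf.get("forward-zone", [])
    out = []
    for k, v in server:
        if k == "interface" and v in ("0.0.0.0", "::", "::0"):
            out.append(f"WILDCARD-LISTENER: interface {v} binds every address; only access-control limits clients")
        if k == "access-control":
            net, action = v.split()[:2]
            # prefix length 0 means "everyone"; allowing it creates an open resolver
            if action.startswith("allow") and ipaddress.ip_network(net, strict=False).prefixlen == 0:
                out.append(f"OPEN-RESOLVER: '{v}' lets any host on the Internet query this resolver")
    for opt in ("hide-identity", "hide-version"):
        if (opt, "yes") not in server:
            out.append(f"IDENTITY-EXPOSED: set '{opt}: yes' so id.server/version.bind queries are refused")
    addrs = [v for k, v in zones if k == "forward-addr"]
    for dup in sorted({a for a in addrs if addrs.count(a) > 1}):
        out.append(f"DUPLICATE-FORWARDER: forward-addr {dup} listed {addrs.count(dup)} times")
    validating = any(k in ("auto-trust-anchor-file", "trust-anchor-file") for k, _ in server)
    if validating and ("name", ".") in zones:
        out.append("VALIDATION-WITH-FORWARDERS: each forward-addr must return RRSIG/DNSKEY data, "
                   "or Unbound logs 'validation failure ... signature missing' and answers SERVFAIL")
    elif not validating:
        out.append("NO-DNSSEC: no trust anchor configured, so answers are not authenticated")
    return out

# Trimmed copy of this page's first sample config.
PAGE_CONF = """\
server:
    interface: 127.0.0.1
    access-control: 0.0.0.0/0 refuse   # block all users by default
    access-control: 127.0.0.0/8 allow  # allow localhost to use unbound
    hide-identity: yes
    hide-version: yes
forward-zone:
    name: "."
    forward-addr: 185.117.154.144
"""

# Constructed counter-example: an open resolver that also validates behind forwarders.
WEAK_CONF = """\
server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow
    auto-trust-anchor-file: "/var/unbound/db/root.key"
forward-zone:
    name: "."
    forward-addr: 192.0.2.53
    forward-addr: 192.0.2.53
"""
```

Running lint(PAGE_CONF) reports only NO-DNSSEC, which is the trade-off the DNSSEC section above describes; lint(WEAK_CONF) flags the open resolver, the wildcard listener, the duplicate forwarder and validation behind forwarders.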
12 time=1696720794
13 author:1696720794=sylv1a
14 csum:1696720794=Edit after revert to include more accurate information, discussed with jrmu
15 diff:1696720794:1696718766:=175,179c175,178%0a%3c !! DNSSEC%0a%3c %0a%3c In @@/var/unbound/etc/unbound.conf@@, there are these two lines:%0a%3c %0a%3c [@%0a---%0a> !! DNSSec%0a> %0a> In /var/unbound/etc/unbound.conf, there are these two lines:%0a> %0a182,188c181,184%0a%3c @]%0a%3c %0a%3c Both should be commented to turn off DNSSEC when using forwarders that aren't known to support DNSSEC (the OpenNIC public servers suggested earlier are one example). Otherwise Unbound may refuse to serve answers to DNS queries because it fails to build a chain of trust.%0a%3c %0a%3c [@%0a%3c Mar 31 03:27:44 hostname unbound: [26496:0] info: validation failure %3cexample.com. A IN>: signature missing from 198.51.100.163 for trust anchor . while building chain of trust%0a%3c @]%0a---%0a> %0a> Both should be commented to turn off DNSSEC. %0a> %0a> I have not yet found out how to turn on DNSSEC safely. The problem is that if you turn on DNSSEC it will refuse to serve DNS records that don't have DNSSEC enabled.%0a
16 host:1696720794=2602:2da:0:30::1
17 author:1696718766=sylv1a
18 csum:1696718766=Revert: talked with jrmu and he suggested using a separate page entirely
19 diff:1696718766:1696716886:=175,184c175,185%0a%3c !! DNSSec%0a%3c %0a%3c In /var/unbound/etc/unbound.conf, there are these two lines:%0a%3c %0a%3c # auto-trust-anchor-file: "/var/unbound/db/root.key"%0a%3c # aggressive-nsec: no%0a%3c %0a%3c Both should be commented to turn off DNSSEC. %0a%3c %0a%3c I have not yet found out how to turn on DNSSEC safely. The problem is that if you turn on DNSSEC it will refuse to serve DNS records that don't have DNSSEC enabled.%0a---%0a> !! DNSSEC%0a> %0a> DNSSEC (Domain Name System Security Extensions) attempts to add security while maintaining backward compatibility. [[DNSSEC is a best current practice -> https://datatracker.ietf.org/doc/html/rfc9364]] and it should be used whenever possible to help mitigate [[known attacks on DNS -> https://datatracker.ietf.org/doc/html/rfc3833]].%0a> %0a> Please see [[Howto enable DNSSEC -> https://www.nlnetlabs.nl/documentation/unbound/howto-anchor/]] and [[Howto Turn Off DNSSEC -> https://www.nlnetlabs.nl/documentation/unbound/howto-turnoff-dnssec/]] for Unbound configuration details.%0a> %0a> Also, if you need to enable a @@forward-zone@@, ensure that each @@forward-addr@@ entry points to a server that also has DNSSEC enabled. Otherwise Unbound may fail to resolve domains when it forwards DNS to a server that hasn't enabled DNSSEC:%0a> %0a> [@%0a> Mar 31 03:27:44 hostname unbound: [26496:0] info: validation failure %3cexample.com. A IN>: signature missing from 198.51.100.163 for trust anchor . while building chain of trust%0a> @] %0a
20 host:1696718766=2a0b:f4c2:2::54
21 author:1696716886=sylv1a
22 csum:1696716886=Edited DNSSEC section because it was misleading. The problem is with forwarding.
23 diff:1696716886:1696471537:=175,185c175,184%0a%3c !! DNSSEC%0a%3c %0a%3c DNSSEC (Domain Name System Security Extensions) attempts to add security while maintaining backward compatibility. [[DNSSEC is a best current practice -> https://datatracker.ietf.org/doc/html/rfc9364]] and it should be used whenever possible to help mitigate [[known attacks on DNS -> https://datatracker.ietf.org/doc/html/rfc3833]].%0a%3c %0a%3c Please see [[Howto enable DNSSEC -> https://www.nlnetlabs.nl/documentation/unbound/howto-anchor/]] and [[Howto Turn Off DNSSEC -> https://www.nlnetlabs.nl/documentation/unbound/howto-turnoff-dnssec/]] for Unbound configuration details.%0a%3c %0a%3c Also, if you need to enable a @@forward-zone@@, ensure that each @@forward-addr@@ entry points to a server that also has DNSSEC enabled. Otherwise Unbound may fail to resolve domains when it forwards DNS to a server that hasn't enabled DNSSEC:%0a%3c %0a%3c [@%0a%3c Mar 31 03:27:44 hostname unbound: [26496:0] info: validation failure %3cexample.com. A IN>: signature missing from 198.51.100.163 for trust anchor . while building chain of trust%0a%3c @] %0a---%0a> !! DNSSec%0a> %0a> In /var/unbound/etc/unbound.conf, there are these two lines:%0a> %0a> # auto-trust-anchor-file: "/var/unbound/db/root.key"%0a> # aggressive-nsec: no%0a> %0a> Both should be commented to turn off DNSSEC. %0a> %0a> I have not yet found out how to turn on DNSSEC safely. The problem is that if you turn on DNSSEC it will refuse to serve DNS records that don't have DNSSEC enabled.%0a
24 host:1696716886=45.141.215.61
25 author:1696471537=sylv1a
26 csum:1696471537=Revert last change until I find a solution, I just ran into what was described.
27 diff:1696471537:1696470241:=175,184c175,184%0a%3c !! DNSSec%0a%3c %0a%3c In /var/unbound/etc/unbound.conf, there are these two lines:%0a%3c %0a%3c # auto-trust-anchor-file: "/var/unbound/db/root.key"%0a%3c # aggressive-nsec: no%0a%3c %0a%3c Both should be commented to turn off DNSSEC. %0a%3c %0a%3c I have not yet found out how to turn on DNSSEC safely. The problem is that if you turn on DNSSEC it will refuse to serve DNS records that don't have DNSSEC enabled.%0a---%0a> !! DNSSEC%0a> %0a> DNSSEC (Domain Name System Security Extensions) adds verification to DNS lookups to help mitigate potential security threats like DNS spoofing. It's best to keep this enabled.%0a> %0a> That said, if a root trust anchor file is not present and DNSSEC validation is turned on with something like @@auto-trust-anchor-file: yes@@, all DNS queries might fail. To fix this, create the anchor file with [[unbound-anchor(8) -> https://man.openbsd.org/unbound-anchor]], and then restart Unbound.%0a> %0a> [@%0a> $ doas unbound-anchor%0a> $ doas rcctl restart unbound%0a> @]%0a
28 host:1696471537=2a03:94e0:ffff:185:243:218:0:204
29 author:1696470241=sylv1a
30 csum:1696470241=Rewrite DNSSEC section with the solution to the mentioned problem.
31 diff:1696470241:1691589220:=175,184c175,184%0a%3c !! DNSSEC%0a%3c %0a%3c DNSSEC (Domain Name System Security Extensions) adds verification to DNS lookups to help mitigate potential security threats like DNS spoofing. It's best to keep this enabled.%0a%3c %0a%3c That said, if a root trust anchor file is not present and DNSSEC validation is turned on with something like @@auto-trust-anchor-file: yes@@, all DNS queries might fail. To fix this, create the anchor file with [[unbound-anchor(8) -> https://man.openbsd.org/unbound-anchor]], and then restart Unbound.%0a%3c %0a%3c [@%0a%3c $ doas unbound-anchor%0a%3c $ doas rcctl restart unbound%0a%3c @]%0a---%0a> !! DNSSec%0a> %0a> In /var/unbound/etc/unbound.conf, there are these two lines:%0a> %0a> # auto-trust-anchor-file: "/var/unbound/db/root.key"%0a> # aggressive-nsec: no%0a> %0a> Both should be commented to turn off DNSSEC. %0a> %0a> I have not yet found out how to turn on DNSSEC safely. The problem is that if you turn on DNSSEC it will refuse to serve DNS records that don't have DNSSEC enabled.%0a
32 host:1696470241=2a0b:f4c0:16c:16::1
33 author:1691589220=jim
34 csum:1691589220=clarify navigating to openNIC
35 diff:1691589220:1678269177:minor=38c38%0a%3c '''Tip''': To quickly get the IPs from OpenNIC, navigate to servers.opennic.org, click on the OK button at the top, then open up your web browser's javascript console window and run this command:%0a---%0a> '''Tip''': To quickly get the IPs from OpenNIC, click on the OK button at the top, then open up your web browser's javascript console window and run this command:%0a
36 host:1691589220=70.30.130.225
37 author:1678269177=Yonle
38 diff:1678269177:1670126399:=191,201d190%0a%3c %0a%3c !! Troubleshooting%0a%3c [@%0a%3c Mar 8 01:34:41 hostname unbound: [45846:0] info: validation failure %3chostname.com. A IN>: key for validation . is marked as invalid because of a previous validation failure %3cprevioushostname.com. A IN>: no DNSKEY rrset for trust anchor . while building chain of trust%0a%3c @]%0a%3c %0a%3c Flush all negative cache.%0a%3c %0a%3c [@%0a%3c # unbound-control flush_negative%0a%3c @]%0a
39 host:1678269177=114.125.24.76
40 author:1670126399=Yonle
41 diff:1670126399:1667053840:=41c41%0a%3c document.clear();data=document.querySelectorAll("html body div#frame div#view div#srvlist div p");document.body.innerText="forward-addr: 9.9.9.9";data.forEach(line=>{%0a---%0a> clear();data=document.querySelectorAll("html body div#frame div#view div#srvlist div p");document.body.innerText="forward-addr: 9.9.9.9";data.forEach(line=>{%0a
42 host:1670126399=114.125.4.80
43 author:1667053840=jrmu
44 diff:1667053840:1642195190:=184c184%0a%3c I have not yet found out how to turn on DNSSEC safely. The problem is that if you turn on DNSSEC it will refuse to serve DNS records that don't have DNSSEC enabled.%0a---%0a> I have not yet found out how to turn on DNSSEC safely. The problem is that if you turn on DNSSEC it will refuse to serve DNS records that don't have DNSSEC enabled. This can cause [[openbsd/znc|segfaults in znc]]!%0a
45 host:1667053840=38.87.162.8
46 author:1642195190=Naglfar
47 csum:1642195190=Add url to man pages
48 diff:1642195190:1635606718:=2,3d1%0a%3c %0a%3c Please read through the [[http://man.openbsd.org/unbound|unbound(8)]], [[http://man.openbsd.org/unbound.conf|unbound.conf(5)]], [[http://man.openbsd.org/unbound-checkconf|unbound-checkconf(8)]] and [[http://man.openbsd.org/nsd|nsd(8)]] man pages.%0a
49 host:1642195190=92.191.225.58
50 author:1635606718=jrmu
51 diff:1635606718:1635591335:=46c46%0a%3c You can also run these command:%0a---%0a> You can also run this command:%0a
52 host:1635606718=38.87.162.8
53 author:1635591335=jrmu
54 diff:1635591335:1635591231:=47c47%0a%3c Attach:unbound.txt%0a---%0a> Attach:unbound.sh%0a
55 host:1635591335=38.87.162.8
56 author:1635591231=jrmu
57 diff:1635591231:1632490312:=45,47d44%0a%3c %0a%3c You can also run this command:%0a%3c Attach:unbound.sh%0a
58 host:1635591231=38.87.162.8
59 author:1632490312=jrmu
60 diff:1632490312:1625984880:=46d45%0a%3c (:if false:)%0a55,56c54%0a%3c (:ifend:)%0a%3c %0a---%0a> %0a185c183%0a%3c Make sure there is no entry in the /etc/hosts files that is causing your machine to use the old IP.%0a---%0a> Make sure there is no entry in the /etc/hosts files that is causing your machine to use the old IP.%0a\ No newline at end of file%0a
61 host:1632490312=125.231.18.235
62 author:1625984880=jrmu
63 diff:1625984880:1616122566:=36,37c36%0a%3c '''Tip''': To quickly get the IPs from OpenNIC, click on the OK button at the top, then open up your web browser's javascript console window and run this command:%0a%3c %0a---%0a> if you are using another server as a master, set forwarding from this server as a priority:%0a39,47d37%0a%3c clear();data=document.querySelectorAll("html body div#frame div#view div#srvlist div p");document.body.innerText="forward-addr: 9.9.9.9";data.forEach(line=>{%0a%3c if (line.childNodes[0].childNodes[1].title == "No logs kept"){%0a%3c document.body.innerHTML+=`%3cbr>forward-addr: ${line.childNodes[2].childNodes[0].data}`;%0a%3c }%0a%3c });%0a%3c @]%0a%3c %0a%3c if you are using another server as a master, set forwarding from this server as a priority:%0a%3c [@%0a177,183c167%0a%3c I have not yet found out how to turn on DNSSEC safely. The problem is that if you turn on DNSSEC it will refuse to serve DNS records that don't have DNSSEC enabled. This can cause [[openbsd/znc|segfaults in znc]]!%0a%3c %0a%3c !! Stale hostname%0a%3c %0a%3c If you ever change your host's IP address, /etc/hosts may be intercepting the name lookup and giving you the old IP address.%0a%3c %0a%3c Make sure there is no entry in the /etc/hosts files that is causing your machine to use the old IP.%0a\ No newline at end of file%0a---%0a> I have not yet found out how to turn on DNSSEC safely. The problem is that if you turn on DNSSEC it will refuse to serve DNS records that don't have DNSSEC enabled. This can cause [[openbsd/znc|segfaults in znc]]!%0a\ No newline at end of file%0a
64 host:1625984880=125.224.22.56
65 author:1616122566=jrmu
66 diff:1616122566:1616122566:=1,167d0%0a%3c Unbound is a caching DNS resolver that comes as a part of OpenBSD base. You can use this to provide faster as well as more secure DNS lookup for the users on your network.%0a%3c %0a%3c Here's a sample /var/unbound/etc/unbound.conf:%0a%3c %0a%3c [@%0a%3c server:%0a%3c interface: 127.0.0.1 # listen on localhost%0a%3c interface: ::1%0a%3c #interface: 10.0.0.1 # provide DNS for users on the IPSec internal network%0a%3c #do-ip6: no%0a%3c %0a%3c access-control: 0.0.0.0/0 refuse # block all users by default%0a%3c access-control: 10.0.0.0/8 allow # allow users on the internal network to use unbound%0a%3c access-control: 127.0.0.0/8 allow # allow localhost to use unbound%0a%3c access-control: ::0/0 refuse # block all IPv6 users by default%0a%3c access-control: ::1 allow # allow IPv6 localhost to use unbound%0a%3c %0a%3c hide-identity: yes%0a%3c hide-version: yes%0a%3c %0a%3c remote-control:%0a%3c control-enable: yes%0a%3c control-interface: /var/run/unbound.sock%0a%3c %0a%3c forward-zone:%0a%3c name: "."%0a%3c forward-addr: 185.117.154.144%0a%3c forward-addr: 165.227.40.43%0a%3c forward-addr: 217.144.132.169%0a%3c forward-addr: 212.237.22.141%0a%3c forward-addr: 165.227.108.86%0a%3c @]%0a%3c %0a%3c The forward-addr lines indicate which nameserver unbound will query. You can find a list of public servers on [[https://servers.opennic.org/|OpenNIC]].%0a%3c %0a%3c if you are using another server as a master, set forwarding from this server as a priority:%0a%3c [@%0a%3c forward-zone:%0a%3c name: "example.com."%0a%3c forward-addr: 10.10.10.10@53%0a%3c forward-first: no%0a%3c forward-no-cache: no%0a%3c @]%0a%3c %0a%3c If you need to store local zones, add a block to the "server" section about it:%0a%3c [@%0a%3c local-zone: "localhost." static%0a%3c local-data: "localhost. 10800 IN NS localhost."%0a%3c local-data: "localhost. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"%0a%3c local-data: "localhost. 
10800 IN A 127.0.0.1"%0a%3c local-data: "localhost. 10800 IN AAAA ::1"%0a%3c @]%0a%3c %0a%3c To start unbound:%0a%3c [@%0a%3c $ doas rcctl enable unbound%0a%3c $ doas rcctl start unbound%0a%3c @]%0a%3c %0a%3c For the computer that runs unbound, you'll want to make sure /etc/resolv.conf uses 127.0.0.1 as the nameserver (that is, you query unbound running on port 53). In /etc/resolv.conf:%0a%3c %0a%3c [@%0a%3c nameserver 127.0.0.1%0a%3c lookup file bind%0a%3c @]%0a%3c %0a%3c Check to make sure /etc/resolv.conf.tail does not contain any other name servers except 127.0.0.1. All your nameservers should instead be specified in /var/unbound/etc/unbound.conf.%0a%3c %0a%3c If the computer running unbound uses DHCP for network configuration, you will want to include this line in /etc/dhclient.conf:%0a%3c %0a%3c [@%0a%3c ignore domain-name-servers;%0a%3c @]%0a%3c %0a%3c This tells OpenBSD's dhclient to ignore the name server provided by the dhcp server.%0a%3c %0a%3c If the computer running unbound is also providing a dhcp server for your local network, you will want to add this line inside your /etc/dhcpd.conf blocks:%0a%3c %0a%3c [@%0a%3c option domain-name-servers 192.168.1.1;%0a%3c @]%0a%3c %0a%3c %0a%3c Here's how to use unbound as a local caching resolver:%0a%3c %0a%3c Edit /etc/resolv.conf so it queries localhost on port 53:%0a%3c %0a%3c [@%0a%3c # Generated by age0 dhclient%0a%3c nameserver 127.0.0.1%0a%3c lookup file bind%0a%3c @]%0a%3c %0a%3c Inside /var/unbound/etc/unbound.conf, you will see this at the top:%0a%3c %0a%3c [@%0a%3c server:%0a%3c interface: 127.0.0.1%0a%3c interface: ::1%0a%3c %0a%3c # override the default "any" address to send queries; if multiple%0a%3c # addresses are available, they are used randomly to counter spoofing%0a%3c #outgoing-interface: 192.0.2.1%0a%3c #outgoing-interface: 2001:db8::53%0a%3c %0a%3c access-control: 0.0.0.0/0 refuse%0a%3c access-control: 127.0.0.0/8 allow%0a%3c access-control: ::0/0 refuse%0a%3c access-control: ::1 
allow%0a%3c @]%0a%3c %0a%3c Make sure you are listening on 127.0.0.1 (for localhost) so that your VPS can query localhost on port 53, and also ::1 on port 53 (for IPv6).%0a%3c %0a%3c For access control, you want to refuse 0.0.0.0/0 (all IPv4s) but allow 127.0.0.0/8 (everything that originates locally). Again, refuse ::0/0 (all IPv6s) but allow ::1 (localhost).%0a%3c %0a%3c Put this at the bottom of the file:%0a%3c %0a%3c [@%0a%3c forward-zone:%0a%3c name: "." # use for ALL queries%0a%3c forward-addr: 163.53.248.170%0a%3c forward-addr: 103.236.162.119%0a%3c forward-addr: 192.99.85.244%0a%3c forward-addr: 31.171.251.118%0a%3c forward-addr: 51.254.25.115%0a%3c forward-addr: 46.101.70.183%0a%3c forward-addr: 45.71.112.70%0a%3c forward-addr: 87.98.175.85%0a%3c forward-addr: 185.208.208.141%0a%3c forward-addr: 89.35.39.64%0a%3c forward-addr: 87.98.175.85%0a%3c forward-addr: 172.98.193.42%0a%3c forward-addr: 111.67.20.8%0a%3c @]%0a%3c %0a%3c These are IP addresses for DNS servers which I got from [[https://servers.opennic.org/]]. However, the servers change regularly so make sure you update the list.%0a%3c %0a%3c To start unbound:%0a%3c %0a%3c [@%0a%3c $ doas rcctl enable unbound%0a%3c $ doas rcctl start unbound%0a%3c @]%0a%3c %0a%3c To test if unbound is working:%0a%3c %0a%3c [@%0a%3c $ dig @127.0.0.1 google.com%0a%3c @]%0a%3c %0a%3c You should see something like this:%0a%3c %0a%3c [@%0a%3c ;; ANSWER SECTION:%0a%3c google.com. 29 IN A 172.217.27.142%0a%3c @]%0a%3c %0a%3c !! DNSSec%0a%3c %0a%3c In /var/unbound/etc/unbound.conf, there are these two lines:%0a%3c %0a%3c # auto-trust-anchor-file: "/var/unbound/db/root.key"%0a%3c # aggressive-nsec: no%0a%3c %0a%3c Both should be commented to turn off DNSSEC. %0a%3c %0a%3c I have not yet found out how to turn on DNSSEC safely. The problem is that if you turn on DNSSEC it will refuse to serve DNS records that don't have DNSSEC enabled. This can cause [[openbsd/znc|segfaults in znc]]!%0a\ No newline at end of file%0a
67 host:1616122566=198.251.81.119