Example unbound.conf

By: Jacob Taylor

2023 Update: systemd-resolved, the Ubuntu ecosystem's chosen DNS resolution solution, performs very badly (to put it politely). So, I do this swap to unbound for DNS anyway, even though I no longer have horrible internet problems.
```sh
# install unbound
sudo apt install unbound

# add a custom configuration file with our unbound config in it
# -> the contents of this file are the config which is the subject of this article (below)
sudo nano /etc/unbound/unbound.conf.d/aranjebound.conf

# add a custom configuration file which disables the systemd DNS stub resolver
# (create /etc/systemd/resolved.conf.d/ first if it does not exist yet)
sudo nano /etc/systemd/resolved.conf.d/disable-stub.conf
```

with these contents:

```ini
[Resolve]
DNSStubListener=no
DNS=::1
```

```sh
# restart systemd-resolved to commit the change which disables the systemd DNS stub resolver
# (do this first: it frees 127.0.0.53:53, which unbound is about to bind)
sudo systemctl restart systemd-resolved.service

# restart unbound so it can bind to all the ports
sudo systemctl restart unbound.service

# you can also just reboot your computer
```

I'm going to drop this here for anybody else who might find it useful. It's a bit overkill as far as caching goes (the cache is likely huge relative to the use it gets), but it works extremely well.

I presently have Charter as my ISP, and their network hardware is so bad that if you try to open more than 20 or so connections simultaneously, the router/modem chokes. This results in a massive number of DNS lookup failures (and connection timeouts) even when using, say, Google's DNS servers. With the number of tracking scripts, images, and other resources on webpages these days, it mostly just doesn't work. Every page you view has probably partially failed in some way. So, as part of my stop-gap measure, I cache DNS. Here's how.

Short explanation: It has decently large caches for the different parts of DNS lookups and responses, and when a record is nearing expiration it preemptively looks it up again (the prefetch options), so the local cache is hopefully always fresh and giving you sub-millisecond responses. It listens on all interfaces (IPv4 and IPv6) but only answers requests from the local network (in my case, 192.168.*) and loopback; anything else is refused by the access-control lines. And some hardening stuff (the harden-* options and the private-address rebinding protection) that I'm sure is mostly useless on a local network, since it guards against bad upstream answers rather than against your own clients, but I figured why the heck not.

Any recommendations? More or less cache, and of what kinds? Any other tunables I should know about? Otherwise, hopefully this helps someone. ♥

```
# this particular unbound.conf configured by Aranjedeath
# the large outgoing-range and num-queries-per-thread values below need an
# unbound built with libevent (Ubuntu's package is). without libevent the
# usable maximum is much lower (see unbound.conf(5)), so reduce them.
# num-threads itself does not depend on libevent.
server:
    # this file is distributed with most linux os packages.
    # it is required for dnssec validation.
    # your operating system may import this automatically. `apt show unbound-anchor`
    # (ubuntu's package already sets it via a drop-in in /etc/unbound/unbound.conf.d/)
    # only uncomment if you know you need it
    # auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # most distributions do not give this file out. it must be downloaded manually
    # https://www.iana.org/domains/root/files
    # (lookup) performance increase. unbound has root hints compiled in;
    # a downloaded copy just keeps them current.
    # sudo wget -O /var/lib/unbound/root.hints https://www.internic.net/domain/named.root
    # uncomment the following root-hints line, if that command ran successfully
    # root-hints: "/var/lib/unbound/root.hints"

    # review runtime logs with the following command:
    # journalctl -u unbound
    use-syslog: yes
    log-servfail: yes

    num-threads: 2
    msg-cache-size: 32m
    msg-cache-slabs: 8
    rrset-cache-size: 64m
    rrset-cache-slabs: 8
    infra-cache-slabs: 8
    key-cache-slabs: 8
    key-cache-size: 16m

    # this is dangerous -- you're intentionally ignoring the dns record TTL and storing it for 2700s (45 mins)
    # however, many things are set to 5 minute expiry but change once per year
    # use your brain about whether you want this
    # cache-min-ttl: 2700

    harden-short-bufsize: yes
    harden-large-queries: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-below-nxdomain: yes
    prefetch-key: yes
    prefetch: yes

    outgoing-range: 8192
    num-queries-per-thread: 8192
    do-udp: yes
    do-ip6: yes

    # 0.0.0.0 and ::0 bind every interface, loopback included, so the two
    # explicit loopback lines are redundant (127.0.0.53 is where ubuntu's
    # /etc/resolv.conf points once the systemd stub listener is off).
    # if this machine has an interface facing the internet, list your LAN
    # address here instead of the wildcards.
    interface: 0.0.0.0
    interface: ::0
    interface: 127.0.0.1
    interface: 127.0.0.53
    # sources that match no line here get REFUSED (unbound's default), so only
    # loopback and the 192.168/16 LAN are actually served
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.0.0/16 allow
    access-control: ::1 allow
    # upstream answers that point public names into these ranges are dropped
    # (dns rebinding protection). ipv6 ULA (fc00::/7) and link-local (fe80::/10)
    # are not listed; add them if your LAN uses them.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 169.254.0.0/16
    private-address: 192.168.0.0/16
    private-address: 203.0.113.0/24
    private-address: 198.51.100.0/24
    private-address: 198.18.0.0/15
    private-address: 192.0.2.0/24
    private-address: 100.64.0.0/10
    private-address: 192.0.0.0/29
    private-address: 240.0.0.0/4
    private-address: ::ffff:0:0/96
    private-address: 2001:10::/28
    private-address: 2001:db8::/32
```

Caveat: This runs on Ubuntu, so if you're running another OS your trust anchor file is likely to be elsewhere. Otherwise, it should just work™.

Note: The writing at the top has not been modified after publishing, but the configuration does get updated occasionally.