We are still actively working on the spam issue.
Difference between revisions of "Unbound"
(Created page with "thumb '''Unbound''' is a validating, recursive, and caching DNS server. It is quite useful for enforcing DNSSEC and caching DNS queries. Best used in co...") |
m (→What to expect) |
||
Line 17: | Line 17: | ||
* Enforces DNSSEC; | * Enforces DNSSEC; | ||
* Reduces privacy exposure by caching DNS queries; | * Reduces privacy exposure by caching DNS queries; | ||
− | * Consequentially, decreases DNS look up if the DNS query has already been cached; | + | * Consequentially, decreases DNS look up latency if the DNS query has already been cached; |
* Hardens DNS queries. | * Hardens DNS queries. | ||
Revision as of 03:25, 9 December 2015
Unbound is a validating, recursive, and caching DNS server. It is quite useful for enforcing DNSSEC and caching DNS queries.
Best used in conjunction with DNSCrypt.
Contents
Installation
GNU/Linux
Install it from your distro's repository, or download it from here.
Windows
Windows children may download it from the official page.
What to expect
There are numerous advantages to having a DNS server like Unbound, most of which can be summed up in a few short sentences:
- Enforces DNSSEC;
- Reduces privacy exposure by caching DNS queries;
- Consequentially, decreases DNS look up latency if the DNS query has already been cached;
- Hardens DNS queries.
Configuration
This is how a proper unbound.conf file ought to look like: unbound.conf.
General
server: interface: 127.0.0.1 interface: ::1 verbosity: 1 port: 53 do-ip4: yes do-ip6: <yes, if your ISP/router supports it> do-udp: yes do-tcp: yes do-daemonize: yes logfile: "<where you want your log files to be>"
Performance
# use all threads num-threads: <number of cores*threads> # 2^{number_of_cores} msg-cache-slabs: <same> rrset-cache-slabs: <same> infra-cache-slabs: <same> key-cache-slabs: <same> # more cache memory, rrset=msg*2 rrset-cache-size: 100m msg-cache-size: 50m # more outgoing connections # depends on number of threads: 1024/threads - 50 outgoing-range: <1024/threads - 50> # Larger socket buffer so-rcvbuf: 4m so-sndbuf: 4m # Faster UDP with multithreading (only on Linux). so-reuseport: yes
Security
hide-identity: yes hide-version: yes harden-short-bufsize: yes harden-large-queries: yes harden-glue: yes harden-dnssec-stripped: yes harden-below-nxdomain: yes harden-referral-path: yes use-caps-for-id: yes # enables support for DNSSEC(!) auto-trust-anchor-file: "<path to your root.key file>"
w/ DNSCrypt
# this is necessary for the local host, in this case DNSCrypt, to be used to send queries do-not-query-localhost: no forward-zone: name: "." # 127.0.0.1 is DNSCrypt's --local-address; 40 is the port DNSCrypt is using forward-addr: 127.0.0.1@40