Unbound is a recursive, validating, caching DNS server with a strong security record, distributed free of charge under the BSD license. Unbound supports DNS-over-TLS and DNS-over-HTTPS, which improve online privacy by letting clients encrypt their connection to the resolver. Depending on your network configuration, Unbound can serve both IPv4 and IPv6. Installing and configuring Unbound on a Linux distribution is simple and straightforward, and the package is available in most modern operating systems, including CentOS, Ubuntu and Fedora. Companies that use their own domain to serve applications or websites internally can use Unbound as their DNS server.
Here at LinuxAPT, as part of our Server Management Services, we regularly help our Customers to perform related Linux Systems queries.
In this context, we shall look into how to install and configure an Unbound server on Ubuntu 20.04.
To install Unbound name resolution server in Ubuntu 20.04, execute the command below:
$ sudo apt install unbound -y
Also, run the following command to install the additional packages we will use to check the DNS server configuration (on Ubuntu the dig and nslookup tools ship in the dnsutils package, and netstat in net-tools):
$ sudo apt install dnsutils net-tools -y
After the installation is completed, the contents of the configuration file can be found by using the command:
$ cat /etc/unbound/unbound.conf
Here, you will see that the main file does little more than include every .conf file from the unbound.conf.d directory.
Next, we will create a new configuration file in the /etc/unbound/unbound.conf.d directory.
Here, we have created an unbound_test.conf file.
Now, open the file in a text editor and add the following sample configuration. Adjust the parameters (in particular the interface and access-control addresses) to your own network.
$ sudo nano /etc/unbound/unbound.conf.d/unbound_test.conf
server:
    port: 53
    verbosity: 0
    num-threads: 2
    outgoing-range: 512
    num-queries-per-thread: 1024
    msg-cache-size: 32m
    # Addresses Unbound listens on: loopback plus the LAN-facing address
    interface: 127.0.0.1
    interface: 192.168.5.5
    rrset-cache-size: 64m
    cache-max-ttl: 86400
    infra-host-ttl: 60
    # infra-lame-ttl is accepted but ignored by current Unbound releases
    infra-lame-ttl: 120
    outgoing-interface: 192.168.0.2
    # Only these client networks may query the resolver; everything else is refused
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.5.0/24 allow
    # Drop root privileges to this user after binding port 53
    username: unbound
    directory: "/etc/unbound"
    logfile: "/var/log/unbound.log"
    use-syslog: no
    hide-version: yes
    so-rcvbuf: 4m
    so-sndbuf: 4m
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes
Also, create the log file and make the unbound user its owner so the service can write to it:
$ sudo touch /var/log/unbound.log
$ sudo chown unbound:unbound /var/log/unbound.log
Restart the Unbound service to load the configuration:
$ sudo service unbound restart
Use the following command to enable the service so it starts at boot (the service command has no enable action; on Ubuntu 20.04 this is done through systemctl):
$ sudo systemctl enable unbound
Check whether the Unbound service is running with the command:
$ sudo service unbound status
Run the following command to check which port Unbound is listening on:
$ sudo netstat -anlpt | grep LIST
The output will show that the Unbound service is listening on port 53 for TCP, and only on the addresses given by the interface options (127.0.0.1 and 192.168.5.5 in the sample). The -t flag lists TCP sockets only; use netstat -anlpu to see the UDP socket on the same port.
How to Open the DNS port in the firewall?
Once the configuration file is created, you need to open the DNS port so that your LAN clients can connect to your Unbound cache-only DNS server:
$ sudo ufw allow from any to any port 53 proto tcp
$ sudo ufw allow from any to any port 53 proto udp
Note that "from any" opens port 53 on every address the host is reachable from, leaving the access-control lines in the Unbound configuration as the only thing that stops outside clients; on a host with a public address, replace "any" in the from position with your LAN subnet (192.168.5.0/24 in the sample configuration). To check the firewall rules, run the following command:
$ sudo ufw status
Now we have come to the final point: testing our new Unbound DNS server. For testing we can use the dig command, which comes with the previously installed dnsutils package. Perform a few DNS queries against the server itself. Here, we have queried kernel.org for testing:
$ dig kernel.org @localhost
The response time is 4 msec for the first query.
Since Unbound is a caching server, the answer is now cached.
To verify the DNS cache, run the same query again with the same domain name:
$ dig kernel.org @localhost
Now you will find that the query time is 0 msec, because the answer was served from the cache.
If you want to test the Unbound DNS server's configuration from LAN clients, send the query to the Unbound DNS server's IP address (in our case the Unbound DNS server IP is 192.168.178.100):
$ dig kernel.org @192.168.178.100
How to Optimize Unbound?
The default configuration of Unbound works fine for a limited number of users, but when a large number of users must be served, certain optimizations need to be made.
Here are some optimization options which you can implement to get high performance:
This article covers how to install and configure the Unbound name resolution server on Ubuntu with a basic configuration. Unbound is a recursive-only caching DNS server that can perform DNSSEC validation of results. Unbound is the best alternative for setting up a caching nameserver on your LAN or personal machine.
To install Unbound from the official repository, run the following commands:
$ sudo apt update
$ sudo apt install unbound -y