diff --git a/README.md b/README.md index 3756754..7ce89e7 100644 --- a/README.md +++ b/README.md @@ -103,6 +103,7 @@ List of all Documents used within this project. |[nginx_proxy_manager.md](./docs/nginx_proxy_manager.md)|Install and setup instructions for Nginx Proxy Manager (NPM)| |[Self Signed SSL Certificate](https://github.com/akkupy/Self_Signed_SSL_Cerificate)|Follow these steps for SSL Certificate Authority for Local Https Development(can be used with NPM)| |[pi-hole.md](./docs/pi-hole.md)|Install and Setup Pi-Hole for Network-Wide Ad Block| +|[unbound.md](./docs/unbound.md)|Install and Setup Unbound , a validating, recursive, caching DNS resolver.| |[vaultwarden.md](./docs/vaultwarden.md)|Install and Setup Vaultwarden, A privately hosted password manager| |[rpimonitoring.md](./docs/rpimonitoring.md)|Install and Setup Raspberry Pi & Docker Monitoring, A user-friendly way to monitor the performance of your Raspberry Pi| |[jellyfin.md](./docs/jellyfin.md)|Install and Setup Jellyfin, A Software to provide media from a dedicated server to end-user devices via multiple apps| diff --git a/docs/unbound.md b/docs/unbound.md new file mode 100644 index 0000000..0c5f5ff --- /dev/null +++ b/docs/unbound.md @@ -0,0 +1,247 @@ +# Unbound + +![](../images/pihole-unbound.png) + +## Introduction + +[Unbound](https://nlnetlabs.nl/projects/unbound/about/) is a validating, recursive, caching DNS resolver. It is designed to be fast and lean and incorporates modern features based on open standards. + +### What is a recursive DNS server? + +The first distinction we have to be aware of is whether a DNS server is authoritative or not. + +If I'm the authoritative server for, e.g., ```akkupy.me```, then I know which IP is the correct answer for a query. Recursive name servers, in contrast, resolve any query they receive by consulting the servers authoritative for this query by traversing the domain. + +Example: We want to resolve ```akkupy.me```. On behalf of the client, the recursive DNS server will traverse the path of the domain across the Internet to deliver the answer to the question. + + +## Setting up Pi-hole as a recursive DNS server solution¶ + +We will use ```unbound```, a secure open-source recursive DNS server primarily developed by NLnet Labs, VeriSign Inc., Nominet, and Kirei. The first thing you need to do is to install the recursive DNS resolver: + +``` +sudo apt install unbound +``` + +If you are installing unbound from a package manager, it should install the ```root.hints``` file automatically with the dependency ```dns-root-data```. The root hints will then be automatically updated by your package manager. + +Optional: Download the current root hints file (the list of primary root servers which are serving the domain "." - the root domain). Update it roughly every six months. Note that this file changes infrequently. This is only necessary if you are not installing unbound from a package manager. If you do this optional step, you will need to uncomment the ```root-hints:``` configuration line in the suggested config file. + +``` +wget https://www.internic.net/domain/named.root -qO- | sudo tee /var/lib/unbound/root.hints +``` +### Configure ```unbound``` + +Highlights: + + * Listen only for queries from the local Pi-hole installation (on port 5335) + * Listen for both UDP and TCP requests + * Verify DNSSEC signatures, discarding BOGUS domains + * Apply a few security and privacy tricks + + ```/etc/unbound/unbound.conf.d/pi-hole.conf```: + + ``` + server: + # If no logfile is specified, syslog is used + # logfile: "/var/log/unbound/unbound.log" + verbosity: 0 + + interface: 127.0.0.1 + port: 5335 + do-ip4: yes + do-udp: yes + do-tcp: yes + + # May be set to yes if you have IPv6 connectivity + do-ip6: no + + # You want to leave this to no unless you have *native* IPv6. With 6to4 and + # Terredo tunnels your web browser should favor IPv4 for the same reasons + prefer-ip6: no + + # Use this only when you downloaded the list of primary root servers! + # If you use the default dns-root-data package, unbound will find it automatically + #root-hints: "/var/lib/unbound/root.hints" + + # Trust glue only if it is within the server's authority + harden-glue: yes + + # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS + harden-dnssec-stripped: yes + + # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes + # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details + use-caps-for-id: no + + # Reduce EDNS reassembly buffer size. + # IP fragmentation is unreliable on the Internet today, and can cause + # transmission failures when large DNS messages are sent via UDP. Even + # when fragmentation does work, it may not be secure; it is theoretically + # possible to spoof parts of a fragmented DNS message, without easy + # detection at the receiving end. Recently, there was an excellent study + # >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<< + # by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/) + # in collaboration with NLnet Labs explored DNS using real world data from the + # the RIPE Atlas probes and the researchers suggested different values for + # IPv4 and IPv6 and in different scenarios. They advise that servers should + # be configured to limit DNS messages sent over UDP to a size that will not + # trigger fragmentation on typical network links. DNS servers can switch + # from UDP to TCP when a DNS response is too big to fit in this limited + # buffer size. This value has also been suggested in DNS Flag Day 2020. + edns-buffer-size: 1232 + + # Perform prefetching of close to expired message cache entries + # This only applies to domains that have been frequently queried + prefetch: yes + + # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1. + num-threads: 1 + + # Ensure kernel buffer is large enough to not lose messages in traffic spikes + so-rcvbuf: 1m + + # Ensure privacy of local IP ranges + private-address: 192.168.0.0/16 + private-address: 169.254.0.0/16 + private-address: 172.16.0.0/12 + private-address: 10.0.0.0/8 + private-address: fd00::/8 + private-address: fe80::/10 + ``` + + Start your local recursive server and test that it's operational: + + ``` + sudo service unbound restart +dig pi-hole.net @127.0.0.1 -p 5335 + ``` + + The first query may be quite slow, but subsequent queries, also to other domains under the same TLD, should be fairly quick. + + You should also consider adding + + ``` + edns-packet-max=1232 + ``` +to a config file like ```/etc/dnsmasq.d/99-edns.conf``` to signal FTL to adhere to this limit. + +### Test validation + +You can test DNSSEC validation using + +``` +dig fail01.dnssec.works @127.0.0.1 -p 5335 +dig dnssec.works @127.0.0.1 -p 5335 +``` + +The first command should give a status report of ```SERVFAIL``` and no IP address. The second should give ```NOERROR``` plus an IP address. + +### Configure ```Pi-hole``` + +Finally, configure Pi-hole to use your recursive DNS server by specifying ```127.0.0.1#5335``` as the Custom DNS (IPv4): + +![](../images/RecursiveResolver.png) + +(don't forget to hit Return or click on ```Save```) + +### Disable ```resolvconf.conf``` entry for ```unbound``` (Required for Debian Bullseye+ releases) + +Debian Bullseye+ releases auto-install a package called ```openresolv``` with a certain configuration that will cause unexpected behaviour for pihole and unbound. + + The effect is that the ```unbound-resolvconf.service``` instructs ```resolvconf``` to write ```unbound```'s own DNS service at ```nameserver 127.0.0.1``` , but without the 5335 port, into the file ```/etc/resolv.conf```. + + That ```/etc/resolv.conf``` file is used by local services/processes to determine DNS servers configured. You need to edit the configuration file and disable the service to work-around the misconfiguration. + + #### Step 1 - Disable the Service + + To check if this service is enabled for your distribution, run below one. It will show either ```active``` or ```inactive``` or it might not even be installed resulting in a ```could not be found``` message: + + ``` + systemctl is-active unbound-resolvconf.service + ``` + + To disable the service, run the statement below: + + ``` + sudo systemctl disable --now unbound-resolvconf.service + ``` + + #### Step 2 - Disable the file resolvconf_resolvers.conf + + Disable the file resolvconf_resolvers.conf from being generated when resolvconf is invoked elsewhere. + + ``` + sudo sed -Ei 's/^unbound_conf=/#unbound_conf=/' /etc/resolvconf.conf + sudo rm /etc/unbound/unbound.conf.d/resolvconf_resolvers.conf + ``` + Restart ```unbound```. + + ``` + sudo service unbound restart + ``` + +### Add logging to unbound + +> **WARNING :** +> It's not recommended to increase verbosity for daily use, as unbound logs a lot. But it might be helpful for debugging purposes. + +There are five levels of verbosity + +``` +Level 0 means no verbosity, only errors +Level 1 gives operational information +Level 2 gives detailed operational information +Level 3 gives query level information +Level 4 gives algorithm level information +Level 5 logs client identification for cache misses +``` + +First, specify the log file, human-readable timestamps and the verbosity level in the ```server``` part of ```/etc/unbound/unbound.conf.d/pi-hole.conf```: + +``` +server: + # If no logfile is specified, syslog is used + logfile: "/var/log/unbound/unbound.log" + log-time-ascii: yes + verbosity: 1 +``` + +Second, create log dir and file, set permissions: + +``` +sudo mkdir -p /var/log/unbound +sudo touch /var/log/unbound/unbound.log +sudo chown unbound /var/log/unbound/unbound.log +``` + +On modern Debian/Ubuntu-based Linux systems, you'll also have to add an AppArmor exception for this new file so ```unbound``` can write into it. + +Create (or edit if existing) the file ```/etc/apparmor.d/local/usr.sbin.unbound``` and append + +``` +/var/log/unbound/unbound.log rw, +``` + +to the end (make sure this value is the same as above). Then reload AppArmor using + +``` +sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.unbound +sudo service unbound restart +``` + +Lastly, restart ```unbound```: + +``` +sudo service unbound restart +``` + +### Uninstall ```unbound``` + +To remove ```unbound``` from your system run + +``` +sudo apt remove unbound +``` +Make sure to switch to another upstream DNS server for ```Pi-hole```. + diff --git a/images/RecursiveResolver.png b/images/RecursiveResolver.png new file mode 100644 index 0000000..c2a246f Binary files /dev/null and b/images/RecursiveResolver.png differ diff --git a/images/pihole-unbound.png b/images/pihole-unbound.png new file mode 100644 index 0000000..30e8175 Binary files /dev/null and b/images/pihole-unbound.png differ