🔸 Intro
-
Current HOWTO defines steps to setup caching DNS resolver with configuration for family usage.
-
It gives possibility to have next DNS endpoints: Plain/DoH/DoH3/DoQ/DoT.
-
Facade for DNS interfaces is Dnsdist.
-
Main DNS resolver is Unbound. It works as resolver, without forwarding queries to any upstream DNS servers.
-
There are also BIND9 and PDNS-recursor setup instructions as alternative.
-
Everything is prepared to setup monitoring tools such as
Loki
,Prometheus
,Promtail
andGrafana
🔸 Tested on Debian 12.
🔸 Should work on other distributions with minimal changes
🔸 I'm working on a script to automate next steps.
Important
🎉 Many thanks to: AA ar51an, Gerd hagezy. Please give a star for their awesome work! 🎉
Tip
For Home network I would say that minimal requirements are 1 CPU core and 2 Gb RAM.
Having 2 CPU cores and 4Gb RAM is more than compfortable.
Regarding hyper-threading: In my testings I found out that disabling HT gives better performance results. Your observations can vary.
expand
-
Edit
/etc/default/grub
, make sure thatipv6.disable=1
is present, e.g.:GRUB_CMDLINE_LINUX="ipv6.disable=1"
-
Run:
sudo update-grub
-
Reboot
-
Next steps are for optimizing/securing current environment.
-
Put content of
/etc/security/limits.conf
into yourlimits.conf
-
Put content of
etc/sysctl.conf
into yoursysctl.conf
-
If you want HT disabled but you cannot disable it in BIOS, make sure that
nosmt
is present in/etc/default/grub
, e.g.:GRUB_CMDLINE_LINUX="nosmt"
-
Apply it:
sudo update-grub
-
Use
tuned
package for network latency optimizations:sudo apt install tuned sudo tuned-adm profile network-latency sudo reboot
-
Review current configuration of UFW:
sudo ufw status
-
To delete some particular rule run:
sudo ufw status numbered sudo ufw delete <number>
-
Verify that UFW has these configuration:
sudo ufw allow 443 sudo ufw limit 22/tcp
-
If you want port
53
accessible to all:sudo ufw allow 53/udp
-
For a specific IP address only:
sudo ufw allow from <ip> proto udp to any port 53
-
Apply rules:
sudo ufw reload
- Setup steps for
Unbound
andDnsdist
contain possibility to compile services locally. This means that you'll need compiler :) In next sections it is supposed using standard compiler for your distributives. - You can consider to use AOCC compiler if your processor is AMD. Many sources declare that code compiled by
AOCC
is faster on AMD. All you need is to follow instructions forAOCC
.
- If you need to create some direcotory on startup, for instance on this path
/var/run/some-dir
and setup rights foruser:user-group
then create next file
vim /etc/tmpfiles.d/some-service.conf
- Put this content:
d /var/run/some-dir 0755 user user-group
expand
- We need to compile it locally because default
Unbound
fromapt
does not includecachedb
module. - Even if you will not use
Redis
as Level 2 cache forUnbound
I would anyway suggest to compileUnbound
locally to have the latest version.
wget https://github.com/NLnetLabs/unbound/archive/refs/tags/release-1.19.3.zip
unzip release-1.19.3.zip
cd release-1.19.3
sudo apt install bison flex libevent-dev libexpat1-dev libhiredis-dev libnghttp2-dev libprotobuf-c-dev libssl-dev libsystemd-dev protobuf-c-compiler python3-dev swig
- Compilation flags (I used next but you are free to specify any you want)
export CFLAGS="-Ofast -pipe -march=native"
export CXXFLAGS="-Ofast -pipe -march=native"
export CPPFLAGS="-Ofast -pipe -march=native"
- Configure
./configure --prefix=/usr --includedir=\${prefix}/include --infodir=\${prefix}/share/info --mandir=\${prefix}/share/man --localstatedir=/var --runstatedir=/run --sysconfdir=/etc --with-chroot-dir= --with-dnstap-socket-path=/run/dnstap.sock --with-libevent --with-libhiredis --with-libnghttp2 --with-pidfile=/run/unbound.pid --with-pythonmodule --with-pyunbound --with-rootkey-file=/var/lib/unbound/root.key --disable-dependency-tracking --disable-flto --disable-maintainer-mode --disable-option-checking --disable-rpath --disable-silent-rules --enable-cachedb --enable-dnstap --enable-subnet --enable-systemd --enable-tfo-client --enable-tfo-server --without-pthreads --without-solaris-threads
- Make and install
make
sudo make install
-
Unbound usually is running under chroot.
-
Next steps usually are needed if Unbound is running under chroot, otherwise it will fail to create
*.sock
and*.log
files.
sudo vim /etc/apparmor.d/local/usr.sbin.unbound
- Put next to this file
/var/log/unbound/unbound.log rw,
/run/unbound.sock rw,
- Apply it
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.unbound
sudo mkdir /var/log/unbound
sudo chown unbound:unbound /var/log/unbound
- Put file
/etc/logrotate.d/unbound
to/etc/logrotate.d/
-
Replace default configuration of Unbound with files from
/etc/unbound
. -
Review config, make appropriate changes for number of threads etc, default is 2 threads.
-
Enable ipv6 if needed.
-
Setup unbound-control:
sudo unbound-control-setup
- Setup
root.hints
androot.key
sudo apt install dns-root-data
sudo ln -s /usr/share/dns/root.key /var/lib/unbound/root.key
sudo ln -s /usr/share/dns/root.hints /var/lib/unbound/root.hints
- For DNS filtering put
update-conf.sh
into corresponding path
sudo chmod +x /opt/unbound/update-conf.sh
sudo mkdir /etc/unbound/rules
sudo sh /opt/unbound/update-conf.sh
- You can check which filters are used in
/etc/unbound/unbound.conf.d/rules.conf
and/opt/unbound/update-conf.sh
- Put
unbound-update-config.service
andunbound-update-config.timer
in corresponding path.
sudo systemctl daemon-reload
sudo systemctl enable --now unbound-update-config.timer`
- Put
/etc/systemd/system/unbound.service
from repo.
expand
🔸 Compile locally
wget https://download.redis.io/redis-stable.tar.gz
tar -xzvf redis-stable.tar.gz
cd redis-stable
make MALLOC=jemalloc USE_SYSTEMD=yes
sudo make install
- Put next content into
/etc/tmpfiles.d/redis.conf
d /var/run/redis 0755 redis redis
- Put next content into
/etc/systemd/system/redis.service
[Unit]
Description=Redis In-Memory Data Store
After=network.target
[Service]
Type=notify
User=redis
Group=redis
ExecStart=/usr/local/bin/redis-server /etc/redis/redis.conf --supervised systemd
ExecStop=/usr/local/bin/redis-cli shutdown
Restart=always
[Install]
WantedBy=multi-user.target
- Create user
redis
with next config
redis:x:112:116::/var/lib/redis:/usr/sbin/nologin
- Create folder
sudo mkdir /var/lib/redis
sudo chown redis:redis /var/lib/redis
🔸 Install Redis by `apt`
sudo apt install redis-server
- Put
/etc/redis/redis.conf
from repo
sudo systemctl enable --now redis-server
- Now you should be able to run Unbound
sudo systemctl daemon-reload
sudo systemctl enable --now unbound.service
expand
- Dnsdist is used as facade for Unbound: to give DoH/DoH3/DoT/DoQ
Installing using apt
* Follow instructions for installing Dnsdist from their official site.-
Put
/etc/dnsdist/dnsdist.conf
from repo. -
dnsdist.conf
contains DoH configuration where you can restrict access to it using custom url. Just replace<some secret client id>
in that configurations with some unique combination. You can specify as many such urls as you want, separating users. For Dot/DoQ there is no such configuration, but it is possible to configure if you are using wildcard certificate. -
!!!Optional!!! If you will use DoH/DoH3/DoT/DoQ put crt and pem to
/opt/lego
(editdnsdist.conf
to point to right directory, also certificate/key filenames)
Compiling locally
sudo apt install autoconf automake libedit-dev libsodium-dev libtool-bin \
pkg-config protobuf-compiler libnghttp2-dev libh2o-evloop-dev libluajit-5.1-dev \
libboost-all-dev libsystemd-dev libbpf-dev libclang-dev git cmake
- Install Rust using script
/opt/install-rust.sh
from repo. - Install Quiche if you need DoH3/DoQ using
/opt/install-quiche.sh
from repo. Additionally I create symlink toquiche
lib for accessibility:
sudo ln /usr/local/lib/libdnsdist-quiche.so /usr/lib/libdnsdist-quiche.so
- Export CFLAGS and CXXFLAGS if you want, I'm using next:
export CFLAGS="-Ofast -pipe -march=native"
export CXXFLAGS="-Ofast -pipe -march=native"
export CPPFLAGS="-Ofast -pipe -march=native"
- Configure, make and install:
wget https://downloads.powerdns.com/releases/dnsdist-1.9.1.tar.bz2
tar xjf dnsdist-1.9.1.tar.bz2
cd dnsdist-1.9.1
./configure --enable-dns-over-tls --enable-dns-over-https --enable-dns-over-http3 --enable-dns-over-quic --with-systemd --with-quiche
make
sudo make install
- Copy generated
dnsdist.service
to/etc/systemd/system
directory - Copy
etc/dnsdist/dnsdist.conf
to/usr/local/etc
. Please pay attention that there are DoH/DoH3/DoQ/DoT are configured, so you need to modify config to point to right certificate and private key or disable those interfaces. - Create user
dnsdist:dnsdist
and give rights to config:
sudo chown root:dnsdist /usr/local/etc/dnsdist.conf
- Reload services and start dnsdist
sudo systemctl daemon-reload
- Generate key to access dnsdist's console:
sudo dnsdist
>makeKey()
- Copy key to dnsdist.conf as
setKey("<key from console>")
- Generate password for webServerConfig
>hashPassword("<your password>")
-
Put it to config
-
Start dnsdist
sudo systemtl enable --now dnsdist.service
expand
🔸 Follow next HOWTO
unbound-dashboard or forked one unbound-dashboard-forked
unbound-exporter or forked one unbound-exporter-forked
Thanks for your support!