Skip to content

Latest commit

 

History

History
449 lines (316 loc) · 12.4 KB

README.md

File metadata and controls

449 lines (316 loc) · 12.4 KB

⚡Filtering Caching DNS Resolver⚡

dns   release   visitors   license   GitHub last commit

🔸 Intro

  • Current HOWTO defines steps to setup caching DNS resolver with configuration for family usage.

  • It gives possibility to have next DNS endpoints: Plain/DoH/DoH3/DoQ/DoT.

  • Facade for DNS interfaces is Dnsdist.

  • Main DNS resolver is Unbound. It works as resolver, without forwarding queries to any upstream DNS servers.

  • Second level cache is Redis - for Unbound only

  • There are also BIND9 and PDNS-recursor setup instructions as alternative.

  • Everything is prepared to setup monitoring tools such as Loki, Prometheus, Promtail and Grafana

🔸 Tested on Debian 12.

🔸 Should work on other distributions with minimal changes

🔸 I'm working on a script to automate next steps.

Important

🎉 Many thanks to: AA ar51an, Gerd hagezy. Please give a star for their awesome work! 🎉

Tip

For Home network I would say that minimal requirements are 1 CPU core and 2 Gb RAM.

Having 2 CPU cores and 4Gb RAM is more than compfortable.

Regarding hyper-threading: In my testings I found out that disabling HT gives better performance results. Your observations can vary.

🧰 General configuration

expand

🔸 !!!Optional!!! IPv6 (just for FAQ)

  • Edit /etc/default/grub, make sure that ipv6.disable=1 is present, e.g.:

    GRUB_CMDLINE_LINUX="ipv6.disable=1"
  • Run:

    sudo update-grub
  • Reboot

🔸 Limits and Sysctl

  • Next steps are for optimizing/securing current environment.

  • Put content of /etc/security/limits.conf into your limits.conf

  • Put content of etc/sysctl.conf into your sysctl.conf

🔸 !!!Optional!!! Hyper-threading

  • If you want HT disabled but you cannot disable it in BIOS, make sure that nosmt is present in /etc/default/grub, e.g.:

    GRUB_CMDLINE_LINUX="nosmt"
  • Apply it:

    sudo update-grub

🔸 !!!Optional!!! Tuned package

  • Use tuned package for network latency optimizations:

    sudo apt install tuned
    sudo tuned-adm profile network-latency
    sudo reboot

🔸 UFW

  • Review current configuration of UFW:

    sudo ufw status
  • To delete some particular rule run:

    sudo ufw status numbered
    sudo ufw delete <number>
  • Verify that UFW has these configuration:

    sudo ufw allow 443
    sudo ufw limit 22/tcp
  • If you want port 53 accessible to all:

    sudo ufw allow 53/udp
  • For a specific IP address only:

    sudo ufw allow from <ip> proto udp to any port 53
  • Apply rules:

    sudo ufw reload

🔸 Compiler

  • Setup steps for Unbound and Dnsdist contain possibility to compile services locally. This means that you'll need compiler :) In next sections it is supposed using standard compiler for your distributives.
  • You can consider to use AOCC compiler if your processor is AMD. Many sources declare that code compiled by AOCC is faster on AMD. All you need is to follow instructions for AOCC.

🔸 Useful things

  • If you need to create some direcotory on startup, for instance on this path /var/run/some-dir and setup rights for user:user-group then create next file
vim /etc/tmpfiles.d/some-service.conf
  • Put this content:
d /var/run/some-dir 0755 user user-group

🧰 Unbound

expand

🔸 Install Unbound

  • We need to compile it locally because default Unbound from apt does not include cachedb module.
  • Even if you will not use Redis as Level 2 cache for Unbound I would anyway suggest to compile Unbound locally to have the latest version.
wget https://github.com/NLnetLabs/unbound/archive/refs/tags/release-1.19.3.zip
unzip release-1.19.3.zip
cd release-1.19.3
sudo apt install bison flex libevent-dev libexpat1-dev libhiredis-dev libnghttp2-dev libprotobuf-c-dev libssl-dev libsystemd-dev protobuf-c-compiler python3-dev swig
  • Compilation flags (I used next but you are free to specify any you want)
export CFLAGS="-Ofast -pipe -march=native"
export CXXFLAGS="-Ofast -pipe -march=native"
export CPPFLAGS="-Ofast -pipe -march=native"
  • Configure
./configure --prefix=/usr --includedir=\${prefix}/include --infodir=\${prefix}/share/info --mandir=\${prefix}/share/man --localstatedir=/var --runstatedir=/run --sysconfdir=/etc --with-chroot-dir= --with-dnstap-socket-path=/run/dnstap.sock --with-libevent --with-libhiredis --with-libnghttp2 --with-pidfile=/run/unbound.pid --with-pythonmodule --with-pyunbound --with-rootkey-file=/var/lib/unbound/root.key --disable-dependency-tracking --disable-flto --disable-maintainer-mode --disable-option-checking --disable-rpath --disable-silent-rules --enable-cachedb --enable-dnstap --enable-subnet --enable-systemd --enable-tfo-client --enable-tfo-server --without-pthreads --without-solaris-threads
  • Make and install
make
sudo make install

🔸 Unbound and chroot

  • Unbound usually is running under chroot.

  • Next steps usually are needed if Unbound is running under chroot, otherwise it will fail to create *.sock and *.log files.

sudo vim /etc/apparmor.d/local/usr.sbin.unbound
  • Put next to this file
/var/log/unbound/unbound.log rw,
/run/unbound.sock rw,
  • Apply it
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.unbound

🔸 Create logging staff

sudo mkdir /var/log/unbound
sudo chown unbound:unbound /var/log/unbound
  • Put file /etc/logrotate.d/unbound to /etc/logrotate.d/

🔸 Unbound config

  • Replace default configuration of Unbound with files from /etc/unbound.

  • Review config, make appropriate changes for number of threads etc, default is 2 threads.

  • Enable ipv6 if needed.

  • Setup unbound-control:

sudo unbound-control-setup

🔸 Root hints and key

  • Setup root.hints and root.key
sudo apt install dns-root-data
sudo ln -s /usr/share/dns/root.key /var/lib/unbound/root.key
sudo ln -s /usr/share/dns/root.hints /var/lib/unbound/root.hints

🔸 Unbound filters

  • For DNS filtering put update-conf.sh into corresponding path
sudo chmod +x /opt/unbound/update-conf.sh
sudo mkdir /etc/unbound/rules
sudo sh /opt/unbound/update-conf.sh
  • You can check which filters are used in /etc/unbound/unbound.conf.d/rules.conf and /opt/unbound/update-conf.sh

🔸 Unbound service

  • Put unbound-update-config.service and unbound-update-config.timer in corresponding path.
sudo systemctl daemon-reload
sudo systemctl enable --now unbound-update-config.timer`
  • Put /etc/systemd/system/unbound.service from repo.

🧰 Redis

expand
🔸 Compile locally
wget https://download.redis.io/redis-stable.tar.gz
tar -xzvf redis-stable.tar.gz
cd redis-stable
make MALLOC=jemalloc USE_SYSTEMD=yes
sudo make install
  • Put next content into /etc/tmpfiles.d/redis.conf
d /var/run/redis 0755 redis redis
  • Put next content into /etc/systemd/system/redis.service
[Unit]
Description=Redis In-Memory Data Store
After=network.target

[Service]
Type=notify
User=redis
Group=redis
ExecStart=/usr/local/bin/redis-server /etc/redis/redis.conf --supervised systemd
ExecStop=/usr/local/bin/redis-cli shutdown
Restart=always

[Install]
WantedBy=multi-user.target
  • Create user redis with next config
redis:x:112:116::/var/lib/redis:/usr/sbin/nologin
  • Create folder
sudo mkdir /var/lib/redis
sudo chown redis:redis /var/lib/redis
🔸 Install Redis by `apt`
sudo apt install redis-server
  • Put /etc/redis/redis.conf from repo
sudo systemctl enable --now redis-server

🔸 Running Unbound

  • Now you should be able to run Unbound
sudo systemctl daemon-reload
sudo systemctl enable --now unbound.service

🧰 Dnsdist

expand
  • Dnsdist is used as facade for Unbound: to give DoH/DoH3/DoT/DoQ
Installing using apt * Follow instructions for installing Dnsdist from their official site.
  • Put /etc/dnsdist/dnsdist.conf from repo.

  • dnsdist.conf contains DoH configuration where you can restrict access to it using custom url. Just replace <some secret client id> in that configurations with some unique combination. You can specify as many such urls as you want, separating users. For Dot/DoQ there is no such configuration, but it is possible to configure if you are using wildcard certificate.

  • !!!Optional!!! If you will use DoH/DoH3/DoT/DoQ put crt and pem to /opt/lego (edit dnsdist.conf to point to right directory, also certificate/key filenames)

Compiling locally
sudo apt install autoconf automake libedit-dev libsodium-dev libtool-bin \
pkg-config protobuf-compiler libnghttp2-dev libh2o-evloop-dev libluajit-5.1-dev \
libboost-all-dev libsystemd-dev libbpf-dev libclang-dev git cmake
  • Install Rust using script /opt/install-rust.sh from repo.
  • Install Quiche if you need DoH3/DoQ using /opt/install-quiche.sh from repo. Additionally I create symlink to quiche lib for accessibility:
sudo ln /usr/local/lib/libdnsdist-quiche.so /usr/lib/libdnsdist-quiche.so
  • Export CFLAGS and CXXFLAGS if you want, I'm using next:
export CFLAGS="-Ofast -pipe -march=native"
export CXXFLAGS="-Ofast -pipe -march=native"
export CPPFLAGS="-Ofast -pipe -march=native"
  • Configure, make and install:
wget https://downloads.powerdns.com/releases/dnsdist-1.9.1.tar.bz2
tar xjf dnsdist-1.9.1.tar.bz2
cd dnsdist-1.9.1
./configure --enable-dns-over-tls --enable-dns-over-https --enable-dns-over-http3 --enable-dns-over-quic --with-systemd --with-quiche
make
sudo make install
  • Copy generated dnsdist.service to /etc/systemd/system directory
  • Copy etc/dnsdist/dnsdist.conf to /usr/local/etc. Please pay attention that there are DoH/DoH3/DoQ/DoT are configured, so you need to modify config to point to right certificate and private key or disable those interfaces.
  • Create user dnsdist:dnsdist and give rights to config:
sudo chown root:dnsdist /usr/local/etc/dnsdist.conf
  • Reload services and start dnsdist
sudo systemctl daemon-reload
  • Generate key to access dnsdist's console:
sudo dnsdist
>makeKey()
  • Copy key to dnsdist.conf as
setKey("<key from console>")
  • Generate password for webServerConfig
>hashPassword("<your password>")
  • Put it to config

  • Start dnsdist

sudo systemtl enable --now dnsdist.service

🧰 Monitoring

expand

🔸 Follow next HOWTO

unbound-dashboard or forked one unbound-dashboard-forked

unbound-exporter or forked one unbound-exporter-forked

Thanks for your support!