Unbound DNS Blockingsteffin stanlyBlockedUnblockFollowFollowingFeb 21Today we will learn how to create your own recursive DNS server using Unbound.
This will improve performance through caching.
We will also look at blocking unwanted web pages.
Download the Official Unbound DNS files from the Github Repository which is given here “NLnetLabs-unbound”.
WARNING: I am by no means an expert in Unbound DNS .
I tried to explain about Unbound DNS setup the best way I could, and I’m sure I might have made a few mistakes here and there.
So if a mistake was made or something is misleading, then please let me know in the comments section!Step 1: Install UnboundThe Unbound package is included in the base repositories for most Linux distributions, installing separate repositories is usually not necessary.
ON UBUNTU# apt-get update && apt-get install -y unboundON CENTOS# yum install -y unboundStep 2: ON UBUNTUChange /etc/unbound/unbound.
confON CENT OSChange /etc/unbound/unbound.
confNext we will enable unboundAfter package has been installed, make a copy of the unbound configuration file before making any changes to original file.
# cp /etc/unbound/unbound.
originalNext, use any of your favourite text editor to open and edit ‘unbound.
conf‘ configuration file.
# vi /etc/unbound/unbound.
confEnable IPv4 and Protocol SupportsSearch for the following string and make it ‘Yes‘.
do-ip4: yesdo-udp yesdo-tcp: yesEnable the loggingTo enable the log, add the variable as below, it will log every unbound activities.
logfile: /var/log/unboundHide Identity and VersionEnable the following parameters to hide id.
server and hostname.
hide-identity: yesEnable following parameter to hide version.
server and version.
hide-version: yesInclude the block file path to the unbound.
conf file to setup the block list for unbound.
NOTE: Change the resolv.
conf IP to the interface IP if you are running Unbound Locally in your systemAdd the system or server ip to the interfaces listBy default, the port is 53 if change is required just edit the port number.
NOTE: check whether any other process is using that port using the command netstat -tunlpNext, Change the access control for our interface IP networkForward zones is where the IP is forwarded after the making the request to our local server.
After the request has been made to our server the recursive call is made to the ISP’s DNS server.
After making the above configuration, now let’s verify the unbound.
conf file for any errors using the following command.
# unbound-checkconf /etc/unbound/unbound.
confAfter verifying the file without any errors, you can safely restart the ‘unbound’ service and enable it at system startup.
# systemctl start unbound.
service# sudo systemctl enable unbound.
serviceBlocklist FileNOTE: Inside the block.
conf always start with server: on top of the fileThe Blocklist can be created as a static list or you could fetch the website list from various repositories which cater sites list.
One such list which i found really useful was “StevenBlack” Github Repo where he has a well-curated block list from various sources.
All the Block list entries are having the same format, so we can use our own custom scripts to fetch the list and change it to our need.
For updating our list daily we could run our script as a cronjob.
DNS CACHE SETUPTest DNS Cache LocallyNow it’s time to check our DNS cache, by doing a ‘drill’ (query) on ‘india.
At first the ‘drill‘ command results for ‘india.
com‘ domain will take some milliseconds, and then do a second drill and have a note on Query time it takes for both drills.
50As you can see in the above output, the first query taken almost 262 ms to resolve and the second query takes 0 ms to resolve domain (india.
That means, the first query gets cached in our DNS Cache, so when we run ‘drill’ second time the query is served from our local DNS cache, this way we can improve loading speed of websites.
Flush Iptables and Add Firewalld RulesWe can’t use both iptables and firewalld at same time on same machine, if we do both will conflict with each other, thus removing ipables rules will be a good idea.
To remove or flush the iptables, use the following command.
# iptables -FAfter removing iptables rules permanently, now add the DNS service to firewalld list permanently.
# firewall-cmd –add-service=dns# firewall-cmd –add-service=dns –permanentAfter adding DNS service rules, list the rules and confirm.
# firewall-cmd –list-allManaging and Troubleshooting UnboundTo get the current server status, use the following command.
# unbound-control statusFlushing DNS RecordsTo check whether the specific address was resolved by our forwarders in unbound cache Server, use the command given below.
# unbound-control lookup google.
comSometimes our DNS cache server will not reply to our query, in the mean time we can use flush command to remove information such as A, AAA, NS, SO, CNAME, MX, PTR etc.
records from DNS cache.
We can remove all information using flush_zone this will remove all informations.
# unbound-control flush www.
com# unbound-control flush_zone bing.
comTo check which forwards are currently used to resolve.
# unbound-control list_forwardsnow it’s time to restart the network using following command.
d/network restartSetting Up Apache Server to serve the Block Pagelet’s make a directory for keeping our block page files and for the log files# mkdir -p /var/log/httpd/blocking.
comLets Uncomment 404 page and add /index.
php or the path from /etc/httpd/conf/httpd.
conf for serving our custom pageNow lets make the necessary changes in our block page and start our apache server# systemctl restart httpd.
serviceFinally if we start our unbound DNS Server and browse to any website which is included in the block list we will be greeted with this Block Page.
Now try to bounce the firewall!!!.. More details