How to Configure Unbound as a Local DNS Resolver on FreeBSD
Unbound is a lightweight, high-performance recursive DNS resolver that can be used to improve DNS resolution speed and security. FreeBSD includes Unbound in its base system, making it easy to set up and configure. This guide walks you through installing, configuring, and securing Unbound as a local DNS resolver on FreeBSD.
1. Understanding Unbound
Unbound is a validating, caching, and recursive DNS resolver. When set up as a local resolver, it directly queries authoritative DNS servers instead of relying on an upstream provider like your ISP’s DNS or Google Public DNS. This enhances privacy, reduces latency, and improves overall reliability.
Benefits of Using Unbound
- Improved Performance: Caches DNS responses for faster lookup times.
- Better Privacy: Reduces reliance on third-party DNS services.
- Security Features: Supports DNSSEC for secure and validated DNS responses.
- Customizable: Allows fine-tuning of DNS configurations for specific needs.
2. Installing Unbound on FreeBSD
On FreeBSD, Unbound is part of the base system, where its binaries carry a local- prefix (local-unbound, local-unbound-anchor, local-unbound-checkconf, local-unbound-setup) and the rc service is local_unbound. If you need additional features or a newer version, install it from ports or packages, which provide the plain unbound name and an unbound rc service.
Verify if Unbound is Installed
local-unbound -V
unbound -V
The first command reports the base-system build; the second only works once the port or package is installed.
If Unbound is not installed, you can install it using:
pkg install unbound
Or using ports:
cd /usr/ports/dns/unbound && make install clean
3. Configuring Unbound as a Local Resolver
Edit the Unbound Configuration File
The primary configuration file for Unbound is located at:
/etc/unbound/unbound.conf
Use your preferred text editor to modify the configuration file:
vi /etc/unbound/unbound.conf
Basic Configuration Example
Below is a minimal working configuration for a local resolver:
server:
    verbosity: 1
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    root-hints: "/var/unbound/root.hints"
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: no
    cache-min-ttl: 3600
    cache-max-ttl: 86400
    prefetch: yes
    num-threads: 2
    rrset-roundrobin: yes
    minimal-responses: yes
    hide-identity: yes
    hide-version: yes
    qname-minimisation: yes
    module-config: "validator iterator"
    val-log-level: 2
    val-permissive-mode: no
forward-zone:
    name: "."
    forward-addr: 1.1.1.1
    forward-addr: 8.8.8.8
Explanation of Key Settings
- interface: The addresses Unbound listens on. 127.0.0.1 and ::1 keep the resolver reachable from this host only.
- access-control: The client netblocks allowed to query. Anything not listed is refused, so adding a LAN interface later does not silently create an open resolver.
- root-hints: The file listing the root name servers from which recursion starts.
- cache settings: cache-max-ttl caps how long a record is kept. cache-min-ttl keeps records for at least an hour even when the zone owner set a shorter TTL; this speeds up lookups but can serve stale data after a DNS change, and the Unbound manual warns against high values. prefetch refreshes frequently used records shortly before they expire.
- DNSSEC settings: module-config "validator iterator" enables validation; with val-permissive-mode: no, a response that fails validation is answered with SERVFAIL instead of being passed to the client. hide-identity and hide-version stop the server from revealing its hostname and version to queries.
- forward-zone: Sends queries to upstream resolvers instead of recursing. With name "." every query goes to 1.1.1.1 or 8.8.8.8 and the root hints are never used; remove this block if you want the fully recursive, provider-independent setup described in section 1.
4. Fetching Root Hints File
For direct (recursive) resolution Unbound needs the addresses of the root name servers. It ships with a compiled-in copy that is used when root-hints is not set, so this step only matters if you keep the root-hints line from the example above. Download the current list from the official source:
fetch -o /var/unbound/root.hints https://www.internic.net/domain/named.cache
Update this file periodically to keep it current.
5. Enabling and Starting Unbound
To enable Unbound at boot:
echo 'local_unbound_enable="YES"' >> /etc/rc.conf
Start the Unbound service:
service local_unbound start
To check the status:
service local_unbound status
6. Configuring FreeBSD to Use Unbound as a Resolver
To make FreeBSD use Unbound for DNS resolution, update /etc/resolv.conf:
echo 'nameserver 127.0.0.1' > /etc/resolv.conf
This ensures all DNS queries go through your local Unbound instance. If a DHCP client or resolvconf(8) manages /etc/resolv.conf on this host, it will rewrite the file on the next lease renewal; make the change through resolvconf(8) in that case so that 127.0.0.1 stays in place.
7. Testing Your Configuration
To verify Unbound is working correctly, use dig (installed by dns/bind-tools) or drill(1), which ships in the base system and accepts the same arguments here:
dig freebsd.org @127.0.0.1
drill freebsd.org @127.0.0.1
If it resolves successfully, Unbound is functioning correctly.
To check caching, run the same command twice and note the reduced query time on the second attempt.
8. Enabling DNSSEC Validation
Unbound supports DNSSEC to verify the authenticity of DNS responses. Enable it by ensuring these settings are present in /etc/unbound/unbound.conf:
server:
    val-log-level: 2
    val-permissive-mode: no
    trust-anchor-file: "/var/unbound/root.key"
trust-anchor-file reads the root key once at startup. The configuration that FreeBSD's local-unbound-setup generates uses auto-trust-anchor-file for the same path instead, which additionally tracks root key rollovers (RFC 5011) and rewrites the file, so validation keeps working after a key change.
Initialize DNSSEC support by fetching the root trust anchor (the base-system tool is local-unbound-anchor; the port installs unbound-anchor):
unbound-anchor -a /var/unbound/root.key
Restart Unbound:
service local_unbound restart
To verify DNSSEC validation (with drill, use drill -D freebsd.org @127.0.0.1):
dig +dnssec freebsd.org @127.0.0.1
Look for the ad (Authenticated Data) flag in the flags line of the response; it is only set when the resolver itself validated the answer. A query for a deliberately broken test zone should return SERVFAIL rather than an answer when val-permissive-mode is no.
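The two checks above (the caching test in section 7 and the ad-flag test in this section) are easy to script once you parse dig's output. The following is an added example and is not part of the original article or the Unbound project: it extracts the status, the ad flag and the reported query time from dig output. The two dig outputs embedded in it are constructed samples so the functions can be exercised offline; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): parse the output of
# `dig +dnssec <name> @127.0.0.1` to confirm DNSSEC validation (the "ad"
# flag) and to read the reported query time, so the checks from sections 7
# and 8 can be scripted. The dig outputs below are constructed samples.

# Return 0 if the dig output on stdin carries the "ad" flag in its flags line.
has_ad_flag() {
    awk '
        /^;; flags:/ {
            # flags line looks like: ;; flags: qr rd ra ad; QUERY: 1, ...
            sub(/.*flags:/, ""); sub(/;.*/, "")
            n = split($0, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Print the reported query time in milliseconds (0 when answered from cache).
query_time_ms() {
    awk '/^;; Query time:/ { print $4 }'
}

# Print the rcode (NOERROR, SERVFAIL, ...) from the header line.
answer_status() {
    awk '/^;; ->>HEADER<<-/ { sub(/.*status: /, ""); sub(/,.*/, ""); print }'
}

# Constructed sample: what a validating resolver returns for a signed zone
# on a first (uncached) lookup.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; Query time: 37 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)'

# Constructed sample: a cached reply without the "ad" flag, which is what
# you see when validation is not active on the resolver.
SAMPLE_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)'

# Run all three checks on one dig output and print a one-line verdict.
check_dig_output() {
    out=$1
    status=$(printf '%s\n' "$out" | answer_status)
    ms=$(printf '%s\n' "$out" | query_time_ms)
    if printf '%s\n' "$out" | has_ad_flag; then
        echo "status=$status validated=yes query_time_ms=$ms"
    else
        echo "status=$status validated=no query_time_ms=$ms"
    fi
}

# Live use on a FreeBSD host (dig comes from dns/bind-tools):
#   check_dig_output "$(dig +dnssec freebsd.org @127.0.0.1)"
# Run it twice: the second call should report query_time_ms=0 (cache hit)
# and validated=yes on both calls once DNSSEC validation is working.
```

Source the file into an interactive shell and call check_dig_output on a real dig run; a validated, uncached answer prints validated=yes with a non-zero query time, and the repeat shows the cache hit.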
9. Optimizing and Securing Unbound
Blocking Ads and Trackers
Unbound can block ads and trackers by using blocklists. Add entries inside the server: clause of /etc/unbound/unbound.conf:
local-zone: "example.com" static
Replace example.com with known ad domains. A static local-zone answers NXDOMAIN for the name and everything below it (unless you add local-data for it), so the client never reaches the ad server and the query never leaves this host.
Rate Limiting
To limit abuse, enable rate limiting in the server: clause. ratelimit caps the number of new recursive queries per second that Unbound will send for any single zone (1000 here); queries above that rate are dropped or answered from cache, so one misbehaving client or a flood of lookups for one domain cannot consume the resolver's whole capacity:
server:
    ratelimit: 1000
Logging Queries
For troubleshooting, enable logging in the server: clause. Note that query logs record every name every client looks up, so treat the file accordingly:
server:
    log-queries: yes
    log-replies: yes
    logfile: "/var/unbound/unbound.log"
Ensure Unbound can write to this file. FreeBSD's base Unbound runs as the unbound user chrooted to /var/unbound, so the log must live inside that directory (a path under /var/log is unreachable from inside the chroot) and be owned by that user; a root-owned file with mode 644 is not writable by the service:
touch /var/unbound/unbound.log
chown unbound:unbound /var/unbound/unbound.log
chmod 640 /var/unbound/unbound.log
Alternatively, set use-syslog: yes and omit logfile to send the records to syslogd, which avoids the chroot and permission issues entirely.
Restart Unbound:
service local_unbound restart
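Once log-replies is on, the log answers the practical questions behind this section: what is being looked up, how well the cache is working, and whether a client is producing an unusual number of NXDOMAIN replies (typically a broken search list, or software probing names that do not exist). The following is an added example and is not part of the original article or the Unbound project. It assumes the reply-line layout of recent Unbound releases, "[epoch] unbound[pid:thread] info: client qname qtype qclass rcode time cached size"; check one line of your own log against that before relying on the field positions. The sample log lines are constructed and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): summarise an Unbound log
# written with log-replies enabled. Field positions follow the reply-line
# format of recent Unbound releases and are an assumption to verify against
# your own log. The sample log below is constructed for offline use.

SAMPLE_LOG='[1700000000] unbound[1234:0] info: 127.0.0.1 freebsd.org. A IN NOERROR 0.037421 0 80
[1700000001] unbound[1234:0] info: 127.0.0.1 freebsd.org. A IN NOERROR 0.000120 1 80
[1700000002] unbound[1234:0] info: 127.0.0.1 freebsd.org. AAAA IN NOERROR 0.030010 0 92
[1700000003] unbound[1234:1] info: 127.0.0.1 ads.example.com. A IN NXDOMAIN 0.000090 1 45
[1700000004] unbound[1234:1] info: 127.0.0.1 www.example.net. A IN NOERROR 0.021000 0 60
[1700000005] unbound[1234:0] info: 127.0.0.1 zq3k9x.example.org. A IN NXDOMAIN 0.018000 0 45
[1700000006] unbound[1234:0] info: 127.0.0.1 xv7h2p.example.org. A IN NXDOMAIN 0.017000 0 45'

# Keep only reply lines: an "info:" record whose 8th field is an rcode.
# (log-queries lines have no rcode and are dropped, so nothing is counted twice.)
reply_lines() {
    awk '$3 == "info:" && NF >= 10 && $8 ~ /^[A-Z]+$/'
}

# Most-queried names: prints "count name", highest count first, at most N lines.
top_names() {
    reply_lines | awk '{ c[$5]++ } END { for (k in c) print c[k], k }' \
        | sort -k1,1nr -k2,2 | head -n "${1:-10}"
}

# Cache effectiveness: prints "hits total percent" from the cached flag ($10).
cache_hit_ratio() {
    reply_lines | awk '{ t++; if ($10 == 1) h++ }
        END { printf "%d %d %d\n", h, t, (t ? int(100 * h / t) : 0) }'
}

# NXDOMAIN replies per client: prints "client nxdomain total", one line per
# client. A client whose NXDOMAIN share jumps, especially for random-looking
# names as in the sample, deserves a look.
nxdomain_by_client() {
    reply_lines | awk '{ t[$4]++; if ($8 == "NXDOMAIN") n[$4]++ }
        END { for (c in t) print c, n[c] + 0, t[c] }' | sort
}

# Usage against the live log (substitute whatever logfile: points at):
#   top_names 20       < /path/to/unbound.log
#   cache_hit_ratio    < /path/to/unbound.log
#   nxdomain_by_client < /path/to/unbound.log
```

On the sample, cache_hit_ratio reports two cached replies out of seven and nxdomain_by_client shows three NXDOMAIN replies from the single client, one of them the blocked ad domain and two for names that look machine-generated. Running the same three functions daily against the rotated log gives a small baseline you can compare against after a configuration change.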
10. Conclusion
Setting up Unbound as a local DNS resolver on FreeBSD enhances speed, security, and privacy. By configuring Unbound properly, enabling DNSSEC, and optimizing settings, you can create a reliable and efficient DNS setup tailored to your needs. Regular maintenance, such as updating root hints and monitoring logs, ensures continued performance and security.
With this setup, your FreeBSD system can now resolve domain names efficiently without relying on external DNS providers.