How to Configure Unbound as a Local DNS Resolver on FreeBSD

How to set up Unbound, a lightweight, high-performance DNS resolver, as a local resolver on FreeBSD.

Unbound is a lightweight, high-performance recursive DNS resolver that can be used to improve DNS resolution speed and security. FreeBSD ships it in the base system (as local-unbound, with its own rc service), so there is nothing to install for a basic setup. This guide walks you through locating, configuring, and securing Unbound as a local DNS resolver on FreeBSD.

1. Understanding Unbound

Unbound is a validating, caching, recursive DNS resolver. When set up as a local resolver it walks the DNS tree itself, starting from the root servers, instead of handing every query to an upstream provider such as your ISP's DNS or Google Public DNS. No single third party sees your full query history, answers are validated with DNSSEC before they reach applications, and once the cache is warm most lookups are answered locally. (A cold recursive lookup takes longer than a forwarded one; the latency benefit comes from the cache.)

Benefits of Using Unbound

  • Improved Performance: Caches DNS responses for faster lookup times.
  • Better Privacy: Reduces reliance on third-party DNS services.
  • Security Features: Validates DNSSEC signatures and refuses (SERVFAIL) answers that fail validation.
  • Customizable: Allows fine-tuning of DNS configurations for specific needs.

2. Installing Unbound on FreeBSD

FreeBSD includes Unbound in the base system. To avoid clashing with the dns/unbound port, the base binaries carry a local-unbound prefix (local-unbound, local-unbound-anchor, local-unbound-checkconf, local-unbound-control, local-unbound-setup) and the rc service is called local_unbound. If you need a newer version or build options the base copy lacks, install the port or package; it puts its binaries under /usr/local (unbound, unbound-anchor, ...), reads /usr/local/etc/unbound/unbound.conf and installs a separate rc service named unbound. Do not enable both services: each would try to bind port 53.

Verify the Base-System Unbound

local-unbound -V

This prints the version and the compiled-in features. If you would rather use the port, install it with:

pkg install unbound

Or using ports:

cd /usr/ports/dns/unbound && make install clean

The rest of this guide uses the base-system paths, binary names and service name; substitute the /usr/local paths, the unbound* binaries and the unbound service if you chose the port.

3. Configuring Unbound as a Local Resolver

Edit the Unbound Configuration File

The base-system configuration lives in /var/unbound; /etc/unbound is a symbolic link to that directory, so /etc/unbound/unbound.conf names the same file as:

/var/unbound/unbound.conf

Use your preferred text editor to modify the configuration file, and run the configuration checker after every edit; a syntax error leaves the host with no working resolver at all:

vi /var/unbound/unbound.conf
local-unbound-checkconf /var/unbound/unbound.conf

Basic Configuration Example

Below is a minimal working configuration for a resolver that recurses from the root servers itself. The forward-zone at the end is commented out on purpose: enabling it turns Unbound into a forwarder that sends every query to the listed upstream servers, which reintroduces exactly the third-party dependence described in section 1. Uncomment it only if outbound port 53 is blocked on your network.

server:
    verbosity: 1
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    root-hints: "/var/unbound/root.hints"
    auto-trust-anchor-file: "/var/unbound/root.key"
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: no
    cache-min-ttl: 3600
    cache-max-ttl: 86400
    prefetch: yes
    num-threads: 2
    rrset-roundrobin: yes
    minimal-responses: yes
    hide-identity: yes
    hide-version: yes
    qname-minimisation: yes
    module-config: "validator iterator"
    val-log-level: 2
    val-permissive-mode: no

# Optional: forward everything to upstream resolvers instead of recursing.
# Leave this disabled for a true local resolver.
#forward-zone:
#    name: "."
#    forward-addr: 1.1.1.1
#    forward-addr: 8.8.8.8

Explanation of Key Settings

  • interface: Addresses Unbound listens on. Loopback only, so nothing off-host can reach it.
  • access-control: Which client addresses may query. Unbound refuses everything except localhost by default, so together with the loopback interfaces these two lines make this a private resolver.
  • root-hints: File with the root server addresses used to start recursion (section 4).
  • auto-trust-anchor-file: The DNSSEC root trust anchor. Without it the validator has nothing to validate against and every answer is treated as insecure. Create it with local-unbound-anchor (section 8) before the first start; Unbound will refuse to start if the line points at a missing file.
  • do-ip6: Set this to no on a host without working IPv6; otherwise lookups stall while Unbound times out against IPv6 authoritative servers.
  • cache-min-ttl / cache-max-ttl: Bounds on how long answers are cached. cache-min-ttl: 3600 overrides authoritative TTLs shorter than an hour, so a changed record can take up to an hour to show up; lower it or remove it if that matters to you.
  • harden-*, qname-minimisation, hide-*: Reduce what the resolver leaks about itself and its queries, and what a spoofed response can inject into the cache.
  • val-permissive-mode: no: Answers that fail DNSSEC validation are returned as SERVFAIL instead of being passed through.
  • forward-zone: Upstream resolvers to use instead of recursion; keep it commented out unless you need a forwarder.

4. Fetching Root Hints File

Unbound has the root server addresses compiled in, so the file is optional, but a current copy keeps you independent of the built-in list after a root server is renumbered. Download it from the official source into the Unbound directory, where the unbound user can read it even when the daemon runs chrooted:

fetch -o /var/unbound/root.hints https://www.internic.net/domain/named.cache

Update this file periodically (root server addresses change rarely, so a few times a year is plenty), then check the configuration and restart the service so the new file is read:

local-unbound-checkconf /var/unbound/unbound.conf
service local_unbound restart

5. Enabling and Starting Unbound

To enable Unbound at boot (sysrc(8) sets the variable in /etc/rc.conf in place, so it is safe to run more than once, unlike appending with echo):

sysrc local_unbound_enable=YES

If you are running the port or package instead, the variable is unbound_enable and the service is called unbound.

Before the first start, create the trust anchor that the configuration from section 3 references (local-unbound-anchor -a /var/unbound/root.key, described in section 8). Then start the Unbound service:

service local_unbound start

To check the status, and to confirm that it is listening only on the loopback addresses:

service local_unbound status
sockstat -46l -p 53

6. Configuring FreeBSD to Use Unbound as a Resolver

To make FreeBSD use Unbound for DNS resolution, /etc/resolv.conf must list the loopback address as the first nameserver. On a host with static network configuration, writing it directly is enough:

echo 'nameserver 127.0.0.1' > /etc/resolv.conf

On a host that gets its addresses from DHCP this does not stick: dhclient hands the nameservers from the lease to resolvconf(8), which rewrites /etc/resolv.conf at every renewal. To keep the local resolver in front, add name_servers=127.0.0.1 to /etc/resolvconf.conf and regenerate the file:

resolvconf -u

name_servers prepends the address to the dynamic list, so the DHCP-supplied servers remain as fallbacks after it; libc tries nameservers in order, so they are only used if Unbound does not answer. Check /etc/resolv.conf again after the next lease renewal. Note that local-unbound-setup(8), FreeBSD's turnkey script, builds a forwarding configuration (it writes its own unbound.conf with the DHCP-supplied servers as forwarders and arranges for resolvconf to keep that list updated), so it is an alternative to the hand-written configuration in section 3, not a companion to it.

7. Testing Your Configuration

The FreeBSD base system does not include dig; it ships drill(1) (from ldns) and host(1), and dig comes with the dns/bind-tools package. Use whichever you have:

drill freebsd.org @127.0.0.1

dig freebsd.org @127.0.0.1

If it resolves successfully, Unbound is functioning correctly.

To check caching, run the same command twice and compare the "Query time" lines: the first answer is fetched recursively (tens to hundreds of milliseconds), the second comes from the cache (typically a millisecond or less), and the TTL in the answer section counts down between the two runs.

A query sent from another machine should fail to connect, because the resolver listens only on the loopback addresses and allows only loopback clients. If it answers, revisit the interface and access-control lines in section 3.

8. Enabling DNSSEC Validation

Unbound validates DNSSEC only when it has a trust anchor for the root zone; the module-config and val-* lines from section 3 are inert without one. Make sure these settings are present in /var/unbound/unbound.conf:

server:
    val-log-level: 2
    val-permissive-mode: no
    auto-trust-anchor-file: "/var/unbound/root.key"

auto-trust-anchor-file is preferred over trust-anchor-file: it lets Unbound follow root key rollovers automatically (RFC 5011) by rewriting the file, which is why the file must be writable by the unbound user.

Initialize DNSSEC support by fetching the current root trust anchor (local-unbound-anchor checks it against the built-in key and the IANA root-anchors data before writing it), then hand the file to the unbound user:

local-unbound-anchor -a /var/unbound/root.key
chown unbound:unbound /var/unbound/root.key

Restart Unbound:

service local_unbound restart

To verify DNSSEC validation, send a query with the DO bit set (drill -D, or dig +dnssec) for a signed zone:

drill -D freebsd.org @127.0.0.1

Look for the ad (Authenticated Data) flag on the ";; flags:" line of the response; freebsd.org is signed, so a validating resolver sets it. Then confirm that validation fails closed by querying a zone that is deliberately mis-signed, such as dnssec-failed.org: a validating resolver returns SERVFAIL, and a resolver that returns an address for it is not validating at all.
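As an added example (not part of the original guide and not code from the Unbound project), the following sh script automates the two checks above: it queries freebsd.org and dnssec-failed.org with drill or dig, parses the response code and the AD flag out of the tool's output, and reports whether the resolver validates. The resolver address, the helper names and the SAMPLE_* transcripts are assumptions made for this example; the transcripts are constructed so the parsers can be exercised without network access.

```shell
#!/bin/sh
# Added example: check that the local resolver validates DNSSEC, using drill
# (FreeBSD base) or dig (dns/bind-tools). This is not code from the guide or
# from the Unbound project. The parsing functions work on captured output, so
# they can also be run over a saved transcript; the SAMPLE_* transcripts below
# are constructed for this example, not real captures.

RESOLVER="${RESOLVER:-127.0.0.1}"

# Pick whichever query tool is installed.
query_tool() {
    if command -v drill >/dev/null 2>&1; then echo drill
    elif command -v dig >/dev/null 2>&1; then echo dig
    else return 1
    fi
}

# query NAME [TYPE]: send a query with the DO bit set and return the raw output.
query() {
    case "$(query_tool)" in
        drill) drill -D "$1" "@$RESOLVER" "${2:-A}" ;;
        dig)   dig +dnssec "$1" "@$RESOLVER" "${2:-A}" ;;
        *)     return 1 ;;
    esac
}

# rcode_of OUTPUT: the response code from the ";; ->>HEADER<<-" line.
# drill labels it "rcode:", dig labels it "status:".
rcode_of() {
    printf '%s\n' "$1" \
      | sed -En 's/^;; ->>HEADER<<- .*(rcode|status): ([A-Z]+).*/\2/p' \
      | head -n 1
}

# has_ad_flag OUTPUT: true when the AD (Authenticated Data) bit is set, i.e. the
# resolver validated the answer. The flag list sits between "flags:" and the
# next ";" on the ";; flags:" line in both drill and dig output.
has_ad_flag() {
    printf '%s\n' "$1" \
      | sed -En 's/^;; flags: ([a-z ]*);.*/\1/p' \
      | tr ' ' '\n' | grep -qx ad
}

# classify OUTPUT EXPECT: 0 if OUTPUT is what a validating resolver should
# return for a zone that is EXPECT="secure" (NOERROR with AD set) or
# EXPECT="bogus" (SERVFAIL: the bad signature was rejected, not passed through).
classify() {
    rc=$(rcode_of "$1")
    case "$2" in
        secure) [ "$rc" = NOERROR ] && has_ad_flag "$1" ;;
        bogus)  [ "$rc" = SERVFAIL ] ;;
        *)      return 2 ;;
    esac
}

# live_check: query a correctly signed zone (freebsd.org) and a deliberately
# mis-signed test zone (dnssec-failed.org). Needs network access.
live_check() {
    query_tool >/dev/null || { echo "install drill or dns/bind-tools" >&2; return 1; }
    good=$(query freebsd.org) || true
    bad=$(query dnssec-failed.org) || true
    status=0
    if classify "$good" secure; then
        echo "OK   freebsd.org: NOERROR with AD set (validated)"
    else
        echo "FAIL freebsd.org: rcode $(rcode_of "$good"), AD not set: not validating"
        status=1
    fi
    if classify "$bad" bogus; then
        echo "OK   dnssec-failed.org: SERVFAIL (bogus answer rejected)"
    else
        echo "FAIL dnssec-failed.org: rcode $(rcode_of "$bad"): resolver is not validating"
        status=1
    fi
    return $status
}

# Constructed sample headers (drill style for the first and third, dig style for
# the second) used to exercise the parsers without network access.
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 4711
;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 4713
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

classify "$SAMPLE_SECURE" secure && echo "parser: secure sample recognised"
classify "$SAMPLE_BOGUS" bogus && echo "parser: bogus sample recognised"
classify "$SAMPLE_INSECURE" secure || echo "parser: unvalidated sample rejected"

# Run the live check with: sh dnssec-check.sh live
if [ "${1:-}" = live ]; then
    live_check
fi
```

Run it as sh dnssec-check.sh live on the FreeBSD host once the service is up. A "FAIL" on freebsd.org usually means the trust anchor is missing or unreadable; a "FAIL" on dnssec-failed.org with an address in the answer means queries are being answered without validation, for example because a forward-zone points at a resolver that strips DNSSEC data.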

9. Optimizing and Securing Unbound

Blocking Ads and Trackers

Unbound can block ads and trackers with local zones. Each entry belongs in the server: section of /var/unbound/unbound.conf:

server:
    local-zone: "ads.example" always_nxdomain

The form local-zone: "example.com" static also works: a static zone answers NXDOMAIN for every name in it that has no local-data, while always_nxdomain does so unconditionally and states the intent of a blocklist more clearly. Both cover the name and everything below it, so one entry blocks all of a domain's subdomains. Replace the name with known ad domains; for a list of any size, generate the entries into a separate file, pull it in with an include: line in the server: section, and run local-unbound-checkconf before restarting.
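The following sh script is an added example, not code from the guide or from the Unbound project. It converts a hosts-format blocklist (the "0.0.0.0 ads.example" format most public ad and tracker lists use) into local-zone entries, writes them to a separate file, checks that Unbound still parses its configuration, and restarts the service. The output path /var/unbound/blocklist.conf, the function names and the embedded sample list are assumptions made for this example.

```shell
#!/bin/sh
# Added example: build an Unbound blocklist from a hosts-format list (lines
# such as "0.0.0.0 ads.example"), which is how most public ad/tracker lists
# are published. Not code from the guide or from the Unbound project. The
# output path, the file name blocklist.conf and the sample list are
# assumptions made for this example.

BLOCKLIST_CONF="${BLOCKLIST_CONF:-/var/unbound/blocklist.conf}"

# hosts_to_unbound: read hosts-format lines on stdin, write one
#   local-zone: "name" always_nxdomain
# per unique name on stdout. Comments, blank lines and loopback aliases are
# dropped, names are lower-cased and a trailing dot removed, and anything that
# is not a plain hostname is skipped so a hostile list cannot smuggle quotes or
# other directives into the config. always_nxdomain blocks the name and every
# name below it.
hosts_to_unbound() {
    awk '
        /^[ \t]*#/ || NF < 2 { next }
        {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break
                n = tolower($i)
                sub(/\.$/, "", n)
                if (n == "localhost" || n == "localhost.localdomain" ||
                    n == "broadcasthost" || n == "ip6-localhost" ||
                    n == "ip6-loopback") continue
                if (n ~ /^[a-z0-9][a-z0-9._-]*$/ && !(n in seen)) {
                    seen[n] = 1
                    printf "local-zone: \"%s\" always_nxdomain\n", n
                }
            }
        }'
}

# install_blocklist SRC: convert SRC into $BLOCKLIST_CONF, verify that Unbound
# still parses its configuration, and restart it. unbound.conf must contain
#   include: "/var/unbound/blocklist.conf"
# inside its server: section for the file to take effect.
install_blocklist() {
    tmp=$(mktemp) || return 1
    hosts_to_unbound < "$1" > "$tmp"
    echo "generated $(wc -l < "$tmp" | tr -d ' ') local-zone entries from $1" >&2
    mv "$tmp" "$BLOCKLIST_CONF" && chmod 644 "$BLOCKLIST_CONF"
    if command -v local-unbound-checkconf >/dev/null 2>&1; then
        local-unbound-checkconf /var/unbound/unbound.conf && service local_unbound restart
    elif command -v unbound-checkconf >/dev/null 2>&1; then
        unbound-checkconf && service unbound restart
    else
        echo "no unbound-checkconf found; restart Unbound by hand" >&2
    fi
}

# Constructed sample (not a real blocklist) so the converter can be tried
# without downloading anything. With a real list:
#   fetch -o /tmp/hosts.txt <url of the list>; install_blocklist /tmp/hosts.txt
SAMPLE_HOSTS='# constructed hosts-format blocklist
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
0.0.0.0 ads.example
0.0.0.0 Tracker.example.   # mixed case and trailing dot are normalised
0.0.0.0 ads.example        # duplicate is dropped
0.0.0.0 bad"name.example   # not a hostname, skipped'

printf '%s\n' "$SAMPLE_HOSTS" | hosts_to_unbound
```

Running the script as-is prints the two local-zone lines the sample list reduces to. Keeping the generated entries in their own file, referenced by an include: line in the server: section, means a bad download can be rolled back by restoring one file, and the checkconf step before the restart catches a list that would otherwise leave the host without a resolver.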

Rate Limiting

Unbound's ratelimit option caps the number of queries per second it sends towards any one zone's authoritative servers (it protects the zones you query, not your own resolver), and ip-ratelimit caps queries per second from a single client address. For a loopback-only resolver neither does much: the interface and access-control lines in section 3 are what keep outsiders from using it. If you later open it to a LAN, restrict access-control to that network and add a per-client limit alongside the per-zone one:

server:
    ratelimit: 1000
    ip-ratelimit: 100

Logging Queries

For troubleshooting, log each query and its reply. This is very verbose and records every domain every user on the host looks up, so turn it off again when you are done:

server:
    log-queries: yes
    log-replies: yes
    use-syslog: no
    logfile: "/var/log/unbound.log"

Two things decide whether Unbound can actually open that file. First, the daemon runs as the unbound user, so the file must be writable by that user; a root-owned file with mode 644 cannot be written to, and the log simply stays empty. Second, Unbound may run chrooted (FreeBSD's base-system build and generated configuration use /var/unbound), and the logfile path is resolved inside the chroot, so /var/log/unbound.log must exist relative to the chroot directory. Check what your configuration resolves to:

local-unbound-checkconf -o chroot /var/unbound/unbound.conf

If it prints /var/unbound, either keep the log under that directory (logfile: "/var/unbound/unbound.log") or leave use-syslog at its default of yes and read the entries through syslogd; Unbound logs to the daemon facility at info level, so add a daemon.info line to /etc/syslog.conf if the default /var/log/messages selector does not keep that level. For a file outside the chroot, create it and set the ownership:

touch /var/log/unbound.log
chown unbound:unbound /var/log/unbound.log
chmod 640 /var/log/unbound.log

Restart Unbound:

service local_unbound restart

10. Conclusion

Setting up Unbound as a local DNS resolver on FreeBSD enhances speed, security, and privacy. By configuring Unbound properly, enabling DNSSEC, and optimizing settings, you can create a reliable and efficient DNS setup tailored to your needs. Regular maintenance, such as updating root hints and monitoring logs, ensures continued performance and security.

With this setup, your FreeBSD system can now resolve domain names efficiently without relying on external DNS providers.