Blocking ads with Unbound and DoT

DNS Security

Reading time: 7m

Want to block ads network-wide and encrypt DNS traffic with DNS-Over-TLS (DoT) ?

In this post, I will go over the configuration of Unbound (DNS server) with DoT (DNS over TLS)

For this you will need Unbound 1.9.6 linked with libssl and libcrypto.  For this I chose Gentoo Linux:

* net-dns/unbound
Latest version available: 1.9.6
Latest version installed: 1.9.6
Size of files: 5,548 KiB
Homepage: https://unbound.net/ https://nlnetlabs.nl/projects/unbound/about/
Description: A validating, recursive and caching DNS resolver
License: BSD GPL-2

So you’d install unbound by executing:

emerge -qv net-dns/unbound

After unbound is installed, you’ll want to edit the configuration so it looks like this:

server:
    tls-cert-bundle: /etc/unbound/ca-certificates.crt
    do-not-query-localhost: no
    verbosity: 2
    logfile: /etc/unbound/unbound.log
    interface: 0.0.0.0
    port: 53
    outgoing-interface: LAN.IP
    access-control: LAN.SUBNET/BITS allow
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    ip-ratelimit: 2000
    hide-identity: yes
    hide-version: yes
    harden-large-queries: yes
    harden-short-bufsize: yes
    harden-glue: yes
    use-syslog: no
    root-hints: "/etc/unbound/root.hints"
    do-tcp: yes
    do-udp: yes

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#one.one.one.one
    forward-addr: 1.0.0.1@853#one.one.one.one

Be sure to adjust the ACLs to allow your IP ranges to query the server, everything else should be denied

In order to get the root.hints file, you’ll need to download the latest from InterNIC:

 wget https://www.internic.net/domain/named.cache -O /etc/unbound/root.hints

To get the CA certificates file you’ll need to validate 1.1.1.1/one.one.one.one you’ll need the ca-certificates package:

emerge -qv app-misc/ca-certificates
cp /etc/ssl/certs/ca-certificates.crt /etc/unbound/ca-certificates.crt

To activate logging you’ll need to give your unbound user access to write to the logfile:

touch /var/log/unbound.log
chown unbound:unbound /var/log/unbound.log
chmod 700 /var/log/unbound.log

Touch the blocklist file:

mkdir /var/unbound
touch /etc/unbound/ad-blocklist.conf
ln -s /etc/unbound/ad-blocklist.conf /var/unbound/ad-blocklist.conf
chown -h unbound:unbound /var/unbound/ad-blocklist.conf
chown unbound:unbound /etc/unbound/ad-blocklist.conf /var/unbound

At this point you’ll need a script called unbound-adblock:

https://github.com/matijazezelj/unbound-adblock

Simply clone on your server, cd to unbound-adblock, run update-hosts.sh, and it should populate /etc/unbound/ad-blocklist.conf

Check the configuration of Unbound:

unbound-checkconf

It should return “unbound-checkconf: no errors in /etc/unbound/unbound.conf” if all is well.

Add it to runlevel default:

# rc-update add unbound default
* service unbound added to runlevel default

Start the service:

rc-service unbound start

Test that the server works for local and LAN queries:

# dig +short @localhost google.com
216.239.32.117
216.239.34.117
216.239.36.117
216.239.38.117
$ dig @192.168.x.x +short google.com
216.239.36.117
216.239.38.117
216.239.32.117
216.239.34.117

After that, I set the default DNS server for my network with DHCP, so every device that asks for an IP gets one.  Bear in mind this means you’ll need a statically configured IP on the server, or DHCP reservation on your DHCP server/router to have your DNS server on a specific IP address.

You could also enforce the usage of your DNS server using a dst-nat firewall rule which catches 53/udp packets and redirects them to your DNS server’s IP.  Since Unbound is doing port 853 (DoT) outbound, only clients issuing lookups on 53/udp will get redirected and protected via DoT.  Note that when you enforce redirects of 53/udp packets, even servers that aren’t configured to use your DNS will end up going through yours regardless of their configuration.

 

Leave a Comment