Want to block ads network-wide and encrypt DNS traffic with DNS-over-TLS (DoT)?
In this post, I will go over the configuration of Unbound (a DNS resolver) with DoT (DNS over TLS).
For this you will need Unbound 1.9.6 built with TLS support, i.e. linked against libssl and libcrypto. I chose Gentoo Linux, where the package looks like this:
* net-dns/unbound
Latest version available: 1.9.6
Latest version installed: 1.9.6
Size of files: 5,548 KiB
Homepage: https://unbound.net/ https://nlnetlabs.nl/projects/unbound/about/
Description: A validating, recursive and caching DNS resolver
License: BSD GPL-2
So you’d install unbound by executing:
emerge -qv net-dns/unbound
After unbound is installed, you’ll want to edit the configuration so it looks like this:
server:
    tls-cert-bundle: /etc/unbound/ca-certificates.crt
    do-not-query-localhost: no
    verbosity: 2
    logfile: /etc/unbound/unbound.log
    interface: 0.0.0.0
    port: 53
    outgoing-interface: LAN.IP
    access-control: LAN.SUBNET/BITS allow
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    ip-ratelimit: 2000
    hide-identity: yes
    hide-version: yes
    harden-large-queries: yes
    harden-short-bufsize: yes
    harden-glue: yes
    use-syslog: no
    root-hints: "/etc/unbound/root.hints"
    do-tcp: yes
    do-udp: yes

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#one.one.one.one
    forward-addr: 1.0.0.1@853#one.one.one.one
Be sure to adjust the access-control lines so that only your own IP ranges (LAN.SUBNET/BITS) may query the server; everything else is refused.
In order to get the root.hints file, you’ll need to download the latest from InterNIC:
wget https://www.internic.net/domain/named.cache -O /etc/unbound/root.hints
Unbound validates the certificate presented by 1.1.1.1 (one.one.one.one) against the bundle named in tls-cert-bundle. To get that file, install the ca-certificates package and copy the bundle into place:
emerge -qv app-misc/ca-certificates
cp /etc/ssl/certs/ca-certificates.crt /etc/unbound/ca-certificates.crt
To activate logging you’ll need to give your unbound user write access to the logfile (the path must match the logfile: setting in unbound.conf):
touch /var/log/unbound.log
chown unbound:unbound /var/log/unbound.log
chmod 700 /var/log/unbound.log
Create the blocklist file and its symlink:
mkdir /var/unbound
touch /etc/unbound/ad-blocklist.conf
ln -s /etc/unbound/ad-blocklist.conf /var/unbound/ad-blocklist.conf
chown -h unbound:unbound /var/unbound/ad-blocklist.conf
chown unbound:unbound /etc/unbound/ad-blocklist.conf /var/unbound
At this point you’ll need a script called unbound-adblock:
https://github.com/matijazezelj/unbound-adblock
Simply clone it on your server, cd into unbound-adblock, and run update-hosts.sh; it should populate /etc/unbound/ad-blocklist.conf. Unbound only loads that file if unbound.conf references it with an include: directive in the server: section.
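To make the blocking step concrete, here is an added example (my own code, not the unbound-adblock script, whose output format the post does not show) that turns hosts-file or plain-domain blocklist lines into Unbound local-zone entries. Every name is validated before it is written: a list line containing quotes, spaces or stray directives is dropped rather than copied into a file that Unbound will parse as configuration. The sample lines in the test are constructed; the always_nxdomain zone type is a real Unbound option.

```python
# Added example (not the unbound-adblock script, whose output format is not
# shown in the post): turn hosts-file or plain-domain blocklist lines into
# Unbound local-zone entries. Every name is validated before it is written,
# so a malformed or hostile list line (quotes, spaces, stray directives)
# cannot inject configuration into unbound.conf.
import re
import sys

LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")   # one DNS label, RFC 1035 style
SINK_IPS = {"0.0.0.0", "127.0.0.1", "::", "::1"}      # hosts-file sinkhole targets
SKIP = {"localhost", "localhost.localdomain", "broadcasthost",
        "ip6-localhost", "ip6-loopback", "local"}      # never block these


def extract_domain(line):
    """Return the lower-cased domain on a blocklist LINE, or None if unusable."""
    line = line.split("#", 1)[0].strip()              # drop comments
    if not line:
        return None
    parts = line.split()
    # hosts format: "0.0.0.0 ads.example"; plain lists: "ads.example"
    name = parts[1] if len(parts) >= 2 and parts[0] in SINK_IPS else parts[0]
    name = name.lower().rstrip(".")
    labels = name.split(".")
    if (name in SKIP or len(name) > 253 or len(labels) < 2
            or labels[-1].isdigit()                   # a bare IP address, not a name
            or not all(LABEL.match(label) for label in labels)):
        return None
    return name


def to_local_zones(lines, action="always_nxdomain"):
    """De-duplicated local-zone lines; always_nxdomain makes Unbound answer
    NXDOMAIN for names in that zone instead of forwarding them upstream."""
    seen, out = set(), []
    for line in lines:
        name = extract_domain(line)
        if name and name not in seen:
            seen.add(name)
            out.append('local-zone: "%s." %s' % (name, action))
    return out


if __name__ == "__main__":
    # usage: python blocklist.py hosts.txt > /etc/unbound/ad-blocklist.conf
    with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
        print("\n".join(to_local_zones(fh)))
```

After regenerating the file, run unbound-checkconf and reload the service; a rejected line is silently skipped, so compare the input and output counts if you want to notice a list that has gone bad.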
Check the configuration of Unbound:
unbound-checkconf
It should return “unbound-checkconf: no errors in /etc/unbound/unbound.conf” if all is well.
Add it to runlevel default:
# rc-update add unbound default
 * service unbound added to runlevel default
Start the service:
rc-service unbound start
Test that the server works for local and LAN queries:
# dig +short @localhost google.com
216.239.32.117
216.239.34.117
216.239.36.117
216.239.38.117
$ dig @192.168.x.x +short google.com
216.239.36.117
216.239.38.117
216.239.32.117
216.239.34.117
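The dig checks above only show that names resolve, not that the upstream leg is encrypted. As an added example (my own code, not part of Unbound or the original post), here is a minimal DNS-over-TLS client that does on the wire what the forward-zone entry 1.1.1.1@853#one.one.one.one asks Unbound to do: open TLS to port 853, verify the chain against the CA bundle and the name against one.one.one.one, and exchange DNS messages with the two-byte length prefix RFC 7858 borrows from DNS over TCP. It assumes the bundle path from the configuration above; the response bytes used in the test are constructed.

```python
# Added example (not part of the original post or of Unbound): a minimal
# DNS-over-TLS client, RFC 7858, doing what the forward-zone does with
# 1.1.1.1@853#one.one.one.one: TLS to port 853, the certificate chain checked
# against the CA bundle, the hostname checked against one.one.one.one, and
# each DNS message prefixed with a 2-byte big-endian length.
import socket
import ssl
import struct

CA_BUNDLE = "/etc/unbound/ca-certificates.crt"  # same bundle as tls-cert-bundle


def build_query(name, qtype=1, txid=0x1234):
    """Encode a recursive (RD=1) query for NAME in DNS wire format; qtype 1 = A."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def frame(msg):
    """TCP/TLS framing from RFC 1035 section 4.2.2, reused by RFC 7858."""
    return struct.pack("!H", len(msg)) + msg


def rcode(msg):
    """Response code from the flags word (0 = NOERROR, 3 = NXDOMAIN, ...)."""
    return struct.unpack("!H", msg[2:4])[0] & 0x0F


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                     # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(msg):
    """Return the IPv4 addresses in the answer section of a response MSG."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                           # skip the question section
        _, off = _read_name(msg, off)
        off += 4                                  # qtype + qclass
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the connection mid-message")
        buf += chunk
    return buf


def dot_query(name, server="1.1.1.1", auth_name="one.one.one.one",
              port=853, cafile=CA_BUNDLE, timeout=5.0):
    """Resolve NAME over DoT. create_default_context() enables certificate and
    hostname verification, matching Unbound's tls-cert-bundle plus #auth-name."""
    ctx = ssl.create_default_context(cafile=cafile)
    query = build_query(name)
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(frame(query))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            resp = _recv_exact(tls, length)
    if resp[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    if rcode(resp) != 0:
        raise ValueError("upstream returned rcode %d" % rcode(resp))
    return parse_a_records(resp)


if __name__ == "__main__":
    import sys
    print(dot_query(sys.argv[1] if len(sys.argv) > 1 else "google.com"))
```

If the bundle is missing or the server name does not match the certificate, the TLS handshake fails before any DNS data is sent; that is the same failure Unbound logs when tls-cert-bundle is wrong, so this script is a quick way to tell a certificate problem from a DNS one.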
After that, I set the resolver as the default DNS server in DHCP, so every device that requests a lease is handed its address along with the lease. Bear in mind this means you’ll need a statically configured IP on the server, or a DHCP reservation on your DHCP server/router, so that the DNS server stays at a fixed address.
You could also enforce the use of your resolver with a dst-nat firewall rule that catches outbound 53/udp packets and redirects them to your DNS server’s IP. Since Unbound sends its own upstream queries on port 853 (DoT), the rule only affects clients doing plain lookups on 53/udp; those get redirected and their queries leave the network protected by DoT, while clients already using 53/tcp, DoT or DoH are not touched by a UDP-only rule. Note that once 53/udp is redirected, even devices configured to use some other DNS server will end up going through yours regardless of their configuration.