Why

I was done with companies sleuthing for information (this includes your DNS requests, whenever they can get at them!).
I wanted to be able to use DNSSEC and DANE,
without losing the dynamic DHCP/DNS capability of dnsmasq.

Software

  1. dnsmasq for DHCP and dynamic DNS

  2. Unbound as validating, caching and recursive DNS resolver

How

There were two ways of doing this:

  1. Make dnsmasq the primary DNS server on my LAN and use Unbound as the recursive resolver
  2. Make Unbound the primary DNS server on my LAN and have it use dnsmasq for my LAN (and its domains)

I chose option 2, assuming that Unbound is more geared towards performance and security than dnsmasq is.

Configuring Unbound

This was amazingly simple to do, but Unbound is a bit daunting given the number of features it has. I've boiled it down to:

    server:
            verbosity: 1
            num-threads: 1
            interface: 192.0.2.1
            access-control: 192.0.2.1/24 allow
            chroot: "/usr/local/etc/unbound"
            username: "unbound"
            directory: "/usr/local/etc/unbound"
            use-syslog: yes
            pidfile: "/var/run/unbound/unbound.pid"

            # Tune for lower memory usage
            outgoing-num-tcp: 1
            incoming-num-tcp: 1
            outgoing-range: 60
            msg-buffer-size: 8192
            msg-cache-size: 100k
            msg-cache-slabs: 1
            rrset-cache-size: 100k
            rrset-cache-slabs: 1
            infra-cache-numhosts: 1000
            infra-cache-slabs: 1
            key-cache-size: 100k
            key-cache-slabs: 1
            neg-cache-size: 10k
            num-queries-per-thread: 30
            target-fetch-policy: "2 1 0 0 0 0"

            hide-identity: yes
            hide-version: yes
            harden-short-bufsize: yes
            harden-large-queries: yes
            harden-glue: yes
            harden-dnssec-stripped: yes
            harden-below-nxdomain: yes

            private-address: 192.0.2.0/24
            private-domain: "example.net"
            private-domain: "example.org"
            do-not-query-localhost: yes

            module-config: "validator iterator"
            auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
            dlv-anchor-file: "dlv.isc.org.key"

            val-clean-additional: yes
            local-zone: "0.192.in-addr.arpa." nodefault
            unblock-lan-zones: yes

    stub-zone:
            name: "example.net"
            stub-addr: 192.0.2.1@5353

    stub-zone:
            name: "example.org"
            stub-addr: 192.0.2.1@5353

  1. pidfile: "/var/run/unbound/unbound.pid"

     The default configuration puts the pid file in /usr/local/etc/unbound, which does not follow hier(7), and according to Unbound's documentation the pid file is not required to be inside the chroot. Create the directory and hand it to the unbound user:

         mkdir -p /var/run/unbound
         chown unbound /var/run/unbound

  2. interface: 192.0.2.1 and stub-addr: 192.0.2.1@5353

     Unbound listens on the default DNS port (53) on the LAN address; dnsmasq listens on the same address on port 5353, and the two stub-zones send queries for the LAN domains there.

dnsmasq configuration

    domain-needed
    bogus-priv
    expand-hosts

    no-resolv

    listen-address=192.0.2.1
    port=5353

    domain=example.net,192.0.2.0/24,local
    domain=example.org,192.0.2.0/24,local

    dhcp-range=192.0.2.100,192.0.2.199,255.255.255.0,24h
    dhcp-range=::,constructor:em0, ra-stateless, ra-names

    dhcp-host=somehost
    dhcp-host=anotherhost

    dhcp-option=option:router,192.0.2.254
    dhcp-option=option:dns-server,192.0.2.1
    dhcp-option=option:ntp-server,192.0.2.1
    dhcp-option=option:domain-search,example.org,example.net
    dhcp-option=54,192.0.2.1      # DHCP Server Id

    dhcp-option=option6:dns-server,[::]
    dhcp-option=option6:information-refresh-time,6h

    dhcp-option=19,0           # option ip-forwarding off
    dhcp-option=44,192.0.2.1   # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
    dhcp-option=45,0.0.0.0     # netbios datagram distribution server
    dhcp-option=46,8           # netbios node type
    dhcp-option=252,"\n"       # please Windows 7

    mx-target=smtp.example.org
    localmx
    selfmx

    srv-host=_ldap._tcp.example.org,example.org,389

  1. dhcp-host=somehost and dhcp-host=anotherhost

     Give a fixed IP address to a host that is defined in /etc/hosts.
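
The split above only works when the two daemons agree on where the LAN zones live. The following checker is an added example, not part of this page's setup: it parses excerpts of the two configs (constructed here from the listings above, not read from disk) and reports the mismatches that silently break the arrangement: a stub-addr pointing where dnsmasq does not listen, a stub zone missing from private-domain so that its 192.0.2.x answers get scrubbed, or a loopback stub-addr while do-not-query-localhost stays at its default of yes. The function names parse_unbound, parse_dnsmasq and check_forwarding are my own; the example.org stub is deliberately misconfigured so that there is something to report.

```python
import ipaddress

# Constructed excerpts of the two configs above; the example.org stub deliberately points at loopback.
UNBOUND_CONF = """\
server:
    private-address: 192.0.2.0/24
    private-domain: "example.net"
stub-zone:
    name: "example.net"
    stub-addr: 192.0.2.1@5353
stub-zone:
    name: "example.org"
    stub-addr: 127.0.0.1
"""
DNSMASQ_CONF = "listen-address=192.0.2.1\nport=5353\ndomain=example.net,192.0.2.0/24,local\n"

def parse_unbound(text):
    """Return (server options, list of stub-zones); repeated keys collect into lists."""
    server, stubs, cur = {}, [], {}
    for line in (l.split("#", 1)[0].strip() for l in text.splitlines()):
        if line == "server:":
            cur = server
        elif line == "stub-zone:":
            stubs.append(cur := {})
        elif line:
            key, _, val = line.partition(":")
            cur.setdefault(key.strip(), []).append(val.strip().strip('"'))
    return server, stubs

def parse_dnsmasq(text):
    """Return dnsmasq key=value options; repeated keys collect into lists."""
    opts = {}
    for key, _, val in (l.split("#", 1)[0].strip().partition("=") for l in text.splitlines()):
        if key:
            opts.setdefault(key, []).append(val)
    return opts

def check_forwarding(unbound_text, dnsmasq_text):
    """Return the problems found; an empty list means every stub-zone will reach dnsmasq."""
    (server, stubs), dm = parse_unbound(unbound_text), parse_dnsmasq(dnsmasq_text)
    problems, dm_port, dm_addrs = [], dm.get("port", ["53"])[0], set(dm.get("listen-address", []))
    for zone in stubs:
        name, (host, _, port) = zone["name"][0], zone["stub-addr"][0].partition("@")
        if host not in dm_addrs or (port or "53") != dm_port:
            problems.append(f"{name}: stub-addr {host}@{port or '53'} is not where dnsmasq listens")
        # private-address strips LAN addresses from answers unless the zone is listed as private-domain
        if server.get("private-address") and name not in server.get("private-domain", []):
            problems.append(f"{name}: missing private-domain, LAN answers would be scrubbed")
        # Unbound never sends queries to 127.0.0.1 while do-not-query-localhost is yes (the default)
        if ipaddress.ip_address(host).is_loopback and server.get("do-not-query-localhost", ["yes"])[0] == "yes":
            problems.append(f"{name}: stub-addr is loopback but do-not-query-localhost is yes")
    return problems
```

Run it against the real files with open("/usr/local/etc/unbound/unbound.conf").read() and the dnsmasq.conf path in use; the checker only looks at the keys named above, so extra options are ignored.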

BernardSpil/DHCP_DNS (last edited 2015-05-17T11:42:16+0000 by BernardSpil)