Why
- I was done with companies sleuthing through every bit of information they can get, and that includes your DNS requests whenever they can see them!
- I wanted to be able to use DNSSEC and DANE
- Without losing the dynamic DHCP/DNS capability of dnsmasq
Software
How
There were two ways of doing this:
- Make dnsmasq the primary DNS server on my LAN and use Unbound as the recursive resolver
- Make Unbound the primary DNS server on my LAN and have it use dnsmasq for my LAN hosts (and domains)
I chose the second, assuming that Unbound is more geared towards performance and security than dnsmasq is.
Configuring Unbound
This was amazingly simple to do, but Unbound is a bit daunting with the amount of features it has. I've boiled it down to the following:
server:
    verbosity: 1
    num-threads: 1
    interface: 192.0.2.1
    access-control: 192.0.2.1/24 allow
    chroot: "/usr/local/etc/unbound"
    username: "unbound"
    directory: "/usr/local/etc/unbound"
    use-syslog: yes
    pidfile: "/var/run/unbound/unbound.pid"

    # Tune for lower memory usage
    outgoing-num-tcp: 1
    incoming-num-tcp: 1
    outgoing-range: 60
    msg-buffer-size: 8192
    msg-cache-size: 100k
    msg-cache-slabs: 1
    rrset-cache-size: 100k
    rrset-cache-slabs: 1
    infra-cache-numhosts: 1000
    infra-cache-slabs: 1
    key-cache-size: 100k
    key-cache-slabs: 1
    neg-cache-size: 10k
    num-queries-per-thread: 30
    target-fetch-policy: "2 1 0 0 0 0"

    hide-identity: yes
    hide-version: yes
    harden-short-bufsize: yes
    harden-large-queries: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-below-nxdomain: yes

    private-address: 192.0.2.0/24
    private-domain: "example.net"
    private-domain: "example.org"
    do-not-query-localhost: yes

    module-config: "validator iterator"
    auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
    dlv-anchor-file: "dlv.isc.org.key"

    val-clean-additional: yes
    local-zone: "0.192.in-addr.arpa." nodefault
    unblock-lan-zones: yes

stub-zone:
    name: "example.net"
    stub-addr: 192.0.2.1@5353

stub-zone:
    name: "example.org"
    stub-addr: 192.0.2.1@5353
- pidfile: "/var/run/unbound/unbound.pid"
  The default config puts the pid file in /usr/local/etc/unbound, which does not follow hier(7), and according to Unbound's documentation the pid file is not required to be inside the chroot. Create the directory and hand it to the unbound user before starting Unbound:
  mkdir -p /var/run/unbound
  chown unbound /var/run/unbound
- interface: 192.0.2.1
- stub-addr: 192.0.2.1@5353
  Unbound listens on the default DNS port (53); dnsmasq listens on port 5353, which is where the stub-zones for the LAN domains send their queries.
- dlv-anchor-file: "dlv.isc.org.key"
  DNSSEC Lookaside Validation has since been decommissioned (ISC shut down dlv.isc.org in 2017); newer Unbound releases ignore this option, so the line can be dropped.
dnsmasq configuration
domain-needed
bogus-priv
expand-hosts

no-resolv

listen-address=192.0.2.1
port=5353

domain=example.net,192.0.2.0/24,local
domain=example.org,192.0.2.0/24,local

dhcp-range=192.0.2.100,192.0.2.199,255.255.255.0,24h
dhcp-range=::,constructor:em0,ra-stateless,ra-names

dhcp-host=somehost
dhcp-host=anotherhost

dhcp-option=option:router,192.0.2.254
dhcp-option=option:dns-server,192.0.2.1
dhcp-option=option:ntp-server,192.0.2.1
dhcp-option=option:domain-search,example.org,example.net
dhcp-option=54,192.0.2.1 # DHCP Server Id

dhcp-option=option6:dns-server,[::]
dhcp-option=option6:information-refresh-time,6h

dhcp-option=19,0 # option ip-forwarding off
dhcp-option=44,192.0.2.1 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
dhcp-option=45,0.0.0.0 # netbios datagram distribution server
dhcp-option=46,8 # netbios node type
dhcp-option=252,"\n" # please Windows 7

mx-target=smtp.example.org
localmx
selfmx

srv-host=_ldap._tcp.example.org,example.org,389
- dhcp-host=somehost
  Gives a fixed IP address to a host that is defined in /etc/hosts; dnsmasq takes the address from the hosts entry, so no address needs to be repeated here.
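An added check for the split above, written here as example code rather than anything from the original page: using only the Python standard library it builds raw DNS queries with the EDNS0 DO bit, asks Unbound on 192.0.2.1:53 for a signed public name (the AD flag should be set), for a name with a deliberately broken signature (SERVFAIL expected) and for a LAN name, and asks dnsmasq directly on port 5353 for the same LAN name. SIGNED_NAME and LAN_NAME are assumptions; dnssec-failed.org is a public DNSSEC test zone, not something from this page.

```python
import socket
import struct

RESOLVER = "192.0.2.1"              # Unbound, from the config on this page
DNSMASQ_PORT = 5353                 # where the stub-zones send LAN queries
SIGNED_NAME = "example.com"         # assumption: a DNSSEC-signed public name
BOGUS_NAME = "dnssec-failed.org"    # public test zone with a deliberately broken signature
LAN_NAME = "somehost.example.net"   # assumption: a host dnsmasq knows about

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus the root byte."""
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(name, qtype=1, qid=0x1234, dnssec=True):
    """Header with RD set plus one IN question; dnssec=True appends an OPT RR with DO."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 1 if dnssec else 0)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)
    # OPT: root name, type 41, UDP payload 4096, ext-rcode 0, EDNS version 0, DO flag, no rdata
    opt = b"\x00" + struct.pack(">HHBBHH", 41, 4096, 0, 0, 0x8000, 0) if dnssec else b""
    return header + question + opt

def parse_flags(resp, qid):
    """Return rcode, the AD bit (resolver validated the answer) and the answer count."""
    rid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if rid != qid:
        raise ValueError("response id does not match query id")
    return {"rcode": flags & 0x000F, "ad": bool(flags & 0x0020), "answers": an}

def resolve(name, server=RESOLVER, port=53, dnssec=True, timeout=3.0):
    qid = 0x1234                    # fixed for a one-off check; real clients randomize it
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, 1, qid, dnssec), (server, port))
        return parse_flags(s.recv(4096), qid)

def check_split():
    """AD on a signed name, SERVFAIL (rcode 2) on a bogus one, LAN name via both ports."""
    signed, bogus = resolve(SIGNED_NAME), resolve(BOGUS_NAME)
    via_unbound = resolve(LAN_NAME)
    direct = resolve(LAN_NAME, port=DNSMASQ_PORT, dnssec=False)
    return {"validating": signed["rcode"] == 0 and signed["ad"],
            "rejects_bogus": bogus["rcode"] == 2,
            "lan_via_unbound": via_unbound["rcode"] == 0 and via_unbound["answers"] > 0,
            "lan_direct": direct["rcode"] == 0 and direct["answers"] > 0}

if __name__ == "__main__":
    for check, ok in check_split().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

Run it from a LAN client; "lan_via_unbound" passing while "lan_direct" fails points at the stub-zone or the dnsmasq listen-address/port rather than at Unbound itself.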