DNS server installation and configuration (Part 4) - Unbound installation (EN) - Edoardo Tosin


Updated 23 Mar 2024

DNS server installation and configuration (Part 4) - Unbound installation (EN)

In the previous part it was explained how to install Pi-Hole.

Unbound Installation

Package Installation

Now you can proceed with the installation of the DNS resolver Unbound with the command sudo apt install unbound. It may request the user password as it is launched with administrator privileges. In case affirmative, enter it and press Enter.

Unbound 1

Confirm the application installation by writing y and pressing Enter.

Unbound 2

Once the installation is finished, you may see some written messages in red as follows. They can be ignored as they do not affect the functioning of the system and its applications.

Unbound 3

Downloading domain registration server resolution IP

Now it is possible to download the list of IPv4 and IPv6 for resolving the domain registration servers. To do this, use the following string: wget -O root.hints sudo mv root.hints /var/lib/unbound/.

Unbound 4

Press Enter to start everything.

Unbound 5

File Configuration

It is necessary to modify the Unbound configuration file. To do this, write the command sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf and confirm with the user password as it is executed with administrator privileges.

Unbound 6

Within the empty file, the following text should be inserted:

    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0
    port: 5353
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    # May be set to yes if you have IPv6 connectivity
    do-ip6: no
    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Terredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no
    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    #root-hints: "/var/lib/unbound/root.hints"
    # Trust glue only if it is within the server's authority
    harden-glue: yes
    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes
    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
    # see for further details
    use-caps-for-id: no
    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472
    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes
    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1
    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m
    # Ensure privacy of local IP ranges
    private-address: fd00::/8
    private-address: fe80::/10

Link to the reference file: pi-hole.conf

At lines that begin with interface and port (in this case containing respectively and 5353) will have the strings that will subsequently be inserted into the Pi-Hole web interface settings.

Unbound 7

To exit, press CTRL+X. It will ask if you want to save and confirm by writing y and pressing Enter.

Unbound 8

Confirm the name and save location of the file by pressing Enter.

Unbound 9

Check correctness of the file

To be sure that the file has been saved correctly, copy the following command sudo cat /etc/unbound/unbound.conf.d/pi-hole.conf and press Enter to execute it.

Unbound 10

Check that it is equal to what was previously copied.

Unbound 11

Restart Unbound service

Restart Unbound to load the new configuration: sudo service unbound restart and press Enter. It may request the user password as it is launched with administrator privileges. In case affirmative, enter it and press Enter.

Unbound 12

Check DNSSEC operation

The following commands serve to check that DNSSEC works correctly. First command: dig @ -p 5353

Unbound 14

The following command should return SERVFAIL without any IP address: dig @ -p 5353.

Unbound 16

This command should return NOERROR with an IP address: dig @ -p 5353. If both return correctly then DNSSEC is working.

Unbound 18

Next part