In the previous part it was explained how to install Pi-Hole.
Now proceed with the installation of the DNS resolver Unbound with the command
sudo apt install unbound
and press Enter. It may ask for your user password, since the command runs with administrator privileges; if so, enter it and press Enter.
Confirm the installation of the package by typing y and pressing Enter.
Once the installation is finished you may see some messages in red, as shown below. They can be ignored: they do not affect the functioning of the system or of its applications.
Downloading the root name server list (root hints)
Now download the list of IPv4 and IPv6 addresses of the root name servers, which Unbound uses as the starting point of every recursive lookup. To do this, run the following two commands, pressing Enter after each:
wget -O root.hints https://www.internic.net/domain/named.root
sudo mv root.hints /var/lib/unbound/
The first command saves the file in the current directory; the second moves it to /var/lib/unbound/, the path that the Unbound configuration will point to. (On Debian and Ubuntu the dns-root-data package provides the same list, and Unbound finds it automatically, as the comments in the configuration file note.)
Next, the Unbound configuration file for Pi-Hole must be created. Open it in nano with the command
sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf
and, if asked, confirm with your user password, since the editor is launched with administrator privileges.
Into the empty file, insert the text of the reference file. Its comment lines, which explain the purpose of each setting, are reproduced here:
# If no logfile is specified, syslog is used
# logfile: "/var/log/unbound/unbound.log"
# May be set to yes if you have IPv6 connectivity
# You want to leave this to no unless you have *native* IPv6. With 6to4 and
# Teredo tunnels your web browser should favor IPv4 for the same reasons
# Use this only when you downloaded the list of primary root servers!
# If you use the default dns-root-data package, unbound will find it automatically
# Trust glue only if it is within the server's authority
# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
# Don't use capitalization randomization as it is known to cause DNSSEC issues sometimes
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
# Reduce EDNS reassembly buffer size.
# Suggested by the unbound man page to reduce fragmentation reassembly problems
# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
# One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
# Ensure privacy of local IP ranges
Link to the reference file:
The lines that begin with interface and port (in this case containing 127.0.0.1 and 5353 respectively) hold the values that will later be entered in the Pi-Hole web interface settings as the custom upstream DNS server, in the form 127.0.0.1#5353.
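The comment lines listed above are the explanatory comments of the reference file; the directives they describe are not reproduced on this page. What follows is the complete file as given in Pi-hole's own Unbound guide, added here as an example (it is not copied from this page), with the port set to 5353 to match the values used in this tutorial. Compare it with the linked reference file before use.

```yaml
server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    # Listen only on loopback: Pi-Hole is the sole client of this resolver,
    # so nothing on the LAN can reach Unbound directly.
    interface: 127.0.0.1
    port: 5353

    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Teredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use capitalization randomization as it is known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    # (1232 is the DNS flag day 2020 value; older versions of the guide used 1472)
    edns-buffer-size: 1232

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges: answers for public names that point
    # at these ranges are discarded, which blocks DNS rebinding attacks
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10
```

Two caveats worth knowing. UDP port 5353 is also the port used by multicast DNS (mDNS/Avahi), so on systems that run an mDNS daemon Unbound may fail to bind; Pi-hole's current guide uses port 5335 for this reason, and if you change the port here you must use the same value in the Pi-Hole upstream setting. The root-hints line is only needed because this tutorial downloads root.hints by hand; if you rely on the dns-root-data package instead, comment it out.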
To exit, press CTRL+X. nano asks whether to save the modified file: answer by typing y and pressing Enter, then confirm the file name and location by pressing Enter again.
Check correctness of the file
To be sure the file was saved correctly, run
sudo cat /etc/unbound/unbound.conf.d/pi-hole.conf
and press Enter, then check that the output matches what was pasted in. A mistyped directive would make Unbound refuse to start at the next step, so compare it line by line.
Restart Unbound service
Restart Unbound so that it loads the new configuration:
sudo service unbound restart
and press Enter. It may ask for your user password, since the command runs with administrator privileges; if so, enter it and press Enter.
Check DNSSEC operation
The following commands check that the resolver answers and that DNSSEC validation works. They use dig, which on Debian-based systems comes with the dnsutils package. The first query should return NOERROR with an IP address, proving that Unbound is listening on 127.0.0.1 port 5353 and can resolve through the root servers:
dig pi-hole.net @127.0.0.1 -p 5353
The following command should return SERVFAIL without any IP address, because the test domain is deliberately published with a broken signature and a validating resolver must refuse it:
dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5353
This command should return NOERROR with an IP address and, with a recent dig, the flags line of the answer should include ad (authenticated data):
dig sigok.verteiltesysteme.net @127.0.0.1 -p 5353
If both return as expected, DNSSEC validation is working. If the sigfail query returns an address, validation is not active; if even the sigok query returns SERVFAIL, check that the root hints file is in place, that the trust anchor installed with the package is readable, and that the system clock is correct, since signature validity periods are checked against it.
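The three dig checks above are easy to misread by eye, so here is a small script, added as an example and not part of the original tutorial, that parses dig output and gives a single PASS/FAIL verdict for the DNSSEC test. The two dig outputs embedded in it are constructed samples in the shape of real dig output (the address is a documentation address), so the script runs offline; the comment at the end shows how to feed it live results.

```bash
#!/usr/bin/env bash
# Added example: decide whether the sigok/sigfail DNSSEC test passed by
# parsing dig output. Not part of the original tutorial.
set -u

# Return the RCODE from a dig output (NOERROR, SERVFAIL, NXDOMAIN, ...).
dig_status() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Count A/AAAA records in the ANSWER SECTION of a dig output.
dig_answer_count() {
    awk '/^;; ANSWER SECTION:/ { in_ans = 1; next }
         /^$/                  { in_ans = 0 }
         in_ans && ($4 == "A" || $4 == "AAAA") { n++ }
         END { print n + 0 }'
}

# "yes" if the header flags line carries the ad (authenticated data) flag.
dig_has_ad_flag() {
    grep -q '^;; flags:[^;]* ad[ ;]' && echo yes || echo no
}

# $1 = dig output for the correctly signed name, $2 = output for the
# name with the broken signature. PASS only when the good name resolves
# with AD set and the bad one is refused with SERVFAIL and no address.
dnssec_verdict() {
    local ok_out="$1" fail_out="$2"
    local ok_status ok_n ok_ad fail_status fail_n
    ok_status=$(printf '%s\n' "$ok_out" | dig_status)
    ok_n=$(printf '%s\n' "$ok_out" | dig_answer_count)
    ok_ad=$(printf '%s\n' "$ok_out" | dig_has_ad_flag)
    fail_status=$(printf '%s\n' "$fail_out" | dig_status)
    fail_n=$(printf '%s\n' "$fail_out" | dig_answer_count)
    if [ "$ok_status" = NOERROR ] && [ "$ok_n" -gt 0 ] && [ "$ok_ad" = yes ] \
       && [ "$fail_status" = SERVFAIL ] && [ "$fail_n" -eq 0 ]; then
        echo PASS
    elif [ "$fail_status" = NOERROR ] && [ "$fail_n" -gt 0 ]; then
        echo "FAIL: broken signature was accepted, validation is not active"
    elif [ "$ok_status" = SERVFAIL ]; then
        echo "FAIL: even the valid name failed, check root hints, trust anchor, clock"
    else
        echo "FAIL: unexpected result ok=$ok_status/$ok_n fail=$fail_status/$fail_n"
    fi
}

# Constructed sample outputs, trimmed to the parts the parser looks at.
# 192.0.2.1 is a documentation address, not the real record.
SIGOK_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 60 IN A 192.0.2.1
'
SIGFAIL_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12346
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
'

# Live use on the Pi-Hole host (replace the samples with real output):
#   ok=$(dig sigok.verteiltesysteme.net @127.0.0.1 -p 5353)
#   bad=$(dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5353)
#   dnssec_verdict "$ok" "$bad"
dnssec_verdict "$SIGOK_SAMPLE" "$SIGFAIL_SAMPLE"
```

Before restarting Unbound you can also have it check the configuration syntax itself with sudo unbound-checkconf, which reports the file and line of any bad directive; it does not, however, tell you whether validation works, which is what the dig checks and this script are for.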