Setting up a local DNS server with Unbound
Blacklists
One big reason for running your own DNS server is to be able to blacklist sites you don't want the users of your LAN to visit. In a home environment, that's advertisers. In a small office, that might include time-wasting sites, such as social networks or digital sport journals. Your easiest option is to return bogus addresses or NXDOMAIN messages when asked about domains you don't want users to visit.
Something important to take into account is that DNS blacklisting is easy to set up but also very easy to bypass. Users in your LAN may try to configure their computers to use a different DNS server, use Tor, set up a VPN, or use a web proxy. A user can also bypass DNS if they already know the target IP address. A DNS blacklist thus works best when it is combined with other measures.
A simple way of blacklisting a domain is to add an entry like the following to your Unbound configuration:
local-zone: "example.org" always_nxdomain
When a client asks the Unbound server where example.org is, it will get an NXDOMAIN response.
Adding hosts manually to the configuration files can be tiresome. If you want to have good malware, phishing, and advertisement protection, getting an existing list of bad domains and adapting the list to Unbound is a good start. Many good lists of bad domains exist on the Internet. The StevenBlack blacklist [9] is very complete, so I will use it as a demonstration. The following commands will download the list and convert it to Unbound format:
$ curl -o hosts https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
$ su
[password]
# grep '^0\.0\.0\.0' hosts | awk '{print "local-zone: \""$2"\" always_nxdomain"}' > /etc/unbound/unbound.conf.d/blacklist.conf
The Steven Black site has some tools for customizing the list, which are totally worth the time it takes to check them out.
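The conversion above works, but a hosts-format list also carries lines the grep/awk pipe does not handle well: comment lines, Windows line endings, the file's own "0.0.0.0 0.0.0.0" sink entry, mixed-case names and duplicates (Unbound rejects a zone that is defined twice). The following added example (written for this article, not taken from it or from the StevenBlack project) wraps the conversion in a shell function that deals with those cases; the hosts lines it runs on are a constructed sample, not the real list.

```shell
#!/bin/sh
# Added example: convert a hosts-format blocklist (one "0.0.0.0 name" per line)
# into Unbound "local-zone: ... always_nxdomain" entries.
# Beyond the one-line pipe in the text it also:
#  - skips comment and blank lines and strips CR from CRLF files,
#  - skips the "0.0.0.0 0.0.0.0" sink entry present in hosts-style lists,
#  - lowercases names and removes duplicates so Unbound does not see
#    the same zone twice.
# Reads hosts lines on stdin, writes Unbound configuration on stdout.
hosts_to_unbound() {
    tr -d '\r' \
    | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        $1 == "0.0.0.0" {
            name = tolower($2)
            if (name == "" || name == "0.0.0.0") next   # sink entry or malformed
            sub(/\.$/, "", name)                       # drop a trailing dot
            if (!(name in seen)) {
                seen[name] = 1
                printf "local-zone: \"%s\" always_nxdomain\n", name
            }
        }'
}

# Constructed sample in the hosts format used by StevenBlack (not the real file).
SAMPLE_HOSTS='# Title: constructed sample list
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.invalid   # trailing comment
0.0.0.0 Tracker.Example.Invalid
0.0.0.0 ads.example.invalid
'

# Runs the converter over the constructed sample; used for the stand-alone run.
convert_sample() {
    printf '%s' "$SAMPLE_HOSTS" | hosts_to_unbound
}

convert_sample
```

Redirect the output to /etc/unbound/unbound.conf.d/blacklist.conf and run unbound-checkconf before restarting Unbound, so a malformed line is caught before it takes the resolver down.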
Configuring Local Zones
Suppose you have a printer in your LAN. You can connect to that printer by using its known IP address, like, for example, 192.168.1.2. However, wouldn't you rather give a human readable name to that printer?
Unbound is not an authoritative server, so it cannot manage a full zone with all its bells and whistles directly. However, it has horsepower enough for managing a small home LAN. Listing 6 shows an example configuration for a home LAN zone. It assumes that the LAN is using 192.168.1.0/24 as the network.
Listing 6
local_names.conf
# /etc/unbound/unbound.conf.d/local_names.conf
private-address: 192.168.1.0/24
local-zone: "mylan.dyn." static
local-data: "gateway.mylan.dyn. IN A 192.168.1.1"
local-data: "printer.mylan.dyn. IN A 192.168.1.2"
local-data: "computer.mylan.dyn. IN A 192.168.1.3"
local-data: "server.mylan.dyn. IN A 192.168.1.100"
local-data-ptr: "192.168.1.1 gateway.mylan.dyn"
local-data-ptr: "192.168.1.2 printer.mylan.dyn"
local-data-ptr: "192.168.1.3 computer.mylan.dyn"
local-data-ptr: "192.168.1.100 server.mylan.dyn"
The private-address directive prevents addresses in your LAN from being returned for public Internet names. This step prevents DNS rebinding attacks [10].
The local-zone directive defines all domains under mylan.dyn as local. The static word means that the static entries defined in the configuration file are used as DNS entries. Each of the local-data entries assigns a name to an address. For example, 192.168.1.2 would be assigned the name printer.mylan.dyn. If you queried the Unbound server for a name in the mylan.dyn zone that did not exist, it would be answered with an NXDOMAIN message. Alternatively, transparent could be used instead of static. A transparent local zone is one in which the server tries to resolve the name of a host by other means if it has no static entry for it in its configuration.
The local-data-ptr entries are optional and define reverse DNS information. Reverse DNS is, as the expression implies, the opposite of DNS. A reverse DNS query asks "What is the name of the host with the address 192.168.1.2?"
Configuring Access
Listing 7 shows how to grant access to the Unbound server to hosts on your LAN and to the machine running the server. This example assumes that the LAN sits at 192.168.1.0/24.
Listing 7
access_options.conf
# /etc/unbound/unbound.conf.d/access_options.conf
# Refuse everything by default, then allow only localhost and the LAN.
access-control: "0.0.0.0/0" refuse
access-control: "127.0.0.0/8" allow
access-control: "192.168.1.0/24" allow
There are many good reasons for restricting access to your DNS server. The first one is that a DNS server may be used as part of a denial of service attack. A common technique is to send queries with spoofed IP addresses to exposed recursive DNS servers, which will send their responses to what they think is the computer that made the query in the first place. In practice, it means that an attacker can ask the recursive server for a DNS record using a fake IP, and the owner of the IP address that was faked will get the response. This means that an evil entity can force a recursive server to flood a victim with DNS responses and therefore use the server as a proxy for a denial of service attack. Another reason is that a local DNS server might contain sensitive DNS entries that are not intended to be known by outsiders. If you are using a local zone for naming local resources, such as printers, cameras, and NAS servers, it is better to have that information protected from outsiders.
In addition to the Unbound configuration presented here, it is a good idea to block access to your DNS server by using appropriate firewall rules. DNS servers listen for queries at port 53 and may support both UDP and TCP.
The access-control directives are self-explanatory.