Setting up a local DNS server with Unbound
Finishing Up
When your configuration is ready, just boot your server up with the following command:
# /etc/init.d/unbound start
This command will bring up a caching DNS server with anti-advertisement, anti-malware, and anti-phishing capabilities, as well as a limited capability for validating the authenticity of the DNS responses it takes. Not bad at all.
The only task left to do is to configure the devices in your LAN to use this server. There are three main ways to do this. You can manually configure each one to use your DNS server, which is usually impractical. The second option is to configure your network router to assign your server via DHCP to each device that connects to the network. This is the easiest way, and it will work most of the time, as long as your router supports assigning custom DNS servers to the devices in your LAN.
There is a third, evil option, that I like to use when I have to deal with devices that will ignore DNS servers provided by DHCP. This method is to instruct the router to redirect queries to unauthorized DNS servers to your local DNS instance, using ds-nat. In practice, you are performing a man-in-the-middle attack by letting your local DNS server pretend to be the DNS server the rogue device is trying to connect to. This requires a router capable of advanced firewall configuration. But such mean deeds are the subject for another article.
Infos
- What is DNSSEC? https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en
- What Is the Difference between Authoritative and Recursive DNS Nameservers? https://umbrella.cisco.com/blog/2014/07/16/difference-authoritative-recursive-dns-nameservers/
- Against DNSSEC: https://sockpuppet.org/blog/2015/01/15/against-dnssec/
- Questions and Answers from "Against DNSSEC": https://sockpuppet.org/stuff/dnssec-qa.html
- DNS over TLS Wikipedia article: https://en.wikipedia.org/wiki/DNS_over_TLS
- DNSCrypt official site: https://dnscrypt.info/
- Opennic Project: https://www.opennic.org/
- DNS.WATCH official site: https://dns.watch/
- StevenBlack DNS Blacklist: https://github.com/StevenBlack/hosts
- Practical Attacks with DNS Rebinding: https://www.tripwire.com/state-of-security/vert/practical-attacks-dns-rebinding/
- Namebench: https://code.google.com/archive/p/namebench/
« Previous 1 2 3 4
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
US / Canada
UK / Australia
Direct Download
Read full article as PDF:
Price $2.95
News
-
Mageia 8 is Now Available with Linux 5.10 LTS
The latest release of Mageia includes improved graphics support for both AMD and NVIDIA GPUs.
-
GNOME 40 Beta has been Released
Anyone looking to test the beta for the upcoming GNOME 40 release can now do so.
-
OpenMandriva Lx 4.2 has Arrived
The latest stable version of OpenMandriva has been released and offers the newest KDE desktop and ARM support.
-
Thunderbird 78 is being ported to Ubuntu 20.04
The Ubuntu developers have made the decision to port the latest release of Thunderbird to the LTS version of the platform.
-
Elementary OS is Bringing Multi-Touch Gestures to the OS
User-friendly Linux distribution, elementary OS, is working to make using the fan-favorite platform even better for laptops.
-
Decade-Old Sudo Flaw Discovered
A vulnerability has been discovered in the Linux sudo command that’s been hiding in plain sight.
-
Another New Linux Laptop has Arrived
Slimbook has released a monster of a Linux gaming laptop.
-
Mozilla VPN Now Available for Linux
The promised subscription-based VPN service from Mozilla is now available for the Linux platform.
-
Wayland and New App Menu Coming to KDE
The 2021 roadmap for the KDE desktop environment includes some exciting features and improvements.
-
Deepin 20.1 has Arrived
Debian-based Deepin 20.1 has been released with some interesting new features.