OpenBSD Home Server - Basic unbound.conf 06 Sep 2020
------------------------------------------------------------------------
Yesterday, I set up Unbound on my OpenBSD home server, and manually set
some other devices on the network to use it as their nameserver. So far,
so good.
The configuration that I settled on forwards requests to Cloudflare and
Quad9, using DNS-over-TLS. That means the requests are encrypted between
my server and the upstream DNS server to prevent snooping or tampering.
It's not end-to-end encryption, however, since the upstream server has
to (eventually) query authoritative nameservers using regular DNS. But
it's better than nothing.
There are still a few things left to do:
- Figure out a way to get everything on my network to use my DNS server
without having to manually configure them all. Since AT&T's gateway
doesn't let you specify a DNS server, it's probably going to
involve some DHCP shenanigans.
- Set up a blocklist, so Unbound returns an invalid response for ad servers
and malware sites.
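The blocklist item above is usually done by turning a published hosts-format list into `local-zone:` lines that Unbound answers with NXDOMAIN. The following generator is an added example, not code from the original post: the hosts lines are constructed sample data, and it assumes an Unbound release that supports the `always_nxdomain` local-zone type. It validates each name before emitting it, so a malformed entry in a third-party list cannot break the config.

```python
import ipaddress
import re

# Constructed sample in the hosts format that ad/malware lists are published in.
# Not a real list; it exists only to exercise the parser.
SAMPLE_HOSTS = """\
# Example blocklist (constructed for this example)
127.0.0.1 localhost
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net   # inline comment
0.0.0.0 Malware.Example.ORG
0.0.0.0 ads.example.com
::1 localhost
0.0.0.0 not_valid_label!.example
"""

# One DNS label: 1-63 chars of letters, digits, hyphen, not starting/ending with a hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Names that hosts files carry for their own purposes and must never be blocked.
SKIP = {"localhost", "localhost.localdomain", "local", "broadcasthost",
        "ip6-localhost", "ip6-loopback"}


def is_hostname(name):
    """Reject anything that is not a syntactically valid multi-label hostname."""
    if len(name) > 253 or "." not in name:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def parse_hosts(text):
    """Return the sorted, de-duplicated set of names a hosts-format list sinkholes."""
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # first field is not an address
        # Only sinkhole entries (0.0.0.0 / 127.0.0.1 / ::1) count as block entries.
        if not (addr.is_unspecified or addr.is_loopback):
            continue
        for name in parts[1:]:
            name = name.lower().rstrip(".")
            if name in SKIP or not is_hostname(name):
                continue
            names.add(name)
    return sorted(names)


def render_local_zones(names, zone_type="always_nxdomain"):
    """Emit one local-zone line per name, suitable for an include: file."""
    return "".join(f'local-zone: "{n}." {zone_type}\n' for n in names)


if __name__ == "__main__":
    # Writing this to e.g. /var/unbound/etc/blocklist.conf and adding
    # `include: "/var/unbound/etc/blocklist.conf"` under server: is the
    # assumed deployment; the path is a placeholder.
    print(render_local_zones(parse_hosts(SAMPLE_HOSTS)), end="")
```

`always_nxdomain` answers NXDOMAIN even when the name exists upstream, which is what a blocklist wants; `static` would do the same only if no local-data is defined for the zone, so the explicit type is clearer. Re-run the generator and `unbound-control reload` whenever the upstream list changes.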
But in the meantime, here's the current Unbound config file:
---
# /var/unbound/etc/unbound.conf
server:
    # Listen on all interfaces.
    interface: 0.0.0.0
    interface: ::0

    # Answer IPv4 requests from localhost and the local network.
    access-control: 192.168.1.0/24 allow
    access-control: 127.0.0.0/8 allow

    # Answer IPv6 requests from localhost (for now).
    access-control: ::1 allow

    # Cert bundle to use for DNS over TLS.
    tls-cert-bundle: "/etc/ssl/cert.pem"

    # Set the initial trust anchor for DNSSEC, and log validation
    # errors.
    auto-trust-anchor-file: "/var/unbound/db/root.key"
    val-log-level: 2

    # Use cached NSEC records to generate negative responses.
    aggressive-nsec: yes

# Enable use of the unbound-control CLI tool.
remote-control:
    control-enable: yes
    control-interface: /var/run/unbound.sock

# Forward all requests to some upstream nameservers using DNS-over-TLS.
# Unbound will spread its requests around between each of the configured
# forward-addrs.
forward-zone:
    name: "."
    forward-tls-upstream: yes