Here is the configuration from the pi-hole.conf for unbound:
server:
# If no logfile is specified, syslog is used
# logfile: "/var/log/unbound/unbound.log"
verbosity: 0
port: 6001
do-ip4: yes
do-udp: yes
do-tcp: yes
# May be set to yes if you have IPv6 connectivity
do-ip6: no
# Use this only when you downloaded the list of primary root servers!
root-hints: "/var/lib/unbound/root.hints"
# Trust glue only if it is within the servers authority
harden-glue: yes
# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
harden-dnssec-stripped: yes
# Don't use capitalization randomization as it is known to cause DNSSEC issues sometimes
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
use-caps-for-id: no
# Reduce EDNS reassembly buffer size.
# Suggested by the unbound man page to reduce fragmentation reassembly problems
edns-buffer-size: 1472
# TTL bounds for cache
cache-min-ttl: 3600
cache-max-ttl: 86400
# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
prefetch: yes
# One thread should be sufficient, can be increased on beefy machines
num-threads: 1
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
so-rcvbuf: 1m
# Ensure privacy of local IP ranges
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
private-address: fd00::/8
private-address: fe80::/10
/etc/unbound/unbound.conf.d $ ls -lh
total 12K
-rw-r--r-- 1 root root 2.0K Dec 28 07:52 pi-hole.conf
-rw-r--r-- 1 root root 302 Feb 19 2017 qname-minimisation.conf
-rw-r--r-- 1 root root 190 Feb 19 2017 root-auto-trust-anchor-file.conf
pi@Pi-3B-DEV:/etc/unbound/unbound.conf.d $ cat root-auto-trust-anchor-file.conf
server:
# The following line will configure unbound to perform cryptographic
# DNSSEC validation using the root trust anchor.
auto-trust-anchor-file: "/var/lib/unbound/root.key"
Yes, I downloaded the anchor file as part of the help page. I did not have the root-auto-trust-anchor-file.conf, I suppose.
In my frustration, as I have to submit this as part of my dissertation, I have formatted the card and am rebuilding the system. Hopefully, it will be smoother next time.
Thank you for your assistance; I'll be back in some time.
No, this is not recommended. Unbound is handling the DNSSEC in this setup.
No. The authoritative servers do not support SSL - they are plain text between themselves and resolvers. With DNSSEC, the replies are validated as authentic and unaltered, but not encrypted.
The root hints just point unbound to the TLD servers - essentially a bootstrap. From there, the TLD servers provide addresses for lower level servers, which then get to the next level down, etc. Once unbound loads root hints and queries the TLDs, the addresses of the TLDs are kept in cache for a lengthy period. They return a TTL of 3600000 seconds (1,000 hours). The unbound configuration file sets cache-max-ttl to 86,400 seconds, which is still 24 hours. So, the TLDs aren't queried very frequently by unbound.
What changes will I need in Pi-Hole to provide a DNS server over the internet to clients in an encrypted form? (I can take care of the networking part, such as UFW rules, port forwarding and getting a certificate.)
Hi, I want to retain unbound logs. I have tried adding the following in both unbound.conf and pi-hole.conf, but I don't seem to be getting the queries and responses.
logfile: "/mnt/dns_logs/unbound.log"
verbosity: 1
I have created unbound.log and given the unbound user access via sudo chown unbound.unbound unbound.log
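An added Python check (not from this thread, Pi-hole or Unbound) that parses a server: clause in the syntax of the posted pi-hole.conf and flags the settings discussed above: the harden-* options, private-address coverage of the RFC 1918 ranges, the cache TTL bounds, and the logging question in the last post. It assumes the standard unbound.conf option log-queries, which has to be yes for per-query lines to appear; a logfile with verbosity: 1 alone does not produce them. The sample config is constructed.

```python
from collections import defaultdict
import ipaddress
# Constructed sample in unbound.conf syntax; not the poster's actual file.
SAMPLE_CONF = """
server:
    harden-glue: yes
    harden-dnssec-stripped: yes
    cache-min-ttl: 3600
    cache-max-ttl: 86400
    private-address: 192.168.0.0/16
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    logfile: "/mnt/dns_logs/unbound.log"
    verbosity: 1
"""
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_server(text):
    """Return {option: [value, ...]} for the server: clause; repeatable options keep every value."""
    opts = defaultdict(list)
    in_server = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.endswith(":") and " " not in line:   # clause header: server:, forward-zone:, ...
            in_server = line == "server:"
            continue
        if in_server and ":" in line:
            key, val = (part.strip() for part in line.split(":", 1))
            opts[key].append(val.strip('"'))
    return opts

def audit(opts):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if opts.get("harden-glue", ["yes"])[0] != "yes":            # unbound default is yes
        findings.append("harden-glue is off: out-of-bailiwick glue would be trusted")
    if opts.get("harden-dnssec-stripped", ["yes"])[0] != "yes":
        findings.append("harden-dnssec-stripped is off: stripped DNSSEC data would be accepted")
    covered = [ipaddress.ip_network(v) for v in opts.get("private-address", [])]
    for net in RFC1918:   # each RFC 1918 range must sit inside some private-address entry
        if not any(c.version == net.version and net.subnet_of(c) for c in covered):
            findings.append(f"private-address does not cover {net} (DNS rebinding gap)")
    if int(opts.get("cache-min-ttl", ["0"])[0]) > int(opts.get("cache-max-ttl", ["86400"])[0]):
        findings.append("cache-min-ttl is larger than cache-max-ttl")
    if "logfile" in opts and opts.get("log-queries", ["no"])[0] != "yes":
        findings.append("logfile is set but log-queries is not yes: per-query lines will not be written")
    return findings
```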