Short notes for UNBOUND Caching DNS Server under Ubuntu 18

Installation of UNBOUND dns server for local network is fairly simple but I encountered some hurdles setting it up with Ubuntu 18 therefore I took notes on how I resolved it in this post for reference purposes.

After fresh installation of Ubuntu 18, It’a a good idea to keep your system TIME with any NTP source.

apt-get -y install ntp ntpdate
# Change timezone as per your local
cp /usr/share/zoneinfo/Asia/Karachi /etc/localtime
sudo /etc/init.d/ntp restart

Install UNBOUND DNS Server

Step#1

apt-get install -y unbound

Step#2

#Additional notes for Ubuntu 18 version

The problem with Ubuntu 18.04 is the systemd-resolved service which is listening on port 53 and therefore conflicts with unbound service

Edit the file /etc/systemd/resolved.conf

nano /etc/systemd/resolved.conf 

& modify this

DNSStubListener=no

Now reboot

shutdown -r now

You can now confirm if 53 port is now free up

netstat -tulpn | grep :53

Step#3

Some housekeeping stuff

sudo service systemd-resolved stop
sudo rm -f /etc/resolv.conf
sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
sudo service systemd-resolved start

Step#4

Edit the existing UNBOUND configuration file for customization…

nano /etc/unbound/unbound.conf

Example of unbound.conf

# Unbound configuration file for Debian.
server:
# Use the root servers key for DNSSEC
#auto-trust-anchor-file: "/var/lib/unbound/root.key"
# Enable logs
chroot: ""
#verbosity (log level from 0 to 4, 4 is debug)
#verbosity: 1
#logfile: /var/log/unbound/unbound.log
#log-queries: yes
#use-syslog: (do not write logs in syslog file in ubuntu /var/log/syslog -zaib)
use-syslog: no
#interface (interfaces on which Unbound will be launched and requests will be listened to)
# Respond to DNS requests on all interfaces
interface: 0.0.0.0
# DNS request port, IP and protocol
port: 53
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes

# Authorized IPs to access the DNS Server / access-control (determines whose requests are allowed to be processed)
access-control: 127.0.0.0/8 allow
access-control: 10.0.0.0/8 allow
access-control: 172.16.0.0/16 allow
access-control: 192.168.0.0/16 allow
access-control: 101.0.0.0/8 allow

# Root servers information (To download here: ftp://ftp.internic.net/domain/named.cache)
#root-hints: "/var/lib/unbound/root.hints"

# Hide DNS Server info
hide-identity: yes
hide-version: yes

# Improve the security of your DNS Server (Limit DNS Fraud and use DNSSEC)
harden-glue: yes
harden-dnssec-stripped: yes

# Rewrite URLs written in CAPS
use-caps-for-id: yes

# TTL Min (Seconds, I set it to 7 days)
cache-min-ttl: 604800
# TTL Max (Seconds, I set it to 14 days)
cache-max-ttl: 1209600
# Enable the prefetch
prefetch: yes

# Number of maximum threads CORES to use / zaib
num-threads: 4

### Tweaks and optimizations
# Number of slabs to use (Must be a multiple of num-threads value)
msg-cache-slabs: 8
rrset-cache-slabs: 8
infra-cache-slabs: 8
key-cache-slabs: 8
# Cache and buffer size (in mb)
rrset-cache-size: 51m
msg-cache-size: 25m
so-rcvbuf: 1m

# Make sure your DNS Server treat your local network requests
#private-address: 101.0.0.0/8

# Add an unwanted reply threshold to clean the cache and avoid when possible a DNS Poisoning
unwanted-reply-threshold: 10000

# Authorize or not the localhost requests
do-not-query-localhost: no

# Use the root.key file for DNSSEC
#auto-trust-anchor-file: "/var/lib/unbound/root.key"
val-clean-additional: yes
include: "/etc/unbound/unbound.conf.d/*.conf"

Example of /etc/unbound/myrecords.conf

You can use this file to add your custom records as well.

Create new file at

nano /etc/unbound/myrecords.conf

local-zone: "doubleclick.net" redirect
local-data: "doubleclick.net A 127.0.0.1"
local-zone: "googlesyndication.com" redirect
local-data: "googlesyndication.com A 127.0.0.1"
local-zone: "googleadservices.com" redirect
local-data: "googleadservices.com A 127.0.0.1"
local-zone: "google-analytics.com" redirect
local-data: "google-analytics.com A 127.0.0.1"
local-zone: "ads.youtube.com" redirect
local-data: "ads.youtube.com A 127.0.0.1"
local-zone: "adserver.yahoo.com" redirect
local-data: "adserver.yahoo.com A 127.0.0.1"
local-zone: "1.com" redirect
local-data: "1.com A 0.0.0.0"
local-data: "zaib.com A 1.2.3.4"
local-data: "zaib2.com A 1.2.3.4"

Once all done, restart the unbound service by

service unbound restart
OR
service unbound reload

Test if UNBOUND service is started successfully.

service unbound status

Result:

â unbound.service - Unbound DNS server
Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2019-12-10 12:28:59 PKT; 2s ago
Docs: man:unbound(8)
Process: 1588 ExecStartPre=/usr/lib/unbound/package-helper root_trust_anchor_update (code=exited, status=0/SUCCESS)
Process: 1576 ExecStartPre=/usr/lib/unbound/package-helper chroot_setup (code=exited, status=0/SUCCESS)
Main PID: 1610 (unbound)
Tasks: 4 (limit: 2290)
CGroup: /system.slice/unbound.service
ââ1610 /usr/sbin/unbound -d

Dec 10 12:28:58 u18 systemd[1]: Starting Unbound DNS server...
Dec 10 12:28:59 u18 package-helper[1588]: /var/lib/unbound/root.key has content
Dec 10 12:28:59 u18 package-helper[1588]: success: the anchor is ok
Dec 10 12:28:59 u18 unbound[1610]: [1575962939] unbound[1610:0] warning: so-rcvbuf 1048576 was not granted. Got 425984. To fix: start with root permissions(linux) or sysctl bigger net.core.rmem_max
Dec 10 12:28:59 u18 unbound[1610]: [1575962939] unbound[1610:0] notice: init module 0: subnet
Dec 10 12:28:59 u18 unbound[1610]: [1575962939] unbound[1610:0] notice: init module 1: validator
Dec 10 12:28:59 u18 unbound[1610]: [1575962939] unbound[1610:0] notice: init module 2: iterator
Dec 10 12:28:59 u18 unbound[1610]: [1575962939] unbound[1610:0] info: start of service (unbound 1.6.7).
Dec 10 12:28:59 u18 systemd[1]: Started Unbound DNS server.

Test if DNS server is responding to DNS queries

dig @127.0.0.1 bbc.com

1st Result: [check the Query time]

;  DiG 9.11.3-1ubuntu1.11-Ubuntu  @127.0.0.1 bbc.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16313
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bbc.com. IN A

;; ANSWER SECTION:
bbc.com. 86400 IN A 151.101.192.81
bbc.com. 86400 IN A 151.101.128.81
bbc.com. 86400 IN A 151.101.0.81
bbc.com. 86400 IN A 151.101.64.81

;; Query time: 971 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 10 07:04:21 UTC 2019
;; MSG SIZE rcvd: 100

2nd Result: [check the Query time]

root@u18:/etc/unbound/unbound.conf.d# dig @127.0.0.1 bbc.com

;  DiG 9.11.3-1ubuntu1.11-Ubuntu  @127.0.0.1 bbc.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14171
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bbc.com. IN A

;; ANSWER SECTION:
bbc.com. 86398 IN A 151.101.192.81
bbc.com. 86398 IN A 151.101.128.81
bbc.com. 86398 IN A 151.101.0.81
bbc.com. 86398 IN A 151.101.64.81

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 10 07:04:23 UTC 2019
;; MSG SIZE rcvd: 100

See the difference between 1st & second response which shows that cache is working

Enabling LOG File [recommended for troubleshoot purposes only]

Create a Log file and assign rights to write logs:

mkdir /var/log/unbound
touch /var/log/unbound/unbound.log
chmod -R 777  /var/log/unbound/

Now enable it in the unbound config file. I have commented it in the configuration file.

An example of viewing logs:

sudo tail -f /var/log/unbound/unbound.log
sudo tail -f /var/log/syslog

UNBOUND.LOG

[1575963664] unbound[1962:3] info: 101.11.11.161 bbc.com.agp1. A IN
[1575963664] unbound[1962:3] info: resolving bbc.com.agp1. A IN
[1575963664] unbound[1962:3] info: response for bbc.com.agp1. A IN
[1575963664] unbound[1962:3] info: reply from  193.0.14.129#53
[1575963664] unbound[1962:3] info: query response was NXDOMAIN ANSWER
[1575963664] unbound[1962:3] info: validate(nxdomain): sec_status_secure
[1575963664] unbound[1962:3] info: validation success bbc.com.agp1. A IN
[1575963664] unbound[1962:3] info: 101.11.11.161 bbc.com.agp1. AAAA IN
[1575963664] unbound[1962:3] info: resolving bbc.com.agp1. AAAA IN
[1575963664] unbound[1962:3] info: response for bbc.com.agp1. AAAA IN
[1575963664] unbound[1962:3] info: reply from  199.7.83.42#53
[1575963664] unbound[1962:3] info: query response was NXDOMAIN ANSWER
[1575963664] unbound[1962:3] info: validate(nxdomain): sec_status_secure
[1575963664] unbound[1962:3] info: validation success bbc.com.agp1. AAAA IN
[1575963664] unbound[1962:1] info: 101.11.11.161 bbc.com. A IN
[1575963664] unbound[1962:1] info: resolving bbc.com. A IN
[1575963664] unbound[1962:1] info: resolving bbc.com. DS IN
[1575963664] unbound[1962:1] info: NSEC3s for the referral proved no DS.
[1575963664] unbound[1962:1] info: Verified that unsigned response is INSECURE
[1575963672] unbound[1962:0] info: 101.11.11.161 bbc.com. AAAA IN

Example of cache export and import:

unbound-control dump_cache > backup
unbound-control load_cache < backup

#Clear one site from cache

unbound-control flush_zone google.com

# View cached DNS contents or count

unbound-control dump_cache

unbound-control dump_cache | wc -l

Regard’s
Syed Jahanzaib