Why?
- We experienced small but repeated issues with the pre-installed Knot DNS resolver.
- Adding custom configurations can be daunting if you are not familiar with the Knot configuration syntax.
- I have used the Unbound resolver in various other projects for many years, so I am more familiar with it than with Knot.
- I run secondary (unbound) resolvers in my networks and like their setup to be as similar as possible.
- I like to use DNSSEC in local private domains and in domains where the upstream doesn’t provide it.
- I like to hold a copy of the root-zone in my resolvers for better speed and privacy.
- Unbound is already nicely integrated in TurrisOS (as is Knot).
- Unbound is already nicely integrated in the AdBlock package (as is Knot).
How?
opkg update
opkg install unbound unbound-anchor unbound-control-setup
Open /etc/config/resolver with your preferred editor and change the following line:
From: option prefered_resolver 'kresd'
To: option prefered_resolver 'unbound'
Save the file and restart the TurrisOS resolver service:
/etc/init.d/resolver restart
Note: Don’t enable the unbound service, and don’t start, stop or restart the unbound service directly. Always use /etc/init.d/resolver for that, or you might lose the excellent TurrisOS integration.
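The same switch, done as a script instead of by hand, as an added example that is not part of the original post. The function names, the --apply flag and the .bak backup file are my own choices; the edit is a plain substitution of the exact option line quoted above, so it only changes the file when that line is present, and it reads the value back so you can verify the switch before restarting the TurrisOS resolver service.

```shell
#!/bin/sh
# Added example (not from the original post): switch the TurrisOS resolver
# package from kresd to unbound, with a backup and a read-back check.
set -eu

# Rewrite "option prefered_resolver 'kresd'" to 'unbound' in a UCI-style
# resolver config file ($1, normally /etc/config/resolver) and print the
# value that is active afterwards so the caller can verify it.
switch_resolver_config() {
    cfg="$1"
    cp "$cfg" "$cfg.bak"   # keep the original next to the edited file
    sed -i "s/^\([[:space:]]*option prefered_resolver \)'kresd'/\1'unbound'/" "$cfg"
    sed -n "s/^[[:space:]]*option prefered_resolver '\([^']*\)'.*/\1/p" "$cfg" | head -n 1
}

# Full procedure on the router: install, switch, verify, restart via the
# resolver wrapper (never unbound's own init script, see the note above).
apply_on_router() {
    opkg update
    opkg install unbound unbound-anchor unbound-control-setup
    active=$(switch_resolver_config /etc/config/resolver)
    if [ "$active" != "unbound" ]; then
        echo "prefered_resolver is '$active', not 'unbound'; aborting" >&2
        exit 1
    fi
    /etc/init.d/resolver restart
}

# Only touch the live system when explicitly asked:
#   sh switch-to-unbound.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_on_router
fi
```

Running the script without --apply defines the functions and does nothing else, so it can be sourced on a workstation to test the edit against a copy of the config file first.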
Customizing
The most common and important options are set in the config resolver 'unbound' section of /etc/config/resolver.
If that is not enough for you, you will find the section config resolver 'unbound_includes' at the bottom of the file:
config resolver 'unbound_includes'
list include_path '/etc/unbound/unbound.conf.d/*.conf'
Drop your custom config files in that directory.
Alternative Upstream Resolvers
Unbound, as configured by the resolver package on TurrisOS, will use the upstream DNS provider you choose in reForis → Network Settings → DNS.
Root-Zone
Create the file /etc/unbound/unbound.conf.d/root-zone.conf with the following content:
# =========================================================
# Auth Zone for the Internet root zone "."
# See RFC 8806 - Running a Root Server Local to a Resolver
# https://www.rfc-editor.org/rfc/rfc8806.html
# =========================================================
auth-zone:
    name: "."
    master: "b.root-servers.net"
    master: "c.root-servers.net"
    master: "d.root-servers.net"
    master: "f.root-servers.net"
    master: "g.root-servers.net"
    master: "k.root-servers.net"
    url: https://www.internic.net/domain/root.zone
    fallback-enabled: yes
    for-downstream: no
    for-upstream: yes
    zonefile: "/var/etc/unbound/root.zone"
References:
- Evaluating Local DNSSEC Validators, Tore Anderson, 2019.
- Unbound Docs