Unbound - RFC7706 (hyperlocal concept)


For interested unbound users: with RFC 7706 (bis-00), also dubbed the "hyperlocal" concept (though the term's coiner prefers it not yet be called that), it is possible to reduce the number of upstream DNS queries, thereby increasing privacy and decreasing query response times.

In essence it is a zone transfer (AXFR/IXFR) of the internet root zone (.) with its top-level domain (TLD) referrals to the router, so queries for the root domain and the TLD delegations are answered locally.

Since the settings cannot be expressed in UCI, it takes two steps to implement them:

First, add to “/etc/config/resolver”:

    config resolver 'unbound_includes'
    	list include_path "/etc/unbound/unbound_ext.conf"

then create the file “/etc/unbound/unbound_ext.conf” with the following content:

    auth-zone:
     name: .
     for-downstream: no
     fallback-enabled: yes
     master: 198.41.0.4
     master: 199.9.14.201
     master: 192.33.4.12
     master: 199.7.91.13
     master: 192.203.230.10
     master: 192.5.5.241
     master: 192.112.36.4
     master: 198.97.190.53
     master: 192.36.148.17
     master: 192.58.128.30
     master: 193.0.14.129
     master: 199.7.83.42
     master: 202.12.27.33

Finally restart the resolver to apply the settings.

Word of caution: the IPv4 addresses above are those of the root name servers and may change over time, though likely not very frequently. Such changes should be monitored and the config updated accordingly.
Furthermore, not all root servers currently permit the zone transfer, and permission for root zone transfers could be revoked entirely at any time (the fallback-enabled: yes line above lets unbound fall back to regular recursion should the transfer fail).
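One way to do that monitoring, as an added example that is not part of the original post: compare the master: addresses in unbound_ext.conf against the A records of a root hints file in named.root format (the one published at https://www.internic.net/domain/named.root, fetched separately), and report any drift. The file paths and the sample files written by make_sample_files are constructed for the demonstration; the addresses in them are the ones listed above.

```shell
#!/bin/sh
# Added example, not part of the original post: detect drift between the
# master: addresses configured in unbound_ext.conf and the A records in a
# root hints file in named.root format (fetched separately).
# File paths and the sample files written by make_sample_files are
# constructed for this demonstration.

# Print the IPv4 master: addresses from an unbound auth-zone fragment, sorted.
# Hostname masters (e.g. b.root-servers.net) are deliberately skipped.
conf_masters() {
    sed -n 's/^[[:space:]]*master:[[:space:]]*\([0-9.][0-9.]*\)[[:space:]]*$/\1/p' "$1" | sort -u
}

# Print the IPv4 addresses (A records) from a named.root style hints file, sorted.
# Fields are: name, TTL, type, value; comment lines start with ';'.
hints_ipv4() {
    awk '$3 == "A" && $2 ~ /^[0-9]+$/ { print $4 }' "$1" | sort -u
}

# Compare both lists. Prints configured masters no longer present in the hints
# (stale) and hint addresses that are not configured (missing).
# Returns 0 when the two sets match, 1 otherwise.
check_root_masters() {
    conf_list=$(mktemp) && hints_list=$(mktemp) || return 2
    conf_masters "$1" > "$conf_list"
    hints_ipv4 "$2" > "$hints_list"
    stale=$(comm -23 "$conf_list" "$hints_list")
    missing=$(comm -13 "$conf_list" "$hints_list")
    rm -f "$conf_list" "$hints_list"
    for ip in $stale;   do printf 'stale master (not in hints): %s\n' "$ip"; done
    for ip in $missing; do printf 'hint address not configured: %s\n' "$ip"; done
    [ -z "$stale" ] && [ -z "$missing" ]
}

# Write constructed sample inputs into directory $1. The addresses are the
# ones listed in the post; "partial.conf" omits one of them on purpose.
make_sample_files() {
    cat > "$1/named.root" <<'EOF'
;       root name server hints (constructed sample in named.root format)
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
B.ROOT-SERVERS.NET.      3600000      A     199.9.14.201
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
EOF
    cat > "$1/full.conf" <<'EOF'
auth-zone:
 name: .
 for-downstream: no
 fallback-enabled: yes
 master: 198.41.0.4
 master: 199.9.14.201
 master: 192.33.4.12
EOF
    cat > "$1/partial.conf" <<'EOF'
auth-zone:
 name: .
 master: 198.41.0.4
 master: 199.9.14.201
 master: b.root-servers.net
EOF
}

# Usage: sh check_root_masters.sh /etc/unbound/unbound_ext.conf /path/to/named.root
if [ "$#" -eq 2 ]; then
    check_root_masters "$1" "$2"
fi
```

Run from cron or by hand against the live config and a freshly fetched named.root; a non-zero exit status means the master list needs attention. Hostname masters are ignored because they are not comparable to A records without resolving them first.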

Users who prefer IPv6 can use the corresponding IPv6 addresses instead, or hostnames (which have to be resolved first), e.g. master: b.root-servers.net

Instead of the master directive, the url directive can be used (url: https://www.internic.net/domain/root.zone), which is probably the most convenient way, but it is not RFC 7706 behaviour: the root zone is downloaded rather than transferred via AXFR/IXFR, and the semantics differ.