DNS resolver
Unbound is a validating, recursive, caching DNS resolver. For a long time I used Google Public DNS (8.8.8.8 and 8.8.4.4). But two years ago I bought a Czech domain name. I am from Slovakia, but I chose a Czech domain because of their DNSSEC support. And if you want to check the validity of the signatures included in a DNS reply, you have to use a DNS resolver that validates DNSSEC. Unfortunately Google Public DNS does not support this feature for now. So after looking at the possible solutions, I found that running my own DNS resolver is the easiest way. There are several of them, but Unbound is designed to do exactly what I need. First install the unbound package.
apt-get install unbound
After successful installation you should have the unbound daemon running and already configured for DNSSEC validation. By default it only listens on 127.0.0.1; if other machines on your LAN should use it, you also need an interface: line in the "server:" section (for example interface: 0.0.0.0, or the address of your LAN interface). Either way it is a good idea to restrict who may query the daemon to your local network, so that you do not end up running an open resolver. Unbound refuses queries from any address that is not covered by an allow rule, and the rules live in the unbound configuration file.
nano /etc/unbound/unbound.conf
And add these lines in the "server:" section.
access-control: 127.0.0.0/8 allow
access-control: 192.168.1.0/24 allow
Don't forget to change the network address to match yours. Now close the file (CTRL+X) and save the changes (press "y" and Enter). Before restarting, run unbound-checkconf; it reports any syntax error in the configuration, which is cheaper to find now than after the daemon refuses to start. Changes to the configuration file only take effect after a restart of the unbound daemon:
/etc/init.d/unbound restart
Now you can test the configuration with a very handy tool from the dnsutils package.
apt-get install dnsutils
The application is called dig. To test that unbound is working properly, use this command:
dig @127.0.0.1 ripe.net
It will produce something like this:
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @127.0.0.1 ripe.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20706
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 2
;; QUESTION SECTION:
;ripe.net. IN A
;; ANSWER SECTION:
ripe.net. 21600 IN A 193.0.6.139
;; AUTHORITY SECTION:
ripe.net. 3600 IN NS sns-pb.isc.org.
ripe.net. 3600 IN NS tinnie.arin.net.
ripe.net. 3600 IN NS pri.authdns.ripe.net.
ripe.net. 3600 IN NS ns3.nic.fr.
ripe.net. 3600 IN NS sec3.apnic.net.
ripe.net. 3600 IN NS sec1.apnic.net.
;; ADDITIONAL SECTION:
pri.authdns.ripe.net. 3600 IN A 193.0.9.5
pri.authdns.ripe.net. 3600 IN AAAA 2001:67c:e0::5
;; Query time: 552 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon May 12 11:31:34 2013
;; MSG SIZE rcvd: 234
The status: NOERROR in the header and the A record in the ANSWER SECTION show that unbound is resolving names. But by default dig does not ask for DNSSEC data (it does not set the DO bit), so this output says nothing about validation. To check that as well, issue a slightly modified command:
dig @127.0.0.1 ripe.net +dnssec
The output is a little longer because it also includes the RRSIG records: digital signatures over each record set, made with the zone's private key. (They are signatures, not encrypted hashes; the resolver verifies them with the zone's public DNSKEY, which is in turn chained through DS records up to the root trust anchor.)
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @127.0.0.1 ripe.net +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19483
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ripe.net. IN A
;; ANSWER SECTION:
ripe.net. 21126 IN A 193.0.6.139
ripe.net. 21126 IN RRSIG A 5 2 21600 20130611105251 20130512095251 36246 ripe.net. OBd1n9NyO5u7CKZzQuxG1gcY7xyWvQn8KBKg6Sjsbltw4Pay7c58QbN4 6JegK2ZtEnVHBJ9leJXucJMDchfiJEBwJ7XFoyFFqlJAStzJtKjCgH/b D1793+ubBdRWP0hiWDBkn1lvjUqrgMS2TQOq0rkk+hZA9pX7VXjntjnJ s4s=
;; AUTHORITY SECTION:
ripe.net. 3125 IN NS sns-pb.isc.org.
ripe.net. 3125 IN NS tinnie.arin.net.
ripe.net. 3125 IN NS pri.authdns.ripe.net.
ripe.net. 3125 IN NS ns3.nic.fr.
ripe.net. 3125 IN NS sec3.apnic.net.
ripe.net. 3125 IN NS sec1.apnic.net.
ripe.net. 3125 IN RRSIG NS 5 2 3600 20130611105251 20130512095251 36246 ripe.net. Ua7IYoIG0imy36FfE9n3yEC9H7qyqmCzYV/oevDiT93W88ee67qZQyWT SlN83fRl0BtEofLfz/TaAOweN8K86hM5cg/vjaSlXTAv6ZdA0GXyOXlm NSkSmGJW2RMfk0ZEZC2iP3g++ahXstTkpLEvzqptwacKMF8/J6Jh9BMk usk=
;; ADDITIONAL SECTION:
pri.authdns.ripe.net. 3126 IN A 193.0.9.5
pri.authdns.ripe.net. 3126 IN AAAA 2001:67c:e0::5
pri.authdns.ripe.net. 3126 IN RRSIG A 5 4 3600 20130611105251 20130512095251 36246 ripe.net. bxYxa/DlSZ/vDhKKx5d5rgPzXfZFzqJjDeqsYt06WuuQrk8Xl61SC1B1 nnrvTFm5avOMfyJiGXg1IvIlEsZ9w3IK5+8GiVpdfK6NV3pzGlNTcdju kr90T2B9BAeRszwCxIOj7aoJYF1hbmyNgfItYE6M8zjDD3Nqqy7mZ7TT +c0=
pri.authdns.ripe.net. 3126 IN RRSIG AAAA 5 4 3600 20130611105251 20130512095251 36246 ripe.net. L8gYlPdK4MJP99WVoIajxH8Pr8VMCzrnwZDXBd4ebEdDlivMqdHFalYh ebVYn6uGugkW+4EQAVMZacM39hxoUuJ7K0JocVBkAKV/yppRoYP9mET3 sDdkU6cd4cvdnI77PoePLYvqL10y1F5iqqeaClBcQM0y/G88f7gVQzU9 mBw=
;; Query time: 24 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon May 12 11:39:28 2013
;; MSG SIZE rcvd: 917
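As an added example, not code from the original post: a small POSIX shell helper that reads dig output and turns the header lines into a verdict (secure, insecure, bogus, error), so the flags discussed next can be checked by a script rather than by eye. It also looks at dig's SERVER line, because the ad flag is only an assertion by the resolver and is worth trusting only when the resolver is reached over loopback. The sample replies inside it are constructed from the headers shown above; the function and variable names are my own, and dnssec-failed.org in the usage comment is a public test zone with deliberately broken signatures.

```shell
#!/bin/sh
# Added example, not from the original post.  Classify a dig reply by its
# header lines.  Reads the reply on stdin and prints one word:
#   secure   - NOERROR/NXDOMAIN with the ad flag: the resolver validated the chain
#   insecure - an answer without ad: unsigned zone, or the resolver did not validate
#   bogus    - SERVFAIL: validation failed (or the upstream path is broken)
#   error    - no header at all (timeout, wrong input)
dnssec_verdict() {
    reply=$(cat)
    status=$(printf '%s\n' "$reply" \
        | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$reply" \
        | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$status" in
        NOERROR|NXDOMAIN)
            case " $flags " in
                *" ad "*) echo secure ;;
                *)        echo insecure ;;
            esac ;;
        SERVFAIL) echo bogus ;;
        *)        echo error ;;
    esac
}

# The ad bit is set by the resolver and travels unprotected in the reply, so it
# only means something when the resolver is reached over a path an attacker
# cannot touch.  Returns 0 when dig's SERVER line names a loopback address.
resolver_is_local() {
    server=$(sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p' | head -n 1)
    case "$server" in
        127.*|::1) return 0 ;;
        *)         return 1 ;;
    esac
}

# Constructed sample replies (header lines only, modelled on real dig output).
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19483
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 5
;; SERVER: 127.0.0.1#53(127.0.0.1)'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20706
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 2
;; SERVER: 127.0.0.1#53(127.0.0.1)'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 127.0.0.1#53(127.0.0.1)'
SAMPLE_REMOTE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 192.168.1.1#53(192.168.1.1)'

for sample in "$SAMPLE_SECURE" "$SAMPLE_INSECURE" "$SAMPLE_BOGUS" "$SAMPLE_REMOTE"; do
    verdict=$(printf '%s\n' "$sample" | dnssec_verdict)
    if printf '%s\n' "$sample" | resolver_is_local; then
        echo "$verdict (local resolver)"
    else
        echo "$verdict (remote resolver: the ad flag is not protected on the wire)"
    fi
done

# Live use against the resolver set up above:
#   dig @127.0.0.1 ripe.net +dnssec | dnssec_verdict               -> secure
#   dig @127.0.0.1 dnssec-failed.org +dnssec | dnssec_verdict      -> bogus
#   dig @127.0.0.1 dnssec-failed.org +dnssec +cd | dnssec_verdict  -> insecure
```

The three live queries in the comment are the useful smoke test: a signed zone must come back secure, a deliberately broken one must come back bogus (SERVFAIL), and the same broken zone with +cd (checking disabled) must come back insecure, which proves the SERVFAIL really came from validation and not from a network problem.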
If you look at the flags line you can see that the data was validated: the ad flag (authenticated data) is present. Keep in mind that ad is only an assertion made by the resolver and travels unprotected in the reply; it can be trusted here because the query went to 127.0.0.1 over loopback, not across a network someone could tamper with. To confirm that validation also rejects bad signatures, query a zone whose DNSSEC is deliberately broken (dnssec-failed.org is a public test zone for exactly this): unbound should answer status: SERVFAIL, and repeating the query with +cd (checking disabled) should return the unvalidated answer without ad. Now you have unbound fully configured and working. The next step is to force Raspbian to use it as its own resolver. DNS servers are defined in the /etc/resolv.conf file, but any manual changes to this file are overwritten by dhclient (if you use DHCP) or by ifplugd (if you have a static IP address defined in /etc/network/interfaces). In case your RPi gets its IP address from DHCP, edit the file /etc/dhcp/dhclient.conf.
nano /etc/dhcp/dhclient.conf
And add following line:
prepend domain-name-servers 127.0.0.1;
The keyword "prepend" places 127.0.0.1 before the nameservers announced by the DHCP server. You can replace it with the keyword "supersede" to ignore the announced nameservers and use only 127.0.0.1. Note the trade-off: with "prepend" the DHCP-announced servers stay in resolv.conf as fallbacks, so if unbound ever stops, the system silently falls back to an upstream resolver that does no validation for you; with "supersede" name resolution simply fails until unbound is back, which is the safer failure mode. You can also set more nameservers; in that case use a comma and a space as the delimiter.
Or in case you use static IP address defined in /etc/network/interfaces, open it:
nano /etc/network/interfaces
And edit to something like:
iface eth0 inet static
address 192.168.1.2
netmask 255.255.255.0
gateway 192.168.1.1
dns-nameservers 127.0.0.1
You can set more nameservers, separated by spaces.
To see whether everything behaves as you wanted, restart the networking service. Afterwards a query without an explicit server, such as dig ripe.net +dnssec, should report SERVER: 127.0.0.1#53 and carry the ad flag, which proves the system really goes through unbound.
/etc/init.d/networking restart
And check resolv.conf, which holds the system-wide list of nameservers; it should now start with nameserver 127.0.0.1.
cat /etc/resolv.conf