Setting up Unbound as DNS server

abderrahman

Hello,

I'm trying to setup my own DNS server, not just a caching server or a forwarder
I started with dns-server but I found Unbound to be more user-friendly and advanced

I don't know a way to check which DNS is doing the resolving (if anyone has a way please tell me). In 'General Setup' I have 8.8.8.8 as DNS, after enabling Unbound (and disabling DNS forwarder) DNS resolution stops if I don't have a functional DNS server entered (leaving it empty, or putting 127.0.0.1 doesn't work)

In Unbound, I have DNSSEC enabled, network interface is LAN, 'enable DNS forwarder mode' is unchecked

I'm running pfSense 2.0.2 amd64 on VirtualBox

abderrahman

anyone?

redbox

you may have been hitting the same issue as me. when you hit save in general setup the unbound process is shutdown. to workaround that just go to unbound and hit save it will start the process again. you should be able to tell which dns is doing the resolving by logging into pfsense via ssh.

Only one process can bind a port so if you do the following commands:

: ps aux | grep unbound
unbound 19744  0.0  1.1 34808 22824  ??  Ss    1:01AM  0:41.11 unbound -c /usr/local/etc/unbound/unbound.conf

: netstat -an | grep 53
tcp4      0      0 127.0.0.1.953          .                    LISTEN
tcp4      0      0 127.0.0.1.53          .                    LISTEN
tcp4      0      0 10.xxx.xxx.1.53        .                    LISTEN
tcp4      0      0 172.xxx.xxx.1.53        .                    LISTEN
udp4      0      0 127.0.0.1.53          .                   
udp4      0      0 10.xxx.xxx.1.53        .                   
udp4      0      0 172.xxx.xxx.1.53        .

if the first command shows that unbound is running then the second command shows which interface(s) it is listening on.

abderrahman

The first command showed that it is running. In general setup I have 208.67.222.222 as primary, 8.8.8.8 secondary. should I change it?

netstat gave the following:

tcp4      0      0 127.0.0.1.953        .                    LISTEN
tcp4      0      0 10.0.0.138.53        .                    LISTEN
udp4      0      0 10.0.0.138.53          .

how many interfaces do you have? 127.0.0.1 is localhost, meaning Unbound. but 10.0.0.138 is pfSense LAN interface, so is it using the General Setup DNS or Unbound?

addresses resolve normally, but Unbound stats indicate that no queries have passed through it:

total.num.queries=0
total.num.cachehits=0
total.num.cachemiss=0
total.num.prefetch=0
total.num.recursivereplies=0

but it could be wrong, maybe it's not logging right

redbox

In total i have 4 interfaces. Loopback, WAN, and 2 VLANs.

if you have "Enable forwarding mode" checked in unbound then it should use the DNS servers in General Setup but in my case it is not (probably another bug). I had to go to advanced tab in unbound and put the following in the Custom Options:

forward-zone:; name: "."; forward-addr: 71.250.0.14; forward-addr: 71.242.0.14;

I am using FiOS so those are the DNS servers I used (on net DNS servers are usually faster unless you have a crappy ISP). You can use the ones you have in General Setup.

I do have some hits but this is right after restarting unbound again.

thread0.num.queries=5
thread0.num.cachehits=0
thread0.num.cachemiss=5
thread0.num.prefetch=0
thread0.num.recursivereplies=5

EDIT: Check your DHCP settings and see if you are handing out the DNS servers in General Setup or you entered the DNS in DHCP. Also check the client, for windows ipconfig /all or cat /etc/resolv.conf on linux.

abderrahman

cat /etc/resolv.conf gives nameserver 127.0.0.1
however, under "Connection Information" in Ubuntu it lists the DNS servers in General Setup

DNS forwarding mode is disabled in Unbound, my listening network interface is LAN, query is empty

It's not about speed or reliability, I just want to successfully setup a home DNS server for fun & science, not necessarily actually using it

redbox

ok so if ubuntu shows the DNS servers in General Setup then that means your DHCP is giving ubuntu those DNS servers. Are you using the pfsense as DHCP or is there another device that's doing DHCP? If it is pfsense then in the DHCP Server under Services put your LAN IP (10.0.0.138) in the DNS servers field. Renew DHCP on ubuntu or restart it. Ubuntu should now see your LAN IP as the DNS server and will use unbound since it is listening on that interface.

abderrahman

Ya, pfSense LAN is DHCP

I COMPLETELY forgot about DHCP Server's settings! Of course! (the other solution is entering 10.0.0.138 in General Setup, not 127.0.0.1 as I was doing)
Now Unbound's stats are showing queries :)

I guess that makes it a functional DNS server then, ha?  ;D
How do I ABSOLUTELY make sure it's pfSense that's doing the resolution and not DNS entries in General Setup? And how can make sure it's making use of DNSSEC (be it a DNS server or just a forwarder), and if Unbound is just a forwarder then do the other settings in 'advanced' work, like hide identity & version?

redbox

I can only answer how to make sure pfsense is doing the lookup. I'm not really sure about the other things like dnssec, etc.

Login to shell and run "grep forward /usr/local/etc/unbound/unbound.conf"
I get:
forward-zone:
forward-addr: 71.250.0.14
forward-addr: 71.242.0.14

if nothing shows up then that means unbound is doing the lookups on its own and not through the dns in general setup.

abderrahman

Thank you man… sometimes it's the little things that get you :)

anyway, one thing leads to another... I have a question... how do I act as a man-in-the-middle? can I make pfSense, at least at the DNS level, to reply to PING requests without actually contacting the address. I got the idea when I was asleep ;D and also when I noticed how I sometimes get PING replies (usually unrealistically low time) when I know for a fact that the connection is down