As sysadmins, we need to know a bit about what DNS is and how it works — including what could go wrong. Knowing all of that, what advantage would there be in running our very own DNS server at home or in our small organization? There could be several reasons you might want to have your own DNS server.
- A local DNS server can decrease response time for address queries, and make more efficient use of network resources, improving performance overall.
- A local DNS server can be used to filter queries. For example, it may block DNS resolution of sites serving advertising or malware.
- Some people run their own DNS server out of concerns for privacy and the security of data.
- You might want your own DNS server in your own home lab or small organization to manage internal, local name resolution. In addition, you do not have to remember addresses, rely on an external DNS service, or maintain hosts files on all your devices.
So why Unbound?
There are many options to choose from for this project. For the sake of discussion, we'll talk briefly about a popular example of the three main types (note that we'll only consider 'open' software that you can get without having to pay for a license).
BIND
BIND is the grandfather of DNS servers, the first and still the most common of the available options. BIND comes capable of anything you would want to do with a DNS server — notably, it provides an authoritative DNS server. It can manage many (like hundreds of) zones or domains as the final word on addressing. All these features make it slightly harder to configure and manage than some other options, and it's slower than the others as well. It can quickly become complicated to manage and is probably overkill for a smaller project.
DNSMasq
DNSMasq is a lightweight caching server designed for performance and ease of implementation. It is also packaged with a simple DHCP and TFTP server. It's very popular as part of software packaged for home use, and it is an underlying piece of some other software you might have used, like Clonezilla and Pi-Hole, because it can provide all these services as a single small package. Unfortunately, even though it's capable of split-DNS, it is a caching-only server. It can't do recursion (it can't look for another DNS server or handle referrals to or from other servers), and it can't host even a stub domain, so it's not too helpful for managing names and addresses.
Unbound
Unbound can be a caching server, but it can also do recursion and keep records it gets from other DNS servers. It can provide some authoritative service as well, for example if you have just a few zones, so it can serve as a stub or "glue" server or host a small zone of just a few domains. That makes it perfect for a lab or small organization. It's also very popular as a recursive and caching layer server in larger deployments. Unbound is capable of DNSSEC validation and can serve as a trust anchor. It can do TLS encryption, and the most recent version now implements the RPZ standard (a more robust and sophisticated version of what DNSMasq does with split-DNS to allow the filtering of DNS queries for privacy and security). It's also become the standard default DNS server software available for many GNU/Linux distributions, including BSD and Red Hat-based versions.
In my own lab, I'm running a BIND authoritative server for an internal domain, and I want to add an Unbound server that refers to this but can also cache, recurse, and forward requests to the outside world. The only reason I'm doing these separately is for reference and practice.
Installation
On RHEL/CentOS/Fedora machines, it's as simple as getting it from the main YUM repositories:
[root@callisto ~]# yum install unbound
---> Package unbound.x86_64 0:1.6.6-1.el7 will be installed
---> Package libevent.x86_64 0:2.0.21-4.el7 will be installed
---> Package unbound-libs.x86_64 0:1.6.6-1.el7 will be installed
--> Finished Dependency Resolution
Total download size: 1.3 M
Installed size: 4.2 M
The main file we'll be working with to configure Unbound is the unbound.conf file, which on RHEL/CentOS/Fedora is at /etc/unbound/unbound.conf.
For this project, I'm going to install Unbound as a caching/recursive DNS server with the additional job of resolving machines in my local lab via an already existing DNS server that acts as an authoritative server for my lab and home office.
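A sketch of what that design could look like in /etc/unbound/unbound.conf, added here as an illustration and not the author's own configuration. The domain lab.example, the 192.0.2.0/24 network, the listener address 192.0.2.10, the authoritative server address 192.0.2.53 and the trust anchor path are all placeholder assumptions.

```conf
# /etc/unbound/unbound.conf (illustrative; every name and address is a placeholder)
server:
    # Listen on loopback and one LAN address only, not on every interface.
    interface: 127.0.0.1
    interface: 192.0.2.10

    # Default-deny, then allow only loopback and the lab network.
    # A recursive resolver that answers anyone is an open resolver.
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 192.0.2.0/24 allow

    # Validate DNSSEC for public names using the root trust anchor.
    # Path is an assumption; use the one from your packaged unbound.conf.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-glue: yes
    harden-dnssec-stripped: yes

    # Do not answer id.server / version.bind queries with real values.
    hide-identity: yes
    hide-version: yes

    # The internal zone is unsigned and not delegated from the public tree,
    # so validation must be switched off for it or lookups will fail.
    domain-insecure: "lab.example"

# Send queries for the internal domain to the existing authoritative
# server; everything else is resolved recursively from the root and cached.
stub-zone:
    name: "lab.example"
    stub-addr: 192.0.2.53
```

Running unbound-checkconf against the file before restarting the service catches syntax errors without taking the resolver down.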
Wrapping up
In the next installment of this article, we'll look at the basic configuration of Unbound.
About the author
Glen Newell has been solving problems with technology for 20 years. As a Systems Engineer and administrator, he’s built and managed servers for Web Services, Healthcare, Finance, Education, and a wide variety of enterprise applications. He’s been working with and promoting open source technologies and methods for his entire career and loves to share what he learns and help people understand technology.