@arainho
Last active April 15, 2020 16:41
Unbound setup on ArchLinux
#!/usr/bin/env bash
# Unbound is a validating, recursive, and caching DNS resolver.
# https://wiki.archlinux.org/index.php/Unbound
# install unbound and expat, plus ldns (drill) and bind-tools (dig) for the checks at the end
sudo pacman -Syy --noconfirm unbound expat ldns bind-tools
# setup etckeeper (it runs as root, so the git identity is configured for root)
sudo pacman -Syy --noconfirm etckeeper
sudo git config --global user.email "me@armory"
sudo git config --global user.name "Me Myself and I"
sudo bash -c 'cd /etc && etckeeper init && etckeeper commit "first commit"'
# create resolv.conf: point openresolv at the local resolver, it rewrites /etc/resolv.conf
sudo cp --backup=numbered -av /etc/resolvconf.conf /etc/resolvconf.conf.backup
sudo sed -i 's/#name_servers=127.0.0.1/name_servers="::1 127.0.0.1"/g' /etc/resolvconf.conf
sudo resolvconf -u
# change the gadget-deadbeef interface's default DNS from 8.8.8.8 to localhost
sudo sed -i 's/DNS=8.8.8.8/DNS=127.0.0.1/g' /etc/systemd/network/gadget-deadbeef.network
# prevent programs from overwriting /etc/resolv.conf
#sudo chattr +i /etc/resolv.conf
# Roothints systemd timer
sudo bash -c 'cat > /etc/systemd/system/roothints.service' << EOF
[Unit]
Description=Update root hints for unbound
After=network.target
[Service]
ExecStart=/usr/bin/curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache
EOF
sudo bash -c 'cat > /etc/systemd/system/roothints.timer' << EOF
[Unit]
Description=Run root.hints monthly
[Timer]
OnCalendar=monthly
Persistent=true
[Install]
WantedBy=timers.target
EOF
# use DNSSEC validation with the trust anchor in /etc/trusted-key.key;
# the pattern contains slashes, so sed needs a different delimiter ('|') and root access
sudo sed -i 's|# auto-trust-anchor-file: "/etc/trusted-key.key"|auto-trust-anchor-file: "/etc/trusted-key.key"|g' /etc/unbound/unbound.conf
sudo bash -c 'cat >> /etc/resolvconf.conf' << EOF
# If you don't want to forward the root zone and would rather let the local resolver
# recursively query the root servers directly,
# simply mark all interfaces private.
# You may need to do this if you enable DNSSEC in the local resolver but the
# upstream DNS servers, say from your router or ISP, don't support DNSSEC.
private_interfaces="*"
# Write out unbound configuration file
unbound_conf=/etc/unbound/resolvconf.conf
EOF
sudo resolvconf -u
# start services; the timer is enabled so it survives a reboot, and the service is
# run once now so root.hints exists without waiting for the monthly timer
sudo systemctl restart unbound.service
sudo systemctl enable --now roothints.timer
sudo systemctl start roothints.service
# check (uncomment to run): resolvectl shows which resolver is active, the drill query
# confirms outbound DNS still works, and with validation on sigfail must return SERVFAIL
# while sigok returns NOERROR with the "ad" flag
#resolvectl status
#drill @8.8.8.8 TXT google.pt
#dig sigfail.verteiltesysteme.net @127.0.0.1 -p 53
#dig sigok.verteiltesysteme.net @127.0.0.1 -p 53
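As an added example (not part of the gist), a small bash check that turns the commented-out dig queries above into a pass/fail verdict: it reads the response status and the AD flag from dig output, so a validating resolver must give "validated" for sigok and "bogus-rejected" for sigfail. The dig output embedded at the end is constructed for offline use, and `dnssec_check` only runs dig when it is installed; the function names are my own.

```bash
#!/usr/bin/env bash
# Classify one dig answer: "validated" (NOERROR with the AD flag, the resolver
# proved the signatures), "bogus-rejected" (SERVFAIL, what a validating resolver
# returns for a deliberately broken signature), "unvalidated" (NOERROR without
# AD, so the resolver is not validating), or "other".
dnssec_verdict() {
  local out="$1" status flags
  status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n1)
  flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n1)
  case "$status" in
    NOERROR)
      case " $flags " in
        *" ad "*) echo validated ;;
        *)        echo unvalidated ;;
      esac ;;
    SERVFAIL) echo bogus-rejected ;;
    *)        echo other ;;
  esac
}

# What a validating resolver must return for each test name from the check step.
expected_verdict() {
  case "$1" in
    sigok.verteiltesysteme.net)   echo validated ;;
    sigfail.verteiltesysteme.net) echo bogus-rejected ;;
    *) echo other ;;
  esac
}

# Query the local resolver (the gist points it at 127.0.0.1) and compare the
# verdict with the expected one. Returns 0 on pass, 1 on fail, 2 if dig is missing.
dnssec_check() {
  local name="$1" server="${2:-127.0.0.1}" out
  command -v dig >/dev/null || { echo "dig not installed (bind-tools)"; return 2; }
  out=$(dig "$name" @"$server" -p 53 +time=3 +tries=1 2>&1)
  [ "$(dnssec_verdict "$out")" = "$(expected_verdict "$name")" ]
}

# Constructed dig header lines for offline use (not real captures).
SAMPLE_SIGOK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SIGFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_NOVALIDATE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
```

On a live box run `dnssec_check sigfail.verteiltesysteme.net && dnssec_check sigok.verteiltesysteme.net`; both must pass before trusting the resolver's validation.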