Install unbound DNS(SEC) resolver on OS X, on the basis of https://www.spatof.org/blog/unbound-dns-resolver-on-osx.html
To install unbound (and ldns, which provides the drill tool used below) you can use Homebrew:
$ brew install unbound ldns
Now we can edit the configuration file of unbound which by default is located in /usr/local/etc/unbound/unbound.conf:
server:
      verbosity: 1
      interface: 127.0.0.1
      access-control: 127.0.0.1/8 allow
      chroot: ""
      private-address: 192.168.0.0/16
      private-address: 172.16.0.0/12
      private-address: 10.0.0.0/8
      #private-domain: "my.lan"
      #domain-insecure: "my.lan"
      auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"

python:

remote-control:
      control-enable: yes
      control-interface: 127.0.0.1
      server-key-file: "/usr/local/etc/unbound/unbound_server.key"
      server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"
      control-key-file: "/usr/local/etc/unbound/unbound_control.key"
      control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"

#stub-zone:
#      name: "my.lan"
#      stub-addr: 10.0.1.1

You can tell unbound about local domains with the private-domain parameter; in this configuration the commented-out lines show how my.lan would be declared as a private domain.

If you wish to enable DNS forwarding to external DNS servers you can specify them with a catch-all forward zone; for example, to use Google Public DNS (and the other public resolvers listed) as forwarders, add this to the bottom of unbound.conf:

forward-zone:
        name: "."
        forward-addr: 8.8.4.4        # Google
        forward-addr: 8.8.8.8        # Google
        forward-addr: 37.235.1.174   # FreeDNS
        forward-addr: 37.235.1.177   # FreeDNS
        forward-addr: 50.116.23.211  # OpenNIC
        forward-addr: 64.6.64.6      # Verisign
        forward-addr: 64.6.65.6      # Verisign
        forward-addr: 74.82.42.42    # Hurricane Electric
        forward-addr: 84.200.69.80   # DNS Watch
        forward-addr: 84.200.70.40   # DNS Watch
        forward-addr: 91.239.100.100 # censurfridns.dk
        forward-addr: 109.69.8.51    # puntCAT
        forward-addr: 216.146.35.35  # Dyn Public
        forward-addr: 216.146.36.36  # Dyn Public
In the next step we will fetch the root key needed for DNSSEC validation:
$ unbound-anchor -a /usr/local/etc/unbound/root.key
Now we must create the certificate files needed by the unbound-control utility:
$ unbound-control-setup -d /usr/local/etc/unbound
Check the unbound config file for errors before starting the daemon:
$ unbound-checkconf /usr/local/etc/unbound/unbound.conf
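unbound-checkconf only reports syntax errors; it will not tell you whether the resolver is still exposed or unable to validate. The following is an added example (not part of this gist) that parses unbound's "section:" / "key: value" layout and audits a copy of the configuration above for the properties this guide relies on: listening and answering only on loopback, a trust anchor being configured, and whether forwarding is on. The check names and the trimmed sample are this example's own.

```python
import ipaddress
# Constructed sample: a trimmed copy of the unbound.conf shown in this gist.
SAMPLE_CONF = """\
server:
      verbosity: 1
      interface: 127.0.0.1
      access-control: 127.0.0.1/8 allow
      chroot: ""
      private-address: 10.0.0.0/8
      auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
remote-control:
      control-enable: yes
forward-zone:
        name: "."
        forward-addr: 8.8.8.8        # Google
"""

def parse_unbound_conf(text):
    """Parse unbound's 'section:' / 'key: value' layout into {section: [(key, value)]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not value:                            # bare "server:" opens a section
            current = key
            sections.setdefault(current, [])
        elif current is not None:                # chroot: "" stays a key with value ''
            sections[current].append((key, value.strip('"')))
    return sections

def audit(sections):
    """Return {check_name: bool}; the check names are this example's own."""
    server = sections.get("server", [])
    vals = lambda k: [v for key, v in server if key == k]
    ifaces = [i.split("@")[0] for i in vals("interface")]   # drop any @port suffix
    allowed = [a.split()[0] for a in vals("access-control") if a.endswith("allow")]
    return {
        # Listen and answer only on loopback, so the Mac is not an open resolver.
        "loopback_only": bool(ifaces) and all(
            ipaddress.ip_address(i).is_loopback for i in ifaces),
        "acl_loopback_only": bool(allowed) and all(
            ipaddress.ip_network(a, strict=False).is_loopback for a in allowed),
        # Without a trust anchor unbound cannot validate, so replies never get "ad".
        "trust_anchor_set": bool(vals("auto-trust-anchor-file")),
        # Forwarding is allowed, but then test.dnssec-or-not.net reports on the forwarder.
        "forwarding_enabled": "forward-zone" in sections,
    }
```

Run it against your real file with `audit(parse_unbound_conf(open("/usr/local/etc/unbound/unbound.conf").read()))`; any False in the first three checks is worth fixing before loading the plist.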

To start unbound now we must load the plist with launchctl (be aware that you must execute launchctl outside of tmux or proxied by reattach-to-user-namespace):

$ sudo launchctl load /Library/LaunchDaemons/homebrew.mxcl.unbound.plist
If you see "ad" (authenticated data) in the flags field of the reply, DNSSEC validation is working.

You can also do a TXT query for test.dnssec-or-not.net to get a verbose confirmation that you are using DNSSEC; be aware that this test will fail if you are using an external DNS forwarder, because it reports on the resolver that actually talks to the authoritative servers:

$ drill -D TXT test.dnssec-or-not.net @127.0.0.1
server:
      verbosity: 1
      interface: 127.0.0.1
      access-control: 127.0.0.1/8 allow
      username: root
      directory: /usr/local/etc/unbound
      chroot: /usr/local/etc/unbound
      pidfile: /usr/local/var/run/unbound.pid
      private-address: 192.168.0.0/16
      private-address: 172.16.0.0/12
      private-address: 10.0.0.0/8
      #private-domain: "my.lan"
      #domain-insecure: "my.lan"
      auto-trust-anchor-file: /usr/local/etc/unbound/root.key

remote-control:
      control-enable: yes
      control-interface: 127.0.0.1
      server-key-file: "/usr/local/etc/unbound/unbound_server.key"
      server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"
      control-key-file: "/usr/local/etc/unbound/unbound_control.key"
      control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"

#stub-zone:
#      name: "my.lan"
#      stub-addr: 10.0.1.1

forward-zone:
        name: "."
        forward-addr: 8.8.4.4        # Google
        forward-addr: 8.8.8.8        # Google
        forward-addr: 37.235.1.174   # FreeDNS
        forward-addr: 37.235.1.177   # FreeDNS
        forward-addr: 50.116.23.211  # OpenNIC
        forward-addr: 64.6.64.6      # Verisign
        forward-addr: 64.6.65.6      # Verisign
        forward-addr: 74.82.42.42    # Hurricane Electric
        forward-addr: 84.200.69.80   # DNS Watch
        forward-addr: 84.200.70.40   # DNS Watch
        forward-addr: 91.239.100.100 # censurfridns.dk
        forward-addr: 109.69.8.51    # puntCAT
        forward-addr: 216.146.35.35  # Dyn Public
        forward-addr: 216.146.36.36  # Dyn Public
notDavid commented Oct 18, 2015

Hi there, I have a question about the forward-zones I'm hoping you might be able to answer:

In the configuration as provided in the example above, will unbound walk through the (forward-addr) servers:

  1. sequentially in the order provided until it finds one that works?
  2. or in random order until it finds one that works?
  3. or will it query them all in parallel and use the quickest available?