$ brew install unbound ldns
Create /usr/local/etc/unbound/unbound.conf with the following contents (this is the file unbound-checkconf is pointed at below):

server:
  verbosity: 1
  interface: 127.0.0.1
  access-control: 127.0.0.1/8 allow
  chroot: ""
  private-address: 192.168.0.0/16
  private-address: 172.16.0.0/12
  private-address: 10.0.0.0/8
  #private-domain: "my.lan"
  #domain-insecure: "my.lan"
  auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"

python:

remote-control:
  control-enable: yes
  control-interface: 127.0.0.1
  server-key-file: "/usr/local/etc/unbound/unbound_server.key"
  server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"
  control-key-file: "/usr/local/etc/unbound/unbound_control.key"
  control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"

#stub-zone:
#  name: "my.lan"
#  stub-addr: 10.0.1.1
You can tell unbound about local domains with the private-domain parameter; the commented-out lines in this configuration show how my.lan would be declared as a private domain (and, together with the stub-zone block, how queries for it would be sent to a local server).
If you wish to enable DNS forwarding to an external DNS server, you can specify one with a catch-all forward zone; for example, to use Google Public DNS (or any of the other public resolvers listed) as a forwarder, add this to the bottom of unbound.conf:
forward-zone:
  name: "."
  forward-addr: 188.8.131.52 # Google
  forward-addr: 184.108.40.206 # Google
  forward-addr: 220.127.116.11 # FreeDNS
  forward-addr: 18.104.22.168 # FreeDNS
  forward-addr: 22.214.171.124 # OpenNIC
  forward-addr: 126.96.36.199 # Verisign
  forward-addr: 188.8.131.52 # Verisign
  forward-addr: 184.108.40.206 # Hurricane Electric
  forward-addr: 220.127.116.11 # DNS Watch
  forward-addr: 18.104.22.168 # DNS Watch
  forward-addr: 22.214.171.124 # censurfridns.dk
  forward-addr: 126.96.36.199 # puntCAT
  forward-addr: 188.8.131.52 # Dyn Public
  forward-addr: 184.108.40.206 # Dyn Public
In the next step we fetch the root zone trust anchor (the root key) needed for DNSSEC validation; the path matches the auto-trust-anchor-file setting above:
$ unbound-anchor -a /usr/local/etc/unbound/root.key
Now we must create the certificate files needed by the unbound-control utility:
$ unbound-control-setup -d /usr/local/etc/unbound
Check the unbound config file for errors before starting the daemon:
$ unbound-checkconf /usr/local/etc/unbound/unbound.conf
Then start unbound as a launch daemon:
$ sudo launchctl load /Library/LaunchDaemons/homebrew.mxcl.unbound.plist
Query a DNSSEC-signed name through the local resolver; if you see ad (Authenticated Data) in the flags field of the response, then DNSSEC validation is working.
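The check above can be scripted so it does not depend on eyeballing the header. The following is an added example, not part of the original post: it parses the ";; flags:" line that drill (and dig) print and reports whether the ad flag is set, then, if drill is installed, runs the same check against the local resolver. The sample header lines are constructed; the function name, the example name example.com and the resolver address 127.0.0.1 are assumptions of this example.

```shell
#!/bin/sh
# Added example: detect the AD (Authenticated Data) flag in a resolver response.
# Not from the original post. Assumes drill from ldns when talking to a live resolver.

# Constructed sample header lines, in the format drill prints.
SAMPLE_VALIDATED=';; flags: qr rd ra ad ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_UNVALIDATED=';; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# has_ad_flag: read a response on stdin; exit 0 if the flags field contains "ad".
# The pattern requires "ad" as a whole token so it does not match names or data
# elsewhere in the output; it accepts both "ad ;" (drill) and "ad;" (dig) spacing.
has_ad_flag() {
    grep -E '^;; flags:( [a-z]+)* ad( |;)' >/dev/null
}

# check_dnssec NAME RESOLVER: query NAME with DNSSEC records requested (-D) through
# RESOLVER and report whether the answer was validated. Requires drill.
check_dnssec() {
    if drill -D "$1" @"$2" | has_ad_flag; then
        echo "$1 via $2: validated (ad flag set)"
        return 0
    else
        echo "$1 via $2: NOT validated (no ad flag)"
        return 1
    fi
}

# Offline demonstration on the constructed samples.
if printf '%s\n' "$SAMPLE_VALIDATED" | has_ad_flag; then
    echo "sample 1: ad flag present"
fi
if printf '%s\n' "$SAMPLE_UNVALIDATED" | has_ad_flag; then
    echo "sample 2: ad flag present"
else
    echo "sample 2: ad flag absent"
fi

# Live check against the local unbound, only if drill is available.
if command -v drill >/dev/null 2>&1; then
    check_dnssec example.com 127.0.0.1 || true   # assumed name and resolver
fi
```

A missing ad flag does not by itself mean validation is broken: the queried zone may simply be unsigned, so test with a name you know is signed. With an external forwarder configured, unbound still validates the forwarded answers itself, so the ad flag should still appear for signed names.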
You can also do a TXT query for test.dnssec-or-not.net to get a verbose confirmation that you are using DNSSEC; be aware that this particular test reports on the resolver that reaches the authoritative server, so it will fail if you are using an external DNS forwarder:
$ drill -D TXT test.dnssec-or-not.net @127.0.0.1