@riipandi
Forked from denji/unbound-osx-homebrew.md
Last active May 10, 2020 13:30
Install unbound DNS(SEC) resolver on OS X, based on https://www.spatof.org/blog/unbound-dns-resolver-on-osx.html
Install unbound with Homebrew, together with ldns, which provides the drill tool used for testing below:
$ brew install unbound ldns
Now edit unbound's configuration file, which Homebrew installs at /usr/local/etc/unbound/unbound.conf (on Apple Silicon the prefix is /opt/homebrew; brew --prefix tells you which one applies). The server section below binds only to the loopback address and only answers the local host, so the resolver is never reachable from the network:
server:
      verbosity: 1
      interface: 127.0.0.1
      access-control: 127.0.0.1/8 allow
      chroot: ""
      private-address: 192.168.0.0/16
      private-address: 172.16.0.0/12
      private-address: 10.0.0.0/8
      #private-domain: "my.lan"
      #domain-insecure: "my.lan"
      auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"

python:

remote-control:
      control-enable: yes
      control-interface: 127.0.0.1
      server-key-file: "/usr/local/etc/unbound/unbound_server.key"
      server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"
      control-key-file: "/usr/local/etc/unbound/unbound_control.key"
      control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"

#stub-zone:
#      name: "my.lan"
#      stub-addr: 10.0.1.1

The private-address lines are DNS rebinding protection: any answer from the public DNS that contains an address in one of those private ranges is dropped, so an attacker-controlled domain cannot be pointed at hosts on your LAN. If you run a private zone that lives on such addresses (my.lan in this configuration), that protection has to be relaxed for that one domain: uncomment private-domain to allow private addresses in answers for it, domain-insecure to exempt it from DNSSEC validation (it is not signed under the public root, so validation would otherwise fail), and the stub-zone to send queries for it to the LAN's own name server. As written, all three are commented out, so my.lan is not yet configured.

If you wish to forward queries to external DNS servers instead of recursing from the root yourself, add a catch-all forward zone at the bottom of unbound.conf. Unbound still validates DNSSEC locally as long as the forwarder returns the signature records; a forwarder that strips them makes every signed name fail with SERVFAIL. Two caveats before copying the list below: unbound spreads queries across every address in the zone (choosing by measured round-trip time), so each of these operators sees a share of your lookups; and the traffic is plain UDP/TCP on port 53, which anyone on the path can read, and can alter for names that are not DNSSEC-signed. Keep the list to one or two resolvers you actually trust. For example, to use Google Public DNS and the others listed as forwarders:

forward-zone:
        name: "."
        forward-addr: 8.8.4.4        # Google
        forward-addr: 8.8.8.8        # Google
        forward-addr: 37.235.1.174   # FreeDNS
        forward-addr: 37.235.1.177   # FreeDNS
        forward-addr: 50.116.23.211  # OpenNIC
        forward-addr: 64.6.64.6      # Verisign
        forward-addr: 64.6.65.6      # Verisign
        forward-addr: 74.82.42.42    # Hurricane Electric
        forward-addr: 84.200.69.80   # DNS Watch
        forward-addr: 84.200.70.40   # DNS Watch
        forward-addr: 91.239.100.100 # censurfridns.dk
        forward-addr: 109.69.8.51    # puntCAT
        forward-addr: 216.146.35.35  # Dyn Public
        forward-addr: 216.146.36.36  # Dyn Public
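As an added example (not from the gist or the spatof post), here is the same catch-all zone in two variants: the weak plaintext form above, reduced to one operator, beside a DNS-over-TLS form using unbound's forward-tls-upstream option, which encrypts the hop to the forwarder and checks the server certificate against the name after the # sign. It assumes a recent unbound (1.9 or newer) and a CA bundle at /etc/ssl/cert.pem (macOS ships one there; Homebrew's OpenSSL keeps its own, so adjust the path). The addresses and TLS names are the ones Google and Cloudflare publish for their resolvers. Only one of the two forward-zone blocks may be active in the file at a time.

```conf
server:
        # CA bundle used to verify the forwarder's certificate when
        # forward-tls-upstream is on. Path is an assumption; adjust to your bundle.
        tls-cert-bundle: "/etc/ssl/cert.pem"

# Weak: cleartext on port 53, and nothing authenticates the forwarder,
# so anything on the path can read the queries and alter unsigned answers.
#forward-zone:
#        name: "."
#        forward-addr: 8.8.8.8        # Google
#        forward-addr: 8.8.4.4        # Google

# Hardened: TLS on port 853; the certificate must match the name after '#'.
# DNSSEC validation still happens locally; TLS only protects the transport.
forward-zone:
        name: "."
        forward-tls-upstream: yes
        forward-addr: 8.8.8.8@853#dns.google
        forward-addr: 8.8.4.4@853#dns.google
        forward-addr: 1.1.1.1@853#cloudflare-dns.com
        forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

After editing, run unbound-checkconf as in the steps below; a wrong tls-cert-bundle path shows up there as a configuration error, whereas a certificate name mismatch only shows up at query time as SERVFAIL with a TLS error in the log.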
In the next step we fetch the root trust anchor needed for DNSSEC validation. Note that unbound-anchor exits with status 1 when it had to create or update the file from its built-in copy, so a non-zero status on the first run is expected; what matters is that root.key now exists and is writable by the user unbound runs as, because unbound keeps it up to date itself (RFC 5011):
$ unbound-anchor -a /usr/local/etc/unbound/root.key
Now we must create the certificate files needed by the unbound-control utility:
$ unbound-control-setup -d /usr/local/etc/unbound
Check unbound config file
$ unbound-checkconf /usr/local/etc/unbound/unbound.conf

To start unbound now, load the plist with launchctl (be aware that you must execute launchctl outside of tmux, or proxied by reattach-to-user-namespace); sudo brew services start unbound does the same and registers the daemon to start at boot:

$ sudo launchctl load /Library/LaunchDaemons/homebrew.mxcl.unbound.plist
Then query a DNSSEC-signed name through the local resolver, for example with drill -D some.signed.example @127.0.0.1 (the -D option sets the DO bit so signatures are requested). If you see ad in the flags field then DNSSEC is working: the ad (Authenticated Data) bit is set by unbound only after it has validated the answer itself, and it is absent for unsigned names, which still resolve normally.

You can also do a TXT query for test.dnssec-or-not.net to get a verbose confirmation that you are using DNSSEC. Be aware that this test describes the resolver that contacted its authoritative server, so with an external DNS forwarder it reports on the forwarder rather than your local unbound and will fail even though unbound validates locally:

$ drill -D TXT test.dnssec-or-not.net @127.0.0.1
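Eyeballing one drill output checks only the success path. The script below is an added example, not part of the gist, that checks the three properties the configuration above is meant to give you: a signed name comes back with the ad flag, a name with deliberately broken signatures is refused with SERVFAIL, and no answer carries a private address. It needs only sh, grep and awk; the parsing functions work on captured dig or drill output, and the live queries (which use dig if present, else drill from ldns) are opt-in via UNBOUND_LIVE=1. Assumptions: the resolver answers on 127.0.0.1 (override with RESOLVER), and the default test names nlnetlabs.nl (signed) and dnssec-failed.org (broken on purpose) still behave that way when you run it; substitute your own if not. The sample outputs embedded in the script are constructed, not captured from a real resolver.

```shell
#!/bin/sh
# Added example: verify what a local validating resolver actually does.
# Assumptions (not from the gist): resolver on 127.0.0.1, dig or drill on
# PATH for live checks, and the two test names still signed / still broken.

RESOLVER="${RESOLVER:-127.0.0.1}"
SIGNED_NAME="${SIGNED_NAME:-nlnetlabs.nl}"
BOGUS_NAME="${BOGUS_NAME:-dnssec-failed.org}"

# has_ad_flag: read dig/drill output on stdin; succeed only if the header
# flags contain 'ad' (Authenticated Data), i.e. the resolver validated it.
# Matches both "flags: qr rd ra ad;" (dig) and "flags: qr rd ra ad ;" (drill).
has_ad_flag() {
    grep -E '^;; flags:.* ad[ ;]' >/dev/null
}

# is_servfail: a validating resolver must refuse (SERVFAIL) a name whose
# signatures do not verify instead of handing the bogus answer to the client.
# dig prints "status: SERVFAIL", drill prints "rcode: SERVFAIL".
is_servfail() {
    grep -E '^;; ->>HEADER<<-.*(status|rcode): SERVFAIL' >/dev/null
}

# returns_private_ip: succeed if any A record in the ANSWER section is in an
# RFC 1918 range. For a public name that is a rebinding answer which the
# private-address directives in unbound.conf should have dropped.
returns_private_ip() {
    awk '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;;/ || /^$/         { in_answer = 0; next }
        in_answer && $4 == "A" &&
            $5 ~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/ { found = 1 }
        END { if (found) exit 0; exit 1 }
    '
}

# query: DNSSEC-aware lookup (DO bit set) through the resolver, using
# whichever tool is installed.
query() {
    if command -v dig >/dev/null 2>&1; then
        dig +dnssec @"$RESOLVER" "$1" A
    else
        drill -D "$1" @"$RESOLVER" A
    fi
}

# live_check: run the three checks against the real resolver; 0 if all pass.
live_check() {
    ok=0
    if query "$SIGNED_NAME" | has_ad_flag; then
        echo "PASS  $SIGNED_NAME validated (ad flag set)"
    else
        echo "FAIL  $SIGNED_NAME: no ad flag; validation is off or the forwarder strips DNSSEC data"
        ok=1
    fi
    if query "$BOGUS_NAME" | is_servfail; then
        echo "PASS  $BOGUS_NAME refused (SERVFAIL)"
    else
        echo "FAIL  $BOGUS_NAME answered; bogus data is passed through to clients"
        ok=1
    fi
    if query "$SIGNED_NAME" | returns_private_ip; then
        echo "FAIL  $SIGNED_NAME resolved to a private address; rebinding protection is off"
        ok=1
    else
        echo "PASS  no private addresses in the answer for $SIGNED_NAME"
    fi
    return $ok
}

# Constructed sample outputs (not captured from a real resolver) so the
# parsers can be exercised offline. 203.0.113.0/24 is documentation space.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 4711
;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
example.net.    3600    IN    A    203.0.113.10'

SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

SAMPLE_REBIND=';; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 4713
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
attacker.example.    60    IN    A    10.0.0.5'

if [ "${UNBOUND_LIVE:-0}" = 1 ]; then
    live_check
fi
```

Run it as UNBOUND_LIVE=1 sh check-resolver.sh once unbound is up. With the catch-all forward zone in place, a FAIL on the first check almost always means the forwarder is not returning RRSIG records; a FAIL on the second means validation is not happening at all (for instance the root.key path is wrong), and a FAIL on the third means the private-address lines did not make it into the running configuration.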
Complete unbound.conf, with chroot, pidfile and the forward zone included:

server:
      verbosity: 1
      interface: 127.0.0.1
      access-control: 127.0.0.1/8 allow
      username: root                     # no privilege drop after binding port 53
      directory: /usr/local/etc/unbound
      chroot: /usr/local/etc/unbound     # paths below inside the chroot are rewritten by unbound
      pidfile: /usr/local/var/run/unbound.pid
      private-address: 192.168.0.0/16
      private-address: 172.16.0.0/12
      private-address: 10.0.0.0/8
      #private-domain: "my.lan"
      #domain-insecure: "my.lan"
      auto-trust-anchor-file: /usr/local/etc/unbound/root.key

remote-control:
      control-enable: yes
      control-interface: 127.0.0.1
      server-key-file: "/usr/local/etc/unbound/unbound_server.key"
      server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"
      control-key-file: "/usr/local/etc/unbound/unbound_control.key"
      control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"

#stub-zone:
#      name: "my.lan"
#      stub-addr: 10.0.1.1

forward-zone:
      name: "."
      forward-addr: 8.8.4.4        # Google
      forward-addr: 8.8.8.8        # Google
      forward-addr: 37.235.1.174   # FreeDNS
      forward-addr: 37.235.1.177   # FreeDNS
      forward-addr: 50.116.23.211  # OpenNIC
      forward-addr: 64.6.64.6      # Verisign
      forward-addr: 64.6.65.6      # Verisign
      forward-addr: 74.82.42.42    # Hurricane Electric
      forward-addr: 84.200.69.80   # DNS Watch
      forward-addr: 84.200.70.40   # DNS Watch
      forward-addr: 91.239.100.100 # censurfridns.dk
      forward-addr: 109.69.8.51    # puntCAT
      forward-addr: 216.146.35.35  # Dyn Public
      forward-addr: 216.146.36.36  # Dyn Public