NethServer Version: 7.4 ELPRO-Kernel
Hello, next question…
On my local Macs I have used unbound for a long time as a local DNS resolver without forwarding and with “qname-minimisation: yes”. Also I got a DNSSEC solution by the way!
On my last attempt to implement a gateway I used IPFirewall (with kernel 2.x too slow). They provide unbound by default, but with forwarding. A charming feature is the possibility to block web pages on DNS level and therefore you don’t need a web proxy. To do this I used the script dns-blocklist.sh
Finally, I combined known blocklists with my own blacklists and whitelists and assigned them to the local zone instead of substituting them with 0.0.0.0 via…
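The approach described above (merging public blocklists with a personal blacklist and whitelist and answering the names from unbound's local zone rather than rewriting them to 0.0.0.0), as an added example that is not the poster's dns-blocklist.sh script and not part of any NethServer package. The sample lists are constructed inline; the `always_nxdomain` local-zone type is assumed to be available in the installed unbound version (recent releases have it):

```shell
#!/bin/sh
# Added example: build an unbound config fragment from a hosts-style blocklist
# plus a personal allowlist. Nothing under /etc or /var/lib/unbound is touched.

# build_unbound_blocklist BLOCKLIST ALLOWLIST
# Prints one "local-zone" line per blocked name. Blocklist lines may be bare
# domains or hosts-file format ("0.0.0.0 ads.example"); '#' comments are ignored,
# names are lowercased and de-duplicated, allowlisted names are dropped.
build_unbound_blocklist() {
    allow=$(mktemp)
    # Normalise the allowlist the same way so exact-match filtering works;
    # blank lines must not reach grep -f, an empty pattern would match everything.
    sed 's/#.*//' "$2" | awk 'NF { print tolower($1) }' > "$allow"
    sed 's/#.*//' "$1" \
      | awk 'NF { print tolower($NF) }' \
      | grep -v -x -e 'localhost' -e '0.0.0.0' -e 'broadcasthost' \
      | sort -u \
      | grep -v -x -F -f "$allow" \
      | awk '{ printf "local-zone: \"%s\" always_nxdomain\n", $1 }'
    rm -f "$allow"
}

# make_demo_lists: constructed sample input, returns the directory holding it.
make_demo_lists() {
    dir=$(mktemp -d)
    cat > "$dir/block.txt" <<'EOF'
# constructed sample blocklist in the hosts format many public lists use
0.0.0.0 ads.example.net
0.0.0.0 Tracker.Example.com
0.0.0.0 localhost
cdn.example.org   # bare-domain form
0.0.0.0 ads.example.net
EOF
    # constructed allowlist: a name we need even though a list blocks it
    printf 'cdn.example.org\n' > "$dir/allow.txt"
    echo "$dir"
}

# Stand-alone usage: print the fragment for the sample lists.
d=$(make_demo_lists)
build_unbound_blocklist "$d/block.txt" "$d/allow.txt"
rm -rf "$d"
```

Redirect the output to a file, reference it from unbound.conf with an `include:` line, and run `unbound-checkconf` before reloading; on NethServer the file would additionally need to be written by a custom template so that it survives a configuration rebuild.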
Thanks Markus, I’ll try it in German… Thanks for the hint, but that doesn’t serve my purpose.
My idea (if a complete substitution isn’t possible) would be:
install Unbound
configure Unbound on a port other than 53 (e.g. 5353)
in NethServer, redirect DNS forwarding to 127.0.0.1:5353
Would that work without causing a conflict with the Service Manager? I’d still trust myself to reconfigure dnsmasq manually. But I don’t know at which point the Service Manager intervenes.
If that isn’t really feasible, I lean towards forwarding to a RASPI - that should work, shouldn’t it? I only fear that end-to-end DNSSEC validation wouldn’t be possible then, since NethServer doesn’t provide for it. Right?
Best regards, Marko
@capote, you can’t easily remove dnsmasq, but it should be possible to make it work together with unbound.
I think that you could use nethserver-unbound, which will listen on port 10053. You will only need to add a custom template to route all queries from dnsmasq to localhost:10053.
Now, the dnsmasq template routes to 10053 only queries to some domains. See this fragment to get the idea:
Hello, Filippo, thank you. That sounds good, but I’m not familiar with the concept of templates. I must first read the instructions on this subject. I hope I understand that somehow, because it sounds very special, at first sight.
Hello @m.traeumner and @filippo_carletti ,
I want to go to the next steps for prototyping. I want to forward any DNS requests to my unbound implementation on my RASPBERRY (192.168.2.8)
I understand that I have to define two parts
The expand-template command builds a new config file from “system” templates and custom templates.
If there are for example system templates 10base, 20dns and 30dhcp and so on and you create a custom template 26unbound_rbl, after expanding templates you have a config file with
10base
20dns
26unbound_rbl
30dhcp
If you want to change a value in a system template, for example 20dns, you have to copy it to templates-custom and change the values there. In this case the system takes your custom template instead of the system template.
You only have to delete your custom template and do the expand-template command again.
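The fragment-merging behaviour explained above, as an added example written for this thread and not NethServer's own expand-template (which additionally runs each fragment through Perl Text::Template; that step is omitted here). On a real NethServer the directories are /etc/e-smith/templates/etc/dnsmasq.conf/ and /etc/e-smith/templates-custom/etc/dnsmasq.conf/; this demo builds the same layout under a temporary directory so nothing under /etc is touched. The fragment contents are constructed; the 26unbound_rbl fragment uses the dnsmasq `server=/#/...` form, which forwards every domain, pointed at the port 10053 that nethserver-unbound listens on according to the post above:

```shell
#!/bin/sh
# Added example: a simplified model of how numbered template fragments from a
# "system" directory and a "custom" directory are merged into one config file.

# expand_template SYSTEM_DIR CUSTOM_DIR
# Prints the merged config: fragments are concatenated in name order, and a
# custom fragment with the same name as a system fragment replaces it.
expand_template() {
    sys_dir=$1
    custom_dir=$2
    for f in "$sys_dir"/* "$custom_dir"/*; do
        if [ -f "$f" ]; then basename "$f"; fi
    done | sort -u | while read -r name; do
        if [ -f "$custom_dir/$name" ]; then
            cat "$custom_dir/$name"
        else
            cat "$sys_dir/$name"
        fi
    done
}

# make_demo: constructed template tree, returns its root directory.
make_demo() {
    root=$(mktemp -d)
    sys="$root/templates/etc/dnsmasq.conf"
    custom="$root/templates-custom/etc/dnsmasq.conf"
    mkdir -p "$sys" "$custom"
    # constructed "system" fragments, named as in the explanation above
    printf 'domain-needed\nbogus-priv\n' > "$sys/10base"
    printf 'server=8.8.8.8\n' > "$sys/20dns"
    printf 'dhcp-range=192.168.1.100,192.168.1.200\n' > "$sys/30dhcp"
    # custom copy of 20dns overrides the system fragment of the same name
    printf '# upstream handled by unbound, see 26unbound_rbl\n' > "$custom/20dns"
    # new custom fragment slots in between 20dns and 30dhcp by its number;
    # dnsmasq "server=/#/host#port" forwards all queries to that server
    printf 'server=/#/127.0.0.1#10053\n' > "$custom/26unbound_rbl"
    echo "$root"
}

# Stand-alone usage: show the merged result for the sample tree.
root=$(make_demo)
expand_template "$root/templates/etc/dnsmasq.conf" "$root/templates-custom/etc/dnsmasq.conf"
rm -rf "$root"
```

Deleting the custom 20dns and expanding again brings the system fragment back, which is exactly the "revert" step described above; in the demo that is `rm` on the custom file followed by another `expand_template` call.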
In another firewall system a server blocklist file is included in the unbound.conf file. The file itself sits in /var/lib/unbound.
That works great to block ads on web pages.
Can this file be used in NS unbound as well?
And if so, how can it be updated and made permanent?