Substitution of dnsmasq by unbound?

(Marko Dargel) #1

NethServer Version: 7.4 ELPRO-Kernel
Hello, next question…

On my local Macs I have been using unbound for a long time as a local DNS resolver without forwarding and with “qname-minimisation: yes”. That way I also got a DNSSEC solution, by the way!

On my last attempt to implement a gateway I used IPFirewall (with kernel 2.x, too slow). They provide unbound by default, but with forwarding. A charming feature is the possibility to block web pages at DNS level, so you don’t need a web proxy. To do this I used the script dns-blocklist.sh

Finally, I combined known blocklists with my own blacklists and whitelists and assigned them to a local zone instead of substituting them, via…

/bin/ -s 12 -b /etc/unbound_control/blacklist.hosts -w /etc/unbound_control/whitelist.hosts && sed -i 's/local-data/local-zone/g; s/[[:space:]]A"/" static/g' /etc/unbound/local.d/blocklist.conf && /etc/init.d/unbound restart

That’s a real fast solution for blocking ads and tracking!

My questions:

  1. is it possible to replace dnsmasq with unbound in Nethserver and if so how?
  2. would the script also work in Nethserver?
  3. If not - how could I implement DNSSEC in Nethserver?

Best regards, Marko
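The blocking technique described in this post (host names mapped to unbound `local-zone ... static` entries, with a whitelist subtracted) as an added example. This is not the poster’s dns-blocklist.sh and not part of the original thread; the blacklist and whitelist contents are constructed sample data, and the output path is written to a temporary directory instead of /etc/unbound/local.d/blocklist.conf.

```shell
#!/bin/sh
# Added example (not the poster's dns-blocklist.sh): turn hosts-style blocklists
# into unbound 'local-zone: "<name>" static' entries, honouring a whitelist.
# A static local zone makes unbound answer NXDOMAIN for the name and all of its
# subdomains without forwarding the query anywhere, which is why DNS-level
# blocking is fast and needs no web proxy.

# Constructed sample inputs (not real lists), written to a temporary directory.
WORK="$(mktemp -d)"
cat > "$WORK/blacklist.hosts" <<'EOF'
# comment lines and the localhost entry must be ignored
127.0.0.1 localhost
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # trailing comment
0.0.0.0 ADS.EXAMPLE.NET
0.0.0.0 cdn.example.com
EOF
cat > "$WORK/whitelist.hosts" <<'EOF'
cdn.example.com
EOF

# build_local_zones BLACKLIST WHITELIST
# Prints one 'local-zone: "<name>" static' line per blocked name: lowercased,
# de-duplicated, with whitelisted names removed.
build_local_zones() {
    bl="$1"; wl="$2"
    # 1. strip comments, keep the hostname column, lowercase, drop localhost
    awk '{ sub(/#.*/, ""); if (NF >= 2) print tolower($2) }' "$bl" \
        | grep -v -e '^localhost$' -e '^$' \
        | sort -u > "$bl.names"
    # 2. whitelist: one name per line, comments allowed
    awk '{ sub(/#.*/, ""); if (NF) print tolower($1) }' "$wl" | sort -u > "$wl.names"
    # 3. names in the blacklist but not in the whitelist become static zones
    comm -23 "$bl.names" "$wl.names" \
        | awk '{ printf "local-zone: \"%s\" static\n", $1 }'
}

# Generate the include file. In a real deployment this would be
# /etc/unbound/local.d/blocklist.conf, followed by 'unbound-checkconf' and a
# reload of unbound.
build_local_zones "$WORK/blacklist.hosts" "$WORK/whitelist.hosts" > "$WORK/blocklist.conf"

# count_zones FILE: number of local-zone lines produced (used for verification)
count_zones() { grep -c '^local-zone: ' "$1"; }
```

With the sample data above the result is two static zones (ads.example.net and tracker.example.org): the upper-case duplicate collapses into one entry, localhost is skipped and cdn.example.com is kept resolvable by the whitelist. Running `unbound-checkconf` before reloading catches a malformed line before unbound refuses to start.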

(Markus Neuberger) #2

There is an unbound module but it’s not a replacement:

(Marko Dargel) #3

Thanks Markus, I’ll try it in German… Thanks for the hint, but that doesn’t serve my purpose.

My idea (if a complete substitution is not possible) would be:

  1. install Unbound
  2. configure Unbound on a port other than 53 (e.g. 5353)
  3. redirect the DNS forwarding in NethServer to 127.0.0.1:5353

Would that work without causing a conflict with the service manager? I would trust myself to reconfigure dnsmasq manually. But I don’t know at which point the service manager still intervenes.

If that isn’t really feasible, I tend towards forwarding to a RASPI - that should work, shouldn’t it? I only fear that then end-to-end DNSSEC validation is not possible, because NethServer hasn’t provided for any. Right?

Warm regards, Marko

(Filippo Carletti) #4

@capote, you can’t easily remove dnsmasq, but it should be possible to make it work together with unbound.
I think that you could use nethserver-unbound, which will listen on port 10053. You will only need to add a custom template to route all queries from dnsmasq to localhost:10053.
Now, the dnsmasq template routes to 10053 only queries to some domains. See this fragment to get the idea:

Please, keep us updated, I’ll try to help.

(Marko Dargel) #5

Hello, Filippo, thank you. That sounds good, but I’m not familiar with the concept of templates. I must first read the instructions on this subject. I hope I understand that somehow, because it sounds very special, at first sight.

Best regards, Marko

(Michael Träumner) #6

It’s not so complicated, build a file


with the content Filippo posted and save it.
After that you have to expand the template.

expand-template /etc/dnsmasq.conf

(Marko Dargel) #7

Hello @m.traeumner and @filippo_carletti ,
I want to take the next steps for prototyping. I want to forward all DNS requests to my unbound implementation on my RASPBERRY (
I understand that I have to define two parts

  • the requested domain
  • the forward destination.

Inside the 26unbound_rbl are, and such requested domains.

But what should I define if I want to forward all requests to 192.168.2.8?

  # forward DNS  queries to RASPI unbound

Could you explain please, how the “expand-template” command works? And how could I roll back if fails?

Best regards, Marko

(Filippo Carletti) #8

You can forward DNS requests to the rpi by configuring the DNS on the network page.

(Michael Träumner) #9

The expand-template command builds a new config file from “system” templates and custom templates.

If there are for example system templates 10base, 20dns and 30dhcp and so on and you create a custom template 26unbound_rbl, after expanding the templates you have a config file with

  • 10base
  • 20dns
  • 26unbound_rbl
  • 30dhcp

If you want to change a value in a system template, for example 20dns, you have to copy it to templates-custom and change the values there. In this case the system takes your custom template instead of the system template.

You only have to delete your custom template and do the expand-template command again.
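The fragment ordering, override and rollback rules explained in this reply, as an added example in shell. This is a simplified model written for this thread, not NethServer’s real expand-template (which runs every fragment through a Perl template engine): it only reproduces the merge order (10base, 20dns, 26unbound_rbl, 30dhcp), the rule that a custom fragment with the same name replaces the system one, and the rollback by deleting the custom fragment and expanding again. All fragment contents and directories are constructed; the `server=/#/...` line uses the `#` wildcard that a later reply in this thread mentions as untried.

```shell
#!/bin/sh
# Added example: a simplified shell model of how expand-template assembles
# /etc/dnsmasq.conf from numbered fragments. NOT the e-smith implementation;
# it reproduces only the ordering and override rules from this thread:
#   * fragments are concatenated in lexical (number) order
#   * a templates-custom/ fragment with the same name as a system fragment
#     replaces it; one with a new name is merged into the sequence
#   * rollback = delete the custom fragment and expand again

WORK="$(mktemp -d)"
SYS="$WORK/templates/etc/dnsmasq.conf"
CUSTOM="$WORK/templates-custom/etc/dnsmasq.conf"
mkdir -p "$SYS" "$CUSTOM"

# Constructed system fragments (not the real NethServer templates).
printf '%s\n' 'domain-needed' 'bogus-priv'            > "$SYS/10base"
printf '%s\n' 'server=8.8.8.8'                        > "$SYS/20dns"
printf '%s\n' 'dhcp-range=192.168.2.50,192.168.2.150' > "$SYS/30dhcp"

# Constructed custom fragments:
#  - 26unbound_rbl is a new name, so it lands between 20dns and 30dhcp;
#    '#' as the domain is the dnsmasq wildcard a later reply mentions
#    (untried there), sending every query to local unbound on port 10053
#  - 20dns has the same name as a system fragment, so it replaces it
printf '%s\n' 'server=/#/127.0.0.1#10053' > "$CUSTOM/26unbound_rbl"
printf '%s\n' 'no-resolv'                 > "$CUSTOM/20dns"

# expand SYSDIR CUSTOMDIR: print the assembled config to stdout.
expand() {
    sysdir="$1"; customdir="$2"
    # union of fragment names in lexical order; custom wins on duplicates
    { ls "$customdir"; ls "$sysdir"; } | sort -u | while read -r name; do
        if [ -f "$customdir/$name" ]; then
            echo "# --- $name (custom)"; cat "$customdir/$name"
        else
            echo "# --- $name (system)"; cat "$sysdir/$name"
        fi
    done
}

expand "$SYS" "$CUSTOM" > "$WORK/dnsmasq.conf"

# Rollback as described above: delete the custom 20dns and expand again,
# which brings the system 20dns fragment back.
rollback_and_expand() {
    rm -f "$CUSTOM/20dns"
    expand "$SYS" "$CUSTOM"
}

# Helpers used for verification.
fragment_order() { grep '^# --- ' "$1" | awk '{print $3}' | tr '\n' ' '; }
has_line() { grep -qxF "$2" "$1"; }
```

On the generated file, `fragment_order` returns `10base 20dns 26unbound_rbl 30dhcp`, the custom `no-resolv` is present while the system `server=8.8.8.8` is not, and after `rollback_and_expand` the system `20dns` content is back. Checking the expanded file with `dnsmasq --test` before restarting the service is the equivalent safety net on a real NethServer.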

(Marko Dargel) #10

That was my first idea. But it isn’t possible because only the forwarding IP is accepted there, not IP address and port number.

(Michael Träumner) #11

@support_team Somebody has an idea?

(Markus Neuberger) #12

Hi @capote,

It seems like # is the wildcard; I did not try it:


(Ralph) #13

In another firewall system a server blocklist file is included in the unbound.conf file. The file itself sits in /var/lib/unbound.
That works great to block ads on web pages.
Can this file be used in NS unbound as well?
And if so, how can it be updated and made permanent?