Librarium
Settings

How to surf the internet using Pi-Hole & Unbound

TechBytes with Ron Nutter
cloudflare dnscloudflare dns over httpsconfiguring unbounddns over httpsdns over tlshowto install unboundinstall pihole unboundinstall unbound raspberry piinstall unbound raspbianpiholepihole cloudflarepihole cloudflare dohpihole setupraspberry pi 4 projects for beginnersraspberry pi projectsuninstall cloudflareduninstall cloudflared raspberry piusing cloudflare with piholeusing pihole with cloudflareusing unbound

Want to increase being safe when surfing the internet? Want to minimize the number of DNS lookup requests leaving your network?

Stay tuned and I will show you how

• Removing Cloudflare client sudo systemctl stop cloudflared • Verify it is stopped sudo systemctl status cloudflared • uninstall service Sudo cloudflared service uninstall

Install Unbound sudo apt install unbound

Sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf

server: # If no logfile is specified, syslog is used # logfile: "/var/log/unbound/unbound.log" verbosity: 0 interface: 127.0.0.1 port: 5335 do-ip4: yes do-udp: yes do-tcp: yes

May be set to yes if you have IPv6 connectivity

do-ip6: no

You want to leave this to no unless you have native IPv6. With 6to4 and

# Terredo tunnels your web browser should favor IPv4 for the same reasons
prefer-ip6: no

Use this only when you downloaded the list of primary root servers!

# If you use the default dns-root-data package, unbound will find it automatically
#root-hints: "/var/lib/unbound/root.hints"

Trust glue only if it is within the server's authority

harden-glue: yes

Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS

harden-dnssec-stripped: yes

Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes

# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
use-caps-for-id: no

Reduce EDNS reassembly buffer size.

# Suggested by the unbound man page to reduce fragmentation reassembly problems
edns-buffer-size: 1472

Perform prefetching of close to expired message cache entries

# This only applies to domains that have been frequently queried
prefetch: yes

One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.

num-threads: 1

Ensure kernel buffer is large enough to not lose messages in traffic spikes

so-rcvbuf: 1m

Ensure privacy of local IP ranges

private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
private-address: fd00::/8
private-address: fe80::/10

Start your local recursive server and test that it's operational: sudo service unbound restart dig pi-hole.net @127.0.0.1 -p 5335

You can test DNSSEC validation using dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5335 dig sigok.verteiltesysteme.net @127.0.0.1 -p 5335

Finally, configure Pi-hole to use your recursive DNS server by specifying 127.0.0.1#5335 as the Custom DNS (IPv4):

⏱️TIMESTAMPS ... https://www.youtube.com/watch?v=U_OSX3-Kcrc

2021-07-26
0.0 LBC
Copyrighted (contact publisher)

98664447 Bytes