Now that the root DNS servers are signed, I thought it was time I started using DNSSEC on my own PC. However, not wanting to wait for my ISP to enable it, I decided to setup a private recursive DNS resolver for myself using Unbound.

Installing Unbound

Being already packaged in Debian and Ubuntu, unbound is only an apt-get away:

apt install unbound

Optional settings

In /etc/unbound/unbound.conf.d/francois.conf, I enabled the following security options:

harden-below-nxdomain: yes
harden-referral-path: yes
harden-algo-downgrade: no # false positives with improperly configured zones
use-caps-for-id: no # makes lots of queries fail
hide-identity: yes
hide-version: yes

and turned on prefetching to hopefully keep in cache the sites I visit regularly:

prefetch: yes
prefetch-key: yes
msg-cache-size: 128k
msg-cache-slabs: 2
rrset-cache-size: 8m
rrset-cache-slabs: 2
key-cache-size: 32m
key-cache-slabs: 2
cache-min-ttl: 3600
num-threads: 2

Finally, I also enabled the control interface:

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1

and increased the amount of debugging information:

val-log-level: 2
use-syslog: yes
verbosity: 1

before running sudo unbound-control-setup to generate the necessary keys.

Once unbound is restarted (sudo service unbound restart) stats can be queried to make sure that the DNS resolver is working:

unbound-control stats

Overriding DHCP settings

In order to use my own unbound server for DNS lookups and not the one received via DHCP, I added this line to /etc/dhcp/dhclient.conf:

supersede domain-name-servers 127.0.0.1;

and restarted dhclient:

sudo killall dhclient
sudo killall dhclient
sudo /etc/init.d/network-manager restart

If you're not using DHCP, then you simply need to put this in your /etc/resolv.conf:

nameserver 127.0.0.1

Testing DNSSEC resolution

Once everything is configured properly, the best way I found to test that this setup was actually working is to use a web browser to visit these sites:

and using dig:

$ dig +dnssec A www.dnssec.cz | grep ad ;; flags: qr rd ra <b>ad</b>; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1

Are there any other ways of making sure that DNSSEC is fully functional?

Integration with OpenVPN

If you are running your own OpenVPN server, you can tell clients to connect to the local unbound DNS client by putting the following in /etc/unbound/unbound.conf.d/openvpn.conf:

server:
    interface: 127.0.0.1
    interface: 10.8.0.1
    access-control: 127.0.0.1 allow
    access-control: 10.8.0.1/24 allow

the following in /etc/openvpn/server.conf:

push "dhcp-option DNS 10.8.0.1"
push "register-dns"

and opening the following port on your firewall (typically /etc/network/iptables.up.rules on Debian):

-A INPUT -p udp --dport 53 -s 10.8.0.0/24 -j ACCEPT

Then restart both services and everything should work:

systemctl restart unbound.service
systemctl restart openvpn.service

You can test it on http://dnsleak.com.