Caching DNS Server Using Unbound on CentOS 7 on LAN

Here is how to setup your own caching DNS server with Unbound on CentOS 7.

A caching DNS server stores the answers to the queries its clients send it. If a client asks it to resolve technichristian.net, the caching DNS server asks the authoritative name server responsible for the appropriate zone to resolve it, and caches the answer. If another client asks it to resolve the same record, the caching DNS server can answer from its cache.

This saves DNS lookup time and avoids unnecessary network communication.

Another advantage is that you can bypass your ISP's DNS servers, which is usually (not always) where government-mandated blocking happens.

Sometimes, the ISP blocks sites by IP, in which case only a VPN can help. This is a different scenario and is not related to this article.

I use unbound as my caching DNS server.

Note: Run the following commands as root or using sudo.

1. To install unbound on CentOS 7, run:

yum install unbound

2. Edit /etc/unbound/unbound.conf

Find the line that reads: cache-min-ttl

cache-min-ttl defines the minimum amount of time (in seconds) that responses should be cached.

Uncomment this line and set it to whatever time period you wish to cache the records. I have set mine to 7200 seconds (2 hours).

Add the following at the end of the file:

server:
    interface: 0.0.0.0
    access-control: 10.0.0.0/16 allow
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.0.0/16 allow
    verbosity: 1

forward-zone:
    name: "."
    forward-addr: 202.12.27.33 # m.root-servers.net
    forward-addr: 199.7.83.42 # l
    forward-addr: 193.0.14.129 # k
    forward-addr: 192.58.128.30 # j
    forward-addr: 192.36.148.17 # i
    forward-addr: 198.97.190.53 # h
    forward-addr: 192.112.36.4 # g
    forward-addr: 192.5.5.241 # f
    forward-addr: 192.203.230.10 # e
    forward-addr: 199.7.91.13 # d
    forward-addr: 192.33.4.12 # c
    forward-addr: 192.228.79.201 # b
    forward-addr: 198.41.0.4 # a

Here, I have made unbound listen on all interfaces of the system, but answer only clients that originate from the LAN (the 10.0.0.0/16 and 192.168.0.0/16 ranges) and from localhost itself; queries from any other source are refused.

To resolve a domain, unbound contacts any of the root servers.

3. Save the file.

4. Start unbound. Run:

service unbound start

5. To make unbound start automatically at boot, run:

chkconfig unbound on

On your router, set the DNS to the IP of the machine running unbound.

6. To test DNS resolution, on the system running unbound, run:

dig <domain>

For example:

dig slashdot.org

The output is as follows:

$ dig slashdot.org

; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> slashdot.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41229
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;slashdot.org.         IN   A

;; ANSWER SECTION:
slashdot.org.      6000   IN   A   216.34.181.45

;; Query time: 104 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Mar 31 11:42:42 IST 2017
;; MSG SIZE rcvd: 57

This shows that DNS resolution took 104 ms, and the SERVER line confirms that the answer came from our local unbound server on 127.0.0.1.

Run the same query again:

dig slashdot.org

The output now is:

$ dig slashdot.org

; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> slashdot.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6651
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;slashdot.org.         IN   A

;; ANSWER SECTION:
slashdot.org.      5812   IN   A   216.34.181.45

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Mar 31 11:45:50 IST 2017
;; MSG SIZE rcvd: 57

The DNS resolution took 0 ms, which shows that the record was served from the unbound cache. The TTL in the answer section has also dropped from 6000 to 5812, counting down the 188 seconds that passed between the two queries (11:42:42 to 11:45:50); a fresh lookup would have returned the full TTL again.
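The cache check above can be scripted. The following is an added example, not code from the original post: it reads the TTL and "Query time" out of two dig outputs and reports a cache hit when the TTL is counting down and the second answer came back in a few milliseconds. The sample outputs embedded below are constructed from the two runs shown above; the resolver address 127.0.0.1 and the 5 ms threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that a second dig run
# was answered from unbound's cache rather than resolved again.

# TTL of the first A record in dig output read from stdin.
ttl_of() {
    awk '$1 !~ /^;/ && $3 == "IN" && $4 == "A" { print $2; exit }'
}

# "Query time" in milliseconds from dig output read from stdin.
query_time_of() {
    sed -n 's/^;; Query time: \([0-9][0-9]*\) msec.*/\1/p'
}

# Seconds the TTL counted down between the first and second answer.
ttl_drop() {
    t1=$(printf '%s\n' "$1" | ttl_of)
    t2=$(printf '%s\n' "$2" | ttl_of)
    [ -n "$t1" ] && [ -n "$t2" ] || return 2
    echo $((t1 - t2))
}

# Succeed when the second answer looks like a cache hit: TTL counting down
# and answered locally within 5 ms (assumed threshold).
cache_hit() {
    drop=$(ttl_drop "$1" "$2") || return 2
    q2=$(printf '%s\n' "$2" | query_time_of)
    [ -n "$q2" ] && [ "$drop" -gt 0 ] && [ "$q2" -le 5 ]
}

# Live check against a resolver (needs dig): live_check 127.0.0.1 slashdot.org
live_check() {
    a=$(dig @"$1" "$2"); sleep 2; b=$(dig @"$1" "$2")
    cache_hit "$a" "$b" && echo "cache hit: TTL counted down $(ttl_drop "$a" "$b")s"
}

# Constructed samples: answer and statistics lines from the post's two runs.
FIRST=';; ANSWER SECTION:
slashdot.org.      6000   IN   A   216.34.181.45
;; Query time: 104 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Mar 31 11:42:42 IST 2017'

SECOND=';; ANSWER SECTION:
slashdot.org.      5812   IN   A   216.34.181.45
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Mar 31 11:45:50 IST 2017'
```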

Done.

I use the root servers for resolution, since they are bound to always have the latest updates, and they are never manipulated by government blocking (I have never heard of root servers being manipulated, so far).

For people with IPv6 connectivity, add the IPv6 addresses of the root servers to the forward-zone section in the unbound configuration. For example:

 forward-addr: 2001:503:ba3e::2:30

and so on.

Attached is my configuration.
