Raspberry Pi - unbound

To point the FritzBox's DNS settings at this Raspberry Pi later, you need two IPv4 and two IPv6 addresses. I use eth0 and wlan0 for that.

enable WLAN

$ sudo nano /etc/wpa_supplicant/wpa_supplicant.conf

it should currently look like this:

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
country=DE

append at the end:

network={
   ssid="WLAN-SSID"
   psk="WLAN-PASSWORT"
}

assign a static IP

$ sudo nano /etc/dhcpcd.conf

roughly like this:

interface eth0
static ip_address=x.x.x.3/24
static ip6_address=fe80::1/64
static routers=10.0.0.1

interface wlan0
static ip_address=x.x.x.4/24
static ip6_address=fe80::2/64

where is dig?

$ sudo apt-get install dnsutils

Source:

install unbound

$ sudo apt-get install unbound

config

$ sudo nano /etc/unbound/unbound.conf.d/unbound.conf

/etc/unbound/unbound.conf.d/unbound.conf

server:
  verbosity: 1
  interface: 0.0.0.0
  port: 53
  do-ip4: yes
  do-ip6: no
  do-udp: yes
  do-tcp: yes
  access-control: 10.0.0.0/16 allow
  access-control: 127.0.0.0/8 allow
  access-control: 192.168.0.0/16 allow
  root-hints: "/etc/unbound/root.hints"
  hide-identity: yes
  hide-version: yes
  harden-glue: yes
  harden-dnssec-stripped: yes
  use-caps-for-id: yes
  cache-min-ttl: 300
  cache-max-ttl: 86400
  prefetch: yes
  num-threads: 2
  include: "/etc/unbound/unbound.conf.d/unbound_ad_servers"

forward-zone:
  name: "."
  # definitely censor free & log free with DNSSEC Support:
  forward-addr: 84.200.69.80   # DNS Watch
  forward-addr: 84.200.70.40   # DNS Watch
  forward-addr: 77.109.148.136 # Xiala.net
  forward-addr: 77.109.148.137 # Xiala.net
  forward-addr: 91.239.100.100 # censurfridns.dk
  forward-addr: 89.233.43.71   # censurfridns.dk

load root.hints

$ sudo curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache

ad blocker

$ sudo curl -sS -L --compressed "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=unbound&showintro=0&mimetype=plaintext" -o /etc/unbound/unbound.conf.d/unbound_ad_servers

(-o instead of a shell redirect: a redirect with > is opened by your own user, not by root, and fails with "permission denied" under /etc/unbound)

automate...

$ sudo nano /etc/cron.weekly/unbound_updates.sh

#!/bin/bash
# Updating Unbound resources.
# Place this into e.g. /etc/cron.monthly or /etc/cron.weekly
# curl -f turns an HTTP error (e.g. 404) into a non-zero exit status instead of
# silently saving the error page as the new list.
###[ unbound_ad_servers ]###
curl -fsS -L --compressed "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=unbound&showintro=0&mimetype=plaintext" > /etc/unbound/unbound.conf.d/unbound_ad_servers.new
if [[ $? -eq 0 ]]; then
  mv /etc/unbound/unbound.conf.d/unbound_ad_servers /etc/unbound/unbound.conf.d/unbound_ad_servers.bak
  mv /etc/unbound/unbound.conf.d/unbound_ad_servers.new /etc/unbound/unbound.conf.d/unbound_ad_servers
  unbound-checkconf >/dev/null
  if [[ $? -eq 0 ]]; then
    rm /etc/unbound/unbound.conf.d/unbound_ad_servers.bak
    service unbound reload >/dev/null
  else
    echo "Warning: Errors in unbound configuration due to probably failed update of"
    echo "/etc/unbound/unbound.conf.d/unbound_ad_servers:"
    unbound-checkconf
    # roll back to the previous, known-good list
    mv /etc/unbound/unbound.conf.d/unbound_ad_servers /etc/unbound/unbound.conf.d/unbound_ad_servers.new
    mv /etc/unbound/unbound.conf.d/unbound_ad_servers.bak /etc/unbound/unbound.conf.d/unbound_ad_servers
  fi
else
  echo "Download of unbound_ad_servers list failed!"
fi
###[ root.hints ]###
curl -fsS -o /etc/unbound/root.hints.new https://www.internic.net/domain/named.cache
if [[ $? -eq 0 ]]; then
  mv /etc/unbound/root.hints /etc/unbound/root.hints.bak
  mv /etc/unbound/root.hints.new /etc/unbound/root.hints
  unbound-checkconf >/dev/null
  if [[ $? -eq 0 ]]; then
    rm /etc/unbound/root.hints.bak
    service unbound reload >/dev/null
  else
    echo "Warning: Errors in newly downloaded root.hints file probably due to incomplete download:"
    unbound-checkconf
    # roll back to the previous, known-good hints file
    mv /etc/unbound/root.hints /etc/unbound/root.hints.new
    mv /etc/unbound/root.hints.bak /etc/unbound/root.hints
  fi
else
  echo "Download of unbound root.hints failed!"
fi

$ sudo chmod 0755 /etc/cron.weekly/unbound_updates.sh
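
Before the cron job swaps in a freshly downloaded list, it is worth checking that the file contains nothing but blocklist entries, because unbound-checkconf only proves the file parses and the download arrives over plain http. The following bash function is an added example, not part of the original notes, and assumes the yoyo.org unbound format of local-zone/local-data pairs; the sample list it runs on is constructed, not a real download.

```bash
#!/bin/bash
# Added example, not part of the original notes: validate a downloaded
# yoyo.org-style blocklist before it is included into unbound's server: clause.
# Assumed list format (hostformat=unbound):
#   local-zone: "ads.example" redirect
#   local-data: "ads.example A 127.0.0.1"
# unbound-checkconf would happily accept an injected "forward-addr:" line or a
# local-data record pointing at a foreign host; this check accepts nothing but
# redirect zones, A records to 127.0.0.1 or 0.0.0.0, comments and blank lines.
validate_blocklist() {
  local file="$1"
  local label='[A-Za-z0-9_]([A-Za-z0-9_-]*[A-Za-z0-9_])?'
  local host="${label}(\\.${label})+"
  local allowed="^(local-zone: \"${host}\" redirect|local-data: \"${host} A (127\\.0\\.0\\.1|0\\.0\\.0\\.0)\"|#.*|[[:space:]]*)\$"

  # An empty file usually means a failed download; never install it.
  [ -s "$file" ] || { echo "$file: empty or missing" >&2; return 1; }

  local bad
  bad=$(grep -Evc -- "$allowed" "$file" || true)
  if [ "$bad" -ne 0 ]; then
    echo "$file: $bad unexpected line(s), first offenders:" >&2
    grep -Evn -- "$allowed" "$file" | head -n 5 >&2
    return 1
  fi

  local zones
  zones=$(grep -c '^local-zone:' "$file" || true)
  [ "$zones" -gt 0 ] || { echo "$file: no local-zone entries" >&2; return 1; }
  echo "$file: $zones blocked zones, format OK"
}

# Demo on a constructed sample (not a real download) when run without arguments.
# In the cron script you would call it on the .new file before the mv:
#   validate_blocklist /etc/unbound/unbound.conf.d/unbound_ad_servers.new || exit 1
if [ "$#" -eq 0 ]; then
  sample=$(mktemp)
  printf '%s\n' 'local-zone: "ads.example" redirect' \
                'local-data: "ads.example A 127.0.0.1"' \
                'forward-addr: 198.51.100.7' > "$sample"
  validate_blocklist "$sample" || echo "sample rejected as expected (injected forward-addr)"
  rm -f "$sample"
fi
```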

restart unbound

$ sudo /etc/init.d/unbound restart
[ ok ] Restarting unbound (via systemctl): unbound.service.

WIFI Calling

On the iPhone, set the following Telekom DNS servers manually:

DNS servers used

2003:180:2::53
2003:180:2:6000::53
217.237.151.51
217.237.149.205