Unbound configuration for LAN

unbound

As the OpenBSD manual page states, unbound is a validating, recursive, caching DNS resolver. Besides resolving Internet names it can answer queries for local LAN host names and the corresponding reverse (PTR) lookups. Unbound is part of the base OpenBSD installation, so nothing needs to be installed; it is configured by editing:

$ doas vim /var/unbound/etc/unbound.conf

After saving, check the file for syntax errors, then enable and (re)start the daemon:

$ doas unbound-checkconf
$ doas rcctl enable unbound
$ doas rcctl restart unbound

Note: the character '#' starts a comment that runs from its position to the end of the line.

# $OpenBSD: unbound.conf,v 1.21 2020/10/28 11:35:58 sthen Exp $

server:
        use-syslog: yes
        verbosity: 4
        prefetch: yes
        interface: 0.0.0.0                      # listen on every IPv4 address of the host
        do-ip4: yes
        do-ip6: no
        do-udp: yes
        do-tcp: yes
        access-control: 0.0.0.0/0 refuse        # block all users by default
        access-control: 192.168.254.0/24 allow  # allow users on the internal network to use unbound
        access-control: 127.0.0.0/8 allow       # allow localhost to use unbound
        hide-identity: yes
        hide-version: yes
        do-not-query-localhost: no
        private-address: 192.168.254.0/24
        private-domain: "home.local"            # same zone as the local-zone below
        private-domain: "254.168.192.in-addr.arpa"
        domain-insecure: "home.local"           # same zone as the local-zone below
        unblock-lan-zones: yes
        insecure-lan-zones: yes

        local-zone: "home.local." static
        local-data: "ALPHA.home.local IN A 10.0.0.1"
        local-data: "BETA.home.local IN A 10.0.0.2"
        local-data: "GAMMA.home.local IN A 10.0.0.3"
        local-data: "DELTA.home.local IN A 10.0.0.4"

        local-data-ptr: "10.0.0.1 ALPHA.home.local"
        local-data-ptr: "10.0.0.2 BETA.home.local"
        local-data-ptr: "10.0.0.3 GAMMA.home.local"
        local-data-ptr: "10.0.0.4 DELTA.home.local"

remote-control:
        control-enable: yes
        control-interface: /var/run/unbound.sock

forward-zone:
        name: "."                               # "." covers every name: ALL queries go to the forwarders below
        forward-addr: 208.67.222.222            # OpenDNS
        forward-addr: 208.67.220.220            # OpenDNS
        forward-addr: 8.8.8.8                   # Google; plain DNS on port 53, so the forwarders see every name the LAN looks up

Let's go through the sections of the above file one at a time. First comes the server: section, the general block in which the daemon's behaviour is configured:

use-syslog: yes - tells unbound to send its log messages to syslog. This is the default; with no, messages go to the file named by the logfile option (or to stderr if none is set).

verbosity: 4 - ranges from 0 to 5, 1 being the default. At 0 only errors are logged; 1 gives operational information, 2 detailed operational information, 3 per-query information and 4 algorithm-level detail. Level 4 is a debugging setting that will flood syslog on a busy resolver; for day-to-day use 1 is enough, and the level can be raised temporarily with unbound-control verbosity <n> while troubleshooting.

prefetch: yes - cache entries that are about to expire (roughly the last 10% of their TTL) are refetched when a client asks for them, so popular names never drop out of the cache. The default is no; turning it on costs about 10% extra upstream traffic.

interface: 0.0.0.0 - unbound listens on every IPv4 address of the host (and on no IPv6 address, given do-ip6: no below). On a machine that also has an Internet-facing address, binding only the LAN address (for example interface: 192.168.254.1, if that is the router's LAN address) is tighter: the access-control entries below refuse outside clients anyway, but a port that is not open at all cannot be probed or abused by anyone.

do-ip4: yes - answer and send queries over IPv4. Default is yes.

do-ip6: no - disable IPv6 entirely: unbound neither listens on IPv6 addresses nor sends queries over IPv6. Default is yes.

do-udp: yes and do-tcp: yes - answer and send queries over UDP and TCP respectively. Default is yes for both; leave TCP on, since answers too large for UDP are retried over TCP.

access-control: <address>/<size> <action> - These three entries decide how unbound treats queries from a given source address. access-control: 0.0.0.0/0 refuse rejects every IPv4 client by default (refuse answers with DNS rcode REFUSED; deny would drop the query silently), access-control: 192.168.254.0/24 allow lets hosts on the internal network query, and access-control: 127.0.0.0/8 allow lets the local host query. Unbound does not evaluate these entries top to bottom: for each client it applies the entry with the most specific (longest) matching prefix, so the /24 and /8 entries override the /0 entry regardless of their order in the file.
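Unbound does not apply access-control entries in file order: for a given client it picks the entry with the longest matching prefix. The following script, an added example that is not part of this page or of unbound itself, models that rule on the three entries above and on a constructed variant that refuses one host inside the allowed /24. It is a model of the matching logic only (an address no entry covers falls back to a `default` parameter), not a substitute for testing the running daemon with dig or unbound-control.

```python
"""Resolve which access-control action applies to a client address.

Added example, not part of the page or of unbound itself.  It models the
documented matching rule: among all entries whose netblock contains the
client, the most specific (longest prefix) one wins, whatever the order
of the lines in unbound.conf.
"""
import ipaddress

# Constructed sample: the three access-control lines from the configuration above.
ACL_LINES = [
    "access-control: 0.0.0.0/0 refuse        # block all users by default",
    "access-control: 192.168.254.0/24 allow  # allow the internal network",
    "access-control: 127.0.0.0/8 allow       # allow localhost",
]

# Constructed variant: same LAN, but one host in it is singled out and refused.
ACL_WITH_EXCEPTION = ACL_LINES + ["access-control: 192.168.254.200/32 refuse"]


def parse_acl(lines):
    """Return a list of (network, action) tuples from access-control lines."""
    rules = []
    for line in lines:
        line = line.split("#", 1)[0].strip()      # '#' starts a comment
        if not line.startswith("access-control:"):
            continue
        _, rest = line.split(":", 1)
        net, action = rest.split()
        rules.append((ipaddress.ip_network(net, strict=False), action))
    return rules


def acl_action(rules, client_ip, default="refuse"):
    """Action for client_ip: the longest matching prefix wins.

    `default` (an assumption of this model) stands in for whatever unbound
    would do with an address no configured entry covers.
    """
    addr = ipaddress.ip_address(client_ip)
    best_net, best_action = None, default
    for net, action in rules:
        if addr.version != net.version or addr not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_action = net, action
    return best_action


if __name__ == "__main__":
    rules = parse_acl(ACL_WITH_EXCEPTION)
    for ip in ("192.168.254.10", "192.168.254.200", "127.0.0.1", "203.0.113.5"):
        print(f"{ip:16} -> {acl_action(rules, ip)}")
```

Running it shows the LAN host allowed, the singled-out host refused, localhost allowed and the outside address refused; feeding the same lines in reverse order gives identical results, which is the point.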

hide-identity: yes and hide-version: yes - the first refuses id.server and hostname.bind queries, the second refuses version.server and version.bind queries (the CH-class TXT queries commonly used to fingerprint resolvers).

do-not-query-localhost: no - this option is about where unbound sends its own queries, not about who may query it. With no, unbound is allowed to send upstream queries to 127.0.0.0/8 and ::1 (for example to a forwarder or stub server running on the same host); the default is yes, which forbids that. The setting is harmless but unnecessary here, because all forwarders in the forward-zone below are external. Who may query unbound is governed by access-control above.

private-address: 192.168.254.0/24 -
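The local-zone, local-data and local-data-ptr entries in the file above are not discussed here, but they are the lines most easily left inconsistent: a forward entry without its reverse, or a private-domain or domain-insecure line naming a zone other than the one actually served. The following script, an added example that is not part of this page or of unbound, parses those directives from a constructed sample embedded inline and reports such mismatches; it also reports whether a trust anchor is configured, since without an auto-trust-anchor-file (or trust-anchor-file) line unbound performs no DNSSEC validation, however the resolver is described. The sample, its zone names and the two problems planted in it are constructed for illustration.

```python
"""Cross-check the local-zone / local-data / local-data-ptr block of an
unbound.conf.

Added example; not part of the page or of unbound.  It checks that every
forward A record has a matching PTR (and vice versa), that every local name
sits inside a declared local-zone, that private-domain / domain-insecure
name a zone that is actually served locally, and whether a DNSSEC trust
anchor is configured at all.
"""
import ipaddress
import re

# Constructed sample with two deliberate problems: GAMMA has no PTR, and
# private-domain names a zone ("homelab.local") that is never declared.
SAMPLE = '''
server:
        private-domain: "homelab.local"
        local-zone: "home.local." static
        local-data: "ALPHA.home.local IN A 10.0.0.1"
        local-data: "BETA.home.local IN A 10.0.0.2"
        local-data: "GAMMA.home.local IN A 10.0.0.3"   # no PTR for this one
        local-data-ptr: "10.0.0.1 ALPHA.home.local"
        local-data-ptr: "10.0.0.2 BETA.home.local"
'''

KEYS = re.compile(
    r'(local-data-ptr|local-data|local-zone|private-domain|domain-insecure):\s*"([^"]*)"')


def fqdn(name):
    """Canonical form: lower case with one trailing dot, so names compare equal."""
    return name.lower().rstrip(".") + "."


def parse(text):
    """Collect zones, A records, PTR records and private/insecure domain names."""
    zones, a_records, ptr_records, private = set(), {}, {}, set()
    for raw in text.splitlines():
        m = KEYS.match(raw.split("#", 1)[0].strip())    # '#' starts a comment
        if not m:
            continue
        key, val = m.groups()
        if key == "local-zone":
            zones.add(fqdn(val.split()[0]))               # "home.local. static" -> zone name
        elif key == "local-data":
            parts = val.split()                           # name [TTL] IN A addr
            if len(parts) >= 4 and parts[-2] == "A":
                a_records[fqdn(parts[0])] = ipaddress.ip_address(parts[-1])
        elif key == "local-data-ptr":
            ip, name = val.split()
            ptr_records[ipaddress.ip_address(ip)] = fqdn(name)
        else:                                             # private-domain / domain-insecure
            private.add(fqdn(val))
    return zones, a_records, ptr_records, private


def in_zone(name, zones):
    return any(name == z or name.endswith("." + z) for z in zones)


def lint(text):
    """Return a list of human-readable problems; an empty list means consistent."""
    zones, a_records, ptr_records, private = parse(text)
    problems = []
    for name, ip in a_records.items():
        if not in_zone(name, zones):
            problems.append(f"{name} lies outside every declared local-zone")
        if ptr_records.get(ip) != name:
            problems.append(f"no local-data-ptr for {ip} -> {name} "
                            f"(reverse name would be {ip.reverse_pointer}.)")
    for ip, name in ptr_records.items():
        if a_records.get(name) != ip:
            problems.append(f"local-data-ptr {ip} -> {name} has no matching A record")
    for dom in private:
        if not in_zone(dom, zones):
            problems.append(f"{dom} is listed as private-domain/domain-insecure "
                            f"but no local-zone serves it")
    return problems


def validation_enabled(text):
    """True if an uncommented trust anchor option is present; without one
    unbound does not validate DNSSEC."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith(("auto-trust-anchor-file:", "trust-anchor-file:", "trust-anchor:")):
            return True
    return False


if __name__ == "__main__":
    for p in lint(SAMPLE):
        print("problem:", p)
    print("DNSSEC validation configured:", validation_enabled(SAMPLE))
```

Point the script at the real file (read /var/unbound/etc/unbound.conf into `text` instead of `SAMPLE`) after editing; an empty list from lint and True from validation_enabled is what a consistent, validating configuration looks like.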

See also:

$ man unbound.conf