4] Use local_unbound for user prefered DNS · Changes
Update 4] Use local_unbound for user prefered DNS authored May 28, 2021 by Loic's avatar Loic
File: 4]-Use-local_unbound-for-user-prefered-DNS.md (page @ 2f78253f)
# Introduction
(This guide was tested with HardenedBSD 12-STABLE 1200515)
Laptop users usually connect to several wireless networks and receive their
DNS nameserver settings from each of them. Because of this automatic setup, we
may be handed DNS servers that restrict our domain queries or log them to build
profiles. Also, every time we change network and get new nameservers, the
queries have to be submitted again, and that overhead keeps adding up; so there
is something to gain from having a local DNS resolver running: we benefit from
its cache and, as mentioned, gain some privacy.
HardenedBSD (and FreeBSD) ship local-unbound(8), a caching DNS resolver, in
the base system.
## Process of connecting to a network
The default process of connecting to a wireless network with DHCP is:
1. select the network
2. dhclient(8) is called to obtain the configuration; it reads
/etc/dhclient.conf(5) and executes dhclient-script(8) with the data from the DHCP server
3. resolv.conf(5) is rewritten to reflect the network configuration
4. pinging hardenedbsd.org works
So every time we change wi-fi network this process is repeated and the
configuration file /etc/resolv.conf(5) is rewritten.
## Run local-unbound
The normal process of connecting to a network with DHCP gives us new DNS
nameservers to query. We can avoid this constant change by running our own DNS
resolver, and `local-unbound` is in base and readily available.
During a fresh install of HardenedBSD 12-STABLE you can activate `local_unbound`
in the setup program; if you're already running HardenedBSD, you can enable it
by running the command:
`sysrc local_unbound_enable=YES`
or by adding to /etc/rc.conf:
`local_unbound_enable="YES"`
After enabling `local-unbound(8)` we need to start it:
`service local_unbound onestart`
This runs `local-unbound-setup`, which configures the service: it sets up the
chroot environment the service runs in and updates several configuration
files:
- `/etc/resolv.conf`: adds `nameserver 127.0.0.1` and comments out all other nameservers
- `/etc/unbound/*`: adds configuration files with defaults, plus `forward.conf` with the nameservers
taken from `/etc/resolv.conf`
- `/etc/resolvconf.conf(5)`: this file is written by the script and contains
`resolv_conf="/dev/null"`, so that resolvconf(8) no longer rewrites `/etc/resolv.conf`
#### The process of connecting to a network (revised)
The process now is as follows:
1. select the network
2. `dhclient(8)` is called to obtain the configuration; it reads
`/etc/dhclient.conf(5)` and executes `dhclient-script(8)` with the data from the router
3. `/etc/resolv.conf(5)` is rewritten to reflect the network configuration
4. `local-unbound(8)` updates its configuration but doesn't touch `/etc/resolv.conf(5)`
5. pinging hardenedbsd.org doesn't work
## Solution to this problem
The problem with keeping your choice of DNS while running `local-unbound(8)` is
`dhclient(8)` rewriting our `/etc/resolv.conf(5)`. We should also set up
`local-unbound-setup` so that it does not change the `local-unbound(8)` configuration files.
### Stop dhclient rewriting /etc/resolv.conf
Every time `dhclient(8)` runs to get the network configuration it changes
`/etc/resolv.conf(5)`, in particular removing `nameserver 127.0.0.1`.
To solve this, create the file /etc/dhclient-enter-hooks with the content:
```sh
# disable dhclient(8) rewriting resolv.conf(5) when setting up the network
add_new_resolv_conf() {
	return 0
}
```
This overrides the function that `dhclient-script(8)` defines.
### Add an unbound forward-zone config file
Create the file /etc/unbound/conf.d/01-nameserver.conf with the content:
```sh
# user choice of DNS resolvers
forward-zone:
	name: "."
	forward-addr: IP
```
Where `IP` is the IP address of your preferred DNS nameserver.
For more than one nameserver, add additional `forward-addr:` lines.
Note that by default `local-unbound` runs with DNSSEC active;
to disable it, check the section "Disable DNSSEC".
Placing files in the `conf.d` folder ensures that you don't lose your
configuration every time `local-unbound-setup` is run when connecting to a network.
More information: [unbound.conf(8)](https://www.freebsd.org/cgi/man.cgi?query=unbound.conf&apropos=0&sektion=0&manpath=FreeBSD+12.0-RELEASE+and+Ports&arch=default&format=html)
### Check /etc/resolv.conf
Make sure `/etc/resolv.conf(5)` has this entry: `nameserver 127.0.0.1`.
*Note: insert only this nameserver entry. If you have more, this one must be first, but check the CAVEAT section.*
### CAVEAT
Forward-zone names have to be unique, so if `/etc/resolv.conf(5)` has
multiple nameserver entries, `local-unbound-setup` will fill
`/etc/unbound/forward.conf` with those entries, and the name of that zone
will be `name: "."`, the same zone name used in your `01-nameserver.conf`.
Note that `nameserver 127.0.0.1` has to be the first nameserver entry.
A duplicated zone name results in an error and may cause nondeterministic behaviour.
## Other options
#### Disable DNSSEC
Add `/etc/unbound/conf.d/99-disable-dnssec.conf` with the content:
```sh
# Disable unbound DNSSEC workings
server:
	harden-dnssec-stripped: no
	disable-dnssec-lame-check: yes
```
#### Use IPv6
For IPv6 users:
1. add `nameserver ::1` to /etc/resolv.conf(5)
2. add `forward-addr: Address` lines with your IPv6 nameservers to the unbound
config file.
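The forward-zone file from "Add an unbound forward-zone config file", the `/etc/resolv.conf` ordering rule from the CAVEAT section and the IPv6 variant above can all be generated and checked from a small POSIX sh script. The following is an added example, not code from this wiki page or from the `local-unbound-setup` script: `forward_zone_conf` prints a forward-zone stanza for `"."` with one `forward-addr:` line per address given (IPv4 or IPv6), `check_resolv_conf` succeeds only when the first `nameserver` line is the local resolver, and `count_root_forward_zones` counts how many forward-zone stanzas name the root zone in the unbound configuration it reads, so a result above 1 means the duplicate-zone problem the CAVEAT describes. The function names are the example's own, the addresses 192.0.2.1 and 2001:db8::1 are documentation (placeholder) addresses, and accepting `::1` as the first entry alongside `127.0.0.1` is the example's assumption for IPv6 setups.

```sh
#!/bin/sh
# Added example (not from the HardenedBSD wiki): generate the forward-zone
# file described above and check the two conditions the CAVEAT warns about.
# All addresses used here are RFC 5737 / RFC 3849 documentation addresses,
# i.e. constructed placeholders, not real resolvers.

# Print a forward-zone stanza for the root zone "." with one forward-addr
# line per address passed as an argument (IPv4 or IPv6).
forward_zone_conf() {
	printf '# user choice of DNS resolvers\nforward-zone:\n    name: "."\n'
	for addr in "$@"; do
		printf '    forward-addr: %s\n' "$addr"
	done
}

# Print the first nameserver listed in a resolv.conf read from stdin.
# Comment lines and other keywords (search, options, ...) are ignored.
first_nameserver() {
	awk '$1 == "nameserver" { print $2; exit }'
}

# Succeed (exit 0) only if the first nameserver in the resolv.conf read
# from stdin is the local resolver; 127.0.0.1 is what the page requires,
# ::1 is accepted here as an assumption for the IPv6 setup.
check_resolv_conf() {
	ns=$(first_nameserver)
	case "$ns" in
		127.0.0.1|::1) return 0 ;;
		*) return 1 ;;
	esac
}

# Count forward-zone stanzas naming the root zone in an unbound config read
# from stdin. Both the quoted form `name: "."` used on this page and the
# unquoted `name: .` are counted. More than one such stanza is the
# duplicate-zone-name error described in the CAVEAT section.
count_root_forward_zones() {
	awk '$1 == "name:" && ($2 == "\".\"" || $2 == ".") { n++ }
	     END { print n + 0 }'
}

# Demonstration on constructed input (not a real system file).
sample_resolv='nameserver 127.0.0.1
nameserver 192.0.2.1'
forward_zone_conf 192.0.2.1 2001:db8::1
if printf '%s\n' "$sample_resolv" | check_resolv_conf; then
	echo "resolv.conf: local resolver is listed first"
else
	echo "resolv.conf: local resolver is NOT listed first"
fi
```

To use the helpers on a running system, source the script (`. ./dns-helpers.sh`, a name chosen for this example) and then, for instance, write `forward_zone_conf 192.0.2.1 2001:db8::1 > /etc/unbound/conf.d/01-nameserver.conf`, check the resolver order with `check_resolv_conf < /etc/resolv.conf`, and look for the CAVEAT condition with `cat /etc/unbound/forward.conf /etc/unbound/conf.d/*.conf | count_root_forward_zones`. Validating the whole configuration with `local-unbound-checkconf` before restarting the service catches a duplicated zone name before it causes the error the CAVEAT describes.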