Configuration of filtering caching DNS server with DoH/DoH3/DoT/DoQ interfaces and second level cache. Ready for Prometheus, Loki, Promtail, Grafana.

ousatov-ua/dns

⚡ Filtering Caching DNS Resolver ⚡

🔸 Intro

  • This HOWTO describes the steps to set up a caching DNS resolver with a configuration suited for family usage.

  • It provides the following DNS endpoints: Plain/DoH/DoH3/DoQ/DoT.

  • Dnsdist is the facade for the DNS interfaces.

  • The main DNS resolver is Unbound. It works as a full resolver, without forwarding queries to any upstream DNS servers.

  • The second level cache is Redis (for Unbound only).

  • There are also BIND9 and PDNS-recursor setup instructions as alternatives.

  • Everything is prepared to set up monitoring tools such as Loki, Prometheus, Promtail and Grafana.

🔸 Tested on Debian 12.

🔸 Should work on other distributions with minimal changes.

🔸 I'm working on a script to automate the following steps.

Important

🎉 Many thanks to: AA ar51an, Gerd hagezi. Please give a star for their awesome work! 🎉

Tip

For a home network I would say the minimal requirements are 1 CPU core and 2 Gb RAM.

Having 2 CPU cores and 4 Gb RAM is more than comfortable.

Regarding hyper-threading: in my testing I found that disabling HT gives better performance results. Your observations may vary.

🧰 General configuration

🔸 !!!Optional!!! IPv6 (just for FAQ)

  • Edit /etc/default/grub, make sure that ipv6.disable=1 is present, e.g.:

    GRUB_CMDLINE_LINUX="ipv6.disable=1"
  • Run:

    sudo update-grub
  • Reboot

🔸 Limits and Sysctl

  • The next steps optimize and harden the current environment.

  • Put the content of /etc/security/limits.conf from the repo into your limits.conf.

  • Put the content of etc/sysctl.conf from the repo into your sysctl.conf.

🔸 !!!Optional!!! Hyper-threading

  • If you want HT disabled but cannot disable it in the BIOS, make sure that nosmt is present in /etc/default/grub, e.g.:

    GRUB_CMDLINE_LINUX="nosmt"
  • Apply it:

    sudo update-grub

🔸 !!!Optional!!! Tuned package

  • Use the tuned package for network-latency optimizations:

    sudo apt install tuned
    sudo tuned-adm profile network-latency
    sudo reboot

🔸 UFW

  • Review the current UFW configuration:

    sudo ufw status
  • To delete a particular rule, run:

    sudo ufw status numbered
    sudo ufw delete <number>
  • Make sure UFW has these rules:

    sudo ufw allow 443
    sudo ufw limit 22/tcp
  • If you want port 53 accessible to everyone:

    sudo ufw allow 53/udp
  • Or for a specific IP address only:

    sudo ufw allow from <ip> proto udp to any port 53
  • Apply rules:

    sudo ufw reload

🔸 Compiler

  • The setup steps for Unbound and Dnsdist include the option of compiling the services locally, which means you will need a compiler :) The following sections assume the standard compiler of your distribution.
  • You can consider the AOCC compiler if your processor is AMD; many sources state that code compiled with AOCC runs faster on AMD. Just follow the AOCC installation instructions.

🔸 Useful things

  • If you need to create a directory on startup, for instance /var/run/some-dir owned by user:user-group, create the following file:
vim /etc/tmpfiles.d/some-service.conf
  • Put this content in it:
d /var/run/some-dir 0755 user user-group

🧰 Unbound

🔸 Install Unbound

  • We need to compile it locally because the default Unbound from apt does not include the cachedb module.
  • Even if you will not use Redis as a Level 2 cache for Unbound, I would still suggest compiling Unbound locally to have the latest version.
wget https://github.com/NLnetLabs/unbound/archive/refs/tags/release-1.19.3.zip
unzip release-1.19.3.zip
cd release-1.19.3
sudo apt install bison flex libevent-dev libexpat1-dev libhiredis-dev libnghttp2-dev libprotobuf-c-dev libssl-dev libsystemd-dev protobuf-c-compiler python3-dev swig
  • Compilation flags (I used the following, but you are free to specify any you want):
export CFLAGS="-Ofast -pipe -march=native"
export CXXFLAGS="-Ofast -pipe -march=native"
export CPPFLAGS="-Ofast -pipe -march=native"
  • Configure
./configure --prefix=/usr --includedir=\${prefix}/include --infodir=\${prefix}/share/info \
  --mandir=\${prefix}/share/man --localstatedir=/var --runstatedir=/run --sysconfdir=/etc \
  --with-chroot-dir= --with-dnstap-socket-path=/run/dnstap.sock --with-libevent --with-libhiredis \
  --with-libnghttp2 --with-pidfile=/run/unbound.pid --with-pythonmodule --with-pyunbound \
  --with-rootkey-file=/var/lib/unbound/root.key --disable-dependency-tracking --disable-flto \
  --disable-maintainer-mode --disable-option-checking --disable-rpath --disable-silent-rules \
  --enable-cachedb --enable-dnstap --enable-subnet --enable-systemd --enable-tfo-client \
  --enable-tfo-server --without-pthreads --without-solaris-threads
  • Make and install
make
sudo make install

🔸 Unbound and chroot

  • Unbound usually runs under chroot.

  • The following steps are usually needed if Unbound is running under chroot; without them it will fail to create the *.sock and *.log files.

sudo vim /etc/apparmor.d/local/usr.sbin.unbound
  • Add the following lines to this file:
/var/log/unbound/unbound.log rw,
/run/unbound.sock rw,
  • Apply it:
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.unbound

🔸 Create logging stuff

sudo mkdir /var/log/unbound
sudo chown unbound:unbound /var/log/unbound
  • Copy the file /etc/logrotate.d/unbound from the repo to /etc/logrotate.d/

🔸 Unbound config

  • Replace the default configuration of Unbound with the files from /etc/unbound in the repo.

  • Review the config and make the appropriate changes, e.g. the number of threads (default is 2).

  • Enable IPv6 if needed.

  • Set up unbound-control:

sudo unbound-control-setup

🔸 Root hints and key

  • Set up root.hints and root.key:
sudo apt install dns-root-data
sudo ln -s /usr/share/dns/root.key /var/lib/unbound/root.key
sudo ln -s /usr/share/dns/root.hints /var/lib/unbound/root.hints

🔸 Unbound filters

  • For DNS filtering, put update-conf.sh from the repo into the corresponding path (/opt/unbound/) and run it:
sudo chmod +x /opt/unbound/update-conf.sh
sudo mkdir /etc/unbound/rules
sudo sh /opt/unbound/update-conf.sh
  • You can check which filters are used in /etc/unbound/unbound.conf.d/rules.conf and /opt/unbound/update-conf.sh

🔸 Unbound service

  • Put unbound-update-config.service and unbound-update-config.timer into the corresponding path, then enable the timer:
sudo systemctl daemon-reload
sudo systemctl enable --now unbound-update-config.timer
  • Put /etc/systemd/system/unbound.service from the repo.

🧰 Redis

🔸 Compile locally
wget https://download.redis.io/redis-stable.tar.gz
tar -xzvf redis-stable.tar.gz
cd redis-stable
make MALLOC=jemalloc USE_SYSTEMD=yes
sudo make install
  • Put the following content into /etc/tmpfiles.d/redis.conf:
d /var/run/redis 0755 redis redis
  • Put the following content into /etc/systemd/system/redis.service:
[Unit]
Description=Redis In-Memory Data Store
After=network.target

[Service]
Type=notify
User=redis
Group=redis
ExecStart=/usr/local/bin/redis-server /etc/redis/redis.conf --supervised systemd
ExecStop=/usr/local/bin/redis-cli shutdown
Restart=always

[Install]
WantedBy=multi-user.target
  • Create the user redis with the following /etc/passwd entry:
redis:x:112:116::/var/lib/redis:/usr/sbin/nologin
  • Create the data folder:
sudo mkdir /var/lib/redis
sudo chown redis:redis /var/lib/redis
🔸 Install Redis with apt (instead of compiling locally)
sudo apt install redis-server
  • Put /etc/redis/redis.conf from the repo, then enable the service:
sudo systemctl enable --now redis-server

🔸 Running Unbound

  • Now you should be able to run Unbound:
sudo systemctl daemon-reload
sudo systemctl enable --now unbound.service

🧰 Dnsdist

  • Dnsdist is used as a facade for Unbound to provide DoH/DoH3/DoT/DoQ.

Installing using apt
  • Follow the instructions for installing Dnsdist from the official site.
  • Put /etc/dnsdist/dnsdist.conf from the repo.

  • dnsdist.conf contains a DoH configuration where you can restrict access using a custom URL path. Just replace <some secret client id> in that configuration with a unique string. You can specify as many such URLs as you want, one per user. For DoT/DoQ there is no such option, but it is possible to configure if you use a wildcard certificate.

  • !!!Optional!!! If you will use DoH/DoH3/DoT/DoQ, put the crt and pem files into /opt/lego (edit dnsdist.conf to point to the right directory and certificate/key filenames).

Compiling locally
sudo apt install autoconf automake libedit-dev libsodium-dev libtool-bin \
pkg-config protobuf-compiler libnghttp2-dev libh2o-evloop-dev libluajit-5.1-dev \
libboost-all-dev libsystemd-dev libbpf-dev libclang-dev git cmake
  • Install Rust using the script /opt/install-rust.sh from the repo.
  • Install Quiche if you need DoH3/DoQ, using /opt/install-quiche.sh from the repo. Additionally I create a symlink to the quiche lib so it can be found:
sudo ln -s /usr/local/lib/libdnsdist-quiche.so /usr/lib/libdnsdist-quiche.so
  • Export CFLAGS and CXXFLAGS if you want; I'm using the following:
export CFLAGS="-Ofast -pipe -march=native"
export CXXFLAGS="-Ofast -pipe -march=native"
export CPPFLAGS="-Ofast -pipe -march=native"
  • Configure, make and install:
wget https://downloads.powerdns.com/releases/dnsdist-1.9.1.tar.bz2
tar xjf dnsdist-1.9.1.tar.bz2
cd dnsdist-1.9.1
./configure --enable-dns-over-tls --enable-dns-over-https --enable-dns-over-http3 --enable-dns-over-quic --with-systemd --with-quiche
make
sudo make install
  • Copy the generated dnsdist.service to the /etc/systemd/system directory.
  • Copy etc/dnsdist/dnsdist.conf to /usr/local/etc. Note that DoH/DoH3/DoQ/DoT are configured there, so you need to modify the config to point to the right certificate and private key, or disable those interfaces.
  • Create the user dnsdist:dnsdist and give it rights to the config:
sudo chown root:dnsdist /usr/local/etc/dnsdist.conf
  • Reload the systemd units:
sudo systemctl daemon-reload
  • Generate a key to access dnsdist's console:
sudo dnsdist
>makeKey()
  • Copy the key into dnsdist.conf as:
setKey("<key from console>")
  • Generate a password hash for webServerConfig:
>hashPassword("<your password>")
  • Put it into the config.

  • Start dnsdist:

sudo systemctl enable --now dnsdist.service
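Added example in dnsdist's Lua configuration syntax (not the repository's own dnsdist.conf), tying together the per-client secret DoH paths described in the configuration bullets above and the setKey/hashPassword steps just shown. The listener addresses, certificate paths, the Unbound port and the placeholder ids are assumptions.

```lua
-- Added example, not the repository's dnsdist.conf: per-client secret DoH
-- paths plus DoT/DoQ/DoH3 on one certificate. Every address, path and
-- placeholder below is an assumption; adjust to your environment.

-- Backend: the local Unbound resolver (listening port is assumed).
newServer({address = "127.0.0.1:5353", name = "unbound"})

-- dnsdist's default ACL only admits RFC 1918 networks. For DoH clients on the
-- internet the secret path is the access control, so the ACL must be opened;
-- keep the default ACL if only LAN clients use this resolver. Drop "::/0" if
-- IPv6 is disabled as in the optional step above.
setACL({"0.0.0.0/0", "::/0"})

-- Certificate and key written by lego (assumed filenames).
local cert = "/opt/lego/certificates/dns.example.org.crt"
local key  = "/opt/lego/certificates/dns.example.org.key"

-- DoH: only the listed paths are served, one per client. The well-known
-- /dns-query path is deliberately absent, so a request to any other path
-- (including /dns-query) gets an HTTP 404 and never reaches the resolver.
local dohPaths = {
  "/<secret client id for alice>",
  "/<secret client id for bob>",
}
addDOHLocal("0.0.0.0:443", cert, key, dohPaths)

-- Tag queries by path so logs and the web UI show which client used which
-- secret; a tag is a cheap way to notice a leaked path being used elsewhere.
addAction(HTTPPathRule("/<secret client id for alice>"), SetTagAction("client", "alice"))
addAction(HTTPPathRule("/<secret client id for bob>"),   SetTagAction("client", "bob"))

-- DoT and DoQ share port 853 (TCP/UDP); DoH3 shares UDP 443 with the DoH
-- listener on TCP 443. These have no per-path secret and rely on the ACL.
addTLSLocal("0.0.0.0:853", cert, key)
addDOQLocal("0.0.0.0:853", cert, key)
addDOH3Local("0.0.0.0:443", cert, key)

-- Console access: paste the output of makeKey() here (see the steps above).
controlSocket("127.0.0.1:5199")
setKey("<key from makeKey()>")

-- Web server / API on localhost only; the values are hashPassword() output,
-- never the clear-text password.
webserver("127.0.0.1:8083")
setWebserverConfig({
  password = "<hash from hashPassword()>",
  apiKey   = "<hash from hashPassword()>",
  acl      = "127.0.0.1",
})
```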

🧰 Monitoring

🔸 Follow these HOWTOs:

unbound-dashboard or forked one unbound-dashboard-forked

unbound-exporter or forked one unbound-exporter-forked

Thanks for your support!
