Chapter 2. Setting up an unbound DNS server
The unbound DNS server is a validating, recursive, and caching DNS resolver. Additionally, unbound focuses on security and has, for example, Domain Name System Security Extensions (DNSSEC) enabled by default.
2.1. Configuring Unbound as a caching DNS server
By default, the unbound DNS service resolves and caches successful and failed lookups. The service then answers requests to the same records from its cache.

1. Install the unbound package:

# dnf install unbound

2. Edit the /etc/unbound/unbound.conf file, and make the following changes in the server clause:

a. Add interface parameters to configure on which IP addresses the unbound service listens for queries, for example:

interface: 127.0.0.1
interface: 192.0.2.1
interface: 2001:db8:1::1

With these settings, unbound only listens on the specified IPv4 and IPv6 addresses. Limiting the interfaces to the required ones prevents clients from unauthorized networks, such as the internet, from sending queries to this DNS server.

b. Add access-control parameters to configure from which subnets clients can query the DNS service, for example:

access-control: 127.0.0.0/8 allow
access-control: 192.0.2.0/24 allow
access-control: 2001:db8:1::/64 allow

The two settings work together: interface decides which addresses the service binds, and access-control decides which source networks receive answers. A resolver that is reachable from the internet and allows 0.0.0.0/0 or ::/0 is an open resolver, which can be abused for reflection and amplification attacks, so keep both lists limited to the networks you serve.
3. Create private keys and certificates for remotely managing the unbound service:

# systemctl restart unbound-keygen

If you skip this step, verifying the configuration in the next step reports the missing files. However, the unbound service automatically creates the files if they are missing.
4. Verify the configuration file:

# unbound-checkconf
unbound-checkconf: no errors in /etc/unbound/unbound.conf

5. Update the firewalld rules to allow incoming DNS traffic:

# firewall-cmd --permanent --add-service=dns
# firewall-cmd --reload

The dns service definition opens port 53 over both TCP and UDP in the default zone. On a host that also has an internet-facing interface, add the --zone option so that the rule applies only to the zone of the internal interface.

6. Enable and start the unbound service:

# systemctl enable --now unbound
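The interface and access-control settings from the procedure above only harden the server if they agree with each other: an interface bound to an address that no access-control line allows refuses every client on that network, and an access-control entry for 0.0.0.0/0 or ::/0 with allow, or a wildcard interface, turns the host into an open resolver. unbound-checkconf validates syntax, not this relationship. The following linter is an added example written for this page, not part of unbound or of the original documentation; it parses the two settings out of a server clause with Python's standard ipaddress module and reports those mismatches. The three sample configurations are constructed, and the decision that loopback needs no explicit allow relies on unbound's default of allowing localhost.

```python
import ipaddress
import re

# Constructed sample: the server clause that the procedure above produces.
GOOD_CONF = """\
server:
    interface: 127.0.0.1
    interface: 192.0.2.1
    interface: 2001:db8:1::1
    access-control: 127.0.0.0/8 allow
    access-control: 192.0.2.0/24 allow
    access-control: 2001:db8:1::/64 allow
"""

# Constructed counter-example: wildcard listener plus a world-wide allow (an open resolver).
OPEN_CONF = """\
server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow
"""

# Constructed counter-example: listens on the LAN address but never allows the LAN subnet.
MISSING_ACL_CONF = """\
server:
    interface: 192.0.2.1
    access-control: 127.0.0.0/8 allow
"""

WILDCARD_INTERFACES = {"0.0.0.0", "::", "::0"}
# access-control actions that answer the client (refuse, deny and their *_non_local forms do not)
PERMISSIVE_ACTIONS = {"allow", "allow_snoop", "allow_setrd"}
SETTING_RE = re.compile(r"^(interface|access-control):\s*(\S.*)$")


def parse_server_clause(text):
    """Collect interface addresses and (netblock, action) pairs from unbound.conf text."""
    interfaces, acls = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and indentation
        m = SETTING_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "interface":
            interfaces.append(value.split("@", 1)[0])  # unbound allows an @port suffix
        else:
            parts = value.split()
            if len(parts) >= 2:
                acls.append((parts[0], parts[1]))
    return interfaces, acls


def lint(text):
    """Return a list of findings; an empty list means the two settings are consistent."""
    findings = []
    interfaces, acls = parse_server_clause(text)
    allowed = []
    for net, action in acls:
        if action not in PERMISSIVE_ACTIONS:
            continue
        try:
            network = ipaddress.ip_network(net, strict=False)
        except ValueError:
            findings.append(f"unparseable netblock in access-control: {net}")
            continue
        if network.prefixlen == 0:
            findings.append(f"open resolver: access-control {net} {action} answers every client")
        allowed.append(network)
    for addr in interfaces:
        if addr in WILDCARD_INTERFACES:
            findings.append(f"interface {addr} binds every address; list the required addresses instead")
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(f"unparseable interface address: {addr}")
            continue
        if ip.is_loopback:
            continue                                  # unbound allows localhost by default
        # ip_network.__contains__ is False across address families, so v4/v6 never mix here
        if not any(ip in network for network in allowed):
            findings.append(f"interface {addr} has no access-control allow covering it; "
                            "clients on that network are refused")
    return findings


if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("open", OPEN_CONF), ("missing-acl", MISSING_ACL_CONF)):
        print(name, lint(conf) or ["ok"])
```

Run it against the real file with `lint(open("/etc/unbound/unbound.conf").read())` after unbound-checkconf passes; the linter deliberately ignores every directive other than interface and access-control, so it does not replace unbound-checkconf.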
To verify the setup, use the dig utility to query the unbound DNS server listening on the localhost interface to resolve a domain:

# dig @localhost www.example.com
...
www.example.com.    86400   IN  A   198.51.100.34
;; Query time: 330 msec
...

After querying a record for the first time, unbound adds the entry to its cache. Repeat the previous query:

# dig @localhost www.example.com
...
www.example.com.    85332   IN  A   198.51.100.34
;; Query time: 1 msec
...

Because of the cached entry, further requests for the same record are significantly faster until the entry expires. The TTL in the second answer has counted down from 86400 to 85332 because unbound returns the cached record with its remaining lifetime rather than the authoritative value.
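Reading the two dig runs above by eye works once; the following is an added example written for this page, not part of the original documentation or of dig, that extracts the answer record and query time from dig output and decides whether the second answer came from unbound's cache: same owner, type and RDATA, a TTL that has counted down, and a shorter query time. The two dig excerpts are constructed from the values shown above.

```python
import re

# Constructed excerpts of the two dig runs from the verification steps above.
FIRST_RUN = """\
;; ANSWER SECTION:
www.example.com.\t86400\tIN\tA\t198.51.100.34

;; Query time: 330 msec
"""
SECOND_RUN = """\
;; ANSWER SECTION:
www.example.com.\t85332\tIN\tA\t198.51.100.34

;; Query time: 1 msec
"""

# dig prints answer records as: owner TTL class type rdata
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$", re.M)
QTIME_RE = re.compile(r"^;; Query time: (\d+) msec$", re.M)


def parse_dig(output):
    """Return (owner, ttl, rrtype, rdata, query_ms) from the first answer record and the timing line."""
    answer = ANSWER_RE.search(output)
    qtime = QTIME_RE.search(output)
    if not answer or not qtime:
        raise ValueError("no answer record or query time found in dig output")
    return (answer.group(1), int(answer.group(2)), answer.group(3),
            answer.group(4), int(qtime.group(1)))


def served_from_cache(first, second):
    """True when the second run repeats the first run's record with a smaller TTL and a faster answer.

    A cached record keeps its RDATA while unbound counts its TTL down, and is answered
    locally in a few milliseconds instead of after a recursive lookup.
    """
    owner1, ttl1, type1, rdata1, ms1 = parse_dig(first)
    owner2, ttl2, type2, rdata2, ms2 = parse_dig(second)
    same_record = (owner1, type1, rdata1) == (owner2, type2, rdata2)
    return same_record and ttl2 < ttl1 and ms2 < ms1


if __name__ == "__main__":
    print(parse_dig(FIRST_RUN))
    print("cached:", served_from_cache(FIRST_RUN, SECOND_RUN))
```

In practice, feed it the captured output of two consecutive `dig @localhost` runs; a TTL that jumped back up to the authoritative value means the entry expired or the cache was flushed between the two queries.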
Configure clients in your network to use this DNS server. For example, use the nmcli utility to set the IP of the DNS server in a NetworkManager connection profile:

# nmcli connection modify Example_Connection ipv4.dns 192.0.2.1
# nmcli connection modify Example_Connection ipv6.dns 2001:db8:1::1

The modified profile takes effect the next time it is activated, for example with nmcli connection up Example_Connection.