Using Unbound as upstream DNS server
Jack'lul edited this page Mar 4, 2025 · 24 revisions
Install Unbound - opkg install unbound-daemon.
Create new /opt/etc/unbound/unbound.conf:
server:
#verbosity: 1
#logfile: "/opt/var/log/unbound.log"
use-syslog: yes
pidfile: "/opt/var/run/unbound.pid"
# chown -R 0:nobody /opt/var/lib/unbound && chmod 775 /opt/var/lib/unbound
username: "nobody"
directory: "/opt/var/lib/unbound"
chroot: "/opt/var/lib/unbound"
num-threads: 1
interface: 127.0.0.1
access-control: 127.0.0.1/32 allow
port: 5335
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
prefer-ip6: no
outgoing-port-permit: "10240-65335"
cache-min-ttl: 60
cache-max-ttl: 86400
# To enable DNSSEC uncomment the following lines and run:
# install -m 664 /opt/etc/unbound/root.key /opt/var/lib/unbound/root.key
# chown 0:nobody /opt/var/lib/unbound/root.key
#module-config: "validator iterator"
#auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
# To use external root hints file uncomment the following line and run:
# wget https://www.internic.net/domain/named.cache -O /opt/var/lib/unbound/root.hints
# chmod 664 /opt/var/lib/unbound/root.hints
# chown 0:nobody /opt/var/lib/unbound/root.hints
#root-hints: "/opt/var/lib/unbound/root.hints"
harden-short-bufsize: yes
harden-large-queries: yes
harden-glue: yes
harden-dnssec-stripped: yes
#harden-algo-downgrade: yes
hide-identity: yes
hide-version: yes
identity: "DNS Server"
qname-minimisation: yes
deny-any: yes
minimal-responses: yes
#log-queries: yes
#log-replies: yes
#log-local-actions: yes
#log-servfail: yes
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
private-address: fd00::/8
private-address: fe80::/10
# Optimization for low memory systems
outgoing-num-tcp: 1
incoming-num-tcp: 1
outgoing-range: 60
msg-buffer-size: 8192
msg-cache-size: 100k
msg-cache-slabs: 1
rrset-cache-size: 100k
rrset-cache-slabs: 1
infra-cache-numhosts: 200
infra-cache-slabs: 1
key-cache-size: 100k
key-cache-slabs: 1
neg-cache-size: 10k
num-queries-per-thread: 30
target-fetch-policy: "2 1 0 0 0 0"
Create /opt/var/lib/unbound and set correct permissions:
mkdir -p /opt/var/lib/unbound
chown -R 0:nobody /opt/var/lib/unbound
chmod 775 /opt/var/lib/unbound
Start Unbound service - /opt/etc/init.d/S61unbound start.
Modify /opt/etc/pihole/pihole.toml:
[dns]
upstreams = [
"127.0.0.1#5335"
]
Restart Pi-hole service - /opt/etc/init.d/S65pihole-FTL restart.
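The setup above relies on Unbound answering only on loopback, on the port Pi-hole forwards to, with DNSSEC left off until the trust-anchor lines are uncommented. The following sh script is an added example, not part of the original wiki page or the project's code; it audits both files for those points. The function names conf_get, audit_unbound and demo and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the settings this page configures. Not the project's code.
# Print every uncommented value of option $2 in unbound.conf $1, quotes stripped.
conf_get() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | sed 's/[[:space:]]*#.*$//; s/"//g'
}

# Print one finding per line; print nothing when every check passes.
# Only the page's own DNSSEC option (auto-trust-anchor-file) is checked.
audit_unbound() {
    conf=$1 toml=$2
    port=$(conf_get "$conf" port); port=${port:-53}
    for ip in $(conf_get "$conf" interface); do
        case $ip in 127.*|::1) ;; *) echo "EXPOSED interface $ip" ;; esac
    done
    conf_get "$conf" access-control | while read -r net action; do
        case "$net $action" in
            127.*" allow"*|::1*" allow"*) ;;
            *" allow"*) echo "EXPOSED access-control $net" ;;
        esac
    done
    [ -n "$(conf_get "$conf" auto-trust-anchor-file)" ] ||
        echo "NO-DNSSEC auto-trust-anchor-file not set, answers are not validated"
    [ -n "$(conf_get "$conf" chroot)" ] && [ -n "$(conf_get "$conf" username)" ] ||
        echo "PRIVS chroot/username not both set"
    grep -q "\"127\.0\.0\.1#$port\"" "$toml" ||
        echo "MISMATCH pihole.toml has no upstream 127.0.0.1#$port"
}

# Constructed sample (not a real system): DNSSEC lines still commented out,
# a LAN listener added by mistake, and a wrong port in pihole.toml.
demo() {
    d=$(mktemp -d)
    cat > "$d/unbound.conf" <<'EOF'
server:
username: "nobody"
chroot: "/opt/var/lib/unbound"
interface: 127.0.0.1
interface: 192.168.1.1
access-control: 127.0.0.1/32 allow
access-control: 192.168.0.0/16 allow
port: 5335
#auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
harden-dnssec-stripped: yes
EOF
    printf '[dns]\nupstreams = [\n"127.0.0.1#5353"\n]\n' > "$d/pihole.toml"
    audit_unbound "$d/unbound.conf" "$d/pihole.toml"
    rm -rf "$d"
}
demo
```

Against the files from this page it would be called as `audit_unbound /opt/etc/unbound/unbound.conf /opt/etc/pihole/pihole.toml`. The NO-DNSSEC finding matters because harden-dnssec-stripped only applies to trust-anchored zones, so it enforces nothing until the anchor is configured.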