Unbound is a free, open-source, recursive, and validating DNS caching server. It uses DNS-over-TLS and DNS-over-HTTPS to encrypt connections between clients. Compared to Bind9, Unbound is lightweight and extremely fast. A caching server will help you to reduce the loading time of the website by keeping the cache database on an Unbound server. It is also capable of DNSSEC validation and can serve as a trust anchor.
In this post, we will show you how to set up Unbound DNS Resolver on Ubuntu 20.04.
- A fresh Ubuntu 20.04 server on the Atlantic.Net Cloud Platform
- A root password configured on your server
Step 1 – Create Atlantic.Net Cloud Server
First, log in to your Atlantic.Net Cloud Server. Create a new server, choosing Ubuntu 20.04 as the operating system with at least 2GB RAM. Connect to your Cloud Server via SSH and log in using the credentials highlighted at the top of the page.
Once you are logged in to your Ubuntu 20.04 server, run the following command to update your base system with the latest available packages.
apt-get update -y
Step 2 – Install Required Dependencies
Before starting, you will need to install some basic DNS tools in your system. You can install all of them using the following command:
apt-get install bind9-utils dnsutils net-tools -y
Once all the packages are installed, you can proceed to the next step.
Step 3 – Install and Configure Unbound DNS
By default, the Unbound package is included in the Ubuntu default repository. You can install it using the following command:
apt-get install unbound -y
After installing Unbound DNS, you will need to configure it. By default, the Unbound main configuration file is located at /etc/unbound/unbound.conf. However, it is recommended to create a separate configuration file:
Add the following lines:
server: port: 53 verbosity: 0 num-threads: 2 outgoing-range: 512 num-queries-per-thread: 1024 msg-cache-size: 32m interface: 0.0.0.0 rrset-cache-size: 64m cache-max-ttl: 86400 infra-host-ttl: 60 infra-lame-ttl: 120 access-control: 127.0.0.0/8 allow access-control: 0.0.0.0/0 allow username: unbound directory: "/etc/unbound" logfile: "/var/log/unbound.log" use-syslog: no hide-version: yes so-rcvbuf: 4m so-sndbuf: 4m do-ip4: yes do-ip6: no do-udp: yes do-tcp: yes remote-control: control-enable: yes control-port: 953 control-interface: 0.0.0.0
Save and close the file, then validate the configuration file with the following command:
You should get the following output:
unbound-checkconf: no errors in /etc/unbound/unbound.conf.d/myunbound.conf
Next, create a log file for Unbound and set proper permissions:
touch /var/log/unbound.log chown unbound:unbound /var/log/unbound.log
Step 4 – Start Unbound DNS Service
At this point, Unbound DNS is installed and configured. Now, restart the Unbound service and enable it to start at system reboot:
systemctl restart unbound systemctl enable unbound
You can also verify the status of Unbound with the following command:
systemctl status unbound
● unbound.service - Unbound DNS server Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled) Active: active (running) since Sun 2021-08-15 06:30:33 UTC; 7s ago Docs: man:unbound(8) Process: 2788 ExecStartPre=/usr/lib/unbound/package-helper chroot_setup (code=exited, status=0/SUCCESS) Process: 2791 ExecStartPre=/usr/lib/unbound/package-helper root_trust_anchor_update (code=exited, status=0/SUCCESS) Main PID: 2804 (unbound) Tasks: 2 (limit: 2353) Memory: 4.8M CGroup: /system.slice/unbound.service └─2804 /usr/sbin/unbound -d Aug 15 06:30:32 ubuntu2004 systemd: Starting Unbound DNS server... Aug 15 06:30:33 ubuntu2004 package-helper: /var/lib/unbound/root.key has content Aug 15 06:30:33 ubuntu2004 package-helper: success: the anchor is ok Aug 15 06:30:33 ubuntu2004 systemd: Started Unbound DNS server.
At this point, the Unbound service is started and listening on port 53. You can check it using the following command:
ss -antpl | grep 53
LISTEN 0 256 0.0.0.0:53 0.0.0.0:* users:(("unbound",pid=3407,fd=6)) LISTEN 0 256 0.0.0.0:53 0.0.0.0:* users:(("unbound",pid=3407,fd=4)) LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=356,fd=13)) LISTEN 0 256 0.0.0.0:953 0.0.0.0:* users:(("unbound",pid=3407,fd=7))
Step 5 – Test Unbound DNS
Now, you will need to use the dig command and perform some DNS queries to test the Unbound DNS server.
We will use ubuntu.com for testing.
dig ubuntu.com @localhost
; <<>> DiG 9.16.1-Ubuntu <<>> ubuntu.com @localhost ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6037 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;ubuntu.com. IN A ;; ANSWER SECTION: ubuntu.com. 60 IN A 188.8.131.52 ubuntu.com. 60 IN A 184.108.40.206 ;; Query time: 307 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Sun Aug 15 06:32:18 UTC 2021 ;; MSG SIZE rcvd: 71
As you can see the query time is 307 msec in the first query. Your query is now cached.
Next, let’s run the same query again:
dig ubuntu.com @localhost
; <<>> DiG 9.16.1-Ubuntu <<>> ubuntu.com @localhost ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37832 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;ubuntu.com. IN A ;; ANSWER SECTION: ubuntu.com. 49 IN A 220.127.116.11 ubuntu.com. 49 IN A 18.104.22.168 ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Sun Aug 15 06:33:36 UTC 2021 ;; MSG SIZE rcvd: 71
As you can see the query time is 0 msec.
You can also test the Unbound DNS server from the client machine. In this case, you will need to specify your Unbound DNS server IP with the query:
dig ubuntu.com @22.214.171.124
; <<>> DiG 9.9.5-3ubuntu0.4-Ubuntu <<>> ubuntu.com @126.96.36.199 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 28051 ;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; WARNING: recursion requested but not available ;; Query time: 365 msec ;; SERVER: 188.8.131.52#53(184.108.40.206) ;; WHEN: Sun Aug 15 12:04:37 IST 2021 ;; MSG SIZE rcvd: 12
Step 6 – Troubleshooting Unbound
If you want to check the status of the Unbound DNS, run the following command:
version: 1.9.4 verbosity: 0 threads: 2 modules: 3 [ subnet validator iterator ] uptime: 65 seconds options: reuseport control(ssl) unbound (pid 3407) is running...
If you want to back up a DNS Cache to a text file, run the following command:
unbound-control dump_cache > cache.txt
You can verify the cache.txt file with the following command:
START_RRSET_CACHE END_RRSET_CACHE START_MSG_CACHE END_MSG_CACHE EOF
In some cases, your DNS server cannot reply to your query. In this case, you can flush the DNS cache using the following command:
unbound-control flush ubuntu.com
In the above guide, we explained how to install and use an Unbound DNS caching server on Ubuntu 20.04. We also performed some testing using the dig command to query Unbound DNS and get a response. Try it out on your VPS from Atlantic.Net today!