Request - Update UNBOUND to latest version (1.9.3)

[BassMan]

Hello community! I plan to install UNBOUND as my local DNS-Resolver, so I can connect to my selected public DNS-servers via DNS over TLS.
I believe, this is a good step to get more privacy and security when browsing the net.
The actual version (1.6.3) has some severe bugs and is almost unusable.
Thanks in advance, greetings from lower saxony (Germany).

[Stevo]

OK, it's on my TODO list.

[BassMan]

Tkank you very much, Stevo!

[Stevo]

It's now in the MX 17/18 test repo--can you give it a test and report back?

[BassMan]

I will do. Again, thank you very much! That was an extremely fast work!

[BassMan]

Hello Stevo, I give a first short report: unbound is installed on my Acer Travelmate and running well! Internet traffic is running exclusively over unbound,
TLS-encryption works. Start-command is in autostart-folder and it works. For now, I'm happy. Will do some more testing and send a more detailed report
(incl. my unbound.conf, settings and additional packages installed) during weekend.
Thank you very much for providing this new version of unbound!
Greetings Rainer

[BassMan]

Okay, here is my report: installing unbound

After install I did the following: to get a recent list of primary DNS-servers, I used this command :

„wget https://www.internic.net/domain/named.root -O /etc/unbound/root.hints“ , next command :

„unbound-anchor“ , to verify the root-anchors.
Then I changed settings of network-manager: ipv4-method to: „automatic dhcp, only adresses“
and: ipv6-method to: „automatic dhcp, only adresses“
I installed these packages via synaptic : bind9utils, dnsutils, libldns2, libldnsutils
then edited one line in file : /etc/dhcp/dhclient.conf :
commented in the line : prepend domain-name-servers 127.0.0.1;
At last, /etc/unbound/unbound.conf had to be edited. I‘ll post it below.
The start-command is : "unbound -c /etc/unbound/unbound.conf"
After all : restarted system, and everythings works!
I used tcpdump to verify that the whole internet traffic is encrypted : it is!
Now I‘m simply happy, to have unbound running. Up to now without issues!
This is my unbound.conf :

Code: Select all

# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
include: "/etc/unbound/unbound.conf.d/*.conf"

server:

  directory: "/etc/unbound"
  username: "unbound"
  

  
  tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
  # verbosity number, 0 is least verbose. 1 is default.
  verbosity: 1
  interface: 0.0.0.0
  interface: ::0
  port: 53
  rrset-cache-size: 10m
  do-ip4: yes
  do-ip6: yes
  do-udp: yes
  do-tcp: yes

  tcp-upstream: yes
  
  access-control: 192.168.178.24/24 allow
  access-control: 127.0.0.1/8 allow
  access-control: 192.168.0.0/24 allow
 

  root-hints: "/etc/unbound/root.hints"
  hide-identity: yes
  hide-version: yes
  harden-glue: yes
  harden-dnssec-stripped: yes
  use-caps-for-id: yes
  cache-min-ttl: 300
  cache-max-ttl: 86400
  prefetch: yes
  rrset-roundrobin: yes
  num-threads: 2

  minimal-responses: yes

  qname-minimisation: yes

forward-zone:
  name: "."

  forward-tls-upstream: yes
  
  # Quad9
  forward-addr: 2620:fe::fe@853#dns.quad9.net
  forward-addr: 9.9.9.9@853#dns.quad9.net
  forward-addr: 2620:fe::9@853#dns.quad9.net
  forward-addr: 149.112.112.112@853#dns.quad9.net
  # Digitalcourage
  forward-addr: 2a02:2970:1002::18@853#dns2.digitalcourage.de
  forward-addr: 46.182.19.48@853#dns2.digitalcourage.de

  # Digitale Gesellschaft
  forward-addr: 2a05:fc84::42@853#dns.digitale-gesellschaft.ch
  forward-addr: 2a05:fc84::43@853#dns.digitale-gesellschaft.ch
  forward-addr: 185.95.218.42@853#dns.digitale-gesellschaft.ch
  forward-addr: 185.95.218.43@853#dns.digitale-gesellschaft.ch

[Stevo]

Thanks! I don't know if we have anyone else running it, so we might move it to main on your positive review.

[BassMan]

Well, i have to report one issue, which is not solved yet: unbound is running well, but I cannot acces my network-printer (brother-MFC-J480DW) any more.
Think I have to configure local-zones and private-adresses, which had left out in my unbound.conf. Still reading and learning about that.
Will report back.

[BassMan]

Still no success. As far as I understand the operating principle of unbound, the whole internet traffic is done by using the "localhost-interface", which is
IP 127.0.0.1. The setup of my network-printer was done by CUPS, which uses the localhost-interface, too.
So I guess, this is the point. Maybe CUPS cannot access the printer while the same interface is used for another purpose (accessed by unbound).
Tried to deactivate unbound by killing the process, which didn't help. Then restarted the system with unbound not activated : no success.
When I do a complete uninstall of unbound, printer -access is back immediately. It looks like I cannot have both, running unbound as a local DNS-server and use my network printer.
Next thing I will do is to set up a raspberry-pi with unbound installed on (already read about this). It will be designed to do the network traffic of my entire home-network, which includes 5 laptops an one desktop-pc. Will need the help of a good friend, who will be back from a health spa in a few weeks.
Will report back, or perhaps better open a new thread ?