How to Enable Ports 53 and 853 with Unbound DNS Resolver in OpenBSD

Did you know that we can improve internet performance and security by choosing a free and reliable alternative DNS resolver? The Domain Name System (DNS) may come up frequently in network administrator conversations, but the average user probably doesn't know or care what DNS is or how it benefits them.

DNS is the glue that binds domain names to IP addresses. If you own a server and want others to reach it by a domain name, you pay a fee and register a unique domain name (if it is available) with an internet registrar. Once that domain name is associated with your server's IP address, people can visit your site by typing the domain name instead of the IP address. DNS resolvers are what make this lookup happen.

A DNS resolver lets a computer (or a person) look up a domain name (for example, unixwinbsd.site) and find the IP address of the computer, server or other device that owns it (for example, 216.239.38.21). Think of a DNS resolver as a phone book for computers.

When you enter a website's domain name into a web browser, behind the scenes a DNS resolver configured on your computer works out the IP address the domain name points to, so that your browser can fetch everything that site has to offer. DNS is also used to determine which mail server a message should be delivered to, and it has many other uses.

Unbound is one of the most widely used DNS resolvers today. In fact, Unbound's presence as a DNS server almost surpasses that of ISC BIND, which is older than Unbound. Unbound's sophistication shows in features such as Python modules, Redis and DNS over TLS support, so it is only natural that Unbound matches ISC BIND in quality and features.


1. No need to install Unbound on OpenBSD

Perhaps you are asking why you don't have to install Unbound on OpenBSD: does OpenBSD not support Unbound? Of course it does, and that is the answer: Unbound has now almost replaced ISC BIND as the main DNS server on BSD Unix systems such as FreeBSD, OpenBSD, DragonFly BSD and others. Almost all BSD operating systems ship Unbound as their main DNS server.

Given the facts above, it is easy to predict that Unbound will become the leading DNS server and leave ISC BIND, Knot Resolver and others behind. The Unbound developers keep improving its performance and keep doing research so that Unbound becomes the leading DNS server.

We can prove this by making Unbound the main DNS server on a BSD system. Take OpenBSD: OpenBSD users do not need to install Unbound, because it is installed when you first install OpenBSD on your server. We only need to activate, configure and run Unbound.


2. Set up Unbound on port 53

By default DNS runs on port 53, but you can change it to suit your needs, such as port 54, 8853, 55 and others. Because this article is about port 53, we will activate Unbound on port 53. Before we set up Unbound, we recommend that you first remove the Unbound package from OpenBSD and then update the packages (PKG). We do this to get the latest version of Unbound.

For your information, on OpenBSD the Unbound package is called "libunbound", unlike FreeBSD, which names it Unbound. Now we remove the Unbound library from OpenBSD.

Remove Unbound
ns3# pkg_delete libunbound
ns3# rm -rf /var/unbound
Then run the package update command and install Unbound back into the OpenBSD system.

Update PKG and install Unbound
ns3# pkg_add -uvi
ns3# pkg_add libunbound debug-libunbound
Create a directory for Unbound with the subdirectories db and etc, as in the commands below.

Create directory
ns3# mkdir -p /var/unbound/etc
ns3# mkdir -p /var/unbound/db
On OpenBSD the main configuration file is named "unbound.conf". Run the command below to create it, then type the contents shown below into unbound.conf.

Create /var/unbound/etc/unbound.conf
ns3# touch /var/unbound/etc/unbound.conf
Script /var/unbound/etc/unbound.conf
server:
	interface: 192.168.5.3
	port: 53
	chroot: /var/unbound
	username: "_unbound"
	directory: "/var/unbound"
	pidfile: "/var/run/unbound.pid"
	do-ip4: yes
	do-ip6: no
	do-udp: yes
	do-tcp: yes
	do-daemonize: yes
	access-control: 192.168.5.0/24 allow
	access-control: 127.0.0.0/8 allow
	verbosity: 1
	harden-glue: yes
	hide-identity: yes
	hide-version: yes
	auto-trust-anchor-file: "/var/unbound/db/root.key"
	root-hints: "/var/unbound/db/root.hints"
	val-log-level: 2
	aggressive-nsec: yes
remote-control:
	control-enable: yes
	control-interface: /var/run/unbound.sock
forward-zone:
	name: "."
	forward-first: no
	forward-ssl-upstream: yes
	forward-addr: 1.1.1.1@853
	forward-addr: 1.0.0.1@853
	forward-addr: 8.8.8.8@853
Match "interface: 192.168.5.3" to the private IP of your OpenBSD machine. In this article we use the private IP 192.168.5.3 and the domain kursor.my.id.

Get Unbound up and running on OpenBSD.

Enable unbound
ns3# rcctl enable unbound
ns3# rcctl restart unbound
Then run the two commands below to download the root.hints file and give ownership of it to the _unbound user.

Create ownership
ns3# wget ftp://FTP.INTERNIC.NET/domain/named.cache -O /var/unbound/db/root.hints
ns3# chown -R _unbound /var/unbound/db/
After that, open /etc/resolv.conf and enter the lines below.

Script /etc/resolv.conf
domain kursor.my.id
nameserver 192.168.5.3
Run unbound again with the rcctl command.

Run unbound
ns3# rcctl restart unbound
The final step is to test Unbound with the dig command.

Test unbound
ns3# dig yahoo.com

; <<>> dig 9.10.8-P1 <<>> yahoo.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29407
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;yahoo.com.			IN	A

;; ANSWER SECTION:
yahoo.com.		854	IN	A	74.6.143.26
yahoo.com.		854	IN	A	74.6.231.20
yahoo.com.		854	IN	A	98.137.11.163
yahoo.com.		854	IN	A	74.6.143.25
yahoo.com.		854	IN	A	98.137.11.164
yahoo.com.		854	IN	A	74.6.231.21

;; Query time: 0 msec
;; SERVER: 192.168.5.3#53(192.168.5.3)
;; WHEN: Fri May 10 17:29:11 WIB 2024
;; MSG SIZE  rcvd: 134


3. Set up Unbound on port 853 (DNS Over TLS)

OK, now let's move on to the next lesson: how to activate port 853 in Unbound. Port 853, the DNS over TLS (DoT) port, carries DNS encrypted with TLS using an SSL certificate. To create the certificate we will use OpenSSL, which is free and open source. Before we start creating the certificate, reopen the unbound.conf file and add the lines below.

Add Script /var/unbound/etc/unbound.conf
# under server:
	interface: 192.168.5.3@853
	tls-port: 853
	tls-cert-bundle: "/etc/ssl/cert.pem"
	tls-service-pem: "/etc/ssl/unbound/mydomain.crt"
	tls-service-key: "/etc/ssl/unbound/mydomain.key"
# under remote-control:
	server-key-file: "/var/unbound/etc/unbound_server.key"
	server-cert-file: "/var/unbound/etc/unbound_server.pem"
	control-key-file: "/var/unbound/etc/unbound_control.key"
	control-cert-file: "/var/unbound/etc/unbound_control.pem"
Create the key and certificate pair that unbound-control uses to manage all Unbound activity.

Create a control key
ns3# unbound-control-setup
setup in directory /var/unbound/etc
Generating RSA private key, 3072 bit long modulus
.................................................
.....................
e is 65537 (0x010001)
Generating RSA private key, 3072 bit long modulus
...................
..............................................................................................................................................................................................................
e is 65537 (0x010001)
Signature ok
subject=/CN=unbound-control
removing artifacts
Setup success. Certificates created. Enable in unbound.conf file to use
Create a directory to hold all the Unbound SSL certificates, then create an SSL certificate with OpenSSL. Follow the commands below.

Create directory /etc/ssl/unbound
ns3# mkdir -p /etc/ssl/unbound
ns3# cd /etc/ssl/unbound
Create SSL certificate
ns3# openssl genrsa -out mydomain.key 2048
ns3# openssl req -new -key mydomain.key -out mydomain.csr
ns3# openssl x509 -req -days 365 -in mydomain.csr -signkey mydomain.key -out mydomain.crt
ns3# bash -c 'cat mydomain.key mydomain.crt >> /etc/ssl/unbound/mydomain.pem'
Create ownership
ns3# chown -R _unbound /etc/ssl/unbound/
The final step is to test whether Unbound is listening on port 853. We use the dig command to test it.

Test Unbound port 853
ns3# dig -p 853 google.com @192.168.5.3
Test Unbound port 53
ns3# dig -p 53 yahoo.com @192.168.5.3
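The two dig tests above check plaintext DNS, but a dig build without TLS support (the 9.10 output shown earlier has none) sends unencrypted DNS to port 853 and never exercises the TLS listener. As an added example that is not part of the original post, the Python script below talks to both listeners directly: plain UDP on port 53, and DNS over TLS (RFC 7858, a TLS session carrying length-prefixed DNS messages) on port 853, with the TLS session verified against the self-signed mydomain.crt created above. RESOLVER_IP, CERT_FILE and CERT_NAME (the name you entered as CN or subjectAltName when answering openssl req) are assumptions taken from the tutorial, and the offline check of the parser uses a constructed response, not a captured one.

```python
# Added example, not code from the original post: a minimal DNS client that
# speaks plain DNS (port 53) and DNS over TLS, RFC 7858 (port 853), so both
# Unbound listeners configured in this tutorial can be exercised and the TLS
# certificate is actually verified. The resolver address, certificate path and
# the name expected in the certificate are assumptions taken from the tutorial.
import socket
import ssl
import struct

RESOLVER_IP = "192.168.5.3"                  # assumed: the interface in unbound.conf
CERT_FILE = "/etc/ssl/unbound/mydomain.crt"  # assumed: the self-signed cert made above
CERT_NAME = "ns3.kursor.my.id"               # assumed: CN/SAN you entered in the CSR
QUERY_ID = 0x1234


def build_query(name, qid=QUERY_ID):
    """Encode a DNS query for the A record of `name` in wire format (RFC 1035)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg, off):
    """Return the offset just past the name at `off`, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg, expected_id=None):
    """Return (rcode, [IPv4 addresses]) from the answer section of a DNS response."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if expected_id is not None and qid != expected_id:
        raise ValueError("response ID does not match the query ID")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is not a response")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4             # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs


def _recv_exact(sock, n):
    """Read exactly n bytes from a stream socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before the full DNS message arrived")
        buf += chunk
    return buf


def query_udp(name, server=RESOLVER_IP, port=53, timeout=3.0):
    """Plain DNS over UDP, the same thing `dig yahoo.com` does against port 53."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, port))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, expected_id=QUERY_ID)


def query_dot(name, server=RESOLVER_IP, port=853, cafile=CERT_FILE,
              server_name=CERT_NAME, timeout=3.0):
    """DNS over TLS: TCP framing (2-byte length prefix) inside a verified TLS session."""
    ctx = ssl.create_default_context(cafile=cafile)   # trust only the resolver's own cert
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    query = build_query(name)
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            data = _recv_exact(tls, length)
    return parse_a_records(data, expected_id=QUERY_ID)


def constructed_response():
    """A constructed (not captured) reply for yahoo.com with two A records, for offline testing."""
    header = struct.pack("!HHHHHH", QUERY_ID, 0x8180, 1, 2, 0, 0)   # QR, RD, RA, NOERROR
    question = b"\x05yahoo\x03com\x00" + struct.pack("!HH", 1, 1)

    def rr(ip):  # owner name is a pointer back to the question name at offset 12
        return b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 854, 4) + socket.inet_aton(ip)

    return header + question + rr("74.6.143.26") + rr("98.137.11.163")


if __name__ == "__main__":
    print("udp/53 :", query_udp("yahoo.com"))
    print("tls/853:", query_dot("google.com"))
```

Run it from a host that can reach 192.168.5.3. A certificate error from query_dot means the name in CERT_NAME does not match what is in mydomain.crt; a timeout on port 853 while query_udp succeeds means the @853 interface or tls-port setting is not active in the running Unbound.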
Below we show the complete script of the unbound.conf file.

Complete Script /var/unbound/etc/unbound.conf Port 53 and 853
server:
	interface: 192.168.5.3@53
	interface: 192.168.5.3@853
	#port: 53
	tls-port: 853
	chroot: /var/unbound
	username: "_unbound"
	directory: "/var/unbound"
	pidfile: "/var/run/unbound.pid"
	do-ip4: yes
	do-ip6: no
	do-udp: yes
	do-tcp: yes
	do-daemonize: yes
	tls-cert-bundle: "/etc/ssl/cert.pem"
	tls-service-pem: "/etc/ssl/unbound/mydomain.crt"
	tls-service-key: "/etc/ssl/unbound/mydomain.key"
	access-control: 192.168.5.0/24 allow
	access-control: 127.0.0.0/8 allow
	verbosity: 1
	harden-glue: yes
	hide-identity: yes
	hide-version: yes
	auto-trust-anchor-file: "/var/unbound/db/root.key"
	root-hints: "/var/unbound/db/root.hints"
	val-log-level: 2
	aggressive-nsec: yes
remote-control:
	control-enable: yes
	control-interface: /var/run/unbound.sock
	server-key-file: "/var/unbound/etc/unbound_server.key"
	server-cert-file: "/var/unbound/etc/unbound_server.pem"
	control-key-file: "/var/unbound/etc/unbound_control.key"
	control-cert-file: "/var/unbound/etc/unbound_control.pem"
forward-zone:
	name: "."
	forward-first: no
	forward-ssl-upstream: yes
	forward-addr: 1.1.1.1@853
	forward-addr: 1.0.0.1@853
	forward-addr: 8.8.8.8@853
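The complete configuration above enables forward-ssl-upstream and supplies tls-cert-bundle, but each forward-addr still lacks the "#authname" suffix that unbound.conf(5) uses to check the upstream certificate against a name, so the forwarders are encrypted without being authenticated. As an added example that is not part of the original post, this Python checker parses the flat clause/attribute layout used by both configurations on this page (not the full unbound.conf grammar) and reports that gap, next to a hardened copy of the same forward-zone carrying the authentication names Cloudflare (cloudflare-dns.com) and Google (dns.google) publish for these resolvers. The abridged TUTORIAL_CONF string is copied from the configuration above; the finding texts are this example's own.

```python
# Added example, not code from the original post: a checker for the unbound.conf
# layout used in this tutorial. It parses the flat "clause:" / "key: value" form
# shown above (not the full unbound.conf grammar) and reports forwarders whose
# TLS session is encrypted but not authenticated, because a forward-addr without
# "#authname" gives Unbound no name to check the upstream certificate against.
import re

# Abridged copy of the tutorial's complete unbound.conf (ports 53 and 853).
TUTORIAL_CONF = """
server:
    interface: 192.168.5.3@53
    interface: 192.168.5.3@853
    tls-port: 853
    do-udp: yes
    do-tcp: yes
    tls-cert-bundle: "/etc/ssl/cert.pem"
    tls-service-pem: "/etc/ssl/unbound/mydomain.crt"
    tls-service-key: "/etc/ssl/unbound/mydomain.key"
    access-control: 192.168.5.0/24 allow
    access-control: 127.0.0.0/8 allow
remote-control:
    control-enable: yes
    control-interface: /var/run/unbound.sock
forward-zone:
    name: "."
    forward-first: no
    forward-ssl-upstream: yes
    forward-addr: 1.1.1.1@853
    forward-addr: 1.0.0.1@853
    forward-addr: 8.8.8.8@853
"""

# The same zone with the authentication names published for these resolvers
# (cloudflare-dns.com and dns.google) appended after "#".
HARDENED_CONF = (TUTORIAL_CONF
                 .replace("1.1.1.1@853", "1.1.1.1@853#cloudflare-dns.com")
                 .replace("1.0.0.1@853", "1.0.0.1@853#cloudflare-dns.com")
                 .replace("8.8.8.8@853", "8.8.8.8@853#dns.google"))

CLAUSE = re.compile(r"^([a-z0-9-]+):$")
ATTRIBUTE = re.compile(r"^([a-z0-9-]+):\s+(.+)$")


def parse_unbound_conf(text):
    """Return [(clause_name, [(key, value), ...]), ...] in file order; comment lines dropped."""
    clauses = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = CLAUSE.match(line)
        if header:
            clauses.append((header.group(1), []))
            continue
        attr = ATTRIBUTE.match(line)
        if not attr or not clauses:
            raise ValueError("cannot parse line: %r" % raw)
        clauses[-1][1].append((attr.group(1), attr.group(2).strip().strip('"')))
    return clauses


def check_forwarding(clauses):
    """Return human-readable findings about plaintext or unauthenticated forwarding."""
    findings = []
    server = {k: v for c, attrs in clauses if c == "server" for k, v in attrs}
    can_verify = "tls-cert-bundle" in server or server.get("tls-system-cert") == "yes"
    for clause, attrs in clauses:
        if clause != "forward-zone":
            continue
        zone = dict(attrs)                      # adequate for the single-valued keys used below
        name = zone.get("name", "?")
        tls = any(k in ("forward-ssl-upstream", "forward-tls-upstream") and v == "yes"
                  for k, v in attrs)
        if not tls:
            findings.append("zone %s: forwarders are queried in plaintext" % name)
            continue
        for addr in (v for k, v in attrs if k == "forward-addr"):
            if "#" not in addr:
                findings.append("zone %s: %s has no #authname; TLS is encrypted "
                                "but the upstream is not authenticated" % (name, addr))
        if not can_verify:
            findings.append("zone %s: no tls-cert-bundle or tls-system-cert in server:, "
                            "so upstream certificates cannot be verified" % name)
        if zone.get("forward-first") == "yes":
            findings.append("zone %s: forward-first: yes falls back to plain recursion "
                            "when the forwarders fail" % name)
    return findings


if __name__ == "__main__":
    for label, conf in (("tutorial", TUTORIAL_CONF), ("hardened", HARDENED_CONF)):
        print(label + ":")
        for finding in check_forwarding(parse_unbound_conf(conf)) or ["no findings"]:
            print("  " + finding)
```

Point parse_unbound_conf at the text of your own /var/unbound/etc/unbound.conf to run the same checks against it; unbound-checkconf remains the authority on whether the file is syntactically valid.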
Well, that's enough for this tutorial about Unbound. Unbound has many benefits, and you can go on to try its other features, such as Redis, Python and others. Keep learning and reading so that you can immediately feel the benefits of Unbound.
Iwan Setiawan
