
Unbound Harden Unbound

Jack-Sparr0w

Senior Member
No problem using this in config file with vpn atm

use-caps-for-id: yes (don't use if you are using pi-hole)
harden-referral-path: yes
harden-algo-downgrade: yes
harden-large-queries: yes
harden-short-bufsize: yes
val-clean-additional: yes
harden-dnssec-stripped: yes
unwanted-reply-threshold: 5000000
jostle-timeout: 200 (North America) - helps with DoS attacks; use `unbound-control dump_infra` and change it to the same number as the rtt
sock-queue-timeout: 3
discard-timeout: 1900 use 3000 if you bind VPN
qname-minimisation-strict: yes
infra-cache-numhosts: 20000, or 40000 on the AX88U
harden-unknown-additional: yes
hide-trustanchor: yes - don't use vlan or VPN with this as some VPNs need this
hide-http-user-agent: yes - don't use vlan or DoT with this
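The post above suggests reading the rtt values out of `unbound-control dump_infra` to pick a jostle-timeout. As an added example (not from the thread), here is a small parser for that dump, run over a constructed sample; the field layout follows Unbound's infra dump format, and using the median rtt as the single number to copy into jostle-timeout is my choice, the post just says "same number as rtt".

```python
import statistics
from typing import Dict, List

# Constructed sample of `unbound-control dump_infra` output (not captured from
# the router in the thread). Layout: "<ip> <zone> key value key value ...",
# with the bare word "lame" labelling the lameness flags that follow it.
SAMPLE_DUMP_INFRA = """\
192.0.2.10 example. ttl 843 ping 12 var 3 rtt 24 rto 24 tA 0 tAAAA 0 tother 0 ednsknown 1 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
198.51.100.7 example. ttl 612 ping 85 var 20 rtt 165 rto 165 tA 0 tAAAA 0 tother 0 ednsknown 1 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
203.0.113.2 . ttl 900 ping 40 var 9 rtt 76 rto 76 tA 0 tAAAA 0 tother 0 ednsknown 1 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
"""


def parse_dump_infra(text: str) -> List[Dict[str, object]]:
    """Turn each dump_infra line into a dict: ip, zone, and every numeric field."""
    hosts: List[Dict[str, object]] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or truncated lines
        entry: Dict[str, object] = {"ip": parts[0], "zone": parts[1]}
        # "lame" carries no value of its own; drop it so the rest pairs up cleanly
        tokens = [t for t in parts[2:] if t != "lame"]
        for key, val in zip(tokens[0::2], tokens[1::2]):
            entry[key] = int(val)
        hosts.append(entry)
    return hosts


def rtt_summary(hosts: List[Dict[str, object]]) -> Dict[str, int]:
    """Min / median / max of the smoothed rtt column, in milliseconds."""
    rtts = sorted(int(h["rtt"]) for h in hosts)
    return {"min": rtts[0], "median": int(statistics.median(rtts)), "max": rtts[-1]}


def suggested_jostle_timeout(hosts: List[Dict[str, object]]) -> int:
    """One way to pick the single value the post asks for: the median observed rtt."""
    return rtt_summary(hosts)["median"]


if __name__ == "__main__":
    infra = parse_dump_infra(SAMPLE_DUMP_INFRA)
    print(rtt_summary(infra), "-> jostle-timeout:", suggested_jostle_timeout(infra))
```

On the router, feed real data with `unbound-control dump_infra | python3 this_script.py`-style piping by reading `sys.stdin.read()` instead of the constant.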
 
Please, using these options, will Unbound be applied to the VPN too?
Thank you!
 
Anything that is done to unbound, from my understanding, has to be done without VPN, and that includes installing all its features. Gotta do the order-of-operations method to get it to work nicely.
 
Have you looked into VPNMON through amtm? You can route your Unbound traffic through your VPN; working great here.
 
Hi all,

Thank you for this. I've always been confused as to how to get DNS lookups via unbound to work over my WireGuard VPN server (Mullvad). I've tried a few times and DNS lookups stop working completely. Is there any chance you can point me in the right direction as to which method works? VPNMON won't work with unbound, I don't think, because it has no capacity for monitoring WireGuard IIRC.

I'm on the latest Asus Merlin for the AX86U router.

Thank you for any and all help.

:)
 
Code:
use-caps-for-id: yes
Clarification: do not set this to yes if you want to use DNSSEC, according to the Unbound devs.
So either use harden-dnssec-stripped (DNSSEC) or use-caps-for-id: yes, but not both.

Code:
harden-large-queries: yes
Doesn't make sense to set it if you're running unbound in your LAN; that option is only useful when hosting a public resolver.

Code:
harden-short-bufsize: yes
val-clean-additional: yes
These are set to yes by default, according to the Unbound docs.
 
Code:
use-caps-for-id: yes
Clarification: do not set this to yes if you want to use DNSSEC, according to the Unbound devs.
So either use harden-dnssec-stripped or use-caps-for-id, but not both.

Where is this documented, please?

I have both enabled and have no issue with returning DNSSEC lookups.
 
Hi all,

Thank you for this. I've always been confused as to how to get DNS lookups via unbound to work over my WireGuard VPN server (Mullvad). I've tried a few times and DNS lookups stop working completely. Is there any chance you can point me in the right direction as to which method works? VPNMON won't work with unbound, I don't think, because it has no capacity for monitoring WireGuard IIRC.

I'm on the latest Asus Merlin for the AX86U router.

Thank you for any and all help.

:)
At the moment, VPNMON can only use Unbound over VPN. The way it was implemented seems extremely complex, but I'm going to try to reverse engineer it to see if I can get it working on WireGuard as well.

Right now, I'm using WireGuard for my main internet connection(s), but using a standalone VPN connection to handle Unbound DNS lookups. So it's the best of both worlds for now. ;)

Since you're using Mullvad, it doesn't take much to get one additional VPN slot working (in addition to your WireGuard slot) with a new Mullvad VPN connection to duplicate this setup.
 
Where is this documented, please?

I have both enabled and have no issue with returning DNSSEC lookups.
According to the reports on Pi-hole's Discourse and Unbound's GitHub, this does not affect all DNSSEC lookups, as it is caused by how the authoritative server handles the query, so you might never have encountered this.
In my Unbound config, I have a note about this, so I assume that when I made it, it was justified. I do not have the source I based this on; probably a mailing list.
I personally still had problems with both these options set together, so the issue is still there, for some people at least.

Edit:
Looks like it is mentioned in the documentation indeed: https://unbound.docs.nlnetlabs.nl/en/latest/reference/history/patch-announce102.html#randomisation
This method currently has to be turned on by the operator manually, as it may result in maybe 0.4% of domains getting no answers due to no support on the authoritative server side.
So, depending on what sites you visit, you may or may never encounter this.
 
Hi all,

Thank you for this. I've always been confused as to how to get DNS lookups via unbound to work over my WireGuard VPN server (Mullvad). I've tried a few times and DNS lookups stop working completely. Is there any chance you can point me in the right direction as to which method works? VPNMON won't work with unbound, I don't think, because it has no capacity for monitoring WireGuard IIRC.

I'm on the latest Asus Merlin for the AX86U router.

Thank you for any and all help.

:)
unbound_manager advanced: then use option 3 and look for "bind to VPN".
 
Hi all,

Thank you for this. I've always been confused as to how to get DNS lookups via unbound to work over my WireGuard VPN server (Mullvad). I've tried a few times and DNS lookups stop working completely. Is there any chance you can point me in the right direction as to which method works? VPNMON won't work with unbound, I don't think, because it has no capacity for monitoring WireGuard IIRC.

I'm on the latest Asus Merlin for the AX86U router.

Thank you for any and all help.

:)
Use OpenVPN if possible; it has a better cipher.
 
According to the reports on Pi-hole's Discourse and Unbound's GitHub, this does not affect all DNSSEC lookups, as it is caused by how the authoritative server handles the query, so you might never have encountered this.
In my Unbound config, I have a note about this, so I assume that when I made it, it was justified. I do not have the source I based this on; probably a mailing list.
I personally still had problems with both these options set together, so the issue is still there, for some people at least.

Edit:
Looks like it is mentioned in the documentation indeed: https://unbound.docs.nlnetlabs.nl/en/latest/reference/history/patch-announce102.html#randomisation

So, depending on what sites you visit, you may or may never encounter this.

If the server is set to ignore case, which many (most!!!???) are, then 'use-caps-for-id: yes' will not matter.
Therefore all ids will be stored in CAPS and forced to CAPS when received.
If the server does NOT ignore case, then 'Dummy.site.com' is not the same as 'DUMMY.site.com'; this makes a difference as the cryptographic keys generated/stored in the DNS records (for DNSSEC) will not match, as they are based on the EXACT id.

See https://www.rfc-archive.org/getrfc?rfc=4034 (for fine detail)

(Read all the related RFCs for DNS & DNSSEC for many hours of 'fun' .... 😲 :D .... I have, because I like stuff like this !!! :eek::eek:)

If you have not found any problems when using 'use-caps-for-id: yes', it is simply good luck !!!
I have set 'use-caps-for-id: no' to ensure there are no unforeseen errors ... it works for me !!!
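As an added illustration, not from the thread, of what use-caps-for-id actually checks (the "0x20" case randomisation the linked Unbound patch announcement describes): the resolver randomises the upper/lower case of each letter in the question name and, with the option on, accepts a reply only if the authoritative server echoes that exact casing back. The two server functions and the names used are constructed for the demo.

```python
import random
from typing import Callable

# Constructed demo of Unbound's use-caps-for-id (0x20) check. Not Unbound code.


def randomize_case(qname: str, rng: random.Random) -> str:
    """Flip the 0x20 (case) bit of each ASCII letter at random; other bytes untouched."""
    return "".join(
        (c.upper() if rng.getrandbits(1) else c.lower()) if c.isalpha() else c
        for c in qname
    )


def reply_accepted(sent_qname: str, reply_qname: str, use_caps_for_id: bool) -> bool:
    """With use-caps-for-id the echoed question must match byte-for-byte;
    without it only the ordinary case-insensitive DNS comparison applies."""
    if use_caps_for_id:
        return sent_qname == reply_qname
    return sent_qname.lower() == reply_qname.lower()


def case_preserving_server(question: str) -> str:
    """Authoritative server that copies the question section back unchanged."""
    return question


def case_folding_server(question: str) -> str:
    """Authoritative server that normalises the question to lower case (the
    behaviour that makes 0x20-protected queries fail)."""
    return question.lower()


def resolve(qname: str, server: Callable[[str], str], use_caps_for_id: bool, seed: int) -> bool:
    """One query/reply round trip; returns whether the resolver keeps the answer."""
    sent = randomize_case(qname, random.Random(seed)) if use_caps_for_id else qname.lower()
    return reply_accepted(sent, server(sent), use_caps_for_id)


def identity_bits(qname: str) -> int:
    """Extra entropy 0x20 adds on top of the 16-bit ID and source port: one bit per letter."""
    return sum(1 for c in qname if c.isalpha())


if __name__ == "__main__":
    name = "dummy.site.com."
    print("case-preserving, caps on :", resolve(name, case_preserving_server, True, 1))
    print("case-folding,    caps on :", resolve(name, case_folding_server, True, 1))
    print("case-folding,    caps off:", resolve(name, case_folding_server, False, 1))
    print("extra bits for", name, ":", identity_bits(name))
```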
 
No problem using this in config file with vpn atm

use-caps-for-id: yes (don't use if you are using pi-hole)
harden-referral-path: yes
harden-algo-downgrade: yes
harden-large-queries: yes
harden-short-bufsize: yes
val-clean-additional: yes
harden-dnssec-stripped: yes
With all this unbound hardening, don't forget about the need to reduce the possibility of packet fragmentation, which in turn mitigates DDoS threats when using DNSSEC.
Code:
max-udp-size: 3072
 
use-caps-for-id: yes (don't use if you are using pi-hole)
harden-referral-path: yes
harden-algo-downgrade: yes
harden-large-queries: yes
harden-short-bufsize: yes
val-clean-additional: yes
harden-dnssec-stripped: yes
unwanted-reply-threshold: 5000000
jostle-timeout: 200 (North America) - helps with DoS attacks
sock-queue-timeout: 3
discard-timeout: 1900 use 3000 if you bind VPN
qname-minimisation-strict: yes
infra-cache-numhosts: 20000, or 40000 on the AX88U
harden-unknown-additional: yes
hide-trustanchor: yes - don't use vlan or VPN with this as some VPNs need this
hide-http-user-agent: yes - don't use vlan or DoT with this, as DoT requires HTTP
harden-unverified-glue: yes
 
My config for NordVPN, made easy for anyone: just delete from here onward and copy and paste:

Code:
# threads and memory slabs for threads
num-threads: 4
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
ip-ratelimit-slabs: 4
ratelimit-slabs: 4

# tiny memory cache
extended-statistics: yes # v1.06 Martineau for @juched GUI TAB
key-cache-size: 16m
msg-cache-size: 16m
rrset-cache-size: 32m
ip-ratelimit-size: 16m
ratelimit-size: 16m
http-query-buffer-size: 16m
http-response-buffer-size: 16m
stream-wait-size: 16m
quic-size: 16m
cache-max-ttl: 14400 # v1.08 Martineau
cache-min-ttl: 3600 # v1.08 Martineau
# prefetch
prefetch: yes
prefetch-key: yes
minimal-responses: yes
serve-expired: yes
serve-expired-ttl: 86400 # v1.12 as per @juched
serve-expired-ttl-reset: yes # v1.13 as per @jumpsmm7 Set the TTL of expired records to the serve-expired-ttl value after a failed attempt to retrieve the record from u>
incoming-num-tcp: 950
outgoing-num-tcp: 200
num-queries-per-thread: 100
outgoing-range: 200
ip-ratelimit: 1000 # v1.04 as per @L&LD as it impacts ipleak.net?
edns-buffer-size: 1472 # v1.01 as per @dave14305 minimal config
max-udp-size: 3072 # v1.13 as per @jumpsmm7 mitigate DDOS threats when using dnssec, reduce potential for fragmentation.
#outgoing-port-avoid: 0-32767 # v1.13 as per @jumpsmm7 avoid grabbing udp ports commonly used / only for users with UDP port availability problems
#outgoing-port-permit: 32768-65535 # v1.13 as per @jumpsmm7 ports to permit / Not necessary if port-avoid is not used. limits port randomization.
jostle-timeout: 1000
sock-queue-timeout: 3
infra-cache-numhosts: 40000
discard-timeout: 3000
unwanted-reply-threshold: 5000000
infra-keep-probing: no
infra-host-ttl: 900
so-reuseport: yes
tcp-reuse-timeout: 60000
msg-buffer-size: 65552
max-global-quota: 300
delay-close: 10000
http-max-streams: 300
tls-use-sni: yes
pad-responses: yes
pad-responses-block-size: 512
pad-queries: yes
pad-queries-block-size: 512
val-bogus-ttl: 60
wait-limit-cookie: 10000
wait-limit: 1000
infra-cache-min-rtt: 1000
infra-cache-max-rtt: 120000
tcp-idle-timeout: 60000
max-reuse-tcp-queries: 300
tcp-auth-query-timeout: 3000
unknown-server-time-limit: 1000
neg-cache-size: 16m
val-sig-skew-min: 3600
val-sig-skew-max: 86400
cache-min-negative-ttl: 0
cache-max-negative-ttl: 3600
serve-expired-client-timeout: 2900
iter-scrub-ns: 20
iter-scrub-cname: 11
max-sent-count: 32
answer-cookie: yes
target-fetch-policy: "0 0 0 0 0 0"
# cookie-secret is a 128-bit hex value that must stay private to this resolver:
# generate your own rather than reusing the one from a public post
cookie-secret: 1b72a4d5dd36d85726316b3e88ac40a7
ip-ratelimit-cookie: 10000
val-max-restart: 5
val-nsec3-keysize-iterations: "1024 150 2048 150 4096 150"
serve-expired-reply-ttl: 30
outbound-msg-retry: 5
serve-original-ttl: yes
max-query-restarts: 11
ip-freebind: yes
zonemd-permissive-mode: yes

# Ensure kernel buffer is large enough to not lose messages in traffic spikes
#so-rcvbuf: 2m # v1.05 Martineau see DEFAULT /proc/sys/net/core/rmem_default

#so-sndbuf: 2m

#########################################
# Options for integration with TCP/TLS Stubby
# udp-upstream-without-downstream: yes
#########################################

# gentle on recursion
hide-identity: yes
hide-version: yes
do-not-query-localhost: no
qname-minimisation: yes
harden-glue: yes
harden-below-nxdomain: yes
rrset-roundrobin: yes
aggressive-nsec: yes
deny-any: yes
use-caps-for-id: yes
harden-referral-path: yes
harden-algo-downgrade: yes
harden-large-queries: yes
harden-short-bufsize: yes
val-clean-additional: yes
harden-dnssec-stripped: yes
qname-minimisation-strict: yes
harden-unverified-glue: yes
hide-http-user-agent: yes

# Self jail Unbound with user "nobody" to /var/lib/unbound
username: "nobody"
directory: "/opt/var/lib/unbound"
chroot: "/opt/var/lib/unbound"

# The pid file
pidfile: "/opt/var/run/unbound.pid"

# ROOT Server's
root-hints: "/opt/var/lib/unbound/root.hints"

# DNSSEC
auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
trust-anchor-signaling: yes
root-key-sentinel: yes
 
