How To Register DNS Ubuntu 18.04

Installation of the UNBOUND DNS server for a local network is fairly simple, but I encountered some hurdles setting it up on Ubuntu 18, so I took notes on how I resolved them in this post for reference purposes. I found running Unbound on Ubuntu 16 more comfortable.

After a fresh installation of Ubuntu 18, it's a good idea to sync your system time with an NTP source.

apt-get -y install ntp ntpdate
# Change timezone as per your locale
cp /usr/share/zoneinfo/Asia/Karachi /etc/localtime
sudo /etc/init.d/ntp restart

Install UNBOUND DNS Server

Step#1

apt-get install -y unbound

Step#2

# Additional notes for Ubuntu 18 version only

The problem with Ubuntu 18.04 is the systemd-resolved service, which listens on port 53 and therefore conflicts with the unbound service.

Edit the file /etc/systemd/resolved.conf

nano /etc/systemd/resolved.conf

and set this line:

DNSStubListener=no

Now reboot

shutdown -r now

You can now confirm that port 53 is free:

netstat -tulpn | grep :53

Step#3

Some housekeeping stuff

sudo service systemd-resolved stop
sudo rm -f /etc/resolv.conf
sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
sudo service systemd-resolved start

Step#4

Edit the existing UNBOUND configuration file for customization…

nano /etc/unbound/unbound.conf

Example of unbound.conf

# Unbound configuration file for Debian.
server:
    # Use the root servers key for DNSSEC
    #auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Enable logs
    chroot: ""
    #verbosity (log level from 0 to 4, 4 is debug)
    #verbosity: 1
    #logfile: /var/log/unbound/unbound.log
    #log-queries: yes
    #use-syslog: (do not write logs in syslog file in ubuntu /var/log/syslog -zaib)
    use-syslog: no
    #interface (interfaces on which Unbound will be launched and requests will be listened to)
    # Reply to DNS requests on all interfaces
    interface: 0.0.0.0
    # DNS request port, IP and protocol
    port: 53
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes

    # Authorized IPs to access the DNS Server / access-control (determines whose requests are allowed to be processed)
    # if you want to allow all ip pools, uncomment following (make sure you have good firewall for it)
    # access-control: 0.0.0.0/0 allow
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/8 allow
    access-control: 172.16.0.0/16 allow
    access-control: 192.168.0.0/16 allow
    access-control: 101.0.0.0/8 allow

    # Root servers information (To download here: ftp://ftp.internic.net/domain/named.cache)
    #root-hints: "/var/lib/unbound/root.hints"

    # Hide DNS Server info
    hide-identity: yes
    hide-version: yes

    # Improve the security of your DNS Server (Limit DNS Fraud and use DNSSEC)
    harden-glue: yes
    harden-dnssec-stripped: yes

    # Rewrite URLs written in CAPS
    use-caps-for-id: yes

    # PERFORMANCE RELATED TUNING - USE IT WITH CARE - TTL Min (Seconds, I set it to 7 days)
    cache-min-ttl: 604800
    # PERFORMANCE RELATED TUNING - USE IT WITH CARE - TTL Max (Seconds, I set it to 14 days)
    cache-max-ttl: 1209600
    # Enable the prefetch
    prefetch: yes

    # Number of maximum threads CORES to use / zaib
    num-threads: 4

    ### Tweaks and optimizations
    # Number of slabs to use (Must be a multiple of num-threads value)
    msg-cache-slabs: 8
    rrset-cache-slabs: 8
    infra-cache-slabs: 8
    key-cache-slabs: 8
    # Cache and buffer size (in mb)
    rrset-cache-size: 51m
    msg-cache-size: 25m
    so-rcvbuf: 1m

    # Make sure your DNS Server treats your local network requests
    #private-address: 101.0.0.0/8

    # Add an unwanted reply threshold to clean the cache and avoid when possible a DNS Poisoning
    unwanted-reply-threshold: 10000

    # Authorize or not the localhost requests
    do-not-query-localhost: no

    # Use the root.key file for DNSSEC
    #auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-clean-additional: yes
    include: "/etc/unbound/unbound.conf.d/*.conf"
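As an added example (not code from the original post), a small shell audit of the settings above: it flags the open-resolver line if it is ever uncommented, checks that the fingerprint-hiding and hardening options stay enabled, and notes the long cache-min-ttl. The function names and the sample config it writes are my own constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit an unbound.conf for the
# settings this guide sets. Assumed usage: audit_unbound_conf /etc/unbound/unbound.conf
# Prints one finding per line; empty output means every check passed.

# Last uncommented value of a server option (unbound itself uses the last one).
conf_get() {
    grep -E "^[[:space:]]*$2:" "$1" | sed "s/^[[:space:]]*$2:[[:space:]]*//; s/[[:space:]]*\$//" | tail -n 1
}

audit_unbound_conf() {
    f="$1"
    # 1. Open resolver: an uncommented 'allow' for all of IPv4/IPv6 lets anyone on
    #    the internet query this server (and use it for amplification). The guide
    #    keeps this line commented out and relies on the private-range allow list.
    if grep -Eq '^[[:space:]]*access-control:[[:space:]]*(0\.0\.0\.0/0|::/0)[[:space:]]+allow' "$f"; then
        echo "CRITICAL: access-control allows 0.0.0.0/0 or ::/0 (open resolver)"
    fi
    # 2. The hardening and fingerprint-hiding options the guide enables must stay 'yes'.
    for opt in hide-identity hide-version harden-glue harden-dnssec-stripped; do
        [ "$(conf_get "$f" "$opt")" = "yes" ] || echo "WARN: $opt is not 'yes'"
    done
    # 3. cache-min-ttl above one day overrides authoritative TTLs, so a record whose
    #    IP changes upstream keeps being served from cache for that long.
    ttl=$(conf_get "$f" cache-min-ttl)
    if [ -n "$ttl" ] && [ "$ttl" -gt 86400 ]; then
        echo "INFO: cache-min-ttl=$ttl overrides upstream TTLs for more than a day"
    fi
}

# Constructed sample: the guide's settings with the 'allow everything' line
# uncommented and hide-version weakened, to show what the audit reports.
write_sample_conf() {
    cat > "$1" <<'EOF'
server:
    interface: 0.0.0.0
    # access-control: 0.0.0.0/0 allow
    access-control: 0.0.0.0/0 allow
    access-control: 192.168.0.0/16 allow
    hide-identity: yes
    hide-version: no
    harden-glue: yes
    harden-dnssec-stripped: yes
    cache-min-ttl: 604800
EOF
}

count_findings() { audit_unbound_conf "$1" | wc -l | tr -d ' '; }
```

Run it against the real file after every edit and before `service unbound restart`; on the sample it reports the open resolver, the weakened hide-version and the 7-day minimum TTL.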

Example of /etc/unbound/myrecords.conf

You can use this file to add your custom records as well.

Create new file at

nano /etc/unbound/unbound.conf.d/myrecords.conf

local-data: "zaib.com A 1.2.3.4"
local-data: "zaib2.com A 1.2.3.4"

Every time you make any changes to the Unbound config, make sure to restart the service or reload the configuration:

service unbound restart OR service unbound reload

Test if UNBOUND service is started successfully.

service unbound status

Result:

● unbound.service - Unbound DNS server
   Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2019-12-10 12:28:59 PKT; 2s ago
     Docs: man:unbound(8)
  Process: 1588 ExecStartPre=/usr/lib/unbound/package-helper root_trust_anchor_update (code=exited, status=0/SUCCESS)
  Process: 1576 ExecStartPre=/usr/lib/unbound/package-helper chroot_setup (code=exited, status=0/SUCCESS)
 Main PID: 1610 (unbound)
    Tasks: 4 (limit: 2290)
   CGroup: /system.slice/unbound.service
           └─1610 /usr/sbin/unbound -d

Dec 10 12:28:58 u18 systemd[1]: Starting Unbound DNS server...
Dec 10 12:28:59 u18 package-helper[1588]: /var/lib/unbound/root.key has content
Dec 10 12:28:59 u18 package-helper[1588]: success: the anchor is ok
Dec 10 12:28:59 u18 unbound[1610]: [1575962939] unbound[1610:0] warning: so-rcvbuf 1048576 was not granted. Got 425984. To fix: start with root permissions(linux) or sysctl bigger net.core.rmem_max
Dec 10 12:28:59 u18 unbound[1610]: [1575962939] unbound[1610:0] notice: init module 0: subnet
Dec 10 12:28:59 u18 unbound[1610]: [1575962939] unbound[1610:0] notice: init module 1: validator
Dec 10 12:28:59 u18 unbound[1610]: [1575962939] unbound[1610:0] notice: init module 2: iterator
Dec 10 12:28:59 u18 unbound[1610]: [1575962939] unbound[1610:0] info: start of service (unbound 1.6.7).
Dec 10 12:28:59 u18 systemd[1]: Started Unbound DNS server.

Testing DNS service

Test if the DNS server is responding to DNS queries:

dig @127.0.0.1 bbc.com

1st Result: [check the Query time]

; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> @127.0.0.1 bbc.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16313
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bbc.com.                       IN      A

;; ANSWER SECTION:
bbc.com.                86400   IN      A       151.101.192.81
bbc.com.                86400   IN      A       151.101.128.81
bbc.com.                86400   IN      A       151.101.0.81
bbc.com.                86400   IN      A       151.101.64.81

;; Query time: 971 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 10 07:04:21 UTC 2019
;; MSG SIZE  rcvd: 100

2nd Result: [check the Query time]

root@u18:/etc/unbound/unbound.conf.d# dig @127.0.0.1 bbc.com

; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> @127.0.0.1 bbc.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14171
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bbc.com.                       IN      A

;; ANSWER SECTION:
bbc.com.                86398   IN      A       151.101.192.81
bbc.com.                86398   IN      A       151.101.128.81
bbc.com.                86398   IN      A       151.101.0.81
bbc.com.                86398   IN      A       151.101.64.81

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 10 07:04:23 UTC 2019
;; MSG SIZE  rcvd: 100

See the difference between the 1st and 2nd response (971 msec versus 0 msec), which shows that the cache is working.


Enabling LOG File [recommended for troubleshooting purposes only]

Create a Log file and assign rights to write logs:

mkdir /var/log/unbound
touch /var/log/unbound/unbound.log
chmod -R 777 /var/log/unbound/

Now enable it in the unbound config file and reload/restart the UNBOUND service. I have left it commented out in the configuration file above.

An example of viewing logs:

sudo tail -f /var/log/unbound/unbound.log
sudo tail -f /var/log/syslog

UNBOUND.LOG

[1575963664] unbound[1962:3] info: 101.11.11.161 bbc.com.agp1. A IN
[1575963664] unbound[1962:3] info: resolving bbc.com.agp1. A IN
[1575963664] unbound[1962:3] info: response for bbc.com.agp1. A IN
[1575963664] unbound[1962:3] info: reply from  193.0.14.129#53
[1575963664] unbound[1962:3] info: query response was NXDOMAIN ANSWER
[1575963664] unbound[1962:3] info: validate(nxdomain): sec_status_secure
[1575963664] unbound[1962:3] info: validation success bbc.com.agp1. A IN
[1575963664] unbound[1962:3] info: 101.11.11.161 bbc.com.agp1. AAAA IN
[1575963664] unbound[1962:3] info: resolving bbc.com.agp1. AAAA IN
[1575963664] unbound[1962:3] info: response for bbc.com.agp1. AAAA IN
[1575963664] unbound[1962:3] info: reply from  199.7.83.42#53
[1575963664] unbound[1962:3] info: query response was NXDOMAIN ANSWER
[1575963664] unbound[1962:3] info: validate(nxdomain): sec_status_secure
[1575963664] unbound[1962:3] info: validation success bbc.com.agp1. AAAA IN
[1575963664] unbound[1962:1] info: 101.11.11.161 bbc.com. A IN
[1575963664] unbound[1962:1] info: resolving bbc.com. A IN
[1575963664] unbound[1962:1] info: resolving bbc.com. DS IN
[1575963664] unbound[1962:1] info: NSEC3s for the referral proved no DS.
[1575963664] unbound[1962:1] info: Verified that unsigned response is INSECURE
[1575963672] unbound[1962:0] info: 101.11.11.161 bbc.com. AAAA IN
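An added example, not from the original post: an awk summary over the log format shown above that counts queries per client, attributes NXDOMAIN outcomes to the client by worker thread (a heuristic, since Unbound does not repeat the client on the outcome line) and flags clients whose queries mostly fail. The function names are mine; the sample log is constructed, with a second, invented client added to the lines above.

```shell
#!/bin/sh
# Added example (not from the original post): summarise unbound.log per client
# and flag clients with a high NXDOMAIN ratio. Assumed usage:
#   summarize_unbound_log /var/log/unbound/unbound.log
# The "query response was ..." line carries no client, so the outcome is charged
# to the last query logged on the same worker thread ("unbound[pid:thread]").
summarize_unbound_log() {
    awk '
    # Query line: [ts] unbound[pid:thread] info: <client-ip> <qname> <qtype> <class>
    $3 == "info:" && NF == 7 && $4 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
        client[$2] = $4; total[$4]++; next
    }
    # Outcome line on the same thread: attribute the NXDOMAIN to that client
    /query response was NXDOMAIN/ && ($2 in client) { nx[client[$2]]++ }
    END {
        for (c in total) {
            n = nx[c] + 0
            printf "%s queries=%d nxdomain=%d", c, total[c], n
            # Mostly-NXDOMAIN clients: a bad search suffix (like ".agp1" above),
            # a typo storm, or DGA/tunnelling traffic that deserves a look.
            if (total[c] >= 3 && n / total[c] > 0.5) printf " ALERT:high-nxdomain-ratio"
            printf "\n"
        }
    }' "$1" | sort
}

# Constructed sample: lines from the log above plus a second client whose
# queries all come back NXDOMAIN.
write_sample_log() {
    cat > "$1" <<'EOF'
[1575963664] unbound[1962:3] info: 101.11.11.161 bbc.com.agp1. A IN
[1575963664] unbound[1962:3] info: resolving bbc.com.agp1. A IN
[1575963664] unbound[1962:3] info: reply from  193.0.14.129#53
[1575963664] unbound[1962:3] info: query response was NXDOMAIN ANSWER
[1575963664] unbound[1962:3] info: 101.11.11.161 bbc.com.agp1. AAAA IN
[1575963664] unbound[1962:3] info: query response was NXDOMAIN ANSWER
[1575963664] unbound[1962:1] info: 101.11.11.161 bbc.com. A IN
[1575963664] unbound[1962:1] info: resolving bbc.com. A IN
[1575963672] unbound[1962:0] info: 101.11.11.161 bbc.com. AAAA IN
[1575963700] unbound[1962:2] info: 192.168.1.50 xk2q9v.example. A IN
[1575963700] unbound[1962:2] info: query response was NXDOMAIN ANSWER
[1575963701] unbound[1962:2] info: 192.168.1.50 p0d7ml.example. A IN
[1575963701] unbound[1962:2] info: query response was NXDOMAIN ANSWER
[1575963702] unbound[1962:2] info: 192.168.1.50 zz31ab.example. A IN
[1575963702] unbound[1962:2] info: query response was NXDOMAIN ANSWER
EOF
}
```

It needs log-queries and verbosity 1 enabled as described in this section; the two clients in the sample come out as queries=4 nxdomain=2 (no alert) and queries=3 nxdomain=3 with the alert.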

Example of cache export and import:

unbound-control dump_cache > backup
# load_cache reads the dump from stdin
unbound-control load_cache < backup

# Clear 1 site from cache

unbound-control flush_zone google.com

# View cached DNS contents or count

unbound-control dump_cache
unbound-control dump_cache | wc -l

Start UNBOUND in DEBUG mode

unbound -d -vvvv

Securing DNS by Firewall

It is a good idea to allow only the related ports on your unbound box from trusted/local sources, and deny all other traffic.

mkdir /temp
touch /temp/fw.sh
chmod +x /temp/fw.sh
nano /temp/fw.sh

and paste the following:

#!/bin/sh
# ------------------------------------
# Syed Jahanzaib / aacable@hotmail.com
# https://aacable.wordpress.com
# Created: Jan, 2011
# Last Modified: 7th Jan, 2017
# Last Modified: 19th-SEP-2021 [for GT/KH]
# ------------------------------------

# CHANGE THIS NAME IF REQUIRED
ALLOWED_IP_LIST=/temp/allowed_ip_list.txt

###################################
###################################
###################################
### donot modify below this line ###
###################################
###################################

## Setting default filter policy, Use it with CARE / zaib
# Clear old firewall
clear
echo "1- Clearing existing firewall rules, and allow all traffic for the time being ..."
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -F
iptables -X

# LOG everything, not recommended as it can put load on storage, make sure to do proper log rotation if its required
#iptables -A INPUT -j LOG
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#Allow ICMP
echo "2- Allowing ICMP packet rules ..."
iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -s 0/0 -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT

## Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

echo "3- Enforcing Firewalling, allowing only particular ports to below specific IP pool only ..."
echo " TCP/UDP PORTS > 53,22 . Allowed IP POOL > ... "
cat $ALLOWED_IP_LIST
echo "..."
for x in $(cat $ALLOWED_IP_LIST)
do
# Allow ip range to allow port range access on all interfaces , duplicate this rule as needed
iptables -A INPUT -s $x -p tcp --match multiport --dports 22,53 -j ACCEPT
iptables -A OUTPUT -s $x -p tcp --match multiport --dports 22,53 -j ACCEPT
iptables -A INPUT -s $x -p udp --match multiport --dports 22,53 -j ACCEPT
iptables -A OUTPUT -s $x -p udp --match multiport --dports 22,53 -j ACCEPT

# Allow single IP Address to access port 8080
# iptables -A INPUT --src 1.2.3.4 -p tcp --dport 8080 -j ACCEPT

###################################
###################################
## Drop Everything else, use it at your own.
done
iptables -A INPUT -j DROP

# script ends here

echo " Done"

Save & Exit.

Now create an IP pool file in which you will add the trusted/local LAN IPs:

touch /temp/allowed_ip_list.txt
nano /temp/allowed_ip_list.txt

and add the LAN IPs:

10.0.0.0/8
172.16.0.0/16
192.168.0.0/16

Save & Exit, then reload the UNBOUND service:

service unbound restart
service unbound status

Don't forget to add fw.sh to /etc/rc.local so that it runs on every system reboot.
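An added example, not part of the original scripts: fw.sh appends its final "iptables -A INPUT -j DROP" after the loop, so an entry iptables rejects (a typo, a comment line) silently produces no ACCEPT rule and the DROP can lock you out of SSH. This validator checks allowed_ip_list.txt the same way fw.sh reads it before the script is run; the function names and the sample entries are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): validate allowed_ip_list.txt before
# fw.sh consumes it. Assumed usage:
#   validate_ip_list /temp/allowed_ip_list.txt && /temp/fw.sh

# Accepts a.b.c.d or a.b.c.d/n with octets 0-255 and prefix 0-32; returns 1 otherwise.
valid_ipv4_cidr() {
    entry="$1"
    case "$entry" in
        */*) ip=${entry%/*}; prefix=${entry#*/} ;;
        *)   ip=$entry; prefix=32 ;;
    esac
    # prefix must be digits only and at most 32
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    # exactly four dotted octets, each digits only and at most 255
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Walks the file exactly the way fw.sh does (whitespace-separated tokens, so a
# "# comment" line yields bad tokens too), prints every entry iptables would
# reject and returns 1 if there is at least one.
validate_ip_list() {
    bad=0
    for x in $(cat "$1"); do
        valid_ipv4_cidr "$x" || { echo "invalid entry: $x"; bad=1; }
    done
    return $bad
}
```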


Clearing Firewall

To clear the firewall you can use the following commands, or make a bash file for convenience.

mkdir /temp
touch /temp/clear_fw.sh
chmod +x /temp/clear_fw.sh
nano /temp/clear_fw.sh

and paste the following:

#!/bin/sh
# ------------------------------------
# Syed Jahanzaib / aacable@hotmail.com
# https://aacable.wordpress.com
# Created: January, 2011
# Last Modified: 7th Jan, 2017
# Last Modified: 27th-Aug-2021 [for galaxy tech khi/pk]
# ------------------------------------

## Setting default filter policy, Use it with CARE / zaib
# Clear old firewall
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -F
iptables -X

Save & Exit.

To execute, use the command below:

/temp/fw.sh


Regards,
Syed Jahanzaib

Source: https://aacable.wordpress.com/2019/12/10/short-notes-for-unbound-caching-dns-server-under-ubuntu-18/

Posted by: mullensracter1947.blogspot.com
