
Unbound Pi-hole

As you know by now, Pi-hole is one of my most recommended Raspberry Pi projects: not only does it work great as a network-wide ad blocker, but it is always getting better. The Pi-hole team keeps making improvements, and the latest is integration with Unbound, which lets you run your own local recursive DNS server, giving you a level of security that has really never been seen in the DIY space.

Integrating Unbound into your Raspberry Pi based Pi-hole system removes your dependency on the middleman recursive DNS servers run by Google, OpenDNS and Cloudflare, which does a couple of things for you. First, it stops you from handing your data to a company that could be using it for any number of reasons, and it also makes you less susceptible to attacks on these big-name DNS servers. But this level of security and data privacy does not come without drawbacks: it should be noted that because you are running the recursive DNS server locally, things might slow down a little the first time you load a new website, as Unbound needs to trace the path to the destination itself. In my testing, however, I have not seen any noticeable decline in speed, and once the site is cached you should not see any difference.

Setup of Unbound and Pi-hole is pretty simple: all you need to do is follow the steps below, and obviously if you already have Pi-hole up and running you can skip the initial setup steps.

First what will you need?

To begin the installation process you will need a MicroSD memory card and the ability to format it and burn an image to it. I am sure most of you know how to do these steps already, but I will give my recommendations: for formatting I prefer SD Memory Card Formatter for Windows, and to burn the image, Etcher.

Memory Card Preparation:

  1. Insert MicroSD Memory Card into a computer
  2. Open SD Memory Card Formatter for Windows
  3. In SD Memory Card Formatter for Windows Select the Drive that corresponds to your Memory Card
  4. In SD Memory Card Formatter for Windows Click Format and wait for it to finish
  5. Download the Raspbian disk image from https://www.raspberrypi.org/downloads/raspbian/
  6. Open Etcher.
  7. In Etcher Select the previously Downloaded Image
  8. In Etcher Select the Drive that corresponds to your Memory Card
  9. In Etcher Click Flash and wait for Etcher to Finish

Raspberry Pi Setup:

  1. From the Raspbian Desktop launch Terminal
  2. From Terminal install Pi-hole using the following command
  3. When the installer finishes we need to switch over to the FTLDNS beta by running the following commands in Terminal
  • echo "FTLDNS" | sudo tee /etc/pihole/ftlbranch
  • pihole checkout core FTLDNS
  • pihole checkout web FTLDNS
  4. Once you are on the FTLDNS beta branch you will need to install, configure and run Unbound by running the following commands (the second one opens the config file; paste the server: block below into it)
  • sudo apt install unbound
  • sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf
  • server:
        verbosity: 1
        port: 5353
        do-ip4: yes
        do-udp: yes
        do-tcp: yes
    
        # May be set to yes if you have IPv6 connectivity
        do-ip6: no
    
        # Use this only when you downloaded the list of primary root servers!
        root-hints: "/var/lib/unbound/root.hints"
    
        # Trust glue only if it is within the server's authority
        harden-glue: yes
    
        # Require DNSSEC data for trust-anchored zones; if such data is absent, the zone becomes BOGUS
        harden-dnssec-stripped: yes
    
        # Don't use capitalization randomization as it is known to cause DNSSEC issues sometimes
        # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
        use-caps-for-id: no
    
        # Reduce EDNS reassembly buffer size.
        # Suggested by the unbound man page to reduce fragmentation reassembly problems
        edns-buffer-size: 1472
    
        # TTL bounds for cache
        cache-min-ttl: 3600
        cache-max-ttl: 86400
    
        # Perform prefetching of close-to-expired message cache entries
        # This only applies to domains that have been frequently queried
        prefetch: yes
    
        # One thread should be sufficient, can be increased on beefy machines
        num-threads: 1
    
        # Ensure kernel buffer is large enough to not lose messages in traffic spikes
        so-rcvbuf: 1m
    
        # Ensure privacy of local IP ranges (private addresses are stripped from public answers)
        private-address: 192.168.0.0/16
        private-address: 172.16.0.0/12
        private-address: 10.0.0.0/8
  • sudo service unbound start
    
  5. Next we need to configure Pi-hole to use Unbound, which is done through your Pi-hole Admin Console by entering the information below as the Upstream DNS Server

[Image: RecursiveResolver]
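As an added check that is not part of the original post: a small Python lint that parses the server: block above and confirms the hardening options the post relies on are explicitly present (harden-glue, harden-dnssec-stripped, use-caps-for-id off, RFC 1918 private-address entries, which are Unbound's guard against DNS rebinding, and a port that matches the Pi-hole upstream). The sample config, function names and port argument are my own assumptions, not Pi-hole's or Unbound's code.

```python
"""Lint the Pi-hole style unbound server: block before (re)starting unbound."""
import ipaddress
from collections import defaultdict

# Constructed sample mirroring the pi-hole.conf shown above (same values).
SAMPLE_CONF = """server:
    port: 5353
    root-hints: "/var/lib/unbound/root.hints"
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: no
    private-address: 192.168.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
"""

# RFC 1918 ranges that private-address (Unbound's DNS-rebinding guard) should cover.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_server_block(text):
    """Return {option: [values]} for the server: section, comments stripped; repeated options keep every value."""
    opts, in_server = defaultdict(list), False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        if line.endswith(":") and not raw[:1].isspace():   # unindented section header
            in_server = line == "server:"
            continue
        if in_server:
            key, _, val = line.partition(":")
            opts[key.strip()].append(val.strip().strip('"'))
    return dict(opts)

def audit(opts, pihole_upstream_port="5353"):
    """Return findings; an empty list means the post's hardening options are all present."""
    findings = []
    for key in ("harden-glue", "harden-dnssec-stripped"):
        if opts.get(key, ["no"])[-1] != "yes":
            findings.append(f"{key} is not 'yes'")
    if opts.get("use-caps-for-id", ["no"])[-1] != "no":
        findings.append("use-caps-for-id should be 'no'")
    covered = [ipaddress.ip_network(v) for v in opts.get("private-address", [])]
    for net in RFC1918:
        if not any(net.subnet_of(c) for c in covered):
            findings.append(f"private-address does not cover {net}")
    if opts.get("port", ["53"])[-1] != pihole_upstream_port:
        findings.append(f"port must match the Pi-hole upstream 127.0.0.1#{pihole_upstream_port}")
    return findings
```

To check the real file, call audit(parse_server_block(open("/etc/unbound/unbound.conf.d/pi-hole.conf").read())) and treat any non-empty result as a reason not to restart the service yet.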

Hopefully many of you are using Pi-hole, as I cannot possibly recommend it enough. If you are, please let me know your thoughts on using Unbound to run your own local recursive DNS server in conjunction with Pi-hole in the comments below.


Mike

I am passionate about the IoT and connected devices. Using connectivity to automate our lives will empower civilization to achieve greatness.
