Unbound configuration file and some other tweaks

🎯 This repository hosts a version of Unbound server for OpenBSD with some tweaks that clean up your web experience.

📝 Here is the man page for the Unbound configuration file.
📝 Here is the documentation to optimize your Unbound for your resources.
📝 Here is the Response Policy Zones (RPZ) documentation.

🛡️ Secure your external DNS requests with DNS over TLS, configure the RPZ option, and build lists for a better and more efficient (reducing your carbon impact) web experience.

Prerequisites

  • You need an account with doas configured correctly.

  • Unbound enabled and started:

    • rcctl enable unbound
    • rcctl start unbound
  • Activate the modules below in your configuration file unbound.conf:

    • module-config: "respip validator iterator"
  • Check your configuration file before reloading:

    • unbound-checkconf /var/unbound/etc/unbound.conf
    • rcctl reload unbound

Usage

For unbound.conf change these values:

  • access-control: your_network_here/CIDR_prefix allow
  • interface: your_ip_here
  • private-address: your_network_here/CIDR_prefix

For unbound-ph15h1n9-001.sh update the backup path:

  • filebkp01="your_backup_path/2pz-l1s7-ph15h1n9-001.bkp"

Depending on the context, we sometimes need to use either redirect or RPZ.

  • Redirect is used when you want to block all subdomains under a TLD, including those which do not yet exist.
  • RPZ allows finer tuning: you can apply a policy to each record. Compared to redirect, if a record is not under an RPZ policy, resolution is provided❗️
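
The redirect-versus-RPZ distinction above, as an added example that is not part of this repository's scripts: it renders one constructed list both ways and models which queries each form covers. The zone name rpz.local, the 0.0.0.0 answer, the sample entries and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not the repository's script. The zone name "rpz.local", the
# 0.0.0.0 answer and the list entries below are assumptions (constructed).
sample_list() {
cat <<'EOF'
# constructed sample entries
Bad-TLD.example
login.bank.example.   # trailing dot and comment
login.bank.example
not a domain!
EOF
}

# Clean a list on stdin: drop comments, trim, lowercase, dedupe. Names that are
# not plain hostnames are rejected so a stray quote cannot end up in unbound.conf.
normalize() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/\.$//' |
    tr '[:upper:]' '[:lower:]' |
    grep -E '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)*[a-z0-9]([a-z0-9-]*[a-z0-9])?$' |
    LC_ALL=C sort -u
}

# Redirect: the apex data answers the name and every subdomain, existing or not.
to_redirect() {
    normalize | while IFS= read -r name; do
        printf 'local-zone: "%s." redirect\n' "$name"
        printf 'local-data: "%s. A 0.0.0.0"\n' "$name"
    done
}

# RPZ: one exact-match record per name ("CNAME ." answers NXDOMAIN).
to_rpz() {
    printf '$ORIGIN rpz.local.\n'
    normalize | while IFS= read -r name; do
        printf '%s CNAME .\n' "$name"
    done
}

# covered MODE QUERY: succeeds if the list on stdin applies policy to QUERY.
# Simplified model: RPZ here has no wildcard records, so only exact names match.
covered() {
    mode=$1; query=$2
    normalize | while IFS= read -r name; do
        case "$mode:$query" in
            redirect:"$name"|redirect:*."$name"|rpz:"$name") echo hit; break ;;
        esac
    done | grep -q hit
}
sample_list | to_redirect; sample_list | to_rpz
```

Run the generated redirect lines through unbound-checkconf before reloading, as in the prerequisites.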

Redirect (2d2)

  • 2d2-l1s7-8l4ckh4t-001
    This list is a redirect receiving all TLDs known as bad.
  • 2d2-l1s7-ph15h1n9-003.txt
    This list is a redirect receiving all TLDs coming from 🇫🇷 SMS services that are not listed in 2d2-l1s7-ph15h1n9-001.txt.

RPZ (2pz)

Script

Blueteam - Check new settings

You can test your Unbound server configuration here:

🐡 Have fun!