In my previous post I explained how to build a DNS sinkhole with Unbound by downloading block lists from different sources. I also tried to use dnscrypt in the setup, but I had to disable it because the service provided was unreliable.

Yesterday Cloudflare announced that they were providing a “privacy-first consumer DNS service”, whatever it means.





Since it’s Easter and I have more free time than usual, I thought it would be cool to have a look and update my DNS sinkhole at home.

While I was searching for information related to DNS over TLS, that is one of the main features provided by Cloudflare, I came across Quad9, that it’s offering the same service. They have been in the news a lot but I didn’t play attention because the media outlets only reported it as an alternative to Google DNS and back then I was too busy.

In a nutshell, Quad9 is a sinkhole that blocks DNS requests to malicious domains, that is pretty much the same I am doing at home with Unbound and a shell script, but with more resources. My blackhole hast more than 30K domains blacklisted, that is not bad at all :)

At the end, I decided to use the DNS over TLS resolvers from Quad9, but you can find the resolvers from Cloudflare commented out in the configuration file. I will keep my own list of blocked domains for the time being, but I may kill it in the future because my configuration fails every now and then when the domain names have non-acii characters.

The minimum configuration options are:

  • ssl-upstream tells Unbound to use TLS to communicate with the upstream server.
  • ip_add@port to define the upstream server.

Additionally I am using configuration parameters that come in handy:

  • minimal-responses: yes

    Reduces the size of the response when possible to improve the performance a bit.

  • prefetch: yes

    Fetch the about to expire cache elements.

  • qname-minimisation: yes

    Best effort to send minimum amount of info to the upstream servers but not super helpful.

Notice that Unbound is not running daemonized because it’s being monitored by the Daemontools supervisor. That is also why the configuration and control files are not placed in the usual locations.

server:
        interface: 10.10.10.10
        access-control: 127.0.0.0/8 allow
        access-control: 10.10.10.0/24 allow
        do-daemonize: no
        logfile: ""

        username: unbound
        directory: /usr/local/var/service/unbound
        chroot: /usr/local/var/service/unbound
        pidfile: /usr/local/var/service/unbound/unbound.pid
        verbosity: 1

        minimal-responses: yes
        prefetch: yes
        qname-minimisation: yes

        # we are doing DNS over TLS
        ssl-upstream: yes

        root-hints: /usr/local/var/service/unbound/config/root.hints
        # my DNS zone at home
        include:    /usr/local/var/service/unbound/config/local.zone
        # autogenerated every night to block malicious domains
        include:    /usr/local/var/service/unbound/config/blackhole.zone


forward-zone:
   name: "."
   forward-addr: 9.9.9.9@853         # quad9.net primary
   forward-addr: 149.112.112.112@853 # quad9.net secondary
   #forward-addr: 1.1.1.1@853        # cloudflare primary
   #forward-addr: 1.0.0.1@853        # cloudflare secondary


remote-control:
       control-enable: yes
       control-interface: /usr/local/var/service/unbound/control.clt
       control-use-cert: no