
Tuesday, 27 April 2021

Installing Unbound DNS

Running a personal server on Windows 10 Pro or Home exposes you to quite a few limitations.
For my part, I run hMailServer and SpamAssassin on one of my personal servers, and I ran into a rather annoying problem with the latter...

Some of SpamAssassin's tests do not permit the use of public DNS resolvers: the URIBL and Spamhaus blocklists, among others, refuse or throttle queries that arrive through large shared resolvers such as Google's or Cloudflare's, so those checks return no usable answer.

That is a real nuisance, because it makes SpamAssassin less effective.
I use Pi-hole on the rest of my network, but I wanted to cut latency as much as possible and, better still, to have a local cache that is as easy to manage as possible.
That is where Unbound DNS comes in.

Not only is it free, it also does everything I expect of it!

To set it up you essentially need two things:

  1. Unbound DNS: https://nlnetlabs.nl/projects/unbound/download/
  2. Knowing how to click ^^
In fact, you just need to install it and point your DNS at 127.0.0.1; out of the box that is enough for many people. (If you would rather not change the system resolver, SpamAssassin can be told directly with `dns_server 127.0.0.1` in its local.cf.)
Here is a commented example configuration:
# Unbound configuration file on windows.
# See example.conf for more settings and syntax
server:
    # verbosity level 0-4 of logging
    verbosity: 0

    # On windows you may want to make all the paths relative to the
    # directory that has the executable in it (unbound.exe).  Use this.
    directory: "%EXECUTABLE%"

    # if you want to log to a file use
    #logfile: "C:\unbound.log"
    # or use "unbound.log" and the directory clause above to put it in
    # the directory where the executable is.

    # on Windows, this setting makes reports go into the Application log
    # found in ControlPanels - System tasks - Logs
    use-syslog: yes

    # on Windows, this setting adds the certificates from the Windows
    # Cert Store.  For when you want to use forwarders with TLS.
    tls-win-cert: yes
    
    # Only answer recursive queries from LAN clients. Ranges not listed here
    # are refused (Unbound's built-in rule for 0.0.0.0/0 and ::0/0 is
    # "refuse"); since the interfaces below bind to every address, also keep
    # UDP/TCP port 53 restricted to the LAN in the Windows firewall.
    access-control: 172.16.0.0/16 allow
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow
    
    # Listen for queries from clients on these addresses (all interfaces)
    # and answer from them, on the default port 53.
    interface: ::
    interface: 0.0.0.0
    
    # RFC 8198. Use the DNSSEC NSEC chain to synthesize NXDOMAIN and other
    # denials, using information from previous NXDOMAIN answers. In other
    # words, use cached NSEC records to generate negative answers within a
    # range and positive answers from wildcards. This increases performance,
    # decreases latency and resource utilization on both authoritative and
    # recursive servers, and increases privacy. Also, it may help increase
    # resilience to certain DoS attacks in some circumstances.
    aggressive-nsec: yes
    
    # Time to live maximum for RRsets and messages in the cache. If the maximum
    # kicks in, responses to clients still get decrementing TTLs based on the
    # original (larger) values. When the internal TTL expires, the cache item
    # has expired. Can be set lower to force the resolver to query for data
    # often, and not trust (very large) TTL values.
    cache-max-ttl: 86400
    
    # Time to live minimum for RRsets and messages in the cache. If the minimum
    # kicks in, the data is cached for longer than the domain owner intended,
    # and thus less queries are made to look up the data. Zero makes sure the
    # data in the cache is as the domain owner intended, higher values,
    # especially more than an hour or so, can lead to trouble as the data in
    # the cache does not match up with the actual data any more.
    cache-min-ttl: 300
    
    # Refuse id.server and hostname.bind queries
    hide-identity: yes
    
    # Refuse version.server and version.bind queries
    hide-version: yes
    
    # Send minimum amount of information to upstream servers to enhance
    # privacy (best privacy).
    qname-minimisation: yes
    
    # Rotates RRSet order in response (the pseudo-random number is taken from
    # the query ID, for speed and thread safety).
    rrset-roundrobin: yes
    
    # Use 0x20-encoded random bits in the query to foil spoof attempts. This
    # perturbs the lowercase and uppercase of query names sent to authority
    # servers and checks if the reply still has the correct casing.
    # This feature is an experimental implementation of draft dns-0x20.
    # Experimental option.
    use-caps-for-id: yes
    
    ###########################################################################
    # PERFORMANCE SETTINGS
    ###########################################################################
    # https://nlnetlabs.nl/documentation/unbound/howto-optimise/

    # Number of slabs in the infrastructure cache. Slabs reduce lock contention
    # by threads. Must be set to a power of 2.
    infra-cache-slabs: 4

    # Number of slabs in the key cache. Slabs reduce lock contention by
    # threads. Must be set to a power of 2. Setting (close) to the number
    # of cpus is a reasonable guess.
    key-cache-slabs: 4

    # Size of the message cache in bytes.
    # Unbound's recommendation is to use roughly twice as much rrset cache
    # memory as msg cache memory.
    msg-cache-size: 128525653

    # Number of slabs in the message cache. Slabs reduce lock contention by
    # threads. Must be set to a power of 2. Setting (close) to the number of
    # cpus is a reasonable guess.
    msg-cache-slabs: 4

    # The number of queries that every thread will service simultaneously. If
    # more queries arrive that need servicing, and no queries can be jostled
    # out (see jostle-timeout), then the queries are dropped.
    # This is best set at half the number of the outgoing-range.
    # This Unbound instance was compiled with libevent so it can efficiently
    # use more than 1024 file descriptors.
    num-queries-per-thread: 4096

    # The number of threads to create to serve clients. This is a static
    # setting, not adjusted at run time: set it to the number of CPU cores
    # you want Unbound to use (the *-slabs values above should be a power of
    # 2 close to it).
    num-threads: 3

    # Number of ports to open. This number of file descriptors can be opened
    # per thread.
    # This Unbound instance was compiled with libevent so it can efficiently
    # use more than 1024 file descriptors.
    outgoing-range: 8192

    # Number of bytes size of the RRset cache.
    # Use roughly twice as much rrset cache memory as msg cache memory
    rrset-cache-size: 257051306

    # Number of slabs in the RRset cache. Slabs reduce lock contention by
    # threads. Must be set to a power of 2.
    rrset-cache-slabs: 4

    # Do no insert authority/additional sections into response messages when
    # those sections are not required. This reduces response size
    # significantly, and may avoid TCP fallback for some responses. This may
    # cause a slight speedup.
    minimal-responses: yes

    # Prefetch message cache elements before they expire, to keep popular
    # items in the cache. Costs about 10% more upstream traffic and load,
    # but lowers latency for clients.
    prefetch: yes

    # Fetch the DNSKEYs earlier in the validation process, when a DS record is
    # encountered. This lowers the latency of requests at the expense of little
    # more CPU usage.
    prefetch-key: yes

    # Have unbound attempt to serve old responses from cache with a TTL of 0 in
    # the response without waiting for the actual resolution to finish. The
    # actual resolution answer ends up in the cache later on.
    serve-expired: yes

    # Open dedicated listening sockets for incoming queries for each thread and
    # try to set the SO_REUSEPORT socket option on each socket. May distribute
    # incoming queries to threads more evenly.
    so-reuseport: yes

remote-control:
    # If you want to use unbound-control.exe from the command line, use
    #control-enable: yes
    #control-interface: 127.0.0.1
    #control-use-cert: no

# DNSSEC trust anchor for the root zone (a second server: clause is merged
# with the first). Unbound tracks key rollovers with RFC 5011 and rewrites
# this file, so it must stay writable by the service account.
server:
    auto-trust-anchor-file: "C:\Program Files\Unbound\root.key"
As you can see (or not), most of the settings are performance-oriented, and nothing says this is a good configuration for you (nor for me; I am only at the beginning of the tuning/testing/learning).
But it has to be said that it works remarkably well.
I relied on this blog for my first steps; it is very instructive: https://korben.info/installer-serveur-dns-unbound.html
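As an added worked example (not from the original post, and not code from NLnet Labs), here are the PowerShell steps that turn the configuration above into a working setup and check the behaviour the post relies on: syntax-check the file, restart the service, send the adapter's queries to 127.0.0.1, then confirm that ordinary names resolve, that DNSSEC validation rejects a deliberately broken zone instead of answering, and that a DNSBL test query is answered rather than refused as coming from a public resolver. Assumed, because the post does not state them: the default install directory C:\Program Files\Unbound with its service.conf, the Windows service name unbound, the adapter alias Ethernet, and the public test names dnssec-failed.org and 2.0.0.127.zen.spamhaus.org.

```powershell
# Added example, not part of the original post. Run from an elevated PowerShell.
# Assumptions: default install dir, service name "unbound", adapter alias "Ethernet".
$unboundDir = 'C:\Program Files\Unbound'
$conf       = Join-Path $unboundDir 'service.conf'
$adapter    = 'Ethernet'

# 1. Syntax-check the configuration before touching the running service.
& (Join-Path $unboundDir 'unbound-checkconf.exe') $conf
if ($LASTEXITCODE -ne 0) { throw "unbound-checkconf rejected $conf" }

# 2. Restart the Windows service so the new configuration is loaded.
Restart-Service -Name unbound
if ((Get-Service -Name unbound).Status -ne 'Running') { throw 'unbound service is not running' }

# 3. Send the adapter's DNS queries to the local resolver only, and drop the client cache.
Set-DnsClientServerAddress -InterfaceAlias $adapter -ServerAddresses 127.0.0.1
Clear-DnsClientCache

# 4. Ordinary resolution through Unbound.
Resolve-DnsName -Name nlnetlabs.nl -Type A -Server 127.0.0.1 | Select-Object Name, IPAddress

# 5. DNSSEC validation: a zone with a deliberately broken signature must come back
#    SERVFAIL (Resolve-DnsName returns nothing with -ErrorAction SilentlyContinue).
$broken = Resolve-DnsName -Name dnssec-failed.org -Type A -Server 127.0.0.1 -ErrorAction SilentlyContinue
if ($broken) { Write-Warning 'dnssec-failed.org resolved: DNSSEC validation is NOT active' }
else         { Write-Host 'DNSSEC validation OK: dnssec-failed.org was rejected' }

# 6. DNSBL test entry. Spamhaus answers 2.0.0.127.zen.spamhaus.org with list codes such as
#    127.0.0.2 / 127.0.0.4 / 127.0.0.10; 127.255.255.254 means the query was seen as coming
#    from a public/open resolver and refused, which is the failure the post describes.
$zen   = Resolve-DnsName -Name 2.0.0.127.zen.spamhaus.org -Type A -Server 127.0.0.1 -ErrorAction SilentlyContinue
$codes = @($zen | Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress })
if ($codes -contains '127.255.255.254') { Write-Warning 'Spamhaus refused the query: it still sees a public resolver' }
elseif ($codes.Count -gt 0)             { Write-Host "DNSBL test entry answered: $($codes -join ', ')" }
else                                     { Write-Warning 'No answer from zen.spamhaus.org (check upstream reachability)' }
```

Step 6 is the check that matters for the SpamAssassin problem: once Unbound performs the recursion itself, the blocklist sees your own public IP rather than a shared resolver's, and the test entry answers with list codes instead of the refusal code.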

© Le blog de bagu, after the WP Dusk To Dawn theme. Powered by Dotclear