The OpenBSD BASED Challenge Day 4

by Root BSD

My first time ever setting up local unbound(8)!

So awhile ago a friend of mine on the fediverse was talking about not trusting your ISP to do your DNS resolving, but resolving your DNS locally (i.e. rolling your own DNS server), for more privacy. I've used dnscrypt-proxy before in the past, but OpenBSD has it's own DNS validating resolver, unbound(8). I have never use unbound(8) before so I'm a total amatuer at this, take it easy on me, this was my first time setting something like this up!

I had a lot help from this guide here,

To begin we enable and start the unbound daemon,

doas rcctl enable unbound doas rcctl start unbound

Then we need to set /etc/resolv.conf to

doas rcctl stop resolvd

Replace the existing nameserver in the resolv.conf with this,


Test unbound(8) to make sure it's working with dig, a DNS lookup utility,


; <<>> dig 9.10.8-P1 <<>> ;; global options: +cmd ;; Got answer: ;; –>>HEADER<<– opcode: QUERY, status: NOERROR, id: 2971 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ;; QUESTION SECTION: ; IN A


;; Query time: 449 msec ;; SERVER: ;; WHEN: Wed Jan 05 00:40:54 MST 2022 ;; MSG SIZE rcvd: 56

Voila! It works as expected. Then we can enable DNSSEC with unbound-anchor(8). unbound-anchor(8) performs setup or update of the root trust anchor for DNSSEC validation (per the manpage). This downloads something called the KSK or root key signing key.

doas unbound-anchor -a "/var/unbound/db/root.key"

Then you can configure unbound(8) via /var/unbound/etc/unbound.conf. The KSK is signing and verifying the DNS entries to ensure privacy and prevents something like DNS cache poisoning or spoofing. I chose to use a root-hints file, (unbound does have it's own as well), but this appeared to be a better option in the unbound.conf(8) manpage,

β€œRead the root hints from this file. Default is nothing, using builtin hints for the IN class. The file has the format of zone files, with root nameserver names and addresses only. The default may become outdated, when servers change, therefore it is good practice to use a root-hints file.”

root-hints: β€œ/var/unbound/db/root.hints” auto-trust-anchor-file: β€œ/var/unbound/db/root.key” qname-minimisation: yes

Then I retrieved a root.hints file, is a master list of primary root DNS servers worldwide. Using OpenBSD's native tools, ftp(1)

cd /var/unbound/db doas ftp && doas mv named.root root.hints

You can also do it like this,

ftp -S do -o /var/unbound/db/root.hints

Then we can use the unbound-checkconf(8) tool to make sure I didn't make any errors,

doas unbound-checkconf unbound-checkconf: no errors in /var/unbound/etc/unbound.conf doas rcctl restart unbound doas rcctl disable resolvd to disable overwriting of my /etc/resolv.conf

Everything works, I performed some tests from the article linked above, rebooted the machine and everything works great! DNS caching is resolved locally, I think I'm doing everything right. It was suggested in the article that I can use nsd(8) in conjunction with unbound. nsd(8) an implementation of an authoritative DNS nameserver. I will look into that at a later date.

I also enabled randomized MAC addresses to be assigned to my wifi for extra privacy and security, by adding this to my /etc/hostname.interface

lladdr random nwid (network id) wpakey (wifi passphrase)

The link layer address is set to random. I put on my tin foil hat and feel safer now!

All in all, I am happy to finally try out unbound(8) and learn more about these tools. As I said, this is my first time doing this so I'm a bit of a noob. Well that's all, happy hacking in OpenBSD!