Unbound
1- doas nano /var/unbound/etc/unbound.conf
2- doas nano /etc/resolv.conf
lookup file bind
nameserver 127.0.0.1
3- Contents of /var/unbound/etc/unbound.conf:
# $OpenBSD: unbound.conf,v 1.21 2020/10/28 11:35:58 sthen Exp $
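server:
	interface: 127.0.0.1
	#interface: 127.0.0.1@5353	# listen on alternative port
	interface: ::1
	#do-ip6: no

	# override the default "any" address to send queries; if multiple
	# addresses are available, they are used randomly to counter spoofing
	#outgoing-interface: 192.0.2.1
	#outgoing-interface: 2001:db8::53

	# Only the local host may query this resolver: the catch-all entries
	# refuse everything, the loopback entries are the more specific match.
	access-control: 0.0.0.0/0 refuse
	access-control: 127.0.0.0/8 allow
	access-control: ::0/0 refuse
	access-control: ::1 allow

	# Refuse id.server/hostname.bind and version.server/version.bind
	# queries. One directive per line -- the pasted copy had hide-identity
	# appended to the last access-control line.
	hide-identity: yes
	hide-version: yes

	# Perform DNSSEC validation.
	#
	# NOTE(review): still disabled here, so answers from the forwarders
	# below are accepted without validation; val-log-level only has an
	# effect once validation is turned on.
	#auto-trust-anchor-file: "/var/unbound/db/root.key"
	val-log-level: 2

	# Synthesize NXDOMAINs from DNSSEC NSEC chains.
	# https://tools.ietf.org/html/rfc8198
	#
	#aggressive-nsec: yes

	# Serve zones authoritatively from Unbound to resolver clients.
	# Not for external service.
	#
	#local-zone: "local." static
	#local-data: "mycomputer.local. IN A 192.0.2.51"
	#local-zone: "2.0.192.in-addr.arpa." static
	#local-data-ptr: "192.0.2.51 mycomputer.local"

	# Use TCP for "forward-zone" requests. Useful if you are making
	# DNS requests over an SSH port forwarding.
	#
	#tcp-upstream: yes

	# CA Certificates used for forward-tls-upstream (RFC7858) hostname
	# verification. Since it's outside the chroot it is only loaded at
	# startup and thus cannot be changed via a reload.
	#tls-cert-bundle: "/etc/ssl/cert.pem"

remote-control:
	control-enable: yes
	control-interface: /var/run/unbound.sock

# Use an upstream forwarder (recursive resolver) for some or all zones.
#
#forward-zone:
#	name: "."				# use for ALL queries
#	forward-addr: 192.0.2.53		# example address only
#	forward-first: yes			# try direct if forwarder fails

# Use an upstream DNS-over-TLS forwarder and do not fall back to cleartext
# if that fails.
#forward-zone:
#	name: "."
#	forward-tls-upstream: yes		# use DNS-over-TLS forwarder
#	forward-first: no			# do NOT send direct
#	# the hostname after "#" is not a comment, it is used for TLS checks:
#	forward-addr: 192.0.2.53@853#resolver.hostname.example

# Active forwarders: every query (name ".") is sent to one of the servers
# below. No @port is given, so plain DNS on port 53 is used, and
# forward-tls-upstream is not set -- whichever forwarder is chosen sees
# the full query stream in cleartext, and with auto-trust-anchor-file
# commented out its answers are not DNSSEC validated. The list is 9.9.9.9
# plus the "No logs kept" servers scraped from https://servers.opennic.org
# (see the note at the end of this page). Each address appears once.
forward-zone:
	name: "."
	forward-addr: 9.9.9.9
	forward-addr: 134.195.4.2
	forward-addr: 5.132.191.104
	forward-addr: 172.105.162.206
	forward-addr: 142.4.204.111
	forward-addr: 142.4.205.47
	forward-addr: 142.93.148.79
	forward-addr: 45.61.49.203
	forward-addr: 198.50.135.212
	forward-addr: 159.89.120.99
	forward-addr: 66.70.228.164
	forward-addr: 51.89.88.77
	forward-addr: 94.130.96.6
	forward-addr: 78.31.67.99
	forward-addr: 94.16.114.254
	forward-addr: 45.9.63.233
	forward-addr: 185.84.81.194
	forward-addr: 217.160.188.24
	forward-addr: 78.47.243.3
	forward-addr: 89.163.140.67
	forward-addr: 88.198.92.222
	forward-addr: 194.36.144.87
	forward-addr: 130.61.64.122
	forward-addr: 195.10.195.195
	forward-addr: 130.61.69.123
	forward-addr: 185.120.22.15
	forward-addr: 94.247.43.254
	forward-addr: 95.217.16.205
	forward-addr: 144.76.157.242
	forward-addr: 95.217.229.211
	forward-addr: 151.80.222.79
	forward-addr: 172.105.49.243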
4- To start unbound:
$ doas rcctl enable unbound
$ doas rcctl start unbound
Note: to refresh the forwarder addresses:
Open https://servers.opennic.org, then paste the following into your browser console:
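// Build the forward-addr lines for unbound.conf from https://servers.opennic.org.
// Keeps only rows whose first cell is marked "No logs kept", de-duplicates the
// addresses, and writes the result into the page as plain text via innerText
// (newlines become line breaks) so that nothing scraped from the page is ever
// interpreted as HTML, as the earlier innerHTML+= version did.
clear();
const rows = document.querySelectorAll("html body div#frame div#view div#srvlist div p");
// 9.9.9.9 stays the first forwarder, as in the original list.
const addrs = new Set(["9.9.9.9"]);
rows.forEach((row) => {
  // Assumed row layout: childNodes[0].childNodes[1].title carries the log
  // policy, childNodes[2].childNodes[0].data carries the address -- verify
  // against the live page if the site layout changes. Rows without those
  // nodes are skipped instead of throwing and aborting the whole loop.
  const policyCell = row.childNodes[0];
  const policyNode = policyCell && policyCell.childNodes[1];
  const addrCell = row.childNodes[2];
  const addrNode = addrCell && addrCell.childNodes[0];
  if (policyNode && policyNode.title === "No logs kept" && addrNode && addrNode.data) {
    addrs.add(addrNode.data.trim());
  }
});
document.body.innerText = [...addrs].map((a) => `forward-addr: ${a}`).join("\n");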