Unbound: Adding Custom DNS Records

When I wrote my post on configuring DNS, DHCP and NTP on a Raspberry Pi, I forgot to include information on how to add your own DNS records to Unbound (straightforward as it is). So in this post, I'll give a very brief overview.

All changes should be made in an Unbound configuration file (probably /etc/unbound/unbound.conf, though you could also put them into a file in local.d, depending on your distribution; see below).


Adding an A Record

Assuming we want to add an A record for 'mycomputer.home', which has an IP of 10.0.1.8:

   local-data: "mycomputer.home A 10.0.1.8"


Adding a PTR Record

A PTR record (sometimes known as a reverse DNS record) allows you to request the hostname used by an IP (i.e. rather than running a DNS query for mycomputer.home, you're asking for the hostname of the machine at 10.0.1.8):

   local-data-ptr: "10.0.1.8 mycomputer.home"


CNAMEs

You can add a CNAME entry in local-data; however, as Unbound isn't an authoritative server, it won't expand it. If a client makes a query for an A record, they won't receive the CNAME in response. There's more info on the Unbound mailing lists.

The only time your entry will be returned is if the client queries for a CNAME, which in practice means it'll probably be returned quite rarely.

Still, if you want to add a CNAME anyway, you can do this:

   local-data: "computer1 CNAME mycomputer.home"

If you really need your local DNS server to resolve the CNAMEs, the trick is to run BIND or NSD on another port and create a stub-zone within Unbound that points at it.


Using Unbound to block Ads

When using my PC, I've no real problem with seeing ads, there's plenty of real estate to use and they help offset the cost of providing content for free. On my phone, though, I can't abide them, especially those that insist on popping up in the middle of a game, just as you're touching the screen.

Using Unbound, you can easily blackhole the ad-serving domains (albeit network-wide), but given the number of domains in use, it's not something you really want to be doing by hand.

With a simple BASH script, you can pull down a blocklist and generate the local-data entries:

   #!/bin/bash
   #
   # Update the dummy ads block
   #
   # From http://www.bentasker.co.uk/documentation/linux/279-unbound-adding-custom-dns-records
   cd /etc/unbound/local.d/ || exit 1
   rm -f ads.conf
   # One local-data line per domain in the list, all pointing at the sink address
   for a in $(wget -q -O - "http://www.bentasker.co.uk/adblock/autolist.txt"); do
      echo " local-data: \"$a A 127.0.0.2\"" >> ads.conf
   done
   service unbound reload

The autolist is refreshed regularly from pgl.yoyo.org, and any domain blackholed as a result of that list will resolve to 127.0.0.2.

Add it as a cronjob to run at whatever interval you desire, or run it manually periodically.
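The script above appends every line of the downloaded list straight into Unbound's configuration, so a malformed or tampered list (the download is plain HTTP) can break the config or slip unrelated directives into it. What follows is an added example, not part of the original post, of the same update done the cautious way: each line is validated as a hostname before it becomes a local-data entry, the result goes to a temporary file, and the live ads.conf is only replaced if unbound-checkconf accepts the configuration, with a rollback otherwise. It keeps the post's URL, path and 127.0.0.2 sink; the function names, the `update` argument and the sample input are this example's own assumptions.

```bash
#!/bin/bash
# Added example (not from the original post): regenerate the ad blocklist for
# Unbound without trusting the downloaded list. Every line is validated as a
# hostname before it becomes a local-data entry, the result is written to a
# temporary file, and the live file is only replaced if unbound-checkconf
# accepts the configuration. URL, path and sink address are the post's;
# the function names and the sample input below are this example's own.
set -u

BLOCKLIST_URL="http://www.bentasker.co.uk/adblock/autolist.txt"
ADS_CONF="/etc/unbound/local.d/ads.conf"
SINK="127.0.0.2"

# Hostnames on stdin -> one local-data line per accepted name on stdout.
# Accepts only labels of letters, digits and hyphens (no leading or trailing
# hyphen, 63 chars max) joined by dots, 253 chars total. Blank lines,
# comments, whitespace, quotes and anything else that could smuggle extra
# configuration into the file are dropped rather than written out.
gen_local_data() {
    tr -d '\r' \
    | grep -E '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$' \
    | awk -v sink="$SINK" 'length($0) <= 253 { printf "local-data: \"%s A %s\"\n", $0, sink }'
}

# Download, filter, validate, swap in, reload. Each step fails closed: the
# previous ads.conf stays in place unless the new one is non-empty and parses.
update_blocklist() {
    raw=$(mktemp) || return 1
    cand=$(mktemp "${ADS_CONF}.XXXXXX") || { rm -f "$raw"; return 1; }

    if ! wget -q -O "$raw" "$BLOCKLIST_URL"; then
        echo "download failed; keeping existing $ADS_CONF" >&2
        rm -f "$raw" "$cand"; return 1
    fi
    gen_local_data < "$raw" > "$cand"
    rm -f "$raw"

    # An empty result would silently unblock everything, so treat it as failure.
    if [ ! -s "$cand" ]; then
        echo "no valid entries in list; keeping existing $ADS_CONF" >&2
        rm -f "$cand"; return 1
    fi

    # mktemp creates 0600 files; Unbound re-reads its config as its own user
    # on reload, so the include must be readable by that user.
    chmod 644 "$cand"
    [ -f "$ADS_CONF" ] && cp -p "$ADS_CONF" "$ADS_CONF.bak"
    mv "$cand" "$ADS_CONF"

    # Parse the whole config with the new include in place; roll back on error.
    if ! unbound-checkconf >/dev/null; then
        echo "unbound-checkconf rejected the new list; restoring previous file" >&2
        [ -f "$ADS_CONF.bak" ] && mv "$ADS_CONF.bak" "$ADS_CONF"
        return 1
    fi
    service unbound reload
}

# Constructed sample list (not the real autolist): one valid name, a line
# that tries to smuggle a second record past the quoting, an invalid label,
# a comment, a blank line and a mixed-case name.
demo_input() {
    printf '%s\n' \
        'ads.example.net' \
        'tracker.example.org" A 10.0.0.1"' \
        '-bad-.example' \
        '# comment' \
        '' \
        'Pixel.Example.com'
}

case "${1:-}" in
    update) update_blocklist ;;
    *)      demo_input | gen_local_data ;;   # prints the two accepted entries
esac
```

Run it with no arguments to see the filter applied to the constructed sample list (only ads.example.net and Pixel.Example.com survive); run it as root with `update`, from cron or by hand, to fetch and install the real list. The validation deliberately rejects underscores and other characters that are not valid in hostnames, so if your list legitimately contains such names you would need to widen the pattern; `unbound-checkconf` is Unbound's own config checker, while the reload command depends on your init system as in the post.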


Older versions of Unbound

One issue I did find with this mechanism is that Unbound v1.4.17 doesn't seem to include (or support) a wildcard include of files in local.d. Version 1.4.21 comes pre-configured with support for it, but if you're running the older version you'll probably want to add this to unbound.conf (just after any local-data declarations):

   include: /etc/unbound/local.d/ads.conf