Unbound 1.13 as Intranet DNS server

Modified on Tue, 13 Jun, 2023 at 9:39 AM

By taking control of DNS name resolution, at least for a network you control such as an intranet, you can choose the names that machines and services use locally.


This guide shows how to do it on Ubuntu 22.04; the steps should translate easily to other distributions.


The network name "forest.local" is used as an example throughout; replace it with your own network name when following this documentation.


Information required:


  • The local network CIDR, i.e. the CIDR of the network the end-user computers are connected to; for example, 192.168.0.0/16 is a valid network CIDR.

  • The name of the network to use instead of forest.local.

  • The IP address of the primary DNS server currently used by your network (if you don't have one, you can use the Google public DNS server 8.8.8.8 or any other).

  • The IP address of the secondary DNS server currently used by your network (if you don't have one, you can use the Cloudflare public DNS server 1.1.1.1 or any other).



Unbound installation:



$> sudo apt update
....command output...
$> sudo apt install unbound
....command output...


Other Linux distributions can download it directly from here


Configuring Unbound:

Adjust the "labview" section in the file /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf, replacing the placeholders with the correct values.


You should also replace:


  • The IP address "192.168.15.51" with the IP address where the Labforward applications are running.


This is the initial template for your configuration file:



# You can know more about configuring Unbound in: 
# https://nlnetlabs.nl/documentation/unbound/unbound.conf/ 
server:
    interface: 0.0.0.0
    interface: 127.0.0.53 #Address of the systemd-resolved stub listener, which Unbound takes over
    port: 53
    access-control: 192.168.0.0/16 allow #Which network can use this service
    access-control: 127.0.0.0/8 allow #Allow local services to use this service
    access-control-view: 192.168.0.0/16 labview #Apply the labview for clients from this network
    access-control-view: 127.0.0.0/8 labview #Apply the labview for local services
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes

    # Enable DNSSEC validation (optional but recommended)
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

# Forward DNS queries to upstream resolvers
# (forward-zone is a top-level clause in unbound.conf, not part of server:)
forward-zone:
    name: "."
    forward-addr: <Primary DNS IP>
    forward-addr: <Secondary DNS IP>
view:
    # Locally defined names and respective IP addresses
    name: "labview"
    # local-zone has the same value as domain property in the admin console.
    local-zone: "labforward.forest.local." static
    local-data: "account.labforward.forest.local.  10880 IN A 192.168.15.51"
    local-data: "labregister.forest.local.  10880 IN A 192.168.15.51"
    local-data: "labfolder.labforward.forest.local.  10880 IN A 192.168.15.51"
    local-data: "laboperator.labforward.forest.local.  10880 IN A 192.168.15.51"
    local-data: "fos.labforward.forest.local.  10880 IN A 192.168.15.51"
    local-data: "connector-manager.labforward.forest.local.  10880 IN A 192.168.15.51"
    local-data: "workflow-editor.labforward.forest.local.  10880 IN A 192.168.15.51"
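As an added example (not part of the original article and not Labforward's own tooling), the following Python script fills the template above from the values listed under "Information required", and checks a hand-edited file for local-data records that still point at the template's 192.168.15.51. It refuses a 0.0.0.0/0 network, because allowing every client would turn Unbound into an open resolver. The function names and the order of the generated lines are this example's own.

```python
import ipaddress
import re
# Names the article's template maps to the Labforward host, relative to the
# network domain (labregister sits directly under it, the rest under labforward.<domain>).
LOCAL_NAMES = ["account.labforward", "labregister", "labfolder.labforward",
               "laboperator.labforward", "fos.labforward",
               "connector-manager.labforward", "workflow-editor.labforward"]
LOCAL_DATA_RE = re.compile(r'local-data:\s*"(\S+)\s+\d+\s+IN\s+A\s+([0-9.]+)"')


def render_unbound_conf(network_cidr, domain, app_ip, primary_dns, secondary_dns, ttl=10880):
    """Fill the article's template from the 'Information required' values.
    Raises ValueError instead of emitting a config with a malformed value or an
    access-control of 0.0.0.0/0, which would make Unbound an open resolver."""
    net = ipaddress.ip_network(network_cidr, strict=True)  # rejects host bits set
    if net.prefixlen == 0:
        raise ValueError("refusing to allow 0.0.0.0/0: that is an open resolver")
    app, pri, sec = (str(ipaddress.ip_address(a)) for a in (app_ip, primary_dns, secondary_dns))
    zone = domain.strip(".").lower()
    if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", zone):
        raise ValueError(f"not a usable network name: {domain!r}")
    lines = [
        "server:",
        "    interface: 0.0.0.0",
        "    interface: 127.0.0.53",  # address of the systemd-resolved stub listener
        "    port: 53",
        f"    access-control: {net} allow",
        "    access-control: 127.0.0.0/8 allow",
        f"    access-control-view: {net} labview",
        "    access-control-view: 127.0.0.0/8 labview",
        "    do-ip4: yes", "    do-ip6: no", "    do-udp: yes", "    do-tcp: yes",
        '    auto-trust-anchor-file: "/var/lib/unbound/root.key"',
        "forward-zone:",  # a top-level clause in unbound.conf, not part of server:
        '    name: "."',
        f"    forward-addr: {pri}",
        f"    forward-addr: {sec}",
        "view:",
        '    name: "labview"',
        f'    local-zone: "labforward.{zone}." static',
    ]
    lines += [f'    local-data: "{n}.{zone}.  {ttl} IN A {app}"' for n in LOCAL_NAMES]
    return "\n".join(lines) + "\n"


def stale_app_records(conf_text, app_ip):
    """Names of local-data A records not pointing at app_ip, e.g. lines that
    still carry the template's 192.168.15.51 after a hand edit missed them."""
    return [name for name, ip in LOCAL_DATA_RE.findall(conf_text) if ip != app_ip]
```

Write the returned text to the conf.d file and then run unbound-checkconf on it as described below; the stale-record check is only a pre-flight for values that unbound-checkconf cannot know are wrong.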


Make sure that the new config file is correct and valid. You can test it with the following command:


$> unbound-checkconf /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf 
unbound-checkconf: no errors in /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf


If you don't get the "no errors" message, go back and fix the file.



Enabling Unbound:


$> sudo systemctl disable systemd-resolved.service
....command output...
$> sudo systemctl enable unbound
....command output...

Check the service status to see if Unbound is running.


$> sudo systemctl status unbound
....command output...



TL;DR;


Execute these commands on the server that will take on the intranet DNS server role:

$> sudo apt update
....command output...
$> sudo apt install unbound
....command output...
$> sudo systemctl disable systemd-resolved.service
....command output...

Make sure that the new config file is correct and valid. You can test it with the following command:


$> unbound-checkconf /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf 
unbound-checkconf: no errors in /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf


If you don't get the "no errors" message, go back and fix the file.


$> sudo systemctl enable unbound
....command output...


After Installation:

The computers on your network now need to be configured to use the IP address of the intranet DNS server.


This can be done manually on each computer; the steps vary by operating system.


It can also be done automatically by the network administrator.


These approaches can be combined.






