# Unbound on a LAN



## balanga (Mar 7, 2021)

Can anyone point me to an article about setting up unbound(8) on a LAN?

I'm wanting to designate a particular host on the LAN as the nameserver for the LAN and am not sure whether unbound needs to be run on each host or how unbound integrates with my DHCP server...


----------



## ct85711 (Mar 7, 2021)

From what I am seeing on my system (hosting unbound for my network), it doesn't require many resources. My system is running with 8 GB of RAM and a single 10/100 ethernet interface, and memory is barely even being touched. If anything, running the Grafana stack and httpd both use more than Unbound ever takes. Of course, if you are expecting your network to have some heavier traffic, it may use more resources; but even then 4-8 GB should be more than sufficient. It will probably end up being other services that need more resources in the end.


----------



## obsigna (Mar 8, 2021)

balanga said:


> Can anyone point me to an article about setting up unbound(8) on a LAN?
> 
> I'm wanting to designate a particular host on the LAN as the nameserver for the LAN and am not sure whether unbound needs to be run on each host or how unbound integrates with my DHCP server...


Some years ago, I wrote a blog article on this in German:

Netzwerkdienste DNS und DHCP auf dem FreeBSD-Home-Server ("Network services DNS and DHCP on the FreeBSD home server"), on obsigna.com

English via Google Translate:

Netzwerkdienste DNS und DHCP auf dem FreeBSD-Home-Server, via translate.google.com

You want to use the settings from the German original, because the auto-translator placed some spaces where they don't belong. Since I wrote it up, nothing has changed, and all the settings are still valid.


----------



## Snurg (Mar 8, 2021)

You might like this HOWTO.
Works fine on my router (Intel Atom with 4GB RAM, 5x ethernet and 1x WLAN).
I improved it by using an enhanced adblocker. (4 GB are sufficient to block >1 million domains.)
And made a pf(4) configuration for that, too.

(Will include installation and configuration of this in the postinstaller, too)


----------



## SirDice (Mar 8, 2021)

balanga said:


> I'm wanting to designate a particular host on the LAN as the nameserver for the LAN and am not sure whether unbound needs to be run on each host or how unbound integrates with my DHCP server...


Install and configure unbound on that host. Make sure unbound is listening on the LAN, not only on 127.0.0.1 (localhost). Then configure your DHCP service and set it to serve the correct IP address for your unbound server, DHCP is typically configured to provide, besides an IP address and gateway, one or two DNS servers. That's all. There is no "integration" in this respect.


----------



## balanga (Mar 8, 2021)

Unfortunately the DHCP server is built into my ISP's router, a Huawei HG8245Q2, which I am able to access, although I am a little concerned about 'messing' with it...


----------



## SirDice (Mar 8, 2021)

balanga said:


> a Huawei HG8245Q2


Can't even read the manual on their website without being forced to login. I think I'll pass.


----------



## tyson (Mar 8, 2021)

Anyway, I think it should be possible to set the IP of the DNS servers in that router's DHCP configuration, so it points to your local unbound server, and some backup one.


----------



## Snurg (Mar 8, 2021)

SirDice said:


> Can't even read the manual on their website without being forced to login. I think I'll pass.


Seems like a worthless non-configurable thingy.

balanga, just a suggestion.
You know AVM supplies many German telecoms with their Fritzboxen.
So the used Fritzboxen get thrown away in lots, and sold on ebay for a few euros.
Maybe get one?
They have a web interface with incredible configurability, you can configure all possible things.

Just look through their excellent manuals and choose one to search for on ebay


----------



## SirDice (Mar 8, 2021)

Snurg said:


> Seems like a worthless non-configurable thingy.


Might be something similar as that piece of cr^H^H wonderful technology Ziggo (Dutch cable internet provider) supplies. Can't do anything with it. Luckily it does have a "modem" mode so I can just bypass all that builtin router stuff. DNS, DHCP, firewalling, NAT, etc, is done on a relatively small FreeBSD host. Much better.


Snurg said:


> So the used Fritzboxen get thrown away in lots, and sold on ebay for a few euros.


If his provider is anything like mine, not going to work. I can't even buy an alternate modem/router, they simply refuse to support anything but their own crappy boxes. Don't even think of just hooking up something yourself, if they find out they'll just turn off the signal. And you can forget about phoning support, Oh, no, that's not ours. Sorry, we don't support that *click*. Oh, you want to report an issue with an upstream router (somewhere on their bloody network, nowhere near my home). No, we have to plan an engineer to come to your house and do some measurements. You don't want that? What do you mean it's not necessary, the issue is not with your connection? Then we won't register your issue, good day sir.

(can you tell I'm somewhat frustrated with them? No, changing providers is not an option. They're the only ones allowed on the cable in this region. And don't get me started on the crap xDSL service I get here. I'd love to switch to fiber but I don't see that happening within the next 5-10 years.)


----------



## balanga (Mar 8, 2021)

As far as buying a modem/router goes, I don't know much about the available (modern) technology.... I have only ever bought ADSL devices previously and have no idea what interface is used for connection to optical fibre, but am more than happy to find out. I'd like to build my own at some point.


----------



## SirDice (Mar 8, 2021)

Does it have an option to switch to "modem" mode? Or something similar? That's the best option. Then you can simply hook up a FreeBSD to it with ethernet, run dhclient(8) and get your _external_ IP address directly on the FreeBSD host, add a second NIC to connect to your LAN. From there you can set it up as a DHCP, DNS, NAT, firewall etc.


----------



## Snurg (Mar 8, 2021)

OT:


SirDice said:


> Don't even think of just hooking up something yourself, if they find out they'll just turn off the signal.


Reminds me of the times when telecom here was still state monopoly.

Using a non-state-certified (e.g. extreeeeemely overpriced) modem constituted a crime, and when they observed "abnormal use patterns" on telephone lines, they let their engineers take measurements to check for "illicit devices" connected.
Police raids with confiscation and forfeiture of all equipment illegally connected to the telephone line (eg modem, computer and peripherals) happened regularly.


----------



## balanga (Mar 8, 2021)

SirDice said:


> Can't even read the manual on their website without being forced to login. I think I'll pass.


The web page https://support.huawei.com/enterprise/en/access-network/echolife-hg8245q2-pid-21989531 may say if it is possible to switch to modem mode. I looked but there are so.. many options. Didn't know where to look. I'd register to download a manual but don't even know which might provide the info about modem mode.


----------



## Snurg (Mar 8, 2021)

balanga said:


> if it is possible to switch to modem mode.


Probably not. See post #8 for a link to the manual you can read without registering.


----------



## Mjölnir (Mar 8, 2021)

balanga, pull the plug & switch your ISP.  Period.  That's the only feedback they understand.  If you're not too busy, encourage other to do so as well, and write them an e-mail explaining the reason(s) of your withdrawal.


----------



## balanga (Mar 8, 2021)

Mjölnir said:


> balanga, pull the plug & switch your ISP.  Period.  That's the only feedback they understand.  If you're not too busy, encourage other to do so as well, and write them an e-mail explaining the reason(s) of your withdrawal.


A two year contract means that I have to pay for the remainder of my contract even if I change ISP...

I'm beginning to think it might be easier to maintain the same /etc/hosts on all the systems on my LAN...


----------



## Jose (Mar 8, 2021)

balanga said:


> A two year contract means that I have to pay for the remainder of my contract even if I change ISP...


Dunno where you're at, but in the US that's what Small Claims Court is for. I love hauling giants to my local courthouse. They don't like it so much.


balanga said:


> I'm beginning to think it might be easier to maintain the same /etc/hosts on all the systems on my LAN...


Going back to the ARPANET. Old school!


----------



## Mjölnir (Mar 8, 2021)

Yes.  You can manage that with e.g. sysutils/cfengine315, but for only a few systems that might be overkill.  The only other technical option I see is to insert a host (with a DHCP server for your LAN) between your LAN and that crappy modem/router and filter its DHCP traffic.

OTT there might be legal options that allow you to drop the contract - it doesn't fit your needs.  Maybe the easiest is to intentionally cheat them by pretending you have withdrawn your flat because you want to move.  Usually that's a so-called "special circumstances" reason they have to and will accept without proper check.  Just fake a termination letter to your landlord & his/her confirmation.  You can even talk to your landlord (or the kind secretary) before, so should they ask s/he will lie in your interest.


----------



## Jose (Mar 8, 2021)

Mjölnir said:


> The only other technical option I see is to insert a host (with DHCP server for your LAN) between your LAN and that crappy modem/router and filter it's DHCP traffic.


Make sure it's a router and not a bridge, with at least two separate physical interfaces. You will experience DHCP sadness otherwise.


----------



## Mjölnir (Mar 8, 2021)

Jose said:


> Make sure it's a router and not a bridge, with at least two separate physical interfaces. You will experience DHCP sadness otherwise.


Don't we have filtering bridges?


----------



## Jose (Mar 8, 2021)

Mjölnir said:


> Don't we have filtering bridges?


Bridges work at layer 2 so they'll forward DHCP broadcasts. You'll have two DHCP servers in the same broadcast domain. I've tried this (not on purpose) and can tell you that hilarity will ensue.


----------



## Mjölnir (Mar 8, 2021)

I have dark, fuzzy memories that it's possible with some tricks & tweaks.  With a filtering bridge.
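
One way to do what the last few posts are circling around, as an added example that is not part of any post in this thread: a pf.conf for a FreeBSD filtering bridge placed between the ISP router and the LAN, which drops the ISP router's DHCP traffic on the member interface facing it so that only the bridge host's own DHCP server answers LAN clients. The interface names em0/em1, the rc.conf lines and the assumption that the bridge host runs its own dhcpd on bridge0 are all assumptions made for the example.

```conf
# Added example (not from this thread): pf.conf for a filtering bridge.
# Assumed layout: em0 faces the ISP router, em1 faces the LAN switch, both are
# members of bridge0, and this host's own DHCP server listens on bridge0.
# Assumed rc.conf:
#   cloned_interfaces="bridge0"
#   ifconfig_bridge0="addm em0 addm em1 up"
# pf only sees bridged traffic on the member interfaces when the (default)
# sysctl net.link.bridge.pfil_member=1 is set.
wan = "em0"   # towards the ISP router
lan = "em1"   # towards the LAN

# DHCP uses UDP 67 (server side) and 68 (client side).
# 1. Drop DHCPOFFER/DHCPACK coming from the ISP router, broadcast or unicast.
block in quick on $wan proto udp from any port 67 to any port 68

# 2. Drop LAN clients' DHCPDISCOVER/DHCPREQUEST before they leave towards the
#    ISP router, so it never sees them and never answers them.
block out quick on $wan proto udp from any port 68 to any port 67

# 3. If the ISP router does IPv6, its router advertisements would still
#    configure LAN hosts; drop those on the same interface.
block in quick on $wan inet6 proto icmp6 icmp6-type routeradv

# Everything else crosses the bridge unchanged.
pass quick all
```

Check it with `pfctl -nf /etc/pf.conf` before loading, then `pfctl -sr` after. Verify from a LAN client that a fresh lease comes from the bridge host's dhcpd and not the ISP router (the `server identifier` in the lease, or `tcpdump -ni em1 port 67 or port 68` on the bridge). Note that this keeps a single broadcast domain, so everything Jose describes still applies to any traffic you do not filter; the two-NIC router behind a modem-mode ISP box that SirDice describes is the cleaner design when the ISP box allows it.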


----------



## kumba (Mar 19, 2021)

balanga said:


> Can anyone point me to an article about setting up unbound(8) on a LAN?
> 
> I'm wanting to designate a particular host on the LAN as the nameserver for the LAN and am not sure whether unbound needs to be run on each host or how unbound integrates with my DHCP server...



If I read correctly, you want a local authoritative nameserver for your LAN?  You can't do that w/ Unbound.  Unbound is simply a recursive, caching nameserver.  It has no ability to host zones authoritatively.  This was a decision by the upstream developers to split the authoritative functions out into another piece of software, NSD (primarily to avoid the pitfalls that BIND got itself into by trying to do both).  What you likely want to do is to first set up and run NSD on a local loopback interface on TCP/53 and UDP/53, add a zone for your local LAN, test that you can query it directly w/ `dig` or `nslookup` on the machine, then set up Unbound to act as the recursive/caching nameserver for your network on the same machine.  In Unbound's config, you'll add a stub-zone statement to teach it to talk to the local NSD instance on loopback:53 for your LAN's local zone:


```
# forward zone for *.local
stub-zone:
        name: "local"
        stub-addr: 127.0.0.1@53

# reverse IPv4 zone for 10.0.0.0/8.
stub-zone:
        name: "10.in-addr.arpa"
        stub-addr: 127.0.0.1@53
```

Then on each system, either point it to the IP that Unbound listens on, or pass it through as a DHCP option on whatever system acts as your DHCP server.  Everything else you'll need to know is provided in Unbound and NSD's documentation.  Calomel's site also has two very good tutorials that go more in-depth:

NSD: https://calomel.org/nsd_dns.html
Unbound: https://calomel.org/unbound_dns.html

And for the crappy ISP modem issue, you might try seeing if it can be set as a transparent bridge, then you build a router and stick it behind it.  Usually keeps ISPs happy because you're still using their hardware, but you have most of the control of what packets enter and exit your network.  Probably have to call the ISP for this, though.


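Putting SirDice's advice (listen on the LAN, not only on 127.0.0.1) and kumba's stub-zone layout together, as an added example that is not from any post in this thread: a complete unbound.conf for a LAN resolver on a FreeBSD host. Everything concrete in it is an assumption for the example: the resolver's LAN address 192.168.1.2 on 192.168.1.0/24, the LAN zone name home.lan (instead of "local", which mDNS uses), NSD bound to 127.0.0.1 port 5353 so it does not collide with unbound on 127.0.0.1:53, and the trust-anchor path of the dns/unbound port.

```conf
# Added example (not from this thread): unbound.conf for a LAN resolver.
# Assumptions: host LAN address 192.168.1.2/24, local zone home.lan served by
# NSD on 127.0.0.1 port 5353 (unbound itself owns 127.0.0.1:53).
server:
    # Listen on loopback and on the LAN address, not only on 127.0.0.1.
    interface: 127.0.0.1
    interface: 192.168.1.2
    port: 53

    # Answer only LAN clients; refuse everything else that reaches the socket.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # Don't reveal the resolver to remote queries; harden resolution.
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    qname-minimisation: yes
    use-caps-for-id: yes

    # DNSSEC validation; the anchor file is kept current by unbound-anchor(8).
    # Path of the dns/unbound port; the base-system local_unbound uses
    # /var/unbound/root.key instead.
    auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"

    # Refuse RFC 1918 addresses in answers from the Internet (DNS rebinding),
    # but allow them for the LAN zone below.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-domain: "home.lan"

    # The LAN zones are unsigned and sit below signed parents, so exempt them
    # from validation or every answer is marked bogus.
    domain-insecure: "home.lan"
    domain-insecure: "1.168.192.in-addr.arpa"

    # Unbound ships a built-in empty local zone for 168.192.in-addr.arpa;
    # switch it off so the reverse stub-zone is actually consulted.
    local-zone: "168.192.in-addr.arpa." nodefault

# Forward LAN zone, served by NSD on loopback.
stub-zone:
    name: "home.lan"
    stub-addr: 127.0.0.1@5353

# Reverse zone for 192.168.1.0/24, also served by NSD.
stub-zone:
    name: "1.168.192.in-addr.arpa"
    stub-addr: 127.0.0.1@5353
```

Check the file with `unbound-checkconf` before starting the service, then confirm the listening sockets with `sockstat -4l | grep :53` (you should see both 127.0.0.1:53 and 192.168.1.2:53, and NSD on 127.0.0.1:5353). From another LAN host, `drill @192.168.1.2 host.home.lan` and `drill -x 192.168.1.10 @192.168.1.2` exercise the two stub-zones, and `drill @192.168.1.2 dnssec-failed.org` should return SERVFAIL if validation is working. The DHCP side is just the one option SirDice mentions, for example `option domain-name-servers 192.168.1.2;` in dhcpd.conf of net/isc-dhcp44-server, or the equivalent field in the ISP router's DHCP settings.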
----------

