Configuring Unbound DNS in pfSense

Unbound DNS is a validating, recursive and caching DNS server software product. The C implementation of Unbound is developed and maintained by NLnet Labs, and is based on ideas and algorithms taken from a Java prototype developed by Verisign labs, Nominet, Kirei, and ep.net. It is distributed free of charge under the BSD license.

Unbound can run as a server, as a daemon in the background, answering DNS queries from the network. Alternatively, it can link to an application as a library and answer DNS queries for that application. Here, we are concerned with running Unbound as a server by installing the Unbound package in pfSense.

Unbound DNS: Installation and Configuration

To install the Unbound package, navigate to System -> Packages, and scroll down to the Unbound entry in the packages listing. On the right side of the listing, press the “plus” button to select the package. On the next page, press the “Confirm” button to confirm installation. Installation should complete within a few minutes. Once it is complete, you should see the following text:

Unbound setup instructions:
Please visit Services: Unbound DNS to configure the Unbound DNS service. Remember you will need to disable Services: DNS Forwarder before starting Unbound. Also note if your DHCP server makes use of pfSense as the DNS server, then you will now need to add the IP address of the respective interface to the DNS servers field, in the DHCP server configuration page.

After installation, there will be a new item on the Services menu called “Unbound DNS”. Navigate to Services -> Unbound DNS to begin configuration. The first tab, “Unbound DNS Settings”, allows you to configure the basic settings. First is the “Enable Unbound” check box, which lets you enable the use of Unbound as your DNS forwarder. Next is “Network Interface”, which allows you to specify the network interface(s) the server will listen on. “Query interfaces” allows you to specify different network interface(s) the server will use to send queries to authoritative servers.

Next is the “Enable DNSSEC” check box. DNSSEC (Domain Name System Security Extensions) is a suite of specifications for securing certain kinds of DNS information. It was designed to protect applications, as well as caching resolvers serving those applications, from using forged or manipulated DNS data. If you wish to use DNSSEC to validate your DNS queries, it is recommended that you disable forwarding (the next setting) and allow Unbound to do all your DNS resolving. You can leave the forwarding mode enabled, though, if you are certain that your upstream DNS servers also provide DNSSEC support. Forwarding mode will allow you to configure the server to make use of other DNS servers configured in System -> General Setup.

Next is the “Private Address support” check box. With this option enabled, RFC1918 addresses are stripped from DNS answers received from upstream. Additionally, the DNSSEC validator may mark such answers bogus. You will want to disable this if you have zones that legitimately return private addresses. With this option enabled, any domain overrides configured will be exempt from this check. The “Register DHCP static mappings” check box causes DHCP static mappings to be registered in the DNS forwarder, so their names can be resolved.

The next two options are “TXT Comment Support” and “Cache Restoration Support”. If “TXT Comment Support” is checked, then any descriptions associated with host entries and DHCP static mappings will create a corresponding TXT record. This allows you to view comments you have added using DNS. To view these comments, one would simply execute the following command: dig @<pfSense_ip> host_entry TXT. “Cache Restoration Support” ensures that the current Unbound cache containing all the DNS records is saved to disk. Thus, if the service or server is restarted, the cache is restored, resulting in quicker responses when resolving DNS queries. Note that any old or wrong data in the cache will be restored as well.
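The unbound.conf directives behind the GUI settings described above, as an added illustration rather than the configuration the pfSense package actually generates; the interface addresses, zone names and the trust-anchor path are constructed assumptions.

```conf
# Added example, not the pfSense package's generated unbound.conf.
# Addresses, zone names and the trust-anchor path are placeholders.
server:
    # "Network Interface": listen on the LAN address only
    interface: 192.168.1.1
    # "Query interfaces": send queries to authoritative servers from the WAN address
    outgoing-interface: 203.0.113.10

    # "Enable DNSSEC": load the validator module and the root trust anchor
    # (path assumed; Unbound maintains the RFC 5011 anchor in this file)
    module-config: "validator iterator"
    auto-trust-anchor-file: "/var/unbound/root.key"

    # "Private Address support": answers from upstream containing these ranges
    # are stripped (DNS rebinding protection). A DNSSEC-signed zone that
    # returns such addresses is marked bogus unless it is listed as a
    # private-domain, which is how a domain override is exempted.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-domain: "corp.example"

    # "TXT Comment Support": a host entry plus its description as a TXT record,
    # retrievable with: dig @192.168.1.1 nas.home.lan TXT
    local-zone: "home.lan." transparent
    local-data: "nas.home.lan. IN A 192.168.1.20"
    local-data: "nas.home.lan. IN TXT \"Storage server, rack 2\""

# Forwarding mode: hand all queries to the servers from System -> General Setup.
# Omit this block so Unbound recurses from the root itself, which is the
# recommended setup when DNSSEC validation is enabled.
forward-zone:
    name: "."
    forward-addr: 198.51.100.53
```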

Once these options are saved, you will be able to use Unbound in pfSense to do all your DNS resolving. In the next article, we will look at some of the other settings.

