DNS caching resolver for home

Preface: the FortiGate I am using at home sucks at DNS; in fact it sucks at many things when you are used to a FritzBox, but I am stubborn and I will do this because I work with FortiGates and want the learning experience (and because I am stubborn).

Somehow the big models can all provide a forwarding DNS service, but the FortiWifi40C can't even act as a DNS gateway / proxy without bringing the internet experience here to a grinding halt.
(I run a small network, about 5 devices and 4 mobiles, and if I can feel it I don't want to know what a small office would experience...)
But: I have this Raspberry that receives audio via zeroconf and is connected to the network and to my amplifier.
Why not have it act as a caching DNS resolver, too?

Easy with Raspbian:
# apt-get install unbound
Add the listening interfaces to the config, point it at your ISP's DNS servers and it should work.
But we want the full bells and whistles, IPv6 and DNSSEC, so let's do this the proper way:

Install the root hints (the list of root name servers; refresh the file every now and then, it changes occasionally):
# wget ftp://FTP.INTERNIC.NET/domain/named.cache -O /etc/unbound/root.hints

Now edit the config to reference this file, enable the listening interfaces, IPv6 and TCP, and add an ACL so we don't accidentally turn into an open resolver (the FortiGate should prevent that, but you never know...). Listening on 0.0.0.0 and :: means unbound answers on every interface, so the access-control list is the only thing keeping strangers out.
Also disable remote control for now:

server:
    # Perform cryptographic DNSSEC validation using the root trust anchor
    # (the key file is created and kept current by unbound-anchor).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # root name server list; only consulted when unbound recurses itself,
    # i.e. if the forward-zone below is removed
    root-hints: "/etc/unbound/root.hints"

    # listen on all interfaces, IPv4 and IPv6
    interface: 0.0.0.0
    interface: ::0

    # IPv6 and TCP transport (both are on by default, listed here explicitly)
    do-ip6: yes
    do-tcp: yes

    # access-control for the local subnets; everything not listed is refused,
    # which is what keeps this box from being an open resolver
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.0.0/16 allow
    access-control: 10.0.0.0/8 allow
    access-control: 2001:XXXX:XXXX::/32 allow
    access-control: 2001:DB8::/64 allow
    # IPv6 link-local is fe80::/10 (a /8 would cover far more than link-local)
    access-control: fe80::/10 allow
    verbosity: 1

remote-control:
    control-enable: no

# forward anything else to the xs4all DNS servers; for DNSSEC validation to
# work, the forwarders must pass DNSSEC records (RRSIG, DNSKEY, DS) through
forward-zone:
    name: "."
    forward-addr: 194.109.6.66
    forward-addr: 194.109.9.99
    forward-addr: 194.109.104.104
    forward-addr: 2001:888:0:6::66
    forward-addr: 2001:888:0:9::99

this already works!

Test with dig against both the IPv4 and the IPv6 address of the Raspberry, then hand it out as DNS server via your DHCP server and enjoy millisecond resolve times :)

Next up: tweaking for healthy memory consumption and adding a forward and reverse zone for my LAN
(thanks to https://www.the-hawkes.de/unbound-dns-on-raspberry-pi.html )

These lines go inside the server: section:

    # my domain name; private-domain allows answers under it to contain
    # RFC1918 addresses, which unbound would otherwise drop as rebinding attempts
    private-domain: "home."
    include: /etc/unbound/forward.conf
    include: /etc/unbound/reverse.conf

The forward lookup file (name -> ip)
/etc/unbound/forward.conf

# static: names under home. that are not listed here get NXDOMAIN
# instead of being forwarded upstream
local-zone: "home." static

local-data: "speedport.home. IN A 192.168.178.1"
local-data: "kasekuchen.home. IN A 192.168.178.21"
local-data: "raspberryone.home. IN A 192.168.178.200"
local-data: "rbone.home. IN A 192.168.178.200"
local-data: "rb1.home. IN A 192.168.178.200"
local-data: "htpc.home. IN A 192.168.178.245"
local-data: "wlan.home. IN A 192.168.178.253"


Reverse lookup (ip -> name)
/etc/unbound/reverse.conf

local-data-ptr: "192.168.178.1 speedport.home."
local-data-ptr: "192.168.178.21 kasekuchen.home."
local-data-ptr: "192.168.178.200 raspberryone.home."
# second PTR for the same address; note that forward.conf has no A record
# for raspberrytwo.home., so the two files disagree for .200
local-data-ptr: "192.168.178.200 raspberrytwo.home."
local-data-ptr: "192.168.178.245 htpc.home."
local-data-ptr: "192.168.178.253 wlan.home."

For verifying memory use and DNSSEC functionality, see here:
https://calomel.org/unbound_dns.html
and here:
https://www.unbound.net/documentation/howto_anchor.html
Note that the unbound-control stats used on the calomel page needs remote-control, which we switched off above; either enable it (control-interface: 127.0.0.1 after running unbound-control-setup) or read the memory use from ps.
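As an added example (not part of the original post or of the linked pages), here is a small shell script that runs the checks described above from any LAN host: config syntax, a validated answer over IPv4 and IPv6, the cached second lookup, the home. forward and reverse data, a deliberately broken DNSSEC domain being refused, and unbound's memory footprint via ps. The parsing helpers take dig output on stdin, so they can be exercised on the constructed sample output embedded in the script without a resolver. Assumptions: the Raspberry is 192.168.178.200 as in forward.conf, www.ietf.org is used as a DNSSEC-signed test name and dnssec-failed.org as a test domain with broken signatures (both assumed, swap in any names you trust for that purpose).

```sh
#!/bin/sh
# Added example, not from the original post: sanity checks for the unbound
# caching resolver described above. Needs dig, unbound-checkconf and ps on
# the host running it (unbound-checkconf only when run on the Pi itself).

RESOLVER4="${RESOLVER4:-192.168.178.200}"   # the Pi's address from forward.conf
RESOLVER6="${RESOLVER6:-::1}"               # set to the Pi's global IPv6 address when run remotely
SIGNED_NAME="${SIGNED_NAME:-www.ietf.org}"  # assumed DNSSEC-signed name
BROKEN_NAME="${BROKEN_NAME:-dnssec-failed.org}"  # assumed name with deliberately broken signatures

# Constructed sample dig output (not captured from a real run), used to test the parsers.
SAMPLE_OK='; <<>> DiG 9.x <<>> @192.168.178.200 +dnssec www.ietf.org A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; Query time: 2 msec'
SAMPLE_SERVFAIL='; <<>> DiG 9.x <<>> @192.168.178.200 dnssec-failed.org A
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; Query time: 310 msec'

# RCODE of the answer (NOERROR, SERVFAIL, NXDOMAIN, ...) from dig output on stdin.
dig_status() {
    sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p'
}

# Flag list from the ";; flags:" line, e.g. "qr rd ra ad".
dig_flags() {
    sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p'
}

# Succeed if the given flag is present; "ad" means unbound validated the answer.
dig_has_flag() {
    flags=$(dig_flags)
    case " $flags " in *" $1 "*) return 0 ;; esac
    return 1
}

# Query time in milliseconds; a cache hit is expected to show 0 or 1.
dig_query_time() {
    sed -n 's/^;; Query time: \([0-9]*\) msec.*/\1/p'
}

# Live checks against the resolver; returns non-zero on the first failure.
run_checks() {
    if command -v unbound-checkconf >/dev/null 2>&1; then
        unbound-checkconf || return 1       # parses unbound.conf and the included files
    fi
    for r in "$RESOLVER4" "$RESOLVER6"; do
        out=$(dig @"$r" +dnssec "$SIGNED_NAME" A)
        [ "$(printf '%s\n' "$out" | dig_status)" = NOERROR ] \
            || { echo "FAIL: $r gave no answer for $SIGNED_NAME"; return 1; }
        printf '%s\n' "$out" | dig_has_flag ad \
            || { echo "FAIL: $r did not validate $SIGNED_NAME (no ad flag)"; return 1; }
        echo "OK: $r validated $SIGNED_NAME in $(printf '%s\n' "$out" | dig_query_time) msec"
    done
    # The second lookup is served from cache; the query time should drop to about 0 msec.
    echo "cached lookup: $(dig @"$RESOLVER4" "$SIGNED_NAME" A | dig_query_time) msec"
    # Local zone: the alias must resolve to the Pi and the PTR must point back to it.
    [ "$(dig @"$RESOLVER4" +short rb1.home A)" = "$RESOLVER4" ] \
        || { echo "FAIL: rb1.home does not resolve to $RESOLVER4"; return 1; }
    dig @"$RESOLVER4" +short -x "$RESOLVER4" | grep -q '^raspberryone\.home\.$' \
        || { echo "FAIL: reverse lookup of $RESOLVER4"; return 1; }
    # Broken signatures must be refused (SERVFAIL); with +cd (checking disabled) the
    # same name answers, which proves the failure is validation and not reachability.
    [ "$(dig @"$RESOLVER4" "$BROKEN_NAME" A | dig_status)" = SERVFAIL ] \
        || { echo "FAIL: $BROKEN_NAME was not rejected"; return 1; }
    [ "$(dig @"$RESOLVER4" +cd "$BROKEN_NAME" A | dig_status)" = NOERROR ] \
        || { echo "FAIL: $BROKEN_NAME unreachable even with +cd"; return 1; }
    # remote-control is disabled in the config above, so no unbound-control stats; use ps.
    echo "unbound RSS: $(ps -o rss= -C unbound | head -1) kB"
}

# Usage: ./check-unbound.sh run   (the parsers are defined without side effects
# so the file can also be sourced and tested on the sample output)
if [ "${1:-}" = run ]; then
    run_checks
fi
```

The +cd query is the check I would not skip: a SERVFAIL on the broken name alone could just as well mean the forwarders are down, so only the pair (SERVFAIL without +cd, NOERROR with +cd) shows that unbound itself is doing the validating.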