Setup unbound as caching DNS on OpenBSD

The purpose of a LAN cache for DNS in is to allow queries from LAN clients to end up in the DNS cache rather than the originating DNS. This will help with performance and lower traffic towards to originating DNS.

To do this we need a set of steps ...

1. Setup the caching DNS service
2. Make sure router make use of local DNS service
3. Make sure local clients get informed of caching DNS server via DHCP

It is assumed that dhcpd is already setup, otherwise take a look at Setting up a DHCP server on OpenBSD 6.7.

Install was made on OpenBSD 7.2.

Setup unbound

unbound(8) in part of base system so it does not need to be installed.

Default configuration file is /var/unbound/etc/unbound.conf.

cat /var/unbound/etc/unbound.conf 

# $OpenBSD: unbound.conf,v 1.21 2020/10/28 11:35:58 sthen Exp $

server:
	interface: 192.168.2.1
	interface: 127.0.0.1
	do-ip6: no

	access-control: 192.168.2.0/24 allow
	access-control: 127.0.0.0/8 allow
	access-control: ::0/0 refuse
	access-control: ::1 refuse

...	

forward-zone:
        name: "."
        forward-addr: 8.8.8.8
        forward-addr: 8.8.4.4

Just make sure that interface, access-control and forward-addr is configured for your local network and originating DNS servers. I am using sample values here.

You may test config by

unbound -d -vv -c /var/unbound/etc/unbound.conf

If it works. Start and enable unbound using rcctl.

rcctl start unbound
rcctl enable unbound

Use unbound in router

To force router to make use of local unbound server the loopback address is prepended in dhclient.conf.

cat /etc/dhclient.conf
...              
prepend domain-name-servers 127.0.0.1;

This means that local unbound service is used before other DNS servers provided to router via DHCP.

Add local DNS to DHCP server

To inform local clients of new caching DNS server this server (assumed with IP 192.168.2.1) must be added to DNS server list of you DHCP server.

cat /etc/dhclient.conf
...
option  domain-name-servers 192.168.2.1, 8.8.8.8, 8.8.4.4;

References

• Unbound DNS
• Setting up a DHCP server on OpenBSD 6.7
• Force OpenBSD to use unbound(8) DNS resolver in DHCP client mode
• Ads blocking with OpenBSD unbound(8)

This site is maintained by Peter Ljung using the powers of OpenBSD, Ruby, Sinatra combined as WebFactory