├── .github └── FUNDING.yml ├── LICENSE ├── README.md └── unbound-install.sh /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | patreon: angristan 2 | liberapay: angristan 3 | ko_fi: angristan 4 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2018 Angristan 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Local DNS resolver installer for Linux 2 | 3 | This script will install a local **Unbound** DNS resolver with **DNSSEC** support on your GNU/Linux computer/server, that will directly communicate with the root servers. 
This ensures speed, neutrality and no dependence on any third-party server (like your ISP's). 4 | 5 | The resolver is "local" because Unbound will only listen on localhost and accept requests from localhost. 6 | 7 | ## Support 8 | 9 | The script is designed to work on the following operating systems: 10 | 11 | * Debian 8+ 12 | * Ubuntu 14+ 13 | * CentOS 7 14 | * Fedora 25+ 15 | * Arch Linux 16 | 17 | Be sure to uninstall BIND or any other DNS services on your machine before running the script, otherwise Unbound won't be able to start. 18 | 19 | ## Usage 20 | 21 | First, download the script and make it executable: 22 | 23 | ``` 24 | wget https://raw.githubusercontent.com/Angristan/Local-DNS-resolver/master/unbound-install.sh 25 | chmod +x unbound-install.sh 26 | ``` 27 | 28 | Then run it as root: 29 | ``` 30 | sudo ./unbound-install.sh 31 | ``` 32 | 33 | Enjoy! 34 | 35 | ## Change DNS resolver 36 | 37 | Later, if you want to edit `/etc/resolv.conf`, run this command to allow modifications: 38 | 39 | `chattr -i /etc/resolv.conf` (`+i` to disallow again) 40 | 41 | ## Check DNSSEC 42 | 43 | DNSSEC should be enabled. To check if Unbound verifies DNSSEC signatures, run: 44 | 45 | ``` 46 | dig www.dnssec-failed.org | grep status 47 | ``` 48 | This should return `status: SERVFAIL`, because the signature for this domain is broken. 49 | 50 | ## Check for DNS leaks 51 | 52 | Go to [dnsleaktest.com](https://dnsleaktest.com/) or [ipleak.net](https://ipleak.net/) with your browser. Only your IP should show up, or the one from your VPN provider. 53 | -------------------------------------------------------------------------------- /unbound-install.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if [[ "$UID" -ne 0 ]]; then 4 | echo "Sorry, you need to run this as root" 5 | exit 1 6 | fi 7 | 8 | lsof -i :53 > /dev/null 2>&1 9 | if [ $? 
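-eq 0 ]; then
  echo "It looks like another software is listnening on port 53:"
  echo ""
  lsof -i :53
  echo ""
  echo "Please disable or uninstall it before installing unbound."
  # Keep asking until the user gives an explicit y/n answer.
  while [[ $CONTINUE != "y" && $CONTINUE != "n" ]]; do
    read -rp "Do you still want to run the script? Unbound might not work... [y/n]: " -e CONTINUE
  done
  if [[ "$CONTINUE" = "n" ]]; then
    exit 2
  fi
fi

#######################################
# Exit codes used by this script:
#   1 - not running as root
#   2 - user aborted because port 53 is already in use
#   3 - unsupported distribution
#   4 - package installation or root-hints download failed
#   5 - Unbound did not (re)start; /etc/resolv.conf is left untouched
#######################################

#######################################
# Print a message on stderr and exit.
# Arguments: $1 - message, $2 - exit status (default 1)
#######################################
die() {
  printf '%s\n' "$1" >&2
  exit "${2:-1}"
}

# Detect the distribution family from its release files.
# Fedora is tested before the CentOS/RHEL branch on purpose: the previous
# single test `a || b || c && ! -e /etc/fedora-release` only excluded Fedora
# from its last alternative, because `&&` binds tighter than `||` inside
# [[ ]], so a Fedora box that also carries one of the other release files
# would have been classified as "centos".
if [[ -e /etc/debian_version ]]; then
  # Detects all variants of Debian, including Ubuntu
  OS="debian"
elif [[ -e /etc/fedora-release ]]; then
  OS="fedora"
elif [[ -e /etc/centos-release || -e /etc/redhat-release || -e /etc/system-release ]]; then
  OS="centos"
elif [[ -e /etc/arch-release ]]; then
  OS="arch"
else
  echo "Looks like you aren't running this installer on a Debian, Ubuntu, CentOS, Fedora or Arch Linux system"
  exit 3
fi

echo ""
echo "Welcome! This script will install and configure Unbound, and set it as your default system DNS resolver."
echo ""
read -n1 -r -p "Press any key to continue..."
echo ""

if [[ "$OS" = "debian" ]]; then
  # Install Unbound; e2fsprogs provides the chattr command used further down.
  apt-get update
  apt-get install -y unbound e2fsprogs || die "Package installation failed." 4

  # Configuration
  # NOTE(review): these directives are appended without a leading 'server:'
  # clause; confirm the packaged unbound.conf still ends inside its server
  # section on every supported release, otherwise Unbound will reject the file.
  echo 'interface: 127.0.0.1
hide-identity: yes
hide-version: yes
use-caps-for-id: yes
prefetch: yes' >> /etc/unbound/unbound.conf
fi

if [[ "$OS" = "centos" ]]; then
  # Install Unbound
  yum install -y unbound || die "Package installation failed." 4

  # Configuration: uncomment and flip the packaged defaults in place.
  sed -i 's|# interface: 0.0.0.0$|interface: 127.0.0.1|' /etc/unbound/unbound.conf
  sed -i 's|# hide-identity: no|hide-identity: yes|' /etc/unbound/unbound.conf
  sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf
  sed -i 's|use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf
fi

if [[ "$OS" = "fedora" ]]; then
  # Install Unbound
  dnf install -y unbound || die "Package installation failed." 4

  # Configuration: uncomment and flip the packaged defaults in place.
  sed -i 's|# interface: 0.0.0.0$|interface: 127.0.0.1|' /etc/unbound/unbound.conf
  sed -i 's|# hide-identity: no|hide-identity: yes|' /etc/unbound/unbound.conf
  sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf
  sed -i 's|# use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf
fi

if [[ "$OS" = "arch" ]]; then
  # Install Unbound (interactive: pacman asks for confirmation)
  pacman -Syu unbound || die "Package installation failed." 4

  # Get root servers list. Abort if the download fails: the configuration
  # written below points root-hints at this file, and a failed wget -O may
  # leave an empty file behind.
  wget -O /etc/unbound/root.hints https://www.internic.net/domain/named.cache \
    || die "Could not download the root hints file." 4

  # Configuration: replace the packaged file, keeping a copy of the original.
  mv /etc/unbound/unbound.conf /etc/unbound/unbound.conf.old
  echo 'server:
use-syslog: yes
do-daemonize: no
username: "unbound"
directory: "/etc/unbound"
trust-anchor-file: trusted-key.key
root-hints: root.hints
interface: 127.0.0.1
access-control: 127.0.0.1 allow
port: 53
num-threads: 2
use-caps-for-id: yes
harden-glue: yes
hide-identity: yes
hide-version: yes
qname-minimisation: yes
prefetch: yes' > /etc/unbound/unbound.conf
fi

if [[ ! "$OS" =~ (fedora|centos) ]]; then
  # DNS Rebinding fix: never accept answers pointing at private address space
  echo "private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10
private-address: 127.0.0.0/8
private-address: ::ffff:0:0/96" >> /etc/unbound/unbound.conf
fi

# Start Unbound. /etc/resolv.conf is only touched once the resolver is
# actually running; otherwise the machine would be pointed at a dead
# resolver and left without working DNS.
if pgrep systemd-journal > /dev/null; then
  systemctl enable unbound
  systemctl restart unbound || die "Unbound failed to start; /etc/resolv.conf was not changed." 5
else
  service unbound restart || die "Unbound failed to start; /etc/resolv.conf was not changed." 5
fi

# Allow the modification of the file
chattr -i /etc/resolv.conf

# Disable previous DNS servers. Anchored to the line start so that lines
# which are already commented out are not commented a second time.
# NOTE(review): if /etc/resolv.conf is a symlink (another resolver managing
# it), 'sed -i' replaces the link with a regular file -- confirm that is wanted.
sed -i "s|^nameserver|#nameserver|" /etc/resolv.conf
sed -i "s|^search|#search|" /etc/resolv.conf

# Set localhost as the DNS resolver
echo "nameserver 127.0.0.1" >> /etc/resolv.conf

# Disallow the modification to prevent the file from being overwritten by the system.
# Use -i to enable modifications. Not fatal: the resolver is already working.
chattr +i /etc/resolv.conf || printf 'warning: could not make /etc/resolv.conf immutable\n' >&2

echo "The installation is done."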