angristan / openvpn-install

Set up your own OpenVPN server on Debian, Ubuntu, Fedora, CentOS or Arch Linux.
https://stanislas.blog
MIT License
13.37k stars 2.92k forks

Self-hosted DNS Resolver (Unbound) #5

Closed angristan closed 5 years ago

angristan commented 7 years ago

As discussed in https://github.com/Angristan/OpenVPN-install/issues/4, having the option to use a local DNS server would be great for the following reasons:

I already made a script to install a local DNS server on a Linux machine: https://github.com/Angristan/Local-DNS-resolver

I will use unbound, and adapt the configuration to allow queries from the private network (10.8.0.0/24), and then use 10.8.0.1 as the DNS resolver in the OpenVPN configuration.

~If unbound is already installed on the server where the script is run, I think I'll ask for a confirmation to overwrite /etc/unbound.conf, and if the answer is no, ask the user to select other DNS servers.~

Any suggestion is welcome until I implement the feature.

yolateng0 commented 7 years ago

Why not install Unbound directly when installing the script? This works; I tested it on a fork of the old version. https://github.com/yolateng0/OpenVPN-install

thanks for your work 0/ <3

angristan commented 7 years ago

That's what I'm going to do :)

chpasswd commented 7 years ago

Adblocking? like this but without the web interface, etc.

angristan commented 7 years ago

@chpasswd

Adblocking? like this but without the web interface, etc.

No.

Leopere commented 6 years ago

You could try to use Pi-Hole which also happens to have a fancy UI. It does blocking and things as well. I wonder if it'd work to do IP blocklists as well.

angristan commented 6 years ago

The goal is only to install a neutral DNS resolver. You can install Pi-Hole on your server if you want and use it with OpenVPN :)

angristan commented 6 years ago

Yep, the update to Local-DNS-resolver will help.

I guess we should add a check like if netstat -tuln | grep :53 is not empty then we don't install unbound or something
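One way to implement the port-53 check suggested in this comment, together with the VPN-only unbound configuration described at the top of the thread (an added example, not code from openvpn-install or Local-DNS-resolver; the listener table is constructed, and 10.8.0.1 / 10.8.0.0/24 are the values used in the thread):

```shell
#!/bin/sh
# Added example, not code from openvpn-install: decide whether unbound can bind
# port 53 on the VPN gateway address, and emit a matching unbound server block.
# Assumed values from the thread: gateway 10.8.0.1, client subnet 10.8.0.0/24.

# port53_conflict ADDR
# Reads a listener table (the output of `ss -ltun` or `netstat -tuln`) on stdin.
# Returns 0 when an existing :53 listener would collide with binding ADDR:53,
# i.e. a wildcard bind (0.0.0.0, *, [::]) or a bind to ADDR itself. A resolver
# bound only to 127.0.0.1:53 or 127.0.0.53:53 is not a conflict, so unbound on
# the VPN interface and another resolver on loopback can share the port.
port53_conflict() {
    addr="$1"
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /:53$/) { sub(/:53$/, "", $i); sub(/%[^:]*$/, "", $i); print $i } }' \
      | grep -qxF -e '0.0.0.0' -e '*' -e '[::]' -e '::' -e "$addr"
}

# unbound_vpn_conf ADDR SUBNET
# Prints a server: block that listens only on the VPN address and answers only
# loopback and the VPN subnet (interface, port and access-control are standard
# unbound.conf directives; everything else stays at unbound's defaults).
unbound_vpn_conf() {
    cat <<EOF
server:
    interface: $1
    port: 53
    access-control: 127.0.0.0/8 allow
    access-control: $2 allow
    access-control: 0.0.0.0/0 refuse
    hide-identity: yes
    hide-version: yes
EOF
}

# Constructed sample standing in for real `ss -ltun` output: sshd, a loopback
# resolver on 127.0.0.1:53 and systemd-resolved's stub on 127.0.0.53:53.
SAMPLE_LISTENERS='udp   UNCONN 0 0   127.0.0.1:53      0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:22        0.0.0.0:*
udp   UNCONN 0 0   127.0.0.53%lo:53  0.0.0.0:*'

if printf '%s\n' "$SAMPLE_LISTENERS" | port53_conflict 10.8.0.1; then
    echo "port 53 already bound on 10.8.0.1 or a wildcard address: not installing unbound"
else
    unbound_vpn_conf 10.8.0.1 10.8.0.0/24
fi
```

Feed it the live `ss -ltun` output instead of the sample to make the decision on a real host; a loopback-only resolver passes the check, a wildcard bind does not.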

Leopere commented 6 years ago

@Angristan you could look into how the PiHole does its stuff and maybe omit anything in their script that installs the web panel or something. Or include it as an option. It wouldn't work in my use case as I'm hosting my own authoritative nameservers on my OpenVPN instance, but some people might like the DNS blackholing capability.

Leopere commented 6 years ago

Oops, my apologies, I didn't realize how many times in this thread people had mentioned PiHole and slammed the idea down. I think that PiHole has other benefits outside of simple adblocking; it also helps thwart malicious attempts to call home to command and control nodes, given that they are known threats.

At the end of the day I think that a great home VPN solution, if we're taking this way further than we initially intended, should probably help the user gain full control over their traffic.

There is too much background radiation in modern tech; if we could help people get to a point where the background radiation is a bit more under control, I think that's a pretty positive benefit to the internet as a whole.

I wonder how much of the internet is just background radiation now that I think of it.

Leopere commented 6 years ago

I was just reading @cezar97's response in #189 about a web panel and the security implications and it had me thinking.

What sort of collision would there be between this script and PiHole? Would it be reasonable to just add a test to see if PiHole is installed, and then, if it is, just use that?

Leopere commented 6 years ago

The biggest value-add from a PiHole is the ability to whitelist domains; it has the whole functionality already stitched in. Even if the script just offers you a suggestion/endorsement to go and install PiHole yourself, it might be cool. I mostly just want to know if there are conflicts between the two scripts, which is kind of hard to tell at first.

On Tue, Apr 3, 2018 at 12:35 PM cezar97 notifications@github.com wrote:

@Angristan https://github.com/Angristan I know others asked for it and you already answered, but if unbound gets selected for install, why not include (with another option that can be chosen by the user) the pi-hole default blacklists and integrate them with unbound, so there is no need for installing other things? Why am I asking it again, then? Because we are not talking just about ads but also trackers all around the web (not to forget that ads often, if not always, are trackers too). So at least while using the VPN, trackers and other stuff like malware domains get blocked. That said, it remains up to you to decide: I'm sorry for re-asking if you're not fine with this. PS: I'm talking about pi-hole blacklists just because they don't block more than basic and necessary things and so sites don't get broken. @chamunks https://github.com/chamunks @chpasswd https://github.com/chpasswd


angristan commented 6 years ago

Installing Pi-Hole or any web interface is clearly no, but adding an option for a blacklist to the unbound option may be ok.

Leopere commented 6 years ago

Spectacular idea

On Tue, Apr 3, 2018 at 2:37 PM cezar97 notifications@github.com wrote:

@Angristan https://github.com/Angristan Thank you for your response. @chamunks https://github.com/chamunks Well, there aren't any kind of conflicts. I can tell you that because this was my setup for a while: I had a machine running openvpn, and pihole was listening on the VPN interface 10.8.0.1, and another machine running an unbound caching resolver, just because both of them require listening on port 53. The upstream for pihole was the IP of unbound. Later on I thought that it can be done on a single machine, too. Pihole can listen on 10.8.0.1:53/tcp-udp and unbound on 127.0.0.1:53/tcp-udp: it's possible because it is the same port but on different interfaces. So here as the upstream you just have to use 127.0.0.1.


Leopere commented 6 years ago

Always nice to be good netizens and leave good records for future Googlers.

On Tue, Apr 3, 2018, 11:26 AM cezar97 notifications@github.com wrote:

@chamunks https://github.com/chamunks I'm glad it helped. BTW, may I have a response on your #179 and #195 so maybe I can update the answer in case, too?


angristan commented 6 years ago

Yes, I think we shouldn't touch /etc/resolv.conf.

angristan commented 6 years ago

It's been a long time since I decided to remove these, but if we use chattr to lock resolv.conf, it may not be needed...

Leopere commented 6 years ago

I personally have to also be careful as I'm using OpenVPN on the same machine as a mail server and authoritative DNS. Via MailInABox.

On Sat, Apr 14, 2018 at 2:20 PM Angristan notifications@github.com wrote:

It's been a long time since I decided to remove these, but if we use chattr to lock resolv.conf, it may not be needed...


angristan commented 5 years ago

Enjoy :)