Recursive Unbound: hardening, DNSSEC and performance (standalone or as a Pi-hole sidecar)

A local recursive resolver with DNSSEC validation and a fast cache. Well suited as the upstream for Pi-hole, or as the upstream that dnsmasq forwards to on OpenWrt.

Installation (Debian/Ubuntu)

sudo apt update && sudo apt install -y unbound
# Root hints let Unbound start recursion at the root servers; refresh them
# every few months. Debian/Ubuntu also ship a copy in the dns-root-data
# package (/usr/share/dns/root.hints) if you prefer not to fetch it yourself.
sudo curl -o /var/lib/unbound/root.hints https://www.internic.net/domain/named.root
sudo chown unbound:unbound /var/lib/unbound/root.hints

Secure base config (127.0.0.1:5335)

Written as a drop-in under /etc/unbound/unbound.conf.d/, which the Debian unbound.conf includes. No forward-zone is needed: without one Unbound recurses from the root hints, which is the point of this setup. DNSSEC validation needs a trust anchor; on Debian/Ubuntu the package's own drop-in root-auto-trust-anchor-file.conf already provides it (auto-trust-anchor-file pointing at /var/lib/unbound/root.key), so do not declare it a second time.

sudo tee /etc/unbound/unbound.conf.d/pihole.conf >/dev/null <<'CFG'
server:
  # Listen only on loopback; Pi-hole/dnsmasq on the same host is the sole client.
  interface: 127.0.0.1
  port: 5335
  do-ip4: yes
  # Transport only: AAAA records are still resolved, over IPv4.
  do-ip6: no
  do-udp: yes
  do-tcp: yes
  # Send each server only the labels it needs (RFC 9156).
  qname-minimisation: yes
  prefetch: yes
  prefetch-key: yes
  # Replies for a signed zone that arrive with the DNSSEC data removed are bogus, not insecure.
  harden-dnssec-stripped: yes
  aggressive-nsec: yes
  # Fits the IPv6 minimum MTU without fragmentation (DNS Flag Day 2020 value).
  edns-buffer-size: 1232
  msg-cache-size: 64m
  rrset-cache-size: 128m
  root-hints: "/var/lib/unbound/root.hints"
CFG
# Lint first: a broken drop-in would otherwise take the resolver down on restart.
sudo unbound-checkconf
sudo systemctl enable unbound
# The package starts unbound at install time, so a restart is needed to load the drop-in.
sudo systemctl restart unbound
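A fuller hardened drop-in, as an added example that is not the page's own config: it adds an explicit access-control policy, identity hiding, the harden-* family, DNS-rebinding protection via private-address, and cache sizing, and renders the file from a function so it can be linted before it replaces the running config. It assumes Debian/Ubuntu paths, the packaged root-auto-trust-anchor-file.conf drop-in for the trust anchor, and that no public zone you rely on is supposed to answer with RFC1918 addresses (if one is, add a private-domain line for it). The LISTEN_ADDR/LISTEN_PORT/CONF names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): render, lint and install a
# hardened Unbound drop-in for a loopback-only recursive resolver.
# Assumes Debian/Ubuntu: root hints at /var/lib/unbound/root.hints and the
# trust anchor supplied by the packaged root-auto-trust-anchor-file.conf.
set -u

LISTEN_ADDR=${LISTEN_ADDR:-127.0.0.1}
LISTEN_PORT=${LISTEN_PORT:-5335}
CONF=/etc/unbound/unbound.conf.d/pihole.conf

# Print the drop-in to stdout. Pure function: safe to call without root.
render_conf() {
cat <<EOF
server:
  interface: $LISTEN_ADDR
  port: $LISTEN_PORT
  # Only the local host (the Pi-hole/dnsmasq sidecar) may query; refuse the rest.
  access-control: 127.0.0.0/8 allow
  access-control: 0.0.0.0/0 refuse
  do-ip4: yes
  # Transport only; AAAA records are still resolved.
  do-ip6: no
  do-udp: yes
  do-tcp: yes
  root-hints: "/var/lib/unbound/root.hints"
  # Trust anchor comes from root-auto-trust-anchor-file.conf; do not repeat it.

  # Privacy and spoofing resistance
  qname-minimisation: yes
  # 0x20 case randomisation of queries; set to no if a specific zone misbehaves.
  use-caps-for-id: yes
  hide-identity: yes
  hide-version: yes
  minimal-responses: yes

  # Refuse data that could only have come from a poisoned or tampered path
  harden-glue: yes
  harden-dnssec-stripped: yes
  harden-below-nxdomain: yes
  harden-algo-downgrade: yes
  harden-large-queries: yes
  harden-short-bufsize: yes
  val-clean-additional: yes
  unwanted-reply-threshold: 10000000
  aggressive-nsec: yes

  # DNS-rebinding protection: public answers must never point into these ranges.
  # Resolving internal names to RFC1918 space needs a matching private-domain.
  private-address: 10.0.0.0/8
  private-address: 172.16.0.0/12
  private-address: 192.168.0.0/16
  private-address: 169.254.0.0/16
  private-address: fd00::/8
  private-address: fe80::/10

  # Performance
  edns-buffer-size: 1232
  prefetch: yes
  prefetch-key: yes
  msg-cache-size: 64m
  rrset-cache-size: 128m
  key-cache-size: 16m
  so-rcvbuf: 1m
EOF
}

# Write, lint and activate. A rejected config never reaches a restart.
install_conf() {
  render_conf | sudo tee "$CONF" >/dev/null
  sudo unbound-checkconf || { echo "config rejected, not restarting" >&2; return 1; }
  sudo systemctl restart unbound
}

# Usage: sh hardened-unbound.sh install   (without the argument, only defines functions)
if [ "${1-}" = install ]; then install_conf; fi
```

Run it with the `install` argument to apply; run `render_conf` on its own (for example `sh -c '. ./hardened-unbound.sh; render_conf'`) to review the file, or to diff it against the base config above. After installing, `sudo unbound-checkconf -o auto-trust-anchor-file` should print the root.key path; if it prints nothing, the resolver is not validating and the Debian drop-in is missing.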

Test

# Plain answer: proves the listener and recursion work (dig is in bind9-dnsutils).
dig @127.0.0.1 -p 5335 example.com +short
# +dnssec only asks for RRSIGs; validation is proven by "ad" in the flags line.
dig @127.0.0.1 -p 5335 cloudflare.com +dnssec
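Seeing RRSIGs in a reply does not prove the resolver validates anything; the check a practitioner wants is that a signed zone comes back with the AD flag, that a deliberately broken zone is refused with SERVFAIL, and that the same broken zone answers again with +cd (so the failure is validation, not reachability). The script below, an added example rather than the page's own test, does all three against the listener configured above. It assumes dig is installed, that cloudflare.com is signed (the page already queries it) and that dnssec-failed.org is the public, intentionally broken test zone it is widely used as; the function names and the RESOLVER/PORT variables are this example's own. The self-test runs on constructed dig output, not on captured traffic.

```shell
#!/bin/sh
# Added example (not from the original page): verify that Unbound on
# 127.0.0.1:5335 really validates DNSSEC, not merely that it answers.
# Assumes dig (bind9-dnsutils); cloudflare.com is a signed zone and
# dnssec-failed.org a public zone whose signatures are deliberately broken.

RESOLVER=${RESOLVER:-127.0.0.1}
PORT=${PORT:-5335}

# Extract the RCODE (NOERROR, SERVFAIL, ...) from dig's header line on stdin.
dig_rcode() {
    sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p'
}

# Print "yes" if the AD (Authenticated Data) flag is present in dig's flags line.
dig_has_ad() {
    if sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | tr ' ' '\n' | grep -qx ad; then
        echo yes
    else
        echo no
    fi
}

# One DNSSEC-requesting query; prints "RCODE AD", e.g. "NOERROR yes".
# Extra arguments (such as +cd) are passed through to dig.
query() {
    name=$1; shift
    out=$(dig @"$RESOLVER" -p "$PORT" "$name" A +dnssec +time=5 +tries=1 "$@")
    printf '%s %s\n' "$(printf '%s\n' "$out" | dig_rcode)" \
                     "$(printf '%s\n' "$out" | dig_has_ad)"
}

# The three-way check. Returns non-zero if validation is not actually happening.
verify_dnssec() {
    rc=0
    good=$(query cloudflare.com)
    bogus=$(query dnssec-failed.org)
    bypass=$(query dnssec-failed.org +cd)
    case $good in
        "NOERROR yes") echo "ok   signed zone answered with AD" ;;
        *) echo "FAIL signed zone: got '$good', expected 'NOERROR yes'"; rc=1 ;;
    esac
    case $bogus in
        "SERVFAIL no") echo "ok   bogus zone refused with SERVFAIL" ;;
        *) echo "FAIL bogus zone: got '$bogus'; the resolver is NOT validating"; rc=1 ;;
    esac
    case $bypass in
        NOERROR*) echo "ok   +cd bypasses validation: failure above is validation, not reachability" ;;
        *) echo "FAIL bogus zone with +cd: got '$bypass'; resolver or network problem"; rc=1 ;;
    esac
    return $rc
}

# Offline self-test of the parsers on constructed dig output (not captured from a server).
selftest() {
    good=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
    bad=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
    [ "$(printf '%s\n' "$good" | dig_rcode)" = NOERROR ] &&
    [ "$(printf '%s\n' "$good" | dig_has_ad)" = yes ] &&
    [ "$(printf '%s\n' "$bad" | dig_rcode)" = SERVFAIL ] &&
    [ "$(printf '%s\n' "$bad" | dig_has_ad)" = no ]
}

# Usage: sh check-dnssec.sh verify   (live check)   |   sh check-dnssec.sh selftest
case ${1-} in
    verify) verify_dnssec ;;
    selftest) selftest && echo "parsers ok" ;;
esac
```

If the bogus zone comes back NOERROR, the validator is off: check that the module-config still contains "validator" and that `unbound-checkconf -o auto-trust-anchor-file` prints a key file. If everything fails, including the +cd query, the listener or the root hints are the problem, not DNSSEC.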

Integration: in Pi-hole's DNS settings, set 127.0.0.1#5335 as a custom upstream and untick every other upstream, otherwise Pi-hole keeps sending part of the traffic to them. On OpenWrt, add list server '127.0.0.1#5335' and option noresolv '1' to the dnsmasq section of /etc/config/dhcp, so dnsmasq stops using the resolvers learned from the WAN as well.

See also: Pi-hole: complete guide · Cloudflared DoH