Install Unbound for local network lookups

I am running a local server for some private websites. The problem is that from within the local network I cannot look up the public DNS entries that are set for these websites: my router does not know how to route a request for the public address back to the server on the LAN. I used to solve this by creating a separate DNS entry with an l. prefix for every domain name. Recently I found that you can run a DNS server that is only used locally and that answers lookups for these names with the local IP address instead of the public one. Unbound is a DNS resolver which can provide this. It is a validating, recursive, caching resolver: it resolves every query normally and only answers differently for the names that are explicitly configured to point to the local address. Below I have described manual installation and installation using the apt-get package manager on Raspbian.

Installing

Manually from source

I am running a server with Archlinux, which did not provide a package, so I had to install it manually. I used the following commands (as root):

cd /tmp
wget https://unbound.net/downloads/unbound-latest.tar.gz
# unpack the tarball and build from inside the source directory
tar xzf unbound-latest.tar.gz
cd unbound-*/
# --with-pidfile makes the default PID file match the systemd unit
./configure --prefix=/usr --sysconfdir=/etc --with-pidfile=/run/unbound.pid
make
make install

This will compile unbound and install the daemon and its helper tools into /usr/sbin (on Archlinux /usr/sbin is a symlink to /usr/bin, so /usr/bin/unbound is the same file) and its configuration into /etc/unbound. Before building, verify the downloaded tarball against the checksum and PGP signature that NLnet Labs publishes next to the release; a resolver is a poor place to run an unverified binary.

Service on Archlinux

With the manual installation I also needed to define a service to start and stop unbound. I created the file /usr/lib/systemd/system/unbound.service (units you write yourself belong in /etc/systemd/system; /usr/lib/systemd/system is meant for files owned by packages, so use the former on a new setup):

[Unit]
Description=Unbound DNS Resolver
After=network.target

[Service]
# unbound is started as root: it has to bind port 53 and set up its chroot,
# after which it drops privileges to the user named in unbound.conf.
PIDFile=/run/unbound.pid
# refuse to (re)start with a broken configuration file
ExecStartPre=/usr/bin/unbound-checkconf
# -d keeps unbound in the foreground so systemd can supervise it
ExecStart=/usr/bin/unbound -d
ExecReload=/bin/kill -HUP $MAINPID
Restart=always

[Install]
WantedBy=multi-user.target

Unbound drops privileges after start-up to the account named by the username setting, which defaults to unbound, so that account has to exist. I added it as a system user with no home directory and no login shell:

useradd -r -M -s /usr/bin/nologin unbound

Using apt-get

apt-get install unbound

The Debian package takes care of the unbound user, the systemd unit and the root trust anchor in /var/lib/unbound/root.key, so on Raspbian only the configuration below is needed.

Configuration

I placed two configuration files in the /etc/unbound folder. They configure unbound to listen on all addresses of the server and to accept DNS requests from the local network (in my case 192.168.1.0/24) and from localhost; every other source address is refused, which is unbound's default for addresses without an access-control entry. The main file includes a second file that defines the static internal IP addresses for the domain names which are hosted locally.

Two things to check on a source build: the trust-anchor file must exist and be writable by the unbound user (create it with unbound-anchor -a /var/lib/unbound/root.key), and the compiled-in default is to chroot into the configuration directory, /etc/unbound, which the key path above lies outside of. The configuration therefore disables the chroot explicitly; unbound still drops privileges to the unbound user. If the server also has a public address, binding only the LAN address (interface: 192.168.1.1) instead of 0.0.0.0 keeps the resolver off the internet entirely instead of relying on access-control alone.

In the included file, local-zone with type transparent tells unbound that names under example.com. are resolved normally unless a local-data entry exists for them; local-data defines such an exception, here answering foo.example.com with its LAN address. If names under the zone that have no local-data entry should fail instead of falling through to the public DNS, use type static.

/etc/unbound/unbound.conf
server:
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # The key above lives outside the default chroot directory (/etc/unbound
    # on a source build), so the chroot is disabled; privileges are still
    # dropped to the unbound user.
    chroot: ""

    include: "/etc/unbound/localnetwork.conf"
    # listen on every address of the server
    interface: 0.0.0.0
    # answer the LAN and localhost only; everything else is refused (the default)
    access-control: 192.168.1.0/24 allow
    access-control: 127.0.0.0/8 allow

/etc/unbound/localnetwork.conf
    # resolve example.com normally, except for the names listed below
    local-zone: "example.com." transparent
    local-data: "foo.example.com. IN A 192.168.1.1"

In order for the server itself to also use these addresses I updated /etc/resolv.conf to point at this DNS server (127.0.0.1 works as well, since unbound listens on all addresses):

nameserver 192.168.1.1

On a host where DHCP, NetworkManager or resolvconf manages /etc/resolv.conf this edit is overwritten, so configure the resolver there instead. Other machines on the LAN use the server once the router's DHCP hands out 192.168.1.1 as the DNS server. To check the result, run unbound-checkconf after editing the files and compare dig @192.168.1.1 foo.example.com with the same query against a public resolver: the first must return 192.168.1.1, the second the public address.
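To keep the override file in step with a growing list of private sites, here is an added example, written for this page and not code from the original post or from the Unbound project: a POSIX shell script that generates localnetwork.conf entries from a list of "name address" pairs, rejecting names outside the zone so that a typo cannot silently override an unrelated domain for every client on the LAN, plus helpers that syntax-check the configuration and query the resolver to confirm a name resolves to its LAN address. The host list, the function names and the paths are constructed for the example; the generator prints to stdout so the result can be reviewed before being written to /etc/unbound/localnetwork.conf.

```shell
#!/bin/sh
# Added example for the split-horizon setup above; not part of the original
# post or of Unbound. Host names and addresses below are constructed.

# gen_local_conf ZONE HOSTS
#   ZONE  : public domain to override, without trailing dot (e.g. example.com)
#   HOSTS : newline-separated "<fqdn> <ipv4>" pairs
# Emits one transparent local-zone statement followed by one local-data
# record per host. Names outside ZONE are reported on stderr and skipped, so
# a typo cannot quietly hijack some other domain for every client on the LAN.
gen_local_conf() {
    zone=$1
    hosts=$2
    printf 'local-zone: "%s." transparent\n' "$zone"
    printf '%s\n' "$hosts" | while read -r name addr; do
        if [ -z "$name" ]; then
            continue                      # blank line
        fi
        name=${name%.}                    # accept names with or without a trailing dot
        case $name in
            "$zone"|*."$zone") ;;         # inside the zone: keep
            *) echo "skipping $name: not inside $zone" >&2; continue ;;
        esac
        printf 'local-data: "%s. IN A %s"\n' "$name" "$addr"
    done
}

# check_conf FILE
#   Syntax-check an unbound configuration (normally /etc/unbound/unbound.conf,
#   which includes the generated file) with unbound-checkconf when it is
#   installed; returns its exit status, or 0 with a notice when it is absent.
check_conf() {
    if command -v unbound-checkconf >/dev/null 2>&1; then
        unbound-checkconf "$1"
    else
        echo "unbound-checkconf not installed, skipping syntax check" >&2
    fi
}

# verify_override SERVER NAME EXPECTED
#   Ask SERVER for NAME and succeed only if the first A record is EXPECTED.
#   Run it once against the local resolver (expect the LAN address) and once
#   against a public resolver (expect the public address) to confirm that the
#   override really is limited to the LAN.
verify_override() {
    got=$(dig +short @"$1" "$2" A | head -n 1)
    [ "$got" = "$3" ]
}

# Demo with constructed input: print the generated file instead of
# installing it, so the result can be reviewed first. The last host is
# outside the zone on purpose and is reported on stderr.
gen_local_conf example.com 'foo.example.com 192.168.1.1
www.example.com 192.168.1.1
mail.example.com 192.168.1.5
oops.example.org 192.168.1.9'
```

Once the printed output looks right, redirect it into /etc/unbound/localnetwork.conf, run check_conf /etc/unbound/unbound.conf, reload unbound, and call verify_override 192.168.1.1 foo.example.com 192.168.1.1 followed by the same query against a public resolver with the public address as the expected value.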