OpenBSD Home Server - Basic unbound.conf
06 Sep 2020
------------------------------------------------------------------------

Yesterday, I set up Unbound on my OpenBSD home server, and manually set some other devices on the network to use it as their nameserver. So far, so good.

The configuration that I settled on forwards requests to Cloudflare and Quad9 using DNS-over-TLS. That means the requests are encrypted between my server and the upstream DNS server to prevent snooping or tampering. It's not end-to-end encryption, however, since the upstream server still has to (eventually) query the authoritative nameservers using regular DNS. But it's better than nothing.

There are still a few things left to do:

- Figure out a way to get everything on my network to use my DNS server without having to manually configure them all. Since AT&T's gateway doesn't let you specify a DNS server, it's probably going to involve some DHCP shenanigans.
- Set up a blocklist, so Unbound returns invalid responses for ad servers and malware sites.

But in the meantime, here's the current Unbound config file:

---

```
# /var/unbound/etc/unbound.conf
server:
    # Listen on all interfaces.
    interface: 0.0.0.0
    interface: ::0

    # Answer IPv4 requests from localhost and the local network.
    access-control: 192.168.1.0/24 allow
    access-control: 127.0.0.0/8 allow

    # Answer IPv6 requests from localhost (for now).
    access-control: ::1 allow

    # Cert bundle to use for DNS over TLS.
    tls-cert-bundle: "/etc/ssl/cert.pem"

    # Set the initial trust anchor for DNSSEC, and log validation
    # errors.
    auto-trust-anchor-file: "/var/unbound/db/root.key"
    val-log-level: 2

    # Use cached NSEC records to generate negative responses.
    aggressive-nsec: yes

# Enable use of the unbound-control CLI tool.
remote-control:
    control-enable: yes
    control-interface: /var/run/unbound.sock

# Forward all requests to some upstream nameservers using DNS-over-TLS.
# Unbound will spread its requests around between each of the configured
# forward-addrs.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Cloudflare DNS
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
    # Quad9
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    forward-addr: 2620:fe::fe@853#dns.quad9.net
    forward-addr: 2620:fe::9@853#dns.quad9.net
```
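A small lint for the settings above that actually carry the security guarantees: every forward-addr must use port 853 with a `#authname`, a CA bundle must be present so that name is verified, a trust anchor must be configured for DNSSEC, and access-control must never allow the whole Internet while the daemon listens on every interface. This is an added example, not part of the original post or of Unbound; the embedded config is a constructed, trimmed copy of the one above.

```python
import re

SAMPLE_CONF = """\
# constructed sample mirroring the post's unbound.conf (IPv6 lines trimmed)
server:
    interface: 0.0.0.0
    access-control: 192.168.1.0/24 allow
    tls-cert-bundle: "/etc/ssl/cert.pem"
    auto-trust-anchor-file: "/var/unbound/db/root.key"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com   # Cloudflare
    forward-addr: 9.9.9.9@853#dns.quad9.net        # Quad9
"""

def parse(conf):
    """Return {section: [(key, value), ...]}; '#' starts a comment only after whitespace,
    so the '#authname' suffix of a forward-addr survives."""
    sections, current = {}, None
    for raw in conf.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):   # e.g. "server:"
            current = line[:-1]
            continue
        key, _, value = line.strip().partition(":")
        sections.setdefault(current, []).append((key.strip(), value.strip().strip('"')))
    return sections

def lint(conf):
    """Return findings about the DoT/DNSSEC setup; an empty list means all checks pass."""
    s, findings = parse(conf), []
    server, fz = s.get("server", []), s.get("forward-zone", [])
    vals = lambda sec, k: [v for key, v in sec if key == k]
    # Listening on every interface is only safe if access-control never allows the world.
    for ac in vals(server, "access-control"):
        net, _, action = ac.partition(" ")
        if net in ("0.0.0.0/0", "::/0") and action.strip() == "allow":
            findings.append(f"open resolver: access-control {ac}")
    # Each upstream needs @853 and a #authname, and a CA bundle to verify that name.
    if vals(fz, "forward-tls-upstream") != ["yes"]:
        findings.append("forward-tls-upstream is not 'yes'")
    if not vals(server, "tls-cert-bundle"):
        findings.append("tls-cert-bundle missing: upstream certificates are not verified")
    for addr in vals(fz, "forward-addr"):
        if not re.fullmatch(r"[^@#\s]+@853#\S+", addr):
            findings.append(f"forward-addr lacks @853#<authname>: {addr}")
    if not vals(server, "auto-trust-anchor-file"):   # no anchor, no DNSSEC validation
        findings.append("auto-trust-anchor-file missing: DNSSEC validation is off")
    return findings
```

Run `lint(open("/var/unbound/etc/unbound.conf").read())` on the real file; the checks mirror what Unbound itself requires for the `#authname` to be verified, but they are a pre-flight complement to `unbound-checkconf`, not a replacement for it.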