Home Lab: Private DNS
This project was started a few years back, when Netflix was not officially available where I live. I remember there was a television series I wanted to watch legally, and it was available on Netflix. For your information, where I live, when a service provider is not officially supported you land on a page called "Internet Positive". That is the same page you get when you try to access a website blocked by the government.
The idea is simple. When you visit a blocked or unsupported website, the default DNS provided by the ISP returns the address of the Internet Positive webpage instead of the site's real address. If you can get the actual address of that blocked or unsupported website, you can still access it. Previously I tried a VPN. That absolutely worked, but you will not get the full bandwidth your ISP provides, since there are several layers the traffic has to go through before it reaches the target site.
So, why not just change the DNS to an available public DNS, e.g. Google 8.8.8.8, in your DHCP config? When I traced the requests in that scenario, my ISP intercepted them and redirected the DNS request to their own DNS, which follows the government regulation. That easy fix actually still works on several ISPs here, but that was not my case. Standard DNS uses unencrypted communication, which can easily be rerouted to another DNS server without you noticing.
I had a 1st-generation Raspberry Pi B, unused and lying in my drawer, covered in dust. I saw that as the way to satisfy my craving to watch television series on Netflix without compromising the image quality. With the VPN my speed dropped by almost 50%, while at that time my ISP only provided 30 Mbps of bandwidth. Can you feel that?
OK, enough with the background. Let's jump into the execution.
My OS choice fell straight to Debian, since I already used it for the servers of several previous projects, together with the Unbound service. Minimal Raspbian was the perfect choice since it was around 100 MB at that time. The Unbound installation was quite straightforward: just use apt and you are good to go. Now it comes to the configuration.
You need at least two configuration files: one for the service and another one for the zone. But that depends on your taste; actually you can combine them into a single file. My preference is to split them, just to prevent confusion for future me. Place both in "/etc/unbound/unbound.conf.d".
unbound_srv.conf:

```
server:
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    tls-system-cert: yes
    logfile: /var/log/unbound/unbound.log
    tls-upstream: yes
    verbosity: 1
    qname-minimisation: yes
    do-tcp: yes
    do-udp: yes
    rrset-roundrobin: yes
    use-caps-for-id: no
    do-ip6: no
    interface: 0.0.0.0@53
    # this part defines which addresses in your network can access this DNS
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.100/24 allow
```
unbound_zone.conf:

```
# forward zone definition. since you want to secure DNS, enable the forward tls upstream
# the hashtag after the forward address is not a comment. it gives the name that will be
# verified against the server certificate, so a redirection without notice cannot happen
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#one.one.one.one
    forward-addr: 1.0.0.1@853#one.one.one.one
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 8.8.4.4@853#dns.google
```
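To show what the name after the hashtag actually buys you, here is an added example of my own (not from the original post and not Unbound's code): a minimal DNS-over-TLS client that sends the same kind of query Unbound forwards, using Python's default TLS context so the upstream certificate must chain to a trusted CA and match the given name. If a box on the path intercepts port 853 and presents its own certificate, the handshake fails instead of silently handing back a redirected answer. It assumes the 1.1.1.1 / one.one.one.one pair from the zone file above; the wire-format build and parse helpers work offline, only resolve_over_tls needs the network.

```python
import socket
import ssl
import struct

def build_query(name, txid=0x1234):
    """DNS wire-format A query (RD=1) with the 2-byte length prefix used over TCP/TLS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return struct.pack("!H", len(msg)) + msg

def _skip_name(msg, off):
    # return the offset just past the (possibly compressed) name starting at `off`
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def parse_a_records(msg):
    """IPv4 addresses from the answer section of a response (length prefix already removed)."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record; CNAME and others are skipped
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def resolve_over_tls(name, server="1.1.1.1", tls_name="one.one.one.one", port=853):
    """Resolve `name` over DoT; the certificate must validate for `tls_name`, as Unbound's '#name' requires."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check by default
    with socket.create_connection((server, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=tls_name) as tls:
            tls.sendall(build_query(name))
            rfile = tls.makefile("rb")
            (length,) = struct.unpack("!H", rfile.read(2))
            data = rfile.read(length)
            if len(data) != length:
                raise ConnectionError("upstream closed the DoT connection early")
            return parse_a_records(data)
```

A wrong tls_name (or an interceptor's certificate) surfaces as ssl.SSLCertVerificationError before any DNS data is exchanged, which is exactly the failure you want instead of a quiet redirect.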
Once both files are in place, restart the service and you are rolling:

```
sudo service unbound restart
```

I hope this will be useful for future me or someone else out there. Have a nice day!