|
16 | 16 | 🔸 `Recursive` resolving from the root. **No** forwarding to other resolvers. |
17 | 17 | 🔸 Redis backend database for `persistent` cache. Works as second level cache. |
18 | 18 | 🔸 Network wide `Ads and Trackers` block. **No** pi-hole/adguard. **No** extra hop to resolve DNS. |
19 | | -🔸 Unbound `dashboard` is available at [unbound-dashboard](https://github.com/ar51an/unbound-dashboard). (_Optional_) |
| 19 | +🔸 Unbound `dashboard` is available at [unbound-dashboard](https://github.com/ar51an/unbound-dashboard). (_Optional_) |
| 20 | +🔸 Refer to `release.md` for changes and update. |
20 | 21 |
|
21 | 22 | #### Prerequisite: |
22 | | -* Unbound compilation and installation is validated on `RaspiOS/Debian`. `Post Install` startup service and scripts are reused from RaspiOS bullseye, they may require modification for other linux distributions. |
| 23 | +* Unbound compilation and installation is validated on `RaspberryPi OS/Debian`. `Post Install` startup service and scripts may require modification for other linux distributions. |
23 | 24 | * If unbound package is installed. Take a backup of current `unbound.conf`. Remove unbound package completely: |
24 | 25 |
|
25 | 26 | > `sudo apt --purge autoremove unbound` |
26 | 27 |
|
27 | 28 | #### Specs: |
28 | 29 | > |Unbound |OS |HW | |
29 | 30 | > |:-------|:----------------------------|:-----------------------| |
30 | | -> |`1.17.1`|`raspios-bullseye-arm64-lite`|`Raspberry Pi 4 Model B`| |
| 31 | +> |`1.19.0`|`raspios-bookworm-arm64-lite`|`Raspberry Pi 4 Model B`| |
31 | 32 |
|
32 | 33 | # |
33 | 34 | ### Steps |
34 | 35 | 🔸 Redis ➜ Unbound ➜ Post Install ➜ Config ➜ Timers & Services ➜ Blocklist ➜ Start |
35 | 36 | #### ❯ Redis |
36 | 37 | 🔸 Install ➜ Config |
37 | 38 | * **Install:** |
38 | | - There are 2 options **either** install redis (6.0.16) from RaspiOS bullseye **or** install redis (7.0.*) from RaspiOS bullseye backports. |
39 | | - * Install redis **(6.0.16)** from raspios bullseye: |
40 | | - > `sudo apt install redis-server` |
41 | | -
|
42 | | - * Install redis **(7.0.*)** from raspios bullseye backports: |
43 | | - > Enable backports. Edit sources list: |
44 | | - > `sudo nano /etc/apt/sources.list` |
45 | | - > Add backports source at the end: |
46 | | - > `deb http://deb.debian.org/debian bullseye-backports main` |
47 | | -
|
48 | | - > Install redis: |
49 | | - > `sudo apt install redis-server/bullseye-backports` |
| 39 | + > `sudo apt install redis-server` |
50 | 40 |
|
51 | 41 | * **Config:** |
52 | 42 | An optimized `redis.conf` for unbound is available in the release under `config` dir. Default _redis.conf_ from redis **7.0.*** is used as base config for the provided config. Some of the options may not be available or may be different if you are on an earlier version of redis. You can use _redis.conf_ **either** from the release **or** your preferred one. |
53 | 43 |
|
54 | | - If you installed redis **7.0.*** and going to use the provided _redis.conf_, below steps can be helpful: |
| 44 | + To use the provided _redis.conf_, below steps can be helpful: |
55 | 45 | > Edit redis config: |
56 | 46 | > `sudo nano /etc/redis/redis.conf` |
57 | 47 | > Delete everything in default redis config: |
58 | 48 | > `Ctrl+6` `Alt+t` `Ctrl+6` |
59 | 49 | > Copy and paste the provided `redis.conf`. Save and exit nano |
60 | 50 |
|
61 | 51 | > `ℹ️` **Note:** |
62 | | - > Provided `redis.conf` is tweaked after some thorough testing in small network. Like 8mb maxmemory has pretty optimal performance with enough cache and evict least recently used keys. Similarly snapshotting is used to save keys to database, current option will save after 2hrs if atleast 100 new keys were added or after 12hrs if at least 1 new key is added. Reboot will save database as long as snapshotting is enabled. Feel free to change them as preferred. |
63 | | -
|
64 | | -* **Startup Warning:** |
65 | | - For redis **7.0.*** from `backports`. Modify services to fix journal `⚠️` warning on redis startup. |
66 | | - > Edit: `sudo nano /usr/lib/systemd/system/redis-server.service` |
67 | | - > Edit: `sudo nano /usr/lib/systemd/system/redis-server@.service` |
68 | | - > Remove/Comment lines starting with `NoExecPaths` and `ExecPaths` from both above services |
69 | | - > Restart redis: `sudo systemctl restart redis-server` |
| 52 | + > Provided `redis.conf` is tweaked after some thorough testing in small network. Like 4mb maxmemory has pretty optimal performance with enough cache and evict least recently used keys. Similarly snapshotting is used to save keys to database, current option will save after 2hrs if atleast 100 new keys were added or after 12hrs if at least 1 new key is added. Reboot will save database as long as snapshotting is enabled. Feel free to change them as preferred. |
70 | 53 |
|
71 | 54 | <div align="center"> |
72 | 55 | <img src="https://user-images.githubusercontent.com/11185794/205388020-99c057ad-ee9d-440b-8df9-587f5c133f2e.png?raw=true" alt="divider"/> |
|
81 | 64 | > ``` |
82 | 65 |
|
83 | 66 | * **Extract:** |
84 | | - [Download](https://github.com/NLnetLabs/unbound/archive/refs/tags/release-1.17.1.tar.gz) and extract unbound. |
| 67 | + [Download](https://github.com/NLnetLabs/unbound/archive/refs/tags/release-1.19.0.tar.gz) and extract unbound. |
85 | 68 | > Extract: |
86 | | - > `tar -xvzf unbound-release-1.17.1.tar.gz` |
| 69 | + > `tar -xvzf unbound-release-1.19.0.tar.gz` |
87 | 70 |
|
88 | 71 | * **CFLAGS:** |
89 | 72 | Remove debugging information, otherwise unbound binary size will be much larger. |
90 | 73 | > Set CFLAG: |
91 | 74 | > `export CFLAGS="-O2"` |
92 | 75 |
|
93 | 76 | > `ℹ️` **Note:** |
94 | | - > Unbound `1.17.1` binary size comparison: |
| 77 | + > Unbound binary size comparison: |
95 | 78 | >  ➟ _Debian Bookworm Prebuilt_ `Without Cachdb Module` |
96 | 79 | >  ➟ _Compiled Without Debug Info_ `With Cachdb Module` |
97 | 80 | >  ➟ _Compiled With Debug Info_ `With Cachdb Module` |
|
118 | 101 | > Run: `sudo ./post-install.sh` |
119 | 102 |
|
120 | 103 | > `ℹ️` **Note:** |
121 | | - > Startup service and scripts are reused from unbound package in RaspiOS bullseye. `root.hints` is downloaded from `internic`, it will be automated through systemd timer. |
| 104 | + > Startup service and scripts are reused from unbound package in RaspberryPi OS Bookworm. `root.hints` is downloaded from `internic`, it will be automated through systemd timer. |
122 | 105 | * Alternatively, create user manually and use your preferred startup service and scripts. |
123 | 106 |
|
124 | 107 | <div align="center"> |
|
260 | 243 |
|
261 | 244 | # |
262 | 245 | #### ❯ `ℹ️` Tips & Notes |
| 246 | +* **Enable Redis Unix Socket:** |
| 247 | + Unbound **(1.18.0)** added the option to connect to redis server over unix socket. It has better throughput. Follow below steps to enable unix socket connection between unbound and redis: |
| 248 | + * Redis config: |
| 249 | + > Edit: `sudo nano /etc/redis/redis.conf` |
| 250 | +
|
| 251 | + > Add options: |
| 252 | + > `unixsocket /var/run/redis/redis.sock` |
| 253 | + > `unixsocketperm 707` |
| 254 | +
|
| 255 | + > Restart redis: |
| 256 | + > `sudo systemctl restart redis-server` |
| 257 | +
|
| 258 | + * Unbound config: |
| 259 | + > Edit: `sudo nano /etc/unbound/unbound.conf` |
| 260 | +
|
| 261 | + > Modify under **`cachedb:`** tag: |
| 262 | + > > Add: |
| 263 | + > > `redis-server-path: "/var/run/redis/redis.sock"` |
| 264 | + > > Comment out: |
| 265 | + > > `#redis-server-host: 127.0.0.1` |
| 266 | + > > `#redis-server-port: 6379` |
| 267 | +
|
| 268 | + > Restart unbound: |
| 269 | + > `sudo systemctl restart unbound` |
| 270 | +
|
| 271 | + > `ℹ️` **Note:** |
| 272 | + > In order to use more restrictive option `unixsocketperm 770` in `redis.conf`, add unbound user to redis group. |
| 273 | + > Redis connectivity on TCP can be turned off with option `port 0` in redis.conf. When redis is not listening on TCP, specify socket path in cli cmds `redis-cli -s /var/run/redis/redis.sock` |
| 274 | +
|
263 | 275 | * **Resolver Configuration:** |
264 | | - Make sure `/etc/resolv.conf` has only one name server. |
265 | | - > `nameserver <RaspberryPi-IP>` **or** `nameserver 127.0.0.1` |
| 276 | + Make sure `/etc/resolv.conf` has only RaspberryPi IP name servers. `NetworkManager` in RaspberryPi OS Bookworm will make this change automatically if your router's LAN DNS is pointing to Raspberry Pi IP. |
| 277 | + > `nameserver <RaspberryPi-IP>` |
266 | 278 |
|
267 | 279 | * **Add LAN DNS:** |
268 | 280 | According to your router, change LAN DNS to Raspberry Pi IP. DNS setting under internet setup is WAN DNS, it is not same as LAN DNS. If router permits to change LAN DNS, it is usually under LAN setup. |
269 | 281 |
|
270 | 282 | * **Troubleshoot Blocked Domain:** |
271 | | - Below configuration logs only blocked domains, using that you can find domain causing the issue. |
| 283 | + Below option logs blocked domains, using that you can find domain causing the issue. |
272 | 284 | > Edit: `sudo nano unbound.conf` |
273 | | - > Set: `verbosity: 1` and `log-local-actions: yes` |
| 285 | + > Set: `log-local-actions: yes` |
274 | 286 |
|
275 | 287 | * **Block Selective:** |
276 | 288 | Specific domains can be blocked for specific IPs with tag options. It works on top of existing ads and trackers block. Provided `unbound.conf` has selective block configuration commented out under `|Block|`. If interested uncomment it and replace the IPs and domains. |
|
299 | 311 |
|
300 | 312 | After uninstall all the `Post Install` and `Timers & Services` steps can be easily reverted by running `post-remove.sh` provided in the release. |
301 | 313 | > `sudo ./post-remove.sh` |
302 | | -
|
303 | | -* **Update Unbound:** |
304 | | - Refer `UPDATE.md` for updating Unbound. |
305 | 314 | </div> |
0 commit comments