Running a local caching DNS resolver can noticeably speed up a server that performs many lookups. Shared web servers and mail servers benefit most, since they resolve a hostname for nearly every connection, RBL check or SPF lookup. These instructions are written for Ubuntu 18 but should work, with small changes, on other systemd-based Linux distributions.
Step 1, install Unbound
sudo apt install unbound
Step 2, configure Unbound
We prefer the configuration below; change it if your situation requires. A few points worth knowing before you copy it: interface: 127.0.0.1 means only processes on this host can reach Unbound, so the access-control lines for 10.0.0.0/8 and 192.168.0.0/16 only take effect if you also add an interface line for a LAN address. cache-min-ttl: 300 makes Unbound keep every record for at least five minutes regardless of the TTL the zone publishes, so a DNS change made elsewhere can take up to five minutes to be seen here. The forward-zone sends every query to the public resolvers listed instead of resolving iteratively from the root; that is fast and only needs outbound port 53 to those hosts, but it means you trust those operators with all of your queries, and qname-minimisation has no effect because the full name is sent to the forwarder anyway. Remove the forward-zone block to make Unbound a full recursive resolver. Unbound also chooses among several forward-addr entries by measured round-trip time, not strictly in the order listed.
sudo nano /etc/unbound/unbound.conf
server:
  access-control: 10.0.0.0/8 allow
  access-control: 127.0.0.0/8 allow
  access-control: 192.168.0.0/16 allow
  cache-max-ttl: 14400
  cache-min-ttl: 300
  hide-identity: yes
  hide-version: yes
  interface: 127.0.0.1
  minimal-responses: yes
  num-threads: 4
  prefetch: yes
  qname-minimisation: yes
  rrset-roundrobin: yes
  use-caps-for-id: yes
  verbosity: 1
  do-ip6: no
forward-zone:
  name: "."
  forward-addr: 1.1.1.1 # Cloudflare
  forward-addr: 9.9.9.9 # Quad9
  forward-addr: 4.2.2.4 # Level(3)
  forward-addr: 129.250.35.250 # NTT
  forward-addr: 64.6.64.6 # Verisign
  forward-addr: 216.146.36.36 # Dyn Public
  forward-addr: 74.82.42.42 # Hurricane Electric
  forward-addr: 208.67.222.222 # OpenDNS
Step 3, add a resolv.conf reset script
Several things, systemd-resolved and DHCP clients among them, can rewrite /etc/resolv.conf, so we create a script that runs at boot and periodically while the system is up, keeping our nameserver preferences in effect. The /scripts directory does not exist by default, so create it first (mkdir -p /scripts, as root), then:
sudo nano /scripts/resolvreset.sh
#!/bin/bash
# Rewrite /etc/resolv.conf so the local Unbound instance is asked first.
echo "options timeout:1" > /etc/resolv.conf      # wait at most 1 s per nameserver before trying the next
echo "nameserver 127.0.0.1" >> /etc/resolv.conf  # Unbound
echo "nameserver 8.8.8.8" >> /etc/resolv.conf    # fallback, only used if Unbound does not answer
The first line, options timeout:1, tells the glibc stub resolver (the code behind getaddrinfo in every program on the box) to wait at most one second for a reply from a nameserver before moving on to the next one in the list; the default is five seconds. The stub resolver always tries nameservers in the order listed, so 127.0.0.1 (Unbound) serves every query and 8.8.8.8 only sees traffic when Unbound fails to respond within the timeout. The fallback is there so that a broken Unbound configuration cannot leave a remote server or VPS without name resolution, which would make it hard to get back in and fix. The trade-off is worth stating: while Unbound is down, every lookup first waits the full second and then goes to Google in the clear, bypassing the cache entirely, so the fallback is a safety net rather than a second cache.
Step 4, delete resolv.conf
On Ubuntu 18, /etc/resolv.conf is not a regular file but a symlink to a stub file under /run/systemd/resolve/ that systemd-resolved maintains, so the first step is to remove that symlink; our script then creates a plain file in its place.
sudo rm /etc/resolv.conf
Step 5, apply our resolv.conf
Let's enable the nameserver changes we made:
sudo sh /scripts/resolvreset.sh
We want these changes re-applied at boot and periodically, so add the following lines to root's crontab (sudo crontab -e), since the script must be able to write to /etc:
@reboot sleep 20 && sh /scripts/resolvreset.sh >/dev/null 2>&1
*/15 * * * * sh /scripts/resolvreset.sh >/dev/null 2>&1
Step 6, disable systemd-resolved
systemd-resolved is the service that was maintaining the resolv.conf symlink and answering on 127.0.0.53; if left running it will keep trying to take resolution back, so stop it and make sure it does not return on reboot.
sudo systemctl disable systemd-resolved.service
sudo systemctl stop systemd-resolved.service
Step 7, enable Unbound
Now that everything else is in place, restart Unbound with the new configuration and make sure it starts on boot. Run unbound-checkconf first: it parses the file and reports the line of any mistake, which is far better than discovering a typo when Unbound refuses to start and every lookup falls through to 8.8.8.8.
sudo service unbound restart
sudo systemctl enable unbound
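The following is an added example, not part of the original post: a hardened drop-in for the /scripts/resolvreset.sh script from steps 3 and 5. It writes resolv.conf atomically, leaves the file alone when nothing has changed (so the 15-minute cron job stays quiet), parses the resulting file to report which nameserver is first, and probes Unbound before pointing the stub resolver at it. Assumptions that are mine rather than the page's: the target path is passed as an argument so the functions can be exercised against a temporary file, example.com is the probe name, dig comes from the dnsutils package, and demoting 127.0.0.1 behind the fallback while Unbound is not answering is a policy choice the original script does not make.

```shell
#!/bin/sh
# Added example (not from the original post): hardened replacement for
# /scripts/resolvreset.sh. Compared with the page's three-line script it
#   - writes atomically (temp file + mv), so no reader sees a half-written file
#   - only replaces the file when the content differs
#   - probes Unbound first and, if it is not answering, lists the fallback
#     first (assumed policy; the page keeps the order fixed)
# Assumptions: target path is an argument; example.com is the probe name;
# dig is installed from dnsutils.
set -u

# Print resolv.conf content for the nameservers given, in preference order.
# "options timeout:1" is the page's setting: 1 s per nameserver before the
# stub resolver moves on to the next one.
render_resolv_conf() {
    printf 'options timeout:1\n'
    for ns in "$@"; do
        printf 'nameserver %s\n' "$ns"
    done
}

# Print the first nameserver listed in the resolv.conf at $1 (empty if none).
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# Atomically write resolv.conf at $1 for nameservers $2..; prints "changed"
# or "unchanged". A symlink at $1 (systemd-resolved's stub file) is replaced
# by a regular file rather than written through.
write_resolv_conf() {
    target=$1; shift
    tmp=$(mktemp "${target}.XXXXXX") || return 1
    render_resolv_conf "$@" > "$tmp"
    if [ -f "$target" ] && [ ! -L "$target" ] && cmp -s "$tmp" "$target"; then
        rm -f "$tmp"
        echo unchanged
        return 0
    fi
    [ -L "$target" ] && rm -f "$target"
    chmod 644 "$tmp" && mv -f "$tmp" "$target" && echo changed
}

# Return 0 if Unbound on 127.0.0.1 replies within a second. Any reply counts,
# even SERVFAIL: this is a liveness check, not a correctness check. Without
# dig we cannot probe, so assume Unbound is up.
unbound_answers() {
    command -v dig >/dev/null 2>&1 || return 0
    dig +short +time=1 +tries=1 @127.0.0.1 example.com A >/dev/null 2>&1
}

main() {
    target=$1
    if unbound_answers; then
        write_resolv_conf "$target" 127.0.0.1 8.8.8.8
    else
        logger -t resolvreset "unbound not answering on 127.0.0.1; fallback listed first" 2>/dev/null
        write_resolv_conf "$target" 8.8.8.8 127.0.0.1
    fi
    echo "first nameserver now: $(first_nameserver "$target")"
}

# Run only when a target path is given, e.g.
#   sudo sh /scripts/resolvreset.sh /etc/resolv.conf
# so that sourcing the file for tests never touches the live resolv.conf.
if [ "$#" -gt 0 ]; then
    main "$1"
fi
```

With this version the two crontab lines pass the path explicitly (sh /scripts/resolvreset.sh /etc/resolv.conf). To confirm the cache is actually doing its job after step 7, run dig example.com @127.0.0.1 twice and compare the "Query time" lines: the second answer should come back in 0 msec.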