RIY

Run IT Yourself!

resolver

Intro



DNS is at the heart of the Internet: whenever we click a link or use an app, there is DNS resolution going on in the background. A DNS resolver translates domain names that humans can understand and remember into IP addresses, which are much more computer friendly.

Running your own DNS resolver has always been an easy job, yet it has scared many people away from doing it. It's literally as easy as installing and starting a small piece of software such as Unbound.

In this example we'll be using Unbound, as mentioned above, which is multi-platform, free and open-source software. We'll set it up on the local computer, in other words the localhost or, in IP parlance… 127.0.0.1.


Windows Setup



In Windows open your browser and go to http://unbound.net/download.html and download the EXE file.

Once downloaded proceed with the installation; as usual it's a Next-Next-Finish procedure, no need to modify the defaults. By the end of it your local DNS resolver will be up and running.

To double-check that the resolver is listening for requests we can use the netstat and nslookup commands as per the picture below.

If you don't get the expected results it's better to stop as you may end up with broken name resolution on your machine.

Now you need to ask your OS to use it instead of the old name server supplied either via DHCP or manually. Open up your network settings, modify the IPv4 settings and input 127.0.0.1 in the DNS server field.

Aaand you're pretty much done, enjoy navigating the Internet with your own personal DNS resolver!


Linux Setup



Setting up a resolver on Linux is as easy if not easier. In this example I'm using CentOS 7.

First let's install the same software as above: unbound.

yum -y install unbound

Now let's check that nothing is already listening on 127.0.0.1:53 (TCP or UDP), as that would create problems.

netstat -ltun | grep 127.0.0.1:53

If netstat returns nothing, we're good to go. Let's start the service and enable it at boot time.

systemctl start unbound
systemctl enable unbound

Let's check that name resolution works; this can be done via the dig or host commands from the bind-utils package.

host www.riy.ro 127.0.0.1

The command above should return a valid IP address to which www.riy.ro resolves, e.g.

Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases: 

www.riy.ro is an alias for riy.ro.
riy.ro has address 217.19.15.108

If you don't get the expected results it's better to stop as you may end up with broken name resolution on your machine.

Now it's time to instruct the OS to use our new resolver. This can be done either via the NetworkManager UI or the command line.

Using the NetworkManager UI is very simple, right-click the applet and click on Edit Connections. Choose the desired connection, click Edit, set the Method to “Automatic (DHCP) addresses only” and in the DNS servers field put 127.0.0.1, like in the image below.

If you prefer the command line, then just edit /etc/sysconfig/network-scripts/ifcfg-eno1 (or whichever file belongs to your interface) and modify it so that the only instance of PEERDNS is set to “no” and the only DNS1 entry is set to 127.0.0.1, like below.

PEERDNS=no
DNS1=127.0.0.1

Now restart your network and /etc/resolv.conf should contain only “nameserver 127.0.0.1”.
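The three sanity checks from the Windows and Linux sections above (is something listening on 127.0.0.1:53, does the local resolver actually answer, does resolv.conf point only at 127.0.0.1) can be scripted. The script below is an added example, not part of the original page or of Unbound; its functions take command output as text, so it can be dry-run on constructed samples, and with --live it runs netstat, host and cat on the current machine (assumed to be a Linux box with bind-utils installed). The netstat parser also copes with the Windows netstat -an layout, since both print the local address as 127.0.0.1:53.

```shell
#!/bin/sh
# Added example (not from the original page): post-install checks for a local resolver.

# Return 0 if a netstat/ss listing shows something bound to 127.0.0.1:53.
# Matches both `netstat -ltun` (Linux) and `netstat -an` (Windows) output.
port53_in_use() {
    printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])127\.0\.0\.1:53([[:space:]]|$)'
}

# Print the first IPv4 address in `host NAME 127.0.0.1` output; return 1 if none.
host_address() {
    addr=$(printf '%s\n' "$1" | sed -n 's/^.* has address \([0-9][0-9.]*\)$/\1/p' | head -n 1)
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
}

# Return 0 only if `host` reports that 127.0.0.1#53 answered, i.e. the reply
# really came from the local resolver and not from some other server.
answered_by_localhost() {
    printf '%s\n' "$1" | grep -q '^Address: 127\.0\.0\.1#53$'
}

# Return 0 if the resolv.conf text has exactly one nameserver line, 127.0.0.1.
resolv_only_localhost() {
    ns=$(printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }' | tr '\n' ' ')
    [ "$ns" = "127.0.0.1 " ]
}

# Run all three checks on the given texts (netstat listing, host output,
# resolv.conf); print one line per check and return 0 only if all pass.
run_checks() {
    rc=0
    if port53_in_use "$1"; then echo "PASS: a resolver is listening on 127.0.0.1:53"
    else echo "FAIL: nothing is listening on 127.0.0.1:53"; rc=1; fi
    if answered_by_localhost "$2" && addr=$(host_address "$2"); then
        echo "PASS: local resolver answered, address $addr"
    else echo "FAIL: no usable answer from 127.0.0.1"; rc=1; fi
    if resolv_only_localhost "$3"; then echo "PASS: resolv.conf uses only nameserver 127.0.0.1"
    else echo "FAIL: resolv.conf is empty or still lists other nameservers"; rc=1; fi
    return $rc
}

# Constructed sample output for the dry run (the host output mirrors the page's example).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
udp        0      0 127.0.0.1:53            0.0.0.0:*'
SAMPLE_HOST='Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

www.riy.ro is an alias for riy.ro.
riy.ro has address 217.19.15.108'
SAMPLE_RESOLV='# Generated by NetworkManager
nameserver 127.0.0.1'

if [ "${1:-}" = "--live" ]; then
    # Real checks on this machine: needs netstat (net-tools) and host (bind-utils).
    run_checks "$(netstat -ltun 2>/dev/null)" "$(host www.riy.ro 127.0.0.1 2>&1)" "$(cat /etc/resolv.conf)"
else
    echo "Dry run on constructed sample output (pass --live to check this machine):"
    run_checks "$SAMPLE_NETSTAT" "$SAMPLE_HOST" "$SAMPLE_RESOLV"
fi
```

Run it as `sh check-resolver.sh --live` right after the restart; a FAIL on the third check usually means PEERDNS was left at “yes” or DHCP re-wrote resolv.conf, which is exactly the broken-name-resolution situation the sections above warn about.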


Considerations



I've written this small tutorial in the hope that more people will run their own resolvers, instead of using the public ones out there such as Google's, Cloudflare's or Quad9's.

Running your own resolver will not necessarily give you speedier results or more privacy; the opposite could be argued.

Really good privacy will only happen when the root DNS servers are able to return results via encrypted channels, and this will take a while to become reality. Once that happens though, combined with technologies such as DNSCurve and DNSSEC, we can hope to have more private lives.

So then, why the effort? Well, several reasons:

  1. Running your own resolver is still the best we can do for now and it will, in most cases, give you the speediest and most private results, as much as that is possible.
  2. DNS is one of the oldest Internet protocols and is decentralised par excellence; it would be a damn shame if this changed.
  3. And last, but not least, because using Google's or Cloudflare's public resolvers would give these corporations even more data on you and hence more power over you. They can already see big chunks of what you are browsing on the WWW, so why would you want them to also see ALL the name resolution happening in your network or on your computers, phones and other devices?
resolver.txt · Last modified: 2018/04/06 15:04 by riy