arainho · September 16, 2024 11:26
diff --git a/archlinux_unbound.sh b/archlinux_unbound.sh
 # Unbound is a validating, recursive, and caching DNS resolver.
 https://wiki.archlinux.org/index.php/Unbound

 # install unbound, expat
 sudo pacman -Syy --noconfirm unbound expat ldns bind-tools

 # setup etckeeper
 sudo pacman -Syy --noconfirm etckeeper
 git config --global user.email "me@armory"
 git config --global user.name "Me Myself and I"
 cd /etc/ && etckeeper init && etckeeper commit "first commit"

 # create resolv.conf
 sudo cp --backup=numbered -av /etc/resolvconf.conf /etc/resolvconf.conf.backup
 sudo sed -i 's/#name_servers=127.0.0.1/name_servers="::1 127.0.0.1"/g' /etc/resolvconf.conf
 sudo resolvconf -u

 # change gadget-deadbeef default dns to localhost
 sed -i 's/DNS=8.8.8.8/DNS=127.0.0.1/g' /etc/systemd/network/gadget-deadbeef.network

 # prevent programs from overwriting /etc/resolv.conf
 #sudo chattr +i /etc/resolv.conf

 # Roothints systemd timer
 sudo bash -c 'cat > /etc/systemd/system/roothints.service' << EOF
 [Unit]
 Description=Update root hints for unbound
 After=network.target

 [Service]
 ExecStart=/usr/bin/curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache
 EOF

 sudo bash -c 'cat > /etc/systemd/system/roothints.timer' << EOF
 [Unit]
 Description=Run root.hints monthly

 [Timer]
 OnCalendar=monthly
 Persistent=true
 
 [Install]
 WantedBy=timers.target
 EOF

 # use DNSSEC validation
 sed -i 's/# auto-trust-anchor-file: "/etc/trusted-key.key"/auto-trust-anchor-file: "/etc/trusted-key.key"/g' /etc/unbound/unbound.conf

 sudo bash -c 'cat >> /etc/resolvconf.conf' << EOF

 # If don't want to forward the root zone and let the local resolver
 # recursively query the root servers directly,
 # simply mark all interfaces private.
 # You may need to do this if you enable DNSSEC in the local resolver but the
 # upstream DNS servers say from your router or ISP don't support DNSSEC.
 private_interfaces="*"

 # Write out unbound configuration file
 unbound_conf=/etc/unbound/resolvconf.conf
 EOF
 sudo resolvconf -u

 # start services
 systemctl restart unbound.service
 systemctl restart roothints.timer
 systemctl restart roothints.service

 # check
 #resolvectl status
 #drill @8.8.8.8 TXT google.pt
 #dig sigfail.verteiltesysteme.net @127.0.0.1 -p 53
 #dig sigok.verteiltesysteme.net @127.0.0.1 -p 53
	# Unbound is a validating, recursive, and caching DNS resolver.
	https://wiki.archlinux.org/index.php/Unbound

	# install unbound, expat
	sudo pacman -Syy --noconfirm unbound expat ldns bind-tools

	# setup etckeeper
	sudo pacman -Syy --noconfirm etckeeper
	git config --global user.email "me@armory"
	git config --global user.name "Me Myself and I"
	cd /etc/ && etckeeper init && etckeeper commit "first commit"

	# create resolv.conf
	sudo cp --backup=numbered -av /etc/resolvconf.conf /etc/resolvconf.conf.backup
	sudo sed -i 's/#name_servers=127.0.0.1/name_servers="::1 127.0.0.1"/g' /etc/resolvconf.conf
	sudo resolvconf -u

	# change gadget-deadbeef default dns to localhost
	sed -i 's/DNS=8.8.8.8/DNS=127.0.0.1/g' /etc/systemd/network/gadget-deadbeef.network

	# prevent programs from overwriting /etc/resolv.conf
	#sudo chattr +i /etc/resolv.conf

	# Roothints systemd timer
	sudo bash -c 'cat > /etc/systemd/system/roothints.service' << EOF
	[Unit]
	Description=Update root hints for unbound
	After=network.target

	[Service]
	ExecStart=/usr/bin/curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache
	EOF

	sudo bash -c 'cat > /etc/systemd/system/roothints.timer' << EOF
	[Unit]
	Description=Run root.hints monthly

	[Timer]
	OnCalendar=monthly
	Persistent=true

	[Install]
	WantedBy=timers.target
	EOF

	# use DNSSEC validation
	sed -i 's/# auto-trust-anchor-file: "/etc/trusted-key.key"/auto-trust-anchor-file: "/etc/trusted-key.key"/g' /etc/unbound/unbound.conf

	sudo bash -c 'cat >> /etc/resolvconf.conf' << EOF

	# If don't want to forward the root zone and let the local resolver
	# recursively query the root servers directly,
	# simply mark all interfaces private.
	# You may need to do this if you enable DNSSEC in the local resolver but the
	# upstream DNS servers say from your router or ISP don't support DNSSEC.
	private_interfaces="*"

	# Write out unbound configuration file
	unbound_conf=/etc/unbound/resolvconf.conf
	EOF
	sudo resolvconf -u

	# start services
	systemctl restart unbound.service
	systemctl restart roothints.timer
	systemctl restart roothints.service

	# check
	#resolvectl status
	#drill @8.8.8.8 TXT google.pt
	#dig sigfail.verteiltesysteme.net @127.0.0.1 -p 53
	#dig sigok.verteiltesysteme.net @127.0.0.1 -p 53