
Install Unbound DNS Resolver for Windows

Download the latest version of the Unbound (currently 1.4.17) Windows 32-bit installer from here:
http://unbound.net/download.html
Unbound works pretty much out of the box.
If you just want the default configuration, skip steps 2, 3 and 4 below.
During the install you have the option to install DNSSEC (DNS Security).
Few servers are using this at present, so there's no great benefit, but it is something which will become more popular.
1. Install to the default folder -- c:\Program Files\Unbound
2. Rename the file service.conf to service.conf.orig
3. Copy the text for service.conf found below, paste it into Notepad and save as c:\Program Files\Unbound\service.conf
4. Copy the text for root.hints found below, paste it into Notepad and save as c:\Program Files\Unbound\root.hints
5. Change the DNS setting in the PC's Network Connection to Preferred DNS Server -- 127.0.0.1
6. Go to "services" and find the service "Unbound DNS Validator". Right click on this service and select Stop.
7. Right click on the service and select Start. The service is restarted to make Unbound use the new "service.conf" file.
8. If the service does not start within a few seconds then the PC's firewall is blocking unbound.exe and / or unbound-anchor.exe outbound.
9. If running a software firewall on the PC, ensure unbound.exe, unbound-anchor.exe and anchor-update.exe have outbound permission.
10. That's it, fire up the browser and check the internet.

Text for the file service.conf


#
# File: service.conf
server:
directory: "c:\Program Files\Unbound"
root-hints: "c:\Program Files\Unbound\root.hints"
## Following line is only required for DNSSEC
auto-trust-anchor-file: "c:\Program Files\Unbound\root.key"

interface: 127.0.0.1
access-control: 127.0.0.0/8 allow_snoop
access-control: 192.168.0.0/16 allow_snoop
verbosity: 0
hide-identity: yes
hide-version: yes
prefetch: yes
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: no
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 127.0.0.1/8

If your network is not in the IP range 192.168.0.1 to 192.168.255.255, then change "access-control: 192.168.0.0/16 allow_snoop" to suit.
If you have not installed the DNSSEC option, then delete the line [auto-trust-anchor-file: "c:\Program Files\Unbound\root.key"].

Text for the file root.hints


;
.                        518400   IN  NS  l.root-servers.net.
.                        518400   IN  NS  c.root-servers.net.
.                        518400   IN  NS  k.root-servers.net.
.                        518400   IN  NS  e.root-servers.net.
.                        518400   IN  NS  m.root-servers.net.
.                        518400   IN  NS  a.root-servers.net.
.                        518400   IN  NS  i.root-servers.net.
.                        518400   IN  NS  b.root-servers.net.
.                        518400   IN  NS  h.root-servers.net.
.                        518400   IN  NS  j.root-servers.net.
.                        518400   IN  NS  g.root-servers.net.
.                        518400   IN  NS  f.root-servers.net.
.                        518400   IN  NS  d.root-servers.net.
a.root-servers.net.      3600000  IN  A   198.41.0.4
b.root-servers.net.      3600000  IN  A   192.228.79.201
c.root-servers.net.      3600000  IN  A   192.33.4.12
d.root-servers.net.      3600000  IN  A   199.7.91.13
e.root-servers.net.      3600000  IN  A   192.203.230.10
f.root-servers.net.      3600000  IN  A   192.5.5.241
g.root-servers.net.      3600000  IN  A   192.112.36.4
h.root-servers.net.      3600000  IN  A   128.63.2.53
i.root-servers.net.      3600000  IN  A   192.36.148.17
j.root-servers.net.      3600000  IN  A   192.58.128.30
k.root-servers.net.      3600000  IN  A   193.0.14.129
l.root-servers.net.      3600000  IN  A   199.7.83.42
m.root-servers.net.      3600000  IN  A   202.12.27.33


Block Adverts or Bad Websites with Unbound


This is really easy to do with Unbound. It just requires two commands for each host or domain name you wish to block.
e.g. to block "badsite.com":
local-zone: "badsite.com" redirect
local-data: "badsite.com A 127.0.0.1"
These commands can be placed in the "service.conf" file. This is fine if it's only a handful of hosts to block, but it can become difficult to manage if it's a long list of blocked hosts.
The trick here is to create the block list in a file we'll call "filter.conf". We then use the command [include: "c:\Program Files\Unbound\filter.conf"] to include it in service.conf.
The new service.conf file:
#
# File: service.conf
server:
directory: "c:\Program Files\Unbound"
root-hints: "root.hints"
interface: 127.0.0.1
access-control: 192.168.0.0/16 allow
access-control: 127.0.0.0/8 allow
verbosity: 0
prefetch: yes
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 127.0.0.1/8
include: "c:\Program Files\Unbound\filter.conf"
First part of a typical "filter.conf" file:
# Ad server list for use with hosts files to block ads
#
# For more information about this list, see: http://pgl.yoyo.org/adservers/
# ---
# last updated: Sun, 04 Mar 2012 10:37:18 GMT
# entries: 2774
# format: hosts (hosts -- in hosts file format)
# credits: Peter Lowe - pgl@yoyo.org - http://pgl.yoyo.org/
# this URL: http://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts;showintro=0
# other formats: http://pgl.yoyo.org/adservers/formats.php
#
local-zone: "101com.com" redirect
local-data: "101com.com A 127.0.0.1"
local-zone: "101order.com" redirect
local-data: "101order.com A 127.0.0.1"
local-zone: "103bees.com" redirect
local-data: "103bees.com A 127.0.0.1"
local-zone: "1100i.com" redirect
local-data: "1100i.com A 127.0.0.1"
local-zone: "123banners.com" redirect
local-data: "123banners.com A 127.0.0.1"
local-zone: "123found.com" redirect
local-data: "123found.com A 127.0.0.1"

That's it, it's easy to block hosts using Unbound, but first we need a list of bad sites!
Fortunately there are plenty of such lists, but they are in the "hosts" file format and need to be converted to Unbound format.
A hosts file list to block adverts:
http://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts;showintro=0
A huge hosts file list of all sorts of bad sites:
http://someonewhocares.org/hosts/
Some useful reading about hosts files:
http://winhelp2002.mvps.org/hosts.htm
Utility to convert a standard hosts file list to the correct format for Unbound: makefilter.zip
As always, use at your own risk.
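
A converter for the hosts-to-Unbound step described above, as an added example in Python; it is not the contents of makefilter.bat, which this page does not show. The function names and the sample input are constructed for illustration. Host names are validated strictly so that a downloaded list cannot put anything except block entries into filter.conf.

```python
import ipaddress
import re

# One DNS label: letters, digits, "_" or "-", never starting or ending with "-".
LABEL = r"(?!-)[a-z0-9_-]{1,63}(?<!-)"
HOSTNAME = re.compile(rf"{LABEL}(?:\.{LABEL})+")   # at least two labels

# Constructed sample of a downloaded hosts blocking file.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 badsite.com
0.0.0.0   Ads.Example.NET   # inline comment
127.0.0.1 badsite.com
127.0.0.1 evil"quote.example
not-an-address tracker.example.org
"""

def parse_hosts(text):
    """Return the sorted, de-duplicated host names found in hosts-format text."""
    names = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])        # first field must be an IP address
        except ValueError:
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            # Single-label names such as "localhost" and anything with quotes or
            # other stray characters fail the match and are dropped.
            if len(name) <= 253 and HOSTNAME.fullmatch(name):
                names.add(name)
    return sorted(names)

def to_unbound(names, sink="127.0.0.1"):
    """Emit the local-zone / local-data pair shown on this page for each name."""
    out = []
    for name in names:
        out.append(f'local-zone: "{name}" redirect')
        out.append(f'local-data: "{name} A {sink}"')
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(to_unbound(parse_hosts(SAMPLE_HOSTS)), end="")
```

A "redirect" zone answers for the name and for everything beneath it, so a hosts entry for a single host blocks that whole subtree once converted.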
ReadMe
Makefilter.zip
--------------
A utility to convert a standard hosts blocking file to Unbound DNS format.

Contents:
---------
1) makefilter.bat -- A batch file script.
2) sed.exe -- Stream editor.
3) sort.exe -- Sort a text file to alphabetical order.
4) uniq.exe -- Remove duplicate consecutive lines in a text file.
5) Readme.txt -- This file.

These files should work in all versions of Windows.

Instructions:
-------------
1) Extract the above files from "makefilter.zip" to a folder of your choice.
2) Download a hosts blocking file.
Or copy a hosts blocking file from the web and paste it into notepad.exe.
3) Rename the downloaded file to "hosts.txt"
4) Copy the file to the same folder as this "makefilter" utility.
5) Double click on makefilter.bat
6) The script works very quickly; within a second or so the file "filter.conf" should appear in the folder.
7) The file filter.conf can be viewed in Notepad if wished.
8) Copy and paste "filter.conf" to the folder where Unbound resides.
9) Ensure [include: "c:\Program Files\Unbound\filter.conf"] has been added to service.conf.
10) For Unbound DNS to start using this block list we need to stop and restart the service "Unbound DNS Validator":
a) Go to "services" and find the service "Unbound DNS Validator". Right click on this service and select Stop.
b) Right click on the service and select Start.
c) If the service fails to start then there's an error in "filter.conf".
In this case remove the "include" command and try again.
If the service now starts, "filter.conf" needs to be investigated for errors.
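
For step 10c, one way to investigate filter.conf before restarting the service, as an added Python example (not part of makefilter.zip; `audit_filter` and the sample text are constructed). It accepts only the two directive forms shown on this page and flags anything else, which also catches a downloaded list that carries other directives or answers with an address other than 127.0.0.1.

```python
import re

# The only two directive shapes a block list needs (the forms shown on this page).
ZONE = re.compile(r'local-zone: "([a-z0-9._-]+)" redirect')
DATA = re.compile(r'local-data: "([a-z0-9._-]+) A (\S+)"')

# Constructed sample: a valid pair followed by three kinds of problem.
SAMPLE_FILTER = """\
# constructed sample
local-zone: "badsite.com" redirect
local-data: "badsite.com A 127.0.0.1"
local-zone: "badsite.com" redirect
local-data: "shop.example.net A 203.0.113.7"
2774
"""

def audit_filter(text, sink="127.0.0.1"):
    """Return (line_number, problem) findings for the text of a filter.conf."""
    findings, zones = [], set()
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                               # blank line or comment
        zone, data = ZONE.fullmatch(line), DATA.fullmatch(line)
        if zone:
            if zone.group(1) in zones:
                findings.append((number, "duplicate local-zone"))
            zones.add(zone.group(1))
        elif data:
            if data.group(1) not in zones:
                findings.append((number, "local-data without a local-zone"))
            if data.group(2) != sink:
                findings.append((number, "answer is not the sink address"))
        else:
            findings.append((number, "not a block-list entry"))
    return findings

if __name__ == "__main__":
    for number, problem in audit_filter(SAMPLE_FILTER):
        print(f"line {number}: {problem}")
```

Unbound also ships unbound-checkconf for checking the syntax of the whole configuration; this audit is narrower and only restricts what the included file may contain.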

npr.me.uk

Copyright NPR 2010 - 2015
