Sanitised OISD and Unbound
I recently learned that the OISD list exists and wanted to configure the recursive resolver (Unbound) in my home network to use it. This post relates to my Unbound deployment on OpenBSD, but I’m sure it can be easily adapted to other platforms.
The OISD folks helpfully provide a pre-generated Unbound configuration but, being paranoid, I’m not going to blindly start using that, and also I would like to whitelist some things. Awk seemed like a reasonable tool to postprocess the configuration.
The whitelist is a simple file with one domain per line. Domains in the OISD list that match lines in this file don’t make it into the final generated configuration. Easy.
With that script and whitelist created in a file unbound.never_block
in the current directory, I can run the script and save the output to a
file:
ftp -o - https://big.oisd.nl/unbound \
| ./extract-oisd.awk \
> /tmp/oisd.new.conf
After inspecting it for sanity, I can put it where chrooted Unbound will be
able to find it, and make sure it has correct permissions/ownership:
cp /tmp/oisd.new.conf /var/unbound/etc/oisd.conf
chown root:wheel /var/unbound/etc/oisd.conf
chmod 0755 /var/unbound/etc/oisd.conf
Tell Unbound to read it by adding a line to unbound.conf:
# head -3 unbound.conf
# $OpenBSD: unbound.conf,v 1.21 2020/10/28 11:35:58 sthen Exp $
include: /var/unbound/etc/oisd.conf
Finally, tell Unbound to reread its configuration (but let’s also see if adopting the OISD list increases memory usage notably):
# ps auxwww | awk 'NR == 1 || /un[b]ound/'
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
_unbound 70608 12.6 0.7 28888 30960 ?? Rc/1 11Jun26 33:42.51 /usr/sbin/unbound -c /var/unbound/etc/unbound.conf
# rcctl reload unbound
unbound(ok)
# ps auxwww | awk 'NR == 1 || /un[b]ound/'
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
_unbound 70608 0.0 3.3 135020 136772 ?? Sc 11Jun26 34:31.47 /usr/sbin/unbound -c /var/unbound/etc/unbound.conf
We can see here that Unbound’s resident set size (RSS) increased notably.
I’m OK with this but if you were running it on a machine with limited memory
like an early Raspberry Pi, this may be a major problem.
We can use unbound-control to see how many local zones it has configured:
# unbound-control list_local_zones | wc -l
477807
Let’s try looking for NS records for one of the listed domains:
# grep -m1 '^local-zone:' /var/unbound/etc/oisd.conf
local-zone: "0--foodwarez.da.ru." always_null
# dig +short 0--foodwarez.da.ru
0.0.0.0
We can verify that this is definitely being blocked by Unbound by removing it from the blocklist, reloading Unbound and trying again:
# dig +short 0--foodwarez.da.ru
155.212.167.46
Happy enough with that (and restored it to the blocklist).
I will test-drive this configuration for a while and if I’m happy with it, will look at what I can do to make automatically updating the list a safer operation. Not comfortable doing that just yet.