• Edit /etc/default/grub, make sure that ipv6.disable=1 is present, e.g.:

  GRUB_CMDLINE_LINUX="ipv6.disable=1"

• Run:

  sudo update-grub

• Reboot

• Next steps are for optimizing/securing current environment.

• Put content of /etc/security/limits.conf into your limits.conf

• Put content of etc/sysctl.conf into your sysctl.conf

• If you want HT disabled but you cannot disable it in BIOS, make sure that nosmt is present in /etc/default/grub, e.g.:

  GRUB_CMDLINE_LINUX="nosmt"

• Apply it:

  sudo update-grub

• Use tuned package for network latency optimizations:

  sudo apt install tuned
  sudo tuned-adm profile network-latency
  sudo reboot

• Review current configuration of UFW:

  sudo ufw status

• To delete some particular rule run:

  sudo ufw status numbered
  sudo ufw delete <number>

• Verify that UFW has these configuration:

  sudo ufw allow 443
  sudo ufw limit 22/tcp

• If you want port 53 accessible to all:

  sudo ufw allow 53/udp

• For a specific IP address only:

  sudo ufw allow from <ip> proto udp to any port 53

• Apply rules:

  sudo ufw reload

• Setup steps for Unbound and Dnsdist contain possibility to compile services locally. This means that you'll need compiler :) In next sections it is supposed using standard compiler for your distributives.
• You can consider to use AOCC compiler if your processor is AMD. Many sources declare that code compiled by AOCC is faster on AMD. All you need is to follow instructions for AOCC.

• If you need to create some direcotory on startup, for instance /var/run/some-dir

vim /etc/tmpfiles.d/some-service.conf

• Put this content:

d /var/run/some-dir 0755 user user-group

• We need to compile it locally because default Unbound from apt does not include cachedb module.
• Even if you will not use Redis as Level 2 cache for Unbound I would anyway suggest to compile Unbound locally to have the latest version.

wget https://github.com/NLnetLabs/unbound/archive/refs/tags/release-1.19.3.zip
unzip release-1.19.3.zip
cd release-1.19.3
sudo apt install bison flex libevent-dev libexpat1-dev libhiredis-dev libnghttp2-dev libprotobuf-c-dev libssl-dev libsystemd-dev protobuf-c-compiler python3-dev swig

• Compilation flags (I used next but you are free to specify any you want)

export CFLAGS="-Ofast -pipe -march=native"
export CXXFLAGS="-Ofast -pipe -march=native"
export CPPFLAGS="-Ofast -pipe -march=native"

• Configure

./configure --prefix=/usr --includedir=\${prefix}/include --infodir=\${prefix}/share/info --mandir=\${prefix}/share/man --localstatedir=/var --runstatedir=/run --sysconfdir=/etc --with-chroot-dir= --with-dnstap-socket-path=/run/dnstap.sock --with-libevent --with-libhiredis --with-libnghttp2 --with-pidfile=/run/unbound.pid --with-pythonmodule --with-pyunbound --with-rootkey-file=/var/lib/unbound/root.key --disable-dependency-tracking --disable-flto --disable-maintainer-mode --disable-option-checking --disable-rpath --disable-silent-rules --enable-cachedb --enable-dnstap --enable-subnet --enable-systemd --enable-tfo-client --enable-tfo-server

• Make and install

make
sudo make install

• Unbound usually is running under chroot.

• Next steps usually are needed if Unbound is running under chroot, otherwise it will fail to create *.sock and *.log files.

sudo vim /etc/apparmor.d/local/usr.sbin.unbound

• Put next to this file

/var/log/unbound/unbound.log rw,
/var/unbound/run/unbound.sock rw,

• Apply it

sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.unbound

sudo mkdir /var/log/unbound
sudo chown unbound:unbound /var/log/unbound

• Put file /etc/logrotate.d/unbound to /etc/logrotate.d/

• Replace default configuration of Unbound with files from /etc/unbound.

• Review config, make appropriate changes for number of threads etc, default is 2 threads.

• Enable ipv6 if needed.

• Setup unbound-control:

sudo unbound-control-setup

• Setup root.hints and root.key

sudo apt install dns-root-data
sudo ln -s /usr/share/dns/root.key /var/lib/unbound/root.key
sudo ln -s /usr/share/dns/root.hints /var/lib/unbound/root.hints

• For DNS filtering put update-conf.sh into corresponding path

sudo chmod +x /opt/unbound/update-conf.sh
sudo mkdir /etc/unbound/rules
sudo sh /opt/unbound/update-conf.sh

• You can check which filters are used in /etc/unbound/unbound.conf.d/server.conf and /opt/unbound/update-conf.sh

• Put unbound-update-config.service and unbound-update-config.timer in corresponding path.

sudo systemctl daemon-reload
sudo systemctl enable --now unbound-update-config.timer`

• Put /etc/systemd/system/unbound.service from repo.

• Install Redis

sudo apt install redis-server

• Put /etc/redis/redis.conf from repo

sudo systemctl enable --now redis-server

• Dnsdist is used as facade for Unbound: to give DoH/DoH3/DoT/DoQ

sudo apt install autoconf automake libedit-dev libsodium-dev libtool-bin \
pkg-config protobuf-compiler libnghttp2-dev libh2o-evloop-dev libluajit-5.1-dev \
libboost-all-dev libsystemd-dev libbpf-dev libclang-dev git cmake

sudo ln /usr/local/lib/libdnsdist-quiche.so /usr/lib/libdnsdist-quiche.so

export CFLAGS="-Ofast -pipe -march=native"
export CXXFLAGS="-Ofast -pipe -march=native"
export CPPFLAGS="-Ofast -pipe -march=native"

wget https://downloads.powerdns.com/releases/dnsdist-1.9.1.tar.bz2
tar xjf dnsdist-1.9.1.tar.bz2
cd dnsdist-1.9.1
./configure --enable-dns-over-tls --enable-dns-over-https --enable-dns-over-http3 --enable-dns-over-quic --with-systemd --with-quiche
make
sudo make install

sudo chown root:dnsdist /usr/local/etc/dnsdist.conf

sudo systemctl daemon-reload

• Generate key to access dnsdist's console:

sudo dnsdist
>makeKey()

• Copy key to dnsdist.conf as

setKey("<key from console>")

• Generate password for webServerConfig

>hashPassword("<your password>")

• Put it to config

• Start dnsdist

sudo systemtl enable --now dnsdist.service

🔸 Follow next HOWTO

unbound-dashboard or forked one unbound-dashboard-forked

unbound-exporter or forked one unbound-exporter-forked