If you want a speed and privacy increase while… well, being on the internet, setting up a local DNS server is an important first step.
For an introduction to DNS, check the top of the page of my DNS service.
I’ll cover how to set up Unbound on Linux in this tutorial. As mentioned here, you can install it on Windows too. If you are interested in privacy, consider switching to Linux (especially if you’re not planning on gaming, Linus…)
The DNS server we’ll be using, Unbound, caches DNS queries using Redis for fast resolutions.
Using third-party DNS resolvers (e.g. 22.214.171.124) poses a security and privacy risk.
When using Linux (especially Arch), the default is probably to use your Wi-Fi’s DNS. That’s a disaster.
The DNS server you use can log and track you each time you visit a website. By default, many minimal Linux distros don’t use a DNS cache at all, which worsens the problem.
I offer a DNS service, physically located in Scandinavia (i.e. speed will only beat 126.96.36.199’s if you’re physically near me, as they have servers all around the globe), with guarantees to never collect any data. If you don’t trust me or Cloudflare (provider of 188.8.131.52), I’ll show you how to set up your own Unbound server, just as I have it configured.
Install the packages unbound. These should be available in your package manager.
The aforementioned are the names
Next, let’s configure Redis. In /etc/redis/redis.conf, change the line hz 10 to hz 2 and add the line maxmemory 67108864 (2^26 B, 64 MiB) after the commented-out # maxmemory <bytes>.
In /etc/unbound/unbound.conf, change the following lines. I state the value (by default commented out in the config) and what the line should contain.
These are all in the
# This can sometimes help if you don't have IPv6 or if the connection is unreliable.
do-ip6: no
qname-minimisation: yes
module-config: "validator cachedb iterator"
serve-expired: yes
serve-expired-ttl: 0
Paste the following at the end of the config file.
cachedb:
    backend: "redis"
    redis-server-host: 127.0.0.1
    redis-server-port: 6379
The configuration is nearly done. Skip to Running to start the server. Then run drill icelk.dev. @127.0.0.1 to test Unbound.
If that succeeds, we need to tell all the programs using DNS (e.g. ntp) to use our local DNS.
If you are using a graphical network manager (this is applicable for Windows too), change the DNS server there to 127.0.0.1 for IPv4 and ::1 for IPv6.
Without GUI (Linux)
First, we need to disable overriding of
If you’re using dhcpcd, add this line at the bottom of
That stops using the LAN’s set DNS. See the link above on how to disable this using other network managers.
/etc/resolv.conf with the following.
nameserver ::1
nameserver 127.0.0.1
options trust-ad
Windows users can start, enable on startup, and restart the service
To run now and on startup, run this as root.
# systemctl enable --now redis unbound
Check for any errors:
$ journalctl -eu unbound
$ journalctl -eu redis
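Before trusting the setup, it is worth confirming that the files really carry the settings above (a line left commented out with # does nothing). The script below is an added example, not part of the original post: it checks a resolv.conf and an unbound.conf, and builds constructed sample files to exercise the checks. It assumes POSIX sh with grep, awk and sed; the file paths are parameters.

```shell
# Added example, not from the original post. Assumes POSIX sh, grep, awk, sed.
# Paths are parameters, so the checks can be pointed at the real /etc files or
# at the constructed samples built below.

# check_resolv_conf FILE: succeed only if at least one nameserver is listed,
# every nameserver is loopback (127.0.0.1 or ::1) and `options trust-ad` is set.
check_resolv_conf() {
    f="$1"
    awk '$1=="nameserver" {n++; if ($2!="127.0.0.1" && $2!="::1") bad=1}
         END {exit (bad || n==0)}' "$f" \
        || { echo "$f: nameservers must be 127.0.0.1 / ::1 only" >&2; return 1; }
    grep -Eq '^options([[:space:]]+[^[:space:]]+)*[[:space:]]+trust-ad([[:space:]]|$)' "$f" \
        || { echo "$f: missing 'options trust-ad'" >&2; return 1; }
}

# check_unbound_conf FILE: succeed only if the tutorial's settings are active
# (a line still commented out with '#' does not match the patterns).
check_unbound_conf() {
    f="$1"
    for pat in \
        '^[[:space:]]*qname-minimisation:[[:space:]]*yes' \
        '^[[:space:]]*module-config:[[:space:]]*"[^"]*cachedb[^"]*"' \
        '^[[:space:]]*serve-expired:[[:space:]]*yes' \
        '^[[:space:]]*backend:[[:space:]]*"redis"' \
        '^[[:space:]]*redis-server-host:[[:space:]]*127\.0\.0\.1'; do
        grep -Eq "$pat" "$f" \
            || { echo "$f: no active line matching $pat" >&2; return 1; }
    done
}

# Constructed sample files (not real system files) to exercise the checks.
SAMPLES=$(mktemp -d)
printf 'nameserver ::1\nnameserver 127.0.0.1\noptions trust-ad\n' > "$SAMPLES/resolv.good"
# A LAN resolver left in place: the leak the tutorial is trying to avoid.
printf 'nameserver ::1\nnameserver 192.168.1.1\noptions trust-ad\n' > "$SAMPLES/resolv.bad"
cat > "$SAMPLES/unbound.good" <<'EOF'
server:
    do-ip6: no
    qname-minimisation: yes
    module-config: "validator cachedb iterator"
    serve-expired: yes
    serve-expired-ttl: 0
cachedb:
    backend: "redis"
    redis-server-host: 127.0.0.1
    redis-server-port: 6379
EOF
# Same file, but with module-config and backend still commented out as shipped.
sed 's/^\( *module-config\)/#\1/; s/^\( *backend\)/#\1/' "$SAMPLES/unbound.good" > "$SAMPLES/unbound.bad"
```

On a live system, run `check_resolv_conf /etc/resolv.conf` and `check_unbound_conf /etc/unbound/unbound.conf` as root; a non-zero exit prints which requirement is unmet.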
EDIT: I’ve made a script which automatically connects to the captive portal (in some cases, see the network usage in your browser’s dev tools to modify the POST data of the script).
For me, the captive portal detection in Firefox works great.
If you’re using Chromium or derivatives, I’ve heard great things about captive browser.