Unbound and Dnscrypt-proxy on OSX via homebrew

Follow up from the previous post.
Quick and dirty howto adapted from instructions found at dnscrypt.org

The first step is to install unbound:

brew install unbound

Next, download the dnssec anchor to /usr/local/etc/unbound/

sudo unbound-anchor -a /usr/local/etc/unbound/root.key

Add the following things in /usr/local/etc/unbound/unbound.conf at the end of the server section. Note that unbound will be running under the nobody account and I’m assuming that dnscrypt-proxy is already running on port 40! For this, you must change the plist of dnscrypt-proxy. See the previous previous post for that.

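# must match the file written by unbound-anchor -a above
auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
# netblock was missing here; localhost-only 127.0.0.0/8 is assumed
access-control: 127.0.0.0/8 allow
chroot: ""
username: "nobody"
do-not-query-localhost: no
# forward-zone header and forward-addr reconstructed from the text (dnscrypt-proxy on port 40, assumed on 127.0.0.1)
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@40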

Copy the plist config for launchd to /Library/LaunchDaemons:

sudo cp -fv /usr/local/opt/unbound/homebrew.mxcl.unbound.plist /Library/LaunchDaemons

Start unbound:

sudo launchctl load /Library/LaunchDaemons/homebrew.mxcl.unbound.plist

Test it with:

dig +dnssec . @localhost

You should see something like:

; <<>> DiG 9.8.3-P1 <<>> +dnssec .
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44948
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1 

If the ad (Authenticated Data) flag is present in the flags line, the response is DNSSEC-validated.
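A stricter form of this check, as an added example that is not part of the original post: the function reads dig output on stdin and reports a verdict from the header status and the flags field only, so a stray "ad" elsewhere in the output (for instance in ADDITIONAL) cannot produce a false positive. The names dnssec_verdict and sample, and the sample headers, are constructed for illustration.

```shell
#!/bin/sh
# dnssec_verdict: read `dig +dnssec` output on stdin and print one of
#   validated        status NOERROR and "ad" present in the header flags
#   unvalidated      status NOERROR but no "ad" flag
#   failed:<STATUS>  any other status (a validating resolver answers
#                    SERVFAIL when validation fails)
#   noheader         no dig header line was found in the input
dnssec_verdict() {
    awk '
        /^;; ->>HEADER<<-/ {
            status = $0
            sub(/.*status: /, "", status)   # drop everything before the status
            sub(/,.*/, "", status)          # drop ", id: ..." after it
        }
        /^;; flags:/ {
            flags = $0
            sub(/^;; flags: */, "", flags)  # keep only the flag words
            sub(/;.*/, "", flags)           # drop the "; QUERY: 1, ..." counters
            n = split(flags, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
        }
        END {
            if (status == "")             print "noheader"
            else if (status != "NOERROR") print "failed:" status
            else if (ad)                  print "validated"
            else                          print "unvalidated"
        }
    '
}

# Constructed sample header, modelled on the dig output shown above.
# $1 = status, $2 = flag words
sample() {
    printf ';; ->>HEADER<<- opcode: QUERY, status: %s, id: 44948\n' "$1"
    printf ';; flags: %s; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1\n' "$2"
}

sample NOERROR  "qr rd ra ad" | dnssec_verdict
sample NOERROR  "qr rd ra"    | dnssec_verdict
sample SERVFAIL "qr rd ra"    | dnssec_verdict

# Live use against the local unbound instance:
#   dig +dnssec . @localhost | dnssec_verdict
```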

One Comment

  1. When I try to use unbound-anchor I get a command not found error. It seems like Homebrew doesn’t install this utility (any longer?). If I continue – but remove the anchor-file line from the configuration file – I still see the ad flag when testing with dig, though. Should this work?
