encrypt dns with unbound
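#!/bin/sh
# start unbound service and bind DNS to localhost
#
# Safety order: the system resolvers are only repointed at 127.0.0.1 after
# Unbound has been loaded AND is observed answering on 127.0.0.1:53. A failed
# or slow start therefore cannot leave the machine with no working DNS.
# Requires root (port load and networksetup -setdnsservers both need it).
current_userid=$(id -u)
if [ "$current_userid" -ne 0 ]; then
  echo "$(basename "$0") requires superuser privileges to run" >&2
  exit 1
fi

# unbound from macports
echo "[*] Loading Unbound service..."
if ! /opt/local/bin/port load unbound; then
  echo "[!] 'port load unbound' failed; leaving DNS settings untouched" >&2
  exit 1
fi

# Bounded wait for Unbound to answer on 127.0.0.1:53 instead of a fixed sleep:
# 'port load' can succeed while the daemon is still coming up (or never does).
# dig exits non-zero only when no reply arrives, which is the condition we want.
attempt=0
until dig +short +time=1 +tries=1 @127.0.0.1 . NS >/dev/null 2>&1; do
  attempt=$((attempt + 1))
  if [ "$attempt" -ge 10 ]; then
    echo "[!] Unbound is not answering on 127.0.0.1:53; leaving DNS settings untouched" >&2
    exit 1
  fi
  sleep 1
done

# identify active services mapping to hardware devices
# NOTE(review): the "Hardware Port" name is used as the network service name.
# They coincide by default, but a renamed service would not be matched by
# networksetup -setdnsservers -- confirm against networksetup -listallnetworkservices.
networksetup -listnetworkserviceorder | grep "Hardware Port" | while read -r LINE; do
  SERVICE=$(echo "$LINE" | sed -E 's/.*Hardware Port: ([^,]+), Device: ([^)]+).*/\1/')
  DEVICE=$(echo "$LINE" | sed -E 's/.*Hardware Port: ([^,]+), Device: ([^)]+).*/\2/')
  # only target active connections with an IP; a line the sed pattern did not
  # match yields a bogus DEVICE, which ifconfig rejects, so it is skipped here
  if_state=$(ifconfig "$DEVICE" 2>/dev/null) || continue
  if printf '%s\n' "$if_state" | grep -q "status: active" \
    && printf '%s\n' "$if_state" | grep -q "inet "; then
    echo " [+] Setting $SERVICE ($DEVICE) to 127.0.0.1"
    networksetup -setdnsservers "$SERVICE" 127.0.0.1 \
      || echo " [!] failed to set DNS servers for $SERVICE" >&2
  fi
done

# flush dns cache
echo "[*] Flushing DNS Cache..."
dscacheutil -flushcache
killall -HUP mDNSResponder
echo "[SUCCESS] Unbound is active and network is configured."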
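#!/bin/sh
# stop unbound service and revert to DHCP DNS config
#
# The DNS revert runs even when the service unload fails, so the resolvers
# never stay pinned to a local daemon that is being torn down; the unload
# failure is reported and the script exits non-zero at the end instead of
# printing a misleading success line.
# Requires root (port unload and networksetup -setdnsservers both need it).
current_userid=$(id -u)
if [ "$current_userid" -ne 0 ]; then
  echo "$(basename "$0") requires superuser privileges to run" >&2
  exit 1
fi

# unload unbound service via MacPorts
echo "[*] Unloading Unbound service..."
rc=0
if ! /opt/local/bin/port unload unbound; then
  echo "[!] 'port unload unbound' failed; DNS settings will still be reverted" >&2
  rc=1
fi

# revert active interfaces to DHCP DNS
# NOTE(review): the "Hardware Port" name is used as the network service name.
# They coincide by default, but a renamed service would not be matched by
# networksetup -setdnsservers -- confirm against networksetup -listallnetworkservices.
networksetup -listnetworkserviceorder | grep "Hardware Port" | while read -r LINE; do
  SERVICE=$(echo "$LINE" | sed -E 's/.*Hardware Port: ([^,]+), Device: ([^)]+).*/\1/')
  DEVICE=$(echo "$LINE" | sed -E 's/.*Hardware Port: ([^,]+), Device: ([^)]+).*/\2/')
  # only touch active connections with an IP; a line the sed pattern did not
  # match yields a bogus DEVICE, which ifconfig rejects, so it is skipped here
  if_state=$(ifconfig "$DEVICE" 2>/dev/null) || continue
  if printf '%s\n' "$if_state" | grep -q "status: active" \
    && printf '%s\n' "$if_state" | grep -q "inet "; then
    echo " [-] Resetting $SERVICE ($DEVICE) to DHCP"
    # "Empty" is networksetup's keyword for "use the DHCP-supplied servers"
    networksetup -setdnsservers "$SERVICE" Empty \
      || echo " [!] failed to reset DNS servers for $SERVICE" >&2
  fi
done

# flush dns cache
echo "[*] Flushing DNS Cache..."
dscacheutil -flushcache
killall -HUP mDNSResponder

if [ "$rc" -ne 0 ]; then
  echo "[WARN] Network is back to default, but Unbound may still be running." >&2
  exit "$rc"
fi
echo "[SUCCESS] Unbound is stopped and network is back to default."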
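#/opt/local/etc/unbound/unbound.conf
server:
    # resolve private IP addresses within aws services
    # (private-domain only has an effect for ranges listed under
    #  private-address; none are configured here -- TODO confirm whether
    #  this build ships any by default)
    private-domain: amazonaws.com
    # allow Okta to resolve wacky 127.0.0.1 results
    private-domain: authenticatorlocalprod.com
    # skip DNSSEC validation for this one zone only; answers for every other
    # zone are still validated against the trust anchor below (assuming the
    # default module-config, which includes the validator)
    domain-insecure: authenticatorlocalprod.com
    # enables DNSSEC validation; unbound rewrites this file as the root key
    # rolls over, so it must be writable by the user the service runs as
    auto-trust-anchor-file: "/opt/local/etc/unbound/root.key"
    # verify the upstream DoT certificates. Without a CA store the TLS session
    # is encrypted but the peer is NOT authenticated, so an on-path resolver
    # could impersonate the forwarder. If this build cannot use the system
    # store, point tls-cert-bundle at a CA bundle file instead.
    tls-system-cert-bundle: yes

forward-zone:
    # forward dns queries to Cloudflare over TLS
    name: "."
    forward-tls-upstream: yes
    # never fall back to plaintext DNS if the TLS forwarders are unreachable
    forward-first: no
    # "#cloudflare-dns.com" is the name the presented certificate must match;
    # together with the CA store above this authenticates the upstream
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com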