
Configuring a Split DNS Zone for App Connectors

You can implement a split DNS configuration on your App Connectors by using Unbound, a Linux-based DNS service. Unbound is a validating, recursive, and caching DNS server, which makes it suitable for building a cache-only or forwarding resolver. It is not an authoritative DNS server, so you cannot use it to host zone records of your own; in a split DNS setup it only decides which upstream nameserver receives the queries for each domain. To learn more, see the Unbound documentation.

Prerequisites

Ensure you have privileged (root or sudo) access to a Red Hat 7 Linux server with the standard Red Hat repositories enabled.

If you see a "You are not registered with RHN" warning message, ensure the server is registered with a valid Red Hat subscription so that yum can install packages from those repositories.

Configuring a Split Zone

  • To begin, install the Unbound DNS server together with the DNS tools (dig and the other utilities in bind-utils) that you need to test your configuration.

    To install Unbound:

    1. Install both packages by entering the following command: yum install unbound bind-utils
    2. Verify that the Unbound configuration directory is present by entering the following command: cd /etc/unbound
      Make sure unbound.conf appears in this directory. This file is essential to the setup.
  • Next, configure the server by editing Unbound's configuration file with a text editor. All of the settings in this step belong in the server: section of the file.

    To do this:

    1. Open the configuration file /etc/unbound/unbound.conf with your preferred text editor.
    2. Instruct the server to listen on all local network interfaces by locating and uncommenting the line: # interface: 0.0.0.0
    3. Enable the listening port by locating and uncommenting the line: # port: 53
    4. Enable IPv4, UDP, and TCP queries to be answered and issued by locating and uncommenting the following:
      • do-ip4: yes
      • do-udp: yes
      • do-tcp: yes
        Ensure the value is set to yes and not no.
    5. Write Unbound's log messages to a file by adding the following: logfile: /var/log/unbound
      This sets only the log destination. To record each query as well, also add log-queries: yes. Unbound ignores logfile while use-syslog is set to yes (its default), so set use-syslog: no if you want the messages in this file rather than in the system log.
    6. Hide the id.server and hostname.bind queries by locating and uncommenting: # hide-identity: yes
      Ensure the value is set to yes and not no.
    7. Hide the version.server and version.bind queries by locating and uncommenting: # hide-version: yes
      Ensure the value is set to yes and not no.
    8. Allow only selected clients to query this Unbound server. Locate and uncomment the access-control directive and set it to the following: access-control: <IP netblock> allow
      The netblock is written in CIDR notation and can be IPv4 or IPv6, for example 10.10.20.0/24 or 2001:db8::/32; repeat the directive for each client network. By default Unbound answers only localhost and refuses everyone else. Entering 0.0.0.0/0 allows anyone to query the server; because step 2 makes Unbound listen on every interface, doing that on a host reachable from untrusted networks creates an open resolver, so list only the App Connector subnets that need resolution.
      You can replace allow with allow_snoop to permit non-recursive queries in addition to recursive ones. Non-recursive queries let a client read what is in the cache (cache snooping), so grant allow_snoop only to hosts you trust.
    9. Once you have made your changes, save the file and exit the text editor.
  • Generate the keys and certificates that unbound-control, Unbound's management tool, uses to authenticate to the server. Despite the RSA output below, this step does not set up DNSSEC: DNSSEC validation is a separate server: setting, and it is on in the stock Red Hat configuration, which is why the optional step that follows exists.

    To do this:

    • Enter the following command: unbound-control-setup
      Upon a successful configuration, you will see the following message:
      setup in directory /etc/unbound
      generating unbound_server.key
      Generating RSA private key, 1536 bit long modulus
      .................++++
      .........++++
      e is 65537 (0x10001)
      generating unbound_control.key
      Generating RSA private key, 1536 bit long modulus
      .........++++
      ..................................++++
      e is 65537 (0x10001)
      create unbound_server.pem (self signed certificate)
      create unbound_control.pem (signed client certificate)
      Signature ok
      subject=/CN=unbound-control
      Getting CA Private Key
      Setup success. Certificates created. Enable in unbound.conf file to use
      The final line refers to the remote-control section of unbound.conf; the certificates are only used once you set control-enable: yes there, which is not required for split DNS itself.

    (Optional) Disable DNSSEC validation

    If your upstream servers do not support DNSSEC, or they forward through a resolver that strips DNSSEC records, validation fails and Unbound answers SERVFAIL, so your dig requests get no usable response. In that case put Unbound in permissive mode.

    To do this:

    • Edit the Unbound configuration file /etc/unbound/unbound.conf and uncomment: val-permissive-mode: yes
      Or,
    • Run the following sed command: sed -i '/val-permissive-mode: yes$/s/#//' /etc/unbound/unbound.conf
    With val-permissive-mode: yes, Unbound still validates but returns answers that fail validation (logging the failure) instead of SERVFAIL. That removes the protection DNSSEC provides against forged responses, so treat it as a workaround for upstreams you control rather than as a default.
  • After completing your initial installation, perform a check to ensure Unbound's configuration doesn't contain syntax or other errors. Repeat this check after every later edit, because Unbound refuses to start on a broken file. To do this:

    • Enter the following command: unbound-checkconf

      If there are no errors, you will see the following message:
      unbound-checkconf: no errors in /etc/unbound/unbound.conf
  • Next, you need to configure DNS forwarders. These control how your DNS zones are split: each forward-zone names a domain and the nameserver that receives queries for it.

    To do this:

    1. Create a file with a .conf extension in the /etc/unbound/conf.d/ directory (for example, /etc/unbound/conf.d/forward.conf) with your preferred text editor. The stock unbound.conf includes every *.conf file from that directory, so the forwarders are picked up without editing the main file.
    2. Add forward zones. For each forward zone enter the following:
      • forward-zone: The section header; it takes no value.
      • name: Add a domain name. All queries for that domain and its subdomains go to the server you list in the following fields. Unbound uses the longest zone name that matches the query, so add "." as the name of a final zone to forward all remaining queries.
      • forward-addr: Add the IP address of your server (append @<port> if it does not listen on port 53). Use this field or forward-host, or both, and repeat the line to list more than one server.
      • forward-host: Add the hostname of your server. Unbound resolves the name itself, so it must be resolvable through the other zones. The servers you list in either field need to be capable of recursion to other nameservers.
    3. Save and exit the configuration file.

    Example Forward Zone Configuration

    In the following sample configuration:

    • All queries for internal.zscaler.com go to the nameserver at 4.2.2.2
    • All queries for prod.zpath.net go to the nameserver at fwd.example.com
    • All other queries go to the nameserver at 8.8.4.4
    forward-zone:
        name: "internal.zscaler.com"
        forward-addr: 4.2.2.2
    forward-zone:
        name: "prod.zpath.net"
        forward-host: fwd.example.com
    forward-zone:
        name: "."
        forward-addr: 8.8.4.4
  • You need to start Unbound and set it to begin at startup.

    To do this:

    1. Enable and start Unbound by entering the following commands:
      sudo systemctl enable unbound
      sudo systemctl start unbound
    2. Make sure that the Unbound DNS server is running by checking its status. Enter the following command: systemctl status unbound
    3. Configure DNS resolution on an App Connector by editing /etc/resolv.conf and making sure the nameserver line has a value of 127.0.0.1. If NetworkManager manages the interface, it rewrites this file on restart; set dns=none in the [main] section of /etc/NetworkManager/NetworkManager.conf (or PEERDNS=no in the interface's ifcfg file) to keep your change.
    4. Open the DNS firewall port. This allows your local LAN clients to connect to the Unbound server. To do this, enter the following commands:
      firewall-cmd --permanent --add-service dns
      firewall-cmd --reload
      Opening the port exposes the service to every network the host sits on; the access-control directives you set earlier are what limit who gets answers, so keep them restrictive.
  • After completing the configuration, verify that each zone reaches the intended server. Run tcpdump on the App Connector's network interface, for example tcpdump -ni <interface> port 53, and in a second session query a name from each forward zone through Unbound with dig @127.0.0.1 <name>. The capture should show each query leaving for the forwarder configured for that zone; a query for an internal name that goes to the catch-all resolver instead means the zone was not matched or the file was not included.
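The whole procedure above, assembled as one runnable script. This is an added example, not the page's or Zscaler's own code: it writes the server: clause and the forward zones into a scratch directory (CONF_DIR; use /etc/unbound on a real host), runs unbound-checkconf when that tool is installed, works out which forwarder Unbound would choose for a query name (the longest-suffix rule behind the "." catch-all), and checks a constructed tcpdump sample against that choice. The App Connector subnet 10.10.20.0/24, the interface name eth0, the capture lines and all function names are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the Zscaler page). Builds the split-DNS config
# described above into CONF_DIR, validates it, predicts the forwarder for
# a name, and audits a DNS capture. Assumed: subnet 10.10.20.0/24 and the
# page's three forward zones.
set -u

CONF_DIR="${CONF_DIR:-$(mktemp -d)}"   # use /etc/unbound on a real host
CONNECTOR_NET="10.10.20.0/24"           # assumed: the only clients allowed

# server: clause with the page's settings. The access-control lines are the
# security-relevant part: "0.0.0.0/0 allow" plus "interface: 0.0.0.0" would
# turn the App Connector into an open resolver.
write_server_conf() {
  mkdir -p "$CONF_DIR/conf.d"
  cat > "$CONF_DIR/unbound.conf" <<EOF
server:
    interface: 0.0.0.0
    port: 53
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    logfile: /var/log/unbound
    hide-identity: yes
    hide-version: yes
    access-control: 127.0.0.0/8 allow
    access-control: $CONNECTOR_NET allow
    access-control: 0.0.0.0/0 refuse
include: $CONF_DIR/conf.d/*.conf
EOF
}

# Forward zones from the page's example; "." is the catch-all.
write_forward_conf() {
  cat > "$CONF_DIR/conf.d/forward.conf" <<'EOF'
forward-zone:
    name: "internal.zscaler.com"
    forward-addr: 4.2.2.2
forward-zone:
    name: "prod.zpath.net"
    forward-host: fwd.example.com
forward-zone:
    name: "."
    forward-addr: 8.8.4.4
EOF
}

# Syntax check; prints "skipped" where unbound-checkconf is not installed.
check_conf() {
  command -v unbound-checkconf >/dev/null 2>&1 || { echo skipped; return 0; }
  unbound-checkconf "$CONF_DIR/unbound.conf" >/dev/null 2>&1 && echo ok || echo bad
}

# Forwarder Unbound would use for a query name: longest zone name that is a
# suffix of the name wins, with "." stored as the empty suffix.
forwarder_for() {
  local name="${1%.}" zone="" best="" best_len=-1 key val len
  while read -r key val; do
    case "$key" in
      name:) zone=$(printf '%s' "$val" | tr -d '"'); zone="${zone%.}" ;;
      forward-addr:|forward-host:)
        if [ -z "$zone" ]; then
          len=0
        elif [ "$name" = "$zone" ] || [ "${name%.$zone}" != "$name" ]; then
          len=${#zone}
        else
          continue
        fi
        if [ "$len" -gt "$best_len" ]; then best="$val"; best_len=$len; fi ;;
    esac
  done < "$CONF_DIR/conf.d/forward.conf"
  echo "$best"
}

# Constructed sample of "tcpdump -ni eth0 port 53" output, not a real
# capture; the third query wrongly goes to the public resolver.
SAMPLE_CAPTURE='12:00:01.000001 IP 10.10.20.5.40101 > 4.2.2.2.53: 1001+ A? host.internal.zscaler.com. (43)
12:00:01.000002 IP 10.10.20.5.40102 > 8.8.4.4.53: 1002+ A? www.example.org. (33)
12:00:01.000003 IP 10.10.20.5.40103 > 8.8.4.4.53: 1003+ A? db.internal.zscaler.com. (41)'

# Compare each query's destination with the configured forwarder; mismatches
# go to stderr, their count to stdout. Only forward-addr zones can be checked
# this way (a forward-host shows up in the capture as its resolved IP).
audit_capture() {
  local bad=0 dst qname expect
  while read -r _ts _ip _src _gt dst _id _type qname _rest; do
    dst="${dst%.53:}"                     # "4.2.2.2.53:" -> "4.2.2.2"
    expect=$(forwarder_for "$qname")
    if [ "$dst" != "$expect" ]; then
      echo "WRONG $qname -> $dst (expected $expect)" >&2
      bad=$((bad + 1))
    fi
  done <<EOF
$1
EOF
  echo "$bad"
}

write_server_conf
write_forward_conf
echo "checkconf: $(check_conf)"
echo "host.internal.zscaler.com -> $(forwarder_for host.internal.zscaler.com)"
echo "mismatched queries in sample: $(audit_capture "$SAMPLE_CAPTURE")"
```

Run it as root with CONF_DIR=/etc/unbound to write the real files, then start Unbound as in the steps above; the audit function can be fed a real capture with audit_capture "$(tcpdump -nlr dns.pcap port 53)" after recording one with tcpdump -w. The access-control block uses an explicit refuse for 0.0.0.0/0 so the policy is visible in the file rather than relying on Unbound's implicit default.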