Diffstat (limited to 'convert.sh')
-rwxr-xr-xconvert.sh62
1 files changed, 62 insertions, 0 deletions
diff --git a/convert.sh b/convert.sh
new file mode 100755
index 0000000..f325d0c
--- /dev/null
+++ b/convert.sh
@@ -0,0 +1,62 @@
+#!/bin/bash
+set -e
+
+echo "๐Ÿงน Stopping and disabling AdGuardHome..."
+systemctl stop AdGuardHome || true
+systemctl disable AdGuardHome || true
+rm -f /etc/systemd/system/AdGuardHome.service
+rm -rf /opt/AdGuardHome
+rm -f /usr/bin/AdGuardHome
+
+echo "๐Ÿ“ฆ Installing Unbound..."
+apt update
+apt install -y unbound curl
+
+echo "๐ŸŒ Fetching root hints..."
+curl -o /var/lib/unbound/root.hints https://www.internic.net/domain/named.cache
+
+echo "๐Ÿ” Setting up hardened Unbound config..."
+cat >/etc/unbound/unbound.conf <<EOF
+server:
+ interface: 0.0.0.0
+ access-control: 192.168.0.0/16 allow
+ access-control: 127.0.0.0/8 allow
+
+ num-threads: $(nproc)
+ msg-cache-size: 128m
+ rrset-cache-size: 256m
+ prefetch: yes
+ prefetch-key: yes
+
+ auto-trust-anchor-file: "/var/lib/unbound/root.key"
+ val-permissive-mode: no
+
+ root-hints: "/var/lib/unbound/root.hints"
+
+ qname-minimisation: yes
+ harden-dnssec-stripped: yes
+ harden-referral-path: yes
+ minimal-responses: yes
+
+remote-control:
+ control-enable: yes
+EOF
+
+echo "๐Ÿ” Disabling systemd-resolved stub listener if present..."
+if [ -f /etc/systemd/resolved.conf ]; then
+ sed -i 's/^#*DNSStubListener=.*/DNSStubListener=no/' /etc/systemd/resolved.conf
+ systemctl restart systemd-resolved
+fi
+
+echo "๐Ÿšฆ Restarting Unbound..."
+systemctl enable unbound
+systemctl restart unbound
+
+echo "โœ… Verifying Unbound is listening..."
+ss -ulpn | grep :53 || echo "โš ๏ธ Unbound might not be listening properly."
+
+echo "๐Ÿงช Test locally with:"
+echo " dig +dnssec cloudflare.com @127.0.0.1"
+echo " dig +dnssec dnssec-failed.org @127.0.0.1"
+
+echo "๐ŸŽ‰ Conversion complete. Box is now a recursive DNS resolver!"
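Review bot: The root-hints download `curl -o /var/lib/unbound/root.hints …` has no `-f`, so an HTTP error page is saved as the hints file with exit status 0 and `set -e` does not stop the script; use `curl -fsSL -o /var/lib/unbound/root.hints https://www.internic.net/domain/named.cache`. The heredoc then overwrites the packaged `/etc/unbound/unbound.conf` wholesale without validating it, and the systemd-resolved stub listener is switched off before Unbound is known to start, so a bad config leaves the host with no local resolver; add `unbound-checkconf /etc/unbound/unbound.conf` before `systemctl restart unbound`. `control-enable: yes` is turned on without the script running `unbound-control-setup` or setting `control-interface`, so whether control keys exist depends on the package defaults; either drop the stanza or set it up explicitly. The closing `ss -ulpn | grep :53 || echo …` only warns, so a failed conversion still prints "Conversion complete"; exiting non-zero there would make the failure visible to whoever runs it.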