From e5bf3b99d39bac5390bd780b08585f2897caf86d Mon Sep 17 00:00:00 2001
From: doc <doc@filenotfound.org>
Date: Sun, 29 Jun 2025 07:20:14 +0000
Subject: initial commit

---
 bootstrap-unbound.sh | 91 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 convert.sh           | 62 +++++++++++++++++++++++++++++++++++
 2 files changed, 153 insertions(+)
 create mode 100755 bootstrap-unbound.sh
 create mode 100755 convert.sh

diff --git a/bootstrap-unbound.sh b/bootstrap-unbound.sh
new file mode 100755
index 0000000..bed5ff1
--- /dev/null
+++ b/bootstrap-unbound.sh
@@ -0,0 +1,91 @@
+#!/usr/bin/env bash
+# bootstrap-unbound.sh
+# One-shot installer / hardener for an Unbound recursive resolver
+# Tested on Debian 11+/Ubuntu 22.04+   (systemd-based)
+
+set -euo pipefail
+IFS=$'\n\t'
+
+######################### 1.  Settings  ################################
+
+# Where you’ll listen for queries (adjust subnet as needed!)
+LISTEN_SUBNET="192.168.0.0/16"
+THREADS="$(nproc)"
+ROOT_HINTS="/var/lib/unbound/root.hints"
+UNBOUND_CONF="/etc/unbound/unbound.conf"
+
+######################### 2.  Install  #################################
+
+echo "📦 Installing Unbound..."
+apt-get update -qq
+DEBIAN_FRONTEND=noninteractive apt-get install -y unbound curl jq dnsutils
+
+######################### 3.  Root hints  ##############################
+
+echo "🌍 Fetching ICANN root hints..."
+curl -sSL https://www.internic.net/domain/named.root -o "$ROOT_HINTS"
+
+######################### 4.  Config file  #############################
+
+echo "🛠  Writing $UNBOUND_CONF ..."
+cat > "$UNBOUND_CONF" <<EOF
+server:
+  interface: 0.0.0.0
+  access-control: ${LISTEN_SUBNET} allow
+  access-control: 127.0.0.0/8 allow
+
+  # Performance
+  num-threads: ${THREADS}
+  msg-cache-size: 128m
+  rrset-cache-size: 256m
+  prefetch: yes
+  prefetch-key: yes
+
+  # DNSSEC
+  auto-trust-anchor-file: "/var/lib/unbound/root.key"
+  val-permissive-mode: no
+
+  # Root servers
+  root-hints: "${ROOT_HINTS}"
+
+  # Privacy
+  qname-minimisation: yes
+  minimal-responses: yes
+
+  # Hardening
+  harden-dnssec-stripped: yes
+  harden-referral-path: yes
+
+  # Logging (comment out if too chatty)
+  log-queries: no
+  log-replies:  no
+
+remote-control:
+  control-enable: yes
+EOF
+
+######################### 5.  Control certs  ###########################
+
+echo "🔑 Generating control-channel certificates..."
+unbound-control-setup 
+
+######################### 6.  Enable + start  ##########################
+
+echo "🚀 Enabling & starting Unbound..."
+systemctl enable --now unbound
+
+######################### 7.  Smoke tests  #############################
+
+echo -e "\n🔍 Quick DNSSEC validation tests:\n"
+
+GOOD_DOMAIN="cloudflare.com"
+BAD_DOMAIN="dnssec-failed.org"
+SERVER="127.0.0.1"
+
+good=$(dig +dnssec +adflag "$GOOD_DOMAIN" @"$SERVER" | grep -q "flags:.* ad" && echo "✅ Validated" || echo "❌ FAILED")
+bad=$(dig +dnssec +adflag "$BAD_DOMAIN" @"$SERVER" | grep -q "SERVFAIL" && echo "✅ Blocked  " || echo "❌ FAILED")
+
+printf "  %-25s %s\n" "$GOOD_DOMAIN" "$good"
+printf "  %-25s %s\n" "$BAD_DOMAIN"  "$bad"
+
+echo -e "\n🎉  All done. Point your LAN’s DNS to this server and enjoy DNSSEC-validated recursion."
diff --git a/convert.sh b/convert.sh
new file mode 100755
index 0000000..f325d0c
--- /dev/null
+++ b/convert.sh
@@ -0,0 +1,62 @@
+#!/bin/bash
+set -e
+
+echo "🧹 Stopping and disabling AdGuardHome..."
+systemctl stop AdGuardHome || true
+systemctl disable AdGuardHome || true
+rm -f /etc/systemd/system/AdGuardHome.service
+rm -rf /opt/AdGuardHome
+rm -f /usr/bin/AdGuardHome
+
+echo "📦 Installing Unbound..."
+apt update
+apt install -y unbound curl
+
+echo "🌐 Fetching root hints..."
+curl -o /var/lib/unbound/root.hints https://www.internic.net/domain/named.cache
+
+echo "🔐 Setting up hardened Unbound config..."
+cat >/etc/unbound/unbound.conf <<EOF
+server:
+  interface: 0.0.0.0
+  access-control: 192.168.0.0/16 allow
+  access-control: 127.0.0.0/8 allow
+
+  num-threads: $(nproc)
+  msg-cache-size: 128m
+  rrset-cache-size: 256m
+  prefetch: yes
+  prefetch-key: yes
+
+  auto-trust-anchor-file: "/var/lib/unbound/root.key"
+  val-permissive-mode: no
+
+  root-hints: "/var/lib/unbound/root.hints"
+
+  qname-minimisation: yes
+  harden-dnssec-stripped: yes
+  harden-referral-path: yes
+  minimal-responses: yes
+
+remote-control:
+  control-enable: yes
+EOF
+
+echo "🔐 Disabling systemd-resolved stub listener if present..."
+if [ -f /etc/systemd/resolved.conf ]; then
+  sed -i 's/^#*DNSStubListener=.*/DNSStubListener=no/' /etc/systemd/resolved.conf
+  systemctl restart systemd-resolved
+fi
+
+echo "🚦 Restarting Unbound..."
+systemctl enable unbound
+systemctl restart unbound
+
+echo "✅ Verifying Unbound is listening..."
+ss -ulpn | grep :53 || echo "⚠️ Unbound might not be listening properly."
+
+echo "🧪 Test locally with:"
+echo "   dig +dnssec cloudflare.com @127.0.0.1"
+echo "   dig +dnssec dnssec-failed.org @127.0.0.1"
+
+echo "🎉 Conversion complete. Box is now a recursive DNS resolver!"
-- 
cgit v1.2.3