DNS, DHCP and routing for the internal network
Since your home network is connected to the outside world only through your home server (right?), you must configure a few services on that server before the devices on the home network can browse and use the internet.
In detail, you will need:
- a DNS server, so that devices in the home network can resolve names to addresses (and filter ads)
- a DHCP server, to provide devices in the home network with automatic network configuration
- a default gateway and router, to allow devices in the home network to reach things on the internet
At first I used DNSmasq, which seems an easy approach to both DNS and DHCP for the home network. After a lengthy and annoying debugging session with Android devices I found out that DNS has evolved a lot and DNSMasq is today a bit outdated.
I then decided to go straight to the standard Gentoo DHCP server and the Unbound DNS resolver/forwarder, and I couldn't be happier.
For future reference, the older DNSMasq information has been moved to a separate page.
To build the router you will use the great nftables framework built into Linux, which has today replaced the older iptables.
Unbound, your very own DNS resolver
DNS (the Domain Name System) is how _names_ are converted to _addresses_ on the internet. Historically one of the oldest internet services still in use today, it suffers from a lot of drawbacks and issues, especially on the privacy side. The original plain-text protocol (UDP port 53) has been extended over the years with a few improvements such as DNS over TLS (DoT) and DNS over HTTPS (DoH). Both extensions provide more privacy, since requests are encrypted and neither your ISP nor a man in the middle can snoop on every website you visit, and more robustness, since, paired with DNSSEC, it is now harder to feed you forged DNS responses that redirect your traffic to bad websites (think of malware and such).
Unbound is a modern DNS server capable of resolving and forwarding your requests using DoT and DoH. I will show you how to use Unbound for your home network with DoT. DoH has some drawbacks (it requires port 443) and is currently not really standardized.
It's very simple to set up on Gentoo (see here) and it also supports DNSSEC (which, at this time, I have not configured yet).
So, first of all emerge Unbound:
emerge unbound
I am using the following /etc/unbound/unbound.conf:
- unbound.conf
server:
    verbosity: 1
    num-threads: 2
    interface: 10.0.0.1   # Listen to home interface
    interface: 127.0.0.1  # and listen to localhost as well
    port: 53
    so-reuseport: yes
    cache-min-ttl: 300
    cache-max-ttl: 86400
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
    use-systemd: no
    do-daemonize: yes
    # For security reasons, only clients on the home interface can use the DNS service
    access-control: 10.0.0.0/24 allow
    access-control: 127.0.0.1/8 allow  # and, of course, localhost as well
    use-syslog: yes
    hide-identity: yes
    hide-version: yes
    harden-short-bufsize: yes
    harden-large-queries: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-below-nxdomain: yes
    harden-referral-path: yes
    harden-algo-downgrade: yes
    qname-minimisation: yes
    qname-minimisation-strict: no
    aggressive-nsec: yes
    use-caps-for-id: yes
    prefetch: yes
    rrset-roundrobin: yes
    minimal-responses: yes
    # This will enable DoT (upstream)
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    # This will add Ad blocking
    include: /etc/unbound/adservers.conf
    # Add a local resolve for the home server (the local-data name must match the local-zone)
    local-zone: "home.mydomain.com." redirect
    local-data: "home.mydomain.com. A 10.0.0.1"

remote-control:
    control-enable: yes

forward-zone:
    name: "."
    # Use Google DNS as upstream DNS (put here your preferred ones if not Google)
    forward-tls-upstream: yes
    forward-addr: 8.8.8.8@853
    forward-addr: 8.8.4.4@853
This is the default Gentoo unbound configuration with a few changes here and there.
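The access-control lines are what keep this from becoming an open resolver, so they are worth checking mechanically. As an added example (not part of the original page or of Unbound itself), this Python script parses the server: clause of an unbound.conf and flags wildcard or public listen addresses, allow rules for the whole internet, and listeners that no allow rule covers; the embedded config is a constructed sample modelled on the one above.

```python
import ipaddress

# Constructed sample modelled on the unbound.conf above (not the page's file verbatim).
UNBOUND_CONF = """\
server:
    interface: 10.0.0.1
    interface: 127.0.0.1
    access-control: 10.0.0.0/24 allow
    access-control: 127.0.0.1/8 allow
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 8.8.8.8@853
"""

def server_options(conf):
    """Yield (key, value) pairs from the server: clause, comments stripped."""
    clause = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if sep and not value.strip():        # clause header such as "server:"
            clause = key.strip()
        elif clause == "server":
            yield key.strip(), value.strip()

def audit_access(conf):
    """Return findings that would expose the resolver beyond the home LAN."""
    listens, allows, findings = [], [], []
    for key, value in server_options(conf):
        if key == "interface":
            listens.append(ipaddress.ip_address(value.split("@")[0]))
        elif key == "access-control":
            net, action = value.split()
            if action.startswith("allow"):   # allow, allow_snoop, allow_setrd
                allows.append(ipaddress.ip_network(net, strict=False))
    for net in allows:
        if net.prefixlen == 0:
            findings.append(f"open resolver: {net} is allowed to query")
    for addr in listens:
        if addr.is_unspecified or not (addr.is_private or addr.is_loopback):
            findings.append(f"listening on non-LAN address {addr}")
        elif not any(addr in net for net in allows):
            findings.append(f"no allow rule covers listener {addr}; its clients are refused")
    return findings

if __name__ == "__main__":
    print(audit_access(UNBOUND_CONF) or "no findings")
```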
At this point, read the Ads Blocking page to create the /etc/unbound/adservers.conf file before continuing.
You need to populate your /etc/resolv.conf with Unbound as the default nameserver:
- resolv.conf
# My own local DNS resolver (Unbound)
nameserver 127.0.0.1
Don't forget to autostart the Unbound service:
rc-update add unbound default
/etc/init.d/unbound start
DNSMasq
Installing DNSMasq is easy enough, but it is better to enable a couple of specific USE flags first:
> echo net-dns/dnsmasq dhcp-tools dnssec >> /etc/portage/package.use/dnsmasq
dhcp-tools is needed to ensure dnsmasq will support DHCP, while dnssec is useful to enable DNSSEC support on the home network.
Install the tool:
> emerge dnsmasq
All you actually need to do is create a meaningful configuration file; take this one as an example:
- dnsmasq.conf
# Here put your home LAN interface
listen-address=10.0.0.1
bind-interfaces
# do not resolve your internal DNS names outside
domain-needed
# Never forward addresses in the non-routed address spaces
bogus-priv
# Enable dnssec support
#conf-file=/usr/share/dnsmasq/trust-anchors.conf
#dnssec
#dnssec-check-unsigned
# You can add your own ads filters here (only hosts format!)
#addn-hosts=/etc/adblock.hosts
# Use this custom-folder to add more blocklists;
# conf-dir=/etc/dnsmasq.d,*.conf
# DHCP settings for internal network (from 100 to 250, under 100 are fixed ips)
dhcp-range=10.0.0.100,10.0.0.250,12h
# Send gateway and DNS values to the DHCP clients
dhcp-option=option:router,10.0.0.1
dhcp-option=option:dns-server,10.0.0.1
# Preassign fixed IPs via DHCP to specific hosts:
#dhcp-host=34:f3:9a:73:a6:a4,10.0.0.99
# DNSSEC
conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec
dnssec-check-unsigned
Dnsmasq will operate only on your internal network, listening only on the 10.0.0.1 IP address and bound to the associated interface. This is especially needed if you are using Unbound as the DNS resolver.
Here I assign a pool of dynamic IP addresses (from 100 to 254) on the 10.0.0.0 subnet. Addresses under 100 can be used for static assignments. For example, I use static IPs for all my OpenWRT access points and wired security cameras, and dynamic ones for all other devices.
To be sure that all devices use the home server both as DNS server and as gateway, you need to set the two DHCP options above. This will not work for devices that use hard-coded DNS servers (like Fire Sticks and Google Chromecasts…), but there is a workaround for those too, which I will show you later on.
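A typo in those DHCP options (an extra zero in the router address, say) silently leaves every client without a working gateway, and a dhcp-host reservation placed inside the dynamic range will eventually collide with a lease. As an added example, not from the page or from dnsmasq, this Python check parses a dnsmasq.conf and reports both problems; the embedded config is a constructed sample modelled on the one above, with one such typo and one bad reservation planted deliberately.

```python
import ipaddress

# Constructed sample modelled on the dnsmasq.conf above (not the file verbatim): the
# router option carries a leading-zero typo and one reservation sits inside the pool.
DNSMASQ_CONF = """\
listen-address=10.0.0.1
bind-interfaces
dhcp-range=10.0.0.100,10.0.0.250,12h
dhcp-option=option:router,10.00.0.1
dhcp-option=option:dns-server,10.0.0.1
dhcp-host=34:f3:9a:73:a6:a4,10.0.0.99
dhcp-host=00:11:22:33:44:55,10.0.0.120
"""

def strict_ipv4(text):
    """Parse a dotted quad, rejecting leading-zero octets such as 10.00.0.1 (octal to some parsers)."""
    octets = text.split(".")
    ok = len(octets) == 4 and all(o.isdigit() and int(o) <= 255 and (o == "0" or o[0] != "0") for o in octets)
    if not ok:
        raise ValueError(f"malformed IPv4 address {text!r}")
    return ipaddress.IPv4Address(text)

def check_dhcp(conf):
    """Findings: malformed addresses, router/DNS options not equal to the listen-address,
    and fixed dhcp-host reservations that collide with the dynamic pool."""
    opts = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition("=")
            opts.append((key, value))
    listen = {v for k, v in opts if k == "listen-address"}
    lo, hi = next(v for k, v in opts if k == "dhcp-range").split(",")[:2]  # first range only
    pool = (strict_ipv4(lo), strict_ipv4(hi))
    findings = []
    for key, value in opts:
        try:
            if key == "dhcp-option":
                name, addr = value.split(",", 1)          # single address, as on this page
                if name in ("option:router", "option:dns-server") and str(strict_ipv4(addr)) not in listen:
                    findings.append(f"{name} hands out {addr}, which is not the listen-address")
            elif key == "dhcp-host":
                mac, addr = value.split(",", 1)
                if pool[0] <= strict_ipv4(addr) <= pool[1]:
                    findings.append(f"fixed IP {addr} for {mac} lies inside the dynamic pool")
        except ValueError as exc:
            findings.append(f"{key}: {exc}")
    return findings
```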
Well, this is almost all. Start the dnsmasq service and make it start on boot:
> rc-update add dnsmasq default
> /etc/init.d/dnsmasq start
Now you can connect your devices to the home network and they will get an IP address and a full network configuration to go with it.
Hosts file
DNSMasq will use your home server's /etc/hosts file to feed DNS to your home network. That makes it the perfect place to resolve your domain internally:
- hosts
10.0.0.1 home.mydomain.com
10.0.0.1 mydomain.com
This way all devices inside your network can reach your internal services the same way they do from outside, and mobile devices need only one configuration whether they are inside or outside your home network.
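Unbound does not read /etc/hosts the way dnsmasq does; its equivalent is local-data (plus local-data-ptr for the reverse lookup). As an added example, not from the page or from either project, this Python function converts hosts-file lines into those statements; the hosts file it embeds is a constructed sample mirroring the one above plus a camera entry and an IPv6 address.

```python
import ipaddress

# Constructed hosts file mirroring the one above, plus a camera on a static
# lease and an IPv6 entry to show AAAA handling (not the page's file verbatim).
HOSTS = """\
127.0.0.1 localhost
10.0.0.1  home.mydomain.com
10.0.0.1  mydomain.com
fd00::1   home.mydomain.com   # ULA address of the home server
10.0.0.5  cam1.home.mydomain.com
"""

def hosts_to_unbound(hosts_text):
    """Translate hosts-file lines into Unbound local-data statements.

    Loopback entries are skipped; each address gets one reverse (PTR) entry
    for the first name listed with it. Unbound creates a transparent
    local-zone for names that are not under a declared local-zone, so no
    local-zone lines are needed for plain per-name answers.
    """
    lines, ptr_done = [], set()
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        ip = ipaddress.ip_address(fields[0])
        if ip.is_loopback:
            continue
        rrtype = "AAAA" if ip.version == 6 else "A"
        for name in fields[1:]:
            fqdn = name.rstrip(".") + "."          # Unbound wants absolute names
            lines.append(f'local-data: "{fqdn} {rrtype} {ip}"')
            if ip not in ptr_done:
                ptr_done.add(ip)
                lines.append(f'local-data-ptr: "{ip} {fqdn[:-1]}"')
    return lines

if __name__ == "__main__":
    print("\n".join(hosts_to_unbound(HOSTS)))
```

To also catch every subdomain of a name, as the local-zone redirect in the Unbound configuration above does, add the matching local-zone line by hand.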