Unbound (1.9)

From Hexwiki
Revision as of 09:53, 23 January 2021 by Vekseid (talk | contribs) (→‎/etc/unbound/unbound.conf)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

I use unbound largely out of a habit to try different things. Your mileage will vary.

If using DNSSec, you'll want to make an /etc/unbound/dnssec/ directory (or something similar) and have unbound own it.

  • You may want to make this a tmpfs partition.
  • In addition to unbound you probably want dnsutils, and possibly rblcheck depending on your needs.

/etc/unbound/unbound.conf

  1. I start by copying over the sample configuration file. It's a decent starting point.
  2. Since I'm not using this for a major DNS server (it will never serve an external request), I set threads to 2.
  3. Set localhost and private interfaces
  4. Outgoing interfaces as appropriate - especially for IPv6
  5. Restrict outgoing ports to a 'small' (~16k) range
    1. Largely so you know you have a safe range for other services.
  6. Be sure to add bound ipv6 addresses to /etc/network/interfaces - AnyIP only binds inbound.
  7. Don't forget access-control
  8. qname minimisation: yes
  9. ip-transparent: yes (Or ip-freebind)
  10. I set most cache sizes to 32m - you'll want a lot more for more important servers, however.
  11. Turn on prefetching for results and keys.
  12. control-enable: no under remote-control:
  13. do-deamonize: no (since we're under systemd now)

For DNSSEC:

  1. auto-trust-anchor-file: "/etc/unbound/dnssec/root.key"

/etc/apparmor.d/usr.sbin.unbound

Change

  • owner /etc/unbound/*.key* rw,

To:

  • owner /etc/unbound/dnssec/*.key* rw,

Then

systemctl restart apparmor

/etc/cron.daily/unbound-anchor

Update the root key for DNSSec

#!/bin/sh
#/etc/cron.daily/unbound-anchor
if [ -f /usr/sbin/unbound-anchor ]; then
    /usr/sbin/unbound-anchor -a /etc/unbound/dnssec/root.key
fi

/etc/resolv.conf

Set this up so we actually query ourselves!

# Unless we're dealing with an intranet of some sort, set search to some nonsense tld.
search invalid
# Default timeout is 5, have had some issues with 1.
options timeout:3
nameserver ::1
nameserver host.or.google.here
nameserver host.or.google.here

watchdog.unbound.sh

Unbound sometimes chokes on me, if rarely, and my members then complain about not getting their notifications immediately. I wrote a watchdog script to take care of this:

#!/bin/sh
run=`ps ax | grep "/usr/sbin/unbound" | grep -v grep | cut -c1-5 | paste -s -`
if [ "$run" ];
  then
    continue
  else
    /usr/bin/systemctl start unbound
fi

And for /etc/cron.d/watchdog (or whatever)

*/2     *       *       *       *       root       /root/watchdog.unbound.sh

If that's where you put your watchdog script. I'm lazy.