Difference between revisions of "Unbound (1.9)"
Jump to navigation
Jump to search
(Created page with "I use unbound largely out of a habit to try different things. Your mileage will vary. '''Issue:''' Make sure unbound-anchor has its path specified in its init.d script. Think...") |
|||
Line 16: | Line 16: | ||
# I set most cache sizes to 32m - you'll want a lot more for more important servers, however. | # I set most cache sizes to 32m - you'll want a lot more for more important servers, however. | ||
# Turn on prefetching for results and keys. | # Turn on prefetching for results and keys. | ||
− | # auto-trust-anchor-file: "/etc/unbound/root.key" | + | # auto-trust-anchor-file: "/etc/unbound/dnssec/root.key" |
# control-enable: no under remote-control: | # control-enable: no under remote-control: | ||
+ | # do-deamonize: no (since we're under systemd now) | ||
== /etc/cron.daily/unbound-anchor == | == /etc/cron.daily/unbound-anchor == |
Revision as of 10:46, 6 July 2020
I use unbound largely out of a habit to try different things. Your mileage will vary.
Issue: Make sure unbound-anchor has its path specified in its init.d script. Think this got fixed in an update but if not, you may see it whine at you.
/etc/unbound/unbound.conf
- I start by copying over the sample configuration file. It's a decent starting point.
- Since I'm not using this for a major DNS server (it will never serve an external request), I set threads to 2.
- Set localhost and private interfaces
- Outgoing interfaces as appropriate - especially for IPv6
- Restrict ports to a smallish (~8k) range
- Largely so you know you have a safe range for other services.
- Be sure to add bound ipv6 addresses to /etc/network/interfaces - AnyIP only binds inbound.
- Don't forget access-control
- qname minimisation: yes
- I set most cache sizes to 32m - you'll want a lot more for more important servers, however.
- Turn on prefetching for results and keys.
- auto-trust-anchor-file: "/etc/unbound/dnssec/root.key"
- control-enable: no under remote-control:
- do-deamonize: no (since we're under systemd now)
/etc/cron.daily/unbound-anchor
Update the root key for DNSSec
#!/bin/sh #/etc/cron.daily/unbound-anchor if [ -f /usr/sbin/unbound-anchor ]; then /usr/sbin/unbound-anchor -a /etc/unbound/root.key fi
/etc/resolv.conf
Set this up so we actually query ourselves!
# Unless we're dealing with an intranet of some sort, set search to some nonsense tld. search invalid # Default timeout is 5, have had some issues with 1. options timeout:3 nameserver ::1 nameserver host.or.google.here nameserver host.or.google.here
watchdog.unbound.sh
Unbound sometimes chokes on me, if rarely, and my members then complain about not getting their notifications immediately. I wrote a watchdog script to take care of this:
#!/bin/sh run=`ps ax | grep "/usr/sbin/unbound" | grep -v grep | cut -c1-5 | paste -s -` if [ "$run" ]; then continue else /usr/bin/systemctl start unbound fi
And for /etc/cron.d/watchdog (or whatever)
*/2 * * * * root /root/watchdog.unbound.sh
If that's where you put your watchdog script. I'm lazy.