Unbound (1.9)
Latest revision as of 09:53, 23 January 2021
I use unbound largely out of a habit to try different things. Your mileage will vary.
If using DNSSEC, you'll want to make an /etc/unbound/dnssec/ directory (or something similar) and have unbound own it.
- You may want to make this a tmpfs partition.
- In addition to unbound you probably want dnsutils, and possibly rblcheck depending on your needs.
/etc/unbound/unbound.conf
- I start by copying over the sample configuration file. It's a decent starting point.
- Since I'm not using this for a major DNS server (it will never serve an external request), I set threads to 2.
- Set localhost and private interfaces.
- Outgoing interfaces as appropriate, especially for IPv6.
- Restrict outgoing ports to a 'small' (~16k) range.
  - Largely so you know you have a safe range for other services.
- Be sure to add bound IPv6 addresses to /etc/network/interfaces; AnyIP only binds inbound.
- Don't forget access-control.
- qname-minimisation: yes
- ip-transparent: yes (or ip-freebind)
- I set most cache sizes to 32m; you'll want a lot more for more important servers, however.
- Turn on prefetching for results and keys.
- control-enable: no under remote-control:
- do-daemonize: no (since we're under systemd now)
For DNSSEC:
- auto-trust-anchor-file: "/etc/unbound/dnssec/root.key"
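The notes above, written out as the corresponding unbound.conf options. This is an added example, not the page's own configuration; addresses are RFC 5737/3849 documentation placeholders to replace with your own.

```conf
server:
    # Not an external-facing server: two threads are plenty.
    num-threads: 2

    # Listen on localhost and the private interfaces only.
    interface: 127.0.0.1
    interface: ::1
    interface: 192.0.2.53            # placeholder: your private IPv4 address
    interface: 2001:db8::53          # placeholder: your private IPv6 address

    # Source address for upstream queries; matters once IPv6 is in play.
    outgoing-interface: 2001:db8::53

    # Leave only 49152-65535 (16384 ports) for upstream queries so the range
    # below is known-free for other services. That still keeps ~14 bits of
    # source-port entropy against spoofed answers; do not shrink it further.
    outgoing-port-avoid: 1024-49151

    # Answer only the clients you mean to serve; refuse everyone else.
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow
    access-control: 192.0.2.0/24 allow   # placeholder: your LAN
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    qname-minimisation: yes
    ip-transparent: yes                  # or: ip-freebind: yes

    # Modest caches for a personal resolver; raise these on busier hosts.
    msg-cache-size: 32m
    rrset-cache-size: 32m
    key-cache-size: 32m
    prefetch: yes
    prefetch-key: yes

    do-daemonize: no                     # systemd supervises the process

    # DNSSEC validation, with the RFC 5011-maintained anchor kept in the
    # directory unbound owns (see the AppArmor change below).
    auto-trust-anchor-file: "/etc/unbound/dnssec/root.key"

remote-control:
    control-enable: no
```

Run `unbound-checkconf` after editing; it reports unknown or misspelled option names before a restart does.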
/etc/apparmor.d/usr.sbin.unbound
Change
- owner /etc/unbound/*.key* rw,
To:
- owner /etc/unbound/dnssec/*.key* rw,
Then
systemctl restart apparmor
/etc/cron.daily/unbound-anchor
Update the root key for DNSSEC.

    #!/bin/sh
    #/etc/cron.daily/unbound-anchor
    if [ -f /usr/sbin/unbound-anchor ]; then
        /usr/sbin/unbound-anchor -a /etc/unbound/dnssec/root.key
    fi
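A variant of that cron job, added here as an example (not the page's own script), that runs unbound-anchor as the service user rather than root and reports what the exit status means. It assumes Debian-style paths, a service user named "unbound", runuser from util-linux, and the unbound-owned /etc/unbound/dnssec/ directory from above.

```shell
#!/bin/sh
# /etc/cron.daily/unbound-anchor (added example, not the page's own script).
# Assumes: Debian paths, service user "unbound", runuser from util-linux,
# and /etc/unbound/dnssec/ owned by unbound as set up above.

ANCHOR_BIN=/usr/sbin/unbound-anchor
ANCHOR_KEY=/etc/unbound/dnssec/root.key
ANCHOR_USER=unbound

# Map unbound-anchor's exit status to a log line, following unbound-anchor(8):
#   0: nothing to do, or the key was refreshed by RFC 5011 tracking (a failed
#      fetch also returns 0, so a quiet run is not proof the key is fresh)
#   1: the key file was rewritten from the built-in anchor or the certificate
#      path, which bypassed RFC 5011 tracking and deserves a look
# Prints the message; returns 0 for 0/1 and 1 for any other (unexpected) status.
describe_anchor_status() {
    case "$1" in
        0) echo "root.key unchanged or refreshed via RFC 5011"; return 0 ;;
        1) echo "root.key rewritten from built-in anchor or certificate: check it"; return 0 ;;
        *) echo "unbound-anchor exited with unexpected status $1"; return 1 ;;
    esac
}

update_anchor() {
    [ -x "$ANCHOR_BIN" ] || return 0   # package not installed: nothing to do
    # Run as the service user: the key stays writable by the daemon (RFC 5011
    # rollovers need that) and root never writes into the directory.
    runuser -u "$ANCHOR_USER" -- "$ANCHOR_BIN" -a "$ANCHOR_KEY"
    msg=$(describe_anchor_status $?); rc=$?
    logger -t unbound-anchor "$msg"
    return "$rc"
}

# Sourcing the file with UNBOUND_ANCHOR_NO_RUN set only defines the functions.
[ -n "$UNBOUND_ANCHOR_NO_RUN" ] || update_anchor
```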
/etc/resolv.conf
Set this up so we actually query ourselves!
    # Unless we're dealing with an intranet of some sort, set search to some nonsense tld.
    search invalid
    # Default timeout is 5, have had some issues with 1.
    options timeout:3
    nameserver ::1
    nameserver host.or.google.here
    nameserver host.or.google.here
watchdog.unbound.sh
Unbound sometimes chokes on me, if rarely, and my members then complain about not getting their notifications immediately. I wrote a watchdog script to take care of this:
    #!/bin/sh
    # Start unbound if no /usr/sbin/unbound process is listed.
    run=`ps ax | grep "/usr/sbin/unbound" | grep -v grep | cut -c1-5 | paste -s -`
    if [ -n "$run" ]; then
        :   # already running, nothing to do ('continue' is only valid inside a loop)
    else
        /usr/bin/systemctl start unbound
    fi
And for /etc/cron.d/watchdog (or whatever)
    */2 * * * * root /root/watchdog.unbound.sh
If that's where you put your watchdog script. I'm lazy.
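The watchdog above only notices a missing process; a resolver that is running but not answering would pass it. The following is an added example (not the page's own script) that probes for a real answer before restarting. It assumes dig from the dnsutils package mentioned earlier, systemd, and unbound listening on ::1.

```shell
#!/bin/sh
# watchdog.unbound.sh (added example, not the page's own script): restart
# unbound when it stops answering, not only when the process is gone.
# Assumes dig (dnsutils), systemd, and unbound listening on ::1.

RESOLVER=::1
PROBE_NAME=.        # every working recursive resolver can answer the root SOA
PROBE_TIMEOUT=2     # seconds; keep it well below the cron interval

# Healthy means dig got an answer (exit 0; it exits 9 when the server never
# replies) and the +short output is non-empty (SERVFAIL gives exit 0 but no
# records). Takes status and output as arguments so the rule is testable offline.
is_healthy() {
    [ "$1" -eq 0 ] && [ -n "$2" ]
}

probe() {
    out=$(dig +short +time="$PROBE_TIMEOUT" +tries=1 @"$RESOLVER" "$PROBE_NAME" SOA 2>/dev/null)
    is_healthy $? "$out"
}

watchdog() {
    command -v dig >/dev/null 2>&1 || return 0   # cannot judge without dig
    probe && return 0
    logger -t unbound-watchdog "no usable answer from $RESOLVER; restarting unbound"
    /usr/bin/systemctl restart unbound
}

# Sourcing the file with UNBOUND_WATCHDOG_NO_RUN set only defines the functions.
[ -n "$UNBOUND_WATCHDOG_NO_RUN" ] || watchdog
```

The same cron line as above works for it; the restart is logged via syslog so repeated restarts show up in the journal.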