Difference between revisions of "Unbound (1.9)"

From Hexwiki
Latest revision as of 09:53, 23 January 2021

I use unbound largely out of a habit to try different things. Your mileage will vary.

If using DNSSEC, create a /etc/unbound/dnssec/ directory (or something similar) and have the unbound user own it.

  • You may want to make this a tmpfs partition.
  • In addition to unbound you probably want dnsutils, and possibly rblcheck depending on your needs.

/etc/unbound/unbound.conf

  1. I start by copying over the sample configuration file. It's a decent starting point.
  2. Since I'm not using this for a major DNS server (it will never serve an external request), I set threads to 2.
  3. Set localhost and private interfaces.
  4. Outgoing interfaces as appropriate, especially for IPv6.
  5. Restrict outgoing ports to a 'small' (~16k) range.
    1. Largely so you know you have a safe range for other services.
  6. Be sure to add bound IPv6 addresses to /etc/network/interfaces - AnyIP only binds inbound.
  7. Don't forget access-control.
  8. qname-minimisation: yes
  9. ip-transparent: yes (or ip-freebind)
  10. I set most cache sizes to 32m - you'll want a lot more for more important servers, however.
  11. Turn on prefetching for results and keys.
  12. control-enable: no under remote-control:
  13. do-daemonize: no (since we're under systemd now)

For DNSSEC:

  1. auto-trust-anchor-file: "/etc/unbound/dnssec/root.key"
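The checklist above as a constructed unbound.conf, with a small shell audit that checks the exposure-relevant items. This is an added example, not the wiki's own config; the addresses, the sample-file path and the audit function are assumptions.

```shell
#!/bin/sh
# Added example: constructed unbound.conf for the checklist above, plus an audit; addresses are samples.

write_sample_conf() {   # $1 = path to write the constructed sample config to
    cat > "$1" <<'EOF'
server:
    num-threads: 2
    interface: 127.0.0.1
    interface: ::1
    interface: 10.0.0.5                 # sample private address
    outgoing-interface: 10.0.0.5
    outgoing-port-avoid: 1024-49151     # keep these free for other services
    outgoing-port-permit: 49152-65535   # ~16k ports for resolver queries
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow
    access-control: 10.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    qname-minimisation: yes
    ip-transparent: yes
    msg-cache-size: 32m                 # likewise rrset-cache-size, key-cache-size
    prefetch: yes
    prefetch-key: yes
    do-daemonize: no
    auto-trust-anchor-file: "/etc/unbound/dnssec/root.key"
remote-control:
    control-enable: no
EOF
}

# Print the last value set for an option, with comments and quotes stripped.
conf_value() {   # $1 = config file, $2 = option name
    sed 's/#.*//' "$1" | awk -v k="$2:" '$1 == k { v = $2 } END { print v }' | tr -d '"'
}

# Report each checklist item that is missing or wrong; exit status 1 if any failed.
audit_conf() {   # $1 = config file
    rc=0
    for want in qname-minimisation=yes control-enable=no prefetch-key=yes \
                do-daemonize=no auto-trust-anchor-file=/etc/unbound/dnssec/root.key; do
        key=${want%%=*}; exp=${want#*=}
        [ "$(conf_value "$1" "$key")" = "$exp" ] || { echo "FAIL: $key should be $exp"; rc=1; }
    done
    # Require an explicit default refuse so the policy does not rely on the built-in default.
    grep -Eq '^[[:space:]]*access-control:[[:space:]]+0\.0\.0\.0/0[[:space:]]+refuse' "$1" \
        || { echo "FAIL: no explicit default refuse in access-control"; rc=1; }
    return $rc
}

if [ $# -eq 1 ]; then audit_conf "$1"; fi   # usage: sh audit.sh /etc/unbound/unbound.conf
```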

/etc/apparmor.d/usr.sbin.unbound

Change

  • owner /etc/unbound/*.key* rw,

To:

  • owner /etc/unbound/dnssec/*.key* rw,

Then reload the profiles:

systemctl restart apparmor

/etc/cron.daily/unbound-anchor

Update the root key (the DNSSEC trust anchor) daily:

#!/bin/sh
#/etc/cron.daily/unbound-anchor
if [ -f /usr/sbin/unbound-anchor ]; then
    /usr/sbin/unbound-anchor -a /etc/unbound/dnssec/root.key
fi

/etc/resolv.conf

Set this up so we actually query ourselves!

# Unless we're dealing with an intranet of some sort, set search to some nonsense TLD.
search invalid
# Default timeout is 5, have had some issues with 1.
options timeout:3
# Query the local unbound first; fallback entries must be IP addresses, not hostnames.
nameserver ::1
nameserver host.or.google.here
nameserver host.or.google.here

watchdog.unbound.sh

Unbound sometimes chokes on me, if rarely, and my members then complain about not getting their notifications immediately. I wrote a watchdog script to take care of this:

#!/bin/sh
# Collect the PIDs of any running unbound processes (grep -v drops the grep itself).
run=$(ps ax | grep "/usr/sbin/unbound" | grep -v grep | cut -c1-5 | paste -s -)
# No PIDs means unbound is gone, so start it again. (This only tests presence:
# a wedged but still-running process passes the check.)
if [ -z "$run" ]; then
    /usr/bin/systemctl start unbound
fi

And for /etc/cron.d/watchdog (or whatever)

*/2     *       *       *       *       root       /root/watchdog.unbound.sh

If that's where you put your watchdog script. I'm lazy.