Unbound (1.9)

From Hexwiki

I use unbound largely out of a habit to try different things. Your mileage will vary.

If using DNSSEC, you'll want to make an /etc/unbound/dnssec/ directory (or something similar) and have unbound own it.

  • You may want to make this a tmpfs partition.
  • In addition to unbound you probably want dnsutils, and possibly rblcheck depending on your needs.

/etc/unbound/unbound.conf

  1. I start by copying over the sample configuration file. It's a decent starting point.
  2. Since I'm not using this for a major DNS server (it will never serve an external request), I set threads to 2.
  3. Set interface entries for localhost and the private interfaces.
  4. Outgoing interfaces as appropriate, especially for IPv6.
  5. Restrict outgoing ports to a 'small' (~16k) range.
    1. Largely so you know you have a safe range for other services.
  6. Be sure to add bound IPv6 addresses to /etc/network/interfaces; AnyIP only binds inbound.
  7. Don't forget access-control.
  8. qname-minimisation: yes
  9. ip-transparent: yes (or ip-freebind)
  10. I set most cache sizes to 32m - you'll want a lot more for more important servers, however.
  11. Turn on prefetching for results and keys.
  12. control-enable: no under remote-control:
  13. do-daemonize: no (since we're under systemd now)

For DNSSEC:

  1. auto-trust-anchor-file: "/etc/unbound/dnssec/root.key"
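As an added example (not the wiki's own file), here are the server: and remote-control: sections that implement the list above. The interface, outgoing and access-control addresses are assumed placeholders; replace them with your own.

```conf
server:
    # Not a public resolver, so two threads is plenty (item 2)
    num-threads: 2

    # Listen only on loopback and the private interface (item 3).
    # 10.0.0.1 is an assumed placeholder address.
    interface: 127.0.0.1
    interface: ::1
    interface: 10.0.0.1

    # Source addresses for upstream queries, especially for IPv6 (item 4).
    # Both are assumed placeholders from the documentation ranges.
    outgoing-interface: 203.0.113.10
    outgoing-interface: 2001:db8::10

    # Restrict source ports to 32768-49151, roughly 16k ports (item 5).
    # A smaller range reduces source-port entropy; do not go lower.
    outgoing-port-avoid: 1024-32767
    outgoing-port-avoid: 49152-65535

    # Only local clients may query; refuse everyone else (item 7).
    # 10.0.0.0/8 is an assumed placeholder for the private network.
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 10.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # Items 8 and 9 (use ip-freebind: yes instead if preferred)
    qname-minimisation: yes
    ip-transparent: yes

    # 32m caches (item 10); raise these on busier servers
    msg-cache-size: 32m
    rrset-cache-size: 32m
    key-cache-size: 32m

    # Refresh popular records and DNSKEYs before they expire (item 11)
    prefetch: yes
    prefetch-key: yes

    # systemd supervises the process (item 13)
    do-daemonize: no

    # DNSSEC trust anchor, kept in the directory unbound owns
    auto-trust-anchor-file: "/etc/unbound/dnssec/root.key"

remote-control:
    # Item 12: no unbound-control socket on this host
    control-enable: no
```

Run unbound-checkconf before restarting the service so a typo does not take the resolver down.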

/etc/apparmor.d/usr.sbin.unbound

Change

  • owner /etc/unbound/*.key* rw,

To:

  • owner /etc/unbound/dnssec/*.key* rw,

Then

systemctl restart apparmor

/etc/cron.daily/unbound-anchor

Update the root key for DNSSEC

#!/bin/sh
#/etc/cron.daily/unbound-anchor
if [ -f /usr/sbin/unbound-anchor ]; then
    /usr/sbin/unbound-anchor -a /etc/unbound/dnssec/root.key
fi

/etc/resolv.conf

Set this up so we actually query ourselves!

# Unless we're dealing with an intranet of some sort, set search to some nonsense tld.
search invalid
# Default timeout is 5, have had some issues with 1.
options timeout:3
nameserver ::1
nameserver host.or.google.here
nameserver host.or.google.here

watchdog.unbound.sh

Unbound sometimes chokes on me, if rarely, and my members then complain about not getting their notifications immediately. I wrote a watchdog script to take care of this:

#!/bin/sh
# Start unbound if no /usr/sbin/unbound process is running.
# The first five columns of `ps ax` output hold the PID.
run=$(ps ax | grep "/usr/sbin/unbound" | grep -v grep | cut -c1-5 | paste -s -)
if [ -z "$run" ]; then
    /usr/bin/systemctl start unbound
fi

And for /etc/cron.d/watchdog (or whatever)

*/2     *       *       *       *       root       /root/watchdog.unbound.sh

If that's where you put your watchdog script. I'm lazy.