Unbound (1.9)
I use unbound largely out of a habit of trying different things. Your mileage will vary.
If using DNSSEC, you'll want to make an /etc/unbound/dnssec/ directory (or something similar) and have unbound own it: unbound rewrites the trust anchor file itself when the root key rolls over (RFC 5011), so it needs write access there.
- You may want to make this a tmpfs partition. Note that it is empty after every reboot, so the root key has to be recreated (unbound-anchor can do that) before unbound starts.
- In addition to unbound you probably want dnsutils, and possibly rblcheck depending on your needs.
/etc/unbound/unbound.conf
- I start by copying over the sample configuration file. It's a decent starting point.
- Since I'm not using this for a major DNS server (it will never serve an external request), I set threads to 2.
- Set localhost and private interfaces
- Outgoing interfaces as appropriate - especially for IPv6
- Restrict outgoing ports to a 'small' (~16k) range
- Largely so you know you have a safe range for other services. Don't go much smaller: the randomised source port is part of what makes forged replies hard to guess, and 16k ports is still 14 bits of randomness.
- Be sure to add bound ipv6 addresses to /etc/network/interfaces - AnyIP only binds inbound.
- Don't forget access-control: by default unbound only answers localhost and refuses everyone else, so list the networks you actually serve.
- qname-minimisation: yes
- ip-transparent: yes (Or ip-freebind)
- I set most cache sizes to 32m - you'll want a lot more for more important servers, however.
- Turn on prefetching for results and keys.
- control-enable: no under remote-control:
- do-daemonize: no (since we're under systemd now)
For DNSSEC:
- auto-trust-anchor-file: "/etc/unbound/dnssec/root.key"
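As an added example (not from the original page), here is the whole checklist above as one unbound.conf, wrapped in a small shell script that writes it to the path you give it and runs unbound-checkconf on it when that tool is installed. The interface addresses and the 192.0.2.0/24 client network are placeholders; the four hardening options near the end (hide-identity, hide-version, harden-glue, harden-dnssec-stripped) are not in the list above and are added here. The port range 32768-49151 is exactly 16384 ports, matching the "~16k" suggestion, and is expressed with non-overlapping avoid/permit lines so the result does not depend on the order unbound applies them.

```shell
#!/bin/sh
# Added example: write a minimal unbound.conf matching the checklist and
# validate it. Addresses and the client network are placeholders.

write_unbound_conf() {
    # $1 = path to write
    cat > "$1" <<'EOF'
server:
    # small resolver that never serves the internet: two threads is plenty
    num-threads: 2
    interface: 127.0.0.1
    interface: ::1
    interface: 192.0.2.1               # placeholder private address
    outgoing-interface: 192.0.2.1      # placeholder
    outgoing-interface: 2001:db8::1    # placeholder, set the IPv6 one too
    # keep outgoing ports in a known 16k range other services can stay out of
    outgoing-port-avoid: 1024-32767
    outgoing-port-avoid: 49152-65535
    outgoing-port-permit: 32768-49151
    # only answer the hosts you mean to serve; everyone else is refused
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow
    access-control: 192.0.2.0/24 allow # placeholder client network
    qname-minimisation: yes
    ip-transparent: yes
    msg-cache-size: 32m
    rrset-cache-size: 32m
    key-cache-size: 32m
    neg-cache-size: 32m
    prefetch: yes
    prefetch-key: yes
    do-daemonize: no
    # hardening options beyond the checklist
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    # DNSSEC: unbound keeps this file up to date itself (RFC 5011)
    auto-trust-anchor-file: "/etc/unbound/dnssec/root.key"

remote-control:
    control-enable: no
EOF
}

# Returns 0 if the file contains the setting "$2: $3" (leading spaces allowed).
has_setting() {
    grep -Eq "^[[:space:]]*$2:[[:space:]]*$3" "$1"
}

# Syntax-check the file when unbound-checkconf is installed; otherwise skip.
check_unbound_conf() {
    if command -v unbound-checkconf >/dev/null 2>&1; then
        unbound-checkconf "$1"
    fi
}

# Usage: sh write-unbound-conf.sh /etc/unbound/unbound.conf
if [ -n "${1:-}" ]; then
    write_unbound_conf "$1" && check_unbound_conf "$1"
fi
```

Run it with the target path as the only argument, then `systemctl restart unbound`. The access-control lines are the security-relevant part: anything not listed gets REFUSED, which is what keeps a resolver on a routable address from becoming an open resolver.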
/etc/apparmor.d/usr.sbin.unbound
Change
- owner /etc/unbound/*.key* rw,
to
- owner /etc/unbound/dnssec/*.key* rw,
then reload the profiles, either all of them:
systemctl restart apparmor
or just this one:
apparmor_parser -r /etc/apparmor.d/usr.sbin.unbound
/etc/cron.daily/unbound-anchor
Update the root key for DNSSEC. Unbound already tracks RFC 5011 rollovers itself through auto-trust-anchor-file; this daily run is belt and braces.
#!/bin/sh
# /etc/cron.daily/unbound-anchor
# Note: unbound-anchor exits 1 when it actually had to update the key file,
# so cron mails about it once after a rollover; that is expected, not an error.
if [ -x /usr/sbin/unbound-anchor ]; then
    /usr/sbin/unbound-anchor -a /etc/unbound/dnssec/root.key
fi
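Having the anchor in place is not the same as validating, so here is an added check script (not from the original page) that asks the resolver on ::1 two questions with dig from dnsutils: a signed zone (the root SOA) must come back with the ad flag set, and a zone with deliberately broken signatures (dnssec-failed.org is a public one) must come back SERVFAIL. The parsing helpers take dig's output as text, so they can be exercised without a network.

```shell
#!/bin/sh
# Added example: confirm the local unbound really validates DNSSEC.

# Prints the status field (NOERROR, SERVFAIL, ...) from dig's header line.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Returns 0 if the "ad" (authenticated data) flag appears in dig's flags line.
dig_has_ad() {
    printf '%s\n' "$1" | grep -Eq '^;; flags:( [a-z]+)* ad( [a-z]+)*;'
}

# Live check against a resolver (default ::1). A validating resolver sets ad
# on a signed zone and answers SERVFAIL for a zone whose signatures are broken.
check_validation() {
    resolver="${1:-::1}"
    good=$(dig @"$resolver" +dnssec . SOA)        # the root zone is signed
    bad=$(dig @"$resolver" dnssec-failed.org A)   # deliberately broken zone
    if dig_has_ad "$good" && [ "$(dig_status "$bad")" = "SERVFAIL" ]; then
        echo "DNSSEC validation: OK"
        return 0
    fi
    echo "DNSSEC validation: NOT working (check auto-trust-anchor-file)" >&2
    return 1
}

# Usage: sh check-dnssec.sh ::1
if [ -n "${1:-}" ]; then
    check_validation "$1"
fi
```

If the broken zone comes back NOERROR with an answer, the resolver is not validating at all; if the signed zone lacks ad but the broken one is SERVFAIL, dig is probably not talking to unbound but to whatever is next in resolv.conf.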
/etc/resolv.conf
Set this up so we actually query ourselves. Two caveats: the extra nameserver lines are fallbacks that the stub resolver moves on to when ::1 times out or answers SERVFAIL, and SERVFAIL is exactly what a DNSSEC validation failure looks like, so a non-validating fallback can hand you the answer unbound just rejected. And resolvconf or a DHCP client may rewrite this file unless told not to.
# Unless we're dealing with an intranet of some sort, set search to some nonsense TLD
# (.invalid is reserved for exactly this purpose).
search invalid
# Default timeout is 5, have had some issues with 1.
options timeout:3
nameserver ::1
# nameserver takes IP addresses, not hostnames: replace these placeholders.
nameserver host.or.google.here
nameserver host.or.google.here
watchdog.unbound.sh
Unbound sometimes chokes on me, if rarely, and my members then complain about not getting their notifications immediately. I wrote a watchdog script to take care of this:
#!/bin/sh
# /root/watchdog.unbound.sh: start unbound if no unbound process is running.
# pgrep -x matches the process name exactly, so there is no ps|grep to parse.
if ! pgrep -x unbound >/dev/null 2>&1; then
    /usr/bin/systemctl start unbound
fi
# Alternative without cron: "systemctl edit unbound" and add Restart=on-failure
# under [Service], so systemd restarts unbound itself when it dies.
And for /etc/cron.d/watchdog (or whatever)
*/2 * * * * root /root/watchdog.unbound.sh
If that's where you put your watchdog script. I'm lazy.