I use unbound largely out of a habit to try different things. Your mileage will vary.
If using DNSSec, you'll want to make an /etc/unbound/dnssec/ directory (or something similar) and have unbound own it.
- You may want to make this a tmpfs partition.
- I start by copying over the sample configuration file. It's a decent starting point.
- Since I'm not using this for a major DNS server (it will never serve an external request), I set threads to 2.
- Set localhost and private interfaces
- Outgoing interfaces as appropriate - especially for IPv6
- Restrict ports to a smallish (~8k) range
- Largely so you know you have a safe range for other services.
- Be sure to add bound ipv6 addresses to /etc/network/interfaces - AnyIP only binds inbound.
- Don't forget access-control
- qname minimisation: yes
- I set most cache sizes to 32m - you'll want a lot more for more important servers, however.
- Turn on prefetching for results and keys.
- control-enable: no under remote-control:
- do-deamonize: no (since we're under systemd now)
- auto-trust-anchor-file: "/etc/unbound/dnssec/root.key"
- owner /etc/unbound/*.key* rw,
- owner /etc/unbound/dnssec/*.key* rw,
systemctl restart apparmor
Update the root key for DNSSec
#!/bin/sh #/etc/cron.daily/unbound-anchor if [ -f /usr/sbin/unbound-anchor ]; then /usr/sbin/unbound-anchor -a /etc/unbound/dnssec/root.key fi
Set this up so we actually query ourselves!
# Unless we're dealing with an intranet of some sort, set search to some nonsense tld. search invalid # Default timeout is 5, have had some issues with 1. options timeout:3 nameserver ::1 nameserver host.or.google.here nameserver host.or.google.here
Unbound sometimes chokes on me, if rarely, and my members then complain about not getting their notifications immediately. I wrote a watchdog script to take care of this:
#!/bin/sh run=`ps ax | grep "/usr/sbin/unbound" | grep -v grep | cut -c1-5 | paste -s -` if [ "$run" ]; then continue else /usr/bin/systemctl start unbound fi
And for /etc/cron.d/watchdog (or whatever)
*/2 * * * * root /root/watchdog.unbound.sh
If that's where you put your watchdog script. I'm lazy.