tested on ubuntu/xenial/artful and slackware14.2
Build the latest version. Libevent useful for 1000+ outgoing ports.
wget https://nlnetlabs.nl/downloads/unbound/unbound-1.9.3.tar.gz
sha256sum unbound-1.9.3.tar.gz #1b55dd9170e4bfb327fb644de7bbf7f0541701149dff3adf1b63ffa785f16dfa
tar xzf unbound-1.9.3.tar.gz
cd unbound-1.9.3/
./configure --with-libevent
nice make -j5
make install
ldconfig
Create a system user for Unbound to drop its privileges to,
useradd --system -d /usr/local/etc/unbound -s /sbin/nologin unbound
grep unbound /etc/passwd
grep unbound /etc/group
Generate some key pairs for unbound-control to work (skipped here, using a named pipe instead)
#unbound-control-setup
#ls -lF /usr/local/etc/unbound/unbound*.{key,pem}
ls -lF /var/unbound.control.pipe
mkfifo /var/unbound.control.pipe
you will notice the perms are updated by the daemon once it starts, as such
srw-rw---- 1 unbound unbound 0 Oct 2 12:53 /var/unbound.control.pipe=
Check how many cores you have got,
grep ^processor /proc/cpuinfo
Setup the caching name server,
ln -s /usr/local/etc/unbound/unbound.conf
cd /usr/local/etc/unbound/
Get the valid root hints
#wget http://www.internic.net/domain/named.root
wget https://www.internic.net/domain/named.cache
Get also the root anchors
mkdir /var/unbound/
unbound-anchor -a /var/unbound/root.key
chown -R unbound:unbound /var/unbound/
Then proceed with the setup (remove the authoritative zone part if you do not need it)
mv -i unbound.conf unbound.conf.dist
grep -Ev '^[[:space:]]*(#|$)' unbound.conf.dist > unbound.conf
vi unbound.conf

server:
    verbosity: 1
    #verbosity: 3
    num-threads: HOW_MANY_CORES
    interface: 0.0.0.0
    #interface: ::0
    access-control: 0.0.0.0/0 allow
    #access-control: ::/0 allow
    pidfile: "/var/run/unbound.pid"
    root-hints: "/usr/local/etc/unbound/named.cache"
    hide-identity: yes
    hide-version: yes
    #rrset-roundrobin: yes
    qname-minimisation: yes
    #chroot path
    #the file written by unbound-anchor above
    auto-trust-anchor-file: "/var/unbound/root.key"
    do-not-query-localhost: no
    domain-insecure: "example.local"
    domain-insecure: "1.1.10.in-addr.arpa"
    #local-zone: "example.local" transparent
    #local-zone: "1.1.10.in-addr.arpa" transparent

remote-control:
    control-enable: yes
    control-interface: /var/unbound.control.pipe

stub-zone:
    name: "example.local"
    stub-addr: ::1@5353

stub-zone:
    name: "1.1.10.in-addr.arpa"
    stub-addr: ::1@5353
Start and enable
tail -n0 -F /var/log/*
vi /etc/rc.local

#partly self verbose
/usr/local/sbin/unbound-checkconf /usr/local/etc/unbound/unbound.conf
/usr/bin/mkfifo /var/unbound.control.pipe
/usr/local/sbin/unbound-control start && echo Unbound started
Status (should run as the unbound user)
unbound-control status
#unbound-control stats_noreset
netstat -lntup | grep -E ':53[[:space:]]'
ps auxww | grep unbound
gives
root         8  0.0  0.0      0     0 ?        I    15:42   0:00 [kworker/u8:0-events_unbound]
root       268  0.0  0.0      0     0 ?        I    15:42   0:00 [kworker/u8:6-events_unbound]
root      1256  0.0  0.0      0     0 ?        I    15:48   0:00 [kworker/u8:1-events_unbound]
unbound   1258  2.0  0.1 258328 17568 ?        Ssl  15:48   0:00 unbound -c /usr/local/etc/unbound/unbound.conf
Reload
unbound-control reload
Analyze the cache
unbound-control dump_cache > cache.dump
less cache.dump
Flush the cache against a specific zone
unbound-control flush_zone example.local
Flush the overall cache,
unbound-control reload
Testing local-zone,
host localhost localhost
host 127.0.0.1 localhost
Testing cached public zone,
host mx.nethence.com localhost
host 62.210.110.7 localhost
Testing cached stub-zone,
host example.local localhost
host pxe.example.local localhost
host INTERNAL_IP localhost
Ubuntu – make sure you do NOT have dnsmasq, resolvconf, the systemd-resolved unit, nor NetworkManager installed. If so, disable or remove them.
apt install libevent-dev libexpat1-dev
ls -lF /var/lib/unbound/root.key #does not exist yet
mkdir trash/
mv unbound.conf unbound.conf.d/ trash/
#systemctl restart unbound
Slackware
cat /var/log/packages/libevent*
If the Unbound service is listening but refusing to answer queries, fix access-control: as shown in the example above.
With verbosity 3, if you get,
configured stub servers failed -- returning SERVFAIL
==> check do-not-query-localhost
Also against a stub zone, if you get,
info: query response was nodata ANSWER
==> if the zone is not signed, domain-insecure helps.
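An added shell check, not from the original howto, that lints an unbound.conf for the two stub-zone pitfalls just described: a loopback stub-addr without do-not-query-localhost: no (the SERVFAIL case) and a stub zone with no matching domain-insecure (the nodata case). The function names and the way it strips comments follow this page's grep; the sample config in the test is constructed.

```shell
#!/bin/sh
# Lint helper (added example, not part of Unbound or of the original howto).
# Usage: lint_stub_zones /usr/local/etc/unbound/unbound.conf
# Prints one WARN line per problem found and returns the number of warnings.

# Drop comments and blank lines (same filter as the howto) and leading indent,
# so every directive starts at column 0 regardless of nesting.
conf_lines() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | sed 's/^[[:space:]]*//'
}

lint_stub_zones() {
    conf=$1
    warnings=0

    # A stub-addr on loopback (::1 or 127.x) is only queried when
    # do-not-query-localhost is explicitly set to no; otherwise SERVFAIL.
    if conf_lines "$conf" | grep -Eq '^stub-addr:[[:space:]]*(::1|127\.)'; then
        if ! conf_lines "$conf" | grep -Eq '^do-not-query-localhost:[[:space:]]*no'; then
            echo 'WARN: loopback stub-addr without "do-not-query-localhost: no" (expect SERVFAIL)'
            warnings=$((warnings + 1))
        fi
    fi

    # Every stub-zone name should also appear as domain-insecure unless the
    # zone is DNSSEC-signed; otherwise the validator answers nodata.
    for zone in $(conf_lines "$conf" | awk '
        $1 == "stub-zone:" { s = 1; next }
        s && $1 == "name:" { gsub(/"/, "", $2); print $2; s = 0 }'); do
        if ! conf_lines "$conf" | grep -Eq "^domain-insecure:[[:space:]]*\"?${zone}\"?"; then
            echo "WARN: stub zone ${zone} has no domain-insecure entry (expect nodata if unsigned)"
            warnings=$((warnings + 1))
        fi
    done

    return $warnings
}
```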