Setting up Unbound from scratch

tested on ubuntu/xenial/artful and slackware14.2

FROM SCRATCH

Build the latest version. Libevent useful for 1000+ outgoing ports.

wget https://nlnetlabs.nl/downloads/unbound/unbound-1.9.3.tar.gz
sha256sum unbound-1.9.3.tar.gz
#1b55dd9170e4bfb327fb644de7bbf7f0541701149dff3adf1b63ffa785f16dfa
tar xzf unbound-1.9.3.tar.gz
cd unbound-1.9.3/
./configure --with-libevent
nice make -j5
make install
ldconfig

Create a system user for Unbound to drop its priviledges,

useradd --system -d /usr/local/etc/unbound -s /sbin/nologin unbound
grep unbound /etc/passwd
grep unbound /etc/group

Generate some key pairs for unbound-control to work

unbound-control-setup
ls -lF /usr/local/etc/unbound/unbound*.{key,pem}

Configuration

Check how many cores you have got,

grep ^processor /proc/cpuinfo

Setup the caching name server,

ln -s /usr/local/etc/unbound/unbound.conf
cd /usr/local/etc/unbound/

Get the valid root hints

#wget http://www.internic.net/domain/named.root
wget https://www.internic.net/domain/named.cache

Get also the root anchors

mkdir /var/unbound/
unbound-anchor -a /var/unbound/root.key
chown -R unbound:unbound /var/unbound/

Then proceed with the setup (remove the authoritative zone part if you do not need it)

mv -i unbound.conf unbound.conf.dist
grep -Ev '^[[:space:]]*(#|$)' unbound.conf.dist > unbound.conf
vi unbound.conf

server:
        verbosity: 1
        #verbosity: 3
        num-threads: HOW_MANY_CORES
        interface: 0.0.0.0
        #interface: ::0
        access-control: 0.0.0.0/0 allow
        #access-control: ::/0 allow
        pidfile: "/var/run/unbound.pid"
        root-hints: "/usr/local/etc/unbound/named.cache"
        hide-identity: yes
        hide-version: yes
        #rrset-roundrobin: yes
        qname-minimisation: yes
        #chroot path
        auto-trust-anchor-file: "/var/root.key"
        do-not-query-localhost: no

        domain-insecure: "example.local"
        domain-insecure: "1.1.10.in-addr.arpa"
        #local-zone: "example.local" transparent
        #local-zone: "1.1.10.in-addr.arpa" transparent

remote-control:
        control-enable: yes

stub-zone:
        name: "example.local"
        stub-addr: ::1@5353

stub-zone:
        name: "1.1.10.in-addr.arpa"
        stub-addr: ::1@5353

Operations

Start and enable

tail -n0 -F /var/log/*
vi /etc/rc.local

#partly self verbose
/usr/local/sbin/unbound-checkconf /usr/local/etc/unbound/unbound.conf && /usr/local/sbin/unbound-control start && echo unbound started

Status (should run as unbound user)

unbound-control status
ps auxww | grep unbound
netstat -lntup | grep -E ':53[[:space:]]'
#unbound-control stats_noreset

Reload

unbound-control reload

Analyze the cache

unbound-control dump_cache > cache.dump
less cache.dump

Flush the cache against a specific zone

unbound-control flush_zone example.local

Flush the overall cache,

unbound-control reload

Acceptance

Testing local-zone,

host localhost localhost
host 127.0.0.1 localhost

Testing cached public zone,

host mx.nethence.com localhost
host 62.210.110.7 localhost

Testing cashed stub-zone,

host example.local localhost
host pxe.example.local localhost
host INTERNAL_IP localhost

Notes

Ubuntu – make sure you do NOT have those installed: dnsmasq, resolvconf nor systemd-resolved unit, NetworkManager. If so, disable or remove them.

apt install libevent-dev libexpat1-dev

ls -lF /var/lib/unbound/root.key #does not exist yet

mkdir trash/
mv unbound.conf unbound.conf.d/ trash/

#systemctl restart unbound

Slackware

cat /var/log/packages/libevent*

Troubleshooting

If Unbound service is listening but refusing to answer queries, fix access-control: as shown in the example above.

With verbosity 3, if you get,

configured stub servers failed -- returning SERVFAIL

==> check do-not-query-localhost

Against a stub zone too, if you get,

info: query response was nodata ANSWER

==> if it is not signed, domain-insecure helps.

Resources

unbound.conf - Unbound configuration file. https://nlnetlabs.nl/documentation/unbound/unbound.conf/

unbound-anchor - Unbound anchor utility. https://nlnetlabs.nl/documentation/unbound/unbound-anchor/

Howto enable DNSSEC https://nlnetlabs.nl/documentation/unbound/howto-anchor/

Unbound-1.9.1 http://www.linuxfromscratch.org/blfs/view/svn/server/unbound.html

unbound/doc/example.conf.in https://github.com/NLnetLabs/unbound/blob/master/doc/example.conf.in old http://unbound.nlnetlabs.nl/svn/trunk/doc/example.conf.in

[Unbound-users] reverse lookup stub zone https://www.unbound.net/pipermail/unbound-users/2009-May/000583.html

Unbound DNS Server Cache Control https://abridge2devnull.com/posts/2016/03/unbound-dns-server-cache-control/

Unbound https://wiki.archlinux.org/index.php/unbound

Root Files https://www.iana.org/domains/root/files

Unbound DNS Server Cache Control https://abridge2devnull.com/posts/2016/03/unbound-dns-server-cache-control/


Nethence | Pub | Lab | Pbraun | SNE Russia | xhtml