
Setting up Unbound from scratch

on Ubuntu Server 16.04

Requirements

as root

Note. If NetworkManager is up and running, consider disabling it, or at least disable its dnsmasq instance.

Install a few required libraries,

apt install libevent-dev libexpat1-dev

Note. libevent is optional but, as the README states, it is useful when many outgoing ports (1000+) are in use. Enable it with --with-libevent at configure time.

Package description (apt show libevent-dev) says,

Description: Asynchronous event notification library (development files)
 Libevent is an asynchronous event notification library that provides a
 mechanism to execute a callback function when a specific event occurs
 on a file descriptor or after a timeout has been reached.
 .
 This package includes development files for compiling against libevent.

Installation

as user

Fetch the latest version of Unbound and compile it,

wget https://www.unbound.net/downloads/unbound-1.6.5.tar.gz
#SHA256 checksum: e297aa1229015f25bf24e4923cb1dadf1f29b84f82a353205006421f82cc104e
sha256sum unbound-1.6.5.tar.gz
tar xzf unbound-1.6.5.tar.gz
cd unbound-1.6.5/
./configure --with-libevent
make
sudo make install

Create a system user for Unbound to drop its privileges to,

as root

useradd -r unbound
grep unbound /etc/passwd
grep unbound /etc/group

Configuration

as root

Generate the TLS key files for the unbound-control tool to work,

unbound-control-setup
ls -lhF /usr/local/etc/unbound/unbound*.{key,pem}

Check how many cores you have got,

grep ^processor /proc/cpuinfo

Set up the caching name server,

cd /etc/
ln -s /usr/local/etc/unbound
cd /usr/local/etc/unbound/
wget https://www.internic.net/domain/named.cache
cp -pi unbound.conf unbound.conf.dist
grep -Ev '^[[:space:]]*(#|$)' unbound.conf > unbound.conf.dist.clean
vi unbound.conf

server:
        verbosity: 2
        num-threads: 1
        interface: 0.0.0.0
        interface: ::0
        access-control: 0.0.0.0/0 allow_snoop
        access-control: ::/0 allow_snoop
        pidfile: "/var/run/unbound.pid"
        root-hints: "named.cache"
        hide-identity: yes
        hide-version: yes
        do-not-query-localhost: no
        rrset-roundrobin: yes
python:
remote-control:
        control-enable: yes
stub-zone:
        name: "stdpierre.os3.site"
        stub-addr: ::1@54
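As an added example that is not part of the original page: a small POSIX sh audit function (a hypothetical helper, not an Unbound tool) that reads an unbound.conf and flags the settings a reviewer would question before exposing the resolver. With the access-control lines above, every address on the Internet is allowed to query (and to snoop the cache), which makes this an open resolver; restrict those lines to the networks that should actually use it.

```shell
#!/bin/sh
# Added example, not from the original page. Audits an unbound.conf for
# settings that expose the resolver. Returns the number of findings
# (0 = nothing flagged), so it can gate a "unbound-control reload".
audit_unbound_conf() {
    conf="$1"
    findings=0
    # Strip comments and blank lines, as the page's grep -Ev pattern does.
    clean=$(grep -Ev '^[[:space:]]*(#|$)' "$conf" || true)

    # An access-control line that allows 0.0.0.0/0 or ::/0 makes the
    # server an open resolver reachable from anywhere.
    if printf '%s\n' "$clean" | grep -Eq \
        'access-control:[[:space:]]+(0\.0\.0\.0/0|::/0)[[:space:]]+allow(_snoop)?'; then
        echo "FINDING: access-control allows queries from any address (open resolver)"
        findings=$((findings + 1))
    fi

    # allow_snoop lets the listed networks probe the cache with
    # non-recursive queries; plain "allow" is enough for normal clients.
    if printf '%s\n' "$clean" | grep -Eq 'access-control:.*allow_snoop'; then
        echo "FINDING: allow_snoop permits cache snooping"
        findings=$((findings + 1))
    fi

    # hide-identity and hide-version should both be "yes".
    for opt in hide-identity hide-version; do
        if ! printf '%s\n' "$clean" | grep -Eq "^[[:space:]]*$opt:[[:space:]]+yes"; then
            echo "FINDING: $opt is not set to yes"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Usage: sh audit_unbound.sh /usr/local/etc/unbound/unbound.conf
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    audit_unbound_conf "$1"
fi
```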

Operations

as root

Always watch the logs in another window,

tail -F /var/log/syslog

Check the configuration,

unbound-checkconf /usr/local/etc/unbound/unbound.conf

Run the daemon,

unbound-control start

Check the status and whether port 53 is in use,

unbound-control status
ls -alhF /var/run/unbound.pid
cat /var/run/unbound.pid
ps auxfw | grep ^unbound
netstat -antupe --inet --inet6 | grep -E ':53[[:space:]]'

To load the configuration changes,

unbound-control reload

Even if you are not using NetworkManager, you still have to tweak the Debian-style network configuration to take control of the resolver settings without brutally disabling resolvconf:

cd /etc/network/interfaces.d/
cp -pi 50-cloud-init.cfg 50-cloud-init.cfg.dist
vi 50-cloud-init.cfg

auto eth0
iface eth0 inet dhcp
       dns-nameserver ::1
       #dns-nameserver 172.31.0.2
       dns-search stdpierre.os3.site us-east-2.compute.internal

systemctl restart networking

Acceptance

Testing local-zone,

host localhost localhost
host 127.0.0.1 localhost

Testing cached public zone,

host mx.nethence.com localhost
host 62.210.110.7 localhost

Testing cached stub-zone,

host stdpierre.os3.site localhost

Troubleshooting

If the Unbound service is listening but refuses to answer queries, fix the access-control: entries as shown in the configuration above.
