
Setting up Unbound from scratch

on Ubuntu Server 16.04


as root

Note. If NetworkManager is up and running, consider disabling it, or at least disable dnsmasq.

Install a few required libraries,

apt install libevent-dev libexpat1-dev

Note. libevent is optional, but as stated in the README it may be useful when using many outgoing ports (1000+). Enable it with --with-libevent at compilation time.

Package description (apt show libevent-dev) says,

Description: Asynchronous event notification library (development files)
 Libevent is an asynchronous event notification library that provides a
 mechanism to execute a callback function when a specific event occurs
 on a file descriptor or after a timeout has been reached.
 This package includes development files for compiling against libevent.


as user

Fetch the latest version of Unbound and compile it,

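# Expected SHA256 checksum (compare with the sha256sum output before unpacking):
# e297aa1229015f25bf24e4923cb1dadf1f29b84f82a353205006421f82cc104e
sha256sum unbound-1.6.5.tar.gz
tar xzf unbound-1.6.5.tar.gz
cd unbound-1.6.5/
./configure --with-libevent
# build as the unprivileged user, install as root
make
sudo make install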

Create a system user for Unbound to drop its privileges to,

as root

useradd -r unbound
grep unbound /etc/passwd
grep unbound /etc/group


as root

Generate the TLS key files for the unbound-control tool to work,

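# unbound-control-setup ships with Unbound and writes the server and control key/certificate pairs
unbound-control-setup
ls -lhF /usr/local/etc/unbound/unbound*.{key,pem}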

Check how many cores you have got,

grep ^processor /proc/cpuinfo

Set up the caching name server,

cd /etc/
ln -s /usr/local/etc/unbound
cd /usr/local/etc/unbound/
cp -pi unbound.conf unbound.conf.dist
grep -Ev '^[[:space:]]*(#|$)' unbound.conf > unbound.conf.dist.clean
vi unbound.conf

        verbosity: 2
        num-threads: 1
        interface: ::0
        access-control: allow_snoop
        access-control: ::/0 allow_snoop
        pidfile: "/var/run/"
        root-hints: "named.cache"
        hide-identity: yes
        hide-version: yes
        do-not-query-localhost: no
        rrset-roundrobin: yes
        control-enable: yes
        name: ""
        stub-addr: ::1@54


as root

Always watch the logs in another window,

tail -F /var/log/syslog

Check the configuration,

unbound-checkconf /usr/local/etc/unbound/unbound.conf

Run the daemon,

unbound-control start

Check the status and see if port 53 is used,

unbound-control status
ls -alhF /var/run/
cat /var/run/
ps auxfw | grep ^unbound
netstat -antupe --inet --inet6 | grep -E ':53[[:space:]]'

To load the configuration changes,

unbound-control reload

Even if you are not using NetworkManager, you still have to tweak the Debian-style network configuration to take control of the resolver settings without brutally disabling resolvconf:

cd /etc/network/interfaces.d/
cp -pi 50-cloud-init.cfg 50-cloud-init.cfg.dist
vi 50-cloud-init.cfg

auto eth0
iface eth0 inet dhcp
       dns-nameserver ::1
       dns-search us-east-2.compute.internal

systemctl restart networking


Testing local-zone,

host localhost localhost
host localhost

Testing cached public zone,

host localhost
host localhost

Testing cached stub-zone,

host localhost


If the Unbound service is listening but refusing to answer queries, fix access-control: as shown in the example above.
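The configuration above grants allow_snoop to ::/0, which gives recursive and non-recursive (cache-inspecting) access to any source that can reach port 53. The check below is an added example, not part of the original page: it flags such rules in an unbound.conf, and the sample netblocks and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: flag access-control rules in an
# unbound.conf that hand recursion or cache snooping to every source address.

# audit_access_control FILE: print one finding per risky rule; return 1 if any.
audit_access_control() {
    awk '
    { sub(/#.*/, ""); gsub(/"/, "") }      # strip comments and optional quotes
    $1 == "access-control:" && NF >= 3 {
        net = $2; action = $3
        permits  = (action == "allow" || action == "allow_setrd" || action == "allow_snoop")
        loopback = (net ~ /^127\./ || net ~ /^::1(\/128)?$/)
        if (permits && net ~ /\/0$/) {
            printf "line %d: %s for every address (%s)\n", NR, action, net; bad++
        } else if (action == "allow_snoop" && !loopback) {
            printf "line %d: allow_snoop beyond loopback (%s)\n", NR, net; bad++
        }
    }
    END { exit (bad > 0) }' "$1"
}

# Constructed sample input; the netblocks are assumptions for illustration.
write_sample_conf() {
    cat > "$1" <<'EOF'
server:
        interface: ::0
        access-control: ::/0 allow_snoop      # world-open, as on this page
        access-control: 0.0.0.0/0 refuse
        access-control: 127.0.0.0/8 allow_snoop
        access-control: 192.0.2.0/24 allow    # documentation prefix, clients
        access-control: 2001:db8::/32 allow_snoop
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
if audit_access_control "$sample"; then
    echo "no world-open rules"
else
    echo "review the rules listed above"
fi
rm -f "$sample"
```

Run it against the real file with audit_access_control /usr/local/etc/unbound/unbound.conf; a non-zero return means at least one rule should be narrowed to the client netblocks that actually need the resolver.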

