Saturday, May 8, 2010

Unbound DNS

Set up Unbound (a validating, recursive, caching DNS resolver) recently, and was surprised by how quick it was to set up.
Quite like it so far: it seems fairly lightweight (compared to BIND), and the config is straightforward.

After installing, the full config is:
server:
    trusted-keys-file: "/etc/pki/dnssec-keys//production/reverse/*.conf"
    trusted-keys-file: "/etc/pki/dnssec-keys//production/*.conf"
    verbosity: 1
    statistics-interval: 0
    statistics-cumulative: no
    extended-statistics: yes
    num-threads: 2
    interface: 0.0.0.0
    interface: ::0
    interface-automatic: yes
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: ::ffff:127.0.0.1 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    chroot: ""
    username: "unbound"
    directory: "/etc/unbound"
    pidfile: "/var/run/unbound/unbound.pid"
    root-hints: "/etc/unbound/named.cache"
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-referral-path: yes
    use-caps-for-id: yes
    private-address: 10.1.0.0/24
    private-address: 192.168.10.0/24
    private-address: 192.168.20.0/24
    private-address: fd00::/8
    private-address: fe80::/10
    private-domain: "initd.net"
    unwanted-reply-threshold: 10000000
    dlv-anchor-file: "/etc/unbound/dlv.isc.org.key"
    val-clean-additional: yes
    val-permissive-mode: no
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-interface: ::1
    control-port: 953
    server-key-file: "/etc/unbound/unbound_server.key"
    server-cert-file: "/etc/unbound/unbound_server.pem"
    control-key-file: "/etc/unbound/unbound_control.key"
    control-cert-file: "/etc/unbound/unbound_control.pem"

Note: be sure to add your allowed client IP ranges to the access-control section; anything not explicitly allowed is refused by the 0.0.0.0/0 and ::0/0 entries.
private-domain lists the domains for which RFC 1918 (private) addresses are allowed in answers.

Once this is done, you just need to run:
unbound-control-setup
to generate the keys and certificates that allow control via unbound-control, then add a weekly or monthly cron job to refresh the root hints:
wget -q ftp://FTP.INTERNIC.NET/domain/named.cache -O /etc/unbound/named.cache
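The cron job above overwrites the live hints file in place, so a failed or truncated download leaves Unbound with an empty or partial named.cache. As an added example that is not from the original post, a safer refresh script that downloads to a temp file, sanity-checks it and only then swaps it in; the URL and path are the post's, while the validation thresholds and the reload step are assumptions.

```bash
#!/bin/sh
# Added example, not from the original post. The post's cron job writes
# straight to the live file with "wget -O", so a failed or truncated
# download leaves Unbound with an empty or partial root-hints file.
# This version fetches to a temp file, sanity-checks it, then replaces
# the live copy atomically. URL and path are the post's; the check
# thresholds and the "unbound-control reload" step are assumptions.
HINTS_URL="ftp://FTP.INTERNIC.NET/domain/named.cache"
HINTS_FILE="/etc/unbound/named.cache"

# validate_hints FILE: succeed only if FILE looks like a usable root hints
# file: non-empty, at least 10 NS records for "." (the real file has 13),
# and an A or AAAA glue record for every name those NS records point at.
validate_hints() {
    f="$1"
    [ -s "$f" ] || return 1
    ns_re='^\.[[:space:]]+[0-9]+[[:space:]]+NS[[:space:]]'
    ns_count=$(grep -ciE "$ns_re" "$f" || true)
    [ "$ns_count" -ge 10 ] || return 1
    # The while loop runs in a subshell; "exit 1" there makes the pipeline,
    # and therefore this function, return failure on the first missing glue.
    grep -iE "$ns_re" "$f" | awk '{print $4}' | while read -r target; do
        grep -qiE "^${target}[[:space:]]+[0-9]+[[:space:]]+(A|AAAA)[[:space:]]" "$f" \
            || exit 1
    done
}

# update_hints: download to a temp file beside the live copy, validate it,
# then rename over the old file (atomic on the same filesystem) and make
# Unbound re-read it. Needs network access and write access to the path.
update_hints() {
    tmp=$(mktemp "${HINTS_FILE}.XXXXXX") || return 1
    if wget -q "$HINTS_URL" -O "$tmp" && validate_hints "$tmp"; then
        chmod 644 "$tmp"
        mv -f "$tmp" "$HINTS_FILE"
        unbound-control reload
    else
        rm -f "$tmp"
        echo "root hints refresh failed; keeping existing $HINTS_FILE" >&2
        return 1
    fi
}

# Only fetch when invoked as "update" (e.g. from cron), so the functions
# above can be sourced and tested without network access.
if [ "${1:-}" = "update" ]; then
    update_hints
fi
```

Point the cron entry at `this-script.sh update`; a bad download is logged and the previous hints file stays in place.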
