Unbound is a caching, DNSSEC-validating DNS resolver, written and maintained by NLnet Labs. It is a recursive, caching resolver only, so if you need an authoritative DNS nameserver please consider using NSD and reading my article “How to configure master and slave NSD on Ubuntu 11.10”.
I’m going to lead you through an easy step-by-step guide: install, configure and run Unbound in a chrooted environment.
[Jan Piet Mens @digdns suggests:
Tired of issuing sudo?
By the command sudo -i
you open a bash shell as root so…]
Ubuntu already has its Unbound package.
sudo apt-get install unbound
Make a copy of original unbound.conf
sudo cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.ORIG
Copy a sample configuration in /etc/unbound
sudo cp /usr/share/doc/unbound/examples/unbound.conf /etc/unbound/
Now let’s go through the configuration file:
sudo vi /etc/unbound/unbound.conf
Uncomment the line
chroot: "/etc/unbound"
Edit these lines as well:
interface: 0.0.0.0
pidfile: "/etc/unbound/var/run/unbound.pid"
root-hints: "/etc/unbound/named.cache"
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: ::1 allow
access-control: ::ffff:127.0.0.1 allow
Here you should add a line so that Unbound also answers queries from your local network, for example:
access-control: 192.0.2.0/24 allow
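Before restarting the daemon it is worth checking that the access-control lines above do what you expect. The following Python is an added example (not part of this how-to and not Unbound's own code): it extracts the access-control lines from a config and applies Unbound's documented rule, the most specific matching netblock wins and a client matching nothing is refused. The config text and client addresses are constructed for the example.

```python
"""Evaluate Unbound access-control rules the way the resolver does:
longest-prefix match decides, and unmatched clients get the default 'refuse'."""
import ipaddress
import re

# Constructed sample: the access-control block from this how-to.
SAMPLE_CONF = """
server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: ::ffff:127.0.0.1 allow
    access-control: 192.0.2.0/24 allow   # the local network
"""

AC_RE = re.compile(r"^\s*access-control:\s*(\S+)\s+(\S+)")


def parse_access_control(conf_text):
    """Return a list of (network, action) tuples; other options are ignored."""
    rules = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        m = AC_RE.match(line)
        if m:
            # A bare address such as ::1 becomes a host netblock (/32 or /128).
            net = ipaddress.ip_network(m.group(1), strict=False)
            rules.append((net, m.group(2)))
    return rules


def action_for(rules, client_ip, default="refuse"):
    """Action Unbound applies to client_ip: the longest matching prefix wins."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for net, action in rules:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    return best[1] if best else default


def is_open_resolver(rules):
    """True if a catch-all netblock (/0) allows recursion to anyone."""
    return any(net.prefixlen == 0 and action in ("allow", "allow_snoop")
               for net, action in rules)
```

Feed it your real /etc/unbound/unbound.conf and a few addresses from outside your network to confirm they are refused.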
Save unbound.conf and retrieve named.cache (the root hints file) from InterNIC:
wget -4 ftp://ftp.internic.net/domain/named.cache
sudo mv named.cache /etc/unbound/
sudo mkdir -p /etc/unbound/var/run
sudo mkdir /etc/unbound/dev
sudo mkdir /etc/unbound/var/lib
sudo touch /etc/unbound/dev/log
sudo touch /etc/unbound/dev/random
sudo cp /var/lib/unbound/root.key /etc/unbound/var/lib/
Fix the owner and then mount /dev/random and /dev/log:
sudo chown -R unbound:unbound /etc/unbound
sudo mount --bind -n /dev/log /etc/unbound/dev/log
sudo mount --bind -n /dev/random /etc/unbound/dev/random
Create a script that mounts /dev/log and /dev/random into the chroot each time Ubuntu restarts:
sudo vi /etc/init.d/unbound_dev_chroot
Paste the following lines and save:
#!/bin/sh
# Bind-mount the syslog socket and the random device into the Unbound chroot
mount --bind -n /dev/log /etc/unbound/dev/log
mount --bind -n /dev/random /etc/unbound/dev/random
Make the script executable:
sudo chmod +x /etc/init.d/unbound_dev_chroot
Make it execute whenever Ubuntu starts:
sudo update-rc.d unbound_dev_chroot defaults
Restart Unbound:
sudo unbound-control stop
sudo unbound-control start
Verify the daemon is running and listening on port 53:
sudo netstat -antup|grep ':53'
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 3548/unbound
udp 0 0 0.0.0.0:53 0.0.0.0:* 3548/unbound
Now query Unbound:
dig @localhost -t A gnu.org
; <<>> DiG 9.7.3 <<>> @localhost -t A gnu.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<-
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 6
;; QUESTION SECTION:
;gnu.org. IN A
;; ANSWER SECTION:
gnu.org. 300 IN A 208.118.235.148
;; AUTHORITY SECTION:
gnu.org. 300 IN NS ns1.gnu.org.
gnu.org. 300 IN NS ns2.gnu.org.
gnu.org. 300 IN NS ns4.gnu.org.
gnu.org. 300 IN NS ns3.gnu.org.
;; ADDITIONAL SECTION:
ns1.gnu.org. 300 IN A 208.118.235.164
ns1.gnu.org. 300 IN AAAA 2001:4830:134:3::f
ns2.gnu.org. 300 IN A 87.98.253.102
ns3.gnu.org. 300 IN A 46.43.37.70
ns3.gnu.org. 300 IN AAAA 2001:41c8:20:2d3:216:3eff:febd:2c6d
ns4.gnu.org. 300 IN A 208.70.31.125
;; Query time: 3949 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 14 23:11:37 2012
;; MSG SIZE rcvd: 233
This is a quick start to get Unbound working with a minimal setup. You are encouraged to read the manual:
man 5 unbound.conf