How to configure Unbound on Ubuntu 11.10

Unbound is an implementation of a DNS resolver that does caching and DNSSEC validation. It is written and maintained by NLnet Labs. It is recursive and caching, so if you need an authoritative DNS nameserver please consider using NSD and reading my article "How to configure master and slave NSD on Ubuntu 11.10".

I'm going to lead you through an easy step-by-step guide: install, configure and run Unbound in a chrooted environment.

[Jan Piet Mens @digdns suggests:
Tired of issuing sudo?
With the command sudo -i you open a bash shell as root, so…]

Ubuntu already has an Unbound package:
sudo apt-get install unbound

Make a copy of the original unbound.conf:
sudo cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.ORIG

Copy the sample configuration into /etc/unbound:
sudo cp /usr/share/doc/unbound/examples/unbound.conf /etc/unbound/

Now let's go through the configuration file:
sudo vi /etc/unbound/unbound.conf

Uncomment the line (use plain ASCII double quotes, Unbound does not accept typographic ones):
chroot: "/etc/unbound"

Edit more lines:
interface: 0.0.0.0
pidfile: "/etc/unbound/var/run/unbound.pid"
root-hints: "/etc/unbound/named.cache"
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: ::1 allow
access-control: ::ffff:127.0.0.1 allow

Here you should add a line so that Unbound also answers queries from your local network, for example:
access-control: 192.0.2.0/24 allow

Save unbound.conf and retrieve named.cache from InterNIC, then create the directory layout Unbound needs inside the chroot:

wget -4 ftp://ftp.internic.net/domain/named.cache
sudo mv named.cache /etc/unbound/
sudo mkdir -p /etc/unbound/var/run
sudo mkdir /etc/unbound/dev
sudo mkdir /etc/unbound/var/lib
sudo touch /etc/unbound/dev/log
sudo touch /etc/unbound/dev/random
sudo cp /var/lib/unbound/root.key /etc/unbound/var/lib/

Fix the ownership and then bind-mount /dev/log and /dev/random into the chroot:

sudo chown -R unbound:unbound /etc/unbound
sudo mount --bind -n /dev/log /etc/unbound/dev/log
sudo mount --bind -n /dev/random /etc/unbound/dev/random

Create a script that mounts /dev/log and /dev/random into the chroot each time Ubuntu restarts:
sudo vi /etc/init.d/unbound_dev_chroot

Paste the following lines and save (the shebang makes the file a valid shell script):

#!/bin/sh
mount --bind -n /dev/log /etc/unbound/dev/log
mount --bind -n /dev/random /etc/unbound/dev/random

Make the script executable:
sudo chmod +x /etc/init.d/unbound_dev_chroot

Make it execute whenever Ubuntu starts:
sudo update-rc.d unbound_dev_chroot defaults

Restart Unbound:

sudo unbound-control stop
sudo unbound-control start
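
The manual steps above, gathered into one idempotent script as an added example (my code, not from the original post or from the Unbound project): it builds the chroot layout, bind-mounts the devices only if they are not already mounted (so rerunning it does not stack mounts), checks that the access-control lines still refuse the world by default, and validates the config with unbound-checkconf. It assumes the article's paths and the unbound:unbound user, and unlike the article it gives the daemon user only the var/ subtree rather than all of /etc/unbound, so unbound.conf itself stays root-owned.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent chroot setup for
# Unbound plus an access-control audit. Paths follow the article; the chroot
# directory is a parameter so the functions can be exercised without root.

# Create the directories and bind-mount targets Unbound needs in the chroot.
prepare_chroot() {
    root="$1"
    mkdir -p "$root/var/run" "$root/var/lib" "$root/dev" || return 1
    # Empty regular files: mount --bind needs an existing target for
    # /dev/log and /dev/random.
    : > "$root/dev/log"
    : > "$root/dev/random"
    # DNSSEC trust anchor, copied only when the host already has it.
    if [ -f /var/lib/unbound/root.key ]; then
        cp /var/lib/unbound/root.key "$root/var/lib/"
    fi
}

# Bind-mount a host device into the chroot unless it is already mounted, so
# a rerun from the init script does not stack identical mounts. Needs root.
bind_dev() {
    src="$1"; dst="$2"
    grep -qs " $dst " /proc/mounts && return 0
    mount --bind -n "$src" "$dst"
}

# Return 0 when the config keeps the article's explicit "refuse everyone"
# default and never allows a catch-all network; return 1 otherwise, since
# allowing 0.0.0.0/0 or ::/0 would turn this into an open resolver.
audit_access_control() {
    conf="$1"
    if grep -Eq '^[[:space:]]*access-control:[[:space:]]*(0\.0\.0\.0/0|::/0)[[:space:]]+allow' "$conf"; then
        return 1
    fi
    grep -Eq '^[[:space:]]*access-control:[[:space:]]*0\.0\.0\.0/0[[:space:]]+refuse' "$conf"
}

# Run as root with --apply to set up /etc/unbound and validate the config.
if [ "${1:-}" = "--apply" ]; then
    prepare_chroot /etc/unbound
    # Only the state directory has to be writable by the daemon user.
    chown -R unbound:unbound /etc/unbound/var
    bind_dev /dev/log /etc/unbound/dev/log
    bind_dev /dev/random /etc/unbound/dev/random
    audit_access_control /etc/unbound/unbound.conf || echo "WARNING: access-control allows the whole Internet" >&2
    unbound-checkconf /etc/unbound/unbound.conf
fi
```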

Verify the daemon is running and listening on port 53:
sudo netstat -antup|grep ':53'
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 3548/unbound
udp 0 0 0.0.0.0:53 0.0.0.0:* 3548/unbound

Now query Unbound:
dig @localhost -t A gnu.org

; <<>> DiG 9.7.3 <<>> @localhost -t A gnu.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<-
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 6

;; QUESTION SECTION:
;gnu.org. IN A

;; ANSWER SECTION:
gnu.org. 300 IN A 208.118.235.148

;; AUTHORITY SECTION:
gnu.org. 300 IN NS ns1.gnu.org.
gnu.org. 300 IN NS ns2.gnu.org.
gnu.org. 300 IN NS ns4.gnu.org.
gnu.org. 300 IN NS ns3.gnu.org.

;; ADDITIONAL SECTION:
ns1.gnu.org. 300 IN A 208.118.235.164
ns1.gnu.org. 300 IN AAAA 2001:4830:134:3::f
ns2.gnu.org. 300 IN A 87.98.253.102
ns3.gnu.org. 300 IN A 46.43.37.70
ns3.gnu.org. 300 IN AAAA 2001:41c8:20:2d3:216:3eff:febd:2c6d
ns4.gnu.org. 300 IN A 208.70.31.125

;; Query time: 3949 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 14 23:11:37 2012
;; MSG SIZE rcvd: 233

This is a quick start to get Unbound working with a minimal setup. You are encouraged to read the manual for the remaining options:
man 5 unbound.conf

How to configure Unbound on Ubuntu 11.10 by Antonio Prado is licensed under a Creative Commons Attribution-ShareAlike 4.0 International