[ what i sent around internally, in case it is of help to others ]

Replacing BIND with Unbound on FreeBSD
2008.04.11

Unbound is a validating, recursive, and caching DNS resolver. It is
designed to be highly scalable and tunable for large ISP deployment.
The C implementation of Unbound is developed and maintained by NLnet
Labs. The source code is under a BSD License.

Here is how I have installed it on a few servers.

o Fetch unbound sources from <http://unbound.net/>

o gmake, and gmake install. They will not step on anything, so this
  is safe

o adduser to create account and group unbound:unbound

o Edit /etc/syslog.conf to add

    !unbound
    *.*                                             /var/log/named

  Make sure there is a usable logfile.

    # touch /var/log/named
    # chown unbound:unbound /var/log/named
    # /etc/rc.d/syslogd restart

  And be sure your /etc/newsyslog.conf has /var/log/named in it. My
  entry in /etc/newsyslog.conf looks like

    # logfilename          [owner:group]    mode count size when  flags
    /var/log/named         unbound:unbound  600  3    *    24    Z

o Edit /etc/unbound/unbound.conf to taste. I hacked as follows:

--- unbound.conf~	2008-04-11 02:28:45.000000000 +0000
+++ unbound.conf	2008-04-11 03:33:50.000000000 +0000
@@ -17,7 +17,7 @@
 	# print statistics to the log (for every thread) every N seconds.
 	# Set to "" or 0 to disable. Default is disabled.
-	# statistics-interval: 0
+	statistics-interval: 3600
 
 	# number of threads to create. 1 disables threading.
 	# num-threads: 1
 
@@ -30,6 +30,8 @@
 	# interface: 192.0.2.153
 	# interface: 192.0.2.154
 	# interface: 2001:DB8::5
+	interface: 0.0.0.0
+	interface: ::0
 
 	# enable this feature to copy the source address of queries to reply.
 	# Socket options not be supported on all platforms. experimental.
@@ -133,6 +135,11 @@
 	# access-control: ::0/0 refuse
 	# access-control: ::1 allow
 	# access-control: ::ffff:127.0.0.1 allow
+	access-control: 0.0.0.0/0 allow
+	access-control: 127.0.0.0/8 allow
+	access-control: ::0/0 allow
+	access-control: ::1 allow
+	access-control: ::ffff:127.0.0.1 allow
 
 	# if given, a chroot(2) is done to the given directory.
 	# i.e. you can chroot to the working directory, for example,
@@ -143,7 +150,7 @@
 	# if given, user privileges are dropped (after binding port),
 	# and the given username is assumed. Default is user "unbound".
 	# If you give "" no privileges are dropped.
-	# username: "unbound"
+	username: "unbound"
 
 	# the working directory.
 	# directory: "/etc/unbound"
@@ -154,14 +161,14 @@
 	# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
 	# log to, with identity "unbound". If yes, it overrides the logfile.
-	# use-syslog: yes
+	use-syslog: yes
 
 	# the pid file.
 	# pidfile: "/etc/unbound/unbound.pid"
 
 	# file to read root hints from.
 	# get one from ftp://FTP.INTERNIC.NET/domain/named.cache
-	# root-hints: ""
+	root-hints: "root.ca"
 
 	# enable to not answer id.server and hostname.bind queries.
 	# hide-identity: no
 

o Get a root hints file and put it in /etc/unbound. From very old
  habits, i called it root.ca, but call it anything just so the name
  matches what you have in /etc/unbound/unbound.conf.

o # chown -R unbound:unbound /etc/unbound

o In /etc/rc.conf, comment out

    #named_enable=YES      # Run named, the DNS server (or NO).

  And add

    unbound_enable=YES

o Copy the boot-time startup script

    # cp ${builddir}/contrib/rc_d_unbound /usr/local/etc/rc.d/unbound

o Kill the running copy of BIND

o Run it!

    # /usr/local/etc/rc.d/unbound start

-30-
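Review bot: in the hunk at @@ -30,6 +30,8 @@, `interface: 0.0.0.0` and `interface: ::0` bind the listener to every address on the host, so whatever the access-control hunk further down permits is reachable on external interfaces as well as internal ones. If this box is meant to serve only the site's own clients, listing those addresses explicitly (the form the commented `interface: 192.0.2.153` examples show) is the safer choice than the wildcard.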
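Review bot: in the hunk at @@ -133,6 +135,11 @@, `access-control: 0.0.0.0/0 allow` and `access-control: ::0/0 allow` grant recursion to every client on the Internet, which turns this into an open resolver that others can use as a reflector against third parties and that exposes its cache to anyone. Keep the stock `access-control: 0.0.0.0/0 refuse` and `access-control: ::0/0 refuse` lines active and add `allow` entries only for your own prefixes; once 0/0 is allowed, the narrower `127.0.0.0/8`, `::1` and `::ffff:127.0.0.1` allow lines below it are redundant anyway.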
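Review bot: in the hunk at @@ -143,7 +150,7 @@, `username: "unbound"` is already the documented default (the context line two above says so), so uncommenting it changes nothing, while the `chroot` directive in the preceding context is left commented. Note that the later `chown -R unbound:unbound /etc/unbound` step gives the very user the daemon drops to ownership of its own configuration; unbound only needs read access to unbound.conf and root.ca, so root ownership with group-read for unbound is tighter. Whatever you settle on, run `unbound-checkconf` on the result before restarting.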
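Review bot: in the hunk at @@ -154,14 +161,14 @@, `root-hints: "root.ca"` is a relative path, resolved against the working `directory` (default "/etc/unbound" per the earlier context), which is consistent with the later step that drops root.ca there; the file goes stale as root server addresses change, so schedule a periodic refresh from the named.cache URL named in the comment. `use-syslog: yes` logs to LOG_DAEMON with identity "unbound", which is what the `!unbound` selector added to syslog.conf keys on, so those two halves agree.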
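The access-control edit is the security-relevant part of this install, so here is an added example, not from the original post, that audits an unbound.conf for the open-resolver combination of a wildcard `interface:` plus an `access-control: ... allow` covering all of IPv4 or IPv6. It assumes the one-directive-per-line layout of the stock unbound.conf. Both sample configs are constructed inline: one with the post's settings, one with the stock refuse-then-allow pattern, using the documentation prefixes 192.0.2.0/24 and 2001:db8::/32 as stand-ins for a site's real ranges.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an unbound.conf for the
# open-resolver combination (wildcard listener + allow for the whole address space).
# Assumes the "key: value", one directive per line layout of the stock unbound.conf.

# Print only active directives: strip comments, surrounding whitespace, blank lines.
active_directives() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Print 1 if the config binds a wildcard address (0.0.0.0, :: or ::0), else 0.
listens_on_wildcard() {
    if active_directives "$1" | grep -Eq '^interface:[[:space:]]*(0\.0\.0\.0|::0?)$'; then
        echo 1
    else
        echo 0
    fi
}

# Print 1 if any access-control line allows all of IPv4 or all of IPv6, else 0.
# allow_snoop is treated like allow: it also opens recursion to that range.
allows_everyone() {
    if active_directives "$1" | grep -Eq '^access-control:[[:space:]]*(0\.0\.0\.0/0|::0?/0)[[:space:]]+allow(_snoop)?$'; then
        echo 1
    else
        echo 0
    fi
}

# Return 0 when recursion is restricted, 1 when both open-resolver conditions hold.
audit_unbound_conf() {
    if [ "$(listens_on_wildcard "$1")" = 1 ] && [ "$(allows_everyone "$1")" = 1 ]; then
        echo "OPEN RESOLVER: $1 binds every address and allows recursion from any client" >&2
        return 1
    fi
    echo "ok: $1 restricts recursion to listed clients"
    return 0
}

# Constructed sample 1: the settings from the post.
POST_CONF="${TMPDIR:-/tmp}/unbound-audit-post.$$.conf"
cat > "$POST_CONF" <<'EOF'
server:
    interface: 0.0.0.0
    interface: ::0
    access-control: 0.0.0.0/0 allow
    access-control: 127.0.0.0/8 allow
    access-control: ::0/0 allow
    use-syslog: yes
    root-hints: "root.ca"
EOF

# Constructed sample 2: same listeners, default-deny, then only the site's own prefixes
# (192.0.2.0/24 and 2001:db8::/32 are documentation prefixes standing in for real ones).
HARDENED_CONF="${TMPDIR:-/tmp}/unbound-audit-hardened.$$.conf"
cat > "$HARDENED_CONF" <<'EOF'
server:
    interface: 0.0.0.0
    interface: ::0
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 192.0.2.0/24 allow
    access-control: 2001:db8::/32 allow
EOF
trap 'rm -f "$POST_CONF" "$HARDENED_CONF"' EXIT

# Usage: run the audit on both samples; the exit status carries the verdict.
audit_unbound_conf "$POST_CONF" || true
audit_unbound_conf "$HARDENED_CONF"
```

Point `audit_unbound_conf` at a real /etc/unbound/unbound.conf to get the same verdict; it only looks at the two directives, so a host protected purely by a packet filter in front of a wildcard listener will still be flagged, which is the conservative result you want from a config-level check.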