Maintained by: NLnet Labs

[Unbound-users] Replacing BIND with Unbound on FreeBSD 2008.04.11

Randy Bush
Fri Apr 11 10:26:18 CEST 2008


[ what i sent around internally, in case it is of help to others ]

Replacing BIND with Unbound on FreeBSD  2008.04.11

Unbound is a validating, recursive, and caching DNS resolver.  It is
designed to be highly scalable and tunable for large ISP deployment.
The C implementation of Unbound is developed and maintained by NLnet
Labs.  The source code is under a BSD License.

Here is how I have installed it on a few servers.

 o Fetch unbound sources from <http://unbound.net/>

 o gmake, and gmake install.  They will not step on anything, so
   this is safe

 o adduser to create account and group unbound:unbound

 o Edit /etc/syslog.conf to add

     !unbound
     *.*              /var/log/named

   Make sure there is a usable logfile.

     # touch  /var/log/named
     # chown unbound:unbound  /var/log/named
     # /etc/rc.d/syslogd restart

   And be sure your /etc/newsyslog.conf has /var/log/named in it.  My
   entry in /etc/newsyslog.conf looks like

     # logfilename   [owner:group]  mode count size when  flags
     /var/log/named  unbound:unbound 600  3     *    24      Z


 o Edit /etc/unbound/unbound.conf to taste.  I hacked as follows:

   --- unbound.conf~       2008-04-11 02:28:45.000000000 +0000
   +++ unbound.conf        2008-04-11 03:33:50.000000000 +0000
   @@ -17,7 +17,7 @@

	   # print statistics to the log (for every thread) every N seconds.
	   # Set to "" or 0 to disable. Default is disabled.
   -       # statistics-interval: 0
   +       statistics-interval: 3600

	   # number of threads to create. 1 disables threading.
	   # num-threads: 1
   @@ -30,6 +30,8 @@
	   # interface: 192.0.2.153
	   # interface: 192.0.2.154
	   # interface: 2001:DB8::5
   +       interface: 0.0.0.0
   +       interface: ::0

	   # enable this feature to copy the source address of queries to reply.
	   # Socket options not be supported on all platforms. experimental.
   @@ -133,6 +135,11 @@
	   # access-control: ::0/0 refuse
	   # access-control: ::1 allow
	   # access-control: ::ffff:127.0.0.1 allow
   +       access-control: 0.0.0.0/0 allow
   +       access-control: 127.0.0.0/8 allow
   +       access-control: ::0/0 allow
   +       access-control: ::1 allow
   +       access-control: ::ffff:127.0.0.1 allow

	   # if given, a chroot(2) is done to the given directory.
	   # i.e. you can chroot to the working directory, for example,
   @@ -143,7 +150,7 @@
	   # if given, user privileges are dropped (after binding port),
	   # and the given username is assumed. Default is user "unbound".
	   # If you give "" no privileges are dropped.
   -       # username: "unbound"
   +       username: "unbound"

	   # the working directory.
	   # directory: "/etc/unbound"
   @@ -154,14 +161,14 @@

	   # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
	   # log to, with identity "unbound". If yes, it overrides the logfile.
   -       # use-syslog: yes
   +       use-syslog: yes

	   # the pid file.
	   # pidfile: "/etc/unbound/unbound.pid"

	   # file to read root hints from.
	   # get one from ftp://FTP.INTERNIC.NET/domain/named.cache
   -       # root-hints: ""
   +       root-hints: "root.ca"

	   # enable to not answer id.server and hostname.bind queries.
	   # hide-identity: no

 o Get a root hints file and put it in /etc/unbound.  From very old
   habits, i called it root.ca, but call it anything just so the name
   matches what you have in /etc/unbound/unbound.conf.

 o # chown -R unbound:unbound /etc/unbound

 o In /etc/rc.conf, comment out

     #named_enable=YES          # Run named, the DNS server (or NO).

   And add

     unbound_enable=YES

 o Copy the boot-time startup script

     # cp ${builddir}/contrib/rc_d_unbound /usr/local/etc/rc.d/unbound

 o Kill the running copy of BIND

 o Run it!

   # /usr/local/etc/rc.d/unbound start

-30-