Hi Randy,

Thank you very much for sharing this. I can see it being very useful to other people who want to run unbound.

Couple nits:

o you are running an open resolver in this way. It is discouraged by dnsop-wg from IETF. access-control: 10.0.0.0/8 allow is nicer (if you are running on a local subnet). You can also use a firewall of course.

o you may need to symbolically link /dev/random to /your_chroot/dev/random, so that openssl can get entropy. (or dev/urandom, depending on SSL config)

Best regards,
~ Wouter

Randy Bush wrote:
| [ what I sent around internally, in case it is of help to others ]
|
| Replacing BIND with Unbound on FreeBSD 2008.04.11
|
| Unbound is a validating, recursive, and caching DNS resolver. It is
| designed to be highly scalable and tunable for large ISP deployment.
| The C implementation of Unbound is developed and maintained by NLnet
| Labs. The source code is under a BSD License.
|
| Here is how I have installed it on a few servers.
|
| o Fetch unbound sources from <http://unbound.net/>
|
| o gmake, and gmake install. They will not step on anything, so
|   this is safe
|
| o adduser to create account and group unbound:unbound
|
| o Edit /etc/syslog.conf to add
|
|     !unbound
|     *.*    /var/log/named
|
|   Make sure there is a usable logfile.
|
|     # touch /var/log/named
|     # chown unbound:unbound /var/log/named
|     # /etc/rc.d/syslogd restart
|
|   And be sure your /etc/newsyslog.conf has /var/log/named in it. My
|   entry in /etc/newsyslog.conf looks like
|
|     # logfilename      [owner:group]     mode  count  size  when  flags
|     /var/log/named     unbound:unbound   600   3      *     24    Z
|
| o Edit /etc/unbound/unbound.conf to taste. I hacked as follows:
|
| --- unbound.conf~   2008-04-11 02:28:45.000000000 +0000
| +++ unbound.conf    2008-04-11 03:33:50.000000000 +0000
| @@ -17,7 +17,7 @@
|
|  # print statistics to the log (for every thread) every N seconds.
|  # Set to "" or 0 to disable. Default is disabled.
| - # statistics-interval: 0
| + statistics-interval: 3600
|
|  # number of threads to create. 1 disables threading.
|  # num-threads: 1
| @@ -30,6 +30,8 @@
|  # interface: 192.0.2.153
|  # interface: 192.0.2.154
|  # interface: 2001:DB8::5
| + interface: 0.0.0.0
| + interface: ::0
|
|  # enable this feature to copy the source address of queries to reply.
|  # Socket options not be supported on all platforms. experimental.
| @@ -133,6 +135,11 @@
|  # access-control: ::0/0 refuse
|  # access-control: ::1 allow
|  # access-control: ::ffff:127.0.0.1 allow
| + access-control: 0.0.0.0/0 allow
| + access-control: 127.0.0.0/8 allow
| + access-control: ::0/0 allow
| + access-control: ::1 allow
| + access-control: ::ffff:127.0.0.1 allow
|
|  # if given, a chroot(2) is done to the given directory.
|  # i.e. you can chroot to the working directory, for example,
| @@ -143,7 +150,7 @@
|  # if given, user privileges are dropped (after binding port),
|  # and the given username is assumed. Default is user "unbound".
|  # If you give "" no privileges are dropped.
| - # username: "unbound"
| + username: "unbound"
|
|  # the working directory.
|  # directory: "/etc/unbound"
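Review bot: the two added `interface:` lines (`interface: 0.0.0.0` and `interface: ::0`) bind the resolver to every address the host has, so the access-control section further down becomes the only thing deciding who may query it; if the machine also carries a public address, list the local addresses explicitly in the style of the commented `interface: 192.0.2.153` examples just above, or make sure the access-control rules refuse non-local clients.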
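Review bot: `access-control: 0.0.0.0/0 allow` and `access-control: ::0/0 allow` make this an open recursive resolver, which is the nit Wouter raises at the top of the mail; the commented default `::0/0 refuse` in the context line is the safe setting, so drop the two wildcard allows and list only the local ranges (`access-control: 10.0.0.0/8 allow`, per Wouter's suggestion). With everything allowed, the loopback lines (`127.0.0.0/8`, `::1`, `::ffff:127.0.0.1`) are redundant; they only do useful work once the wildcard is a refuse.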
| @@ -154,14 +161,14 @@
|
|  # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
|  # log to, with identity "unbound". If yes, it overrides the logfile.
| - # use-syslog: yes
| + use-syslog: yes
|
|  # the pid file.
|  # pidfile: "/etc/unbound/unbound.pid"
|
|  # file to read root hints from.
|  # get one from ftp://FTP.INTERNIC.NET/domain/named.cache
| - # root-hints: ""
| + root-hints: "root.ca"
|
|  # enable to not answer id.server and hostname.bind queries.
|  # hide-identity: no
|
| o Get a root hints file and put it in /etc/unbound. From very old
|   habits, I called it root.ca, but call it anything just so the name
|   matches what you have in /etc/unbound/unbound.conf.
|
| o # chown -R unbound:unbound /etc/unbound
|
| o In /etc/rc.conf, comment out
|
|     #named_enable=YES    # Run named, the DNS server (or NO).
|
|   And add
|
|     unbound_enable=YES
|
| o Copy the boot-time startup script
|
|     # cp ${builddir}/contrib/rc_d_unbound /usr/local/etc/rc.d/unbound
|
| o Kill the running copy of BIND
|
| o Run it!
|
|     # /usr/local/etc/rc.d/unbound start
|
| -30-
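Review bot: `root-hints: "root.ca"` is a relative filename, so it is resolved against the working directory (`# directory: "/etc/unbound"` in the previous hunk) and, if the chroot option described above is enabled, the file has to live inside that chroot; the later `chown -R unbound:unbound /etc/unbound` step keeps it readable once `username: "unbound"` drops privileges. `use-syslog: yes` only restates the documented default and is harmless.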
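Wouter's first nit is about the access-control hunk of the diff above. The following check is an added example written for this thread, not Unbound code and not part of Randy's post: it parses the `access-control:` lines of an unbound.conf, applies Unbound's rule that the most specific matching netblock wins (with "refuse" when nothing matches), and reports whether an arbitrary outside client would be granted recursion. The two sample configurations (the lines from the diff as posted, and a variant using Wouter's `10.0.0.0/8 allow`) and the probe addresses 203.0.113.7 and 2001:db8::1 (documentation ranges) are constructed for the example.

```python
"""Open-resolver check for unbound.conf access-control rules.

Added example for this thread, not part of Unbound or of the original post.
It parses the ``access-control:`` lines the quoted diff touches, applies
Unbound's most-specific-netblock rule, and asks what an arbitrary outside
client would get. Sample configs and probe addresses are constructed.
"""
import ipaddress

# Constructed copy of the access-control lines the posted diff adds.
OPEN_CONFIG = """\
server:
    # access-control: ::0/0 refuse
    access-control: 0.0.0.0/0 allow
    access-control: 127.0.0.0/8 allow
    access-control: ::0/0 allow
    access-control: ::1 allow
    access-control: ::ffff:127.0.0.1 allow
"""

# Constructed variant following Wouter's suggestion: only a local subnet
# (and loopback) may recurse; everything else falls back to refuse.
LOCAL_CONFIG = """\
server:
    access-control: 10.0.0.0/8 allow
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: ::ffff:127.0.0.1 allow
"""

# Actions that hand out recursion to the matching client.
PERMISSIVE_ACTIONS = {"allow", "allow_snoop"}

# Documentation-range addresses standing in for "some random Internet host".
OUTSIDE_PROBES = ("203.0.113.7", "2001:db8::1")


def parse_access_control(config_text):
    """Return [(network, action)] for every active access-control line.

    Anything after '#' is a comment, so the commented-out defaults that
    ship in unbound.conf are ignored, just as Unbound itself ignores them.
    """
    rules = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("access-control:"):
            continue
        fields = line[len("access-control:"):].split()
        if len(fields) != 2:
            raise ValueError(f"malformed access-control line: {raw.strip()}")
        netblock, action = fields
        # strict=False accepts a bare address (implicit /32 or /128) and host bits.
        rules.append((ipaddress.ip_network(netblock, strict=False), action.lower()))
    return rules


def effective_action(rules, client_ip):
    """Action Unbound applies to client_ip: the most specific matching
    netblock wins, and a client matched by no rule is refused (Unbound's
    built-in default)."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for network, action in rules:
        if addr.version == network.version and addr in network:
            if best is None or network.prefixlen > best[0].prefixlen:
                best = (network, action)
    return best[1] if best else "refuse"


def open_resolver_findings(config_text, probes=OUTSIDE_PROBES):
    """List the outside probes that would be granted recursion. An empty
    list means the access-control section does not, by itself, make this
    an open resolver (a firewall is still a reasonable second layer)."""
    rules = parse_access_control(config_text)
    findings = []
    for probe in probes:
        action = effective_action(rules, probe)
        if action in PERMISSIVE_ACTIONS:
            findings.append(f"{probe} -> {action}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("diff as posted", OPEN_CONFIG), ("local subnet only", LOCAL_CONFIG)):
        hits = open_resolver_findings(cfg)
        verdict = "OPEN RESOLVER: " + ", ".join(hits) if hits else "outside clients refused"
        print(f"{label}: {verdict}")
```

The check only reads `access-control:` directives from the text it is given; it does not follow `include:` directives or inspect `interface:` lines, so a wildcard bind combined with a firewall, as Wouter also mentions, is outside what it measures.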