Maintained by: NLnet Labs

[Unbound-users] Replacing BIND with Unbound on FreeBSD 2008.04.11

Wouter Wijngaards
Fri Apr 11 10:52:03 CEST 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Randy,

Thank you very much for sharing this. I can see it very useful to other
people that want to run unbound.

Couple nits:
o you are running an open resolver in this way. It is discouraged by
dnsop-wg from IETF. access-control: 10.0.0.0/8 allow is nicer (if you
are running on a local subnet). You can also use a firewall of course.
o you may need to symbolic link /dev/random to /your_chroot/dev/random,
so that openssl can get entropy. (or dev/urandom, depending on SSL config)

Best regards,
~   Wouter

Randy Bush wrote:
| [ what i sent around internally, in case it is of help to others ]
|
| Replacing BIND with Unbound on FreeBSD  2008.04.11
|
| Unbound is a validating, recursive, and caching DNS resolver.  It is
| designed to be highly scalable and tunable for large ISP deployment.
| The C implementation of Unbound is developed and maintained by NLnet
| Labs.  The source code is under a BSD License.
|
| Here is how I have installed it on a few servers.
|
|  o Fetch unbound sources from <http://unbound.net/>
|
|  o gmake, and gmake install.  They will not step on anything, so
|    this is safe
|
|  o adduser to create account and group unbound:unbound
|
|  o Edit /etc/syslog.conf to add
|
|      !unbound
|      *.*              /var/log/named
|
|    Make sure there is a usable logfile.
|
|      # touch  /var/log/named
|      # chown unbound:unbound  /var/log/named
|      # /etc/rc.d/syslogd restart
|
|    And be sure your /etc/newsyslog.conf has /var/log/named in it.  My
|    entry in /etc/newsyslog.conf looks like
|
|      # logfilename   [owner:group]  mode count size when  flags
|      /var/log/named  unbound:unbound 600  3     *    24      Z
|
|
|  o Edit /etc/unbound/unbound.conf to taste.  I hacked as follows:
|
|    --- unbound.conf~       2008-04-11 02:28:45.000000000 +0000
|    +++ unbound.conf        2008-04-11 03:33:50.000000000 +0000
|    @@ -17,7 +17,7 @@
|
| 	   # print statistics to the log (for every thread) every N seconds.
| 	   # Set to "" or 0 to disable. Default is disabled.
|    -       # statistics-interval: 0
|    +       statistics-interval: 3600
|
| 	   # number of threads to create. 1 disables threading.
| 	   # num-threads: 1
|    @@ -30,6 +30,8 @@
| 	   # interface: 192.0.2.153
| 	   # interface: 192.0.2.154
| 	   # interface: 2001:DB8::5
|    +       interface: 0.0.0.0
|    +       interface: ::0
|
| 	   # enable this feature to copy the source address of queries to reply.
| 	   # Socket options not be supported on all platforms. experimental.
|    @@ -133,6 +135,11 @@
| 	   # access-control: ::0/0 refuse
| 	   # access-control: ::1 allow
| 	   # access-control: ::ffff:127.0.0.1 allow
|    +       access-control: 0.0.0.0/0 allow
|    +       access-control: 127.0.0.0/8 allow
|    +       access-control: ::0/0 allow
|    +       access-control: ::1 allow
|    +       access-control: ::ffff:127.0.0.1 allow
|
| 	   # if given, a chroot(2) is done to the given directory.
| 	   # i.e. you can chroot to the working directory, for example,
|    @@ -143,7 +150,7 @@
| 	   # if given, user privileges are dropped (after binding port),
| 	   # and the given username is assumed. Default is user "unbound".
| 	   # If you give "" no privileges are dropped.
|    -       # username: "unbound"
|    +       username: "unbound"
|
| 	   # the working directory.
| 	   # directory: "/etc/unbound"
|    @@ -154,14 +161,14 @@
|
| 	   # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
| 	   # log to, with identity "unbound". If yes, it overrides the logfile.
|    -       # use-syslog: yes
|    +       use-syslog: yes
|
| 	   # the pid file.
| 	   # pidfile: "/etc/unbound/unbound.pid"
|
| 	   # file to read root hints from.
| 	   # get one from ftp://FTP.INTERNIC.NET/domain/named.cache
|    -       # root-hints: ""
|    +       root-hints: "root.ca"
|
| 	   # enable to not answer id.server and hostname.bind queries.
| 	   # hide-identity: no
|
|  o Get a root hints file and put it in /etc/unbound.  From very old
|    habits, i called it root.ca, but call it anything just so the name
|    matches what you have in /etc/unbound/unbound.conf.
|
|  o # chown -R unbound:unbound /etc/unbound
|
|  o In /etc/rc.conf, comment out
|
|      #named_enable=YES          # Run named, the DNS server (or NO).
|
|    And add
|
|      unbound_enable=YES
|
|  o Copy the boot-time startup script
|
|      # cp ${builddir}/contrib/rc_d_unbound /usr/local/etc/rc.d/unbound
|
|  o Kill the running copy of BIND
|
|  o Run it!
|
|    # /usr/local/etc/rc.d/unbound start
|
| -30-
| _______________________________________________
| Unbound-users mailing list
| Unbound-users at unbound.net
| http://unbound.net/mailman/listinfo/unbound-users

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFH/yazkDLqNwOhpPgRApMjAJ42TwVAXPXKaUwWb9Z0utGfQL16wACgsgtS
vWI5UvKDHU/nxTxofbUgbI8=
=sOdW
-----END PGP SIGNATURE-----