Maintained by: NLnet Labs

[Unbound-users] unbound in jail: static port and log file issues

Sun Dec 22 18:02:31 CET 2013

Hello.  I'm running unbound in a FreeBSD jail as a caching proxy. As
part of the purpose of placing unbound in the jail, I will allow only
packets from specific ports to exit as well as enter the jail. I am
also chaining dnscrypt-proxy as "forward-addr: at 10040" AND
using socat to forward dns lookups to a TOR jail on the same network.
So, using the pf firewall, some rules like this will be required:
  pass out quick on $JialIf proto {tcp,udp} from $dns-jail to
$jdns-jail port 10053
  pass in quick on $JailIf proto {tcp,udp} from $dns-jail to $dns-jail
port 10040

My Questions:
1. Unbound does not seem to have an inherent structure of its own
which encypts dns traffic like dnscrypt-proxy does, nor does it have a
tor-forwarder. Am I correct to use these third-party tools for the
purpose or have I overlooked something?
2. I need to get unbound to always use the same port when talking to
dnscrypt-proxy and socat, so that I can place meaningful pass/allow
rules on the firewall. I tried with the below settings but the unbound
setup seemed to break. I would also like to minimize the resources
(the gateway services 3-4 casual users - no heavy duty stuff). How
should I correct these entries for a 4-core system?

    outgoing-port-permit: 10053
    num-threads: 1
#   num-queries-per-thread: 4096
    outgoing-range: 10
    msg-cache-slabs: 1
    rrset-cache-slabs: 1
    infra-cache-slabs: 1
    key-cache-slabs: 1
3. /dev in the jail is mounted read-only, and unbound is started as
"no chroot" ( chroot: ""). Since giving unbound r/w access to /dev
would  defeat some of the purposes of the jail, what other way can I
get logging started for unbound?

Thank you