Setup client to remote control another Unbound server

Sat May 21 00:30:12 CEST 2016

I have (the stock*) Unbound running on FreeBSD 10. I have unbound-control 
set up on the Unbound server itself and am successfully controlling via 

But I have another machine connected to the server via a backend 
connection on the 10.x.x.x private network. I want to run unbound-control 
on that machine and control the remote (albeit one backend hop away) 

I've been looking at docs and tutorials, and it's not clear what has to be 
configured where for this scenario.

I've run unbound-control on the remote client and it complains that I have 
no unbound.conf file. But is that file ONLY for the configuration of a 
server? Would I need to have an unbound.conf file on the client machine?

A couple things are not clear to me... Do I run unbound-control-setup on 
the client machine? I assume I'd have to copy keys to the server? But if 
so, how do I store them and refer to them without breaking my localhost 
control for unbound-control on the server itself?

I tried adding 'control-interface: <server backend IP>' to the 
remote-control section of unbound.conf on the server. I interpreted this 
to be that it should listen for control connections on that interface. But 
I got:

[1463783089] unbound-control[83533:0] error: connect: Connection refused for <server IP>

I suppose I might have some firewall concerns. But before I go off on that 
tangent, I'd just like to get straight:

1) Do I run unbound-control on the client machine?
2) What should I have in unbound.conf on the client machine (if at all)?
3) What should I have in unbound.conf on the server?
4) What key exchanging and referencing (in config files) do I need to keep 
control with unbound-control going on both the remote client and localhost?


