Maintained by: NLnet Labs

New to Unbound

Eric Luehrsen
Fri Mar 17 01:13:54 CET 2017


>
> 1. BIND runs in a chroot environment. Should I continue this with 
> Unbound or is this not as much an issue?
>
Yes. Do chroot. Have init-start copy everything to /var/lib/unbound. 
Then allow Unbound only to operate there. Have your init-stop script 
copy back to /etc/ only non-poisoned updates. Example, double check 
RFC5011 root.key file.
> 2. Minimal responses to queries (I see how Unbound does that)
>
> 3. Resolve RFC1918 addresses (we currently forward those to our 
> authoritative servers and I believe I see how to do this with Unbound)
>
"stub:" clause to authoritative servers that normally respond to 
recursive queries. "forward:" clause to other recursive search or 
forwarding servers (not authoritative). RFC1918, RC4193...  see the 
section on private zone data under "unbound.conf" on the web page.
> 4. Gathering statistics and graphing queries per second (not sure how 
> to accomplish this)
>
Use the "unbound-control" tool. It has a lot of commands to enable, 
disable, read, purge, and other with Unbound statistics. It can change 
configuration on the fly. You can configure this tool for localhost only 
access or it has integrated SSL to communicate to Unbound for remote 
management.
> 5. Logging queries (I see how this is done)
>
> 6. keep multiple logs to help with troubleshooting (queries in one 
> log, errors in another, etc)
>
The "python:" plugin could be used for this. Maybe someone already has 
something out there for it.
> 7. Handle approx. 3,000 queries per second
Unbound is reasonably light and runs well even on a consumer grade 
router. It is easy to control its recursion behavior, allowed 
connections, and cache size.
>
> Some specific questions:
>
> 1. Can I define a specific set of name servers to forward queries to 
> and then use that "set" name in each forward statement? This way if 
> anything changes I only need to change the entries in the set instead 
> of in each config line
Yes. But you need to be careful or it won't boot strap. If those names 
are within the same forward domain, then you have circular no-go. You 
may need a "forward:" clause for those specific servers pointed an IP. 
You may have fixed "local-data:" installed in a server to point at a 
single IP for the boot strap. You may choose to get fancy and have 
init-start script write either of these methods with the DNS option 
field from DHCP.
> 2. Can I separate out logs into different files. For example, query 
> logs into one file, errors into another, etc.
--above
> 3. Regarding the "ip-ratelimit" config option: just to be sure, this 
> limits the number of queries accepted FROM AN IP ADDRESS? Sometimes 
> devices are setup without name services caching (ex. nscd, dnsmasq) 
> and our servers get flooded with thousands of queries per second. This 
> feature is marked as experimental but is it stable or should I avoid 
> it for now?
--i haven't tried this myself
> 4. For resolving RFC1918 addresses, should I use forward or stub 
> zones? Sometimes in-addr.arpa zones are delegated from the 
> authoritative servers and so the recursive server may get back 
> delegation information
--above