Maintained by: NLnet Labs

New to Unbound

Oscar Ricardo Silva
Tue Mar 21 21:15:33 CET 2017


On 03/16/2017 07:13 PM, Eric Luehrsen wrote:
>
>>
>> 1. BIND runs in a chroot environment. Should I continue this with
>> Unbound or is this not as much an issue?
>>
> Yes. Do chroot. Have init-start copy everything to /var/lib/unbound.
> Then allow Unbound only to operate there. Have your init-stop script
> copy back to /etc/ only non-poisoned updates. Example, double check
> RFC5011 root.key file.
>> 2. Minimal responses to queries (I see how Unbound does that)
>>
>> 3. Resolve RFC1918 addresses (we currently forward those to our
>> authoritative servers and I believe I see how to do this with Unbound)
>>
> "stub:" clause to authoritative servers that normally respond to
> recursive queries. "forward:" clause to other recursive search or
> forwarding servers (not authoritative). RFC1918, RC4193...  see the
> section on private zone data under "unbound.conf" on the web page.
>> 4. Gathering statistics and graphing queries per second (not sure how
>> to accomplish this)
>>


I wanted to thank Eric for taking the time to answer my questions. 
Testing is going well and I'm putting these suggestions to work.



Oscar