Maintained by: NLnet Labs

Configuration for local server

Ernie Luzar
Mon Sep 25 15:47:08 CEST 2017


Ludo via Unbound-users wrote:

snip

This is what I use on my FreeBSD system.

#
#  FreeBSD 11.0 & newer, unbound quick start instructions.
#
#  1. In the /etc/rc.conf file
#     Comment out this if it's there  local_unbound_enable="YES"
#     add unbound_enable="YES"
#     FreeBSD OS built-in local_unbound cannot co-exist with the port
#     version.
#
#  2. unbound comes with a built-in "root zone" which negates the need
#     for a "forward-zone: section" altogether. This built-in
#     "root zone" sends DNS requests to the up-stream public DNS
#     servers. Verify that your host firewall doesn't have rules
#     restricting port 53 to using only your ISP's DNS IP addresses.
#
#  3. Delete the contents of the /etc/resolv.conf and add this line
#     nameserver 127.0.0.1
#     Then make it immutable using "chflags -R schg /etc/resolv.conf"
#     This makes it unwritable by anyone; its contents will never change.
#     Use "ls -lo /etc/resolv.conf" to see its flags.
#     Use "chflags -R noschg /etc/resolv.conf" to return to normal.
#     This stops /etc/resolv.conf being refreshed at boot time with DNS
#     information from your ISP overriding the nameserver 127.0.0.1
#     statement needed to drive host DNS requests to unbound.
#
#  4. If you have a LAN behind this host and want those LAN devices'
#     DNS requests to also go through the host's unbound server,
#     change the host's DHCP server config file DNS IP address to the
#     LAN IP address assigned to the host network adapter the LAN is on.
#
#  5. Use the  service unbound restart  command after making changes to the
#     content of your unbound.conf file. Note: Any unbound.conf content
#     errors cause the unbound server to not start. This means ALL DNS
#     requests go unserviced; basically your host system and LAN users
#     are dead in the water until you fix things.
#     The  service unbound stop  command results in the same thing.
#
#  6. Take note: The unbound man pages are not FreeBSD specific.
#     Unbound is open source software that runs on many different
#     platforms. Some statements and ideas expressed are incorrect based
#     on the FreeBSD way of doing things.
#
#  7. The /usr/local/etc/unbound/unbound.conf.sample file shows all the
#     possible options available in the unbound.conf file. The defaults
#     are designed to create a running unbound server. In almost all cases
#     the following working unbound.conf file contains the default
#     overrides necessary for a working unbound server. Copy this content or
#     this file to /usr/local/etc/unbound/unbound.conf and you're ready to
#     go.

# Start of the working unbound.conf file.
# Server config section.

server:

#  chroot: "/usr/local/etc/unbound"
    chroot: ""    # disable chroot

# Specify the interfaces to answer queries from by ip-address.
# The default is to listen to localhost (127.0.0.1 and ::1) only.
# Specify 0.0.0.0 and ::0 to bind to all available interfaces.
      interface: ::0        # listen on all ipv6 interfaces
      interface: 0.0.0.0    # listen on all ipv4 interfaces

# Control which clients are allowed to make (recursive) queries
# to this server. Specify classless netblocks with /size and action.
# By default everything is refused, except for localhost.
# Example 10.0.0.0/8 is the ip address block assigned to the LAN.
      access-control: 10.0.0.0/8 allow
      access-control: 127.0.0.0/8 allow

# Use this to include another text file content into this file.
# include: "/path/file-name"
      include: /usr/local/etc/unbound/void-zones-all
# This is where the statements go to block unwanted FQDNs.
# local-zone: ads.youtube.com always_nxdomain

# Remote control config section.
# Remote control must be enabled before the unbound-control(8)
# command can be used to send commands to the running unbound server.
# To enable security, execute the unbound-control-setup command
# to set up the keys and certificates.
# This remote-control: section enables remote-control with
# security disabled.

remote-control:
    control-enable: yes
    control-interface: /var/run/unbound.ctl
    control-use-cert: no
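The config above listens on every interface and relies on access-control to keep recursion limited to the LAN and localhost. The following lint check is an added example, not part of Ernie's post and not an Unbound tool: it parses the server: clause of an unbound.conf in the simple "key: value" form used above, and flags any access-control entry that would hand recursion to public address space (the open-resolver case). It assumes one option per line, "#" as the comment marker, and a bare "name:" line as a clause start; files named by include: are not read. Both sample configs are constructed for the example (the first copies the post's server: clause).

```python
"""Lint an unbound.conf server: section for open-resolver exposure.

Added example; not from the mailing-list post or from Unbound itself.
Assumptions: one 'key: value' option per line, '#' starts a comment,
and a bare 'name:' line opens a new top-level clause. Files named by
include: are not read.
"""
import ipaddress
from typing import Dict, List

# Constructed sample: the server: clause from the post above.
SAMPLE_CONF = """server:
#  chroot: "/usr/local/etc/unbound"
    chroot: ""    # disable chroot
      interface: ::0        # listen on all ipv6 interfaces
      interface: 0.0.0.0    # listen on all ipv4 interfaces
      access-control: 10.0.0.0/8 allow
      access-control: 127.0.0.0/8 allow
      include: /usr/local/etc/unbound/void-zones-all

remote-control:
    control-enable: yes
"""

# Constructed counter-example: recursion granted to the whole Internet.
OPEN_CONF = """server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow
    access-control: 192.168.1.0/24 allow
"""

WILDCARD_INTERFACES = {"0.0.0.0", "::0", "::"}
# access-control actions that answer recursive queries
PERMISSIVE_ACTIONS = {"allow", "allow_snoop", "allow_setrd"}


def parse_server_section(text: str) -> Dict[str, List[str]]:
    """Return option -> list of values for the server: clause only.

    Comments and blank lines are dropped; a later clause such as
    remote-control: ends the server: section. A '#' inside a quoted
    value is not handled (the config above has none).
    """
    options: Dict[str, List[str]] = {}
    in_server = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not value:                      # 'server:', 'remote-control:' ...
            in_server = key == "server"
            continue
        if in_server:
            options.setdefault(key, []).append(value.strip('"'))
    return options


def open_resolver_findings(options: Dict[str, List[str]]) -> List[str]:
    """Flag access-control entries that grant recursion to public space.

    Unbound refuses everything but localhost by default, so a wildcard
    interface is only a problem together with a permissive
    access-control on a non-private prefix.
    """
    findings: List[str] = []
    wildcard = any(i in WILDCARD_INTERFACES for i in options.get("interface", []))
    for entry in options.get("access-control", []):
        parts = entry.split()
        if len(parts) < 2:
            findings.append(f"malformed access-control entry: {entry!r}")
            continue
        netblock, action = parts[0], parts[1]
        if action not in PERMISSIVE_ACTIONS:
            continue
        try:
            network = ipaddress.ip_network(netblock, strict=False)
        except ValueError:
            findings.append(f"unparseable netblock in access-control: {netblock!r}")
            continue
        if network.prefixlen == 0:
            findings.append(f"{entry!r} allows recursion from the whole Internet")
        elif not network.is_private:
            where = "on all interfaces" if wildcard else "on the configured interfaces"
            findings.append(f"{entry!r} allows recursion from public address space {where}")
    return findings


if __name__ == "__main__":
    for name, conf in (("post", SAMPLE_CONF), ("open", OPEN_CONF)):
        opts = parse_server_section(conf)
        print(name, "interfaces:", opts.get("interface", ["(default: localhost)"]))
        for finding in open_resolver_findings(opts) or ["no open-resolver findings"]:
            print("  ", finding)
```

Run against the post's clause it reports nothing, because both allow entries are private prefixes; against the counter-example it reports the 0.0.0.0/0 entry. It complements, rather than replaces, unbound-checkconf, which catches the syntax errors point 5 warns about before a restart takes the resolver down.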