Difference between revisions of "Unbound"

From ArchWiki
m (Configuring Unbound to Validate DNSSEC)
m (Configuring Unbound to Validate DNSSEC)
(One intermediate revision by the same user not shown)
Line 34: Line 34:
 
=== Adding unbound to boot process ===
 
=== Adding unbound to boot process ===
  
Edit {{ic|/etc/rc.conf}} (See also [[rc.conf]]):
+
  systemctl enable unbound.service
DAEMONS=(.. '''unbound''' ..)
+
 
+
Place unbound before daemons that require network access.
+
  
 
=== Set /etc/resolv.conf to use the local DNS server ===
 
=== Set /etc/resolv.conf to use the local DNS server ===
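Review bot: The replacement line `systemctl enable unbound.service` only enables the unit for later boots and does not start it, yet the next section points /etc/resolv.conf at the local server. Add `systemctl start unbound.service` next to it so name resolution does not break for a reader following the page in order. The removed sentence "Place unbound before daemons that require network access" also carried ordering advice that the new text drops without a replacement; say in a sentence whether that ordering still needs attention.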
Line 46: Line 43:
 
== Configuring Unbound to Validate DNSSEC ==
 
== Configuring Unbound to Validate DNSSEC ==
  
Set the '/etc/unbound' directory to be owned by the unbound user:
+
Set the {{ic|/etc/unbound/}} directory to be owned by the unbound user:
  
 
   chown unbound /etc/unbound
 
   chown unbound /etc/unbound
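Review bot: The new sentence writes the path as `{{ic|/etc/unbound/}}` with a trailing slash while the command directly under it uses `/etc/unbound`; use one spelling in both places. The sentence also gives no reason why the daemon user should own its whole configuration directory, so state the reason here so that readers can judge whether narrower ownership would do.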

Revision as of 15:53, 2 January 2013

Unbound is a validating, recursive, and caching DNS resolver.

Installation

Install unbound, and expat, which is a dependency for DNSSEC:

pacman -S unbound expat

Basic configuration

Unbound configuration

Unbound is easy to configure. The following configuration, placed in /etc/unbound/unbound.conf, is enough to run on both IPv4 and IPv6 without access restrictions:

server:
  username: "unbound"
  directory: "/etc/unbound"
  use-syslog: yes
  interface: 0.0.0.0
  interface: ::0
  verbosity: 1

To use specific servers for the default forward zone (all queries will be forwarded to them, and the answers cached), add this to the configuration file:

forward-zone:
  name: "."
  forward-addr: 208.67.222.222
  forward-addr: 208.67.220.220

This will make unbound use the OpenDNS servers as the forward zone.

Note: OpenDNS strips DNSSEC records from responses. Do not use the above forward zone if you want to enable DNSSEC validation (below).

Adding unbound to boot process

 systemctl enable unbound.service

Set /etc/resolv.conf to use the local DNS server

Edit /etc/resolv.conf (See also resolv.conf):

nameserver 127.0.0.1

Configuring Unbound to Validate DNSSEC

Set the /etc/unbound/ directory to be owned by the unbound user:

 chown unbound /etc/unbound

Fetch the root trust anchor:

sudo -u unbound unbound-anchor -a /etc/unbound/auto-root.key

Edit unbound.conf, adding the following line to the server: block:

auto-trust-anchor-file: "/etc/unbound/auto-root.key"

Restart unbound:

systemctl restart unbound.service
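
The note about OpenDNS and the auto-trust-anchor-file step above can be checked together before restarting. The following shell function is an added example, not part of the original article or of unbound: check_unbound_dnssec and sample_conf are hypothetical names, the sample configuration is constructed from the snippets on this page, and the list of stripping forwarders holds only the two addresses the page names.

```shell
# Added example (not from the article): lint unbound.conf for the DNSSEC setup.

# Forwarders that the article says strip DNSSEC records (OpenDNS).
STRIPPING_FORWARDERS="208.67.222.222 208.67.220.220"

# Usage: check_unbound_dnssec FILE   (FILE may be "-" for stdin)
# Prints OK <anchor>, NO_ANCHOR (status 1) or STRIPPING_FORWARDER <addrs> (status 2).
check_unbound_dnssec() {
    awk -v bad="$STRIPPING_FORWARDERS" '
    function close_zone() {            # decide once the whole clause was read
        if (zone == ".") hit = hit pending
        zone = ""; pending = ""
    }
    BEGIN { n = split(bad, b, " "); for (i = 1; i <= n; i++) strip[b[i]] = 1 }
    { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }    # drop comments, padding
    $0 == "" { next }
    /^[a-z-]+:$/ { close_zone(); clause = $0; next }   # e.g. "forward-zone:"
    {
        key = $1; val = $0
        sub(/^[^:]*:[ \t]*/, "", val); gsub(/"/, "", val)
        if (clause == "server:" && key == "auto-trust-anchor-file:") anchor = val
        if (clause == "forward-zone:" && key == "name:") zone = val
        if (clause == "forward-zone:" && key == "forward-addr:") {
            sub(/@.*/, "", val)                        # ignore an @port suffix
            if (val in strip) pending = pending " " val
        }
    }
    END {
        close_zone()
        if (anchor == "") { print "NO_ANCHOR"; exit 1 }
        if (hit != "") { print "STRIPPING_FORWARDER" hit; exit 2 }
        print "OK " anchor
    }' "$1"
}

# Constructed sample: the snippets from this page combined into one file.
sample_conf() {
    cat <<'EOF'
server:
  username: "unbound"
  auto-trust-anchor-file: "/etc/unbound/auto-root.key"
forward-zone:
  name: "."
  forward-addr: 208.67.222.222
  forward-addr: 208.67.220.220
EOF
}

sample_conf | check_unbound_dnssec - || echo "unbound.conf needs attention"
```

Run it against the real file with check_unbound_dnssec /etc/unbound/unbound.conf; it only reads the configuration and does not query any server.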