From ArchWiki
Revision as of 17:00, 11 September 2012 by Nocko (talk | contribs) (Add DNSSEC validation basics)

Unbound is a validating, recursive, and caching DNS resolver.


Install unbound, and expat, which is a dependency for DNSSEC:

pacman -S unbound expat

Basic configuration

Unbound configuration

Unbound is easy to configure. The following configuration, placed in /etc/unbound/unbound.conf, is enough to run on both IPv4 and IPv6 without access restrictions:

server:
  # Drop privileges to this user after startup
  username: "unbound"
  directory: "/etc/unbound"
  use-syslog: yes
  # Listen on all IPv4 and all IPv6 addresses
  interface: 0.0.0.0
  interface: ::0
  verbosity: 1

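To use specific servers for the default forward zone (all queries will be forwarded to them, and then cached), add this to the configuration file:

forward-zone:
  name: "."
  # OpenDNS public resolvers
  forward-addr: 208.67.222.222
  forward-addr: 208.67.220.220

This will make unbound use the OpenDNS servers for the forward zone.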

Note: OpenDNS strips DNSSEC records from responses. Do not use the above forward zone if you want to enable DNSSEC validation (below).

Adding unbound to boot process

Edit /etc/rc.conf (See also rc.conf):

DAEMONS=(.. unbound ..)

Place unbound before daemons that require network access.

Set /etc/resolv.conf to use the local DNS server

Edit /etc/resolv.conf (See also resolv.conf):


Configuring Unbound to Validate DNSSEC

Fetch the root trust anchor:

sudo -u unbound unbound-anchor -a /etc/unbound/auto-root.key

Edit unbound.conf, adding the following line to the server: block:

auto-trust-anchor-file: "/etc/unbound/auto-root.key"

Restart unbound:

rc.d restart unbound
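
To confirm after the restart that answers are actually being validated, check the header of a dig reply for the ad (Authenticated Data) flag. The helper below is an added example, not part of the original ArchWiki page; the function names and the resolver address ::1 are assumptions, and the sample header is constructed.

```shell
#!/bin/sh
# Added example: classify a `dig +dnssec` reply (read on stdin) from its header.
#   secure   - NOERROR with the "ad" flag: the resolver validated the answer
#   insecure - NOERROR without "ad": unsigned zone, or validation is not active
#   servfail - SERVFAIL: what a validating resolver returns for data that fails
#              validation (also returned for other resolution failures)
dnssec_verdict() {
    awk '
        /->>HEADER<<-/ {
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/ {
            line = $0
            sub(/^;; flags:/, "", line)   # drop the label
            sub(/;.*/, "", line)          # drop the section counts after the flags
            n = split(line, flag, " ")
            for (i = 1; i <= n; i++) if (flag[i] == "ad") ad = 1
        }
        END {
            if (status == "SERVFAIL")           print "servfail"
            else if (status == "NOERROR" && ad) print "secure"
            else if (status == "NOERROR")       print "insecure"
            else                                print "unknown"
        }'
}

# Constructed sample header (not captured output) of a validated reply.
sample_validated_reply() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
EOF
}

# Live check against the local resolver (the address ::1 is an assumption):
#   dig @::1 +dnssec . SOA | dnssec_verdict
# The root zone is signed, so this reports "secure" once the trust anchor is in use.
```

A result of insecure for the signed root zone means the trust anchor is not being applied; with a forward zone whose servers strip DNSSEC records, expect servfail for signed zones.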