Setting up unbound DNS server: Difference between revisions
Ginjachris (talk | contribs)
Revision as of 22:26, 12 November 2013
Unbound is a validating, recursive, and caching DNS resolver that supports DNSSEC.
Install
Install the unbound package:
apk add unbound
Configure
The following configuration is an example of a caching name server. In a production server, restrict the access-control parameter to your own network: the 0.0.0.0/0 allow line below answers recursive queries from any client. The forward-zone section(s) forward all DNS queries to the specified servers.
- /etc/unbound/unbound.conf
server:
    verbosity: 1
    ## Specify the interface address to listen on:
    interface: 10.0.0.1
    ## To listen on all interfaces use the following line instead
    # interface: 0.0.0.0
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes
    do-daemonize: yes
    access-control: 0.0.0.0/0 allow
    ## Other access control examples
    #access-control: 192.168.1.0/24 action
    ## 'action' should be replaced by any one of:
    #   deny        (drop message)
    #   refuse      (sends a DNS rcode REFUSED error message back)
    #   allow       (recursive ok)
    #   allow_snoop (recursive and nonrecursive ok)
    ## Minimum lifetime of cache entries in seconds. Default is 0.
    #cache-min-ttl: 60
    ## Maximum lifetime of cached entries. Default is 86400 seconds (1 day).
    #cache-max-ttl: 172800
    ## Enable to not answer id.server and hostname.bind queries.
    hide-identity: yes
    ## Enable to not answer version.server and version.bind queries.
    hide-version: yes
python:
remote-control:
    control-enable: no
## Note: for forward zones, the destination servers must be able to handle recursion to other DNS servers
## Forward all *.example.com queries to the server at 192.168.1.1
#forward-zone:
#    name: "example.com"
#    forward-addr: 192.168.1.1
## Forward all other queries to the Verizon DNS servers
forward-zone:
    name: "."
    ## Level3 Verizon
    forward-addr: 4.2.2.1
    forward-addr: 4.2.2.4
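The example config's access-control: 0.0.0.0/0 allow makes unbound an open recursive resolver, so it is worth auditing the file before starting the daemon. The script below is an added example, not part of the wiki page: it uses only POSIX sh and awk, builds two constructed sample configs (the weak one mirroring the page, and a restricted one following the most-specific-netblock rule unbound applies), and reports any world-wide allow.

```shell
#!/bin/sh
# Added example (not from the wiki): audit an unbound.conf for
# access-control lines that grant recursion to every address.
# Assumes only POSIX sh and awk; file names below are constructed.

# Print "<netblock> <action>" for every uncommented access-control
# line that allows recursion ("allow"/"allow_snoop") from 0.0.0.0/0 or ::/0.
open_resolver_acls() {
    awk '
        { sub(/#.*/, ""); sub(/^[ \t]+/, "") }   # drop comments, indentation
        $1 == "access-control:" &&
        ($2 == "0.0.0.0/0" || $2 == "::/0") &&
        ($3 == "allow" || $3 == "allow_snoop") { print $2, $3 }
    ' "$1"
}

# Exit status 0 when no world-wide allow is present, 1 otherwise.
check_unbound_acl() {
    [ -z "$(open_resolver_acls "$1")" ]
}

# Constructed sample: the page's example, an open resolver.
WEAK_CONF=$(mktemp)
cat >"$WEAK_CONF" <<'EOF'
server:
    interface: 10.0.0.1
    access-control: 0.0.0.0/0 allow
    #access-control: 192.168.1.0/24 allow
EOF

# Constructed sample: restricted form. unbound picks the most specific
# matching netblock, so the /24 allow overrides the explicit catch-all refuse.
FIXED_CONF=$(mktemp)
cat >"$FIXED_CONF" <<'EOF'
server:
    interface: 10.0.0.1
    ## refuse everyone, then allow only the local network
    access-control: 0.0.0.0/0 refuse
    access-control: 10.0.0.0/24 allow
EOF

for f in "$WEAK_CONF" "$FIXED_CONF"; do
    if check_unbound_acl "$f"; then echo "$f: ok"
    else echo "$f: OPEN RESOLVER -> $(open_resolver_acls "$f")"; fi
done
```

Run it against /etc/unbound/unbound.conf the same way before rc-service unbound start; unbound-checkconf validates syntax but will not warn about this.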
Set auto-start, start and test the daemon
Set to auto-start then start unbound:
rc-update add unbound
rc-service unbound start
Test, for example:
dig nl.alpinelinux.org @10.0.0.1
or:
nslookup www.google.cz @10.0.0.1
or use drill, which requires the drill package:
drill www.bbc.co.uk @10.0.0.1
Further information
The unbound.conf(5) man page
excellent unbound tutorial at calomel.org
General information via the Wikipedia pages on DNS, record types, zones, name servers and DNSsec