Setting up unbound DNS server: Difference between revisions
Ginjachris (talk | contribs) m (→Configure) |
Ginjachris (talk | contribs) m (→Configure) |
||
Line 46: | Line 46: | ||
remote-control: | remote-control: | ||
control-enable: no | control-enable: no | ||
## Stub zones are like forward zones (see below) but must only contain authority server (no recursive servers) | |||
#stub-zone: | |||
# name: "my.test.com" | |||
# stub-addr: 172.16.1.1 | |||
# stub-addr: 172.16.1.2 | |||
## Note for forward zones, the destination servers must be able to handle recursion to other DNS server | ## Note for forward zones, the destination servers must be able to handle recursion to other DNS server | ||
## Forward all *.example.com queries to the server at 192.168.1.1 | ## Forward all *.example.com queries to the server at 192.168.1.1 |
Revision as of 12:27, 13 November 2013
Unbound is a validating, recursive, and caching DNS resolver that supports DNSSEC.
Install
Install the unbound package:
apk add unbound
Configure
The following configuration is an example of a caching name server (in a production server, it's recommended to adjust the access-control parameter to limit access to your network). The forward-zone(s) section will forward all DNS queries to the specified servers. Don't forget to change the 'interface' parameter to one of your local interfaces (or 0.0.0.0 to listen on all local IPv4 interfaces). The following is a minimal example with many options commented out.
- /etc/unbound/unbound.conf
server: verbosity: 1 ## Specify the interface address to listen on: interface: 10.0.0.1 ## To listen on all interfaces use the following line instead # interface: 0.0.0.0 do-ip4: yes do-ip6: no do-udp: yes do-tcp: yes do-daemonize: yes access-control: 0.0.0.0/0 allow ## Other access control examples #access-control: 192.168.1.0/24 action ## 'action' should be replaced by any one of: #deny (drop message) #refuse (sends a DNS rcode REFUSED error message back) #allow (recursive ok) #allow_snoop (recursive and nonrecursive ok). ## Minimum lifetime of cache entries in seconds. Default is 0. #cache-min-ttl: 60 ## Maximum lifetime of cached entries. Default is 86400 seconds (1 day). #cache-max-ttl: 172800 ## enable to not answer id.server and hostname.bind queries. hide-identity: yes ## enable to not answer version.server and version.bind queries. hide-version: yes ## default is to use syslog, which will log to /var/log/messages. use-syslog: yes ## to log elsewhere, set 'use-syslog' to 'no' and set the log file location below: #logfile: /var/log/unbound python: remote-control: control-enable: no ## Stub zones are like forward zones (see below) but must only contain authority server (no recursive servers) #stub-zone: # name: "my.test.com" # stub-addr: 172.16.1.1 # stub-addr: 172.16.1.2 ## Note for forward zones, the destination servers must be able to handle recursion to other DNS server ## Forward all *.example.com queries to the server at 192.168.1.1 #forward-zone: # name: "example.com" # forward-addr: 192.168.1.1 ## Forward all other queries to the Verizon DNS servers forward-zone: name: "." ## Level3 Verizon forward-addr: 4.2.2.1 forward-addr: 4.2.2.4
Set auto-start, start and test the daemon
Check the configuration for errors:
unbound-checkconf
and if no errors are reported, set to auto-start then start unbound:
rc-update add unbound rc-service unbound start
Test, for example:
dig nl.alpinelinux.org @10.0.0.1
or:
nslookup www.google.cz @10.0.0.1
or use drill:
drill www.bbc.co.uk @10.0.0.1
Further information
unbound.conf man page unbound.conf here or here
excellent unbound tutorial at calomel.org
General information via the Wikipedia pages on DNS, record types, zones, name servers and DNSsec