I will give an example of installing the Unbound caching DNS server.
You can install Unbound on Ubuntu with the command:
sudo apt-get install unbound
After installation, we look at the contents of the configuration file:
cat /etc/unbound/unbound.conf
In my case, there was only a line:
include: "/etc/unbound/unbound.conf.d/*.conf"
The line above means that all files with the .conf extension in the unbound.conf.d directory will be loaded.
So let's create a new file in it:
sudo touch /etc/unbound/unbound.conf.d/test.conf
And open it in a text editor:
sudo nano /etc/unbound/unbound.conf.d/test.conf
I will give an example configuration:
server:
    port: 53
    verbosity: 0
    num-threads: 2
    outgoing-range: 512
    num-queries-per-thread: 1024
    msg-cache-size: 16m
    rrset-cache-size: 32m
    cache-max-ttl: 86400
    infra-host-ttl: 60
    infra-lame-ttl: 120
    interface: 127.0.0.1
    interface: 192.168.5.5
    outgoing-interface: 192.168.0.2
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.5.0/24 allow
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes
    username: unbound
    directory: "/etc/unbound"
    logfile: "/var/log/unbound.log"
    use-syslog: no
    hide-version: yes
    so-rcvbuf: 4m
    so-sndbuf: 4m
Create the log file and make the unbound user its owner so that Unbound can write logs to it:
sudo touch /var/log/unbound.log
sudo chown unbound:unbound /var/log/unbound.log
Restart Unbound to load the new configuration file:
sudo service unbound restart
Make sure Unbound is running:
sudo service unbound status
sudo ps auxw | grep unbound
sudo netstat -anp | grep 53
I will describe several parameters from the configuration:
interface (the addresses on which Unbound listens for requests)
outgoing-interface (the address of the external interface through which Unbound sends its own queries to the Internet)
access-control (determines which client networks are allowed to have their requests processed)
verbosity (log level from 0 to 4, 4 is debug)
use-syslog: no (do not write logs to syslog)
num-threads (the number of threads; set it equal to the number of processor cores)
do-ip4: yes, do-udp: yes, do-tcp: yes (allow IPv4, UDP and TCP)
do-ip6: no (disallow IPv6)
username (the user under which Unbound will run)
hide-version: yes (do not reveal the Unbound version in answers to version queries)
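How the access-control lines above decide which clients get answers, as an added example that is not part of the original article: Unbound uses the most specific matching netblock and by default allows only localhost, so the sketch evaluates sample client addresses against the article's two rules and against a constructed variant that allows 0.0.0.0/0. The function names, the INTERNAL list and the sample addresses are assumptions of this example.

```python
import ipaddress

# Built-in behaviour described in unbound.conf(5): localhost allowed, the rest refused.
DEFAULTS = [("127.0.0.0/8", "allow"), ("::1/128", "allow"),
            ("0.0.0.0/0", "refuse"), ("::/0", "refuse")]
# Ranges treated as internal by this example (an assumption; adjust to your network).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "::1/128", "fc00::/7")]

# The access-control lines from the configuration above.
PAGE_CONF = """
server:
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.5.0/24 allow
"""
# Constructed weak variant: any IPv4 source may query (open resolver).
OPEN_CONF = PAGE_CONF.replace("192.168.5.0/24", "0.0.0.0/0")


def parse_rules(conf_text):
    """Return [(network, action)]: built-in defaults first, then configured rules."""
    rules = [(ipaddress.ip_network(n), a) for n, a in DEFAULTS]
    for raw in conf_text.splitlines():
        key, _, value = raw.split("#", 1)[0].partition(":")
        if key.strip() == "access-control" and len(value.split()) == 2:
            net, action = value.split()
            rules.append((ipaddress.ip_network(net, strict=False), action))
    return rules


def decide(client, rules):
    """Most specific matching netblock wins; on a tie the configured rule wins."""
    ip = ipaddress.ip_address(client)
    best = None
    for net, action in rules:
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen >= best[0].prefixlen:
                best = (net, action)
    return best[1]


def wide_allows(rules):
    """Allowed netblocks that reach beyond the INTERNAL ranges."""
    return [str(net) for net, action in rules
            if action.startswith("allow")
            and not any(net.version == i.version and net.subnet_of(i) for i in INTERNAL)]
```

With the article's rules a client in 192.168.5.0/24 is answered and every other non-local source is refused; wide_allows() returning a non-empty list is the signal that the resolver would answer sources outside the internal ranges.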
An example of viewing logs:
sudo tail -f /var/log/syslog
sudo tail -f /var/log/unbound.log
Example of cache export and import:
unbound-control dump_cache > unbound.dump
cat unbound.dump | unbound-control load_cache