New to Unbound

Hello,

We currently run several BIND recursive, caching servers, with anycast and are looking to diversify with other DNS packages. This is my first exposure to Unbound and I'm soliciting any tips/tricks/links that might help in converting some of these BIND servers or for general use/configuration. So far I've been reading: "How to Setup", "How to Optimise", "How to Statistics", as well as other documents, but we all know there are always those "gotchas", those config options/tricks, that you only learn once you've used something for a while.

Servers:

1. Redhat Enterprise Linux (kernel 3.10)
2. OSPF (via quagga) for anycast
3. BIND 9 (built from source)

Here's what we're doing with our servers:

1. BIND runs in a chroot environment. Should I continue this with Unbound or is this not as much an issue?

2. Minimal responses to queries (I see how Unbound does that)

3. Resolve RFC1918 addresses (we currently forward those to our authoritative servers and I believe I see how to do this with Unbound)

4. Gathering statistics and graphing queries per second (not sure how to accomplish this)

5. Logging queries (I see how this is done)

6. keep multiple logs to help with troubleshooting (queries in one log, errors in another, etc)

7. Handle approx. 3,000 queries per second

Right now I've downloaded, compiled, and installed Unbound 1.6.1

Some specific questions:

1. Can I define a specific set of name servers to forward queries to and then use that "set" name in each forward statement? This way if anything changes I only need to change the entries in the set instead of in each config line

2. Can I separate out logs into different files. For example, query logs into one file, errors into another, etc.

3. Regarding the "ip-ratelimit" config option: just to be sure, this limits the number of queries accepted FROM AN IP ADDRESS? Sometimes devices are set up without name service caching (e.g. nscd, dnsmasq) and our servers get flooded with thousands of queries per second. This feature is marked as experimental, but is it stable or should I avoid it for now?

4. For resolving RFC1918 addresses, should I use forward or stub zones? Sometimes in-addr.arpa zones are delegated from the authoritative servers and so the recursive server may get back delegation information

1. BIND runs in a chroot environment. Should I continue this with
Unbound or is this not as much an issue?

Yes. Do chroot. Have init-start copy everything to /var/lib/unbound.
Then allow Unbound only to operate there. Have your init-stop script
copy back to /etc/ only non-poisoned updates. Example, double check
RFC5011 root.key file.

2. Minimal responses to queries (I see how Unbound does that)

3. Resolve RFC1918 addresses (we currently forward those to our
authoritative servers and I believe I see how to do this with Unbound)

"stub:" clause to authoritative servers that normally respond to
recursive queries. "forward:" clause to other recursive search or
forwarding servers (not authoritative). RFC1918, RFC4193... see the
section on private zone data under "unbound.conf" on the web page.

4. Gathering statistics and graphing queries per second (not sure how
to accomplish this)

Use the "unbound-control" tool. It has a lot of commands to enable,
disable, read, purge, and otherwise work with Unbound statistics. It can change
configuration on the fly. You can configure this tool for localhost only
access or it has integrated SSL to communicate to Unbound for remote
management.

5. Logging queries (I see how this is done)

6. keep multiple logs to help with troubleshooting (queries in one
log, errors in another, etc)

The "python:" plugin could be used for this. Maybe someone already has
something out there for it.

7. Handle approx. 3,000 queries per second

Unbound is reasonably light and runs well even on a consumer grade
router. It is easy to control its recursion behavior, allowed
connections, and cache size.

Some specific questions:

1. Can I define a specific set of name servers to forward queries to
and then use that "set" name in each forward statement? This way if
anything changes I only need to change the entries in the set instead
of in each config line

Yes. But you need to be careful or it won't bootstrap. If those names
are within the same forward domain, then you have a circular no-go. You
may need a "forward:" clause for those specific servers pointed at an IP.
You may have fixed "local-data:" installed in a server to point at a
single IP for the bootstrap. You may choose to get fancy and have the
init-start script write either of these methods with the DNS option
field from DHCP.

2. Can I separate out logs into different files. For example, query
logs into one file, errors into another, etc.

--above

3. Regarding the "ip-ratelimit" config option: just to be sure, this
limits the number of queries accepted FROM AN IP ADDRESS? Sometimes
devices are set up without name service caching (e.g. nscd, dnsmasq)
and our servers get flooded with thousands of queries per second. This
feature is marked as experimental but is it stable or should I avoid
it for now?

--i haven't tried this myself

4. For resolving RFC1918 addresses, should I use forward or stub
zones? Sometimes in-addr.arpa zones are delegated from the
authoritative servers and so the recursive server may get back
delegation information

--above
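The "stub: to authoritative servers" advice and the bootstrap warning above come together in the following script. It is an added example written for this thread, not Unbound's own code or configuration: it renders the RFC1918 reverse-zone part of unbound.conf from a single shell list, which is the practical way to get the "define the set once, reuse it everywhere" behaviour asked for in question 1, and it points the stubs at bare IPs so there is nothing to resolve before the zones work. The server addresses, the ip-ratelimit value and the assumption that the private zones are not DNSSEC-signed are all constructed for the example.

```shell
#!/bin/sh
# Render the RFC1918 reverse-zone section of unbound.conf from one list of
# server addresses, so a change to the list is made in exactly one place.
# Example script written for this thread; it is not part of Unbound.

# Constructed addresses standing in for the site's authoritative servers
# (assumption: they answer for the in-addr.arpa zones below).
AUTH_SERVERS="10.0.0.53 10.0.1.53"

# Queries per second accepted from a single client address (assumed value;
# ip-ratelimit is per source IP, 0 disables it).
RATE_LIMIT=500

# The RFC1918 reverse zones: 10/8, 172.16/12 (16.172 through 31.172), 192.168/16.
rfc1918_reverse_zones() {
    echo "10.in-addr.arpa."
    i=16
    while [ "$i" -le 31 ]; do
        echo "$i.172.in-addr.arpa."
        i=$((i + 1))
    done
    echo "168.192.in-addr.arpa."
}

# server: side.  Unbound blocks these zones with built-in local-zones, so each
# one is released with "nodefault"; domain-insecure assumes they carry no
# DNSSEC chain from the root (the usual case for private address space).
render_server_block() {
    printf 'server:\n'
    printf '    minimal-responses: yes\n'
    printf '    ip-ratelimit: %s\n' "$RATE_LIMIT"
    for zone in $(rfc1918_reverse_zones); do
        printf '    local-zone: "%s" nodefault\n' "$zone"
        printf '    domain-insecure: "%s"\n' "$zone"
    done
}

# One stub-zone per reverse zone, pointed at the authoritative servers by IP.
# Using stub-addr rather than stub-host means nothing has to be resolved
# before the zone is usable, which avoids the circular bootstrap described
# above.  A stub seeds the delegation point, so a referral to a delegated
# sub-zone (the case raised in question 4) is iterated like any other.
render_stub_zones() {
    for zone in $(rfc1918_reverse_zones); do
        printf 'stub-zone:\n    name: "%s"\n' "$zone"
        for ip in $AUTH_SERVERS; do
            printf '    stub-addr: %s\n' "$ip"
        done
    done
}

# Whole fragment: append it to unbound.conf or put it in an include file,
# then run unbound-checkconf before restarting the daemon.
render_private_zones() {
    render_server_block
    render_stub_zones
}

# Self-checks on the rendered text: 18 reverse zones, one stub-addr line per
# zone and server.
count_zones()      { rfc1918_reverse_zones | grep -c 'in-addr.arpa'; }
count_stub_addrs() { render_private_zones | grep -c 'stub-addr:'; }
```

If a forward-looking internal zone returns addresses from these ranges, Unbound's private-address rebind protection would strip them unless that zone is also listed with private-domain; the fragment above deliberately leaves private-address alone for that reason.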

I wanted to thank Eric for taking the time to answer my questions. Testing is going well and I'm putting these suggestions to work.

Oscar

Hi,

I don't see all of the mailing list, but this I know how to do.

4. Gathering statistics and graphing queries per second (not sure how
to accomplish this)

You can have a daemon that grabs statistics each second:

1 - Using 'system' unbound-control stats_noreset
2 - Or your own daemon, connecting via TCP+SSL, and making the command.

Each reply has a connection close, so you need to reconnect.

These two, for me, aren't the best way, because the CPU usage increases.

3 - Or, use the Shared Memory, so you can create a daemon and attach to SHM and get
the needed info.

https://github.com/jedisct1/unbound/commit/9f11a7300938e265d8b346b7f71739a0578e84d6

After getting the info, you need to populate some files or database.
With that info, you can create graphs.

Use your imagination and the data needed.

Here are some screenshots from one of our clients, to show the idea.

http://prntscr.com/enqrlj
http://prntscr.com/enqkoz
http://prntscr.com/enqmgj
http://prntscr.com/enqkkm
http://prntscr.com/enqmcu
http://prntscr.com/enqkz9
http://prntscr.com/enqlnv
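Options 1 and 2 above, and Eric's earlier pointer to unbound-control, both boil down to reading the cumulative counters and differencing them. The script below is an added example, not code from this thread or from Unbound: it computes queries per second and cache hits per second from two consecutive `unbound-control stats_noreset` snapshots, using the `time.now` stamp in the output as the clock. The two snapshots embedded in it are constructed, not captured from a real server, and the live loop assumes remote-control is enabled in unbound.conf.

```shell
#!/bin/sh
# Derive per-second rates from two consecutive `unbound-control stats_noreset`
# snapshots.  Added example for this thread; the snapshots below are
# constructed, not real server output.

SNAP1='thread0.num.queries=1500
total.num.queries=3000
total.num.cachehits=2400
time.now=1490000000.000000
time.elapsed=1.000000'

SNAP2='thread0.num.queries=3050
total.num.queries=6100
total.num.cachehits=4800
time.now=1490000001.000000
time.elapsed=1.000000'

# Extract one counter value from a snapshot held in a variable.
stat_value() {   # stat_value "<snapshot>" key
    printf '%s\n' "$1" | awk -F= -v k="$2" '$1 == k { print $2 }'
}

# Rate of a cumulative counter between two snapshots.  stats_noreset never
# zeroes the counters, so the delta is well defined; time.now carries the
# server's own timestamp, so a reconnect delay does not skew the result.
# Prints "nan" and fails when the second snapshot is not later than the first.
counter_rate() {  # counter_rate "<snap1>" "<snap2>" key
    awk -v a="$(stat_value "$1" "$3")" -v b="$(stat_value "$2" "$3")" \
        -v t0="$(stat_value "$1" time.now)" -v t1="$(stat_value "$2" time.now)" \
        'BEGIN { if (t1 <= t0) { print "nan"; exit 1 }
                 printf "%.0f\n", (b - a) / (t1 - t0) }'
}

qps()            { counter_rate "$1" "$2" total.num.queries; }
cache_hit_rate() { counter_rate "$1" "$2" total.num.cachehits; }

# Live loop: one line per second, ready to be appended to a file for graphing.
# Each unbound-control call is a fresh connection, as noted above.
poll_qps() {
    prev=$(unbound-control stats_noreset)
    while sleep 1; do
        cur=$(unbound-control stats_noreset)
        printf '%s qps=%s hits/s=%s\n' "$(date +%T)" \
            "$(qps "$prev" "$cur")" "$(cache_hit_rate "$prev" "$cur")"
        prev=$cur
    done
}
```

Run `poll_qps` under the daemon's control user and redirect its output to the file your graphing tool reads; using `stats` instead of `stats_noreset` would reset the counters on every read and make the per-thread numbers elsewhere meaningless.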