[ what i sent around internally, in case it is of help to others ]
Replacing BIND with Unbound on FreeBSD 2008.04.11
Unbound is a validating, recursive, and caching DNS resolver. It is
designed to be highly scalable and tunable for large ISP deployment.
The C implementation of Unbound is developed and maintained by NLnet
Labs. The source code is under a BSD License.
Here is how I have installed it on a few servers.
o Fetch unbound sources from <http://unbound.net/>
o gmake, and gmake install. They will not step on anything, so
this is safe
o adduser to create account and group unbound:unbound
o Edit /etc/syslog.conf to add
!unbound
*.* /var/log/named
Make sure there is a usable logfile.
# touch /var/log/named
# chown unbound:unbound /var/log/named
# /etc/rc.d/syslogd restart
And be sure your /etc/newsyslog.conf has /var/log/named in it. My
entry in /etc/newsyslog.conf looks like
# logfilename [owner:group] mode count size when flags
/var/log/named unbound:unbound 600 3 * 24 Z
o Edit /etc/unbound/unbound.conf to taste. I hacked as follows:
--- unbound.conf~ 2008-04-11 02:28:45.000000000 +0000
+++ unbound.conf 2008-04-11 03:33:50.000000000 +0000
@@ -17,7 +17,7 @@
# print statistics to the log (for every thread) every N seconds.
# Set to "" or 0 to disable. Default is disabled.
- # statistics-interval: 0
+ statistics-interval: 3600
# number of threads to create. 1 disables threading.
# num-threads: 1
@@ -30,6 +30,8 @@
# interface: 192.0.2.153
# interface: 192.0.2.154
# interface: 2001:DB8::5
+ interface: 0.0.0.0
+ interface: ::0
# enable this feature to copy the source address of queries to reply.
# Socket options not be supported on all platforms. experimental.
@@ -133,6 +135,11 @@
# access-control: ::0/0 refuse
# access-control: ::1 allow
# access-control: ::ffff:127.0.0.1 allow
+ access-control: 0.0.0.0/0 allow
+ access-control: 127.0.0.0/8 allow
+ access-control: ::0/0 allow
+ access-control: ::1 allow
+ access-control: ::ffff:127.0.0.1 allow
# if given, a chroot(2) is done to the given directory.
# i.e. you can chroot to the working directory, for example,
@@ -143,7 +150,7 @@
# if given, user privileges are dropped (after binding port),
# and the given username is assumed. Default is user "unbound".
# If you give "" no privileges are dropped.
- # username: "unbound"
+ username: "unbound"
# the working directory.
# directory: "/etc/unbound"
@@ -154,14 +161,14 @@
# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
# log to, with identity "unbound". If yes, it overrides the logfile.
- # use-syslog: yes
+ use-syslog: yes
# the pid file.
# pidfile: "/etc/unbound/unbound.pid"
# file to read root hints from.
# get one from ftp://FTP.INTERNIC.NET/domain/named.cache
- # root-hints: ""
+ root-hints: "root.ca"
# enable to not answer id.server and hostname.bind queries.
# hide-identity: no
o Get a root hints file and put it in /etc/unbound. From very old
habits, i called it root.ca, but call it anything just so the name
matches what you have in /etc/unbound/unbound.conf.
o # chown -R unbound:unbound /etc/unbound
o In /etc/rc.conf, comment out
#named_enable=YES # Run named, the DNS server (or NO).
And add
unbound_enable=YES
o Copy the boot-time startup script
# cp ${builddir}/contrib/rc_d_unbound /usr/local/etc/rc.d/unbound
o Kill the running copy of BIND
o Run it!
# /usr/local/etc/rc.d/unbound start
-30-
