This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
irc:openbsd:unbound [2019/11/09 10:39] jrmu removed |
irc:openbsd:unbound [2019/11/21 14:51] jrmu removed |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | Replace if0 with your own device name. Inside /etc/hostname.if0, put: | + | Unbound is a caching DNS resolver that comes as a part of OpenBSD base. You can use this to provide faster as well as more secure DNS lookup for the users on your network. |
| + | |||
| + | Here's a sample /var/unbound/etc/unbound.conf: | ||
| <code> | <code> | ||
| - | inet 192.169.1.2 255.255.255.0 | + | server: |
| - | inet alias 192.169.1.3 255.255.255.0 | + | interface: 127.0.0.1 # listen on localhost |
| - | inet6 2001:0db8:0000:0000:0000:0000:0000:0000 48 | + | interface: 192.168.1.1 # listen on 192.168.1.1 to provide DNS for users on a network |
| - | inet6 alias 2001:0db8:0000:0000:9b1d:3511:387e:143a 48 | + | interface: ::1 |
| - | inet6 alias 2001:0db8:0000:0000:1465:fed1:8daf:66ff 48 | + | #do-ip6: no |
| - | inet6 alias 2001:0db8:0000:0000:11b4:4a36:2941:d6bd 48 | + | |
| - | inet6 alias 2001:0db8:0000:0000:ad2c:5b99:2b1a:89d1 48 | + | access-control: 0.0.0.0/0 refuse # block all users by default |
| - | inet6 alias 2001:0db8:0000:0000:921d:28ad:4729:8d93 48 | + | access-control: 127.0.0.0/8 allow # allow localhost to use unbound |
| - | inet6 alias 2001:0db8:0000:0000:c9bb:45f7:c494:1fc1 48 | + | access-control: 192.168.0.0/16 allow # allow users on your network to use unbound |
| - | inet6 alias 2001:0db8:0000:0000:5142:9b81:dec2:186c 48 | + | access-control: ::0/0 refuse # block all IPv6 users by default |
| - | inet6 alias 2001:0db8:0000:0000:a118:dd85:a14f:72d7 48 | + | access-control: ::1 allow # allow IPv6 localhost to use unbound |
| - | inet6 alias 2001:0db8:0000:0000:91f2:4943:de98:c9d5 48 | + | |
| - | inet6 alias 2001:0db8:0000:0000:18a4:1ca3:5d31:2ddc 48 | + | hide-identity: yes |
| - | inet6 alias 2001:0db8:0000:0000:31af:1656:16cf:611a 48 | + | hide-version: yes |
| - | inet6 alias 2001:0db8:0000:0000:8d27:5b44:3e75:4b86 48 | + | |
| - | inet6 alias 2001:0db8:0000:0000:a259:79f6:fa54:a5e2 48 | + | remote-control: |
| - | inet6 alias 2001:0db8:0000:0000:59d8:f8ae:18a3:3644 48 | + | control-enable: yes |
| - | inet6 alias 2001:0db8:0000:0000:1dc7:c1c7:7b16:1151 48 | + | control-interface: /var/run/unbound.sock |
| - | inet6 alias 2001:0db8:0000:0000:1c46:b131:e9de:edc1 48 | + | |
| - | inet6 alias 2001:0db8:0000:0000:e72b:6165:b6fb:161f 48 | + | forward-zone: |
| - | inet6 alias 2001:0db8:0000:0000:244c:47c2:f8fd:4bc2 48 | + | name: "." |
| - | inet6 alias 2001:0db8:0000:0000:f664:e887:826d:64c5 48 | + | forward-addr: 185.117.154.144 |
| - | inet6 alias 2001:0db8:0000:0000:f8e7:1ca5:4852:9e78 48 | + | forward-addr: 165.227.40.43 |
| - | inet6 alias 2001:0db8:0000:0000:59e5:7568:ab7f:289f 48 | + | forward-addr: 217.144.132.169 |
| - | inet6 alias 2001:0db8:0000:0000:111e:6834:a1b1:64ff 48 | + | forward-addr: 212.237.22.141 |
| - | inet6 alias 2001:0db8:0000:0000:de32:1311:18d4:6f8b 48 | + | forward-addr: 165.227.108.86 |
| - | inet6 alias 2001:0db8:0000:0000:5714:1f81:156f:572b 48 | + | |
| - | inet6 alias 2001:0db8:0000:0000:2589:ad14:872a:fa94 48 | + | |
| - | inet6 alias 2001:0db8:0000:0000:5b15:e14f:812e:fa84 48 | + | |
| - | inet6 alias 2001:0db8:0000:0000:5982:9c11:c2eb:c6ed 48 | + | |
| - | inet6 alias 2001:0db8:0000:0000:abaf:88e4:69e1:f2a5 48 | + | |
| - | inet6 alias 2001:0db8:0000:0000:a52b:5de1:ceba:b65a 48 | + | |
| - | inet6 alias 2001:0db8:0000:0000:7e8b:f585:f2e7:66a1 48 | + | |
| - | inet6 alias 2001:0db8:0000:0000:46ad:1add:cb77:154b 48 | + | |
| - | inet6 alias 2001:0db8:0000:0000:b664:368a:d94b:3ce8 48 | + | |
| </code> | </code> | ||
| - | Sometimes, to restart networking, I will run: | + | The forward-addr lines indicate which nameserver unbound will query. You can find a list of public servers on [[https://servers.opennic.org/|OpenNIC]]. |
| + | To start unbound: | ||
| <code> | <code> | ||
| - | $ doas sh /etc/netstart | + | $ doas rcctl enable unbound |
| + | $ doas rcctl start unbound | ||
| </code> | </code> | ||
| - | But this doesn't seem to properly reset the networking sometimes. | + | For the computer that runs unbound, you'll want to make sure /etc/resolv.conf uses 127.0.0.1 as the nameserver (that is, you query unbound running on port 53). In /etc/resolv.conf: |
| + | |||
| + | <code> | ||
| + | nameserver 127.0.0.1 | ||
| + | lookup file bind | ||
| + | </code> | ||
| + | |||
| + | Check to make sure /etc/resolv.conf.tail does not contain any other name servers except 127.0.0.1. All your nameservers should instead be specified in /var/unbound/etc/unbound.conf. | ||
| + | |||
| + | If the computer running unbound uses DHCP for network configuration, you will want to include this line in /etc/dhclient.conf: | ||
| + | |||
| + | <code> | ||
| + | ignore domain-name-servers; | ||
| + | </code> | ||
| + | |||
| + | This tells OpenBSD's dhclient to ignore the name server provided by the dhcp server. | ||
| + | |||
| + | If the computer running unbound is also providing a dhcp server for your local network, you will want to add this line inside your /etc/dhcpd.conf blocks: | ||
| + | |||
| + | <code> | ||
| + | option domain-name-servers 192.168.1.1; | ||
| + | </code> | ||