Agenda: dns-unbound-config.txt

File dns-unbound-config.txt, 4.8 KB (added by admin, 7 years ago)
Configuring Unbound

1. Log in using SSH/Putty/... to your CACHE machine:

    (e.g. for group 1, you would use cache.grp1.ws.nsrc.org)

    $ ssh -l adm cache.grpXX.ws.nsrc.org

    *** PLEASE MAKE SURE YOU ARE LOGGED IN TO YOUR 'CACHE' MACHINE, AND ***
                      *** NOT IN YOUR 'MASTER' ***

2. On your CACHE machine (which you just logged into):

    $ cd /usr/local/etc/unbound/
    $ sudo cp unbound.conf.sample unbound.conf

    Now edit the file unbound.conf:

    NOTE: Here, remember to use your favorite editor: ee, jed, joe, vi, ...

    $ sudo ee unbound.conf
    or
    $ sudo vi unbound.conf

    ... and make the following changes:

    a) enable listening - find the lines with:

        # interface: ...
        # interface: ...

    and just under, add this line:

        interface: 0.0.0.0

    NOTE: This makes Unbound listen on every IPv4 address of the machine.
          Listening alone does not decide who may query; that is the job
          of access-control in the next step, which is what keeps this
          from becoming an open resolver.

    b) access control - find the lines with:

        # access-control: ...
        # access-control: ...

    and just under, add this line:

        access-control: 10.10.0.0/16 allow

    (Unbound's built-in policy refuses queries from anything other than
    localhost, so this line is what allows the lab network 10.10.0.0/16,
    and only that network, to use the cache.)

    c) chroot security - find the line

        # chroot: "/usr/local/etc/unbound"

    and just under, add this line:

        chroot: ""

    NOTE: We would normally not turn off chroot, which is a security
          mechanism that limits what a compromised Unbound process can
          reach on the filesystem, but we need to do this here in the lab,
          because of restrictions from the virtualization environment. In
          a production environment, we wouldn't do this.

    d) set the root-hints file - find the line with:

        # root-hints: ""

    and just under, add this line:

        root-hints: "/usr/local/etc/unbound/named.root"

    e) allow reverse lookups in the 10.in-addr.arpa zone - find the line with:

        # local-data-ptr: "192.0.2.3 www.example.com"

    and just under, add this line:

        local-zone: "10.in-addr.arpa." nodefault

    NOTE: Unbound ships with built-in local zones for the RFC 1918 reverse
          zones (10.in-addr.arpa among them) that answer PTR queries with
          NXDOMAIN without asking anybody. "nodefault" removes that
          built-in zone, so reverse lookups for the lab's 10.10.0.0/16
          addresses are resolved normally.

    f) enable remote control - find the line with:

        # control-enable: no

    and CHANGE it (by removing # in front) to:

        control-enable: yes

    - find the line with:

        # control-interface: 127.0.0.1

    and CHANGE it to:

        control-interface: 0.0.0.0

    NOTE: This exposes the unbound-control channel on every interface.
          The channel is protected by TLS and requires the client
          certificate generated in step 3, but outside the lab you would
          keep the default of 127.0.0.1 so that it is not reachable from
          the network at all.

    - find the line with:

        # control-port: 8953

    and CHANGE it to:

        control-port: 953

    - finally, uncomment the following lines:

        # server-key-file: "/usr/local/etc/unbound/unbound_server.key"
    becomes
        server-key-file: "/usr/local/etc/unbound/unbound_server.key"

        # server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"
    becomes
        server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"

        # control-key-file: "/usr/local/etc/unbound/unbound_control.key"
    becomes
        control-key-file: "/usr/local/etc/unbound/unbound_control.key"

        # control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"
    becomes
        control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"


    Save the file, exit.

    You still need to download a copy of the named.root hints file from
    your master host, like this:

        $ cd /usr/local/etc/unbound/
        $ sudo scp adm@master.grpXX.ws.nsrc.org:/etc/namedb/named.root .

        ... where XX is the number of your group

3. Create the control keys:

    $ sudo unbound-control-setup

    (This generates the four key and certificate files you referenced in
    step 2f, in /usr/local/etc/unbound.)

4. Test the configuration:

    $ sudo unbound-checkconf

5. Edit /etc/rc.conf and add:

    unbound_enable="YES"

6. Start unbound!

    $ sudo service unbound start

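The following is an added example, not part of the lab text or of Unbound itself: it writes out the complete server: and remote-control: sections that steps 2a-2f produce, so you can compare your file against it, and runs a small audit over the result that flags the settings a reviewer would question before such a file went anywhere near production (the two lab-only relaxations, plus version disclosure and the open-resolver combination of a 0.0.0.0 listener with a world-wide allow rule). Paths and the 10.10.0.0/16 network come from the lab; the audit rules are this example's own. It needs only POSIX sh, sed and awk, so it runs anywhere.

```shell
#!/bin/sh
# Added example, not part of the NSRC lab text: the finished unbound.conf that
# steps 2a-2f produce, written out in one piece, plus a small audit function
# that flags the settings a reviewer would question before such a file went
# anywhere near production. Paths and the 10.10.0.0/16 lab network come from
# the lab; the audit rules are this example's own. POSIX sh, sed and awk only.

# Write the lab's completed server: and remote-control: sections to the file $1.
write_lab_conf() {
    cat > "$1" <<'EOF'
server:
    # listen on every IPv4 address; the access-control line below is what
    # stops this from being an open resolver
    interface: 0.0.0.0
    access-control: 10.10.0.0/16 allow
    # lab only: the lab VM cannot chroot, production keeps the default
    chroot: ""
    root-hints: "/usr/local/etc/unbound/named.root"
    # remove the built-in 10.in-addr.arpa zone so lab PTR lookups recurse
    local-zone: "10.in-addr.arpa." nodefault

remote-control:
    control-enable: yes
    # lab only: production keeps the control channel on 127.0.0.1
    control-interface: 0.0.0.0
    control-port: 953
    server-key-file: "/usr/local/etc/unbound/unbound_server.key"
    server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"
    control-key-file: "/usr/local/etc/unbound/unbound_control.key"
    control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"
EOF
}

# Print the value(s) of directive $2 from the comment-free config text $1.
val() { printf '%s\n' "$1" | awk -v k="$2:" '$1 == k { print $2 }'; }

# True if any line of $1 names something other than a loopback address or a
# unix socket path (used for both interface: and control-interface:).
beyond_loopback() {
    printf '%s\n' "$1" |
        awk 'NF && !($1 ~ /^127\./ || $1 == "::1" || $1 ~ /^\//) { f = 1 } END { exit !f }'
}

# Audit the unbound.conf named by $1: one line per finding on stdout and the
# number of findings as exit status (0 = nothing to report). Comments are
# stripped first so the commented-out lines of unbound.conf.sample are not
# mistaken for live settings (assumes no '#' inside quoted values).
audit_conf() {
    conf=$(sed 's/#.*$//' "$1")
    n=0
    acls=$(printf '%s\n' "$conf" | awk '$1 == "access-control:" { print $2, $3 }')

    # 1) open resolver: a non-loopback listener plus an allow rule for everyone
    if beyond_loopback "$(val "$conf" interface)" &&
       printf '%s\n' "$acls" | awk '($1 == "0.0.0.0/0" || $1 == "::/0") && $2 ~ /^allow/ { f = 1 } END { exit !f }'
    then
        echo "CRITICAL: listens beyond loopback and allows 0.0.0.0/0 (open resolver)"
        n=$((n + 1))
    fi
    # 2) chroot switched off
    if [ "$(val "$conf" chroot)" = '""' ]; then
        echo "WARNING: chroot is disabled"
        n=$((n + 1))
    fi
    # 3) remote control reachable from the network (TLS + client cert still apply)
    if [ "$(val "$conf" control-enable)" = yes ] &&
       beyond_loopback "$(val "$conf" control-interface)"
    then
        echo "WARNING: control-interface is not loopback; unbound-control is network reachable"
        n=$((n + 1))
    fi
    # 4) version disclosure through 'dig version.bind txt chaos'
    if [ "$(val "$conf" hide-version)" != yes ]; then
        echo "INFO: hide-version not set; version.bind queries reveal the Unbound version"
        n=$((n + 1))
    fi
    return "$n"
}

# Demonstration: audit the lab file (3 findings: chroot, control interface,
# version), then a copy weakened to 'access-control: 0.0.0.0/0 allow'
# (4 findings, the CRITICAL open-resolver line added).
demo() {
    tmp=$(mktemp) || return 1
    write_lab_conf "$tmp"
    echo "== lab configuration =="
    audit_conf "$tmp" || :          # non-zero status is the finding count
    echo "== weakened copy =="
    sed 's#10.10.0.0/16 allow#0.0.0.0/0 allow#' "$tmp" > "$tmp.open"
    audit_conf "$tmp.open" || :
    rm -f "$tmp" "$tmp.open"
}
demo
```

To check your own file rather than the generated one, run `audit_conf /usr/local/etc/unbound/unbound.conf` after sourcing the functions; on the lab machine the two WARNING lines and the INFO line are expected, the CRITICAL line never is.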
7. Change your /etc/resolv.conf to use your newly configured Unbound,
   on this machine (CACHE); you will do the same on MASTER in step 9:

    $ sudo vi /etc/resolv.conf

    Change the nameserver line to:

        nameserver 10.10.XX.2

    ... where XX is the number of your group

8. Test

    $ dig
    $ dig noc.ws.nsrc.org

        (dig with no arguments asks for the root NS records.)

        Make sure you see SERVER: ...(10.10.XX.2) at the bottom of
        dig's output.

    $ dig version.bind txt chaos

    What does the output say?

    NOTE: By default Unbound answers this CHAOS-class query with its
          version string. Telling the world exactly which version you run
          makes an attacker's job a little easier, so production resolvers
          usually set "hide-version: yes" (and "hide-identity: yes") in
          the server: section, which makes Unbound refuse these queries.

9. Remember that in the previous lab, we configured BIND on the MASTER
   host to function as a recursive server?

   The problem is, we're not supposed to use BIND as our recursive server!

   So we need to go on our MASTER host, and change the resolv.conf.

   Log on to your master (master.grpXX.ws.nsrc.org), and change the
   /etc/resolv.conf so that it now uses your newly configured unbound:

    $ sudo ee /etc/resolv.conf

    And make it look like this:

        search ws.nsrc.org
        nameserver 10.10.XX.2

    ... where XX is the number of your group

    Then test that you can resolve *.ws.nsrc.org names:

    $ dig noc.ws.nsrc.org

    Check the SERVER: statement at the bottom of the dig output to
    make sure you are running with the correct server.

    Finally, turn off recursion on the MASTER host.

    Edit /etc/namedb/named.conf (sudo ee ...) and make the following changes:

    From this:

        allow-recursion { 127.0.0.1; 10.10.0.0/16; };

    To this:

        //allow-recursion { 127.0.0.1; 10.10.0.0/16; };
        recursion no;

    Save the file, and restart named:

    $ sudo service named restart

    NOTE: With "recursion no;" the MASTER answers only for the zones it is
          authoritative for, clears the "ra" (recursion available) flag in
          its responses, and refuses queries for other names. That is the
          right posture for an authoritative server: recursion is the
          cache's job, and an authoritative server that also recurses for
          clients is a larger target for cache poisoning.
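
The following is an added example, not part of the lab text: it turns the two things steps 8 and 9 ask you to read off dig's output by eye (the SERVER: line on the CACHE, and the loss of recursion on the MASTER after "recursion no;") into checks a script can run. Each check takes captured dig output as its first argument, so on the lab machines you feed it `$(dig noc.ws.nsrc.org)`. The sample outputs embedded below are constructed for group 1 and abridged to the header and footer lines the checks read; the MASTER address 10.10.1.1, the answer 10.10.0.250 and the query ids are assumptions, not lab data, and the check for the MASTER assumes it is queried for a name it is not authoritative for.

```shell
#!/bin/sh
# Added example, not from the NSRC lab text: scriptable versions of the checks
# steps 8 and 9 ask you to do by eye on dig's output. Each check takes captured
# dig output as $1. The sample outputs are constructed for group 1; the MASTER
# address 10.10.1.1 and the answer 10.10.0.250 are assumptions, not lab data.

# Header fields from captured dig output ($1).
dig_status() { printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p'; }
dig_flags()  { printf '%s\n' "$1" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p'; }
dig_server() { printf '%s\n' "$1" | sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p'; }
has_flag()   { printf ' %s \n' "$(dig_flags "$1")" | grep -q " $2 "; }

# Step 8: the answer must come back NOERROR, with recursion available (ra),
# from the resolver we expect ($2) rather than from whatever resolv.conf
# pointed at before.
check_recursive_answer() {
    [ "$(dig_status "$1")" = NOERROR ] &&
    has_flag "$1" ra &&
    [ "$(dig_server "$1")" = "$2" ]
}

# Step 9: after 'recursion no;' the MASTER must stop offering recursion. For a
# name it is not authoritative for, the ra flag is gone and the status is no
# longer NOERROR (BIND answers REFUSED).
check_recursion_off() {
    ! has_flag "$1" ra && [ "$(dig_status "$1")" != NOERROR ]
}

# --- constructed sample output (group 1), abridged to the lines read above ---
CACHE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
noc.ws.nsrc.org.        3600    IN      A       10.10.0.250

;; SERVER: 10.10.1.2#53(10.10.1.2)'

# The state step 9 fixes: the MASTER (assumed 10.10.1.1) still recursing.
MASTER_RECURSING=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 10.10.1.1#53(10.10.1.1)'

# The MASTER after 'recursion no;' and a restart of named.
MASTER_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4713
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; SERVER: 10.10.1.1#53(10.10.1.1)'

report() { if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; fi; }
report check_recursive_answer "$CACHE_OK" 10.10.1.2          # PASS
report check_recursive_answer "$MASTER_RECURSING" 10.10.1.2  # FAIL: answered by the MASTER
report check_recursion_off "$MASTER_REFUSED"                 # PASS
report check_recursion_off "$MASTER_RECURSING"               # FAIL: ra still set
```

On the lab machines, source the functions and run them against live output, for example `out=$(dig noc.ws.nsrc.org); check_recursive_answer "$out" 10.10.XX.2 && echo "cache OK"` on the CACHE, and `out=$(dig @master.grpXX.ws.nsrc.org noc.ws.nsrc.org); check_recursion_off "$out" && echo "recursion off"` once named has been restarted.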