Agenda: dns-unbound-config.txt

File dns-unbound-config.txt, 4.9 KB (added by admin, 6 years ago)
Configuring Unbound
-------------------

1. Log in using SSH/PuTTY/... to your RESOLVER machine:

    (i.e. for group 1, you would use resolv.grp1.ws.nsrc.org)

    $ ssh -l adm resolv.grpXX.ws.nsrc.org

    *** PLEASE MAKE SURE YOU ARE LOGGED IN TO YOUR 'RESOLV' MACHINE, AND ***
    ***                  NOT IN YOUR 'AUTH1' or 'AUTH2'                  ***

2. On your RESOLV machine (which you just logged into):

    $ cd /usr/local/etc/unbound/
    $ sudo cp unbound.conf.sample unbound.conf

    Now edit the file unbound.conf:

    NOTE: Here, remember to use your favorite editor: ee, jed, joe, vi, ...

    $ sudo ee unbound.conf
    or
    $ sudo vi unbound.conf

    ... and make the following changes:

    a) enable listening - find the lines with:

        # interface: ...
        # interface: ...

    and just under, add this line:

        interface: 0.0.0.0

    b) access control - find the lines with:

        # access-control: ...
        # access-control: ...

    and just under, add this line:

        access-control: 10.10.0.0/16 allow

    This allows queries from the lab network only; Unbound refuses queries
    from any address that is not explicitly allowed.

    c) chroot security - find the line

        # chroot: "/usr/local/etc/unbound"

    and just under, add this line:

        chroot: ""

    NOTE: We would normally not turn off chroot, which is a security
          mechanism, but we need to do this here in the lab, because of
          restrictions from the virtualization environment. In a production
          environment, we wouldn't do this.

    d) set the root-hints file - find the line with:

        # root-hints: ""

    and just under, add this line:

        root-hints: "/usr/local/etc/unbound/named.root"

    e) re-enable the 10.in-addr.arpa zone - find the line with:

        # local-data-ptr: "192.0.2.3 www.example.com"

    and just under, add this line:

        local-zone: "10.in-addr.arpa." nodefault

    f) enable remote control - find the line with:

        # control-enable: no

    and CHANGE it (by removing the # in front) to:

        control-enable: yes

    - find the line with:

        # control-interface: 127.0.0.1

    and CHANGE it to:

        control-interface: 0.0.0.0

    - find the line with:

        # control-port: 8953

    and CHANGE it to:

        control-port: 953

    - finally, uncomment the following lines:

        # server-key-file: "/usr/local/etc/unbound/unbound_server.key"
    becomes
        server-key-file: "/usr/local/etc/unbound/unbound_server.key"

        # server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"
    becomes
        server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"

        # control-key-file: "/usr/local/etc/unbound/unbound_control.key"
    becomes
        control-key-file: "/usr/local/etc/unbound/unbound_control.key"

        # control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"
    becomes
        control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"


    Save the file and exit.

    You still need to copy the named.root root hints file to where Unbound
    can find it:

        $ cd /usr/local/etc/unbound
        $ sudo cp /etc/namedb/named.root .

3. Create the control keys:

    $ sudo unbound-control-setup

4. Test the configuration:

    $ sudo unbound-checkconf
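
    unbound-checkconf validates the syntax of unbound.conf but says nothing
    about whether the settings are sensible. The script below is an added
    example, not part of the NSRC lab handout: it applies the step-2 edits
    with awk to a constructed stand-in for unbound.conf.sample (holding only
    the commented lines the lab tells you to find), then audits the result
    and reports the settings that are acceptable in the lab but not in
    production: the disabled chroot, the remote-control socket bound to
    0.0.0.0 (reachable from the network, protected only by the certificates
    unbound-control-setup generates), and hide-version left unset (Unbound
    answers version.bind by default, which is what the dig query in step 8
    shows). It also flags an access-control line that would allow the whole
    Internet, i.e. an open resolver. Paths and values are those named in the
    lab; the sample file, function names and the audit rules are assumptions
    made for this example.

```shell
#!/bin/sh
# Added example, not part of the NSRC lab handout. Reproduces the step-2
# edits on a CONSTRUCTED stand-in for unbound.conf.sample, then audits the
# result for the settings the lab deliberately relaxes.
# Assumptions: paths and values are those named in the lab; the sample
# below is not the real unbound.conf.sample shipped with the port.
set -eu

# Constructed minimal stand-in: only the commented lines the lab tells you to find.
write_sample_conf() {
    cat > "$1" <<'EOF'
server:
    # interface: 192.0.2.153
    # interface: 192.0.2.154
    # access-control: 127.0.0.0/8 allow
    # chroot: "/usr/local/etc/unbound"
    # root-hints: ""
    # local-data-ptr: "192.0.2.3 www.example.com"
remote-control:
    # control-enable: no
    # control-interface: 127.0.0.1
    # control-port: 8953
    # server-key-file: "/usr/local/etc/unbound/unbound_server.key"
    # server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"
    # control-key-file: "/usr/local/etc/unbound/unbound_control.key"
    # control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"
EOF
}

# Apply the lab's edits: "add just under" for the server: keys (emitted once,
# after the last commented line of each group) and in-place changes for the
# remote-control: keys. Usage: apply_lab_edits SAMPLE OUTPUT
apply_lab_edits() {
    awk '
    function flush() { if (pending != "") { print pending; pending = "" } }
    {
        add = ""
        if ($0 ~ /^[ \t]*# interface:/)           add = "    interface: 0.0.0.0"
        else if ($0 ~ /^[ \t]*# access-control:/) add = "    access-control: 10.10.0.0/16 allow"
        else if ($0 ~ /^[ \t]*# chroot:/)         add = "    chroot: \"\""
        else if ($0 ~ /^[ \t]*# root-hints:/)     add = "    root-hints: \"/usr/local/etc/unbound/named.root\""
        else if ($0 ~ /^[ \t]*# local-data-ptr:/) add = "    local-zone: \"10.in-addr.arpa.\" nodefault"
        if (add != pending) flush()   # left a group of commented lines: emit its addition
        if ($0 ~ /^[ \t]*# control-enable:/)         $0 = "    control-enable: yes"
        else if ($0 ~ /^[ \t]*# control-interface:/) $0 = "    control-interface: 0.0.0.0"
        else if ($0 ~ /^[ \t]*# control-port:/)      $0 = "    control-port: 953"
        else if ($0 ~ /^[ \t]*# (server|control)-(key|cert)-file:/) sub(/# /, "")
        print
        if (add != "") pending = add
    }
    END { flush() }' "$1" > "$2"
}

# Audit an unbound.conf for lab-only relaxations. Prints one line per finding
# and returns the number of findings (0 = nothing to report).
audit_unbound_conf() {
    conf=$1
    n=0
    if grep -q '^[[:space:]]*chroot:[[:space:]]*""' "$conf"; then
        echo "chroot disabled (chroot: \"\") - lab-only; keep the chroot in production"
        n=$((n + 1))
    fi
    if grep -q '^[[:space:]]*control-interface:' "$conf" &&
       ! grep -Eq '^[[:space:]]*control-interface:[[:space:]]*(127\.0\.0\.1|::1)([[:space:]]|$)' "$conf"; then
        echo "remote control bound to a non-loopback address - reachable from the network"
        n=$((n + 1))
    fi
    if grep -Eq '^[[:space:]]*access-control:[[:space:]]*(0\.0\.0\.0/0|::/0)[[:space:]]+allow' "$conf"; then
        echo "access-control allows the whole Internet - open resolver"
        n=$((n + 1))
    fi
    if ! grep -Eq '^[[:space:]]*hide-version:[[:space:]]*yes' "$conf"; then
        echo "hide-version not set to yes - version.bind TXT CHAOS queries are answered (Unbound default)"
        n=$((n + 1))
    fi
    return $n
}

# Stand-alone demonstration on the constructed sample.
WORK=$(mktemp -d)
write_sample_conf "$WORK/unbound.conf.sample"
apply_lab_edits "$WORK/unbound.conf.sample" "$WORK/unbound.conf"
echo "== resulting unbound.conf =="
cat "$WORK/unbound.conf"
echo "== audit =="
audit_unbound_conf "$WORK/unbound.conf" || echo "$? finding(s): expected in the lab, not in production"
rm -rf "$WORK"
```

    On a real machine, `audit_unbound_conf /usr/local/etc/unbound/unbound.conf`
    runs the same checks; the exit status is the number of findings, so it
    slots into a shell conditional directly.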

5. Edit /etc/rc.conf and add:

    unbound_enable="YES"

6. Start Unbound:

    $ sudo service unbound start

7. Change your /etc/resolv.conf to use your newly configured Unbound,
   not only on this machine (RESOLV) but on AUTH1 and AUTH2 as well:

    $ sudo vi /etc/resolv.conf

    Change the nameserver line to:

        nameserver 10.10.XX.3

    ... where XX is the number of your group

8. Test

    $ dig
    $ dig noc.ws.nsrc.org

        Make sure you see SERVER: ...(10.10.XX.3) at the bottom of
        dig's output.

    $ dig version.bind txt chaos

    What does the output say?

9. In a previous lab, you may have configured BIND on the AUTH1 host
   to function as a recursive resolver.

   If so, now is the time to turn it off.

   NOTE: You do NOT need to do this unless you have enabled recursion
   in your BIND config.

   So we need to go to our AUTH1 host and change its resolv.conf.

   Log on to your master (auth1.grpX.ws.nsrc.org), and change the
   /etc/resolv.conf so that it now uses your newly configured Unbound:

    $ sudo ee /etc/resolv.conf

   And make it look like this:

    search ws.nsrc.org
    nameserver 10.10.X.3

    ... where X is the number of your group

    Then test that you can resolve *.ws.nsrc.org names:

    $ dig noc.ws.nsrc.org

    Check the SERVER: statement at the bottom of the dig output to
    make sure you are running with the correct server.

    Finally, turn off recursion on the AUTH1 host.

    Edit /etc/namedb/named.conf (sudo ee ...) and make the following changes:

    From this:

        allow-recursion { 127.0.0.1; 10.10.0.0/16; };

    To this:

        // allow-recursion { 127.0.0.1; 10.10.0.0/16; };
        recursion no;

    If these statements aren't there, don't worry, just skip this step!

    Save the file, and restart named:

    $ sudo service named restart