Agenda: dns-unbound-config.txt

File dns-unbound-config.txt, 6.6 KB (added by trac, 5 years ago)
Configuring Unbound
-------------------

1. Log in using SSH/PuTTY/... to your RESOLVER machine:

    (e.g. for group 1, you would use resolv.grp1.dns.nsrc.org)

    $ ssh sysadm@resolv.grpXX.dns.nsrc.org

    *** PLEASE MAKE SURE YOU ARE LOGGED IN TO YOUR 'RESOLV' MACHINE, AND ***
                  *** NOT IN YOUR 'AUTH1' or 'AUTH2' ***

2. On your RESOLVER machine (which you just logged into):

    $ cd /usr/local/etc/unbound/

    Now you have TWO choices. You can either create unbound.conf from
    scratch, using the example below (option I), or, if you feel comfortable
    doing so, copy unbound.conf.sample to unbound.conf and edit it by hand
    (option II).

    The easiest is option I - your choice!

    Option I:

    If you want to save time:

    Create the file unbound.conf, and copy and paste the data below:

--------------------------- copy below here -----------------------------

server:
        verbosity: 1
        # specify the interfaces to answer queries from by ip-address.
        interface: 0.0.0.0

        # control which clients are allowed to make (recursive) queries.
        # Unbound's default refuses everything except loopback, so this
        # line is what opens the resolver to the lab network. Never use
        # 0.0.0.0/0 here: that would make an open resolver.
        access-control: 10.20.0.0/16 allow

        # If you give "" no chroot is performed. The path must not end in a /.
        # Disabled here only because of the lab virtualization environment;
        # see the NOTE under option II.
        chroot: ""

        # file to read root hints from.
        root-hints: "/usr/local/etc/unbound/named.root"

        # a number of locally served zones can be configured. Unbound serves
        # empty answers for RFC 1918 reverse zones by default; "nodefault"
        # lets the lab's 20.10.in-addr.arpa reverse lookups through.
        local-zone: "20.10.in-addr.arpa." nodefault

remote-control:

        # Enable remote control with unbound-control(8) here.
        control-enable: yes

        # what interfaces are listened to for remote control.
        # 0.0.0.0 exposes the control channel to the whole lab network; it
        # is protected only by the TLS client certificate created in step 3.
        # Outside the lab keep the default, 127.0.0.1.
        control-interface: 0.0.0.0

        # port number for remote control operations (the default is 8953).
        control-port: 953

        # unbound control files
        server-key-file: "/usr/local/etc/unbound/unbound_server.key"
        server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"
        control-key-file: "/usr/local/etc/unbound/unbound_control.key"
        control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"

--------------------------- copy above here -----------------------------

    Option II:

    If you'd rather make the changes yourself (otherwise skip to the
    next step):

    $ sudo cp unbound.conf.sample unbound.conf

    NOTE: Here, remember to use your favorite editor: ee, jed, joe, vi, ...

    $ sudo ee unbound.conf
    or
    $ sudo vi unbound.conf

    ... and make the following changes:

    a) enable listening - find the lines with:

        # interface: ...
        # interface: ...

    and just under, add this line:

        interface: 0.0.0.0

    b) access control - find the lines with:

        # access-control: ...
        # access-control: ...

    and just under, add this line:

        access-control: 10.20.0.0/16 allow

    NOTE: Unbound's default access-control refuses every client except
          loopback, so without this line only the RESOLV host itself
          could query. Do not widen it to 0.0.0.0/0: that would make
          your resolver an open resolver that anyone on the Internet can
          use, and abuse for amplification attacks.

    c) chroot security - find the line

        # chroot: "/usr/local/etc/unbound"

    and just under, add this line:

        chroot: ""

    NOTE: We would normally not turn off chroot, which is a security
          mechanism (it confines the unbound process to its config
          directory, so a compromise of unbound exposes less of the
          filesystem), but we need to do this here in the lab because of
          restrictions from the virtualization environment. In a
          production environment we wouldn't do this.

    d) set the root-hints file - find the line with:

        # root-hints: ""

    and just under, add this line:

        root-hints: "/usr/local/etc/unbound/named.root"

    e) re-enable the 20.10.in-addr.arpa zone (Unbound serves empty
       answers for RFC 1918 reverse zones by default) - find the line with:

        # local-data-ptr: "192.0.2.3 www.example.com"

    and just under, add this line:

        local-zone: "20.10.in-addr.arpa." nodefault

    f) enable remote control - find the line with:

        # control-enable: no

    and CHANGE it (remove the # in front and change "no" to "yes") to:

        control-enable: yes

    - find the line with:

        # control-interface: 127.0.0.1

    and CHANGE it to:

        control-interface: 0.0.0.0

    NOTE: This exposes the control channel to the whole lab network. It
          is protected by the TLS client certificate that
          unbound-control-setup creates in step 3, but in production you
          would keep the default, 127.0.0.1.

    - find the line with:

        # control-port: 8953

    and CHANGE it to:

        control-port: 953

    - finally, uncomment the 4 following lines:

        # server-key-file: "/usr/local/etc/unbound/unbound_server.key"
    becomes
        server-key-file: "/usr/local/etc/unbound/unbound_server.key"

        # server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"
    becomes
        server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"

        # control-key-file: "/usr/local/etc/unbound/unbound_control.key"
    becomes
        control-key-file: "/usr/local/etc/unbound/unbound_control.key"

        # control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"
    becomes
        control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"


    Save the file, exit.

    Whichever option you chose, you still need to copy the named.root
    root hints file to where unbound can find it (the root-hints line
    above points at it):

        $ cd /usr/local/etc/unbound
        $ sudo cp /etc/namedb/named.root .
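As an added example (not part of the NSRC lab text), here is a small shell audit of the settings this step changes, run over three constructed unbound.conf fragments: the lab configuration from option I / option II, a hardened variant as you would write it in production, and a deliberately open one. It uses only sh, awk and printf, so it runs anywhere. The lab addresses and paths are the lab's own; the hardened values (the chroot path, a loopback-only control channel, hide-version and hide-identity) are the usual production choices and are assumptions, not something the lab prescribes.

```shell
#!/bin/sh
# Added example, not part of the NSRC lab: audit an unbound.conf for the
# settings this lab changes. Three constructed configs are embedded below;
# none of them is a file copied from a lab machine.

# The lab configuration (lab-only weakenings included).
LAB_CONF=$(cat <<'EOF'
server:
        verbosity: 1
        interface: 0.0.0.0
        access-control: 10.20.0.0/16 allow
        chroot: ""
        root-hints: "/usr/local/etc/unbound/named.root"
        local-zone: "20.10.in-addr.arpa." nodefault
remote-control:
        control-enable: yes
        control-interface: 0.0.0.0
        control-port: 953
EOF
)

# The same resolver as you would run it outside the lab (assumed values:
# chroot path, loopback-only control channel, hide-version/hide-identity).
HARDENED_CONF=$(cat <<'EOF'
server:
        verbosity: 1
        interface: 0.0.0.0
        access-control: 10.20.0.0/16 allow
        chroot: "/usr/local/etc/unbound"
        root-hints: "/usr/local/etc/unbound/named.root"
        hide-version: yes
        hide-identity: yes
remote-control:
        control-enable: yes
        control-interface: 127.0.0.1   # the default; unbound-control runs locally
EOF
)

# What you get by "fixing" a REFUSED answer the wrong way: an open resolver.
OPEN_CONF=$(cat <<'EOF'
server:
        interface: 0.0.0.0
        access-control: 0.0.0.0/0 allow
EOF
)

# audit_unbound_conf CONFIG_TEXT: print one finding per line (none if clean).
# Comments are stripped, keys matched after trimming, values unquoted.
audit_unbound_conf() {
    printf '%s\n' "$1" | awk '
    {
        sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "")
        if ($0 == "") next
        key = $1; sub(/:$/, "", key)
        val = $0; sub(/^[^:]*:[ \t]*/, "", val); gsub(/"/, "", val)
        if (key == "control-enable") { control_enable = val; next }
        if (key == "control-interface") { if (val != "127.0.0.1" && val != "::1") exposed = exposed " " val; next }
        if (key == "chroot") { seen_chroot = 1; chroot = val; next }
        if (key == "interface") { if (val == "0.0.0.0" || val == "::0" || val == "::") all_if = 1; next }
        if (key == "hide-version") { hide_version = val; next }
        if (key == "access-control") {
            split(val, f, /[ \t]+/)
            if (f[2] == "allow" || f[2] == "allow_snoop") {
                allows++
                if (f[1] == "0.0.0.0/0" || f[1] == "::0/0" || f[1] == "::/0") open = open " " f[1]
            }
        }
    }
    END {
        if (control_enable == "yes" && exposed != "")
            print "HIGH remote-control reachable beyond loopback (control-interface:" exposed ")"
        if (open != "")
            print "HIGH open resolver: access-control allows" open
        if (seen_chroot && chroot == "")
            print "MEDIUM chroot disabled (chroot: \"\")"
        if (all_if && allows == 0)
            print "INFO listens on all interfaces but has no access-control allow: only loopback clients are answered"
        if (hide_version != "yes")
            print "LOW hide-version not set: version.bind CH TXT reveals the Unbound version"
    }'
}

# count_findings CONFIG_TEXT: number of findings (0 means clean).
count_findings() { audit_unbound_conf "$1" | awk 'END { print NR }'; }

for name in LAB_CONF HARDENED_CONF OPEN_CONF; do
    eval "cfg=\$$name"
    printf '== %s: %s finding(s) ==\n' "$name" "$(count_findings "$cfg")"
    audit_unbound_conf "$cfg"
done
```

Run it as-is to see the three reports; to audit a real file, call audit_unbound_conf "$(cat /usr/local/etc/unbound/unbound.conf)". The lab config produces exactly the three findings the text warns about (exposed control channel, no chroot, version exposed); the hardened one produces none.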

3. Create the control keys (the TLS server and client certificates that
   protect the unbound-control channel):

    $ sudo unbound-control-setup

4. Test the configuration:

    $ sudo unbound-checkconf

5. Edit /etc/rc.conf and add:

    unbound_enable="YES"

6. Start unbound!

    $ sudo service unbound start

7. Change your /etc/resolv.conf to use your newly configured Unbound,
   on this machine (RESOLV), and on AUTH1 and AUTH2 as well (step 9
   covers AUTH1):

    $ sudo vi /etc/resolv.conf

    Change the nameserver line to:

        nameserver 10.20.XX.3

    ... where XX is the number of your group

8. Test

    $ dig
    $ dig noc.dns.nsrc.org

        Make sure you see SERVER: ...(10.20.XX.3) at the bottom of
        dig's output, and that the "flags:" line contains "ra"
        (recursion available).

    $ dig version.bind txt chaos

    What does the output say? Unbound answers this CHAOS-class query
    with its version string unless hide-version: yes is set in the
    server: section (hide-identity: yes does the same for
    hostname.bind); production resolvers usually hide both.

9. Make sure that BIND on the AUTH1 host is NOT recursive.

   NOTE: You only need to do this if you have enabled recursion in your
   BIND config. Mixing the two roles is bad practice: a recursive server
   keeps a cache that can be poisoned, and an open recursive server can
   be abused for reflection attacks, so AUTH1 should answer only for its
   own zones and leave recursion to RESOLV.

   Before turning recursion off, point AUTH1's own resolver at the
   unbound you just configured, so the host itself can still resolve
   names.

   Log on to your master (auth1.grpX.dns.nsrc.org), and change the
   /etc/resolv.conf so that it now uses your newly configured unbound:

    $ sudo ee /etc/resolv.conf

   And make it look like this:

    search dns.nsrc.org
    nameserver 10.20.X.3

    ... where X is the number of your group

    Then test that you can resolve *.dns.nsrc.org names:

    $ dig noc.dns.nsrc.org

    Check the SERVER: statement at the bottom of the dig output to
    make sure you are running with the correct server (10.20.X.3, not
    127.0.0.1).

    Finally, turn off recursion on the AUTH1 host.

    Edit /etc/namedb/named.conf (sudo ee ...) and make the following
    change in the options { ... } block:

    From this:

allow-recursion { 127.0.0.1; 10.20.0.0/16; };

    To this:

// allow-recursion { 127.0.0.1; 10.20.0.0/16; };
recursion no;

    If these statements aren't there, don't worry, just skip this step!

    Save the file, and restart named:

    $ sudo service named restart

    Then check that AUTH1 no longer recurses: ask it for a name it is not
    authoritative for and look at the answer.

    $ dig @auth1.grpX.dns.nsrc.org www.example.com

    The "flags:" line must NOT contain "ra", and the status should be
    REFUSED. If you still see "ra", recursion is still on.
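As an added example (not part of the NSRC lab text), here is a shell checker for the dig output of steps 8 and 9 so the SERVER line, the "ra" flag and the version.bind answer are verified mechanically instead of by eye. The three dig outputs embedded below are constructed samples in dig's text format, not captures from the lab network; 10.20.1.3 is group 1's RESOLV as the lab numbers it, while 10.20.1.1 (taken here to be group 1's AUTH1), 192.0.2.10 and the version string "unbound 1.2.3" are placeholders I chose for the example.

```shell
#!/bin/sh
# Added example, not part of the NSRC lab: check dig output for steps 8 and 9
# without eyeballing it. The three dig outputs below are constructed samples
# in dig's text format, not captures; 10.20.1.1 (assumed AUTH1 of group 1),
# 192.0.2.10 and the version string "unbound 1.2.3" are placeholders.

# 'dig noc.dns.nsrc.org' on RESOLV after step 7: answered by unbound, recursive.
RESOLV_OUT=$(cat <<'EOF'
; <<>> DiG <<>> noc.dns.nsrc.org
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;noc.dns.nsrc.org.              IN      A

;; ANSWER SECTION:
noc.dns.nsrc.org.       3600    IN      A       192.0.2.10

;; Query time: 3 msec
;; SERVER: 10.20.1.3#53(10.20.1.3)
;; MSG SIZE  rcvd: 61
EOF
)

# 'dig @10.20.1.1 www.example.com' after step 9: AUTH1 is not authoritative
# for example.com and no longer recurses, so it refuses and clears 'ra'.
AUTH1_OUT=$(cat <<'EOF'
; <<>> DiG <<>> @10.20.1.1 www.example.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4243
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;www.example.com.               IN      A

;; Query time: 1 msec
;; SERVER: 10.20.1.1#53(10.20.1.1)
;; MSG SIZE  rcvd: 44
EOF
)

# 'dig version.bind txt chaos' against RESOLV (step 8).
VERSION_OUT=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
version.bind.           0       CH      TXT     "unbound 1.2.3"

;; SERVER: 10.20.1.3#53(10.20.1.3)
EOF
)

# Field extractors; each takes the full dig output as $1.
dig_status() { printf '%s\n' "$1" | awk '/->>HEADER<<-/ { sub(/.*status: /, ""); sub(/,.*/, ""); print; exit }'; }
dig_flags()  { printf '%s\n' "$1" | awk '/^;; flags:/ { sub(/^;; flags: */, ""); sub(/;.*/, ""); print; exit }'; }
dig_server() { printf '%s\n' "$1" | awk '/^;; SERVER:/ { s = $3; sub(/#.*/, "", s); print s; exit }'; }
# dig_has_flag OUTPUT FLAG: true if FLAG (qr, aa, rd, ra, ...) is on the flags line.
dig_has_flag() { case " $(dig_flags "$1") " in *" $2 "*) return 0 ;; *) return 1 ;; esac; }
# dig_txt_answer OUTPUT: the quoted string of the first CH TXT answer record.
dig_txt_answer() { printf '%s\n' "$1" | awk '$3 == "CH" && $4 == "TXT" { sub(/^[^"]*"/, ""); sub(/"[^"]*$/, ""); print; exit }'; }

# Step 8: the answer must come from your resolver, recursively, with NOERROR.
resolver_verdict() {  # $1 = dig output, $2 = expected resolver IP
    srv=$(dig_server "$1")
    if [ "$srv" != "$2" ]; then echo "WRONG SERVER: answered by $srv, expected $2"
    elif ! dig_has_flag "$1" ra; then echo "NOT RECURSIVE: $srv answered without the ra flag"
    elif [ "$(dig_status "$1")" != "NOERROR" ]; then echo "FAILED: status $(dig_status "$1") from $srv"
    else echo "OK: $srv answered recursively"
    fi
}

# Step 9: an authoritative server must not advertise recursion (ra) to anyone.
auth_recursion_verdict() {
    if dig_has_flag "$1" ra; then echo "OPEN: server advertises recursion (ra flag set)"
    elif [ "$(dig_status "$1")" = "REFUSED" ]; then echo "CLOSED: recursion off, out-of-zone query refused"
    else echo "CLOSED: ra flag absent (status $(dig_status "$1"))"
    fi
}

printf 'step 8 (RESOLV): %s\n' "$(resolver_verdict "$RESOLV_OUT" 10.20.1.3)"
printf 'step 9 (AUTH1):  %s\n' "$(auth_recursion_verdict "$AUTH1_OUT")"
printf 'version.bind:    %s\n' "$(dig_txt_answer "$VERSION_OUT")"
```

Against a live machine, feed real output in with e.g. resolver_verdict "$(dig noc.dns.nsrc.org)" 10.20.XX.3 and auth_recursion_verdict "$(dig @auth1.grpXX.dns.nsrc.org www.example.com)". The "ra" flag is the decisive signal for step 9: a server that has recursion disabled clears it whatever else it puts in the answer, so a REFUSED status alone is not enough to declare AUTH1 closed.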