This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision | |||
|
irc:openbsd:unbound [2019/11/21 14:51] jrmu removed |
— (current) | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | Unbound is a caching DNS resolver that comes as a part of OpenBSD base. You can use this to provide faster as well as more secure DNS lookup for the users on your network. | ||
| - | Here's a sample /var/unbound/etc/unbound.conf: | ||
| - | |||
| - | <code> | ||
| - | server: | ||
| - | interface: 127.0.0.1 # listen on localhost | ||
| - | interface: 192.168.1.1 # listen on 192.168.1.1 to provide DNS for users on a network | ||
| - | interface: ::1 | ||
| - | #do-ip6: no | ||
| - | |||
| - | access-control: 0.0.0.0/0 refuse # block all users by default | ||
| - | access-control: 127.0.0.0/8 allow # allow localhost to use unbound | ||
| - | access-control: 192.168.0.0/16 allow # allow users on your network to use unbound | ||
| - | access-control: ::0/0 refuse # block all IPv6 users by default | ||
| - | access-control: ::1 allow # allow IPv6 localhost to use unbound | ||
| - | |||
| - | hide-identity: yes | ||
| - | hide-version: yes | ||
| - | |||
| - | remote-control: | ||
| - | control-enable: yes | ||
| - | control-interface: /var/run/unbound.sock | ||
| - | |||
| - | forward-zone: | ||
| - | name: "." | ||
| - | forward-addr: 185.117.154.144 | ||
| - | forward-addr: 165.227.40.43 | ||
| - | forward-addr: 217.144.132.169 | ||
| - | forward-addr: 212.237.22.141 | ||
| - | forward-addr: 165.227.108.86 | ||
| - | </code> | ||
| - | |||
| - | The forward-addr lines indicate which nameserver unbound will query. You can find a list of public servers on [[https://servers.opennic.org/|OpenNIC]]. | ||
| - | |||
| - | To start unbound: | ||
| - | <code> | ||
| - | $ doas rcctl enable unbound | ||
| - | $ doas rcctl start unbound | ||
| - | </code> | ||
| - | |||
| - | For the computer that runs unbound, you'll want to make sure /etc/resolv.conf uses 127.0.0.1 as the nameserver (that is, you query unbound running on port 53). In /etc/resolv.conf: | ||
| - | |||
| - | <code> | ||
| - | nameserver 127.0.0.1 | ||
| - | lookup file bind | ||
| - | </code> | ||
| - | |||
| - | Check to make sure /etc/resolv.conf.tail does not contain any other name servers except 127.0.0.1. All your nameservers should instead be specified in /var/unbound/etc/unbound.conf. | ||
| - | |||
| - | If the computer running unbound uses DHCP for network configuration, you will want to include this line in /etc/dhclient.conf: | ||
| - | |||
| - | <code> | ||
| - | ignore domain-name-servers; | ||
| - | </code> | ||
| - | |||
| - | This tells OpenBSD's dhclient to ignore the name server provided by the dhcp server. | ||
| - | |||
| - | If the computer running unbound is also providing a dhcp server for your local network, you will want to add this line inside your /etc/dhcpd.conf blocks: | ||
| - | |||
| - | <code> | ||
| - | option domain-name-servers 192.168.1.1; | ||
| - | </code> | ||