Agenda: dns-unbound-config.txt

File dns-unbound-config.txt, 3.1 KB (added by admin, 7 years ago)
Configuring Unbound

1. Log in using SSH/Putty/... to your CACHE machine:

    $ ssh -l adm cache.grpXX.ws.nsrc.org

        (i.e. for group 1, you would use cache.grp1.ws.nsrc.org)

2. On CACHE:

    # cd /usr/local/etc/unbound/
    # cp unbound.conf.sample unbound.conf

    Now edit the file unbound.conf and make the following changes:

    a) enable listening - find the lines with:

        # interface: ...
        # interface: ...

    and just under, add this line:

        interface: 0.0.0.0

    b) access control - find the lines with:

        # access-control: ...
        # access-control: ...

    and just under, add this line:

        access-control: 10.10.0.0/16 allow

    c) chroot - find the line

        # chroot: "/usr/local/etc/unbound"

    and just under, add this line (an empty value turns chroot off):

        chroot: ""

    d) set the root-hints file - find the line with:

        # root-hints: ""

    and just under, add this line:

        root-hints: "/usr/local/etc/unbound/named.root"

    ... and download a copy of the named.root hints file from
    your master host, like this:

        # cd /usr/local/etc/unbound/
        # scp adm@master.grp0.ws.nsrc.org:/etc/namedb/named.root .

    e) re-enable the 10.in-addr.arpa zone - find the line with:

        # local-data-ptr: "192.0.2.3 www.example.com"

    and just under, add this line:

        local-zone: "10.in-addr.arpa." nodefault

    f) enable remote control - find the line with:

        # control-enable: no

    and CHANGE it (by removing the # in front) to:

        control-enable: yes

    - find the line with:

        # control-interface: 127.0.0.1

    and CHANGE it to:

        control-interface: 0.0.0.0

    - find the line with:

        # control-port: 953

    and CHANGE it to:

        control-port: 953

    - finally, uncomment the following lines:

        # server-key-file: "/usr/local/etc/unbound/unbound_server.key"
    becomes
        server-key-file: "/usr/local/etc/unbound/unbound_server.key"

        # server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"
    becomes
        server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"

        # control-key-file: "/usr/local/etc/unbound/unbound_control.key"
    becomes
        control-key-file: "/usr/local/etc/unbound/unbound_control.key"

        # control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"
    becomes
        control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"

    Save the file and exit.

3. Create the control keys:

    # unbound-control-setup

4. Test the configuration:

    # unbound-checkconf

5. Edit /etc/rc.conf and add:

    unbound_enable="YES"

6. Start unbound:

    # /usr/local/etc/rc.d/unbound start

7. Change your /etc/resolv.conf to use your newly configured Unbound,
   not only on this machine (CACHE) but on MASTER as well:

    # vi /etc/resolv.conf

    Change the nameserver line to:

        nameserver 10.10.XX.2

    ... where XX is the number of your group.

8. Test

    # dig
    # dig noc.ws.nsrc.org
    # dig MYTLD. NS

        Make sure you see SERVER: ...(10.10.XX.2) at the bottom of
        dig's output.

    # dig version.bind txt chaos

    What does the output say?
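As an added check (not part of the lab handout), the script below parses the server: and remote-control: lines that step 2 edits and reports the settings that widen exposure: an access-control that allows the whole Internet (an open resolver), chroot switched off, and unbound-control listening on a non-loopback address. The sample configuration embedded in it is constructed to match the lab's values.

```python
"""Added example: audit the unbound.conf settings changed in step 2 of the lab."""
import re

# Constructed sample: the relevant lines as they look after following the lab.
SAMPLE_CONF = """\
server:
    interface: 0.0.0.0
    access-control: 10.10.0.0/16 allow
    chroot: ""
    root-hints: "/usr/local/etc/unbound/named.root"
    local-zone: "10.in-addr.arpa." nodefault
remote-control:
    control-enable: yes
    control-interface: 0.0.0.0
    control-port: 953
"""

def parse_unbound(text):
    """Return {section: [(key, value), ...]}; repeated keys keep their order."""
    sections, current = {}, None
    for raw in text.splitlines():
        m = re.match(r"\s*([\w-]+):\s*(.*)$", raw.split("#", 1)[0])  # drop comments
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip().replace('"', "")
        if not raw[:1].isspace():          # an unindented "name:" opens a section
            current = key
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append((key, value))
    return sections

def audit(conf):
    """Findings on the settings the lab touches; an empty list means none."""
    srv = {}
    for k, v in conf.get("server", []):   # interface: / access-control: may repeat
        srv.setdefault(k, []).append(v)
    rc = dict(conf.get("remote-control", []))
    findings = []
    acls = srv.get("access-control", [])
    if "0.0.0.0" in srv.get("interface", []) and not any(a.endswith(" allow") for a in acls):
        findings.append("listens on all interfaces but no access-control allow: clients get REFUSED")
    if any(a.split()[0] in ("0.0.0.0/0", "::/0", "::0/0") and a.endswith(" allow") for a in acls):
        findings.append("access-control allows the whole Internet: open resolver")
    if srv.get("chroot") == [""]:
        findings.append('chroot disabled (chroot: "")')
    if rc.get("control-enable") == "yes" and rc.get("control-interface", "127.0.0.1") not in ("127.0.0.1", "::1"):
        findings.append("unbound-control reachable on %s:%s" % (rc["control-interface"], rc.get("control-port", "8953")))
    return findings
```

Run it against a real file with `audit(parse_unbound(open("/usr/local/etc/unbound/unbound.conf").read()))`; for the lab's values it reports the disabled chroot and the network-reachable control port.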