Track2Agenda: 02-dns-unbound-config.txt

File 02-dns-unbound-config.txt, 6.6 KB (added by Andy Linton, 7 years ago)

Configuring Unbound
-------------------

1. Log in using SSH/Putty/... to your RESOLVER machine:

    (i.e. for group 1, you would use resolv.grp1.dns.nsrc.org)

    $ ssh sysadm@resolv.grpXX.dns.nsrc.org

    *** PLEASE MAKE SURE YOU ARE LOGGED IN TO YOUR 'RESOLV' MACHINE, AND ***
                  *** NOT IN YOUR 'AUTH1' or 'AUTH2' ***

        Check the hostname is set up correctly as in the previous exercises.

2. On your RESOLVER machine (which you just logged into):

    $ cd /usr/local/etc/unbound/

    Now you have TWO choices. You can either create unbound.conf from
    scratch using the example below (option I), or, if you feel comfortable
    doing so, copy the sample file and edit `unbound.conf` by hand (option II).

    The easiest is option I - your choice!

    Option I:

    If you want to save time:

    Create the file unbound.conf, and copy and paste the data below into it:
--------------------------- copy below here -----------------------------

server:
        verbosity: 1
        # specify the interfaces to answer queries from by ip-address.
        interface: 0.0.0.0

        # control which clients are allowed to make (recursive) queries
        access-control: 10.10.0.0/16 allow

        # If you give "" no chroot is performed. The path must not end in a /.
        chroot: ""

        # file to read root hints from.
        root-hints: "/usr/local/etc/unbound/named.root"

        # a number of locally served zones can be configured.
        local-zone: "10.10.in-addr.arpa." nodefault

remote-control:

        # Enable remote control with unbound-control(8) here.
        control-enable: yes

        # what interfaces are listened to for remote control.
        control-interface: 0.0.0.0

        # port number for remote control operations.
        control-port: 953

        # unbound control files
        server-key-file: "/usr/local/etc/unbound/unbound_server.key"
        server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"
        control-key-file: "/usr/local/etc/unbound/unbound_control.key"
        control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"

--------------------------- copy above here -----------------------------

    Option II:

    If you'd rather make the changes yourself, follow the steps below;
    otherwise skip to the next step.

    $ sudo cp unbound.conf.sample unbound.conf

    NOTE: Here, remember to use your favorite editor: ee, jed, joe, vi, ...

    $ sudo ee unbound.conf
    or
    $ sudo vi unbound.conf

    ... and make the following changes:

    a) enable listening - find the lines with:

        # interface: ...
        # interface: ...

    and just under, add this line:

        interface: 0.0.0.0

    b) access control - find the lines with:

        # access-control: ...
        # access-control: ...

    and just under, add this line:

        access-control: 10.10.0.0/16 allow

    c) chroot security - find the line

        # chroot: "/usr/local/etc/unbound"

    and just under, add this line:

        chroot: ""

    NOTE: We would normally not turn off chroot, which is a security
          mechanism, but we need to do this here in the lab, because of
          restrictions from the virtualization environment. In a production
          environment, we wouldn't do this.

    d) set the root-hints file - find the line with:

        # root-hints: ""

    and just under, add this line:

        root-hints: "/usr/local/etc/unbound/named.root"

    e) re-enable the 10.10.in-addr.arpa zone - find the line with:

        # local-data-ptr: "192.0.2.3 www.example.com"

    and just under, add this line:

        local-zone: "10.10.in-addr.arpa." nodefault

    f) enable remote control - find the line with:

        # control-enable: no

    and CHANGE it (by removing the # in front and changing no to yes) to:

        control-enable: yes

    - find the line with:

        # control-interface: 127.0.0.1

    and CHANGE it to:

        control-interface: 0.0.0.0

    - find the line with:

        # control-port: 8953

    and CHANGE it to:

        control-port: 953

    - finally, uncomment the following 4 lines:

        # server-key-file: "/usr/local/etc/unbound/unbound_server.key"
    becomes
        server-key-file: "/usr/local/etc/unbound/unbound_server.key"

        # server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"
    becomes
        server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"

        # control-key-file: "/usr/local/etc/unbound/unbound_control.key"
    becomes
        control-key-file: "/usr/local/etc/unbound/unbound_control.key"

        # control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"
    becomes
        control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"

    Save the file, exit.

    You still need to copy the named.root root hints file to where unbound
    can find it:

        $ cd /usr/local/etc/unbound
        $ sudo cp /etc/namedb/named.root .
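Whichever option you took, the result should be the same file. The script below is an added check (not part of the exercise or of Unbound): it parses an unbound.conf laid out like the one above and reports which of the lab's expected settings are missing, plus the two settings that are lab-only relaxations: chroot disabled (see the NOTE) and the control channel moved from the sample's 127.0.0.1 to all addresses. LAB_CONF is a constructed copy of the Option I config, and the parser assumes that flat layout with no include: directives.

```python
# Constructed sample: the Option I config from this exercise, comments removed.
LAB_CONF = """\
server:
        interface: 0.0.0.0
        access-control: 10.10.0.0/16 allow
        chroot: ""
        root-hints: "/usr/local/etc/unbound/named.root"
        local-zone: "10.10.in-addr.arpa." nodefault
remote-control:
        control-enable: yes
        control-interface: 0.0.0.0
        control-port: 953
"""
EXPECTED = {  # what steps a), b), d), e) and f) of Option II must produce
    ("server", "interface"): "0.0.0.0",
    ("server", "access-control"): "10.10.0.0/16 allow",
    ("server", "root-hints"): "/usr/local/etc/unbound/named.root",
    ("server", "local-zone"): "10.10.in-addr.arpa. nodefault",
    ("remote-control", "control-enable"): "yes",
    ("remote-control", "control-port"): "953",
}

def parse_unbound_conf(text):
    """Return {clause: {key: [values]}}; assumes the lab's layout of unindented
    'clause:' lines and indented 'key: value' lines, no include: directives."""
    conf, clause = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):
            clause = line[:-1]                        # "server:" -> "server"
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip().replace('"', "")        # chroot: "" -> ""
        conf.setdefault(clause, {}).setdefault(key.strip(), []).append(value)
    return conf

def check_lab_conf(text):
    """Return (missing expected settings, lab-only relaxations to revert later)."""
    conf = parse_unbound_conf(text)
    missing = [f"{c}:{k}" for (c, k), v in EXPECTED.items()
               if v not in conf.get(c, {}).get(k, [])]
    warnings = []
    if conf.get("server", {}).get("chroot") == [""]:
        warnings.append("chroot disabled")
    if "0.0.0.0" in conf.get("remote-control", {}).get("control-interface", []):
        warnings.append("control-interface on all addresses (sample uses 127.0.0.1)")
    return missing, warnings
```

Run it against /usr/local/etc/unbound/unbound.conf with `check_lab_conf(open(path).read())`; an empty missing list means steps a) to f) all took effect.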
3. Create the control keys:

    $ sudo unbound-control-setup

4. Test the configuration:

    $ sudo unbound-checkconf

5. Edit /etc/rc.conf and add:

    unbound_enable="YES"

6. Start unbound!

    $ sudo service unbound start

7. Change your /etc/resolv.conf to use your newly configured Unbound,
   not only on this machine (RESOLV) but on AUTH1 and AUTH2 as well:

    # vi /etc/resolv.conf

    Change the nameserver line to:

        nameserver 10.10.XX.3

    ... where XX is the number of your group

8. Test

    $ dig
    $ dig noc.dns.nsrc.org

        Make sure you see SERVER: ...(10.10.XX.3) at the bottom of
        dig's output.

    $ dig version.bind txt chaos

    What does the output say?
9. Make sure that BIND on the AUTH1 host is NOT recursive.

   NOTE: You do NOT need to do this unless you have enabled recursion
   in your BIND config.

   So we need to go to our AUTH1 host and change its resolv.conf.

   Log on to your master (auth1.grpX.dns.nsrc.org), and change the
   /etc/resolv.conf so that it now uses your newly configured unbound:

    $ sudo ee /etc/resolv.conf

    and make it look like this:

        search dns.nsrc.org
        nameserver 10.10.X.3

    ... where X is the number of your group

    Then test that you can resolve *.dns.nsrc.org names:

    $ dig noc.dns.nsrc.org

    Check the SERVER: statement at the bottom of the dig output to
    make sure you are running with the correct server.

    Finally, turn off recursion on the AUTH1 host.

    Edit /etc/namedb/named.conf (sudo ee ...) and make the following changes:

    From this:

        allow-recursion { 127.0.0.1; 10.10.0.0/16; };

    To this:

        // allow-recursion { 127.0.0.1; 10.10.0.0/16; };
        recursion no;

    If these statements aren't there, don't worry, just skip this step!

    Save the file, and restart named:

    $ sudo service named restart
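The named.conf edit in step 9 can be checked the same way. The function below is added here (not from the exercise or from BIND): it strips the three comment styles named.conf accepts, then reports whether `recursion no;` is active and whether an uncommented allow-recursion statement remains, so a `//` that only commented out part of the line, or a `recursion no;` that itself ended up inside a comment, is caught. BEFORE and AFTER are constructed from the two snippets above; the comment stripping assumes no `#` or `//` inside quoted strings.

```python
import re

# Constructed samples: the options block before and after the edit in step 9.
BEFORE = """\
options {
        allow-recursion { 127.0.0.1; 10.10.0.0/16; };
};
"""
AFTER = """\
options {
        // allow-recursion { 127.0.0.1; 10.10.0.0/16; };
        recursion no;
};
"""

def strip_named_comments(text):
    """Remove the /* */, // and # comment forms named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def recursion_state(named_conf):
    """Return (recursion_off, allow_recursion_active) from the uncommented text."""
    active = strip_named_comments(named_conf)
    # (?<![\w-]) keeps 'allow-recursion' from matching as 'recursion'
    m = re.search(r"(?<![\w-])recursion\s+(yes|no)\s*;", active)
    recursion_off = m is not None and m.group(1) == "no"
    allow_active = re.search(r"(?<![\w-])allow-recursion\s*\{", active) is not None
    return recursion_off, allow_active

def auth_is_non_recursive(named_conf):
    """Step 9 passes when recursion is off and no allow-recursion is left active."""
    off, allow = recursion_state(named_conf)
    return off and not allow
```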