Support #677
Updated by Daniel Curtis about 10 years ago
This is a guide on installing an authoritative DNS server using Unbound on FreeBSD 10.
h2. Prepare the Environment
* Make sure the system is up to date:
<pre>
pkg update && pkg upgrade
</pre>
h2. Install Unbound
*NOTE*: Unbound is part of the FreeBSD base system as of 10.1.
* Fetch the named.cache from internic:
<pre>
cd /var/unbound
fetch ftp://ftp.internic.net/domain/named.cache
</pre>
* Get the @root.key@ from IANA to verify DNSSEC extensions:
<pre>
unbound-anchor -a "/var/unbound/root.key"
</pre>
* Fetch the @dlv.isc.org.key@ from ISC to verify DNSSEC extensions:
<pre>
fetch http://ftp.isc.org/www/dlv/dlv.isc.org.key
</pre>
* Generate the keys Unbound needs to be safely controlled via unbound-control:
<pre>
unbound-control-setup
</pre>
* Create a config file for unbound:
<pre>
vi /var/unbound/unbound.conf
</pre>
#* And add the following:
<pre>
## Authoritative, validating, recursive caching DNS
server:
    verbosity: 1
    logfile: "/var/log/unbound.log"
    interface: 0.0.0.0
    port: 53
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/16 allow
    include: "/var/unbound/conf.d/*.conf"
    root-hints: "/var/unbound/named.cache"
    # trust anchor fetched above with unbound-anchor; without it no DNSSEC validation happens
    auto-trust-anchor-file: "/var/unbound/root.key"
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: yes
    prefetch: yes

forward-zone:
    name: "."
    forward-addr: 208.67.222.222
</pre>
* Create an unbound config for the example.com domain:
<pre>
vi /var/unbound/conf.d/example.com.conf
</pre>
#* And add the following:
<pre>
# example.com domain
local-zone: "example.com." static
local-data: "gateway.example.com. IN A 192.168.55.1"
local-data: "nas.example.com. IN A 192.168.55.2"
local-data: "pc1.example.com. IN A 192.168.55.3"
local-data: "pc2.example.com. IN A 192.168.55.4"
local-data: "wap1.example.com. IN A 192.168.55.5"
local-data: "dhcp1.example.com. IN A 192.168.55.6"
local-data: "dhcp2.example.com. IN A 192.168.55.7"
local-data-ptr: "192.168.55.1 gateway.example.com"
local-data-ptr: "192.168.55.2 nas.example.com"
local-data-ptr: "192.168.55.3 pc1.example.com"
local-data-ptr: "192.168.55.4 pc2.example.com"
local-data-ptr: "192.168.55.5 wap1.example.com"
local-data-ptr: "192.168.55.6 dhcp1.example.com"
local-data-ptr: "192.168.55.7 dhcp2.example.com"
</pre>
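Hand-maintained @local-data@ and @local-data-ptr@ lines drift apart easily (a host gets renumbered in the A record but not the PTR). The following script generates the whole snippet above from one host list; it is an added example, not part of the original guide, and the @gen_local_zone@ helper and its "name address" input format are my own assumptions.

```shell
#!/bin/sh
# Hypothetical helper, not from the original guide: build an Unbound local-zone
# snippet (like /var/unbound/conf.d/example.com.conf) from one host list so
# the forward A records and reverse PTR records cannot drift apart.
# Input on stdin, one host per line: "<hostname> <ipv4>"; '#' lines are comments.
# Returns non-zero if any line was malformed, duplicated, or not a valid IPv4.
gen_local_zone() {
    awk -v zone="$1" '
    function valid_ip(ip,  p, n, i) {
        n = split(ip, p, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
        return 1
    }
    BEGIN {
        bad = 0; n = 0
        printf "# %s domain\n", zone
        printf "local-zone: \"%s.\" static\n", zone
    }
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    NF != 2 || !valid_ip($2) || ($1 in host) || ($2 in addr) {
        printf "line %d rejected: %s\n", NR, $0 > "/dev/stderr"; bad = 1; next
    }
    {
        host[$1] = 1; addr[$2] = 1
        printf "local-data: \"%s.%s. IN A %s\"\n", $1, zone, $2
        ptr[++n] = sprintf("local-data-ptr: \"%s %s.%s\"", $2, $1, zone)
    }
    END { for (i = 1; i <= n; i++) print ptr[i]; exit bad }
    '
}

# Constructed sample matching the hosts in the guide above.
HOSTS='# name       address
gateway      192.168.55.1
nas          192.168.55.2
pc1          192.168.55.3
pc2          192.168.55.4
wap1         192.168.55.5
dhcp1        192.168.55.6
dhcp2        192.168.55.7'

# Writes the snippet to stdout; redirect it to /var/unbound/conf.d/example.com.conf
# and run unbound-checkconf before reloading.
printf '%s\n' "$HOSTS" | gen_local_zone example.com
```

A rejected line (bad address, duplicate name or duplicate address) is reported on stderr and makes the script exit non-zero, so a broken host list never silently produces a half-populated zone.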
* Start and enable unbound at boot:
<pre>
echo 'local_unbound_enable="YES"' >> /etc/rc.conf
service local_unbound start
</pre>
*NOTE*: I needed to edit the local_unbound init script:
<pre>
vi /etc/rc.d/local_unbound
</pre>
* And set the correct pid file:
<pre>
pidfile="/var/unbound/unbound.pid"
</pre>
* With Unbound configured and running, edit the resolver config file:
<pre>
vi /etc/resolv.conf
</pre>
#* And change the nameserver to the localhost:
<pre>
nameserver 127.0.0.1
</pre>
h2. Resources
* https://calomel.org/unbound_dns.html
* https://www.digitalocean.com/community/tutorials/how-to-set-up-the-unbound-caching-dns-resolver-on-freebsd-10-1
* http://www.prado.it/2012/04/23/how-to-configure-unbound-with-dnssec-validation-on-freebsd-9-0/