Unbound as a recursive caching DNS Server on CentOS v7.1
Notes from a reinstall of unbound on a new CentOS v7.1 VM. This is one of two resolvers running in a split horizon DNS environment.
Install
Install unbound:
# yum install unbound
Configure
Add a configuration file '/etc/unbound/unbound.conf'. This is a single purpose VM so the chroot support is disabled to simplify DNSSEC root key support. Local IPv4 and IPv6 networks are allowed access.
server:
    verbosity: 1
    num-threads: 2
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    chroot: ""
    interface: 0.0.0.0
    interface: ::0
    access-control: 0.0.0.0/0 refuse
    access-control: 10.20.0.0/16 allow
    access-control: 127.0.0.0/8 allow
    access-control: ::0/0 refuse
    access-control: ::1 allow
    access-control: ::ffff:127.0.0.1 allow
    access-control: fe80::/10 allow
    access-control: 2001:4428:225::0/48 allow
    access-control: fd0c:898b:471c::/48 allow
    local-zone: "10.in-addr.arpa." nodefault
    local-zone: "d.f.ip6.arpa." nodefault
    domain-insecure: "d.f.ip6.arpa"
    include: /etc/unbound/local.d/*.conf
    include: /etc/unbound/conf.d/*.conf

stub-zone:
    name: "lucidsolutions.co.nz"
    stub-prime: yes
    stub-addr: fd0c:898b:471c:2::3
    stub-addr: fd0c:898b:471c:c::3
    stub-addr: 10.20.2.3
    stub-addr: 10.20.12.3

stub-zone:
    name: "otahuna.net"
    stub-prime: yes
    stub-addr: fd0c:898b:471c:2::3
    stub-addr: fd0c:898b:471c:c::3
    stub-addr: 10.20.2.3
    stub-addr: 10.20.12.3

stub-zone:
    name: "20.10.in-addr.arpa"
    stub-addr: fd0c:898b:471c:2::3
    stub-addr: fd0c:898b:471c:c::3
    stub-addr: 10.20.2.3
    stub-addr: 10.20.12.3

stub-zone:
    name: "5.2.2.0.8.2.4.4.1.0.0.2.ip6.arpa"
    stub-addr: fd0c:898b:471c:2::3
    stub-addr: fd0c:898b:471c:c::3
    stub-addr: 10.20.2.3
    stub-addr: 10.20.12.3

stub-zone:
    name: "c.1.7.4.b.8.9.8.c.0.d.f.ip6.arpa"
    stub-addr: fd0c:898b:471c:2::3
    stub-addr: fd0c:898b:471c:c::3
    stub-addr: 10.20.2.3
    stub-addr: 10.20.12.3
Start
# systemctl enable unbound
# systemctl start unbound
Firewall
IPv4 rules (iptables); the custom chains tcpOut, udpOut, tcpIn and udpIn are this host's own:

-A tcpOut -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A udpOut -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A tcpIn -p tcp -m tcp --dport 53 --source 10.20.0.0/16 -m conntrack --ctstate NEW -j ACCEPT
-A udpIn -p udp -m udp --dport 53 --source 10.20.0.0/16 -m conntrack --ctstate NEW -j ACCEPT

IPv6 rules (ip6tables):

-A tcpOut -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A udpOut -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A tcpIn -p tcp -m tcp --dport 53 --source fe80::/10 -m conntrack --ctstate NEW -j ACCEPT
-A udpIn -p udp -m udp --dport 53 --source fe80::/10 -m conntrack --ctstate NEW -j ACCEPT
-A tcpIn -p tcp -m tcp --dport 53 --source fd0c:898b:471c::/48 -m conntrack --ctstate NEW -j ACCEPT
-A udpIn -p udp -m udp --dport 53 --source fd0c:898b:471c::/48 -m conntrack --ctstate NEW -j ACCEPT
-A tcpIn -p tcp -m tcp --dport 53 --source 2001:4428:225::0/48 -m conntrack --ctstate NEW -j ACCEPT
-A udpIn -p udp -m udp --dport 53 --source 2001:4428:225::0/48 -m conntrack --ctstate NEW -j ACCEPT
# for S in iptables ip6tables ; do systemctl restart $S ; done
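The access-control list in the configuration above and the --source netblocks in the firewall rules are two layers of the same policy. The script below, an added example rather than anything from the original notes, applies unbound's own matching rule to a client address (the most specific netblock wins; no match means refuse, so the order of the lines does not matter) and then lists every allowed netblock that no firewall --source covers, which for this host should be loopback only. The rule text and firewall list are copied from the page; the client addresses are constructed test values.

```python
import ipaddress

# access-control lines copied from the unbound.conf above
ACCESS_CONTROL = """
access-control: 0.0.0.0/0 refuse
access-control: 10.20.0.0/16 allow
access-control: 127.0.0.0/8 allow
access-control: ::0/0 refuse
access-control: ::1 allow
access-control: ::ffff:127.0.0.1 allow
access-control: fe80::/10 allow
access-control: 2001:4428:225::0/48 allow
access-control: fd0c:898b:471c::/48 allow
"""

# --source netblocks from the iptables/ip6tables inbound rules above
FIREWALL_SOURCES = ["10.20.0.0/16", "fe80::/10", "fd0c:898b:471c::/48",
                    "2001:4428:225::0/48"]


def parse_access_control(text):
    """Return (network, action) pairs from access-control: lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line.startswith("access-control:"):
            continue
        _, netblock, action = line.split()
        rules.append((ipaddress.ip_network(netblock, strict=False), action))
    return rules


def decide(rules, client):
    """Longest-prefix match over the rules; no match at all means refuse."""
    addr = ipaddress.ip_address(client)
    best = None
    for net, action in rules:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    return best[1] if best else "refuse"


def allowed_without_firewall(rules, sources):
    """Allowed netblocks no firewall --source covers (expect loopback only)."""
    fw = [ipaddress.ip_network(s, strict=False) for s in sources]
    return [str(net) for net, action in rules if action == "allow"
            and not any(net.version == f.version and net.subnet_of(f) for f in fw)]


if __name__ == "__main__":
    rules = parse_access_control(ACCESS_CONTROL)
    for client in ("10.20.5.7", "10.21.0.1", "fd0c:898b:471c:2::3", "2001:db8::1"):
        print(client, "->", decide(rules, client))
    print("allowed but not firewalled:", allowed_without_firewall(rules, FIREWALL_SOURCES))
```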
Links
- https://www.unbound.net/
- https://www.unbound.net/documentation/howto_anchor.html
- https://www.unbound.net/documentation/unbound.conf.html
- http://unbound.net/pipermail/unbound-users/2013-March/002867.html
Appendices
yum install
# yum install unbound
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: ftp.jaist.ac.jp
 * extras: ftp.jaist.ac.jp
 * updates: ftp.jaist.ac.jp
Resolving Dependencies
--> Running transaction check
---> Package unbound.x86_64 0:1.4.20-19.el7 will be installed
--> Processing Dependency: unbound-libs(x86-64) = 1.4.20-19.el7 for package: unbound-1.4.20-19.el7.x86_64
--> Processing Dependency: ldns >= 1.6.13 for package: unbound-1.4.20-19.el7.x86_64
--> Processing Dependency: libunbound.so.2()(64bit) for package: unbound-1.4.20-19.el7.x86_64
--> Processing Dependency: libldns.so.1()(64bit) for package: unbound-1.4.20-19.el7.x86_64
--> Processing Dependency: libevent-2.0.so.5()(64bit) for package: unbound-1.4.20-19.el7.x86_64
--> Running transaction check
---> Package ldns.x86_64 0:1.6.16-7.el7 will be installed
---> Package libevent.x86_64 0:2.0.21-4.el7 will be installed
---> Package unbound-libs.x86_64 0:1.4.20-19.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================================
 Package                 Arch            Version                  Repository         Size
=============================================================================================
Installing:
 unbound                 x86_64          1.4.20-19.el7            base              471 k
Installing for dependencies:
 ldns                    x86_64          1.6.16-7.el7             base              473 k
 libevent                x86_64          2.0.21-4.el7             base              214 k
 unbound-libs            x86_64          1.4.20-19.el7            base              294 k

Transaction Summary
=============================================================================================
Install  1 Package (+3 Dependent packages)

Total download size: 1.4 M
Installed size: 4.4 M
Is this ok [y/d/N]: y
Downloading packages:
(1/4): unbound-libs-1.4.20-19.el7.x86_64.rpm                          | 294 kB  00:00:02
(2/4): ldns-1.6.16-7.el7.x86_64.rpm                                   | 473 kB  00:00:04
(3/4): libevent-2.0.21-4.el7.x86_64.rpm                               | 214 kB  00:00:04
(4/4): unbound-1.4.20-19.el7.x86_64.rpm                               | 471 kB  00:00:05
---------------------------------------------------------------------------------------------
Total                                                        263 kB/s | 1.4 MB  00:00:05
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : ldns-1.6.16-7.el7.x86_64                                                  1/4
  Installing : libevent-2.0.21-4.el7.x86_64                                              2/4
  Installing : unbound-libs-1.4.20-19.el7.x86_64                                         3/4
  Installing : unbound-1.4.20-19.el7.x86_64                                              4/4
  Verifying  : libevent-2.0.21-4.el7.x86_64                                              1/4
  Verifying  : unbound-1.4.20-19.el7.x86_64                                              2/4
  Verifying  : ldns-1.6.16-7.el7.x86_64                                                  3/4
  Verifying  : unbound-libs-1.4.20-19.el7.x86_64                                         4/4

Installed:
  unbound.x86_64 0:1.4.20-19.el7

Dependency Installed:
  ldns.x86_64 0:1.6.16-7.el7    libevent.x86_64 0:2.0.21-4.el7    unbound-libs.x86_64 0:1.4.20-19.el7

Complete!