
Saturday, March 21, 2015

DNS Caching and Forwarding with Unbound

This howto shows the steps needed to configure Unbound as a caching, forwarding DNS server for the 192.168.1.0/24 network. It assumes the server’s IP address is 192.168.1.22 and that it runs RHEL/CentOS 7.

Installation

[root@rhce-server ~]# yum install unbound

Configure Systemd

[root@rhce-server ~]# systemctl enable unbound
ln -s '/usr/lib/systemd/system/unbound.service' '/etc/systemd/system/multi-user.target.wants/unbound.service'
The ^enable^start line is bash quick substitution: it reruns the previous command with enable replaced by start, and bash echoes the command it actually ran.
[root@rhce-server ~]# ^enable^start
systemctl start unbound

Configure the Firewall

[root@rhce-server ~]# firewall-cmd --add-service=dns
success
[root@rhce-server ~]# firewall-cmd --add-service=dns --permanent
success
The first command opens TCP and UDP port 53 in the running firewall; the second records the change so it survives a reload and a reboot. Both apply to the default zone and accept traffic from any source, so the access-control rules in the next section are what keep this server from becoming an open resolver.

Configure Unbound

Unbound’s configuration is stored in /etc/unbound/unbound.conf. The settings below belong in the server: clause, except forward-zone:, which is a top-level clause of its own.
By default unbound only listens on the loopback interface. Specify which interface you would like to use. Naming an interface replaces that default, so list 127.0.0.1 as well if the server itself should resolve through unbound.
interface: 127.0.0.1
interface: 192.168.1.22
Allow queries from 192.168.1.0/24. Unbound refuses every other source by default, which is what keeps this from being an open resolver; do not add an allow rule for 0.0.0.0/0.
access-control: 192.168.1.0/24 allow
Disable DNSSEC validation. The validator module is listed in module-config; edit that line so that only the iterator remains. (domain-insecure takes a single domain name and only exempts that one zone, so it cannot turn validation off globally.) Do this only if your forwarder cannot return DNSSEC records: without validation a forged answer from the forwarder, or from anyone on the path to it, is accepted and cached.
module-config: "iterator"
Forward uncached requests to OpenDNS. The zone name "." is the root, so this forward-zone covers every name that is not answered from cache.
forward-zone:
    name: "."
    forward-addr: 208.67.222.222
    forward-addr: 208.67.220.220

Check Your Configuration

[root@rhce-server ~]# unbound-checkconf 
unbound-checkconf: no errors in /etc/unbound/unbound.conf

Restart the Unbound Service

[root@rhce-server ~]# systemctl restart unbound

Verify it is Working

Test from a different system on the network. The answer should carry the ra flag (recursion available) and, with the validator disabled, never the ad flag. Ask for the same name a second time and the query time should drop to a millisecond or two, because the answer now comes from cache.
mooose:~ jglemza$ dig fark.com A @192.168.1.22

; <<>> DiG 9.8.3-P1 <<>> fark.com A @192.168.1.22
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60299
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;fark.com.          IN  A

;; ANSWER SECTION:
fark.com.       43200   IN  A   64.191.171.200

;; Query time: 234 msec
;; SERVER: 192.168.1.22#53(192.168.1.22)
;; WHEN: Sat Mar 21 13:16:54 2015
;; MSG SIZE  rcvd: 42
Verify the record is now in unbound’s cache.
[root@rhce-server ~]# unbound-control dump_cache|grep fark.com
ns2.fark.com.   43197   IN  A   23.253.56.58
fark.com.   43197   IN  A   64.191.171.200
ns1.fark.com.   43197   IN  A   64.191.171.194
fark.com.   43197   IN  NS  ns1.fark.com.
fark.com.   43197   IN  NS  ns2.fark.com.
...
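The whole procedure above, as an added example that is not part of the original post: one POSIX shell script that renders the two configuration fragments, applies them, and checks that the server answers from cache on a repeat query. The file paths, the DISABLE_DNSSEC switch, the CACHE_HIT_MS threshold, the firewalld rich rule and every function name are this example's own assumptions. It also assumes the stock RHEL 7 unbound.conf includes /etc/unbound/local.d/*.conf inside its server: clause and /etc/unbound/conf.d/*.conf after it (grep for include: to confirm) and has an active module-config line.

```shell
#!/bin/sh
# Added example (not from the original post): build, install and check an
# Unbound caching forwarder on RHEL/CentOS 7 in one script. Assumed, not taken
# from the post: the stock unbound.conf includes /etc/unbound/local.d/*.conf
# inside server: and /etc/unbound/conf.d/*.conf after it, and carries an
# active module-config line.
set -u

LISTEN_IP=${LISTEN_IP:-192.168.1.22}
LAN_CIDR=${LAN_CIDR:-192.168.1.0/24}
FORWARDERS=${FORWARDERS:-"208.67.222.222 208.67.220.220"}
DISABLE_DNSSEC=${DISABLE_DNSSEC:-no}   # "yes" only if the forwarder strips DNSSEC data
CACHE_HIT_MS=5                         # an answer from cache takes at most this long

# server: fragment. Loopback is named explicitly because naming any interface
# replaces the listen-on-localhost default. Only the LAN is allowed; Unbound
# refuses every other source by default, so this is not an open resolver.
render_server_conf() {  # args: listen_ip lan_cidr
    printf 'interface: 127.0.0.1\ninterface: %s\n' "$1"
    printf 'access-control: 127.0.0.0/8 allow\naccess-control: %s allow\n' "$2"
}

# forward-zone: fragment. The zone "." is the root and so covers every name;
# "*" would only match the literal label "*".
render_forward_conf() {  # args: forwarder addresses
    printf 'forward-zone:\n    name: "."\n'
    for addr in "$@"; do
        printf '    forward-addr: %s\n' "$addr"
    done
}

# Parsers for dig's default output, read from stdin.
dig_status() {      # NOERROR, REFUSED, SERVFAIL, ...
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p'
}
dig_query_time() {  # milliseconds
    sed -n 's/^;; Query time: \([0-9]*\) msec.*/\1/p'
}
dig_answer_ttl() {  # TTL of the first answer record
    awk '/^;; ANSWER SECTION:/ { in_answer = 1; next }
         in_answer && NF { print $2; exit }'
}

# A second, identical query was served from cache when it is no slower than
# the first and takes no longer than CACHE_HIT_MS.
is_cache_hit() {  # args: first_ms second_ms
    [ "$2" -le "$CACHE_HIT_MS" ] && [ "$2" -le "$1" ]
}

apply_conf() {
    yum -y install unbound
    render_server_conf "$LISTEN_IP" "$LAN_CIDR" > /etc/unbound/local.d/forwarder.conf
    # $FORWARDERS is unquoted on purpose so each address becomes one argument.
    render_forward_conf $FORWARDERS > /etc/unbound/conf.d/forwarder.conf
    if [ "$DISABLE_DNSSEC" = yes ]; then
        # Drop the validator from the module list; domain-insecure only
        # exempts single zones and is the wrong tool for this.
        sed -i 's/^\([[:space:]]*module-config:\).*/\1 "iterator"/' /etc/unbound/unbound.conf
    fi
    unbound-checkconf || return 1
    # Accept DNS only from the LAN at the firewall too, now and after a reload.
    rule="rule family=\"ipv4\" source address=\"$LAN_CIDR\" service name=\"dns\" accept"
    firewall-cmd --add-rich-rule="$rule"
    firewall-cmd --permanent --add-rich-rule="$rule"
    systemctl enable unbound && systemctl restart unbound
}

# Query twice from a LAN host: the first answer is fetched via the forwarder,
# the second must come from cache (no slower, TTL counting down).
verify_forwarder() {  # args: server name
    first=$(dig "$2" A "@$1") || return 1
    second=$(dig "$2" A "@$1") || return 1
    [ "$(printf '%s\n' "$first" | dig_status)" = NOERROR ] || return 1
    t1=$(printf '%s\n' "$first" | dig_query_time)
    t2=$(printf '%s\n' "$second" | dig_query_time)
    ttl1=$(printf '%s\n' "$first" | dig_answer_ttl)
    ttl2=$(printf '%s\n' "$second" | dig_answer_ttl)
    [ "$ttl2" -le "$ttl1" ] && is_cache_hit "$t1" "$t2"
}

# Trimmed copy of the dig output shown in the post, kept here so the parsers
# can be exercised offline.
SAMPLE_DIG=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60299
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
fark.com.       43200   IN  A   64.191.171.200

;; Query time: 234 msec
EOF
)

case "${1:-}" in
    apply)  apply_conf ;;
    verify) verify_forwarder "$LISTEN_IP" "${2:-fark.com}" ;;
esac
```

Run it as sh unbound-forwarder.sh apply on the server, then sh unbound-forwarder.sh verify fark.com from a host in 192.168.1.0/24 that has dig installed (only LISTEN_IP matters for verify). The cache check relies on the second query being answered locally: its Query time drops to a millisecond or two and its TTL is no higher than the first answer's, which is the same thing the unbound-control dump above shows with its decremented TTLs.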

1 comment:

  1. As per the man page, name should be "." (with the quotes) not * in this config snippet:

    forward-zone:
    name: "."
    forward-addr: 208.67.222.222
    forward-addr: 208.67.220.220
