Monday, 29 December 2014

How to Configure and Administer Unbound as a "Caching Name Server" in RHEL 7.0

Unbound is a validating, recursive, and caching DNS server software product from NLnet Labs, VeriSign Inc., Nominet, and Kirei. It is distributed free of charge in open source form under the BSD license.

Unbound is designed as a set of modular components that incorporate modern features, such as DNSSEC validation for enhanced security, Internet Protocol version 6 (IPv6), and a client resolver library API as an integral part of the architecture. Originally written for POSIX-compatible Unix-like operating systems, it runs on FreeBSD, OpenBSD, NetBSD, and Linux, as well as Microsoft Windows.

Several packages are available for configuring a caching name server, including bind, dnsmasq, and Unbound. Here I am configuring a caching name server using Unbound; the main DNS server was created using BIND. For more information on configuring DNS in RHEL, I recommend the following post:
The complete DNS Server configuration ,Testing & Troubleshooting in RHEL 6 (Primary DNS & Secondary DNS) 

A caching name server stores DNS query results in a local cache and removes resource records from the cache when their TTLs expire. It is common to set up a caching name server to perform queries on behalf of the clients on the local network. This greatly improves the efficiency of DNS name resolution by reducing DNS traffic across the Internet. As the cache grows, DNS performance improves further, because the caching name server answers more and more client queries from its local cache.

Let's create the caching server now. First we need to install the unbound package on the system; the command yum install unbound will install the package.
Click the link below to learn more about YUM configuration:
RHEL YUM (Yellow-dog Updater and Modifier) configuration using local DVD in RHEL 7.0

Enter "Y" to install the package. Once the package is successfully installed, run the following command to list the configuration files of the unbound package.
# rpm -qlc unbound
 
Let's start and enable the unbound service now using the following commands.
# systemctl start unbound
# systemctl enable unbound
 
Configure the network interface to listen on. By default, Unbound listens only on the local host (loopback) interface. To make Unbound available to remote clients as a caching server, use the interface option in the server clause of /etc/unbound/unbound.conf to specify the network interface to listen on.

A value of 0.0.0.0 configures Unbound to listen on all IPv4 network interfaces; alternatively, you can specify the IP address of the interface you want Unbound to listen on. Here I am using the IP address of my network interface (192.168.1.4/24). Here is the snip of the interface configuration.


Let us configure client access now. By default, Unbound refuses recursive queries from all clients. In the server clause of /etc/unbound/unbound.conf, use the access-control option to specify which clients are allowed to make recursive queries.
Here I am allowing access only from the client network. You can change the allow/refuse entries according to your requirements.


Now we need to configure forwarding. In /etc/unbound/unbound.conf, create a forward-zone clause to specify which DNS server(s) to forward queries to. A DNS server can be specified by hostname using the forward-host option or by IP address using the forward-addr option. For a caching name server, forward all queries by specifying a forward zone of ".".

My DNS server is 192.168.1.2; here is the snip of the configuration.
 
By default, Unbound performs DNSSEC validation on every DNS response it receives. The domain-insecure option in the server clause of /etc/unbound/unbound.conf can be used to specify a domain for which DNSSEC validation should be skipped.
Here I am skipping DNSSEC validation for my internal domain because it is unsigned; otherwise validation would fail.

That's all for the Unbound caching server; it's simple, right? Let's save all the changes we made to /etc/unbound/unbound.conf and exit.
Check the /etc/unbound/unbound.conf file for syntax errors by running the following command.
# unbound-checkconf /etc/unbound/unbound.conf
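Since the configuration snips from the original post are not reproduced here, the following is an added example (my own, not the author's screenshots) of the complete server and forward-zone clauses that the four steps above describe, using the addresses from this post; adjust them to your own network. It is a configuration fragment, so it is validated with unbound-checkconf rather than executed.

```conf
# Added example: the settings described in this post, assembled into
# one server clause plus a forward-zone clause for /etc/unbound/unbound.conf.
server:
    # Listen on the LAN interface; keep loopback so local tests still work.
    interface: 127.0.0.1
    interface: 192.168.1.4

    # Client access: allow recursion only from the local client network.
    # Everything else is refused, which is also Unbound's default.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # DNSSEC validation stays on for every other zone; only the unsigned
    # internal zone is exempted. Each domain-insecure entry disables
    # validation for that whole subtree, so list only zones you control.
    domain-insecure: "vinzlinux.com"

# Caching-only: forward every query to the internal BIND server.
forward-zone:
    name: "."
    forward-addr: 192.168.1.2
```

After saving, unbound-checkconf /etc/unbound/unbound.conf should report no errors before you restart the service.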

Restart the unbound service so the daemon picks up the configuration changes.
# systemctl restart unbound

Configure the firewall to allow DNS traffic.
# firewall-cmd --add-service=dns --permanent
# firewall-cmd --reload
 
Let's test name resolution from the caching server. Names resolve correctly through the caching server. Now you can add the caching server's IP address to /etc/resolv.conf on your clients for name resolution.
# dig @foundation.vinzlinux.com A system1.vinzlinux.com

Let's check the DNS cache now; you should see the details of the recently queried records.
You can view this using the unbound-control dump_cache command.


If you want to purge some records, you can use the unbound-control flush command. Here I am showing an example that purges the record for system1.vinzlinux.com from the cache. You can also flush the records of a whole zone using the flush_zone subcommand of unbound-control.
# unbound-control flush system1.vinzlinux.com

There is one more useful command for backing up and restoring the DNS cache: unbound-control load_cache loads the output of dump_cache back into the DNS cache.
Here is the sample output.
 
I hope this post helps you configure Unbound as a caching server; share your feedback below! The next post will be on send-only Postfix configuration.
