version=pmwiki-2.2.130 ordered=1 urlencoded=1 agent=w3m/0.5.3+git20210102 author=jrmu charset=UTF-8 csum= ctime=1597224841 host=38.81.163.143 name=Openbsd.Unbound rev=12 targets=Openbsd.Znc time=1624795975

(:redirect Unbound.Configure:)
Unbound is a caching DNS resolver that comes as part of the OpenBSD base system. You can use it to provide faster and more secure DNS lookups for the users on your network.

Here's a sample /var/unbound/etc/unbound.conf:

[@
server:
    interface: 127.0.0.1 # listen on localhost
    interface: ::1
    #interface: 10.0.0.1 # provide DNS for users on the IPSec internal network
    #do-ip6: no

    access-control: 0.0.0.0/0 refuse # block all users by default
    access-control: 10.0.0.0/8 allow # allow users on the internal network to use unbound
    access-control: 127.0.0.0/8 allow # allow localhost to use unbound
    access-control: ::0/0 refuse # block all IPv6 users by default
    access-control: ::1 allow # allow IPv6 localhost to use unbound

    hide-identity: yes
    hide-version: yes

remote-control:
    control-enable: yes
    control-interface: /var/run/unbound.sock

forward-zone:
    name: "."
    forward-addr: 185.117.154.144
    forward-addr: 165.227.40.43
    forward-addr: 217.144.132.169
    forward-addr: 212.237.22.141
    forward-addr: 165.227.108.86
@]

The forward-addr lines indicate which nameservers unbound will query. You can find a list of public servers on [[https://servers.opennic.org/|OpenNIC]].

If another server is the master for a zone, forward queries for that zone to it ahead of the general forwarders:

[@
forward-zone:
    name: "example.com."
    forward-addr: 10.10.10.10@53
    forward-first: no
    forward-no-cache: no
@]

If you need to serve local zones, add a block like this to the server: section:

[@
    local-zone: "localhost." static
    local-data: "localhost. 10800 IN NS localhost."
    local-data: "localhost. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
    local-data: "localhost. 10800 IN A 127.0.0.1"
    local-data: "localhost. 10800 IN AAAA ::1"
@]

To start unbound:

[@
$ doas rcctl enable unbound
$ doas rcctl start unbound
@]

On the computer that runs unbound, make sure /etc/resolv.conf uses 127.0.0.1 as the nameserver (that is, you query the unbound instance listening on port 53). In /etc/resolv.conf:

[@
nameserver 127.0.0.1
lookup file bind
@]

Check that /etc/resolv.conf.tail does not contain any nameserver other than 127.0.0.1. All your upstream nameservers should instead be specified in /var/unbound/etc/unbound.conf.

If the computer running unbound uses DHCP for network configuration, include this line in /etc/dhclient.conf:

[@
ignore domain-name-servers;
@]

This tells OpenBSD's dhclient to ignore the nameservers provided by the DHCP server.

If the computer running unbound is also providing a DHCP server for your local network, add this line inside your /etc/dhcpd.conf blocks:

[@
option domain-name-servers 192.168.1.1;
@]

Here's how to use unbound as a local caching resolver:

Edit /etc/resolv.conf so it queries localhost on port 53:

[@
# Generated by age0 dhclient
nameserver 127.0.0.1
lookup file bind
@]

Inside /var/unbound/etc/unbound.conf, you will see this at the top:

[@
server:
    interface: 127.0.0.1
    interface: ::1

    # override the default "any" address to send queries; if multiple
    # addresses are available, they are used randomly to counter spoofing
    #outgoing-interface: 192.0.2.1
    #outgoing-interface: 2001:db8::53

    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::0/0 refuse
    access-control: ::1 allow
@]

Make sure you are listening on 127.0.0.1 (for localhost) so that your VPS can query localhost on port 53, and also on ::1 port 53 (for IPv6).

For access control, you want to refuse 0.0.0.0/0 (all IPv4 addresses) but allow 127.0.0.0/8 (everything that originates locally). Likewise, refuse ::0/0 (all IPv6 addresses) but allow ::1 (localhost). Unbound applies the most specific matching netblock, so the /8 and ::1 allow entries override the /0 refuse entries for local clients while everything else stays refused.

Put this at the bottom of the file:

[@
forward-zone:
    name: "." # use for ALL queries
    forward-addr: 163.53.248.170
    forward-addr: 103.236.162.119
    forward-addr: 192.99.85.244
    forward-addr: 31.171.251.118
    forward-addr: 51.254.25.115
    forward-addr: 46.101.70.183
    forward-addr: 45.71.112.70
    forward-addr: 87.98.175.85
    forward-addr: 185.208.208.141
    forward-addr: 89.35.39.64
    forward-addr: 87.98.175.85
    forward-addr: 172.98.193.42
    forward-addr: 111.67.20.8
@]

These are IP addresses for DNS servers which I got from [[https://servers.opennic.org/]]. However, the servers change regularly, so make sure you update the list.

'''Tip''': To quickly get the IPs from OpenNIC, click on the OK button at the top, then open your web browser's JavaScript console and run this:

[@
clear();
data = document.querySelectorAll("html body div#frame div#view div#srvlist div p");
document.body.innerText = "forward-addr: 9.9.9.9";
data.forEach(line => {
    // keep only servers whose listing says "No logs kept"
    if (line.childNodes[0].childNodes[1].title == "No logs kept") {
        document.body.innerHTML += `<br>forward-addr: ${line.childNodes[2].childNodes[0].data}`;
    }
});
@]

To start unbound:

[@
$ doas rcctl enable unbound
$ doas rcctl start unbound
@]

To test whether unbound is working:

[@
$ dig @127.0.0.1 google.com
@]

You should see something like this:

[@
;; ANSWER SECTION:
google.com. 29 IN A 172.217.27.142
@]

!! DNSSec

In /var/unbound/etc/unbound.conf, there are these two lines:

[@
# auto-trust-anchor-file: "/var/unbound/db/root.key"
# aggressive-nsec: no
@]

Both should be commented out to turn off DNSSEC.

I have not yet found out how to turn on DNSSEC safely. The problem is that if you turn on DNSSEC it will refuse to serve DNS records that don't have DNSSEC enabled. This can cause [[openbsd/znc|segfaults in znc]]!

!! Stale hostname

If you ever change your host's IP address, /etc/hosts may be intercepting the name lookup and giving you the old IP address.

Make sure there is no entry in the /etc/hosts file that is causing your machine to use the old IP.
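The access-control rules above are only as good as their interaction with the interface: lines, and the usual mistake is an allow netblock wide enough to turn the box into an open resolver. The following checker is an added example, not code from this page or from the Unbound project. It re-implements one rule from unbound.conf(5) (the most specific matching netblock wins, and addresses that match nothing are refused unless they are loopback) over a constructed unbound.conf in the layout shown above; the sample texts, the thresholds for "too wide" and the heuristic of using a listen address to stand in for the network it serves are all assumptions of this example.

```python
"""Audit the interface / access-control pairing in an unbound.conf.

Added example, not part of the page or of Unbound. Implements the matching
rule from unbound.conf(5): the most specific access-control netblock wins;
an address that matches nothing is refused unless it is loopback.
"""
import ipaddress

# Constructed sample in the layout the page uses (not a real host's file).
SAMPLE_CONF = """\
server:
    interface: 127.0.0.1 # listen on localhost
    interface: ::1
    interface: 10.0.0.1 # provide DNS for users on the internal network

    access-control: 0.0.0.0/0 refuse # block all users by default
    access-control: 10.0.0.0/8 allow # allow the internal network
    access-control: 127.0.0.0/8 allow # allow localhost
    access-control: ::0/0 refuse
    access-control: ::1 allow

    hide-identity: yes
    hide-version: yes

remote-control:
    control-enable: yes
"""

# Constructed contrast case: the classic open-resolver mistake.
OPEN_RESOLVER_CONF = """\
server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow
"""

ALLOW_ACTIONS = {"allow", "allow_snoop", "allow_setrd"}


def parse_server_section(text):
    """Return (interfaces, acls) from the server: clause; '#' comments are dropped.
    acls is a list of (ip_network, action) in file order."""
    interfaces, acls = [], []
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith(":") and " " not in line:  # server:, remote-control:, forward-zone:
            section = line[:-1]
            continue
        if section != "server":
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "interface":
            interfaces.append(value.split("@", 1)[0])  # drop an optional @port suffix
        elif key == "access-control":
            net, action = value.split()
            acls.append((ipaddress.ip_network(net, strict=False), action))
    return interfaces, acls


def decide(addr, acls):
    """Action Unbound takes for a client at addr: longest matching prefix wins."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, action in acls:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    if best is None:
        return "allow" if ip.is_loopback else "refuse"  # Unbound's built-in default
    return best[1]


def audit(text):
    """Findings a defender cares about: listeners whose own network is refused
    (a misconfiguration) and allow rules wide enough to create an open resolver."""
    interfaces, acls = parse_server_section(text)
    findings = []
    for addr in interfaces:
        if addr in ("0.0.0.0", "::", "::0"):
            findings.append(f"interface {addr}: listening on every address")
        elif decide(addr, acls) not in ALLOW_ACTIONS:
            # heuristic (assumption of this example): the listen address stands in for its network
            findings.append(f"interface {addr}: clients on its network are refused")
    for net, action in acls:
        widest = 8 if net.version == 4 else 32  # 10.0.0.0/8 passes; 0.0.0.0/0 allow does not
        if action in ALLOW_ACTIONS and net.prefixlen < widest:
            findings.append(f"access-control {net} {action}: open resolver for the Internet")
    return findings


if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_CONF), ("open resolver", OPEN_RESOLVER_CONF)):
        print(name, audit(conf) or "ok")
```

Run it against a copy of your own file with `audit(open("/var/unbound/etc/unbound.conf").read())`; an empty list means every listener is covered by an allow and no allow reaches beyond a /8 (IPv4) or /32 (IPv6).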
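The resolv.conf, resolv.conf.tail and dhclient.conf steps above, and the stale /etc/hosts entry described under "Stale hostname", are all places where a query can quietly bypass the local unbound. The following preflight script is an added example, not code from this page or from OpenBSD; it works on file contents passed in as text so it runs offline, and the sample files, the hostname and the addresses in it are constructed. Only `check_host()` touches a real system, and then only under the root directory you give it.

```python
"""Preflight checks for the resolver plumbing around a local unbound.

Added example (not from the page or from OpenBSD). All checks take file
contents as text; check_host() is the only function that reads real files.
"""
from pathlib import Path

LOOPBACK = {"127.0.0.1", "::1"}


def _uncommented(text):
    """Yield non-empty lines with '#' comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def nameservers(text):
    """Addresses from 'nameserver X' lines in resolv.conf-style text."""
    return [parts[1] for parts in (l.split() for l in _uncommented(text))
            if len(parts) >= 2 and parts[0] == "nameserver"]


def check_resolv(text, require_nameserver=True):
    """Every nameserver must be the local unbound; resolv.conf.tail may list none."""
    ns = nameservers(text)
    findings = [f"nameserver {n} bypasses the local unbound" for n in ns if n not in LOOPBACK]
    if require_nameserver and not ns:
        findings.append("no nameserver line; add 'nameserver 127.0.0.1'")
    return findings


def dhclient_ignores_dns(text):
    """True if an 'ignore' statement in dhclient.conf covers domain-name-servers."""
    for line in _uncommented(text):
        words = line.rstrip(";").replace(",", " ").split()
        if words and words[0] == "ignore" and "domain-name-servers" in words[1:]:
            return True
    return False


def hosts_entries(text, hostname):
    """Addresses that /etc/hosts maps to hostname (in any name column).
    With 'lookup file bind' these answer before unbound is ever asked."""
    found = []
    for line in _uncommented(text):
        fields = line.split()
        if len(fields) >= 2 and hostname in fields[1:]:
            found.append(fields[0])
    return found


def audit(resolv, tail, dhclient, hosts, hostname, current_ip):
    """Collect findings for one host's set of files (all passed as text)."""
    findings = check_resolv(resolv) + check_resolv(tail, require_nameserver=False)
    if not dhclient_ignores_dns(dhclient):
        findings.append("dhclient.conf lacks 'ignore domain-name-servers;'")
    stale = [ip for ip in hosts_entries(hosts, hostname)
             if ip != current_ip and ip not in LOOPBACK]
    findings += [f"/etc/hosts maps {hostname} to stale address {ip}" for ip in stale]
    return findings


def check_host(hostname, current_ip, root="/"):
    """Run audit() against the live files under root/etc (missing files read as empty)."""
    etc = Path(root) / "etc"

    def read(name):
        path = etc / name
        return path.read_text() if path.exists() else ""

    return audit(read("resolv.conf"), read("resolv.conf.tail"), read("dhclient.conf"),
                 read("hosts"), hostname, current_ip)


# Constructed sample files (not taken from any real machine).
GOOD_RESOLV = "# Generated by age0 dhclient\nnameserver 127.0.0.1\nlookup file bind\n"
BAD_RESOLV = "nameserver 127.0.0.1\nnameserver 192.0.2.53\nlookup file bind\n"
GOOD_DHCLIENT = "ignore domain-name-servers;\n"
HOSTS = "127.0.0.1 localhost\n::1 localhost\n198.51.100.7 vps.example.org vps\n"

if __name__ == "__main__":
    print(audit(GOOD_RESOLV, "", GOOD_DHCLIENT, HOSTS, "vps.example.org", "198.51.100.7") or "ok")
    print(audit(BAD_RESOLV, "", "", HOSTS, "vps.example.org", "203.0.113.9"))
```

On the machine itself, `check_host("vps.example.org", "<its current address>")` reads the real /etc files; a non-empty result points at the exact line that is steering lookups away from unbound or at the /etc/hosts entry still carrying the old address.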