texasqert.blogg.se

Unbound synonym





If you only want to forward queries to an external DNS server, skip ahead to #Forward all remaining requests. Allow local network to use DNS Using openresolv The second should give an rcode of NOERROR. The first command should give an rcode of SERVFAIL. Here the response should include (BOGUS (security failure)). Additionally you can use drill to test the resolver as follows: The response should be the IP address with the word (secure) next to it. To test if DNSSEC is working, after starting rvice, do: Note: Including DNSSEC checking significantly increases DNS lookup times for initial lookups before the address is cached. If general #Forwarding queries have been set to DNS servers that do not support DNSSEC, their answers, whatever they are, should be considered insecure since no DNSSEC validation could be performed. etc/unbound/trusted-key.key is copied from /etc/trusted-key.key, which is provided by the dnssec-anchors dependency, whose PKGBUILD generates the file with unbound-anchor(8). DNSSEC validation will only be done if the DNS server being queried supports it. etc/unbound/nf trust-anchor-file: trusted-key.key To use DNSSEC validation, the following setting for the server trust anchor should be under server:: See #Roothints systemd timer for an example.


This can be done manually or by using Systemd/Timers. When actually using this file, and not the builtin hints, it is a good idea to update root.hints every six months or so in order to make sure the list of root servers is up to date.


The simplest way to do this is to run the command: Then, put a root hints file into the unbound configuration directory. Otherwise, it is good practice to use a root-hints file since the builtin hints may become outdated. First point unbound to the root.hints file: Therefore, if the package is updated regularly, no manual intervention is required. Unbound comes with default builtin hints. You can now set up unbound such that it is #Forwarding queries, perhaps all queries, to the DNS servers of your choice. For recursively querying a host that is not cached as an address, the resolver needs to start at the top of the server tree and query the root servers, to know where to go for the top level domain for the address being queried. See Domain name resolution#Lookup utilities on how to test your settings. Check specifically that the server being used is ::1 or 127.0.0.1 after making permanent changes to nf. Then run resolvconf -u to generate /etc/nf. Tip: A simple way to do this is to install openresolv and configure /etc/nf: Make sure to protect /etc/nf from modification as described in Domain name resolution#Overwriting of /etc/nf. If you want to use unbound as your local DNS server, set your nameserver to the loopback addresses ::1 and 127.0.0.1 in /etc/nf: Unless otherwise specified, any options listed in this section are to be placed under the server section in the configuration like so:


See nf(5) for other settings and more details. The following sections highlight different settings for the configuration file. Additionally, the expat package is required for #DNSSEC validation. A default configuration is already included at /etc/unbound/nf.





