How to set up a DNS caching server using Unbound on Ubuntu

Introduction to Unbound

Unbound is a nice single-purpose DNS caching solution for when something like BIND is just too heavy and too much.

Unfortunately the Unbound website isn’t entirely clear on how to install an MVP version on Ubuntu, so you have to scout the internet and use quite a bit of trial and error when setting it up. The basics are simple: install the package, set access control to your specific networks or hosts, and Bob’s your uncle. Unfortunately this doesn’t work with the basic configuration, and the Unbound documentation doesn’t make that clear.

This article shows how to install it on Ubuntu, gives a working example configuration file, and points out a caveat or two when using this software.

Installation

apt install unbound

Check if it’s running (caveat #1, it will be running the 1st time, but not the 2nd time):

# service unbound status
● unbound.service - Unbound DNS server
Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2023-10-23 05:55:17 UTC; 11s ago
...
Tasks: 1 (limit: 1102)
Memory: 8.4M
CPU: 65ms
...
Oct 23 05:55:17 unbound1 systemd[1]: Starting Unbound DNS server...
Oct 23 05:55:17 unbound1 package-helper[1152]: /var/lib/unbound/root.key does not exist, copying from /usr/share/dns/root.key

At the first attempt Unbound is running. Now on to configuration.

File locations

Unbound keeps its configuration in /etc/unbound. Furthermore, Unbound includes configuration from /etc/unbound/unbound.conf.d by way of this line in /etc/unbound/unbound.conf:

include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"

Basic Configuration File

server:
port: 53
interface: 0.0.0.0
access-control: 192.168.0.0/24 allow

But when you restart it using service unbound restart, suddenly there is no service and no idea why either (cat /var/log/syslog):

Oct 23 06:13:05 unbound1 unbound[2187]: [1698041585] unbound[2187:0] error: can't bind socket: Address already in use for 0.0.0.0 port 53
Oct 23 06:13:05 unbound1 unbound[2187]: [1698041585] unbound[2187:0] fatal error: could not open ports

The problem with a default Ubuntu installation is that it already has a default resolver running on port 53. When you first start Unbound without any configuration, the two apparently co-exist quite well. The problem appears once you apply even a basic configuration: interface: 0.0.0.0 asks for port 53 on every address, which collides with the resolver already listening on 127.0.0.53.

You can see what’s already running on port 53 by doing this:

# sudo netstat -tulpn | grep 53
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 520/systemd-resolve
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 1156/unbound
tcp 0 0 127.0.0.1:8953 0.0.0.0:* LISTEN 1156/unbound
tcp6 0 0 ::1:8953 :::* LISTEN 1156/unbound
tcp6 0 0 ::1:53 :::* LISTEN 1156/unbound
udp 0 0 127.0.0.1:53 0.0.0.0:* 1156/unbound
udp 0 0 127.0.0.53:53 0.0.0.0:* 520/systemd-resolve
udp6 0 0 ::1:53 :::* 1156/unbound

If you don’t have netstat, apt install net-tools.
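As an added example that is not part of the article, the following script reads netstat output and reports every program other than unbound that already holds port 53, so the conflict is visible before Unbound is reconfigured to bind 0.0.0.0. The sample netstat output embedded in it is constructed to match the listing above; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the article: report which processes hold port 53
# so a bind conflict is visible before Unbound is reconfigured to 0.0.0.0.
# Input is `netstat -tulpn` output on stdin; the sample below is constructed.

# Print "proto local-address program" for every socket bound to port 53.
# Field 1 is the protocol, field 4 the local address, the last field PID/Program.
port53_listeners() {
  awk '
    $1 ~ /^(tcp|udp)6?$/ && $4 ~ /:53$/ {
      prog = $NF
      sub(/^[0-9]+\//, "", prog)     # "520/systemd-resolve" -> "systemd-resolve"
      print $1, $4, prog
    }'
}

# Programs other than unbound that already sit on port 53, one per line.
port53_conflicts() {
  port53_listeners | awk '$3 != "unbound" { print $3 }' | sort -u
}

# Constructed sample in the shape of the article's netstat output.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      520/systemd-resolve
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      1156/unbound
tcp        0      0 127.0.0.1:8953          0.0.0.0:*               LISTEN      1156/unbound
tcp6       0      0 ::1:53                  :::*                    LISTEN      1156/unbound
udp        0      0 127.0.0.1:53            0.0.0.0:*                           1156/unbound
udp        0      0 127.0.0.53:53           0.0.0.0:*                           520/systemd-resolve'

# Real use on a host: sudo netstat -tulpn | port53_conflicts
# Demonstration on the constructed sample (prints "systemd-resolve"):
printf '%s\n' "$SAMPLE_NETSTAT" | port53_conflicts
```

The port match is anchored on ":53" at the end of the local address, so the remote-control socket on 8953 is not mistaken for a DNS listener.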

Getting rid of Ubuntu’s resolver

If you want to get rid of Ubuntu’s resolver, do this:

systemctl stop systemd-resolved.service
systemctl disable systemd-resolved.service

A more advanced configuration file

Here is a more advanced configuration file:

server:
port: 53
verbosity: 0
num-threads: 2
outgoing-range: 512
num-queries-per-thread: 1024
msg-cache-size: 32m
interface: 0.0.0.0
rrset-cache-size: 64m
cache-max-ttl: 86400
infra-host-ttl: 60
infra-lame-ttl: 120
access-control: 192.168.0.0/24 allow
username: unbound
directory: "/etc/unbound"
logfile: "/var/log/unbound.log"
use-syslog: yes
hide-version: yes
so-rcvbuf: 4m
so-sndbuf: 4m
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes
remote-control:
control-enable: yes
control-port: 953
control-interface: 0.0.0.0

Problems with so-rcvbuf and so-sndbuf

However, running this will present this issue:

warning: so-rcvbuf 4194304 was not granted. Got 425984. To fix: start with root permissions(linux) or sysctl bigger net.core.rmem_max(linux) or kern.ipc.maxsockbuf(bsd) values.

The issue is that so-rcvbuf wants 4194304 and only got 425984. In more human-readable terms, the receive buffer wants 4 megabytes but is only getting 416 kilobytes.

The fix is:

sysctl -w net.core.rmem_max=4194304

The next problem is this:

warning: so-sndbuf 4194304 was not granted. Got 425984. To fix: start with root permissions(linux) or sysctl bigger net.core.wmem_max(linux) or kern.ipc.maxsockbuf(bsd) values.

The fix is:

sysctl -w net.core.wmem_max=4194304

Note: these values must be persisted in /etc/sysctl.conf, otherwise they are lost at reboot.
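As an added example (not from the article), this script turns the so-rcvbuf/so-sndbuf warnings into the sysctl keys that satisfy them and persists those keys without creating duplicate entries. The syslog lines it parses are constructed to match the two warnings above; the function names and the use of a temporary file for the demonstration are my own.

```shell
#!/bin/sh
# Added example, not from the article: turn Unbound's so-rcvbuf/so-sndbuf
# warnings into the sysctl keys that satisfy them and persist them so they
# survive a reboot. The log lines below are constructed.

# Convert a byte count to whole KiB (425984 -> 416, as in the warning).
bytes_to_kib() {
  echo $(( $1 / 1024 ))
}

# Read warning lines on stdin; print "key=value" for each buffer not granted.
# so-rcvbuf maps to net.core.rmem_max and so-sndbuf to net.core.wmem_max,
# exactly as the warning text itself suggests.
sysctl_fixes() {
  awk '
    /was not granted/ {
      for (i = 1; i < NF; i++) {
        if ($i == "so-rcvbuf") print "net.core.rmem_max=" $(i + 1)
        if ($i == "so-sndbuf") print "net.core.wmem_max=" $(i + 1)
      }
    }' | sort -u
}

# Persist "key=value" lines (stdin) into a sysctl file, replacing an existing
# entry for the same key rather than appending a duplicate.
persist_sysctl() {
  target=$1
  while IFS= read -r kv; do
    [ -n "$kv" ] || continue
    key=${kv%%=*}
    if [ -f "$target" ] && grep -q "^$key=" "$target"; then
      { grep -v "^$key=" "$target" || :; } > "$target.tmp"
      mv "$target.tmp" "$target"
    fi
    printf '%s\n' "$kv" >> "$target"
  done
}

# Apply the same lines live with sysctl -w (needs root; prints otherwise).
apply_sysctl() {
  while IFS= read -r kv; do
    [ -n "$kv" ] || continue
    if [ "$(id -u)" -eq 0 ]; then
      sysctl -w "$kv"
    else
      echo "would run: sysctl -w $kv"
    fi
  done
}

# Constructed syslog lines in the shape of the warnings above.
SAMPLE_WARNINGS='Oct 23 06:20:01 unbound1 unbound[2301]: [1698042001] unbound[2301:0] warning: so-rcvbuf 4194304 was not granted. Got 425984. To fix: start with root permissions(linux) or sysctl bigger net.core.rmem_max(linux) or kern.ipc.maxsockbuf(bsd) values.
Oct 23 06:20:01 unbound1 unbound[2301]: [1698042001] unbound[2301:0] warning: so-sndbuf 4194304 was not granted. Got 425984. To fix: start with root permissions(linux) or sysctl bigger net.core.wmem_max(linux) or kern.ipc.maxsockbuf(bsd) values.
Oct 23 06:20:01 unbound1 unbound[2301]: [1698042001] unbound[2301:0] info: start of service.'

# Real use (as root):
#   grep 'was not granted' /var/log/syslog | sysctl_fixes | persist_sysctl /etc/sysctl.conf
#   grep 'was not granted' /var/log/syslog | sysctl_fixes | apply_sysctl
# Demonstration on the constructed sample, writing to a temporary file:
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_WARNINGS" | sysctl_fixes | persist_sysctl "$demo_file"
cat "$demo_file"
rm -f "$demo_file"
```

The parser walks the fields rather than relying on fixed positions, so it works on the raw Unbound warning and on the same line with a syslog prefix in front of it.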

error: Could not open logfile /var/log/unbound.log: Permission denied

One would think something like touch /var/log/unbound.log and chown unbound:unbound would work, but uh-uh. Next one would think maybe it should be chmod 644, but also no go. The problem is more complex, as seen by this:

apparmor_status
...
1 processes are in enforce mode.
/usr/sbin/unbound (3495)
...

Next one would think this will solve the problem:

systemctl stop apparmor

Nope, you have to do this:

vim /etc/apparmor.d/local/usr.sbin.unbound

Then add this:

# Site-specific additions and overrides for usr.sbin.unbound.
# For more details, please see /etc/apparmor.d/local/README.
/var/log/unbound.log rw,

Then this:

apparmor_parser -r /etc/apparmor.d/usr.sbin.unbound
service unbound restart

Yay! Finally a working log file.
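As an added example that is not the article's own, this script derives the AppArmor override rule from the logfile: line in the Unbound configuration, so the path in the rule always matches the path Unbound actually opens, and adds the rule only once. The configuration fragment is constructed; the function names are mine, and the real-use paths in the comments are the ones the article names.

```shell
#!/bin/sh
# Added example, not from the article: derive the AppArmor override from the
# logfile: line in the Unbound config, so the rule names the exact path
# Unbound will open, and add it only once. The config text below is constructed.

# Print the logfile path from an unbound.conf (quotes stripped, first match;
# commented-out lines are skipped because their first field is "#").
unbound_logfile() {
  awk '$1 == "logfile:" { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# Append "<path> rw," to the local override unless it is already there.
apparmor_allow_logfile() {
  logfile=$1
  override=$2
  rule="$logfile rw,"
  if [ -f "$override" ] && grep -qxF "$rule" "$override"; then
    return 0                      # already granted, nothing to do
  fi
  printf '%s\n' "$rule" >> "$override"
}

# Reload the profile and restart Unbound, only as root on a host with AppArmor.
reload_unbound_profile() {
  if [ "$(id -u)" -eq 0 ] && command -v apparmor_parser >/dev/null 2>&1; then
    apparmor_parser -r /etc/apparmor.d/usr.sbin.unbound
    service unbound restart
  else
    echo "skipping reload: run as root on a host with AppArmor"
  fi
}

# Constructed config fragment in the shape of the advanced configuration above.
SAMPLE_CONF='server:
    port: 53
    # logfile: "/var/log/unbound/ignored.log"
    logfile: "/var/log/unbound.log"
    use-syslog: yes'

# Real use (as root):
#   apparmor_allow_logfile "$(unbound_logfile /etc/unbound/unbound.conf.d/server.conf)" \
#       /etc/apparmor.d/local/usr.sbin.unbound
#   reload_unbound_profile
# Demonstration on temporary files:
conf=$(mktemp)
override=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$conf"
path=$(unbound_logfile "$conf")
apparmor_allow_logfile "$path" "$override"
apparmor_allow_logfile "$path" "$override"   # second call must not duplicate
cat "$override"                              # prints "/var/log/unbound.log rw,"
rm -f "$conf" "$override"
```

Deriving the rule from the configuration is the check that matters here: a rule for a path other than the one in logfile: leaves the profile enforcing and the log file still unwritable.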

Happy DNS’sing and leave us a comment if you have a comment.
