user:gp68:unbound

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
user:gp68:unbound [2024-09-02T17:04:54Z] – [Refresh script] gp68user:gp68:unbound [2024-09-03T11:03:59Z] (current) gp68
Line 1: Line 1:
 ====== Unbound Howto ====== ====== Unbound Howto ======
  
 +This setup is build as an example to work as tier1 or tier2 server. \\
 +There is an update script which sets up all slave zones and does an tier1 anmd tiar2 server test after update. \\
 +The update script also checks dnssec basics and updates the files in git. \\
 +///etc/unbound// is a git repository in my setup.
 + 
 ===== Base setup ===== ===== Base setup =====
  
-<code>+<file txt unbound.conf>
 server: server:
  verbosity: 1  verbosity: 1
Line 10: Line 15:
  # ----------------------  # ----------------------
  # optimizations https://nlnetlabs.nl/documentation/unbound/howto-optimise/  # optimizations https://nlnetlabs.nl/documentation/unbound/howto-optimise/
 +        # adjust for your needs
  # ----------------------  # ----------------------
  num-threads: 2  num-threads: 2
Line 30: Line 36:
  stream-wait-size: 8m #default 4m  stream-wait-size: 8m #default 4m
  # ----------------------  # ----------------------
 +        # can be set to 0 if you don't need
 +        #
  statistics-interval: 1200  statistics-interval: 1200
  # ----------------------  # ----------------------
Line 42: Line 50:
  tls-service-key: /etc/unbound/privkey.pem  tls-service-key: /etc/unbound/privkey.pem
  tls-service-pem: /etc/unbound/fullchain.pem  tls-service-pem: /etc/unbound/fullchain.pem
-        # +        # i don't like files :-) 
  use-syslog: yes  use-syslog: yes
-        # first start+        # ------------------------------------- 
 +        # for the first start update files 
 +        # named.cache.opennic and opennic.dnskey 
 +        # manually 
 +        # -------------------------------------
  # drill . ns @161.97.219.84 > named.cache.opennic  # drill . ns @161.97.219.84 > named.cache.opennic
  # dig -t DNSKEY . @161.97.219.84 | dnssec-dsfromkey -1 -f - . > opennic.dnskey  # dig -t DNSKEY . @161.97.219.84 | dnssec-dsfromkey -1 -f - . > opennic.dnskey
Line 50: Line 62:
  root-hints: "/etc/unbound/named.cache.opennic"  root-hints: "/etc/unbound/named.cache.opennic"
  trust-anchor-file: "/etc/unbound/opennic.dnskey"  trust-anchor-file: "/etc/unbound/opennic.dnskey"
 +        # --------------------------------------------------
  # dnssec not working at the moment for all domains  # dnssec not working at the moment for all domains
 +        # --------------------------------------------------
  harden-dnssec-stripped: no  harden-dnssec-stripped: no
  harden-glue:  no  harden-glue:  no
- aggressive-nsec: no  + aggressive-nsec: no 
- do-not-query-localhost: no+        # access control for everyone ai and ipv6
  access-control: 0.0.0.0/0 allow  access-control: 0.0.0.0/0 allow
  access-control: ::0/0 allow  access-control: ::0/0 allow
- #+no identity needed
  hide-identity: yes  hide-identity: yes
  identity: "pope.vatican.va"  identity: "pope.vatican.va"
Line 63: Line 77:
  version:  "0.0"  version:  "0.0"
  tls-system-cert: yes  tls-system-cert: yes
 +        # DOS protection
  #ip-ratelimit-factor: 10  #ip-ratelimit-factor: 10
     #ip-ratelimit: 60     #ip-ratelimit: 60
     ratelimit: 100     ratelimit: 100
 +        # ---------------------------------------
 +        # for start make am empty file
 +        # will be updated by refresh script
 +        # 
  include: /etc/unbound/opennic_server.conf  include: /etc/unbound/opennic_server.conf
-  +
-local-zone: "168.192.in-addr.arpa." transparent +enable control via locahhost
-local-zone: "10.in-addr.arpa." transparent +
-local-zone: "16.172.in-addr.arpa." transparent +
-local-zone: "17.172.in-addr.arpa." transparent +
-local-zone: "18.172.in-addr.arpa." transparent +
-local-zone: "19.172.in-addr.arpa." transparent +
-local-zone: "20.172.in-addr.arpa." transparent +
-local-zone: "21.172.in-addr.arpa." transparent +
-local-zone: "22.172.in-addr.arpa." transparent +
-local-zone: "23.172.in-addr.arpa." transparent +
-local-zone: "24.172.in-addr.arpa." transparent +
-local-zone: "25.172.in-addr.arpa." transparent +
-local-zone: "26.172.in-addr.arpa." transparent +
-local-zone: "27.172.in-addr.arpa." transparent +
-local-zone: "28.172.in-addr.arpa." transparent +
-local-zone: "29.172.in-addr.arpa." transparent +
-local-zone: "30.172.in-addr.arpa." transparent +
-local-zone: "31.172.in-addr.arpa." transparent +
-local-zone: "0.in-addr.arpa." transparent +
-local-zone: "127.in-addr.arpa." transparent +
-local-zone: "254.169.in-addr.arpa." transparent +
-local-zone: "2.0.192.in-addr.arpa." transparent +
-local-zone: "100.51.198.in-addr.arpa." transparent +
-local-zone: "113.0.203.in-addr.arpa." transparent +
-local-zone: "255.255.255.255.in-addr.arpa." transparent +
-local-zone: "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." transparent +
-local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." transparent +
-local-zone: "d.f.ip6.arpa." transparent +
-local-zone: "8.e.f.ip6.arpa." transparent +
-local-zone: "9.e.f.ip6.arpa." transparent +
-local-zone: "a.e.f.ip6.arpa." transparent +
-local-zone: "b.e.f.ip6.arpa." transparent +
-local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." transparent +
-local-zone: "onion." always_null +
-test local +
-just an example +
-#local-zone: "porno." static +
-#local-data: 'porno. IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800' +
-#local-data: 'rechner.porno. IN A 127.0.0.1' +
 remote-control: remote-control:
  control-enable: yes  control-enable: yes
-  + 
-</code>+include: /etc/unbound/opennic_domains.conf 
 +</file>
  
 ===== Refresh script ===== ===== Refresh script =====
  
 +Gets the opennic root nameserver from the web
  
-<code>+<file perl getroot_opennic.pl>
 #!/usr/bin/perl #!/usr/bin/perl
  
Line 152: Line 134:
     print $1 . "\n";     print $1 . "\n";
 } }
-</code>+</file> 
 + 
 +Refreshes the files 
 +  * opennic.dnskey          ( dnssec root key ) 
 +  * named.cache.opennic     ( dns root cache ) 
 +  * opennic_server.conf     ( allow unsecure dnssec queries for opennic domains ) 
 +  * opennic_domains.conf    ( opennic zones secondary ) 
 + 
 +The script locks for single usage and checks the serial of the root zone for changes.
  
-<code>+<file bash refresh_base.sh>
 #!/bin/bash #!/bin/bash
  
Line 341: Line 331:
 sleep 10 sleep 10
  
-wget -q --no-check-certificate -O test.txt 'https://report.opennicproject.org/t2log/t1.php?ip_addr=$MYIP'+wget -q --no-check-certificate -O test.txt "https://report.opennicproject.org/t2log/t1.php?ip_addr=$MYIP"
 if [ $(cat test.txt | perl -n -e 'if ( $p == 1 ) { /Passed/ && print "OK\n" ; $p = 0; } else { if ( /Test results:/ ) { $p=1; } }') != 'OK' ] ; then if [ $(cat test.txt | perl -n -e 'if ( $p == 1 ) { /Passed/ && print "OK\n" ; $p = 0; } else { if ( /Test results:/ ) { $p=1; } }') != 'OK' ] ; then
     echo "Opennic Tier1 TEST FAILED"     echo "Opennic Tier1 TEST FAILED"
Line 353: Line 343:
 sleep 10 sleep 10
  
-wget -q --no-check-certificate -O test.txt 'https://servers.opennicproject.org/srvtest3/test.php?ip=$MYIP&ns=$MYIP'+wget -q --no-check-certificate -O test.txt "https://servers.opennicproject.org/srvtest3/test.php?ip=$MYIP&ns=$MYIP"
 if [ $(cat test.txt | perl -n -e '/Server\sstatus(.*)$/ && print $1;'  | perl -n -e '/\[(.+)\]/ && print $1;') != '100%' ] ; then if [ $(cat test.txt | perl -n -e '/Server\sstatus(.*)$/ && print $1;'  | perl -n -e '/\[(.+)\]/ && print $1;') != '100%' ] ; then
     echo "Opennic Tier2 TEST FAILED"     echo "Opennic Tier2 TEST FAILED"
Line 371: Line 361:
  
 git commit -am "Serial: $serial" git commit -am "Serial: $serial"
-</code>+</file>
  
  • /wiki/data/attic/user/gp68/unbound.1725296694.txt.gz
  • Last modified: 6 months ago
  • by gp68