kirby/documentation
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
documentation/ansible/roles/unbound_resolver/README.md
kirby dd1900fffe add unbound_resolver role
2025-05-28 11:15:47 +02:00

2.7 KiB
Raw Blame History

Unbound

This role install and configure an Unbound resolver. It also install a prometheus exporter compiled from letsencrypt/unbound_exporter

Targets

  • Debian

Role variables

  • unbound_interfaces: list of interfaces Unbound has to listen on. If not specified, Unbound will listen on 0.0.0.0.
  • unbound_authorized_cidrs: list of authorized CIDRS to query the resolver. As Unbound rejects everything by default, if none is set, the resolver won't answer to anyone.
  • unbound_threads: number of threads Unbound runs on. (default: 1)
  • unbound_cache_size: size of Unbound cache, in Mb. (default: 100)
  • unbound_zones: dictionnary about zones that need to be forwarded to another DNS server. It contains info for every managed zone : name: name of the zone forward_ip: list of the servers to forward queries to private: boolean, has to be specified for dummies zones (ex: .priv). It disables DNSSEC validation for thoses zones.

Zones that are not explicitely specified in forwards will be forwarded to root servers.

Prometheus exporter

  • For the exporter to work properly you need to run the following command on each resolver :
unbound-control-setup
  • You also need to ensure that the "extended-statistics: yes" directive is in the conf (it is here).
  • The exporter configuration can be change by modifying the systemd service template.

Unbound logging

In order to enable query log, you need to do the following :

  • Add the following directives to the config :
    logfile: "/var/log/unbound/unbound.log"
    log-time-ascii: yes
    log-queries: yes
    log-replies: yes # will log informations about the reply, slows response time.
  • Add the following line in /etc/apparmor.d/usr.sbin.unbound (with the comma) :
  /var/log/unbound/unbound.log rw,
  • Run the following commands to create both directory and file for logging :
mkdir /var/log/unbound
touch /var/log/unbound/unbound.log
chown -R unbound:unbound /var/log/unbound
apparmor_parser -r /etc/apparmor.d/usr.sbin.unbound
  • Restart unbound.

Example

In this example, we specify to forward queries for domain aaa.com to xxx.xxx.xxx.xxx, bbb.com to yyy.yyy.yyy.yyy or xxx.xxx.xxx.xxx as a failover, and requests for a private zone to zzz.zzz.zzz.zzz :

unbound_interfaces:
  - "aaa.aaa.aaa.aaa"

unbound_authorized_cidrs:
  - "aaa.aaa.aaa.0/24"
  - "bbb.bbb.bbb.bbb/32"

unbound_threads: 2
unbound_cache_size: 1536

unbound_zones:
  - name: "aaa.com"
    forward_ip:
      - xxx.xxx.xxx.xxx
  - name: "bbb.com"
    forward_ip:
      - yyy.yyy.yyy.yyy
      - xxx.xxx.xxx.xxx
  - name: "mysuperprivatezone.priv"
    forward_ip:
      - zzz.zzz.zzz.zzz
    private: true