SANOG 41 DNS workshop

Unbound Setup

Recursive DNS Setup using unbound.

In this demo we will configure a recursive DNS server using the unbound package.


Goal: Configure recursive DNS and trigger queries

Log in to the server and install unbound.

  1. Update the package index using apt.

sudo apt update -y

  2. Install unbound using apt.

sudo apt install unbound -y

  3. Check that unbound is installed and note the version.

 unbound -V 

  4. Navigate to the unbound drop-in configuration directory (the packaged unbound.conf includes every *.conf file found there) and create a new file for the custom config.

 cd /etc/unbound/unbound.conf.d

  5. Create a custom config file named 01-server.conf with the content below, starting from the server: line. This makes unbound listen on all IPv4 and IPv6 addresses, so the access-control list added later is what decides who may actually use it.

 sudo vi 01-server.conf

server:
    interface: 0.0.0.0
    interface: ::0

  6. Write the file and exit: press the Escape key first, then type :wq! followed by Enter.

Esc #press escape key
:wq! #followed by Enter

  7. Check the configuration for syntax errors.

unbound-checkconf /etc/unbound/unbound.conf

  8. Restart the unbound daemon and see whether it comes up.

sudo systemctl restart unbound

  9. If the restart fails with the error below, work through the next two steps; if there was no error, skip ahead to the dig test.

Job for unbound.service failed because the control process exited with error code.
See "systemctl status unbound.service" and "journalctl -xe" for details.

  10. Run unbound in the foreground (-d) with verbose logging (-vv) to see why it fails.

sudo unbound -d -vv -c /etc/unbound/unbound.conf


[1713351018] unbound[1761886:0] notice: Start of unbound 1.9.4.
[1713351018] unbound[1761886:0] error: can't bind socket: Address already in use for 0.0.0.0 port 53
[1713351018] unbound[1761886:0] fatal error: could not open ports

  11. If the log says "could not open ports", something is already bound to port 53. Find the process holding it and disable it.

ss -plantu

You will see systemd-resolved's stub listener on 127.0.0.53 port 53 (the process shows up as systemd-resolve). Stop the service and disable it so it does not come back at boot. On these systems /etc/resolv.conf is a symlink to a file that systemd-resolved maintains, which is why it is removed here; name resolution on the server stays broken until you write a new /etc/resolv.conf a few steps below. If you would rather keep systemd-resolved, setting DNSStubListener=no in /etc/systemd/resolved.conf and restarting it also frees port 53.

    Netid  State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
    udp    UNCONN  0       0        127.0.0.53%lo:53     0.0.0.0:*          users:(("systemd-resolve",pid=840,fd=12))
    tcp    LISTEN  0       4096     127.0.0.53%lo:53     0.0.0.0:*          users:(("systemd-resolve",pid=840,fd=13))

sudo rm /etc/resolv.conf 
sudo systemctl stop systemd-resolved.service; sudo systemctl disable systemd-resolved.service

  12. Now start the unbound service and check its status.

sudo systemctl start unbound

  13. Use dig to check that the server resolves queries, here the NS records of learndns.info.

dig @localhost learndns.info ns

  14. Make the server use its own resolver: open /etc/resolv.conf and add localhost as the nameserver.

sudo vi /etc/resolv.conf

 nameserver 127.0.0.1

 Esc
 :wq! #followed by enter
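The troubleshooting step above has you read the ss listing by eye. The script below is an added example (not part of the workshop material) that does the same check programmatically: it pulls the process name and PID out of every socket bound to port 53 and names the systemd unit to stop when systemd-resolved's stub listener is the culprit. The ss output embedded in SAMPLE_SS is constructed for the demonstration (same shape as the workshop's listing, plus an sshd line that must be ignored); on a real server call it as port53_holders "$(sudo ss -plantu)".

```shell
#!/usr/bin/env bash
# Find out what is holding port 53 from `ss -plantu` output.
# SAMPLE_SS is constructed test input in the same layout as the workshop listing.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=840,fd=12))
tcp   LISTEN 0      4096   127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=840,fd=13))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=912,fd=3))'

# Print "proto local_addr:port process pid" for every socket whose local port is 53.
# Field 5 of a data row is Local Address:Port; the header row (NR == 1) is skipped.
port53_holders() {
    printf '%s\n' "$1" | awk '
        NR > 1 && $5 ~ /:53$/ {
            proc = ""; pid = ""
            # users:(("systemd-resolve",pid=840,fd=12)) -> "systemd-resolve",pid=840
            if (match($0, /"[^"]+",pid=[0-9]+/)) {
                s = substr($0, RSTART, RLENGTH)
                split(s, parts, ",")
                proc = parts[1]; gsub(/"/, "", proc)
                pid = parts[2]; sub(/^pid=/, "", pid)
            }
            print $1, $5, proc, pid
        }'
}

# Name the unit to stop. Prints systemd-resolved.service when its stub listener
# owns port 53, otherwise the offending process name(s). Returns 1 if port 53 is free.
conflicting_unit() {
    holders=$(port53_holders "$1")
    [ -n "$holders" ] || return 1
    if printf '%s\n' "$holders" | grep -q 'systemd-resolve'; then
        echo systemd-resolved.service
    else
        printf '%s\n' "$holders" | awk '{print $3}' | sort -u
    fi
}

# Demonstration on the constructed sample (no root needed).
port53_holders "$SAMPLE_SS"
conflicting_unit "$SAMPLE_SS"      # systemd-resolved.service
```

When conflicting_unit names systemd-resolved.service, the stop/disable commands from the step above (or DNSStubListener=no in /etc/systemd/resolved.conf) are the fix; if it names anything else, such as dnsmasq or another resolver, stop that service instead rather than removing systemd-resolved for nothing.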

Now, secure the recursive resolver so that it only answers recursive queries from your own networks. With interface: 0.0.0.0 it listens on every address, and a resolver that answers anyone on the Internet is an open resolver that can be abused for DNS reflection and amplification attacks.


  15. Add an access-control list (ACL) so that only your networks can use the recursive server.

cd /etc/unbound/unbound.conf.d
sudo vi 02-acl.conf

server:
    access-control: 127.0.0.0/8 allow

Note that unbound already allows 127.0.0.0/8 and ::1 and refuses everything else by default, so the line above only restates the default; add one access-control line with the allow action for each of your own prefixes. Check your server's interface addresses and the workshop guide to find your internal networks, then run unbound-checkconf and restart unbound again.
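The ACL above only restates unbound's default (loopback allowed, everything else refused). As an added example that is not part of the workshop page, the script below renders a complete 02-acl.conf from a list of prefixes with the refuse-all default made explicit, refuses to emit a catch-all allow that would turn the server into an open resolver, and audits an existing config file for the same mistake. The prefixes 192.0.2.0/24, 198.51.100.0/24 and 2001:db8::/32 are documentation ranges used here as placeholders; substitute the networks you found from your server's interfaces.

```shell
#!/usr/bin/env bash
# Generate and audit an unbound access-control drop-in.

# Return 0 if the prefix matches the whole Internet (any spelling unbound accepts).
is_catch_all() {
    case "$1" in
        0.0.0.0/0|::/0|::0/0|0::/0) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a complete server: clause: explicit refuse-all, loopback, then the given
# prefixes allowed. unbound picks the most specific match, so order is irrelevant.
# Returns 1 without printing anything if a catch-all prefix was passed.
render_acl_conf() {
    for p in "$@"; do
        if is_catch_all "$p"; then
            echo "refusing to allow $p: that would make an open resolver" >&2
            return 1
        fi
    done
    echo "server:"
    echo "    access-control: 0.0.0.0/0 refuse"
    echo "    access-control: ::0/0 refuse"
    echo "    access-control: 127.0.0.0/8 allow"
    echo "    access-control: ::1 allow"
    for p in "$@"; do
        echo "    access-control: $p allow"
    done
}

# Audit a config file: return 1 if any allow* action is granted to a catch-all
# prefix. Comments are stripped first so a trailing "# ..." cannot hide a rule.
audit_open_resolver() {
    sed 's/#.*//' "$1" | awk '
        BEGIN { bad = 0 }
        $1 == "access-control:" && $3 ~ /^allow/ &&
            ($2 == "0.0.0.0/0" || $2 == "::/0" || $2 == "::0/0" || $2 == "0::/0") { bad = 1 }
        END { exit bad }'
}

# Demonstration on placeholder prefixes; writes to a temp dir, no root needed.
tmp=$(mktemp -d)
render_acl_conf 192.0.2.0/24 2001:db8::/32 > "$tmp/02-acl.conf"
audit_open_resolver "$tmp/02-acl.conf" && echo "02-acl.conf: not an open resolver"
# Syntax check with unbound's own tool when it is installed.
if command -v unbound-checkconf >/dev/null 2>&1; then
    unbound-checkconf "$tmp/02-acl.conf" || echo "unbound-checkconf rejected the file" >&2
fi
rm -rf "$tmp"
```

To install the result, redirect render_acl_conf into /etc/unbound/unbound.conf.d/02-acl.conf with sudo, then run unbound-checkconf and restart unbound as in the earlier steps. The audit function is also worth running over every file in unbound.conf.d, since a later drop-in can widen the ACL without touching 02-acl.conf.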


  16. Check whether your recursive server validates DNSSEC. The Debian/Ubuntu package ships a drop-in that enables the root trust anchor, so validation should already be on.

dig @localhost apnic.net +dnssec

In the reply, look for the ad (Authenticated Data) flag in the ;; flags: line and for RRSIG records in the answer section, which +dnssec asks for. The ad flag means unbound verified the signature chain from the root down to the answer; a SERVFAIL for a signed zone means validation failed.
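To read the result of the dig test above without scanning by eye, here is an added example (not from the workshop) that classifies dig output: a validating unbound sets the ad flag when the signature chain verifies, answers without ad when the zone is unsigned, and returns SERVFAIL when a signature is bogus. The three SAMPLE_* strings are constructed dig header fragments; check_live runs a real query against the resolver and name you pass (the defaults 127.0.0.1 and apnic.net are assumptions taken from the workshop's own command).

```shell
#!/usr/bin/env bash
# Classify DNSSEC validation results from dig output.
# Constructed dig headers, same shape as `dig @localhost apnic.net +dnssec` prints.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Extract the rcode (NOERROR, SERVFAIL, NXDOMAIN, ...) from the HEADER line.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Return 0 only if the flags line carries the ad (Authenticated Data) flag.
dig_has_ad() {
    printf '%s\n' "$1" | grep -q '^;; flags:.* ad[ ;]'
}

# secure        : NOERROR with ad, the resolver validated the answer
# insecure      : NOERROR without ad, answer returned but not validated (unsigned zone,
#                 or a resolver that is not validating at all)
# bogus_or_error: anything else, e.g. SERVFAIL which a validating resolver returns
#                 when the signatures fail to verify
classify_dig() {
    status=$(dig_status "$1")
    if [ "$status" != "NOERROR" ]; then
        echo "bogus_or_error:$status"
    elif dig_has_ad "$1"; then
        echo secure
    else
        echo insecure
    fi
}

# Live check against a resolver; only runs when called and when dig is installed,
# so the file itself stays runnable offline. Defaults are assumptions.
check_live() {
    resolver=${1:-127.0.0.1}
    name=${2:-apnic.net}
    command -v dig >/dev/null 2>&1 || { echo "dig not installed" >&2; return 2; }
    classify_dig "$(dig @"$resolver" "$name" +dnssec)"
}

# Demonstration on the constructed samples.
classify_dig "$SAMPLE_VALIDATED"     # secure
classify_dig "$SAMPLE_UNVALIDATED"   # insecure
classify_dig "$SAMPLE_BOGUS"         # bogus_or_error:SERVFAIL
```

A negative test matters as much as the positive one: a resolver that never validates also answers signed zones with NOERROR, just without ad. Query a zone whose signatures are deliberately broken, such as dnssec-failed.org, and expect bogus_or_error:SERVFAIL from check_live; a NOERROR there means the trust anchor is not being used.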