Beyond Linux® From Scratch (System V Edition) - Version 11.2

Chapter 23. Other Server Software

Unbound-1.16.2

Introduction to Unbound

Unbound is a validating, recursive, and caching DNS resolver. It is designed as a set of modular components that incorporate modern features, such as enhanced security (DNSSEC) validation, Internet Protocol Version 6 (IPv6), and a client resolver library API as an integral part of the architecture.

This package is known to build and work properly using an LFS-11.2 platform.

Package Information

  • Download (HTTP): https://nlnetlabs.nl/downloads/unbound/unbound-1.16.2.tar.gz

  • Download MD5 sum: 974cbd17e2e2373f36bfce0ad5b1d4a1

  • Download size: 5.9 MB

  • Estimated disk space required: 170 MB (with docs; add 10 MB for tests)

  • Estimated build time: 0.5 SBU (Using parallelism=4; with docs; add 0.3 SBU for tests)

Unbound Dependencies

Optional

libevent-2.1.12, Nettle-3.8.1, Python-2.7.18, SWIG-4.0.2 (for Python bindings), Doxygen-1.9.4 (for html documentation), dnstap, and Sphinx (for Python bindings documentation)

User Notes: https://wiki.linuxfromscratch.org/blfs/wiki/unbound

Installation of Unbound

There should be a dedicated user and group to take control of the unbound daemon after it is started. Issue the following commands as the root user: 

groupadd -g 88 unbound &&
useradd -c "Unbound DNS Resolver" -d /var/lib/unbound -u 88 \
        -g unbound -s /bin/false unbound

Install Unbound by running the following commands: 

./configure --prefix=/usr     \
            --sysconfdir=/etc \
            --disable-static  \
            --with-pidfile=/run/unbound.pid &&
make

If you have Doxygen-1.9.4 package installed and want to build html documentation, run the following command: 

make doc

To test the results, issue make check.

Now, as the root user: 

make install &&
mv -v /usr/sbin/unbound-host /usr/bin/

If you built the documentation, install it by running the following commands as the root user: 

install -v -m755 -d /usr/share/doc/unbound-1.16.2 &&
install -v -m644 doc/html/* /usr/share/doc/unbound-1.16.2

Command Explanations

--disable-static: This switch prevents installation of static versions of the libraries.

--with-libevent: This option enables libevent support allowing use of large outgoing port ranges.

--with-pyunbound: This option enables building of the Python bindings.

Configuring Unbound

Config Files

/etc/unbound/unbound.conf

Configuration Information

In the default configuration, unbound will bind to localhost (127.0.0.1 IP address) and allow recursive queries only from localhost clients. If you want to use unbound for local DNS resolution, run the following command as the root user: 

echo "nameserver 127.0.0.1" > /etc/resolv.conf

If you are using a DHCP client for connecting to a network, /etc/resolv.conf gets overwritten with values provided by DHCP server. You can override this, for example in DHCP-4.4.3, by running the following command as the root user: 

sed -i '/request /i\supersede domain-name-servers 127.0.0.1;' \
       /etc/dhcp/dhclient.conf

For advanced configuration see /etc/unbound/unbound.conf file and the documentation.

When Unbound is installed, some package builds fail if the file /etc/unbound/root.key is not found. This file is created by running the boot script (install instructions below). Alternatively, it can be created by running the following command as the root user: 

unbound-anchor

Boot Script

If you want the Unbound server to start automatically when the system is booted, install the /etc/rc.d/init.d/unbound init script included in the blfs-bootscripts-20220722 package: 

make install-unbound

Contents

Installed Programs: unbound, unbound-anchor, unbound-checkconf, unbound-control, unbound-control-setup, and unbound-host
Installed Library: libunbound.so and (optional) /usr/lib/python2.7/site-packages/_unbound.so
Installed Directories: /etc/unbound and /usr/share/doc/unbound-1.16.2 (optional)

Short Descriptions

unbound

is a DNS resolver daemon

unbound-anchor

performs setup or update of the root trust anchor for DNSSEC validation

unbound-checkconf

checks the unbound configuration file for syntax and other errors

unbound-control

performs remote administration on the unbound DNS resolver

unbound-control-setup

generates a self-signed certificate and private keys for the server and client

unbound-host

is a DNS lookup utility similar to host from BIND Utilities-9.18.6

libunbound.so

provides the Unbound API functions to programs