DrKK's Guide on DNS -- What It Is, and How to Install Your Own DNS Server on FreeNAS/BSD

Status
Not open for further replies.

Atomic

Contributor
Joined
Oct 20, 2012
Messages
160
Everything works now. THX
 

maglin

Patron
Joined
Jun 20, 2015
Messages
299
BIND has been removed in FreeBSD 10 so the dig command doesn't work. It's now the drill command for anyone interested. I'm working on trying to set up my unbound server and it's taking me some time.
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
BIND has been removed in FreeBSD 10 so the dig command doesn't work. It's now the drill command for anyone interested. I'm working on trying to set up my unbound server and it's taking me some time.
That is correct.

This is also relevant to FreeNAS 9.10 which is based on FreeBSD 10.

Thanks for the note. "dig" has indeed been replaced by "drill".
 

maglin

Patron
Joined
Jun 20, 2015
Messages
299
A few things to put here as I have a question or two.
1. My unbound server works as per your config, but unbound-control does not.
I kept getting SSL errors in /var/unbound/, which isn't the directory it was installed in. I linked the files from /usr/local/etc/unbound/ but then I got a "too many link levels" error. I tried chroot in the config and even putting absolute paths to the cert files at the end of the unbound.conf file. None of that worked. So I copied all the files from /usr/local/etc/unbound/ to /var/unbound/ and now I can use unbound-control, but if I make any changes to either the .conf file or grab new certs I have to recopy them to the /var/unbound/ dir.

2. When the jail is restarted unbound doesn't start, even though it's in the rc.conf file. Nothing shows in the unbound.log as to it even trying to start.

Update, kind of: I wanted to ensure I had DNSSEC working. Here is what I had to do; it was easy, but I still have the issue above that the geek inside of me worries about. I got this information from https://www.unbound.net/documentation/howto_anchor.html. DNSSEC can be tested at http://www.dnssec.cz/ and http://dnssec.vs.uni-due.de/. http://dnssectest.sidnlabs.nl/test.php shows a fail because DNSSEC is configured in "permissive mode", which I currently don't understand.

in the jail CLI:
Code:
# unbound-anchor -a root.key

followed by one addition to the /usr/local/etc/unbound/unbound.conf
Code:
server:
    # ... other stuff

    # root key file, automatically updated
    auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"


Here is the /usr/local/etc/unbound/unbound.conf file that I kept adding to. I went back to the original config in post 1 from DrKK and eventually got unbound-control to work, but not neatly.
Code:
## DrKK's Simple recursive caching DNS pool
##
## Conservative system resource usage for ZFS/FreeNAS environment.
## ***NOT*** appropriate for a heavily loaded environment!
##
## This uses settings that are pretty minimal---i.e., I expect
## this keeps the memory footprint low, while generally offering
## full performance for the typical home/small business user.  These
## settings would be ridiculous for a large enterprise.
#
## DrKK can be found on the #FreeNAS irc channel, or in the forums
## at http://forums.freenas.org/
#
## The DNS forwarders listed below work well for me.  DO YOUR RESEARCH.
#
server:
#  chroot: "/usr/local/etc/unbound"
  interface: 0.0.0.0
  # interface: 127.0.0.1
# The following line assumes your LAN is on the usual 192.168.x.x network.  Change
# this setting if necessary.
  # access-control: 10.0.0.0/8 allow
  # access-control: 127.0.0.0/8 allow
  # access-control: 192.168.0.0/16 allow
  # access-control: 192.168.1.0/16 allow
  access-control: 192.168.1.0/24 allow
  verbosity: 1
  statistics-interval: 3600
  statistics-cumulative: yes
#  outgoing-range: 800
  outgoing-range: 256
  num-threads: 1
  msg-cache-size: 1m
  msg-cache-slabs: 1
  num-queries-per-thread: 128
  rrset-cache-size: 2m
  rrset-cache-slabs: 1
  infra-cache-numhosts: 16
  infra-cache-slabs: 1
  do-ip4: yes
  do-ip6: no
  do-udp: yes
  do-tcp: no
  logfile: "unbound.log"
  use-syslog: no
  log-time-ascii: yes
  private-address: 10.0.0.0/8
  private-address: 172.16.0.0/12
  private-address: 192.168.1.0/24
  private-address: 169.254.0.0/16
  do-not-query-localhost: yes
  log-queries: no
  identity: "unbound DNS running on FreeNAS"
  target-fetch-policy: "0 0 0 0 0"
  prefetch: yes
  cache-max-ttl: 604800
  module-config: "iterator"


forward-zone:
## This is a good set of resolvers for the eastern US.  Recommend
## that you investigate the best servers for your location.  I recommend
## Steve Gibson's DNSBench: https://www.grc.com/dns/benchmark.htm
  name: "."
  forward-addr: 68.105.29.11
  forward-addr: 68.105.28.12
  forward-addr: 68.105.29.12
  forward-addr: 68.105.28.11
  forward-addr: 68.13.16.30
  forward-addr: 68.13.16.25
  forward-addr: 68.12.16.30
  forward-addr: 68.12.16.25
  forward-addr: 64.94.33.1
  forward-addr: 216.52.129.1
  forward-addr: 64.94.33.33
  forward-addr: 208.67.222.123
  forward-addr: 129.250.35.251
  forward-addr: 74.82.42.42
  forward-addr: 129.250.35.250
  forward-addr: 8.8.8.8
  forward-addr: 204.194.232.200
  forward-addr: 8.8.4.4

# OPTIONAL REMOTE CONTROL SETTINGS (comment out if desired)
# You must run unbound-control-setup before unbound-control can be used.
remote-control:
  control-enable: yes
  control-interface: 0.0.0.0
  server-key-file: /usr/local/etc/unbound/unbound_server.key
  server-cert-file: /usr/local/etc/unbound/unbound_server.pem
  control-key-file: /usr/local/etc/unbound/unbound_control.key
  control-cert-file: /usr/local/etc/unbound/unbound_control.pem


and the unbound.conf file that I'm using right now.
Code:
## DrKK's Simple recursive caching DNS pool
##
## Conservative system resource usage for ZFS/FreeNAS environment.
## ***NOT*** appropriate for a heavily loaded environment!
##
## This uses settings that are pretty minimal---i.e., I expect
## this keeps the memory footprint low, while generally offering
## full performance for the typical home/small business user.  These
## settings would be ridiculous for a large enterprise.
#
## DrKK can be found on the #FreeNAS irc channel, or in the forums
## at http://forums.freenas.org/
#
## The DNS forwarders listed below work well for me.  DO YOUR RESEARCH.
#
server:
  interface: 0.0.0.0
# The following line assumes your LAN is on the usual 192.168.x.x network.  Change
# this setting if necessary.
  access-control: 192.168.0.0/16 allow
  verbosity: 1
  statistics-interval: 3600
  statistics-cumulative: yes
#  outgoing-range: 800
  outgoing-range: 256
  num-threads: 1
  msg-cache-size: 1m
  msg-cache-slabs: 1
  num-queries-per-thread: 128
  rrset-cache-size: 2m
  rrset-cache-slabs: 1
  infra-cache-numhosts: 16
  infra-cache-slabs: 1
  do-ip4: yes
  do-ip6: no
  do-udp: yes
  do-tcp: no
  logfile: "unbound.log"
  use-syslog: no
  log-time-ascii: yes
  private-address: 10.0.0.0/8
  private-address: 172.16.0.0/12
  private-address: 192.168.0.0/16
  private-address: 169.254.0.0/16
  do-not-query-localhost: yes
  log-queries: no
  identity: "unbound DNS running on FreeNAS"
  target-fetch-policy: "0 0 0 0 0"
  prefetch: yes
  cache-max-ttl: 604800
  module-config: "iterator"


forward-zone:
## This is a good set of resolvers for the eastern US.  Recommend
## that you investigate the best servers for your location.  I recommend
## Steve Gibson's DNSBench: https://www.grc.com/dns/benchmark.htm
  name: "."
  forward-addr: 68.105.29.11
  forward-addr: 68.105.28.12
  forward-addr: 68.105.29.12
  forward-addr: 68.105.28.11
  forward-addr: 68.13.16.30
  forward-addr: 68.13.16.25
  forward-addr: 68.12.16.30
  forward-addr: 68.12.16.25
  forward-addr: 64.94.33.1
  forward-addr: 216.52.129.1
  forward-addr: 64.94.33.33
  forward-addr: 208.67.222.123
  forward-addr: 129.250.35.251
  forward-addr: 74.82.42.42
  forward-addr: 129.250.35.250
  forward-addr: 8.8.8.8
  forward-addr: 204.194.232.200
  forward-addr: 8.8.4.4


# OPTIONAL REMOTE CONTROL SETTINGS (comment out if desired)
# You must run unbound-control-setup before unbound-control can be used.
remote-control:
  control-enable: yes
  control-interface: 0.0.0.0



Maybe someone can see where I messed up and I can do away with the copied files in /var/unbound. Thank you for any help. I'm sure I just missed something easy. I've read the man pages for the unbound.conf and I think I maybe don't understand how some of the arguments work properly.
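An added check, not part of maglin's post or the guide, for the DNSSEC step above. The anchor file alone does nothing: both configs in this post set `module-config: "iterator"`, and unbound only consults trust anchors when the `validator` module is also listed (unbound's built-in default is `"validator iterator"`), so unsigned and badly signed answers are passed through exactly as before, which an online DNSSEC test sees as a non-validating or permissive resolver. The script below reads an unbound.conf and reports whether it will validate; the simplified line parsing and the defaults it assumes are noted in the comments, and the two config fragments it runs against are constructed for the demo, not files from the thread. Once the real resolver is fixed, `drill -D <name> @127.0.0.1` from a client should show the `ad` flag in the answer for a correctly signed name and SERVFAIL for a bogus one.

```shell
#!/bin/sh
# Does this unbound.conf actually validate DNSSEC?  A trust anchor on disk is
# not enough: the "validator" module must be in module-config, or the anchor
# is never consulted and every answer is handed to clients unverified.
# Parsing here is deliberately simple (assumption): first uncommented
# "key: value" line wins, quotes and trailing comments are stripped.

# cfg_line CONFIG KEY -> value of the first "KEY: value" line, empty if absent
cfg_line() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 |
        sed 's/"//g; s/[[:space:]]*#.*$//; s/[[:space:]]*$//'
}

# unbound_validation_status CONFIG
# Prints one line describing the validation state and returns 0 only when the
# config both validates and refuses to hand out bogus answers.
unbound_validation_status() {
    cfg=$1
    modules=$(cfg_line "$cfg" module-config)
    [ -n "$modules" ] || modules="validator iterator"   # unbound's documented default
    anchors=0
    for key in auto-trust-anchor-file trust-anchor-file trust-anchor trusted-keys-file; do
        [ -n "$(cfg_line "$cfg" "$key")" ] && anchors=$((anchors + 1))
    done
    case " $modules " in
        *" validator "*) ;;
        *)  echo "NOT validating: module-config is \"$modules\" (no validator module), trust anchors are ignored"
            return 1 ;;
    esac
    if [ "$anchors" -eq 0 ]; then
        echo "NOT validating: validator loaded but no trust anchor configured"
        return 1
    fi
    if [ "$(cfg_line "$cfg" val-permissive-mode)" = "yes" ]; then
        echo "PERMISSIVE: validator runs but bogus answers are still returned (only the AD bit is withheld)"
        return 1
    fi
    echo "validating: module-config \"$modules\", $anchors trust anchor directive(s)"
    return 0
}

# Demo on two constructed fragments (not the thread's files): the first
# mirrors the posted config, the second is the fix.
d=$(mktemp -d)
cat > "$d/as-posted.conf" <<'EOF'
server:
  auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
  module-config: "iterator"
EOF
cat > "$d/fixed.conf" <<'EOF'
server:
  auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
  module-config: "validator iterator"
  # signed answers are larger; keep TCP on so truncated UDP replies can be retried
  do-tcp: yes
EOF
unbound_validation_status "$d/as-posted.conf"; posted_status=$?   # NOT validating, status 1
unbound_validation_status "$d/fixed.conf";     fixed_status=$?    # validating, status 0
rm -rf "$d"
```

The `do-tcp: yes` line in the fixed fragment is there because the configs in this thread turn TCP off; a validating resolver that cannot fall back to TCP for truncated replies will fail on exactly the signed names it is supposed to verify.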
 

MrUnknownEMC

Explorer
Joined
Feb 20, 2016
Messages
55
Hi, great guide.

I have set up all the DNS settings and it seems to start up correctly. I have changed my router's DNS and seem to be able to resolve websites fine, and it certainly increased browsing speeds. I just wanted to check on unbound, but when I tried to do a command such as "unbound-control stats" the response was "error: could not open /var/unbfound.conf: No such file or directory". Pretty much any command doesn't work via unbound-control.

The only thing I have edited in the config is the forwarding address and access control.

I am pretty sure unbound is working correctly, as I have set it as my only DNS resolver; usually most of my clients' personal websites take a few seconds (5 seconds) to load, but after I have loaded a website for the first time, the next time from different devices it loads instantly.

Have I set up something wrong? I just want to make sure everything is working.
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
Hi, great guide.

I have set up all the DNS settings and it seems to start up correctly. I have changed my router's DNS and seem to be able to resolve websites fine, and it certainly increased browsing speeds. I just wanted to check on unbound, but when I tried to do a command such as "unbound-control stats" the response was "error: could not open /var/unbfound.conf: No such file or directory". Pretty much any command doesn't work via unbound-control.

The only thing I have edited in the config is the forwarding address and access control.

I am pretty sure unbound is working correctly, as I have set it as my only DNS resolver; usually most of my clients' personal websites take a few seconds (5 seconds) to load, but after I have loaded a website for the first time, the next time from different devices it loads instantly.

Have I set up something wrong? I just want to make sure everything is working.
Sir,

Have you run
Code:
unbound-control-setup
in the unbound directory, as per https://www.unbound.net/documentation/unbound-control.html ??
 

MrUnknownEMC

Explorer
Joined
Feb 20, 2016
Messages
55
Sir,

Have you run
Code:
unbound-control-setup
in the unbound directory, as per https://www.unbound.net/documentation/unbound-control.html ??
Oh OK, I have tried that in the directory; it gives me this error after I try to do the dump_cache command

Code:
error: Error setting up SSL_CTX client key and cert
34388867800:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:398:fopen('/var/unbound/unbound_control.pem','r')
34388867800:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:400:
34388867800:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:687:




When I manually look into the log file I can see the log; it's essentially the same thing as from dump_cache. I'm pretty sure I set it up correctly.
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
Oh OK, I have tried that in the directory; it gives me this error after I try to do the dump_cache command

Code:
error: Error setting up SSL_CTX client key and cert
34388867800:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:398:fopen('/var/unbound/unbound_control.pem','r')
34388867800:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:400:
34388867800:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:687:




When I manually look into the log file I can see the log; it's essentially the same thing as from dump_cache. I'm pretty sure I set it up correctly.
So I think what's happening here is that you have a conflict between the now built-in unbound in FreeBSD (it wasn't built in at the time of the guide), and the unbound that you installed from ports.

The easiest thing for you to do is to use the "ln -s" command to set /var/unbound to point to /usr/local/etc/unbound.
(/usr/local/etc/unbound *is* your unbound install directory, yes?)
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
Dear Leader, feel like copying this to the Resources section? If so, just ping me afterwards so I can associate the Resource with this thread.
 

MrUnknownEMC

Explorer
Joined
Feb 20, 2016
Messages
55
So I think what's happening here is that you have a conflict between the now built-in unbound in FreeBSD (it wasn't built in at the time of the guide), and the unbound that you installed from ports.

The easiest thing for you to do is to use the "ln -s" command to set /var/unbound to point to /usr/local/etc/unbound.
(/usr/local/etc/unbound *is* your unbound install directory, yes?)
Yes, /usr/local/etc/unbound is the install directory. What is an example of the command layout?
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
Dear Leader, feel like copying this to the Resources section? If so, just ping me afterwards so I can associate the Resource with this thread.
Eric, what do you need me to do? I have a lot of posts that should probably go in the resources section.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
Eric, what do you need me to do? I have a lot of posts that should probably go in the resources section.
Well, for whatever you feel is appropriate in the Resources section, just create a new Resource and choose the appropriate type (uploaded file, external file, no file - mostly no file). In most cases, you can just copy-paste the OP or whatever into the Resource body. That'll create a new discussion thread, but we just installed a plugin that allows us to set existing threads as the discussion thread, so just ping me when it's done.

Any questions, just ask.
 


trentk10

Explorer
Joined
Jan 7, 2017
Messages
69
Oh OK, I have tried that in the directory; it gives me this error after I try to do the dump_cache command

Code:
error: Error setting up SSL_CTX client key and cert
34388867800:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:398:fopen('/var/unbound/unbound_control.pem','r')
34388867800:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:400:
34388867800:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:687:




When I manually look into the log file I can see the log; it's essentially the same thing as from dump_cache. I'm pretty sure I set it up correctly.


I was getting this as well, so I read through the unbound.conf.example, played around with settings and did some internet searches on the errors until I got it to work, then made those changes to the unbound.conf from the beginning of the thread. I ultimately think adding the "control-use-cert: no" section is what made it work. Not certain, but I am guessing the older version of unbound didn't have this setting available at the time this how-to guide was made.
Code:
# OPTIONAL REMOTE CONTROL SETTINGS (comment out if desired)
# You must run unbound-control-setup before unbound-control can be used.
remote-control:
  control-enable: yes
  control-interface: 0.0.0.0
# Set to no and use an absolute path as control-interface to use
# a unix local named pipe for unbound-control.
  control-use-cert: no
# unbound server key file.
  server-key-file: "/usr/local/etc/unbound/unbound_server.key"
# unbound server certificate file.
  server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"
# unbound-control key file.
  control-key-file: "/usr/local/etc/unbound/unbound_control.key"
# unbound-control certificate file.
  control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"


So I think what's happening here is that you have a conflict between the now built-in unbound in FreeBSD (it wasn't built in at the time of the guide), and the unbound that you installed from ports.

The easiest thing for you to do is to use the "ln -s" command to set /var/unbound to point to /usr/local/etc/unbound.
(/usr/local/etc/unbound *is* your unbound install directory, yes?)

I had to do this part as well, using this as an example:
Code:
ln -s /path/to/file /path/to/symlink

What I actually used on my system:
Code:
ln -s /usr/local/etc/unbound/unbound.conf /var/unbound/unbound.conf

DrKK....thanks for the how to guide !!!!
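An added preflight script, not from the thread, covering the two things that went wrong in this post and in maglin's earlier one. First, the `fopen('/var/unbound/unbound_control.pem')` line in the error shows unbound-control resolving its certificate paths under /var/unbound, which is where the unbound that ships in the FreeBSD 10 base system keeps its config, while the ports build uses /usr/local/etc/unbound. The symlink trentk10 used works, and so does naming the config explicitly when calling the ports binary: `/usr/local/sbin/unbound-control -c /usr/local/etc/unbound/unbound.conf stats`. Second, `control-use-cert: no` together with `control-interface: 0.0.0.0` turns the control port (8953 by default) into an unauthenticated admin interface for every host on the LAN: anyone there can run `unbound-control stop`, flush the cache or dump it. Certificate-less control is documented for localhost and for a unix socket path given as the control-interface, not for a wildcard address. The script's path rule is an assumption simplified from unbound.conf(5), the defaults it fills in are the ones unbound documents, and the configs it runs on are constructed for the demo.

```shell
#!/bin/sh
# Preflight for unbound-control: are the key/cert files where the config says,
# and is the control channel exposed to the network without them?
#
# Path rule implemented here (assumption, simplified from unbound.conf(5)):
# absolute paths are used as-is; relative ones are taken relative to
# "directory:" if set, else "chroot:" if set, else the config file's directory.

# cfg_line CONFIG KEY -> value of the first "KEY: value" line, empty if absent
cfg_line() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 |
        sed 's/"//g; s/[[:space:]]*#.*$//; s/[[:space:]]*$//'
}

# unbound_control_preflight CONFIG -> 0 if nothing needs fixing, 1 otherwise
unbound_control_preflight() {
    cfg=$1 problems=0
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 1; }
    base=$(cfg_line "$cfg" directory)
    [ -n "$base" ] || base=$(cfg_line "$cfg" chroot)
    [ -n "$base" ] || base=$(dirname "$cfg")

    # 1. the four files that unbound-control-setup generates
    for spec in server-key-file=unbound_server.key server-cert-file=unbound_server.pem \
                control-key-file=unbound_control.key control-cert-file=unbound_control.pem; do
        key=${spec%%=*}
        val=$(cfg_line "$cfg" "$key")
        [ -n "$val" ] || val=${spec#*=}              # unbound's default file name
        case $val in /*) path=$val ;; *) path=$base/$val ;; esac
        if [ -f "$path" ]; then echo "ok      $key -> $path"
        else echo "MISSING $key -> $path"; problems=1; fi
    done

    # 2. a control socket on a non-loopback address with certs switched off is an
    #    unauthenticated admin interface for everyone on that network
    iface=$(cfg_line "$cfg" control-interface)
    [ -n "$iface" ] || iface=127.0.0.1               # unbound's default
    usecert=$(cfg_line "$cfg" control-use-cert)
    [ -n "$usecert" ] || usecert=yes                 # unbound's default
    case $iface in
        127.*|::1|/*) echo "ok      control-interface $iface is local" ;;
        *)  if [ "$usecert" = no ]; then
                echo "EXPOSED control-interface $iface with control-use-cert: no"
                problems=1
            else
                echo "note    control-interface $iface is reachable from the network; certs are required"
            fi ;;
    esac
    return $problems
}

# Demo on constructed configs (not files from the thread): the first mirrors
# the remote-control block posted above, the second keeps control on loopback.
d=$(mktemp -d)
touch "$d/unbound_server.key" "$d/unbound_server.pem" "$d/unbound_control.key" "$d/unbound_control.pem"
cat > "$d/unbound.conf" <<EOF
server:
  directory: "$d"
remote-control:
  control-enable: yes
  control-interface: 0.0.0.0
  control-use-cert: no
EOF
cat > "$d/local.conf" <<EOF
server:
  directory: "$d"
remote-control:
  control-enable: yes
  control-interface: 127.0.0.1
EOF
unbound_control_preflight "$d/unbound.conf"; exposed_status=$?   # EXPOSED, status 1
unbound_control_preflight "$d/local.conf";   local_status=$?     # all ok, status 0
rm -rf "$d"
```

Run it against the real file with `unbound_control_preflight /usr/local/etc/unbound/unbound.conf` inside the jail; a MISSING line means unbound-control-setup was run in a different directory from the one the config names, and an EXPOSED line means the control channel should be moved to 127.0.0.1 or a unix socket path, or the certificate files put back in use.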
 

Mike77

Contributor
Joined
Nov 15, 2014
Messages
193
I love this, and am going to try it.

Are there any hardware recommendations (will this run on a raspberry pi?)
 

catnas

Explorer
Joined
Dec 12, 2015
Messages
57
@DrKK I am using
Code:
local-zone: "website" inform_deny

to black hole undesirable sites/ads/etc. However, it is slowing down my DNS fetching before ultimately failing to return an IP address. Is there any way to speed this up?
 