Installing and configuring Unbound DNS Server

yum install unbound  bind-utils -y

Configuration

Do note that these are my configuration examples. My lab setup is a DNS forwarder that forwards requests to 8.8.8.8 and 1.1.1.1 and also forwards requests to other local DNS servers, such as designate in OpenStack.

unbound.conf

No real changes here to the default configuration.

Where the magic happens is in /etc/unbound/conf.d/

conf.d

Here is the file list in my configuration.

[root@dns unbound]# ll 
total 72
drwxr-xr-x. 2 root unbound   101 Apr 11 21:27 conf.d
-rw-r--r--. 1 root root     1261 Aug 12  2022 icannbundle.pem
drwxr-xr-x. 2 root unbound    29 Dec 25 16:35 keys.d
drwxr-xr-x. 2 root unbound    36 Dec 25 16:35 local.d
-rw-r--r--. 1 root root      555 Aug 12  2022 root.key
-rw-r--r--. 1 root root    48576 Dec 25 17:00 unbound.conf
-rw-------. 1 root unbound  2455 Dec 25 16:39 unbound_control.key
-rw-r-----. 1 root unbound  1411 Dec 25 16:39 unbound_control.pem
-rw-------. 1 root unbound  2459 Dec 25 16:39 unbound_server.key
-rw-r-----. 1 root unbound  1549 Dec 25 16:39 unbound_server.pem
[root@dns conf.d]# ll
total 16
-rw-r--r--. 1 root unbound 601 Aug 12  2022 example.com.conf
-rw-r--r--. 1 root root    166 Apr  6 14:49 forwarder.conf
-rw-r--r--. 1 root root    277 Apr 11 21:27 forward-zone.conf
-rw-r--r--. 1 root root    750 Mar 17 08:23 local-zones.conf

A brief explanation of the files in the last listing:

  • forwarder.conf
    • Tells unbound to forward any request it has no more specific zone for (the "." zone) to these DNS servers.
forward-zone:
        name: "."
        forward-addr: 1.1.1.1
        forward-addr: 8.8.8.8
  • forward-zone.conf
    • Tells unbound to forward any requests for osp.cbnode.com. to the OpenStack designate Bind9 DNS server.

Take note of the trailing period after com. It is required.

forward-zone:
        name: "osp.cbnode.com."
        forward-addr: 172.22.60.246@53 #Openstack designate


forward-zone:
        name: "osp.example.com."
        forward-addr: 172.22.60.246@53 #Openstack designate
  • local-zones.conf
    • Tells unbound to “act” as an Authoritative DNS server for these zones.

h.cbnode.com is my internal domain name.

server:
    local-zone: "git.h.cbnode.com" redirect
    local-data: "git.h.cbnode.com A 172.22.20.5"

    local-zone: "api.ocp.ocplab.h.cbnode.com" redirect
    local-data: "api.ocp.ocplab.h.cbnode.com A 172.22.60.182"

    local-zone: "apps.ocp.ocplab.h.cbnode.com" redirect
    local-data: "apps.ocp.ocplab.h.cbnode.com IN A 172.22.60.187"

    local-zone: "gitlab.h.cbnode.com" redirect
    local-data: "gitlab.h.cbnode.com IN A 172.22.30.5"

    local-zone: "node1.h.cbnode.com" redirect
    local-data: "node1.h.cbnode.com A 172.22.60.199"

    local-zone: "node2.h.cbnode.com" redirect
    local-data: "node2.h.cbnode.com A 172.22.60.199"
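As an added example (my own helper, not part of the original post or of unbound), here is a small shell lint to run before restarting the service: it checks that every forward-zone name carries the trailing dot noted above and that every local-data owner name has a matching local-zone line. The sample snippets and the paths under $WORK are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the original post: lint conf.d snippets before a restart.
# Check 1: every forward-zone "name:" must end with the required trailing dot.
# Check 2: every local-data owner name must have a local-zone line (a copy/paste
# slip there leaves a record that is never served under a redirect zone).
# WORK and the sample files below are constructed for this demo.

# Return 0 if every "name:" in a forward-zone file ends with a dot, else 1.
check_forward_zone_names() {
    bad=$(sed 's/#.*//' "$1" | awk '$1=="name:" { v=$2; gsub(/"/,"",v); if (v !~ /\.$/) print v }')
    [ -z "$bad" ] && return 0
    printf '%s: forward-zone name missing trailing dot: %s\n' "$1" "$bad" >&2
    return 1
}

# Return 0 if each local-data owner name has a local-zone entry, else 1.
check_local_data_zones() {
    bad=$(sed 's/#.*//' "$1" | awk '
        $1=="local-zone:" { z=$2; gsub(/"/,"",z); zones[z]=1 }
        $1=="local-data:" { d=$2; gsub(/"/,"",d); data[d]=1 }
        END { for (d in data) if (!(d in zones)) print d }')
    [ -z "$bad" ] && return 0
    printf '%s: local-data without a matching local-zone: %s\n' "$1" "$bad" >&2
    return 1
}

# Constructed sample snippets, modelled on the files shown in this post.
WORK=$(mktemp -d)
GOOD_FZ="$WORK/forward-zone.conf"; BAD_FZ="$WORK/forward-zone-bad.conf"
printf 'forward-zone:\n    name: "osp.cbnode.com."\n    forward-addr: 172.22.60.246@53 #Openstack designate\n' > "$GOOD_FZ"
printf 'forward-zone:\n    name: "osp.cbnode.com"\n    forward-addr: 172.22.60.246@53\n' > "$BAD_FZ"
GOOD_LZ="$WORK/local-zones.conf"; BAD_LZ="$WORK/local-zones-bad.conf"
printf 'server:\n    local-zone: "git.h.cbnode.com" redirect\n    local-data: "git.h.cbnode.com A 172.22.20.5"\n' > "$GOOD_LZ"
printf 'server:\n    local-zone: "git.h.cbnode.com" redirect\n    local-data: "gitlab.h.cbnode.com A 172.22.30.5"\n' > "$BAD_LZ"

for f in "$GOOD_FZ" "$BAD_FZ"; do
    check_forward_zone_names "$f" && echo "OK  $f"
done
for f in "$GOOD_LZ" "$BAD_LZ"; do
    check_local_data_zones "$f" && echo "OK  $f"
done

# When unbound is installed, let its own parser have the final say on /etc/unbound.
if command -v unbound-checkconf >/dev/null 2>&1; then
    unbound-checkconf || echo "unbound-checkconf reported errors" >&2
fi
```

The two "bad" files are expected to fail; the lint only reports, it never edits the files.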

Service

To enable and start the unbound service, run this.

systemctl enable --now unbound

To reload any changes to the unbound configuration files in /etc/unbound, restart the service.

systemctl restart unbound

That’s it!