This tutorial by user Chad Milios (DigitalOcean) shows us how to get Unbound (caching DNS resolver) set up on FreeBSD 10.1. DigitalOcean is a cloud infrastructure that offers many open source platforms, including FreeBSD.
The system of domain name servers (DNS) is a global hierarchy of databases dedicated to the simple but essential task of looking up host names like www.digitalocean.com and turning them into one or more IP addresses. Whenever an email is sent or a connection to a host is initiated by its name, the DNS system is used. You can read this introduction to the DNS system for more information.
Such an essential and fundamental component of Internet infrastructure gets a lot of use. It is not uncommon for a busy system to make hundreds of name lookups per second or more. If the services running on your server do much work at all behind the scenes, both security and performance are likely to benefit from verifying and caching, within your own systems, the name lookups those services perform to conduct their operations.
In this tutorial, you will learn how to set up a FreeBSD server to remember all DNS lookups in a system-wide cache. Information will automatically expire from this cache, honoring each looked-up domain’s individual policy for rechecking.
In order to follow this tutorial, you will need:
- One FreeBSD 10.1 Droplet
Step 1 — Enabling Unbound
FreeBSD 10.1 includes the verifying (DNSSEC-validating) caching resolver Unbound (version 1.4.22) as part of the base system.
Once you are logged into your server via SSH, enabling FreeBSD’s included resolver is as simple as issuing the following command:
- sudo sysrc local_unbound_enable=YES
Your Droplet is now configured to start Unbound at the next system reboot.
Step 2 — Starting Unbound
You can fire up the resolver immediately without performing a full system restart.
To start the resolver:
- sudo service local_unbound start
If Unbound starts successfully you should see output similar to the following:

Output
Performing initial setup.
Extracting forwarders from /etc/resolv.conf.
/var/unbound/forward.conf created
/var/unbound/lan-zones.conf created
/var/unbound/unbound.conf created
/etc/resolvconf.conf created
original /etc/resolv.conf saved as /etc/resolv.conf.20150812.184225
Starting local_unbound.
You are now running the Unbound verifying caching name resolver. Any and all of the services you may already be running should now pick up and use the new resolver right away for servicing and caching their name lookups.
Step 3 — Preserving This Setup Through Droplet Restoration
Actions like restoring a backup image or using a snapshot image as the basis for a new Droplet would normally clobber the configuration we’ve done so far. We can solve this issue by ensuring that a certain file, /etc/resolv.conf, is correct automatically at every system startup.
Copy the file as it currently exists to a backup file with this command:
- sudo cp /etc/resolv.conf /etc/resolv.conf.use_local
/etc/rc.local contains commands your server will run at each startup. You will now need to add a single line to this file, so open it for editing using ee or your favorite text editor.
- sudo ee /etc/rc.local
Add the following line to the bottom of the file.

Line to add to /etc/rc.local
if service local_unbound onestatus; then cp /etc/resolv.conf.use_local /etc/resolv.conf; fi
This enacts an automatic repair of our configuration. Save and close the file.
That’s it! Your system will now reenable Unbound at every startup even if the system is restored to an entirely new Droplet.
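As an added example (not part of the original tutorial), here is a stricter form of the rc.local repair: it copies the saved file only when /etc/resolv.conf has stopped pointing at the local resolver, and it refuses to install a saved copy that itself points somewhere else. The function names and the checks are my own; the file paths are the tutorial's.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. A stricter form of the
# /etc/rc.local repair: copy the saved resolv.conf only when the live one no
# longer points at the local resolver, and never install a saved copy that
# itself points somewhere else. Function names are my own; paths are the
# tutorial's.

# Return 0 if every nameserver in the given resolv.conf is the local resolver
# (127.0.0.1 or ::1); return 1 if the file is missing, has no nameserver
# lines, or lists any other address.
resolv_uses_local() {
    file="$1"
    [ -r "$file" ] || return 1
    # awk skips comments and blank lines: only "nameserver ADDR" lines match.
    ns=$(awk '$1 == "nameserver" { print $2 }' "$file")
    [ -n "$ns" ] || return 1
    for addr in $ns; do
        case "$addr" in
            127.0.0.1|::1) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# repair_resolv_conf SAVED TARGET
# Prints "ok" if TARGET already uses the local resolver, or "repaired" after
# copying SAVED over it. Returns 1 (and copies nothing) if SAVED does not
# itself point at the local resolver, so a bad backup is never installed.
repair_resolv_conf() {
    saved="$1"
    target="$2"
    resolv_uses_local "$saved" || return 1
    if resolv_uses_local "$target"; then
        echo ok
    else
        cp "$saved" "$target" && echo repaired
    fi
}

# In /etc/rc.local, in place of the tutorial's one-liner (assumes the two
# functions above are defined earlier in the same file):
#   if service local_unbound onestatus; then
#       repair_resolv_conf /etc/resolv.conf.use_local /etc/resolv.conf
#   fi
```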
In this tutorial you learned how to cache host name and domain name lookups on your system and why you might want to do so. You can learn more about FreeBSD’s caching resolver at the homepage for the Unbound project.