Configuring local_unbound in FreeBSD 11

Posted on September 9, 2017

Not to be confused with the dns/unbound port: local_unbound is the copy of unbound that ships in the FreeBSD base system, installed as local-unbound(8) with its configuration under /var/unbound and its own rc script.

Why local_unbound?

  1. I’m starting to use FreeBSD and OpenBSD more frequently, both for server stuff and to experience desktop life outside of the Linux-Windows-OSX trifecta. And I just want to know more about the system I’m using.
  2. I want to cache results from DNS queries to improve home LAN performance and reliability.
  3. I want greater visibility into query validation.
  4. I want to experiment more with DNSSEC.
  5. I want to use free resolvers (think OpenDNS) without being a prick about it.

I have a spare Dell Inspiron Micro I’ll eventually use for unbound some time later, but for now we’ll just play with FreeBSD’s built in offering.

Setup

This is simple, but surprisingly no one has put all the steps in one place yet. That, and simply enabling local_unbound during installation (the installer has offered it since 10.3) left me in a state where I couldn't resolve any hosts. A couple of assumptions:

  1. You're configured only for IPv4. I haven't gotten around to messing with IPv6 in FreeBSD yet.
  2. You're taking your address via DHCP.
  3. You skipped setting up local_unbound during installation. If you didn't, then pretty much the only difference is that your output won't match. Nothing serious, just don't be surprised if you don't see the things I'm reporting.

Here's what I did to get it into working condition:

$ su -
$ sysrc local_unbound_enable=YES
$ service local_unbound onerestart
/var/unbound/lan-zones.conf not modified
/var/unbound/control.conf not modified
/var/unbound/unbound.conf not modified
Stopping local_unbound.
Starting local_unbound.
Waiting for nameserver to start... good
/etc/resolvconf.conf not modified
/etc/resolv.conf not modified

This is the weird part. I typically take DNS from my most immediate router, let's call it 10.0.40.1. However, leaving local_unbound to operate off this forward address alone left me unable to resolve any names.

The likely cause: local_unbound validates DNSSEC out of the box (the generated /var/unbound/unbound.conf carries auto-trust-anchor-file: /var/unbound/root.key), and the DNS forwarder built into a typical consumer router often strips RRSIG records or mishandles EDNS0. A validating unbound then treats every answer under a signed zone (which, starting at the root, is nearly everything) as bogus and returns SERVFAIL, so the symptom is total resolution failure rather than a few broken names.

$ ping google.com
ping: cannot resolve google.com: Host name lookup failure

I had to add public resolver IPs to get this to work. Two caveats with the resulting list: unbound does not try forward-addr entries in order but treats them as a pool and picks by measured round-trip time, so the router is not "preferred" by being first; and every query now leaves the LAN for whichever of the router, Google or OpenDNS wins that selection, which is a privacy trade-off to make consciously. Since validation happens locally, the forwarders only need to pass DNSSEC records through; they do not have to be trusted for integrity.

$ local-unbound-setup \
    10.0.40.1 \
    8.8.8.8 8.8.4.4 \
    208.67.222.222 208.67.220.220
$ service local_unbound restart

Your config should look like this now:

$ cat /var/unbound/forward.conf
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
forward-zone:
	name: .
	forward-addr: 10.0.40.1
	forward-addr: 8.8.8.8
	forward-addr: 8.8.4.4
	forward-addr: 208.67.222.222
	forward-addr: 208.67.220.220

$ cat /etc/resolvconf.conf
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
resolv_conf="/dev/null" # prevent updating /etc/resolv.conf
# Static DNS configuration

$ cat /etc/resolv.conf
# Generated by resolvconf
# nameserver 10.0.40.1
options edns0
nameserver 127.0.0.1

And of course, you should get what you came here for:
# local
$ getent hosts ticonderoga.local
fe80::1816:e3d3:6f48:e5f6  ticonderoga.local
10.0.40.101       ticonderoga.local

# world
$ getent hosts google.com
2607:f8b0:4006:801::200e  google.com
172.217.9.238     google.com
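The check I wish I had run before adding forwarders, written here as an added example rather than anything from the original post or from FreeBSD's own local_unbound scripts: it queries each forwarder directly with the DO bit set (drill -D, drill being in the base system) and reports whether RRSIG records come back, then asks local_unbound itself and looks for the ad flag. The forwarder list is the one from this post; the root-zone SOA is used as the signed test record because the root is always signed. The sample drill outputs embedded at the top are constructed, not captured from a real host, so the parsing functions can be exercised offline.

```shell
#!/bin/sh
# check-local-unbound.sh: added example for this post, not part of the
# original article or of FreeBSD's local_unbound scripts. Parses drill(1)
# output to tell whether a server hands back DNSSEC records and, with --run,
# probes each forwarder plus the local resolver over the network.

# Forwarder list from the post (assumption: yours will differ).
FORWARDERS="10.0.40.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220"

# Constructed sample replies in drill's text format (not real captures),
# so the parsing functions below can be checked without a network.
SAMPLE_PASS=';; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 1
;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;; .  IN  SOA

;; ANSWER SECTION:
.  86400  IN  SOA  a.root-servers.net. nstld.verisign-grs.com. 2017090901 1800 900 604800 86400
.  86400  IN  RRSIG  SOA 8 0 86400 20170922050000 20170909040000 15768 . dGVzdA==

;; AUTHORITY SECTION:
'
SAMPLE_STRIPPED=';; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 2
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; .  IN  SOA

;; ANSWER SECTION:
.  86400  IN  SOA  a.root-servers.net. nstld.verisign-grs.com. 2017090901 1800 900 604800 86400

;; AUTHORITY SECTION:
'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 3
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; .  IN  SOA
'

# dnssec_passthrough OUTPUT: succeed (0) when the reply is NOERROR and its
# ANSWER section holds at least one RRSIG, i.e. the server forwarded the
# signatures a validating unbound needs. A forwarder that drops them makes
# local_unbound treat signed answers as bogus and return SERVFAIL.
dnssec_passthrough() {
    printf '%s\n' "$1" | grep -q 'rcode: NOERROR' || return 1
    printf '%s\n' "$1" | awk '
        /^;; ANSWER SECTION:/      { in_answer = 1; next }
        /^;; /                     { in_answer = 0 }
        in_answer && $4 == "RRSIG" { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# validated_ad OUTPUT: succeed (0) when the responding resolver set the AD
# (authenticated data) flag, meaning it validated the answer itself.
validated_ad() {
    printf '%s\n' "$1" | grep -q '^;; flags:.* ad '
}

# probe SERVER: ask SERVER directly, DO bit set, for the root SOA.
probe() {
    out=$(drill -D . @"$1" SOA 2>&1) || out="rcode: SERVFAIL (drill failed)"
    dnssec_passthrough "$out"
}

run_checks() {
    grep -q '^nameserver 127.0.0.1' /etc/resolv.conf ||
        echo "warning: /etc/resolv.conf does not point at local_unbound"
    for fw in $FORWARDERS; do
        if probe "$fw"; then
            echo "$fw: passes DNSSEC records"
        else
            echo "$fw: no DNSSEC records (or no answer); unbound will SERVFAIL through it"
        fi
    done
    local_out=$(drill -D . @127.0.0.1 SOA 2>&1) || local_out=""
    if validated_ad "$local_out"; then
        echo "127.0.0.1: local_unbound validates (ad flag set)"
    else
        echo "127.0.0.1: no ad flag, validation is off or failing"
    fi
}

# Only touch the network when asked: sh check-local-unbound.sh --run
if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

Run it as `sh check-local-unbound.sh --run` on the FreeBSD box after the setup above. A forwarder reported as "no DNSSEC records" is one that local_unbound cannot validate through; if the router shows up that way and the public resolvers do not, that explains the failure described in the weird part, and you can drop the router from the local-unbound-setup argument list rather than leave it in the pool.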