A few things to put here as I have a question or two.
1. My unbound server works as per your config, but unbound-control does not.
I kept getting SSL errors in /var/unbound/, which isn't the directory it was installed in. I linked the files from /usr/local/etc/unbound/, but then I got a "too many link levels" error. I tried chroot in the config and even putting absolute paths to the cert files at the end of the unbound.conf file. None of that worked. So I copied all the files from /usr/local/etc/unbound/ to /var/unbound/, and now I can use unbound-control, but if I make any changes to either the .conf file or grab new certs I have to recopy them to the /var/unbound/ dir.
2. When the jail is restarted, unbound doesn't start even though it's in the rc.conf file. Nothing shows in the unbound.log as to it even trying to start.
Update, kind of: I wanted to ensure I had DNSSEC working. Here is what I had to do, and it was easy, but I still have the issue above that the geek inside of me worries about. I got this information from
https://www.unbound.net/documentation/howto_anchor.html. DNSSEC can be tested at
http://www.dnssec.cz/ and
http://dnssec.vs.uni-due.de/.
http://dnssectest.sidnlabs.nl/test.php shows a fail because DNSSEC is configured in "permissive mode", which I currently don't understand.
In the jail CLI:
Code:
# unbound-anchor -a root.key
followed by one addition to the /usr/local/etc/unbound/unbound.conf
Code:
server:
# ... other stuff
# root key file, automatically updated
auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
Here is the /usr/local/etc/unbound/unbound.conf file that I kept adding to. I went back to the original config in post 1 from DrKK and eventually got unbound-control to work, but not neatly.
Code:
## DrKK's Simple recursive caching DNS pool
##
## Conservative system resource usage for ZFS/FreeNAS environment.
## ***NOT*** appropriate for a heavily loaded environment!
##
## This uses settings that are pretty minimal---i.e., I expect
## this keeps the memory footprint low, while generally offering
## full performance for the typical home/small business user. These
## settings would be ridiculous for a large enterprise.
#
## DrKK can be found on the #FreeNAS irc channel, or in the forums
## at http://forums.freenas.org/
#
## The DNS forwarders listed below work well for me. DO YOUR RESEARCH.
#
server:
# chroot: "/usr/local/etc/unbound"
interface: 0.0.0.0
# interface: 127.0.0.1
# The following line assumes your LAN is on the usual 192.168.x.x network. Change
# this setting if necessary.
# access-control: 10.0.0.0/8 allow
# access-control: 127.0.0.0/8 allow
# access-control: 192.168.0.0/16 allow
# access-control: 192.168.1.0/16 allow
access-control: 192.168.1.0/24 allow
verbosity: 1
statistics-interval: 3600
statistics-cumulative: yes
# outgoing-range: 800
outgoing-range: 256
num-threads: 1
msg-cache-size: 1m
msg-cache-slabs: 1
num-queries-per-thread: 128
rrset-cache-size: 2m
rrset-cache-slabs: 1
infra-cache-numhosts: 16
infra-cache-slabs: 1
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: no
logfile: "unbound.log"
use-syslog: no
log-time-ascii: yes
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.1.0/24
private-address: 169.254.0.0/16
do-not-query-localhost: yes
log-queries: no
identity: "unbound DNS running on FreeNAS"
target-fetch-policy: "0 0 0 0 0"
prefetch: yes
cache-max-ttl: 604800
module-config: "iterator"
forward-zone:
## This is a good set of resolvers for the eastern US. Recommend
## that you investigate the best servers for your location. I recommend
## Steve Gibson's DNSBench: https://www.grc.com/dns/benchmark.htm
name: "."
forward-addr: 68.105.29.11
forward-addr: 68.105.28.12
forward-addr: 68.105.29.12
forward-addr: 68.105.28.11
forward-addr: 68.13.16.30
forward-addr: 68.13.16.25
forward-addr: 68.12.16.30
forward-addr: 68.12.16.25
forward-addr: 64.94.33.1
forward-addr: 216.52.129.1
forward-addr: 64.94.33.33
forward-addr: 208.67.222.123
forward-addr: 129.250.35.251
forward-addr: 74.82.42.42
forward-addr: 129.250.35.250
forward-addr: 8.8.8.8
forward-addr: 204.194.232.200
forward-addr: 8.8.4.4
# OPTIONAL REMOTE CONTROL SETTINGS (comment out if desired)
# You must run unbound-control-setup before unbound-control can be used.
remote-control:
control-enable: yes
control-interface: 0.0.0.0
server-key-file: /usr/local/etc/unbound/unbound_server.key
server-cert-file: /usr/local/etc/unbound/unbound_server.pem
control-key-file: /usr/local/etc/unbound/unbound_control.key
control-cert-file: /usr/local/etc/unbound/unbound_control.pem
and the unbound.conf file that I'm using right now.
Code:
## DrKK's Simple recursive caching DNS pool
##
## Conservative system resource usage for ZFS/FreeNAS environment.
## ***NOT*** appropriate for a heavily loaded environment!
##
## This uses settings that are pretty minimal---i.e., I expect
## this keeps the memory footprint low, while generally offering
## full performance for the typical home/small business user. These
## settings would be ridiculous for a large enterprise.
#
## DrKK can be found on the #FreeNAS irc channel, or in the forums
## at http://forums.freenas.org/
#
## The DNS forwarders listed below work well for me. DO YOUR RESEARCH.
#
server:
interface: 0.0.0.0
# The following line assumes your LAN is on the usual 192.168.x.x network. Change
# this setting if necessary.
access-control: 192.168.1.0/16 allow
verbosity: 1
statistics-interval: 3600
statistics-cumulative: yes
# outgoing-range: 800
outgoing-range: 256
num-threads: 1
msg-cache-size: 1m
msg-cache-slabs: 1
num-queries-per-thread: 128
rrset-cache-size: 2m
rrset-cache-slabs: 1
infra-cache-numhosts: 16
infra-cache-slabs: 1
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: no
logfile: "unbound.log"
use-syslog: no
log-time-ascii: yes
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
do-not-query-localhost: yes
log-queries: no
identity: "unbound DNS running on FreeNAS"
target-fetch-policy: "0 0 0 0 0"
prefetch: yes
cache-max-ttl: 604800
module-config: "iterator"
forward-zone:
## This is a good set of resolvers for the eastern US. Recommend
## that you investigate the best servers for your location. I recommend
## Steve Gibson's DNSBench: https://www.grc.com/dns/benchmark.htm
name: "."
forward-addr: 68.105.29.11
forward-addr: 68.105.28.12
forward-addr: 68.105.29.12
forward-addr: 68.105.28.11
forward-addr: 68.13.16.30
forward-addr: 68.13.16.25
forward-addr: 68.12.16.30
forward-addr: 68.12.16.25
forward-addr: 64.94.33.1
forward-addr: 216.52.129.1
forward-addr: 64.94.33.33
forward-addr: 208.67.222.123
forward-addr: 129.250.35.251
forward-addr: 74.82.42.42
forward-addr: 129.250.35.250
forward-addr: 8.8.8.8
forward-addr: 204.194.232.200
forward-addr: 8.8.4.4
# OPTIONAL REMOTE CONTROL SETTINGS (comment out if desired)
# You must run unbound-control-setup before unbound-control can be used.
remote-control:
control-enable: yes
control-interface: 0.0.0.0
Maybe someone can see where I messed up and I can do away with the copied files in /var/unbound. Thank you for any help. I'm sure I just missed something easy. I've read the man pages for the unbound.conf and I think I maybe don't understand how some of the arguments work properly.
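As an added check (not part of the post or of DrKK's config), here is a small POSIX sh lint for an unbound.conf that flags three things the post runs into: `module-config: "iterator"` leaves out the validator module, so the root.key trust anchor is never consulted and no DNSSEC validation happens; `control-interface: 0.0.0.0` exposes the control channel to the whole LAN; and key/cert/anchor paths that are not readable from where unbound actually runs (which is what a chroot changes). The sample config at the bottom is constructed for the demo, and the tool names sed/awk are assumed to be the POSIX ones.

```shell
#!/bin/sh
# Added example, not from the forum post: lint the remote-control and DNSSEC
# settings of an unbound.conf such as the ones above. Prints one line per
# finding and returns the number of findings (0 = clean). POSIX sh, sed, awk.

# Drop comments and blank lines; settings need no indentation in unbound.conf.
unbound_conf_clean() {
  sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e '/^$/d' "$1"
}

# First value of a "key: value" line, with surrounding quotes removed.
unbound_conf_get() {
  unbound_conf_clean "$1" | awk -v k="$2:" '$1 == k { gsub(/"/, "", $2); print $2; exit }'
}

unbound_conf_lint() {
  conf=$1; n=0
  # 1. DNSSEC validation only happens when "validator" is in module-config;
  #    the default (when the key is absent) is "validator iterator".
  mc=$(unbound_conf_clean "$conf" | awk '$1 == "module-config:" { $1 = ""; gsub(/"/, ""); sub(/^ +/, ""); print; exit }')
  [ -n "$mc" ] || mc="validator iterator"
  case " $mc " in
    *" validator "*) ;;
    *) echo "DNSSEC: module-config '$mc' has no validator, so trust anchors are unused"; n=$((n+1)) ;;
  esac
  # 2. The control channel should not listen on every interface.
  ci=$(unbound_conf_get "$conf" control-interface)
  case "$ci" in
    0.0.0.0|::0|::) echo "remote-control: control-interface $ci is network-reachable; prefer 127.0.0.1"; n=$((n+1)) ;;
  esac
  # 3. Each key/cert/anchor file must be readable where unbound is started
  #    (a chroot changes which directory these paths resolve against).
  for k in server-key-file server-cert-file control-key-file control-cert-file auto-trust-anchor-file; do
    f=$(unbound_conf_get "$conf" "$k")
    if [ -n "$f" ] && [ ! -r "$f" ]; then
      echo "file: $k $f is not readable"; n=$((n+1))
    fi
  done
  return $n
}

# Constructed sample config reproducing the settings in the post.
demo=$(mktemp)
cat > "$demo" <<'EOF'
server:
  module-config: "iterator"
remote-control:
  control-enable: yes
  control-interface: 0.0.0.0
  server-key-file: /var/unbound/unbound_server.key
EOF
rc=0; unbound_conf_lint "$demo" || rc=$?
echo "findings: $rc"
rm -f "$demo"
```

Run it against the real file with `unbound_conf_lint /usr/local/etc/unbound/unbound.conf`; a non-zero return is the number of findings printed.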