root@cloudns0:~# ifconfig
* ens13: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
* inet xxx.4.77.135 netmask 255.255.255.192 broadcast xxx.4.77.191
* inet6 fe80::a800:ff:fe79:5a1 prefixlen 64 scopeid 0x20<link>
* inet6 2403:4000:0:2::2 prefixlen 64 scopeid 0x0<global>
* ether aa:00:00:79:05:a1 txqueuelen 1000 (Ethernet)
* RX packets 213715417 bytes 14053348903 (13.0 GiB)
* RX errors 0 dropped 1 overruns 0 frame 0
* TX packets 9511552 bytes 958058087 (913.6 MiB)
* TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
*
* lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
* inet 127.0.0.1 netmask 255.0.0.0
* inet6 ::1 prefixlen 128 scopeid 0x10<host>
* loop txqueuelen 1000 (Local Loopback)
* RX packets 78633600 bytes 7941971840 (7.3 GiB)
* RX errors 0 dropped 0 overruns 0 frame 0
* TX packets 78633600 bytes 7941971840 (7.3 GiB)
* TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
*
root@cloudns0:~# cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
allow-hotplug ens13
iface ens13 inet static
address 210.xxx.77.1xxx/26
gateway 210.xxx.77.129
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 210.4.77.135
dns-search bdcom.net
iface ens13 inet6 static
address 2403:xxx:0:2::2
netmask 64
gateway 2403:xxx:0:2::1
dns-nameservers 2403:xxx:0:2::2
root@cloudns0:~# cat /etc/unbound/unbound.conf
# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
include: "/etc/unbound/unbound.conf.d/*.conf"
#The configuration file is located at /etc/unbound/unbound.conf. Configure the interface to listen on using the "interface" directive. 0.0.0.0 will instruct unbound to listen on all interfaces; on a host with a public address, the access-control rules below are then the only thing that stops it from being an open resolver.
#
# Enable logs
verbosity: 1 # uncomment and increase to get more
logfile: /var/log/unbound/unbound.log
log-queries: yes
#server:
# chroot: ""
# logfile: /var/log/unbound.log
# verbosity: 1
# log-queries: yes
#interface: 0.0.0.0@53
#interface: ::/0@53
interface: 0.0.0.0@53
interface: ::0@53
#
# DNS request port, IP and protocol
port: 53
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
#Setup clients that may make recursive queries:
# Authorized IPs to access the DNS server
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.1 allow
access-control: ::1 allow
access-control: 210.4.64.0/24 allow
access-control: 210.4.77.0/24 allow
access-control: 10.255.0.0/16 allow
access-control: 2403:4000::/32 allow
#To require DNSSEC data for trust-anchored zones, use the "harden-dnssec-stripped" option:
harden-dnssec-stripped: yes
#Configure the TTLs for the DNS cache in seconds. It is good practice not to keep the minimum higher than an hour, since a higher value could result in reading stale data that has since changed. This is especially likely for hostnames that resolve to dynamic IP addresses.
#
cache-min-ttl: 3600
cache-max-ttl: 86400
#Performance tuning parameters to tune unbound depending on the number of clients that will depend on this server, as well as the hardware on which it is running. My unbound server is on a 512MB 1vcpu VM and will only serve requests for clients within my home network, so I have deliberately tuned these down.
#
num-threads: 2
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
rrset-cache-size: 128m
msg-cache-size: 32m
so-rcvbuf: 1m
#Let's now set up the private domain for which this DNS server will be authoritative. You should add all the local hosts in your network for which this server will act as an authority, as local-data entries similar to the ones below.
#
#private-domain: "home.asrivas.me"
#local-zone: "home.asrivas.me" static
#local-data: "webserver.home.asrivas.me IN A 192.168.1.143"
#One really useful aspect of running your own DNS server is the ability to block a number of ad servers by creating a blackhole for those domains. This is especially useful for mobile devices, where it is difficult to configure ad-blocking. The following servers serve the majority of the ads on the internet:
local-zone: "doubleclick.net" redirect
local-data: "doubleclick.net A 127.0.0.1"
local-zone: "googlesyndication.com" redirect
local-data: "googlesyndication.com A 127.0.0.1"
local-zone: "googleadservices.com" redirect
local-data: "googleadservices.com A 127.0.0.1"
local-zone: "google-analytics.com" redirect
local-data: "google-analytics.com A 127.0.0.1"
local-zone: "ads.youtube.com" redirect
local-data: "ads.youtube.com A 127.0.0.1"
local-zone: "adserver.yahoo.com" redirect
local-data: "adserver.yahoo.com A 127.0.0.1"
local-zone: "ask.com" redirect
local-data: "ask.com A 127.0.0.1"
#Lastly, you should set up forwarding of queries that cannot be answered by this server to the appropriate public DNS server:
forward-zone:
name: "."
forward-addr: 1.0.0.1@53#one.one.one.one
forward-addr: 1.1.1.1@53#one.one.one.one
forward-addr: 8.8.4.4@53#dns.google
forward-addr: 8.8.8.8@53#dns.google
forward-addr: 9.9.9.9@53#dns.quad9.net
forward-addr: 149.112.112.112@53#dns.quad9.net
forward-addr: 2606:4700:4700::1003@53#cloudfare.ipv6
forward-addr: 2606:4700:4700::1113@53#cloudfare.ipv6
forward-addr: 2403:4000:0:2::3@53#BDCOM.ipv6
forward-addr: 2403:4000:0:2::4@53#BDCOM.ipv6
—————— logs ———–
https://askubuntu.com/questions/1082972/unbound-dns-sever-does-not-log-anything-when-i-make-a-query
Step 2
Make sure BOTH the log file and its parent folder are owned by the unbound user:
sudo chown unbound:unbound /var/log/unbound /var/log/unbound/unbound.log
At this point it was still not working for me (and probably not for you either).
After this I noticed it was still logging to syslog after turning verbosity up to debug. I also noticed the kernel log showing that "apparmor" was logging "DENIED" for access to the unbound log location:
sudo cat /var/log/syslog | grep DENIED
Example in syslog:
Dec 30 16:41:48 ip-192-168-1-1 kernel: [ 1368.641789] audit: type=1400 audit(1577724108.624:29): apparmor="DENIED" operation="open" profile="/usr/sbin/unbound" name="/var/log/unbound/unbound.log" pid=2247 comm="unbound" requested_mask="ac" denied_mask="ac" fsuid=112 ouid=112
Step 3
To correct this, I added a local override to apparmor.d area:
sudo nano /etc/apparmor.d/local/usr.sbin.unbound
Add this single line to it:
/var/log/unbound/unbound.log rw,
(Yes, with the comma at the end.) Save.
Step 4
Reload apparmor entries for unbound:
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.unbound
Step 5
Restart Unbound:
sudo systemctl restart unbound
Check log:
https://askubuntu.com/questions/1285370/trying-to-allocate-more-ram-to-unbound-and-getting-a-warning-to-fix-start-with
warning: so-rcvbuf 1048576 was not granted. Got 425984. To fix: start with root
https://aacable.wordpress.com/tag/unbound-debug-mode/
$ sudo tail -f /var/log/unbound/unbound.log
[1577725445] unbound[2721:0] info: start of service (unbound 1.6.7).