habibzain Just husband, father and enthusiastic men about System Administration. Love to write short article about it. Perhaps can help and be useful for others.

Install Unbound Ubuntu 20.04/22.04 with Compile


Hi Dude. Today we will install the Unbound DNS resolver on Ubuntu 20.04/22.04 by compiling it from the source tarball. As we know, Unbound is a validating, recursive, caching DNS resolver. It is designed to be fast and lean and incorporates modern features based on open standards.

Unbound runs on FreeBSD, OpenBSD, NetBSD, MacOS, Linux and Microsoft Windows, with packages available for most platforms. It is included in the base-system of FreeBSD and OpenBSD and in the standard repositories of most Linux distributions. Installation and configuration is designed to be easy. Setting up a resolver for your machine or network can be done with only a few lines of configuration.

It is free, open source software under the BSD license.

Download From Repository.

wget https://nlnetlabs.nl/downloads/unbound/unbound-latest.tar.gz
tar xzf unbound-latest.tar.gz

We’ll need some tools, such as a compiler and the make program.

sudo apt update
sudo apt install -y build-essential libssl-dev libunbound-dev libevent-dev libexpat1-dev libldns-dev net-tools bind9-utils

The library components Unbound needs are libssl and libexpat, of which we need the “dev” version. Unbound also uses libldns, but this is included in the tarball we’ve already downloaded.

sudo apt install -y libssl-dev
sudo apt install -y libexpat1-dev

We’ll also need the tools to build the actual program. For this, Unbound uses make and internally it uses flex and yacc, which we need to download as well.

sudo apt-get install -y bison
sudo apt-get install -y flex

With all the requirements met, we can now start the compilation process in the Unbound directory. The first step here is configuring. With ./configure -h you can look at the extensive list of configurables for Unbound. A nice feature is that configure will tell you what it’s missing during configuration. A common error is that configure cannot find the paths to the two libraries we just installed; these can be specified manually with --with-ssl= and --with-libexpat=.

Install Unbound in Ubuntu With Compile

Change to the directory created by extracting the tarball.

cd unbound-1.16.1
./configure --with-libevent

When configure gives no errors, we can continue to actually compiling Unbound. For this Unbound uses make. Be warned that compiling might take a while.

make 

When we have a successful compilation, we can install Unbound to make it available on the machine. Let's install the compiled Unbound.

sudo make install

Please note that the default configuration file is located at /usr/local/etc/unbound/unbound.conf and created during the make step. This file contains all possible configuration options for Unbound.


After the install has finished, add the user “unbound”.

groupadd unbound
useradd -d /usr/local/etc/unbound -m -g unbound -s /bin/false unbound

Testing

A simple test to determine if the installation was successful is to invoke the unbound command with the -V option, which is the “version” option. This shows the version and build options used, as well as proving that the install was successful.

root@habibza:/usr/local/etc/unbound# unbound -V
Version 1.16.1

Configure line: --with-libevent
Linked libs: libevent 2.1.11-stable (it uses epoll), OpenSSL 1.1.1f  31 Mar 2020
Linked modules: dns64 respip validator iterator

BSD licensed, see LICENSE in source package for details.
Report bugs to [email protected] or https://github.com/NLnetLabs/unbound/issues

Set up Remote Control

A useful functionality to enable is the unbound-control command. To set it up, run unbound-control-setup.

unbound-control-setup

This creates a number of files in the default install directory. The default install directory is /usr/local/etc/unbound/.

If you use a username like unbound in the config to run the daemon (which is the default setting), you can use sudo to create the files in that user’s name.

sudo -u unbound unbound-control-setup

If you get a permission error, run ‘chown -R unbound:unbound /usr/local/etc/unbound’.

cd /usr/local/etc/unbound/

ls -al
drwxr-xr-x 3 root    root     4096 Jul 22 15:41 ..
-rw-r--r-- 1 unbound unbound 47708 Jul 22 15:41 unbound.conf
-rw------- 1 unbound unbound  2459 Jul 22 15:42 unbound_control.key
-rw-r----- 1 unbound unbound  1411 Jul 22 15:42 unbound_control.pem
-rw-r--r-- 1 unbound unbound     6 Jul 22 15:45 unbound.pid
-rw------- 1 unbound unbound  2459 Jul 22 15:42 unbound_server.key
-rw-r----- 1 unbound unbound  1549 Jul 22 15:42 unbound_server.pem

Add these lines to unbound.conf.

remote-control:
        # enable remote-control
        control-enable: yes

        # location of the files created by unbound-control-setup
        server-key-file: "/usr/local/etc/unbound/unbound_server.key"
        server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"
        control-key-file: "/usr/local/etc/unbound/unbound_control.key"
        control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"

Alternatively, we can back up the original unbound.conf and create a new unbound.conf with this configuration.
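Whoever can read unbound_control.key together with its certificate can issue unbound-control commands, so the permissions shown in the listing above are worth checking after setup. The following is an added example, not part of the original article: a shell function (the name audit_remote_control and the scratch directory are assumptions for illustration) that flags key files readable by group or others and any control-interface that is neither loopback nor a local socket path.

```shell
#!/bin/sh
# Added example: audit the files written by unbound-control-setup.
# Usage: audit_remote_control <config-dir>   (hypothetical helper name)
# Prints one FAIL line per finding; returns 0 only when nothing was found.
audit_remote_control() {
    dir=$1
    findings=0
    # 1. Private keys must carry no group/other permission bits.
    for key in unbound_server.key unbound_control.key; do
        f="$dir/$key"
        if [ ! -f "$f" ] || [ -L "$f" ]; then
            echo "FAIL $key: missing or not a regular file"
            findings=$((findings + 1))
            continue
        fi
        # Characters 5-10 of the ls mode string are the group and other bits.
        perms=$(ls -ld "$f" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "FAIL $key: group/other bits set ($perms)"
            findings=$((findings + 1))
        fi
    done
    # 2. Every control-interface should be loopback or a local socket path.
    for addr in $(awk '$1 == "control-interface:" { print $2 }' "$dir/unbound.conf"); do
        case $addr in
            127.*|::1|/*) ;;
            *) echo "FAIL control-interface $addr is not loopback"
               findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed demo: a scratch directory standing in for /usr/local/etc/unbound.
demo=$(mktemp -d)
touch "$demo/unbound_server.key" "$demo/unbound_control.key"
chmod 600 "$demo/unbound_server.key"
chmod 640 "$demo/unbound_control.key"      # deliberately too permissive
printf 'remote-control:\n\tcontrol-interface: 0.0.0.0\n' > "$demo/unbound.conf"
audit_remote_control "$demo" || echo "audit found problems"
rm -rf "$demo"
```

On a real host, call it as root with /usr/local/etc/unbound as the argument.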


Starting Unbound

Let's start Unbound with unbound-control start. The first time I did an unbound start, I got a failure, because port 53 is already used by systemd-resolved.service.

root@habibza:/usr/local/etc/unbound# unbound-control start
[1658480141] unbound[20950:0] error: can't bind socket: Address already in use for 0.0.0.0 port 53
[1658480141] unbound[20950:0] fatal error: could not open ports

We can check the port with netstat.

root@habibza:/usr/local/etc/unbound# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      817/systemd-resolve
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      886/sshd: /usr/sbin
tcp6       0      0 :::22                   :::*                    LISTEN      886/sshd: /usr/sbin
udp        0      0 127.0.0.53:53           0.0.0.0:*                           817/systemd-resolve

As we can see, port 53 is taken by systemd-resolve.

This is because Ubuntu 20.04 ships with systemd-resolved.service as its resolver service. So I have to stop systemd-resolved.service.

systemctl stop systemd-resolved.service
systemctl disable systemd-resolved.service

Next, remove the file /etc/resolv.conf, because it is a symlink associated with systemd-resolved.service, and add a new file in its place.

rm -rf /etc/resolv.conf

Add a new file /etc/resolv.conf containing the line nameserver 127.0.0.1.

vim /etc/resolv.conf

nameserver 127.0.0.1

Set up Trust Anchor (Enable DNSSEC)

sudo -u unbound unbound-anchor

The command above creates the root key file at /var/lib/unbound/root.key or /usr/local/etc/unbound/root.key.

If you get the error that libunbound.so.8 is not found, install the package libunbound-dev.

To enable DNSSEC, we add auto-trust-anchor-file under the server clause in the config.

server:
        # enable DNSSEC
        auto-trust-anchor-file: "/var/lib/unbound/root.key"

If you were going to use this Unbound server as an authoritative DNS server, you would also want to make sure you have a root hints file, which is the zone file for the root DNS servers.

Get the file from InterNIC. It is easiest to download it directly to where you want it. My preference is usually to put it in the directory where Unbound is installed:

wget https://www.internic.net/domain/named.root -O /usr/local/etc/unbound/root.hints

Then add an entry to your unbound.conf file to let Unbound know where the hints file goes:

        # file to read root hints from.
        root-hints: "/usr/local/etc/unbound/root.hints"

Finally, we want to add at least one entry that tells Unbound where to forward requests to for recursion. Note that we could forward specific domains to specific DNS servers. In this example, I’m just going to forward everything out to a couple of DNS servers on the Internet:

forward-zone:
        name: "."
        forward-addr: 1.1.1.1
        forward-addr: 8.8.8.8

This is my latest configuration.

My server spec is: CPU: 2 cores, memory: 8 GB.

# some optimisation options.
server:
        # show log and statistic
        verbosity: 1
        statistics-interval: 120
        logfile: "/usr/local/etc/unbound/unbound.log"
        use-syslog: no

        # use all CPUs
        num-threads: 2

        # power of 2 close to num-threads
        msg-cache-slabs: 2
        rrset-cache-slabs: 2
        infra-cache-slabs: 2
        key-cache-slabs: 2

        # more cache memory, rrset=msg*2
        rrset-cache-size: 100m
        msg-cache-size: 50m

        # more outgoing connections
        # depends on number of cores: 1024/cores - 50
        outgoing-range: 450
        num-queries-per-thread: 250

        # Larger socket buffer.  OS may need config.
        so-rcvbuf: 4m
        so-sndbuf: 4m

        # Faster UDP with multithreading (only on Linux).
        so-reuseport: yes

        directory: "/usr/local/etc/unbound"
        username: unbound
        chroot: "/usr/local/etc/unbound"
        pidfile: "/usr/local/etc/unbound/unbound.pid"
        root-hints: "/usr/local/etc/unbound/root.hints"
        interface: 0.0.0.0
        hide-identity: yes
        hide-version: yes
        harden-glue: yes
        do-not-query-address: 127.0.0.1/8
        do-not-query-localhost: no

        access-control: 10.0.0.0/8 allow
        access-control: 192.168.0.0/16 allow
        access-control: 0.0.0.0/0 deny

forward-zone:
        name: "."
        forward-addr: 8.8.8.8
        forward-addr: 1.1.1.1

remote-control:
        control-enable: yes
        control-interface: 127.0.0.1
        control-port: 953
        server-key-file: "/usr/local/etc/unbound/unbound_server.key"
        server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"
        control-key-file: "/usr/local/etc/unbound/unbound_control.key"
        control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"
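With interface: 0.0.0.0 the resolver listens on every address, so the access-control lines decide who may query it. Added example, not from the original article: a shell function, hypothetically named acl_action, that reports the action a client IPv4 address would receive, assuming the most-specific-netblock rule and the localhost-allowed default described in unbound.conf(5). IPv6 entries are skipped.

```shell
#!/bin/sh
# Added example: which access-control action would a client receive?
# Usage: acl_action <unbound.conf> <client-ipv4>   (hypothetical helper name)
acl_action() {
    awk -v ip="$2" '
    function ip2n(a,   p) {               # dotted quad to integer
        split(a, p, /\./)
        return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
    }
    function inblock(n, net, len,   size) {
        size = 2 ^ (32 - len)             # number of addresses in a /len block
        return int(n / size) == int(ip2n(net) / size)
    }
    BEGIN { n = ip2n(ip); best = -1; action = "refuse" }   # no match: refuse
    $1 == "access-control:" && $2 !~ /:/ {                 # IPv4 entries only
        split($2, c, "/")
        len = (c[2] == "") ? 32 : c[2] + 0
        # Longest matching prefix wins, whatever the order of the lines.
        if (len > best && inblock(n, c[1], len)) { best = len; action = $3 }
    }
    END {
        # Assumed built-in default from unbound.conf(5): localhost is allowed
        # unless the config has an entry at least as specific as 127.0.0.0/8.
        if (best < 8 && inblock(n, "127.0.0.0", 8)) action = "allow"
        print action
    }' "$1"
}

# Constructed sample: the access-control lines from the configuration above.
conf=$(mktemp)
cat > "$conf" <<'EOF'
server:
        interface: 0.0.0.0
        access-control: 10.0.0.0/8 allow
        access-control: 192.168.0.0/16 allow
        access-control: 0.0.0.0/0 deny
EOF
for client in 10.1.2.3 192.168.5.9 203.0.113.7 127.0.0.1; do
    printf '%-14s %s\n' "$client" "$(acl_action "$conf" "$client")"
done
rm -f "$conf"
```

An address that comes back as allow but lies outside the networks you serve means the resolver is open to clients it was not meant for.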

Unbound can use libevent to efficiently use more than 1024 file descriptors. Install libevent (and libevent-devel, if it exists) with your favorite package manager. Before compiling Unbound, run ./configure --with-libevent.

Now you can give any number you like for outgoing-range. Also increase the num-queries-per-thread value.

# with libevent
outgoing-range: 8192
num-queries-per-thread: 4096

Testing

We can test with the dig command, for example dig mx bloomberg.com or any other domain you want. The first result gets a query time of 388 msec. The second result gets a query time of 0 msec. That shows Unbound is working as a caching DNS.


See Statistics

We can easily see Unbound statistics with unbound-control stats.

root@habibza:/usr/local/etc/unbound# unbound-control stats
thread0.num.queries=0
thread0.num.queries_ip_ratelimited=0
thread0.num.cachehits=0
thread0.num.cachemiss=0
thread0.num.prefetch=0
thread0.num.expired=0
thread0.num.recursivereplies=0
thread0.requestlist.avg=0
thread0.requestlist.max=0
thread0.requestlist.overwritten=0
thread0.requestlist.exceeded=0
...

OK, done. That is a short article about installing Unbound on Ubuntu by compiling from source. The next article is Install Unbound Ubuntu 20.04/22.04 With Package Manager. I hope this is useful for you.

