In the previous article, we introduced Unbound and covered some of the most common settings. In this article, we will cover some additional settings.
Under Services -> Unbound DNS, the “Unbound DNS Settings” tab has a subheading called “Statistics”. Unbound can record various statistics about the queries it handles. These statistics are written to the Unbound log file at /var/log/unbound.log, which you can view via Status: Package logs or from the command line with the “clog” command.
There are a few configurable options. The “Enable Statistics” check box turns statistics collection on; once enabled, Unbound generates the counters from which other information can be derived. The “Statistics Interval” dropdown box selects how often statistics are written to the Unbound log file (anywhere from 5 minutes to 2 hours). If “Yes” is selected in the “Enter Cumulative Statistics” dropdown box, the statistics are cumulative: the counters keep running and are not reset after each report is logged. The “Extended Statistics” check box causes Unbound to also log the types of queries the resolver has handled; otherwise, Unbound logs only the total number of queries.
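The practical consequence of the cumulative setting is that a cumulative log carries running totals, so per-interval numbers have to be recovered by subtracting consecutive reports. The following Python snippet, added here as an illustration and not code from the pfSense package or from Unbound itself, parses the per-thread “server stats” lines Unbound writes to its log, sums them per report, derives per-interval counts under either setting, and computes the cache hit ratio. The log lines are constructed for the example (the timestamps and counts are made up), and the regular expression assumes the line layout shown in the sample.

```python
"""Parse Unbound's periodic statistics lines from /var/log/unbound.log.

Added example for this article; not code from the pfSense Unbound package.
SAMPLE_LOG is constructed to mirror Unbound's "server stats for thread N"
report lines; the timestamps and counts are made up.
"""
import re
from collections import defaultdict

# Matches the per-thread report line; a trailing ", N rejected by ip
# ratelimiting" on newer Unbound versions is tolerated because the
# pattern is not anchored at the end of the line.
STATS_RE = re.compile(
    r"^\[(?P<ts>\d+)\]\s+unbound\[[^\]]+\]\s+info:\s+"
    r"server stats for thread (?P<thread>\d+):\s+"
    r"(?P<queries>\d+) queries,\s+(?P<cache>\d+) answers from cache,\s+"
    r"(?P<recursions>\d+) recursions,\s+(?P<prefetch>\d+) prefetch"
)

# Constructed sample: two reports five minutes apart, two threads each.
SAMPLE_LOG = """\
[1700000000] unbound[2345:0] info: server stats for thread 0: 120 queries, 90 answers from cache, 30 recursions, 0 prefetch
[1700000000] unbound[2345:1] info: server stats for thread 1: 80 queries, 50 answers from cache, 30 recursions, 0 prefetch
[1700000000] unbound[2345:0] info: average recursion processing time 0.041 sec
[1700000300] unbound[2345:0] info: server stats for thread 0: 260 queries, 200 answers from cache, 60 recursions, 0 prefetch, 0 rejected by ip ratelimiting
[1700000300] unbound[2345:1] info: server stats for thread 1: 170 queries, 100 answers from cache, 70 recursions, 0 prefetch, 0 rejected by ip ratelimiting
"""


def parse_reports(text):
    """Return {timestamp: {'queries', 'cache', 'recursions'}} summed over threads."""
    per_ts = defaultdict(lambda: {"queries": 0, "cache": 0, "recursions": 0})
    for line in text.splitlines():
        m = STATS_RE.match(line)
        if not m:
            continue  # other info lines (histograms, averages) are skipped
        ts = int(m.group("ts"))
        per_ts[ts]["queries"] += int(m.group("queries"))
        per_ts[ts]["cache"] += int(m.group("cache"))
        per_ts[ts]["recursions"] += int(m.group("recursions"))
    return dict(sorted(per_ts.items()))


def per_interval(reports, cumulative):
    """Return [(timestamp, counts)] for each report.

    With cumulative statistics the log carries running totals, so each
    interval is the difference from the previous report; otherwise the
    counters were reset after each report and are used as-is.
    """
    out = []
    prev = None
    for ts, counts in reports.items():
        if cumulative and prev is not None:
            delta = {k: counts[k] - prev[k] for k in counts}
        else:
            delta = dict(counts)
        out.append((ts, delta))
        prev = counts
    return out


def cache_hit_ratio(counts):
    """Fraction of queries answered from cache for one report or interval."""
    return counts["cache"] / counts["queries"] if counts["queries"] else 0.0


if __name__ == "__main__":
    reports = parse_reports(SAMPLE_LOG)
    for ts, counts in per_interval(reports, cumulative=True):
        print(ts, counts, f"hit ratio {cache_hit_ratio(counts):.2f}")
```

Reading the same log with the wrong assumption about cumulative mode produces misleading numbers: a cumulative log read as non-cumulative looks like ever-growing query volume, and a non-cumulative log read as cumulative can yield negative intervals. If you change the “Enter Cumulative Statistics” setting, note the time so that reports before and after are interpreted correctly.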
Advanced Settings and ACL Lists
The “Unbound DNS Advanced Settings” tab has a number of additional settings that may be useful. The “Hide Identity” check box, when checked, causes Unbound to refuse id.server and hostname.bind queries. The “Hide Version” check box, when checked, causes Unbound to refuse version.server and version.bind queries. Withholding these answers denies anyone probing the resolver the software name and version they would use to fingerprint it and look up known weaknesses. The “Log level verbosity” setting allows you to select the logging verbosity. “Level 0” specifies no verbosity (only errors are logged), while each higher level (up to Level 5) provides additional information. The “Message Cache Size” dropdown box allows you to alter the size of the message cache, which stores DNS rcodes and validation statuses. The RRSet cache, which holds the RR data itself, is automatically set to twice this amount.
The “Outgoing TCP Buffers” dropdown box allows you to select the number of outgoing TCP buffers to allocate per thread. If the value is set to 0, no TCP queries to authoritative servers are done. The “Incoming TCP Buffers” dropdown box allows you to select the number of incoming TCP buffers to allocate per thread. Once again, if the value is set to 0, then no TCP queries from clients are accepted.
The next tab is “Unbound DNS ACLs”. Here you can define access control lists for Unbound. Click on the “plus” sign on the right side of the page to add a new ACL. The “ACL name” edit box allows you to provide an ACL name. The “Action” dropdown box allows you to choose what to do with DNS requests that match the specified criteria. “Deny” causes Unbound to stop queries from hosts within the specified netblock. “Refuse” will also stop queries from hosts within the specified netblock, but will send a DNS rcode REFUSED error message back to the client. “Allow” will allow queries from hosts within the specified netblock. “Allow Snoop” will allow recursive and nonrecursive access from hosts within the specified netblock.
At “Networks”, you can press the “plus” button and specify a netblock or series of netblocks (along with descriptions) to which the action will be applied. Finally, you can add a description in the “Description” edit box. When you are done setting up the ACL, press the “Save” button to save the changes (or “Cancel” to cancel).
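Behind the GUI, each ACL entry becomes an access-control directive in the generated Unbound configuration, and the two permissive actions deserve a second look before saving: “Allow” or “Allow Snoop” on a broad netblock turns the firewall into an open resolver, and “Allow Snoop” additionally lets hosts inspect cache contents with non-recursive queries. The Python snippet below is an added example for this article, not code from the pfSense package or from Unbound. It assumes the GUI actions map to Unbound's deny, refuse, allow and allow_snoop directive keywords, renders a list of constructed ACL entries as directive lines, and audits them for the two risks just described.

```python
"""Render and sanity-check Unbound access-control entries.

Added example for this article; not code from the pfSense package or Unbound.
Assumes the GUI "Action" values map to Unbound's access-control keywords
deny / refuse / allow / allow_snoop. The ACL entries used below are constructed.
"""
import ipaddress

# Assumed mapping from the GUI "Action" dropdown to Unbound directive keywords.
ACTIONS = {
    "Deny": "deny",
    "Refuse": "refuse",
    "Allow": "allow",
    "Allow Snoop": "allow_snoop",
}


def render_access_control(entries):
    """entries: list of (action, [netblock, ...]); returns unbound.conf lines.

    ipaddress.ip_network raises ValueError on malformed input, so a typo in a
    netblock is rejected here rather than silently producing a bad directive.
    """
    lines = []
    for action, netblocks in entries:
        directive = ACTIONS[action]
        for nb in netblocks:
            net = ipaddress.ip_network(nb, strict=False)
            lines.append(f"access-control: {net.with_prefixlen} {directive}")
    return lines


def audit_access_control(entries):
    """Return warning strings for entries that widen access more than intended."""
    warnings = []
    for action, netblocks in entries:
        directive = ACTIONS[action]
        if directive not in ("allow", "allow_snoop"):
            continue  # deny/refuse never widen access
        for nb in netblocks:
            net = ipaddress.ip_network(nb, strict=False)
            if net.prefixlen == 0:
                warnings.append(
                    f"{nb}: '{action}' for every address makes this an open resolver"
                )
            elif net.is_global:
                warnings.append(
                    f"{nb}: '{action}' for a public netblock; confirm it is intended"
                )
            if directive == "allow_snoop":
                warnings.append(
                    f"{nb}: allow_snoop permits cache snooping via non-recursive "
                    "queries; limit it to administrative hosts"
                )
    return warnings


# Constructed sample: a typical LAN entry, a catch-all deny, one admin host
# with snoop access, and an overly broad allow that the audit should flag.
SAMPLE_ENTRIES = [
    ("Allow", ["192.168.1.0/24"]),
    ("Deny", ["0.0.0.0/0"]),
    ("Allow Snoop", ["10.0.0.5/32"]),
    ("Allow", ["0.0.0.0/0"]),
]

if __name__ == "__main__":
    print("\n".join(render_access_control(SAMPLE_ENTRIES)))
    for w in audit_access_control(SAMPLE_ENTRIES):
        print("WARNING:", w)
```

Unbound applies the most specific matching netblock, so a broad deny alongside a narrow allow is the usual safe layout; the audit exists because the reverse (a broad allow) is easy to create by accident in the GUI.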
Unbound also provides various command line utilities to manage your DNS cache server. To remove a name from the cache, type:
unbound-control flush [name]
where [name] is a record of any type (including A, AAAA, NS, SOA, CNAME, DNAME, MX, PTR, SRV and NAPTR). If you want to remove a name of a specific type only, then type:
unbound-control flush_type [name] [type]
If you want to flush an entire zone, type:
unbound-control flush_zone [name]
This will remove all information at or below the name from the cache. For example, if you specify .com, all entries below .com will be removed.
To determine the name servers that will be queried to lookup a zone, type:
unbound-control lookup [name]