Caching name servers using ‘Unbound‘ ( is a validating, recursive, and caching DNS server software ), back in RHEL/CentOS 6.x (where x is version number), we used bind software to configure DNS servers.
Here in this article, we are going to use ‘unbound‘ caching software to install and configure a DNS Server in RHEL/CentOS 7 systems.
DNS cache servers are used to resolve any DNS query they receive. If the server caches the query and in future the same queries requested by any clients the request will be delivered from DNS ‘unbound‘ cache, this can be done in milliseconds than the first time it resolved.
Caching will only act as a agent to resolve the query of client from any one of the forwarders. Using caching server, will reduce the loading time of webpages by keeping the cache database in unbound server.
My Server and Client Setup
For demonstration purpose, I will be using two systems. The first system will act as a Master (Primary) DNS server and the second system will act as a local DNS client.
Master DNS Server
Operating System : CentOS Linux release 7.0.1406 (Core) IP Address : 192.168.0.50 Host-name : ns.tecmintlocal.com
Client Machine
Operating System : CentOS 6 IP Address : 192.168.0.100 Host-name : client.tecmintlocal.com
Step 1: Check System Hostname and IP
1. Before setting up a caching DNS server, make sure that you’ve added correct hostname and configured correct static IP address for your system, if not set the system static IP address.
2. After, setting correct hostname and static IP address, you can verify them with the help of following commands.
# hostnamectl # ip addr show | grep inet
Step 2: Installing and Configuring Unbound
3. Before installing ‘Unbound’ package, we must update the our system to latest version, after that we can install the unbound package.
# yum update -y # yum install unbound -y
4. After package has been installed, make a copy of the unbound configuration file before making any changes to original file.
# cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.original
5. Next, use any of your favorite text editor to open and edit ‘unbound.conf‘ configuration file.
# vim /etc/unbound/unbound.conf
Once the file is opened for editing, make the following changes:
Interfaces
Search for Interface and enable the interface which we going to use or if our server have multiple interfaces we have to enable the interface 0.0.0.0.
Here Our server IP was 192.168.0.50, So, i’am going to use unbound in this interface.
Interface 192.168.0.50
Enable IPv4 and Protocol Supports
Search for the following string and make it ‘Yes‘.
do-ip4: yes do-udp: yes do-tcp: yes
Enable the logging
To enable the log, add the variable as below, it will log every unbound activities.
logfile: /var/log/unbound
Hide Identity and Version
Enable following parameter to hide id.server and hostname.bind queries.
hide-identity: yes
Enable following parameter to hide version.server and version.bind queries.
hide-version: yes
Access Control
Then search for access-control to allow. This is to allow which clients are allowed to query this unbound server.
Here I have used 0.0.0.0, that means anyone send query to this server. If we need to refuse query for some range of network we can define which network need to be refuse from unbound queries.
access-control: 0.0.0.0/0 allow
Note: Instead of allow, we can replace it with allow_snoop this will enable some additional parameters like dig and it support both recursive and non recursive.
Domain Insecure
Then search for domain-insecure. If our domain is works with DNS sec keys, we need to define our server available for domain-insecure. Here our domain will be treated as insecure.
domain-insecure: "tecmintlocal.com
Forward Zones
Then change the forwarders for our requested query not fulfilled by this server it will forward to root domain (. ) and resolve the query.
forward-zone:
name: "."
forward-addr: 8.8.8.8
forward-addr: 8.8.4.4
Finally, save and quit the configuration file using wq!.
6. After making the above configuration, now verify the unbound.conf file for any errors using the following command.
# unbound-checkconf /etc/unbound/unbound.conf
7. After file verification over without any errors, you can safely restart the ‘unbound’ service and enable it at system startup.
# systemctl start unbound.service # sudo systemctl enable unbound.service
Step 3: Test DNS Cache Locally
8. Now it’s time to check our DNS cache, by doing a ‘drill’ (query) one ‘india.com‘ domain. At first the ‘drill‘ command results for ‘india.com‘ domain will take some milliseconds, and then do a second drill and have a note on Query time it takes for both drills.
drill india.com @192.168.0.50
Did you see in the above output, the first query taken almost 262 msec to resolve and the second query takes 0 msec to resolve domain (india.com).
That means, the first query gets cached in our DNS Cache, so when we run ‘drill’ second time the query served from our local DNS cache, this way we can improve loading speed of websites.
Step 4: Flush Iptables and Add Firewalld Rules
9. We can’t use both iptables and firewalld at same time on same machine, if we do both will conflict with each other, thus removing ipables rules will be a good idea. To remove or flush the iptables, use the following command.
# iptables -F
10. After removing iptables rules permanently, now add the DNS service to firewalld list permanently.
# firewall-cmd --add-service=dns # firewall-cmd --add-service=dns --permanent
11. After adding DNS service rules, list the rules and confirm.
# firewall-cmd --list-all
Step 5: Managing and Troubleshooting Unbound
12. To get the current server status, use the following command.
# unbound-control status
Dumping DNS Cache
13. If in-case you would like to have a dump of a DNS cache information in a text file, you can redirect it to some file using below command for future use.
# unbound-control dump_cache > /tmp/DNS_cache.txt
14. To restore or import the cache from the dumped file, you can use following command.
# unbound-control dump_cache < /tmp/DNS_cache.txt
Flushing DNS Records
15. To check whether the specific address was resolved by our forwarders in unbound cache Server, use the below command.
# unbound-control lookup google.com
16. Some times if our DNS cache server will not reply our query, in mean time we can use to flush the cache to remove information such as A, AAA, NS, SO, CNAME, MX, PTR etc.. records from DNS cache. We can remove all information using flush_zone this will remove all informations.
# unbound-control flush www.digitalocean.com # unbound-control flush_zone tecmintlocal.com
17. To check which forwards are currently used to resolve.
# unbound-control list_forwards
Step 6: Client Side DNS Configuration
18. Here I’ve used a CentOS 6 server as my client machine, IP for this machine is 192.168.0.100 and I’m going to use my unbound DNS server IP (i.e Primary DNS) in it’s interface configuration.
Log-into the Client machine and set the Primary DNS server IP to our unbound server’s IP.
Run the setup command and choose network configuration from TUI network manager.
Then choose DNS configuration, insert the unbound DNS server’s IP as Primary DNS, but here i have used both in Primary and Secondary because I don’t have any other DNS server.
Primary DNS : 192.168.0.50 Secondary DNS : 192.168.0.50
Click OK –> Save&Quit –> Quit.
19. After adding Primary and Secondary DNS IP addresses, now it’s time to restart the network using following command.
# /etc/init.d/network restart
20. Now time to access any one of the website from client machine and check for the cache in unbound DNS server.
# elinks aol.com # dig aol.com
Conclusion
Earlier we were used to setup DNS cache server using bind package in RHEL and CentOS systems. Now, we have seen how to setup a DNS cache server using unbound package. Hope this will resolve your query request quicker than the bind pacakge.
Thanks for the article. Feel it very authoritatively. I don’t know if this is a typesetting problem, but the file log should be in quotes and the directory should have the user unbound. I.E.
should be more like:
where /var/log/unbound user and group is set to the unbound user like so:
hope this helps someone setting up logging!
Hi,
This is very useful article. Whenever I’m stuck, this website helps me a lot. Thanks to you.
Dear Babin Lonston,
Thanks for your guide, but i have a problem . When i do follow step by step above. I have a error when check unbound.conf file
[root@localhost unbound]# unbound-checkconf /etc/unbound/unbound.conf
/etc/unbound/unbound_server.key: No such file or directory
[1511340951] unbound-checkconf[9120:0] fatal error: server-key-file: “/etc/unbound/unbound_server.key” does not exist
How can i fix it ? I find out a command like “control-use-cert: no” in some unbound version. But it is not available for unbound 1.4.20 on Centos7 .
Thanks and wait for your reply :)
1.systemctl start unbound.service
2.sudo systemctl enable unbound.service
3.unbound-checkconf /etc/unbound/unbound.conf
Hi,
Very useful article
Thanks a lot
Hi, thank you for the post.
How did you manage to get all that options in the setup command in Red Hat 7? In Centos 7 I only have System Authentication and System Services.
I know nmtui, which is good to configure dns clientes, and firewall-config for firewall.
But it would be nice to try all that options from setup command.
Thanks in advance
RODOLFO
Setup command not available in Centos, RHEL 7 Instead you can use nmcli from command line or use the nmtui.