Re: local-unbound vs. dns/unbound

From: Sad Clouds <cryintothebluesky_at_gmail.com>
Date: Wed, 27 Mar 2024 08:03:48 UTC
On 26 Mar 2024 18:01:34 -0400
"John R. Levine" <johnl@iecc.com> wrote:

> >>
> >> It's a copy of unbound with a setup script that configures it as
> >> a cache to run on 127.0.0.1.  It looks in /etc/resolv.conf to use
> >> any DNS forwarding you've set up and some other places for
> >> stuff that seems more exotic.
> 
> > Thanks. I'm not too fussed about using the latest version, as long as
> > functionality is mostly the same. I'll play around with local-unbound
> > and see if I can make it work for my use cases.
> 
> As far as I know, it's the same program with a different setup script.
> 
> My main concern is that the setup script might overwrite your changes 
> when you do a system upgrade.
> 
> Regards,
> John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies",
> Please consider the environment before reading this e-mail. https://jl.ly

Hello, I had a look at it and it appears people already thought of this:

# ls -l /var/unbound/
total 24
drwxr-xr-x  2 unbound unbound 512 Nov 10 07:07 conf.d
-rw-r--r--  1 root    unbound 193 Mar 27 07:25 control.conf
-rw-r--r--  1 root    unbound 223 Mar 27 07:25 forward.conf
-rw-r--r--  1 root    unbound 189 Mar 27 07:25 lan-zones.conf
-rw-r--r--  1 unbound unbound 758 Mar 27 07:25 root.key
-rw-r--r--  1 root    unbound 411 Mar 27 07:25 unbound.conf

In the conf.d directory I can put my customisations that get included
via unbound.conf.

The only issue I found is that the logic in /etc/rc.d/local_unbound
script is a bit buggy.

With no config files in /var/unbound it generates a correct config:

# sysrc local_unbound_enable=YES
# sysrc local_unbound_tls=YES
# sysrc local_unbound_forwarders="1.0.0.1@853#one.one.one.one 1.1.1.1@853#one.one.one.one"
# service local_unbound start
Performing initial setup.
destination: 
Extracting forwarders from /etc/resolv.conf.
/var/unbound/forward.conf created
/var/unbound/lan-zones.conf created
/var/unbound/control.conf created
/var/unbound/unbound.conf created
/etc/resolvconf.conf created
Original /etc/resolv.conf saved as /var/backups/resolv.conf.
20240327.070818 Starting local_unbound.

However, if I later decide, for example, to disable TLS:

# service local_unbound stop
# sysrc local_unbound_tls=NO
local_unbound_tls: YES -> NO
# service local_unbound start
Starting local_unbound.
Waiting for nameserver to start... good

No config files are updated and TLS is still enabled:

# cat /var/unbound/forward.conf
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
forward-zone:
        name: .
        forward-tls-upstream: yes
        forward-addr: 1.0.0.1@853#one.one.one.one
        forward-addr: 1.1.1.1@853#one.one.one.one

This is due to this function in /etc/rc.d/local_unbound, which runs
setup only if the unbound config file is missing.

local_unbound_prestart()
{
        # Create configuration file
        if [ ! -f ${local_unbound_config} ] ; then
                run_rc_command setup
        fi

        # Retrieve DNSSEC root key
        if [ ! -s ${local_unbound_anchor} ] ; then
                run_rc_command anchor
        fi
}

I guess the workaround is to "rm -f /var/unbound/*" after changes to
rc.conf.
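A small drift check for the situation described in this message, added here as an example and not part of the post or of FreeBSD's rc script: it reads the generated forward.conf, compares its forward-tls-upstream value with the local_unbound_tls setting you expect, and fails when the two disagree. The check_forward_tls function name and the sample file built with mktemp are this example's own; on a real host you would pass /var/unbound/forward.conf and the value from sysrc -n local_unbound_tls.

```shell
#!/bin/sh
# check_forward_tls CONF DESIRED
#   CONF    - path to a local-unbound-setup generated forward.conf
#   DESIRED - YES or NO, the local_unbound_tls value from rc.conf
# Returns 0 when the file agrees with DESIRED, 1 when it is stale, 2 when unreadable.
check_forward_tls() {
    conf="$1"
    desired="$2"
    [ -r "$conf" ] || return 2
    # Pull the value after "forward-tls-upstream:", tolerating indentation and case.
    actual=$(sed -n 's/^[[:space:]]*forward-tls-upstream:[[:space:]]*\([A-Za-z]*\).*/\1/p' "$conf" \
             | head -n 1 | tr 'A-Z' 'a-z')
    # Unbound defaults forward-tls-upstream to "no" when the option is absent.
    [ -z "$actual" ] && actual=no
    case "$desired" in
        [Yy][Ee][Ss]) want=yes ;;
        *)            want=no  ;;
    esac
    [ "$actual" = "$want" ]
}

# Constructed sample: a copy of the forward.conf shown in the message (not a live file).
sample_conf=$(mktemp)
trap 'rm -f "$sample_conf"' EXIT
cat > "$sample_conf" <<'EOF'
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
forward-zone:
        name: .
        forward-tls-upstream: yes
        forward-addr: 1.0.0.1@853#one.one.one.one
        forward-addr: 1.1.1.1@853#one.one.one.one
EOF

# Simulate the case from the message: rc.conf now says NO, but the file still says yes.
if check_forward_tls "$sample_conf" NO; then
    echo "forward.conf agrees with local_unbound_tls=NO"
else
    echo "stale forward.conf: TLS setting disagrees with rc.conf; regenerate it (the prestart hook's setup step)"
fi
```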