KI5QKX: mw push

2026-04-30T18:52:37Z

mw push

← Older revision		Revision as of 18:52, 30 April 2026
Line 120:		Line 120:
	Congratulations! You have set up a caching, validating, recursive resolver that can serve DNS to any machine on AMPRNet.		Congratulations! You have set up a caching, validating, recursive resolver that can serve DNS to any machine on AMPRNet.

			[[Category:How-To]]
	[[Category:Reference]][[Category:How-To Guides]]		[[Category:Reference]][[Category:How-To Guides]]
	[[Category:DNS]]		[[Category:DNS]]
	[[Category:DNS Setup]]		[[Category:DNS Setup]]

KI5QKX: mw push

2026-03-01T00:14:31Z

mw push

← Older revision		Revision as of 00:14, 1 March 2026
Line 122:		Line 122:

	[[Category:Reference]][[Category:How-To Guides]]		[[Category:Reference]][[Category:How-To Guides]]
			[[Category:DNS]]
			[[Category:DNS Setup]]

KI5QKX: Moving OpenBSD resolver setup here from DNS/Overview

2026-02-04T22:30:19Z

Moving OpenBSD resolver setup here from DNS/Overview

New page

{{Section nav
| hub=DNS
| title=DNS
| category=DNS
}}

= Setting Up a Recursive Resolver on OpenBSD =

[https://www.openbsd.org OpenBSD] is a variant of Unix known for security and a focus on code correctness. It also comes bundled with a high performance caching, validating, recursive DNS resolver package called [https://www.nlnetlabs.nl/projects/unbound/about/ Unbound]. Unbound is easily configured, we will give an example of doing so here.

== Configuring the unbound server ==

The first step is to configure the server by editing its configuration file, <code>/var/unbound/etc/unbound.conf</code>. The format and allowable settings in this file are given in the man page, [https://man.openbsd.org/unbound.conf ''unbound.conf''(5)], but at a high level it contains several sections:

* A <code>server:</code> section allows us to set settings for the server itself.
* A <code>remote-control:</code> section lets setup access for a control client.
* An arbitrary number of optional zone-specific sections that allow us to configure options for those zones. This gives us the ability to forward to specific authoritative servers for a zone and so on.

Here's an example of what a configuration file might look like:

<nowiki>server:
interface: 0.0.0.0
interface: ::0

access-control: 0.0.0.0/0 refuse
access-control: ::0/0 refuse

access-control: 127.0.0.0/8 allow
access-control: ::1 allow

access-control: 44.0.0.0/9 allow
access-control: 44.128.0.0/10 allow

hide-identity: yes
hide-version: yes

# Perform DNSSEC validation.
auto-trust-anchor-file: "/var/unbound/db/root.key"
val-log-level: 2

# Synthesize NXDOMAINs from DNSSEC NSEC chains.
# https://tools.ietf.org/html/rfc8198
#
aggressive-nsec: yes

# Use TCP for "forward-zone" requests. Useful if you are making
# DNS requests over an SSH port forwarding.
#tcp-upstream: yes

# CA Certificates used for forward-tls-upstream (RFC7858) hostname
# verification. Since it's outside the chroot it is only loaded at
# startup and thus cannot be changed via a reload.
#tls-cert-bundle: "/etc/ssl/cert.pem"

remote-control:
control-enable: yes
control-interface: /var/run/unbound.sock

stub-zone:
name: "ampr.org."
stub-addr: 44.1.1.44
stub-host: ns2.us.ardc.org
stub-host: ns.ardc.org
stub-host: ns1.de.ardc.org
stub-host: a.gw4.uk

stub-zone:
name: "44.in-addr.arpa."
stub-addr: 44.1.1.44
stub-host: ns2.us.ardc.org
stub-host: ns.ardc.org
stub-host: ns1.de.ardc.org
stub-host: a.gw4.uk
stub-first: yes

stub-zone:
name: "128.44.in-addr.arpa."
stub-addr: 44.1.1.44
stub-host: ns2.us.ardc.org
stub-host: ns.ardc.org
stub-host: ns1.de.ardc.org
stub-host: a.gw4.uk
stub-first: yes
</nowiki>

This configuration sets some non-default options in the <code>server:</code> section, such as what interface to listen on for incoming connections, and options for what machines are allowed to send us queries. Here, we listen on all addresses on all interfaces for both IPv4 and IPv6 and we allow any AMPRNet host to send us queries.

The <code>remote-control:</code> section enables and configures a Unix domain socket that allows us to control the unbound daemon with the client control program, <code>unbound-control</code>; this way, we can ask it for performance and usage statistics, force it to flush its cache, etc, without stopping and restarting it.

The most interesting parts are the <code>stub-zone:</code> sections. These allow us to tell unbound about servers that are authoritative for particular zones, bypassing querying through the root for domains under those zones. In the three sections given here, we tell it to query the ARDC-administered non-recursive authoritative servers for the ''ampr.org'', ''44.in-addr.arpa'' and ''128.44.in-addr.arpa'' zones; that is, for anything related to AMPRNet, we forward directly to the authoritative servers.

Note the <code>stub-first: yes</code> lines for the two reverse domains: some reverse domains are ''delegated'' to other services. This line says to try the ARDC servers first, and if those return an error, to perform the standard query from the root.

Once the server is configured, we can enable it by adding a line to <code>/etc/rc.conf.local</code>:

<nowiki>unbound_flags=""</nowiki>

Now, if we reboot, we will find the unbound daemon running the next time we login. We should be able to direct DNS queries to the local server now, and we can edit the <code>/etc/resolv.conf</code> file to include a reference to our unbound instance. For example, our resolv.conf file might look something like:

<nowiki>lookup file bind
domain your-call.ampr.org
search your-call.ampr.org ampr.org
nameserver 127.0.0.1
</nowiki>

Of course, one likely wants to query one's own callsign based subdomain, not "your-call".

Now, other machines can be configured to connect to your unbound instance. Here is an example from a machine at KZ2X:

<nowiki>lookup file bind
domain kz2x.ampr.org
search kz2x.ampr.org ampr.org
nameserver 44.44.48.29
nameserver 8.8.8.8
nameserver 1.1.1.1
</nowiki>

Note that <code>44.44.48.29</code> is the machine that runs unbound.

Congratulations! You have set up a caching, validating, recursive resolver that can serve DNS to any machine on AMPRNet.

[[Category:Reference]][[Category:How-To Guides]]

DNS/Setup/OpenBSD Resolver - Revision history

KI5QKX: mw push

KI5QKX: mw push

KI5QKX: Moving OpenBSD resolver setup here from DNS/Overview