Hi,
I have built Unbound 1.5.9 as an addon for IPFire. Later this can completely replace dnsmasq on IPFire. I myself have run unbound for over 6 weeks on more than 8 IPFire installations without any problems! (x86 and x64). In this time I optimized the config and the scripts. Now I think it's time to push my work to the mailing list... :)
Addon Description: Unbound is a validating, recursive, and caching DNS resolver. It is designed as a set of modular components that incorporate modern features, such as enhanced security (DNSSEC) validation, Internet Protocol Version 6 (IPv6), and a client resolver library API as an integral part of the architecture.
https://www.unbound.net/ http://www.linuxfromscratch.org/blfs/view/svn/server/unbound.html
Configuration: The main config file is "/etc/unbound/unbound.conf" (default). I created a cleared config file with no descriptions and with all necessary and useful settings. (The original unbound.conf was renamed to unbound_org.conf.) Unbound runs with this config in chroot mode under a separate user ("unbound", created while installing the addon). The config file is prepared for IPv6, but it is disabled with "do-ip6: no". The logfile is located at /etc/unbound/log/. In chroot mode this is the only working location! The logrotate script moves the log daily to /var/log/unbound/. Nice statistics are possible for IPFire's WebIF. Take a look at https://www.unbound.net/documentation/howto_statistics.html. I have written two additional scripts and the init scripts to integrate Unbound into IPFire.
The second daemon is a watcher for the dhcpd lease file. It is only started if the DNS-Update (RFC2136) in the WebIF is enabled. The unbound init script checks the WebIF value and starts the watcher daemon automatically. I need a working solution to start a daemon from the WebIF with nobody rights when clicking "save" in the dhcp server section.
New folders:
/etc/unbound - main config folder
/etc/unbound/blocklists - for block lists, named as "*.conf"
/etc/unbound/log - contains unbound.log
/etc/unbound/zones - for extra zone files, named as "*.conf"; contains local.conf
/var/log/unbound - contains the older logfiles
The /etc/unbound/forward.conf can be edited for extra DNS servers independently of the IPFire setup. More than 2 servers are possible.
Needed scripts:
/usr/sbin/unbound-switch - Switches between dnsmasq and unbound. Creates and removes the autostart links for unbound and dnsmasq and switches the network init script.
/usr/sbin/unbound-zone - Reads the current IPFire network, domain and static hosts config and creates IPFire's DNS zone file (/etc/unbound/zones/local.conf).
/src/initscripts/init.d/unbound - The init script for unbound under IPFire. This script creates the needed interface.conf and dnssec.conf under /etc/unbound/. These values are read from the files /var/ipfire/ethernet/settings and /var/ipfire/red/resolv.conf.
/src/initscripts/init.d/network-unbound - A copy of /src/initscripts/init.d/network with the workarounds for dnsmasq removed. It's not a perfect solution, but I have no better idea to remove the error messages in the boot log.
/src/initscripts/init.d/unbound-dhcpd - The init script for the dhcp watcher daemon written in Python.
/usr/sbin/watcherdhcpd.py - This script and the additional Python files come from the OPNsense firewall distribution. I modified the watcher script to work with universal standard times in IPFire's dhcp lease file (/var/state/dhcp/dhcpd.leases).
Additional Python files under /usr/lib/python2.7/site-packages:
daemonize.py - for daemonizing the Python watcher script
dhcpd.py - needed file for watcherdhcpd.py (reads the lease file)
params.py - needed file for watcherdhcpd.py (processes the Python daemon args)
Special init script options (default settings):
CONTROL_INTERFACE_FILE=1 - enable or disable creation/updating of /etc/unbound/interfaces.conf
CONTROL_ACCESS_FILE=1 - enable or disable creation/updating of /etc/unbound/access.conf
USE_CUSTOM_FORWARDS=0 - enable or disable the use of the custom DNS forwards file /etc/unbound/forward.conf
ENABLE_DNSSEC=1 - enable or disable DNSSEC (deactivates unbound's validator module) /etc/unbound/dnssec.conf
As a goodie, my patch includes a block list for Microsoft (skynet) Windows telemetry hosts to disable phoning home. The /etc/unbound/blocklists/ms-telemetry.conf file can be removed or renamed if not needed.
The second goodie: the /etc/fcron.weekly/update_unbound_anchor script downloads an ad-server block list zone file for unbound from http://pgl.yoyo.org/adservers/#unbound. This is a very nice block list for ads. If not needed, remove the line "curl -sS -L --compressed "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=unbound&showintr..." > /etc/unbound/blocklists/ad-servers.conf" from the file.
I hope this small description is useful for all. Hints and suggestions are welcome.
Greetings, Marcel
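The lease-to-zone step that the dhcpd watcher performs, shown as an added example (my own code, not the OPNsense script or anything shipped with the addon): it parses a constructed dhcpd.leases extract whose timestamps are UTC, keeps only active and unexpired leases, and writes a client-supplied hostname into unbound local-data only if it is a plain DNS label. The domain "localdomain", the fixed reference time and all function names are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample in ISC dhcpd.leases syntax; UTC timestamps as in IPFire's /var/state/dhcp/dhcpd.leases
SAMPLE_LEASES = """\
lease 192.168.1.50 {
  ends 3 2016/07/20 22:00:00;
  binding state active;
  client-hostname "laptop";
}
lease 192.168.1.51 {
  ends 2 2016/07/19 22:00:00;
  binding state free;
  client-hostname "old-box";
}
lease 192.168.1.52 {
  ends never;
  binding state active;
  client-hostname "bad host";
}
"""
SAMPLE_NOW = datetime(2016, 7, 20, 12, 0, tzinfo=timezone.utc)  # constructed "current time"
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
FIELD_RE = re.compile(r"^\s*(ends|binding state|client-hostname)\s+(.*?);\s*$", re.M)
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")  # one DNS label

def lease_active(fields, now):
    if fields.get("binding state") != "active":
        return False
    ends = fields.get("ends", "")
    if ends == "never":
        return True
    # "3 2016/07/20 22:00:00": weekday number, then UTC date and time
    stamp = datetime.strptime(ends.split(" ", 1)[1], "%Y/%m/%d %H:%M:%S")
    return stamp.replace(tzinfo=timezone.utc) > now

def unbound_local_data(text, domain, now):
    leases = {}  # later records for one IP override earlier ones (dhcpd appends)
    for ip, body in LEASE_RE.findall(text):
        leases[ip] = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
    lines = []
    for ip, fields in sorted(leases.items()):
        name = fields.get("client-hostname", "")
        # client-hostname is chosen by the DHCP client: accept only a plain label so it cannot inject unbound directives
        if not lease_active(fields, now) or not LABEL_RE.match(name):
            continue
        fqdn = "%s.%s" % (name, domain)
        lines.append('local-data: "%s. IN A %s"' % (fqdn, ip))
        lines.append('local-data-ptr: "%s %s"' % (ip, fqdn))
    return lines
```

The returned lines are what a generated /etc/unbound/zones/*.conf file would contain for the live leases; the expired lease and the lease with an unsafe hostname are dropped.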