@lifeofguenter
Last active August 29, 2015 14:01
unbound debian wheezy post-installation
## unbound.conf -- the init script in this gist expects it at
## /var/unbound/unbound.conf. Single "server:" clause: loopback-only recursive
## resolver, chrooted in /var/unbound, with the DNSSEC validator module loaded.
server:
## STATISTICS
# These only feed an external stats collector (munin); comment-out if you
# don't use one.
verbosity: 0
statistics-interval: 0
statistics-cumulative: no
extended-statistics: yes
## SYSTEM
# num-threads = number of available cpu-cores/threads
num-threads: 1
do-daemonize: yes
# chroot and working directory are the same tree, so every relative file name
# below (root-hints, any trust-anchor file you add) resolves inside the chroot.
# NOTE(review): no "username:" is set, so privilege dropping relies on the
# compiled-in default user -- set it explicitly if you are not sure of it.
# NOTE(review): no "pidfile:" is set either; the init script looks for
# /var/unbound/unbound.pid, which only works if that is unbound's compiled-in
# default -- otherwise add pidfile: "/var/unbound/unbound.pid" so that
# stop/restart/status can find the daemon.
chroot: "/var/unbound"
directory: "/var/unbound"
use-syslog: yes
log-time-ascii: yes
# keep query logging off on a production resolver: it records every name each
# client looks up.
log-queries: no
# Root hints: unbound ships with a built-in copy. If you maintain your own,
# fetch it over an authenticated channel (https://www.internic.net/domain/named.root)
# rather than anonymous FTP, and keep the file inside the chroot.
root-hints: "named.cache"
# do not answer id.server / version.server CHAOS queries
hide-identity: yes
hide-version: yes
# NOTE(review): the validator module is loaded, but this file configures no
# trust anchor (no auto-trust-anchor-file / trust-anchor-file /
# trusted-keys-file), and /etc/default/unbound in this gist leaves
# ROOT_TRUST_ANCHOR_UPDATE=false. With nothing to validate against, DNSSEC
# validation is effectively off, and prefetch-key / harden-dnssec-stripped
# below do nothing useful. To actually validate, point
# auto-trust-anchor-file at a root.key that lives inside the chroot
# (e.g. auto-trust-anchor-file: "root.key" -> /var/unbound/root.key) and is
# writable by the unbound user so RFC 5011 rollovers can be recorded.
module-config: "validator iterator"
## NETWORK
# loopback only. NOTE(review): no access-control: lines are set, so this
# relies on unbound's default ACL (localhost only); add explicit
# access-control entries before ever changing the interface.
interface: 127.0.0.1
port: 53
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes
## PREFETCH
# refresh popular records before their TTL expires; prefetch-key fetches
# DNSKEYs early and only matters once validation is active (see above).
prefetch: yes
prefetch-key: yes
## MEMORY
# set higher values if you have more memory available
rrset-cache-size: 128M
msg-cache-size: 64M
key-cache-size: 32M
neg-cache-size: 32M
## PERFORMANCE
# slab counts: power of 2 close to num-threads
msg-cache-slabs: 2
rrset-cache-slabs: 2
infra-cache-slabs: 2
key-cache-slabs: 2
# NOTE(review): this many outgoing ports needs a matching file-descriptor
# limit (and an unbound build with libevent); see unbound.conf(5).
outgoing-range: 16384
num-queries-per-thread: 8192
# socket buffers this large typically need the kernel maxima
# (net.core.rmem_max / wmem_max) raised via sysctl; unbound warns otherwise.
so-rcvbuf: 4m
so-sndbuf: 4m
## SECURITY -- cache-poisoning hardening
# target-fetch-policy: "3 2 1 0 0"
harden-short-bufsize: yes
harden-large-queries: yes
# only accept glue that is within the bailiwick of the delegating server
harden-glue: yes
# for trust-anchored zones, missing DNSSEC data is bogus rather than insecure
# (only meaningful once a trust anchor is configured)
harden-dnssec-stripped: yes
# harden-below-nxdomain: no
# harden-referral-path: no
# 0x20 query-name case randomisation: extra entropy against reply spoofing
use-caps-for-id: yes
# flush the caches (and log a warning) once this many unwanted replies have
# been seen -- the value suggested in unbound.conf(5)
unwanted-reply-threshold: 10000000
# rrset-roundrobin: no
minimal-responses: yes
# /etc/default/unbound -- sourced by the init script, which normalises the
# two flags (true/1/yes enable; anything else disables).

# Start and stop the daemon from the init script.
UNBOUND_ENABLE="true"

# Run unbound-anchor on every start to refresh the root trust anchor.
# NOTE(review): disabled here, and unbound.conf in this gist configures no
# trust anchor at all -- DNSSEC validation is not active either way. Enable
# this together with an auto-trust-anchor-file entry, not on its own.
ROOT_TRUST_ANCHOR_UPDATE="false"

# Where unbound-anchor writes the root trust anchor.
# NOTE(review): this path is outside the chroot (/var/unbound) configured in
# unbound.conf, so the chrooted daemon could never read it; keep the anchor
# under /var/unbound if you ever reference it from the config.
ROOT_TRUST_ANCHOR_FILE="/var/lib/unbound/root.key"
#!/bin/sh
### BEGIN INIT INFO
# Provides: unbound
# Required-Start: $network $remote_fs $syslog
# Required-Stop: $network $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
### END INIT INFO
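NAME=unbound
DESC="recursive DNS server"
DAEMON=/usr/sbin/unbound
# Must be the pidfile unbound actually writes (its compiled-in default, or the
# "pidfile:" option in unbound.conf): start-stop-daemon matches on it for
# stop/restart/status, and the gist's unbound.conf does not set pidfile:.
PIDFILE="/var/unbound/unbound.pid"
# LSB convention: succeed silently when the package is not installed.
test -x "$DAEMON" || exit 0
test -x "${DAEMON}-checkconf" || exit 0
. /lib/lsb/init-functions
# Built-in defaults; /etc/default/unbound may override any of them
# (including DAEMON_OPTS and UNBOUND_CONF).
UNBOUND_ENABLE=true
UNBOUND_CONF=/var/unbound/unbound.conf
ROOT_TRUST_ANCHOR_UPDATE=false
ROOT_TRUST_ANCHOR_FILE=/var/lib/unbound/root.key
if [ -f "/etc/default/$NAME" ]; then
  . "/etc/default/$NAME"
  # Normalise the flags so they can be run as commands below:
  # true/1/yes -> true, anything else -> false.
  case "x$UNBOUND_ENABLE" in
    xtrue|x1|xyes) UNBOUND_ENABLE=true ;;
    *)             UNBOUND_ENABLE=false ;;
  esac
  case "x$ROOT_TRUST_ANCHOR_UPDATE" in
    xtrue|x1|xyes) ROOT_TRUST_ANCHOR_UPDATE=true ;;
    *)             ROOT_TRUST_ANCHOR_UPDATE=false ;;
  esac
fi
# Hand the configured file to the daemon explicitly. UNBOUND_CONF is not the
# compiled-in default (on Debian that is /etc/unbound/unbound.conf), so without
# "-c" unbound would read a different config than the one this script parses
# the chroot from. An explicit DAEMON_OPTS in /etc/default still wins.
if [ -z "$DAEMON_OPTS" ]; then
  DAEMON_OPTS="-c $UNBOUND_CONF"
fi
# Derived after the defaults file so an overridden UNBOUND_CONF is honoured.
UNBOUND_BASE_DIR=$(dirname "$UNBOUND_CONF")
# Chroot directory from the "chroot:" option; empty when unset or set to "".
CHROOT_DIR=
if [ -r "$UNBOUND_CONF" ]; then
  CHROOT_DIR=$(awk '$1 ~ "^chroot" && $2 != "\"\"" { print $2 }' "$UNBOUND_CONF" | sed -e 's#"##g')
fi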
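#######################################
# Copy the directory holding unbound.conf into the chroot, at the same path,
# so the daemon can still read its files after it chroots. Does nothing when
# no chroot is configured or when the chroot already is that directory (the
# gist's layout: both are /var/unbound).
# Globals:  CHROOT_DIR, UNBOUND_BASE_DIR (read)
# Returns:  0 when there is nothing to do or the copy succeeded, otherwise
#           the extracting tar's status (callers may refuse to start on it).
# NOTE(review): runs as root and extracts into CHROOT_DIR; keep that
# directory root-owned and not writable by the unbound user, otherwise a
# symlink planted there could redirect the extraction.
#######################################
do_chroot_setup() {
  [ -d "$CHROOT_DIR" ] || return 0
  [ "$CHROOT_DIR" != "$UNBOUND_BASE_DIR" ] || return 0
  # archive relative to / so the tree lands at the identical path inside the
  # chroot; subshells keep the caller's working directory untouched
  ( cd / && tar -cf - "${UNBOUND_BASE_DIR#/}" ) \
    | ( cd "$CHROOT_DIR" && tar --overwrite -xf - )
}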
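#######################################
# Validate the config before (re)starting or reloading. unbound-checkconf is
# required to exist above but was never run; a chrooted daemon that rejects
# its config dies only after start-stop-daemon has reported success.
# Globals:  DAEMON, UNBOUND_CONF, NAME (read)
# Returns:  0 if the checker accepts UNBOUND_CONF, 1 otherwise (checker
#           output goes to syslog plus an LSB failure line).
#######################################
check_config() {
  _ccout=$("${DAEMON}-checkconf" "$UNBOUND_CONF" 2>&1) && return 0
  printf '%s\n' "$_ccout" | logger -p daemon.err -t unbound-checkconf
  log_failure_msg "$UNBOUND_CONF rejected by unbound-checkconf, not starting $NAME"
  return 1
}

#######################################
# Refresh the root trust anchor with unbound-anchor and hand the file to the
# daemon user so RFC 5011 updates can be written. Best effort: it needs
# outbound HTTPS at boot and only logs on failure. The file must also be
# reachable from inside the chroot for the daemon to use it.
# Globals:  ROOT_TRUST_ANCHOR_FILE (read)
#######################################
update_trust_anchor() {
  unbound-anchor -a "$ROOT_TRUST_ANCHOR_FILE" -v 2>&1 | logger -p daemon.info -t unbound-anchor
  [ -e "$ROOT_TRUST_ANCHOR_FILE" ] && chown unbound:unbound "$ROOT_TRUST_ANCHOR_FILE"
}

#######################################
# Start the daemon via start-stop-daemon. $DAEMON_OPTS is deliberately left
# unquoted so /etc/default/unbound can pass several options.
# Returns:  start-stop-daemon's status.
#######################################
start_daemon_proc() {
  start-stop-daemon --start --quiet --oknodo --pidfile "$PIDFILE" \
    --name "$NAME" --startas "$DAEMON" -- $DAEMON_OPTS
}

# Failures exit 1 (LSB), instead of always reporting success.
case "$1" in
  start)
    if $UNBOUND_ENABLE; then
      log_daemon_msg "Starting $DESC" "$NAME"
      if ! check_config; then
        log_end_msg 1
        exit 1
      fi
      # the chroot must hold the config before the daemon reads it
      if ! do_chroot_setup; then
        log_failure_msg "could not populate chroot $CHROOT_DIR"
        log_end_msg 1
        exit 1
      fi
      if $ROOT_TRUST_ANCHOR_UPDATE; then
        update_trust_anchor
      fi
      if start_daemon_proc; then
        log_end_msg 0
      else
        log_end_msg 1
        exit 1
      fi
    else
      log_warning_msg "Not starting $DESC $NAME, disabled via /etc/default/$NAME"
    fi
    ;;
  stop)
    if $UNBOUND_ENABLE; then
      log_daemon_msg "Stopping $DESC" "$NAME"
      if start-stop-daemon --stop --quiet --oknodo --pidfile "$PIDFILE" --name "$NAME"; then
        log_end_msg 0
      else
        log_end_msg 1
        exit 1
      fi
    fi
    ;;
  restart|force-reload)
    if $UNBOUND_ENABLE; then
      log_daemon_msg "Restarting $DESC" "$NAME"
      # reject a broken config before taking the known-good daemon down
      if ! check_config; then
        log_end_msg 1
        exit 1
      fi
      start-stop-daemon --stop --quiet --pidfile "$PIDFILE" --name "$NAME" --retry 5
      # refresh the chroot copy BEFORE starting; doing it afterwards makes the
      # new daemon read the previous config
      if ! do_chroot_setup; then
        log_failure_msg "could not populate chroot $CHROOT_DIR"
        log_end_msg 1
        exit 1
      fi
      if start_daemon_proc; then
        log_end_msg 0
      else
        log_end_msg 1
        exit 1
      fi
    fi
    ;;
  reload)
    if $UNBOUND_ENABLE; then
      log_daemon_msg "Reloading $DESC" "$NAME"
      # check and copy first: SIGHUP makes unbound re-read its config at once
      if check_config && do_chroot_setup \
         && start-stop-daemon --stop --pidfile "$PIDFILE" --signal 1; then
        log_end_msg 0
      else
        log_end_msg 1
        exit 1
      fi
    fi
    ;;
  status)
    status_of_proc -p "$PIDFILE" "$DAEMON" "$NAME" && exit 0 || exit $?
    ;;
  *)
    N=/etc/init.d/$NAME
    echo "Usage: $N {start|stop|restart|status|reload|force-reload}" >&2
    exit 1
    ;;
esac
exit 0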