# How to set config in unbound.conf based on named.conf



## Kamolpat (Jan 31, 2015)

Hi,

How do I set up /etc/unbound/unbound.conf based on this /etc/named.conf?

For the /etc/named.conf below, how do I set a similar config in /etc/unbound/unbound.conf?

```
zone "abc.com" {
  type master;
  file "/etc/namedb/abc.com";
  allow-transfer {202.xxx.xxx.xx0;};
};
```
Because I have tried the following in /etc/unbound/unbound.conf:

```
local-data: "ns1.abc.com A 202.xxx.xxx.xxx"
local-data: "ns1  A 202.xxx.xxx.xxx"
local-data: "ns2  A 202.xxx.xxx.xx1"
local-data: "www  CNAME abc.com"
local-data: "ftp  CNAME abc.com"
local-data-ptr: "202.xxx.xxx.xxx ns1.abc.com"
local-data-ptr: "202.xxx.xxx.xx1 ns2.abc.com"
```
That's always a syntax error.

Also, here is /etc/namedb/abc.com (a zone file). This "abc.com" also acts as name server for the other domain.

```
$TTL 3600
@  IN  SOA  ns1.abc.com. root.abc.com.(
  2015407005; Serial 2015407005 since 2015-01-29 12:49AM
  10800; Refresh
  3600; Retry
  604800; Expire
  3600); Minimum

;DNS Server
abc.com.  IN  NS  ns1.abc.com.

;Machine names
localhost             IN  A  202.xxx.xxx.xxx
ns1                     IN  A  202.xxx.xxx.xxx
mail                     IN  A  202.xxx.xxx.xxx
abc.com.             IN  A  202.xxx.xxx.xxx
mailout.abc.com. IN  A  202.xxx.xxx.xx2


;Aliases
www  IN  CNAME  abc.com.
ftp  IN  CNAME  abc.com.

;MX record
@  IN  MX 10  mail.abc.com.
@  IN  TXT  "v=spf1 a mx"
```

I've looked at https://www.unbound.net/documentation/unbound.conf.html. It seems there's no example on their page. Please help a little bit.

Notes:
1) BIND and Unbound run on different servers. I've tried to set up a new server to run DNS with Unbound, and have no idea how to reconfigure it.
2) IP 202.xxx.xxx.xxx is the main one and is for NS1, 202.xxx.xxx.xx1 is for NS2, and 202.xxx.xxx.xx2 is for SMTP.
3) I'm not sure whether the line "localhost IN A 202.xxx.xxx.xxx" is correct or not, because my intention is just to PTR localhost to IP 202.xxx.xxx.xxx only.

Thanks.


----------



## obsigna (Jan 31, 2015)

Kamolpat said:

> ...
> Cause I have tried following in /etc/unbound/unbound.conf
>
> ```
> ...
> ```


Try prepending the local-data: ... section with `local-zone: "abc.com" transparent`. In addition, read unbound.conf(5) for the format of the local data entries. The CNAME records won't work.


```
local-zone: "abc.com" transparent
local-data: "ns1.abc.com IN A 202.xxx.xxx.xxx"
...
```


----------



## Kamolpat (Jan 31, 2015)

Now I have changed /etc/unbound/unbound.conf to


```
##################### /etc/unbound.conf ##################
server:
  directory: "/etc/unbound"
  username: unbound
  # make sure  unbound can access entropy from inside the chroot.
  # e.g. on linux the  use these commands (on BSD, devfs(8) is used):
  #  mount --bind -n /dev/random /etc/unbound/dev/random
  # and  mount --bind  -n /dev/log /etc/unbound/dev/log
  chroot: "/etc/unbound"
  logfile: "/etc/unbound/unbound.log"  #uncomment to use logfile.
  pidfile: "/etc/unbound/unbound.pid"
  # verbosity: 1  # uncomment and increase to get more logging.
  # listen on  all interfaces, answer queries from the local subnet.
  interface: 0.0.0.0
  interface: ::0
  access-control: 10.0.0.0/8 allow
  access-control: 2001:DB8::/64 allow

  # root key file, automatically updated
  auto-trust-anchor-file: "/etc/unbound/root.key"
################# by kamolpat ##############
local-zone: "abc.com." transparent
# SOA completed with the serial and timers from the zone file above (closing quote was missing)
local-data: "abc.com. 3600 IN SOA ns1.abc.com. root.abc.com. 2015407005 10800 3600 604800 3600"
local-data: "abc.com. 3600 IN NS ns1.abc.com."
local-data: "abc.com. 3600 IN NS ns2.abc.com."
local-data: "ns1  IN A 202.xxx.xxx.xxx"
local-data: "ns2  IN A 202.xxx.xxx.xx1"
local-data: "mail  IN A 202.xxx.xxx.xx1"
local-data: "abc.com.  IN A 202.xxx.xxx.xxx"
local-data-ptr: "202.xxx.xxx.xxx ns1.abc.com."
local-data-ptr: "202.xxx.xxx.xx1 ns2.abc.com."
```

And when I do
`unbound-checkconf /etc/unbound/unbound.conf`

No error, but it's still not working.

Also when I do
`unbound -c /etc/unbound/unbound.conf`

It can be run; no error shows in the /etc/unbound/unbound.log file.

Then I go back to check in /etc/hosts

```
# Host Database
::1  localhost  localhost.abc.com
127.0.0.1  localhost  localhost.abc.com
202.xxx.xxx.xxx  ns1.abc.com  ns1
202.xxx.xxx.xx1  ns2.abc.com  ns2
```

Also in my /etc/resolv.conf

```
search ns1.abc.com
nameserver 202.xxx.xxx.xxx   # <<<<==== as NS1 ip in /etc/hosts (my server IP NS1)
nameserver 202.xxx.xxx.xxx   # <<<<==== as NS2 ip in /etc/hosts (my server IP NS2)
nameserver 202.xxx.xxx.xx8   # <<<<==== as authoritative NS of ISP Provider 1
nameserver 202.xxx.xxx.xx9   # <<<<==== as authoritative NS of ISP Provider 2
```

Unbound is still not working properly. I mean I still can't access "www.abc.com" in my browser, and can't reach www.abc.com on my server. So, where should I check? And how can I test it, with any method? Thanks.


----------



## kpa (Jan 31, 2015)

If you need an authoritative nameserver (such as BIND, but want to use something else), your choice would be dns/nsd instead of dns/unbound. Unbound is really just a caching and validating resolver and not an authoritative nameserver.


----------



## usdmatt (Jan 31, 2015)

I agree with kpa. Unbound is a great resolver and I side with the devs on their decision to replace Bind with it. However, it's not an actual replacement for Bind. FreeBSD only really needs a resolver in base, and Unbound is great for that, possibly better than Bind. It's also much smaller, with Bind basically being the kitchen sink of DNS software. The devs expect people who want full DNS services to install a port (such as Bind or nsd). Not only do they get a smaller, more focused, easier to configure resolver in base, but people who want Bind can get the latest version from ports/pkg (rather than whatever is baked into the release they're installing), and can easily update it independently from the OS.

I'm sure people will come to confirm that Unbound can do everything you need, but if you're used to Bind and trying to do more than just resolving with the odd simple local zone, you're probably better off just installing Bind.


----------



## Kamolpat (Feb 1, 2015)

My intention was not to be an authoritative nameserver. And I already provided the necessary info to get help. Yes, I just prefer to change to Unbound because many have said it's better and more secure, and I prefer to try it out. And I came here, to the forum, to ask how to transform a technical issue, not to ask for your opinion. It's such a shame.


----------



## usdmatt (Feb 1, 2015)

Sorry if I got the wrong end of the stick. You did not mention specifically wanting to change from Bind to Unbound for security, and you are obviously making the server authoritative by adding zone data to it. At first I just assumed that you were one of the many people who appear to think Unbound has replaced Bind, and that it should be used completely in its place.

Back to the Unbound config, according to the man page, a transparent zone should be created automatically (if not already specified) when it encounters a local-data entry, so while the local-zone line is good to have for completeness, it shouldn't technically be required. I'm also not sure whether those local-data lines you have with no domain+dot on the end will work the same as they do in Bind, and the man page doesn't mention it, so you may be best to make every local-data line contain a FQDN. Also what does the following output. (It's the first thing I'd run to test records on a local DNS server. I don't know why people jump straight to trying their clients, which could fail for a multitude of reasons.)


```
drill @localhost any abc.com
```
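As an added example (not code from the thread, nor from the Unbound or FreeBSD projects): a small Python converter that takes a BIND-style zone file like the one posted at the top and emits Unbound local-zone/local-data lines with every owner and target expanded to an FQDN, plus one local-data-ptr line per address for the A records, which is the mechanical rewrite usdmatt recommends. The zone text and the 192.0.2.x addresses are constructed placeholders; the single-quoted form for TXT data is an assumption about unbound.conf quoting, and whether a given record type is honoured by local-data (obsigna's remark about CNAME) is left to the reader's Unbound version. After loading the output, `drill @localhost any abc.com` is the check.

```python
"""Rewrite a BIND zone file as Unbound local-zone / local-data lines.
Added example, not from the thread or the Unbound project. Assumes the simple
layout posted above: $TTL, a parenthesised multi-line SOA, one record per line,
optional owner (a blank owner inherits the previous one), optional TTL and "IN".
"""
import re

# Constructed sample zone; 192.0.2.0/24 is the documentation address block.
SAMPLE_ZONE = """\
$TTL 3600
@  IN  SOA  ns1.abc.com. root.abc.com.(
  2015407005; Serial
  10800; Refresh
  3600; Retry
  604800; Expire
  3600); Minimum

;DNS Server
abc.com.  IN  NS  ns1.abc.com.

;Machine names
ns1        IN  A  192.0.2.10
abc.com.   IN  A  192.0.2.10
mailout.abc.com.  IN  A  192.0.2.12

;Aliases
www  IN  CNAME  abc.com.

@  IN  MX 10  mail.abc.com.
@  IN  TXT  "v=spf1 a mx"
"""

# rdata fields that hold domain names and therefore must be fully qualified
NAME_FIELDS = {"NS": (0,), "CNAME": (0,), "PTR": (0,), "MX": (1,), "SOA": (0, 1)}


def fqdn(name, origin):
    """Expand '@' and relative names against the (dot-terminated) zone origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def _strip_comment(line):
    """Drop a ';' comment, but not a ';' inside a quoted TXT string."""
    out, quoted = [], False
    for ch in line:
        quoted ^= (ch == '"')
        if ch == ";" and not quoted:
            break
        out.append(ch)
    return "".join(out)


def _logical_lines(text):
    """Join parenthesised continuation lines; report whether the owner was blank."""
    buf, depth, blank_owner = [], 0, False
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not buf:
            if not line.strip():
                continue
            blank_owner = raw[:1].isspace()
        buf.append(line)
        depth += line.count("(") - line.count(")")  # parens inside TXT not handled
        if depth <= 0:
            yield blank_owner, " ".join(buf)
            buf, depth = [], 0


def parse_zone(text, origin):
    """Return [(owner_fqdn, ttl, type, [rdata...])] for every record in the zone."""
    origin = origin if origin.endswith(".") else origin + "."
    ttl, last_owner, records = None, origin, []
    for blank_owner, line in _logical_lines(text):
        toks = re.findall(r'"[^"]*"|\S+', line.replace("(", " ").replace(")", " "))
        if toks[0] == "$TTL":
            ttl = int(toks[1])
            continue
        owner = last_owner if blank_owner else fqdn(toks.pop(0), origin)
        last_owner = owner
        rttl = int(toks.pop(0)) if toks[0].isdigit() else ttl
        if toks[0].upper() == "IN":
            toks.pop(0)
        rtype, rdata = toks[0].upper(), toks[1:]
        for i in NAME_FIELDS.get(rtype, ()):
            rdata[i] = fqdn(rdata[i], origin)
        records.append((owner, rttl, rtype, rdata))
    return records


def to_unbound(records, origin):
    """Emit local-zone, local-data and local-data-ptr lines for unbound.conf."""
    origin = origin if origin.endswith(".") else origin + "."
    lines = [f'local-zone: "{origin}" transparent']
    for owner, ttl, rtype, rdata in records:
        rr = f"{owner}{'' if ttl is None else f' {ttl}'} IN {rtype} {' '.join(rdata)}"
        quote = "'" if '"' in rr else '"'  # TXT data carries its own double quotes
        lines.append(f"local-data: {quote}{rr}{quote}")
    seen = set()  # one PTR per address; the first A record for that address wins
    for owner, _, rtype, rdata in records:
        if rtype == "A" and rdata[0] not in seen:
            seen.add(rdata[0])
            lines.append(f'local-data-ptr: "{rdata[0]} {owner}"')
    return lines


if __name__ == "__main__":
    print("\n".join(to_unbound(parse_zone(SAMPLE_ZONE, "abc.com"), "abc.com")))
```

Run it and paste the output under the `server:` section of unbound.conf (indented like the thread's example), then run `unbound-checkconf` before restarting.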


----------



## junovitch@ (Feb 1, 2015)

With what you have so far, you should be able to check with a local query like usdmatt mentioned above.

`drill ns1`
`drill abc.com.`

Here's the deal though: it would be one thing putting a single local-data record in. But putting in SOA, A, and CNAME records certainly is trying to shoehorn Unbound into being an authoritative name server. The simple fact is that Unbound is the recursive component, and NSD, from the same organization with the same security reputation, is the way to go to handle the authoritative piece.

The correct way to do this would be to `pkg install dns/nsd`, configure NSD with your zone (it can use your BIND zone file), and use something like this in your unbound.conf. The assumption is that NSD is configured on the same machine with a different port. If it is on a different machine, then you do not need the do-not-query-localhost directive and can use port 53.

unbound.conf:

```
do-not-query-localhost: no
...
stub-zone:
        name: "abc.com."
        stub-addr: 127.0.0.1@5353
```
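As an added example that is not from the thread or from the NSD/Unbound projects: a Python script that reads the zone stanzas from a named.conf like the one posted at the top and writes the two fragments junovitch describes, an nsd.conf with the zones (allow-transfer becomes provide-xfr, so zone transfers stay restricted to the listed hosts, and masters becomes request-xfr for slave zones) and an unbound.conf stub-zone per zone pointing at NSD on 127.0.0.1@5353 with do-not-query-localhost: no. The named.conf text and the 192.0.2.x addresses are constructed; the NSD listen address and port are parameters, and when NSD is on another host the script omits the do-not-query-localhost line, as the post says.

```python
"""Turn named.conf zone stanzas into nsd.conf zones plus unbound.conf stub-zones.
Added example, not from the thread or the NSD/Unbound projects."""
import re

# Constructed sample modelled on the thread's named.conf (documentation addresses).
SAMPLE_NAMED_CONF = """\
// resolver options are ignored by this script
options {
  directory "/etc/namedb";
};

zone "abc.com" {
  type master;
  file "/etc/namedb/abc.com";
  allow-transfer {192.0.2.20; 192.0.2.21;};
};

zone "example.net" {
  type slave;
  masters { 192.0.2.30; };
  file "/etc/namedb/example.net";
};
"""


def _strip_comments(text):
    """Remove C-style, C++-style and shell-style comments used in named.conf."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def _zone_blocks(text):
    """Yield (name, body) for every `zone "name" { ... };`, matching nested braces."""
    for m in re.finditer(r'zone\s+"([^"]+)"\s*\{', text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]


def _addr_list(body, keyword):
    m = re.search(r"\b" + keyword + r"\s*\{([^}]*)\}", body)
    return [a.strip() for a in m.group(1).split(";") if a.strip()] if m else []


def parse_zones(text):
    """Return one dict per zone: name, type, file, allow_transfer, masters."""
    zones = []
    for name, body in _zone_blocks(_strip_comments(text)):
        ztype = re.search(r"\btype\s+(\w+)\s*;", body)
        zfile = re.search(r'\bfile\s+"([^"]+)"\s*;', body)
        zones.append({
            "name": name,
            "type": ztype.group(1) if ztype else None,
            "file": zfile.group(1) if zfile else None,
            "allow_transfer": _addr_list(body, "allow-transfer"),
            "masters": _addr_list(body, "masters"),
        })
    return zones


def nsd_conf(zones, listen_ip="127.0.0.1", port=5353):
    """nsd.conf lines: NSD serves the authoritative data on a separate port."""
    out = ["server:", f"  ip-address: {listen_ip}", f"  port: {port}", ""]
    for z in zones:
        if z["type"] not in ("master", "slave"):
            continue
        out += ["zone:", f'  name: "{z["name"]}"', f'  zonefile: "{z["file"]}"']
        # provide-xfr is the NSD counterpart of BIND's allow-transfer list
        out += [f"  provide-xfr: {ip} NOKEY" for ip in z["allow_transfer"]]
        out += [f"  request-xfr: {ip} NOKEY" for ip in z["masters"]]
        out.append("")
    return out


def unbound_conf(zones, stub_ip="127.0.0.1", port=5353):
    """unbound.conf lines: forward each zone to NSD through a stub-zone."""
    out = []
    if stub_ip.startswith("127."):  # only needed when NSD shares the host
        out += ["server:", "  do-not-query-localhost: no", ""]
    for z in zones:
        if z["type"] not in ("master", "slave"):
            continue
        out += ["stub-zone:", f'  name: "{z["name"]}."', f"  stub-addr: {stub_ip}@{port}", ""]
    return out


if __name__ == "__main__":
    zones = parse_zones(SAMPLE_NAMED_CONF)
    print("# nsd.conf\n" + "\n".join(nsd_conf(zones)))
    print("# unbound.conf\n" + "\n".join(unbound_conf(zones)))
```

Unbound keeps answering recursive queries for clients in access-control, and only queries for the listed zones are handed to NSD; a public authoritative service would still be NSD itself on port 53 of a reachable address.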


----------



## Kamolpat (Feb 3, 2015)

Thanks for both of your answers. Seems like I should take some relaxed time to study Unbound; it seems so different in many dimensions. Now I have decided to go back to BIND99.


----------

