sudo apt update
sudo apt install unbound
Once Unbound is installed, run the systemctl commands below to verify that the Unbound service is enabled and running.
sudo systemctl is-enabled unbound
sudo systemctl status unbound
sudo nano /etc/unbound/unbound.conf
Copy the following text into the file, editing the IP address to match your server.
# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"

# Adding DNS-over-TLS support
server:
    use-syslog: yes
    username: "unbound"
    directory: "/etc/unbound"
    # CA bundle used to verify the upstream DNS-over-TLS certificates
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    do-ip6: no
    # Replace with this server's own IP address
    interface: 100.100.100.37
    port: 53
    prefetch: yes
    root-hints: /usr/share/dns/root.hints
    harden-dnssec-stripped: yes
    cache-max-ttl: 14400
    cache-min-ttl: 1200
    aggressive-nsec: yes
    hide-identity: yes
    hide-version: yes
    use-caps-for-id: yes
    # Control which clients are allowed to make (recursive) queries.
    # Add your clients' subnet if it is outside these ranges.
    access-control: 10.0.0.0/8 allow
    access-control: 192.168.0.0/16 allow
    access-control: 172.16.0.0/12 allow
    # Local zone
    local-zone: "sohag.lan." static
    local-data: "ns.sohag.lan. IN A 100.100.100.37"
    local-data-ptr: "100.100.100.37 ns.sohag.lan"
    num-threads: 4
    msg-cache-slabs: 8
    rrset-cache-slabs: 8
    infra-cache-slabs: 8
    key-cache-slabs: 8
    rrset-cache-size: 256m
    msg-cache-size: 128m
    so-rcvbuf: 8m

forward-zone:
    name: "."
    forward-ssl-upstream: yes
    # The name after '#' is checked against the upstream's TLS certificate;
    # without it, any certificate name is accepted.
    # Quad9 over TLS
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    # Google
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 8.8.4.4@853#dns.google
sudo systemctl restart unbound
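Unbound checks an upstream's TLS certificate name only when the forward-addr entry carries a '#name' suffix and tls-cert-bundle is set. The following check is an added example, not part of the original tutorial: it parses unbound.conf text and reports TLS forwarders that lack either one. The sample config, the 192.0.2.53 address and the function names are constructed for illustration.

```python
import re

# Constructed sample (not the page's file): one upstream with an auth name, one without.
SAMPLE = """\
server:
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
forward-zone:
    name: "."
    forward-ssl-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 192.0.2.53@853   # constructed address, no auth name
"""
TLS_KEYS = ("forward-tls-upstream", "forward-ssl-upstream")  # current name, older alias

def parse(text):
    """Return (server_options, forward_zones); assumes one option per line."""
    server, zones, clause = {}, [], None
    for raw in text.splitlines():
        # '#' is a comment only at line start or after whitespace, not inside addr@port#name.
        line = re.split(r"(?:^|\s)#", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        key, _, value = (part.strip() for part in line.partition(":"))
        if not value:  # clause header such as "server:" or "forward-zone:"
            clause = key
            if clause == "forward-zone":
                zones.append({"addrs": []})
        elif clause == "server":
            server[key] = value.strip('"')
        elif clause == "forward-zone" and key == "forward-addr":
            zones[-1]["addrs"].append(value)
        elif clause == "forward-zone":
            zones[-1][key] = value.strip('"')
    return server, zones

def audit(text):
    """Return (zone, subject, problem) tuples for TLS forwarders that are not authenticated."""
    server, zones = parse(text)
    findings = []
    for zone in zones:
        if not any(zone.get(k) == "yes" for k in TLS_KEYS):
            continue  # plain-DNS forwarders are not checked here
        if not server.get("tls-cert-bundle"):
            findings.append((zone.get("name"), "tls-cert-bundle", "missing"))
        findings += [(zone.get("name"), addr, "no-auth-name")
                     for addr in zone["addrs"] if "#" not in addr]
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

To check the live file, pass the contents of /etc/unbound/unbound.conf to audit(); files pulled in through include-toplevel are not followed.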
Create a new Rsyslog config file '/etc/rsyslog.d/unbound.conf' using the nano command below.
sudo nano /etc/rsyslog.d/unbound.conf
Add the following lines to the file. With this, Unbound logs will be stored at '/var/log/unbound.log'.
# Log messages generated by unbound application
if $programname == 'unbound' then /var/log/unbound.log
# stop processing it further
& stop
Save the file and exit the editor when finished.
Now run the systemctl command below to restart the 'rsyslog' service and apply the changes.
sudo systemctl restart rsyslog
Next, you will set up log rotation for the Unbound log file '/var/log/unbound.log' via the logrotate service.
Create a new logrotate config file '/etc/logrotate.d/unbound' using the nano command below.
sudo nano /etc/logrotate.d/unbound
Add the following lines to the file. This rotates the Unbound log file '/var/log/unbound.log' on a daily basis.
/var/log/unbound.log {
    daily
    rotate 7
    missingok
    create 0640 root adm
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate
    endscript
}
Save the file and exit the editor when finished.
Now run the systemctl command below to restart the logrotate service and apply the changes.
sudo systemctl restart logrotate
With this, you have successfully installed and configured the Unbound DNS server and set up logging via Rsyslog and Logrotate. Unbound logs will be saved to the file '/var/log/unbound.log'.