Recommended improvement for unbound guide


#1

Hey together,
Just a suggestion: would you consider updating the unbound.conf in the guide?

You may use all private IP ranges in the config that may occur and are suggested in the manpage of unbound (which refers to RFC 1918), like:

    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

Also it may be a good idea to use

    logfile: "/etc/unbound/unbound.log"

or another explicit place (i.e. in /var) so as not to flood the syslog.

Just my five cents, and a great thank you for your work.
Tho


#2

Just for clarification of the origin of these addresses: RFC 1918 mentions only those we already include:

3. Private Address Space
The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets:

10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

From the unbound.conf manpage:

That would enable private addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 fd00::/8 and fe80::/10, since the RFC standards say these addresses should not be visible on the public internet.


I agree, we should probably put it in /var/log/unbound/unbound.log or somewhere similar, but /etc/ doesn’t seem suitable. Suggestions are welcome.


#3

I would go with /var/log/unbound.log

But, how much logging is unbound actually doing to the syslog? In my syslog, there are only start/stop entries for unbound at reboots, which don’t happen very often. Yesterday no unbound entries at all.


#4

I concur:

[1535549105] unbound[939:0] info: service stopped (unbound 1.4.22).
[1535549106] unbound[939:0] info: start of service (unbound 1.4.22).
[1535549107] unbound[939:0] info: service stopped (unbound 1.4.22).
[1535549107] unbound[939:0] info: start of service (unbound 1.4.22).
[1535646414] unbound[939:0] info: service stopped (unbound 1.4.22).
[1535646425] unbound[1179:0] info: start of service (unbound 1.4.22).

Note: I have verbosity: 0 in my /etc/unbound/unbound.conf.d/recursive.conf which may affect this.


#5

Unbound configuration file(s):

    use-syslog: <yes or no>
           Sets unbound to send log messages to the syslogd, using syslog(3).
           The log facility LOG_DAEMON is used, with identity "unbound".
           The logfile setting is overridden when use-syslog is turned on.
           The default is to log to syslog.

    logfile: <filename>
           If "" is given, logging goes to stderr, or nowhere once daemonized.
           The logfile is appended to, in the following format:
           [seconds since 1970] unbound[pid:tid]: type: message.
           If this option is given, the use-syslog is option is set to "no".
           The logfile is reopened (for append) when the config file is
           reread, on SIGHUP.

# logfile: "/etc/unbound/unbound.log" #uncomment to use logfile.

I would not suggest logging in /etc/unbound, but in /var/log/.

Source: https://www.nlnetlabs.nl/documentation/unbound/unbound.conf/


#6

From the same source:

    logfile: <filename>
           If "" is given, logging goes to stderr, or nowhere once daemonized.
           The logfile is appended to, in the following format:
           [seconds since 1970] unbound[pid:tid]: type: message.
           If this option is given, the use-syslog is option is set to "no".
           The logfile is reopened (for append) when the config file is
           reread, on SIGHUP.

So I propose to add the following (at the corresponding places):

    logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    private-address: 172.16.0.0/12
    private-address: fd00::/8
    private-address: fe80::/10
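As an added check (not code from the thread or from the Pi-hole guide), the script below parses an unbound.conf, reports which of the ranges the quoted manpage lists are not covered by any private-address entry, and flags the logfile placement discussed in this thread; the sample configuration it embeds is constructed to mirror the guide as the posts describe it.

```python
import ipaddress

# Ranges the unbound.conf manpage quoted in this thread lists as private
# (RFC 1918, IPv4 link-local, IPv6 ULA, IPv6 link-local).
EXPECTED_PRIVATE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                    "169.254.0.0/16", "fd00::/8", "fe80::/10"]

# Constructed sample mirroring the guide as described in the thread:
# three RFC 1918 ranges present, logfile still commented out.
SAMPLE_CONF = """server:
    verbosity: 0
    # logfile: "/etc/unbound/unbound.log" #uncomment to use logfile.
    private-address: 192.168.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
"""

def parse_unbound_conf(text):
    """Collect key: value lines; repeatable keys such as private-address keep every value."""
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and commented-out options
        if not line or line.endswith(":"):        # skip blanks and clause headers like 'server:'
            continue
        key, _, value = line.partition(":")       # first ':' splits key from value (IPv6 safe)
        found.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return found

def missing_private_ranges(conf):
    """Expected ranges not contained in any configured private-address network."""
    have = [ipaddress.ip_network(v, strict=False) for v in conf.get("private-address", [])]
    missing = []
    for cidr in EXPECTED_PRIVATE:
        want = ipaddress.ip_network(cidr)
        if not any(want.version == h.version and want.subnet_of(h) for h in have):
            missing.append(cidr)
    return missing

def logging_findings(conf):
    """Flag the two logging points raised in the thread."""
    findings = []
    logfile = conf.get("logfile", [""])[-1]
    if logfile.startswith("/etc/"):
        findings.append("logfile under /etc; use a path below /var/log instead")
    # Manpage: the logfile setting is overridden when use-syslog is turned on.
    if logfile and conf.get("use-syslog", ["no"])[-1].lower() == "yes":
        findings.append("use-syslog: yes overrides logfile; entries go to syslog")
    return findings
```

Running `missing_private_ranges(parse_unbound_conf(SAMPLE_CONF))` on the sample reports the three ranges post #6 proposes plus 169.254.0.0/16, which post #9 points out is still missing.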

#7

#8

I have verbosity: 1


#9

I used a higher verbosity to watch unbound working. Therefore an explicit logfile is great.

@DL6ER Don’t forget 169.254.0.0/16 in the private IP range. 172.16.0.0/12 is already part of the guide.


#10

Yes, I have seen this. The pull request should be fine.