Monitoring unbound(8) using Net-SNMP, Telegraf, InfluxDB and Elasticsearch

I’ve enabled an OpenBSD unbound(8) daemon that is used as a central DNS cache resolver. Now I needed to know what it was doing and how it performed. The question was answered grabbing statistics from unbound and render them using Grafana.

The whole monitoring stack is composed of Net-SNMP, Telegraf and InfluxDB for the metrics part ; and syslogd(8), Logstash and Elasticsearch for the logs part. Of course, most of those run on OpenBSD (6.3) ; except Telegraf, which is not available (yet).

Continue reading “Monitoring unbound(8) using Net-SNMP, Telegraf, InfluxDB and Elasticsearch”

Force OpenBSD to use unbound(8) DNS resolver in DHCP client mode

By default, a DHCP client gets an IP address, a network gateway and a DNS server. That’s fine most of the time. But if you own an OpenBSD cloud instance that has to use DHCP to get online, you might not be satisfied with the domain-name-servers option provided by your DHCP server. Hopefully, OpenBSD provides an easy way to force your DNS:

# vi /etc/dhclient.conf
prepend domain-name-servers;

Since then, OpenBSD will use our DNS resolver. Which is… unbound(8)

# rcctl enable unbound
# rcctl start unbound

Note that this configuration allows to use the DNS server provided by the DHCP server as a fallback.

Solve unbound error about root.key

I wrote about running unbound and nsd on OpenBSD 5.6 here.
The other day, the VM that runs those went to DDB. On reboot, I got the following error message :
unbound: [16897:0] error: ldns error while converting string to RR at15: Syntax error, could not parse the RR's type: spamd: \\[priv\\]
unbound: [16897:0] error: failed to load trust anchor from /db/root.key at line 1, skipping
unbound: [16897:0] error: failed to read /db/root.key
unbound: [16897:0] error: error reading auto-trust-anchor-file: /var/unbound/db/root.key

This means “root.key” went broken. To rebuild it, simple run those:
rm /var/unbound/db/root.key
sudo -u _unbound unbound-anchor -a /var/unbound/db/root.key

Et voilà, solved!