I’ve enabled an OpenBSD unbound(8) daemon that is used as a central DNS cache resolver. Now I needed to know what it was doing and how it performed. The question was answered grabbing statistics from unbound and render them using Grafana.
The whole monitoring stack is composed of Net-SNMP, Telegraf and InfluxDB for the metrics part ; and syslogd(8), Logstash and Elasticsearch for the logs part. Of course, most of those run on OpenBSD (6.3) ; except Telegraf, which is not available (yet).
Continue reading “Monitoring unbound(8) using Net-SNMP, Telegraf, InfluxDB and Elasticsearch”
By default, a DHCP client gets an IP address, a network gateway and a DNS server. That’s fine most of the time. But if you own an OpenBSD cloud instance that has to use DHCP to get online, you might not be satisfied with the domain-name-servers option provided by your DHCP server. Hopefully, OpenBSD provides an easy way to force your DNS:
# vi /etc/dhclient.conf
prepend domain-name-servers 127.0.0.1;
Since then, OpenBSD will use our DNS resolver. Which is… unbound(8)
# rcctl enable unbound
# rcctl start unbound
Note that this configuration allows to use the DNS server provided by the DHCP server as a fallback.
I started replacing Bind with nsd/unbound on previous OpenBSD release. Now it’s time to update to OpenBSD 5.7 and ensure it still works.
Continue reading “Running nsd and unbound on OpenBSD 5.7”
I wrote about running unbound and nsd on OpenBSD 5.6 here.
The other day, the VM that runs those went to DDB. On reboot, I got the following error message :
unbound: [16897:0] error: ldns error while converting string to RR at15: Syntax error, could not parse the RR's type: spamd: \\[priv\\]
unbound: [16897:0] error: failed to load trust anchor from /db/root.key at line 1, skipping
unbound: [16897:0] error: failed to read /db/root.key
unbound: [16897:0] error: error reading auto-trust-anchor-file: /var/unbound/db/root.key
This means “root.key” went broken. To rebuild it, simple run those:
sudo -u _unbound unbound-anchor -a /var/unbound/db/root.key
Et voilà, solved!
I’ve been using Bind as a primary, slave or cache name server for all my IT life. But it seems Bind is being kicked out of OpenBSD. So far so good, I’m gonna use what’s provided by my favorite OS to do the job.
Here’s how to use nsd and unbound daemons to serve as an internal authoritative DNS nameserver and DNS resolver. Both will be running on the same machine.
Continue reading “From Bind to nsd and unbound on OpenBSD 5.6”