lifeofguenter · August 29, 2015 14:01
diff --git a/unbound.conf b/unbound.conf
 server:

 	## STATISTICS
 	# comment-out if you don't use munin
 	verbosity: 0
 	statistics-interval: 0
 	statistics-cumulative: no
 	extended-statistics: yes


 	## SYSTEM
 	# num-threads = number of available cpu-cores/threads
 	num-threads: 1
 	do-daemonize: yes
 	chroot: "/var/unbound"
 	directory: "/var/unbound"
 	use-syslog: yes 
 	log-time-ascii: yes
 	log-queries: no
 	# get one from ftp://FTP.INTERNIC.NET/domain/named.cache
 	root-hints: "named.cache"
 	hide-identity: yes
 	hide-version: yes
 	module-config: "validator iterator"


 	## NETWORK
 	interface: 127.0.0.1
 	port: 53

 	do-ip4: yes
 	do-ip6: no
 	do-udp: yes
 	do-tcp: yes


 	## GOOGLE DNS PREFETCH
 	prefetch: yes
 	prefetch-key: yes


 	## MEMORY
 	# set higher values if you have more memory available
 	rrset-cache-size: 128M
 	msg-cache-size: 64M
 	key-cache-size: 32M
 	neg-cache-size: 32M


 	## PERFORMANCE
 	# power of 2 close to num-threads
 	msg-cache-slabs: 2
 	rrset-cache-slabs: 2
 	infra-cache-slabs: 2
 	key-cache-slabs: 2
 	outgoing-range: 16384
 	num-queries-per-thread: 8192
 	so-rcvbuf: 4m
 	so-sndbuf: 4m


 	## SECURITY
 	# target-fetch-policy: "3 2 1 0 0"
 	harden-short-bufsize: yes
 	harden-large-queries: yes
 	harden-glue: yes
 	harden-dnssec-stripped: yes
 	# harden-below-nxdomain: no
 	# harden-referral-path: no
 	use-caps-for-id: yes
 	unwanted-reply-threshold: 10000000
 	# rrset-roundrobin: no
 	minimal-responses: yes
diff --git a/unbound.default b/unbound.default
 # If set, the unbound daemon will be started and stopped by the init script.
 UNBOUND_ENABLE=true

 # Whether to automatically update the root trust anchor file.
 ROOT_TRUST_ANCHOR_UPDATE=false

 # File in which to store the root trust anchor.
 ROOT_TRUST_ANCHOR_FILE=/var/lib/unbound/root.key
diff --git a/unbound.init b/unbound.init
 #!/bin/sh

 ### BEGIN INIT INFO
 # Provides:          unbound
 # Required-Start:    $network $remote_fs $syslog
 # Required-Stop:     $network $remote_fs $syslog
 # Default-Start:     2 3 4 5
 # Default-Stop:      0 1 6
 ### END INIT INFO

 NAME=unbound
 DESC="recursive DNS server"
 DAEMON=/usr/sbin/unbound
 PIDFILE="/var/unbound/unbound.pid"

 test -x $DAEMON || exit 0
 test -x ${DAEMON}-checkconf || exit 0

 . /lib/lsb/init-functions

 UNBOUND_ENABLE=true
 UNBOUND_CONF=/var/unbound/unbound.conf
 UNBOUND_BASE_DIR=$(dirname $UNBOUND_CONF)
 CHROOT_DIR=$(awk '{if ($1 ~ "^chroot" && $2 != "\"\"") print $2}' $UNBOUND_CONF|sed -e "s#\"##g")
 ROOT_TRUST_ANCHOR_UPDATE=false
 ROOT_TRUST_ANCHOR_FILE=/var/lib/unbound/root.key

 if [ -f /etc/default/$NAME ]; then
    . /etc/default/$NAME
    case "x$UNBOUND_ENABLE" in
        xtrue|x1|xyes)
            UNBOUND_ENABLE=true
            ;;
        *)
            UNBOUND_ENABLE=false
            ;;
    esac
    case "x$ROOT_TRUST_ANCHOR_UPDATE" in
        xtrue|x1|xyes)
            ROOT_TRUST_ANCHOR_UPDATE=true
            ;;
        *)
            ROOT_TRUST_ANCHOR_UPDATE=false
            ;;
    esac
 fi

 do_chroot_setup() {
    if [ -d "$CHROOT_DIR" -a "$CHROOT_DIR" != "$UNBOUND_BASE_DIR" ]; then
        cd /
        tar --overwrite -cf - $(echo $UNBOUND_BASE_DIR | sed 's#^/##') | (cd $CHROOT_DIR && tar -xf -)
    fi
 }

 case "$1" in
    start)
        if $UNBOUND_ENABLE; then
            do_chroot_setup
            if $ROOT_TRUST_ANCHOR_UPDATE; then
                unbound-anchor -a $ROOT_TRUST_ANCHOR_FILE -v 2>&1 | logger -p daemon.info -t unbound-anchor
                chown unbound:unbound $ROOT_TRUST_ANCHOR_FILE
            fi
            log_daemon_msg "Starting $DESC" "$NAME"
            if start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --name $NAME --startas $DAEMON -- $DAEMON_OPTS; then
                log_end_msg 0
            else
                log_end_msg 1
            fi
        else
            log_warning_msg "Not starting $DESC $NAME, disabled via /etc/default/$NAME"
        fi
        ;;

    stop)
        if $UNBOUND_ENABLE; then
            log_daemon_msg "Stopping $DESC" "$NAME"
            if start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE --name $NAME; then
                log_end_msg 0
            else
                log_end_msg 1
            fi
        fi
        ;;

    restart|force-reload)
        if $UNBOUND_ENABLE; then
            log_daemon_msg "Restarting $DESC" "$NAME"
            start-stop-daemon --stop --quiet --pidfile $PIDFILE --name $NAME --retry 5
            if start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --name $NAME --startas $DAEMON -- $DAEMON_OPTS; then
                do_chroot_setup
                log_end_msg 0
            else
                log_end_msg 1
            fi
        fi
        ;;

    reload)
        if $UNBOUND_ENABLE; then
            log_daemon_msg "Reloading $DESC" "$NAME"
            if start-stop-daemon --stop --pidfile $PIDFILE --signal 1; then
                do_chroot_setup
                log_end_msg 0
            else
                log_end_msg 1
            fi
        fi
        ;;

    status)
        status_of_proc -p $PIDFILE $DAEMON $NAME && exit 0 || exit $?
        ;;

    *)
        N=/etc/init.d/$NAME
        echo "Usage: $N {start|stop|restart|status|reload|force-reload}" >&2
        exit 1
        ;;
 esac

 exit 0;
	server:

	## STATISTICS
	# comment-out if you don't use munin
	verbosity: 0
	statistics-interval: 0
	statistics-cumulative: no
	extended-statistics: yes


	## SYSTEM
	# num-threads = number of available cpu-cores/threads
	num-threads: 1
	do-daemonize: yes
	chroot: "/var/unbound"
	directory: "/var/unbound"
	use-syslog: yes
	log-time-ascii: yes
	log-queries: no
	# get one from ftp://FTP.INTERNIC.NET/domain/named.cache
	root-hints: "named.cache"
	hide-identity: yes
	hide-version: yes
	module-config: "validator iterator"


	## NETWORK
	interface: 127.0.0.1
	port: 53

	do-ip4: yes
	do-ip6: no
	do-udp: yes
	do-tcp: yes


	## GOOGLE DNS PREFETCH
	prefetch: yes
	prefetch-key: yes


	## MEMORY
	# set higher values if you have more memory available
	rrset-cache-size: 128M
	msg-cache-size: 64M
	key-cache-size: 32M
	neg-cache-size: 32M


	## PERFORMANCE
	# power of 2 close to num-threads
	msg-cache-slabs: 2
	rrset-cache-slabs: 2
	infra-cache-slabs: 2
	key-cache-slabs: 2
	outgoing-range: 16384
	num-queries-per-thread: 8192
	so-rcvbuf: 4m
	so-sndbuf: 4m


	## SECURITY
	# target-fetch-policy: "3 2 1 0 0"
	harden-short-bufsize: yes
	harden-large-queries: yes
	harden-glue: yes
	harden-dnssec-stripped: yes
	# harden-below-nxdomain: no
	# harden-referral-path: no
	use-caps-for-id: yes
	unwanted-reply-threshold: 10000000
	# rrset-roundrobin: no
	minimal-responses: yes
	# If set, the unbound daemon will be started and stopped by the init script.
	UNBOUND_ENABLE=true

	# Whether to automatically update the root trust anchor file.
	ROOT_TRUST_ANCHOR_UPDATE=false

	# File in which to store the root trust anchor.
	ROOT_TRUST_ANCHOR_FILE=/var/lib/unbound/root.key
	#!/bin/sh

	### BEGIN INIT INFO
	# Provides: unbound
	# Required-Start: $network $remote_fs $syslog
	# Required-Stop: $network $remote_fs $syslog
	# Default-Start: 2 3 4 5
	# Default-Stop: 0 1 6
	### END INIT INFO

	NAME=unbound
	DESC="recursive DNS server"
	DAEMON=/usr/sbin/unbound
	PIDFILE="/var/unbound/unbound.pid"

	test -x $DAEMON \|\| exit 0
	test -x ${DAEMON}-checkconf \|\| exit 0

	. /lib/lsb/init-functions

	UNBOUND_ENABLE=true
	UNBOUND_CONF=/var/unbound/unbound.conf
	UNBOUND_BASE_DIR=$(dirname $UNBOUND_CONF)
	CHROOT_DIR=$(awk '{if ($1 ~ "^chroot" && $2 != "\"\"") print $2}' $UNBOUND_CONF\|sed -e "s#\"##g")
	ROOT_TRUST_ANCHOR_UPDATE=false
	ROOT_TRUST_ANCHOR_FILE=/var/lib/unbound/root.key

	if [ -f /etc/default/$NAME ]; then
	. /etc/default/$NAME
	case "x$UNBOUND_ENABLE" in
	xtrue\|x1\|xyes)
	UNBOUND_ENABLE=true
	;;
	*)
	UNBOUND_ENABLE=false
	;;
	esac
	case "x$ROOT_TRUST_ANCHOR_UPDATE" in
	xtrue\|x1\|xyes)
	ROOT_TRUST_ANCHOR_UPDATE=true
	;;
	*)
	ROOT_TRUST_ANCHOR_UPDATE=false
	;;
	esac
	fi

	do_chroot_setup() {
	if [ -d "$CHROOT_DIR" -a "$CHROOT_DIR" != "$UNBOUND_BASE_DIR" ]; then
	cd /
	tar --overwrite -cf - $(echo $UNBOUND_BASE_DIR \| sed 's#^/##') \| (cd $CHROOT_DIR && tar -xf -)
	fi
	}

	case "$1" in
	start)
	if $UNBOUND_ENABLE; then
	do_chroot_setup
	if $ROOT_TRUST_ANCHOR_UPDATE; then
	unbound-anchor -a $ROOT_TRUST_ANCHOR_FILE -v 2>&1 \| logger -p daemon.info -t unbound-anchor
	chown unbound:unbound $ROOT_TRUST_ANCHOR_FILE
	fi
	log_daemon_msg "Starting $DESC" "$NAME"
	if start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --name $NAME --startas $DAEMON -- $DAEMON_OPTS; then
	log_end_msg 0
	else
	log_end_msg 1
	fi
	else
	log_warning_msg "Not starting $DESC $NAME, disabled via /etc/default/$NAME"
	fi
	;;

	stop)
	if $UNBOUND_ENABLE; then
	log_daemon_msg "Stopping $DESC" "$NAME"
	if start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE --name $NAME; then
	log_end_msg 0
	else
	log_end_msg 1
	fi
	fi
	;;

	restart\|force-reload)
	if $UNBOUND_ENABLE; then
	log_daemon_msg "Restarting $DESC" "$NAME"
	start-stop-daemon --stop --quiet --pidfile $PIDFILE --name $NAME --retry 5
	if start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --name $NAME --startas $DAEMON -- $DAEMON_OPTS; then
	do_chroot_setup
	log_end_msg 0
	else
	log_end_msg 1
	fi
	fi
	;;

	reload)
	if $UNBOUND_ENABLE; then
	log_daemon_msg "Reloading $DESC" "$NAME"
	if start-stop-daemon --stop --pidfile $PIDFILE --signal 1; then
	do_chroot_setup
	log_end_msg 0
	else
	log_end_msg 1
	fi
	fi
	;;

	status)
	status_of_proc -p $PIDFILE $DAEMON $NAME && exit 0 \|\| exit $?
	;;

	*)
	N=/etc/init.d/$NAME
	echo "Usage: $N {start\|stop\|restart\|status\|reload\|force-reload}" >&2
	exit 1
	;;
	esac

	exit 0;