Table of content
Setup
$ apt install unbound
unbound-control
With unbound-control you can interact with the cache of unbound, like flushing zones, dump the full cache or even load a full cache.
Setup and preperation for unbound-control
To use unbound-control you have to fist initialise it.
unbound-control requiers an authentication over certificate. To generate local authentication files, you can run the command unbound-control-setup
This will give you an output like that:
$ unbound-control-setup
setup in directory /etc/unbound
Generating RSA private key, 3072 bit long modulus (2 primes)
...........................................++++
.................++++
e is 65537 (0x010001)
Signature ok
subject=CN = unbound-control
Getting CA Private Key
removing artifacts
Setup success. Certificates created. Enable in unbound.conf file to use
Inside of your unbound.conf the control function needs to be enabled now by adding the lines:
remote-control:
control-enable: yes
server-cert-file: "/etc/unbound/unbound_server.pem"
control-key-file: "/etc/unbound/unbound_control.key"
control-cert-file: "/etc/unbound/unbound_control.pem"
if you are only using the controler from localhost, you can also think about adding the parameter controle-use-cert with value no, like this:
remote-control:
control-enable: yes
control-use-cert: no
server-cert-file: "/etc/unbound/unbound_server.pem"
control-key-file: "/etc/unbound/unbound_control.key"
control-cert-file: "/etc/unbound/unbound_control.pem"
Than you dont need to take care about the certificates, but recomended is to is than to have the access-control inside of your server: section limited to localhost
server:
access-control: 127.0.0.0/24 allow
Add data to cache
Using DNS to block ad servers is a pretty common tactic nowadays. Entries can be added to return ‘0.0.0.0’ instead the actual ad server IP - preventing communication with the ad servers:
$ unbound-control local_zone "random-ad-server.com" redirect
$ unbound-control local_data "random-ad-server.com A 0.0.0.0"
Show cache
Unbound will allow you to interrogate it’s cache in multiple ways, one of which is by simply dumping the cache:
$ unbound-control dump_cache
Import cache
You may already have been wondering if Unbound would allow cache data to be imported: Yes, it does.
Simply dump the cache to a file:
$ unbound-control dump_cache > unbound.dump
Then, import the dump:
$ cat unbound.dump | unbound-control load_cache
Flush cache
Flush all data for zone
Suppose you wanted to clear all cache data for google.com. The following command will clear everything related to google.com from the cache:
$ unbound-control flush_zone google.com
This command has the potential to be slow especially for a zone like google.com. Chances are, there are many entries for google.com in your cache and Unbound needs to go looking for every one of them in the cache.
You may want to drill or dig for multiple record types related to google.com before running this command. You should notice that the TTLs start decrementing before running the command. After running the command, you should notice that the TTLs jump back up.
Flush partial zone data
Maybe you only want to clear instances of ‘www’ from the google.com zone in the cache and not others such as ‘maps’ or ‘mail’. The following will delete A, AAAA, NS, SOA, CNAME, DNAME, MX, PTR, SRV and NAPTR records associated with www.google.com:
$ unbound-control flush www.google.com
Flush specific data for zone
A specific record type can also be specified in case you want clear one type and not others. For example, if you wanted to remove AAAA records but keep A records for www.google.com:
$ unbound-control flush_type name www.google.com
Error mesages
Error setting up SSL_CTXX client cert - key too small
This error refers to your local key generated by unbound-control-setup. Just remove the files /etc/unbound/unbound_control.{key,pem} and re-run the unbound-control-setup