Solved Howto: unbound+TLS with full logging via syslog (unbound in chroot)

edit: this started as an unbound+syslog post but it has evolved into a howto. Because of the evolution it's a little out of sequence but it's complete.

Quick prerequisites: pkg install unbound, disable local_unbound. cd /usr/local/etc/unbound/ and edit the config. Tip: don't disable local_unbound before installing unbound (or pkg can't resolve things...)

I've seen many posts saying if unbound is in a chroot then set logfile: "/usr/local/etc/unbound/unbound.log", you can do that but you don't have to.

I am here to confirm that syslog works fine, with a tweak.

By default unbound+syslog will only catch the DEBUG messages, so you only get a portion of the content compared to specifying a log file; it is quite annoying. This is because unbound calls syslog with DEBUG, INFO and so on if you've configured "yes" to some of unbound's log-xxxxxx: options.
man syslog.conf:
The level describes the severity of the message, and is a keyword from
the following ordered list (higher to lower): emerg, crit, alert, err,
warning, notice, info and debug. These keywords correspond to similar
"LOG_" values specified to the syslog(3) library routine.

edit /usr/local/etc/unbound/unbound.conf and comment out the logfile
Code:
# logfile: "/usr/local/etc/unbound/unbound.log"
Configure syslog (how I did it):

Code:
# mkdir /usr/local/etc/syslog.d
# vi /usr/local/etc/syslog.d/unbound.conf
# cat /usr/local/etc/syslog.d/unbound.conf
!unbound
*.*             /var/log/unbound.log
I chose to put this config file here because /etc/syslogd.conf includes that directory and keeps the customization slightly out of the base OS (but the logs in one place).

chrbr had me in the right direction: https://forums.freebsd.org/threads/unbound-log-file.73205/

I still need to stop it logging to /var/log/debug.log though... was happy with the above so wanted to share it.

edit: to remove logging to debug.log unfortunately I had to modify /etc/syslog.conf, was unaltered prior, adding the unbound line like so:
Code:
!-devd
!-unbound
*.=debug                    /var/log/debug.log
The actual point of the whole exercise was to config a TLS lookup with unbound. My comment-stripped unbound config file follows ("hobby" status on a LAN to try it out.)

Prerequisites: pkg install ca_root_nss. I wish this were more obvious and think the tls-cert-bundle should be predefined/commented in the config file pkg installs.

Code:
cat /usr/local/etc/unbound/unbound.conf
server:
    verbosity: 3
    interface: 0.0.0.0
    do-ip6: no
    access-control: 10.0.0.0/24 allow
    chroot: "/usr/local/etc/unbound"
    username: "unbound"
    directory: "/usr/local/etc/unbound"
    log-queries: yes
    log-replies: yes
    log-tag-queryreply: yes
    log-servfail: yes
    log-local-actions: yes
    pidfile: "/usr/local/etc/unbound/unbound.pid"
    tls-cert-bundle: "/usr/local/share/certs/ca-root-nss.crt"
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 1.1.1.1@853#one.one.one.one
Being "hobby" I just restarted unbound on config change, hammer nail.

Note: with respect to the above "do-ip6: no", put the following in /etc/rc.conf
Code:
unbound_anchorflags="-4"
Code:
Name           : unbound
Version        : 1.13.0_1
12.2-RELEASE-p2
FreeBSD eeepc 12.2-RELEASE-p1 FreeBSD 12.2-RELEASE-p1 GENERIC  i386
My router device has no ability to do DNS over TLS. The router provides DNS to the LAN (via DHCP).

To work with this limitation I configured the router device to use unbound as the DNS server, then unbound forwards requests to 1.1.1.1 over TLS.

10.0.0.1 is router: DHCP, DNS to LAN
10.0.0.5 is FreeBSD+unbound
LAN clients do DNS requests to 10.0.0.1
10.0.0.1 requests DNS from 10.0.0.5
10.0.0.5 does the actual lookup over TLS to 1.1.1.1
That reply goes back to 10.0.0.1 which in turn responds to the original request

I like that I can watch the logs and see what DNS requests are occurring:
Code:
tail -F /var/log/unbound.log | egrep '\ (reply|query)\:\ '
I'll go back to letting the router handle DNS until I've got FreeBSD setup properly on my network, currently just testing on an old laptop i.e. I turn it off.

It was a fun exercise.

p.s. I'm not an advocate for 1.1.1.1, it's just easy to remember and use to test (since they're all DNS+TLS ready).
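As an added example (not from the post), a small Python parser for the query/reply lines that the egrep above picks out. It assumes syslogd writes them in the form shown in the constructed sample below (the "query:" / "reply:" tags come from log-tag-queryreply: yes); it counts queries per client and flags SERVFAIL or slow replies.

```python
import re
from collections import defaultdict

# Pattern for unbound's log-queries / log-replies lines as written by syslogd.
# Constructed from the egrep in the thread; the timestamp/host/pid prefix is
# an assumption about the syslogd line format, not taken from unbound's source.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ unbound\[\d+\]: \[\d+:\w+\] info: "
    r"(?P<kind>query|reply): (?P<client>\S+) (?P<name>\S+) (?P<qtype>\S+) (?P<qclass>\S+)"
    r"(?: (?P<rcode>\S+) (?P<secs>[\d.]+) (?P<cached>\d) (?P<size>\d+))?$"
)

# Constructed sample log (not a real capture). The last line is unrelated
# unbound output that the parser must skip.
SAMPLE_LOG = """\
Jan 10 09:15:01 eeepc unbound[1234]: [1234:0] info: query: 10.0.0.1 example.com. A IN
Jan 10 09:15:01 eeepc unbound[1234]: [1234:0] info: reply: 10.0.0.1 example.com. A IN NOERROR 0.034512 0 56
Jan 10 09:15:02 eeepc unbound[1234]: [1234:0] info: query: 10.0.0.1 broken.invalid. A IN
Jan 10 09:15:03 eeepc unbound[1234]: [1234:0] info: reply: 10.0.0.1 broken.invalid. A IN SERVFAIL 1.203000 0 43
Jan 10 09:15:04 eeepc unbound[1234]: [1234:0] info: query: 10.0.0.1 example.com. AAAA IN
Jan 10 09:15:04 eeepc unbound[1234]: [1234:0] info: reply: 10.0.0.1 example.com. AAAA IN NOERROR 0.000312 1 68
Jan 10 09:15:05 eeepc unbound[1234]: [1234:0] notice: sendto failed: Network is unreachable
"""

def parse_line(line):
    """Return a dict for a query/reply line, or None for any other output."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    if rec["secs"] is not None:          # only reply lines carry these fields
        rec["secs"] = float(rec["secs"])
        rec["cached"] = rec["cached"] == "1"
        rec["size"] = int(rec["size"])
    return rec

def summarize(text, slow_threshold=0.5):
    """Count queries per client and flag replies that are SERVFAIL or slow."""
    per_client = defaultdict(int)
    flagged = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "query":
            per_client[rec["client"]] += 1
        elif rec["rcode"] != "NOERROR" or rec["secs"] > slow_threshold:
            flagged.append((rec["name"], rec["qtype"], rec["rcode"], rec["secs"]))
    return dict(per_client), flagged

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Feed it the real /var/log/unbound.log instead of SAMPLE_LOG to get the same per-client counts and a list of failing or slow upstream lookups, which is a quick sanity check that the TLS forwarder is answering.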
And log rotation:
Code:
root@eeepc:~ # mkdir /usr/local/etc/newsyslog.conf.d
root@eeepc:~ # vi /usr/local/etc/newsyslog.conf.d/unbound.conf
root@eeepc:~ # cat /usr/local/etc/newsyslog.conf.d/unbound.conf
# configuration file for newsyslog (included by /etc/newsyslog.conf)
# logfilename        [owner:group]    mode    count    size    when    flags    [/pid_file]    [sig_num]
/var/log/unbound.log    root:wheel    640    28    *    @T00    JB