Unbound (1.4)

I use unbound largely out of a habit to try different things. Your mileage will vary.

Issue: Make sure the init.d script gives the full path to unbound-anchor. I think this got fixed in an update, but if not, you may see it whine at you.

/etc/unbound/unbound.conf

 * 1) I start by copying over the sample configuration file shipped with the package. It's a decent starting point.
 * 2) Since I'm not using this for a major DNS server (it will never serve an external request), I set num-threads to 2.
 * 3) Set interface: for localhost and the private addresses you want to listen on, nothing public.
 * 4) Set outgoing-interface: as appropriate, especially for IPv6, so queries leave from an address you control.
 * 5) outgoing-range: 480
 * 6) Restrict the outgoing port range to something smallish (~8k ports), largely so you know you have a safe range left over for other UDP services, e.g. Mumble. Caveat: the source port is part of what a spoofed reply has to guess, so a smaller range weakens that defence (8k ports is about 13 bits instead of roughly 15-16 bits for a full ephemeral range); don't shrink it further than you need.
 * 7) Be sure to add the bound IPv6 addresses to /etc/network/interfaces. An AnyIP local route only accepts inbound traffic for the prefix; it doesn't configure the addresses on an interface, and unbound can't use an outgoing-interface address that isn't actually configured on the host.
 * 8) Don't forget access-control: allow localhost and your private ranges and leave everything else refused, so you don't end up running an open resolver.
 * 9) outgoing-num-tcp and incoming-num-tcp: 16
 * 10) I set most cache sizes (msg-cache-size, rrset-cache-size, key-cache-size) to 32m. You'll want a lot more for more important servers, however.
 * 11) Slabs (msg-cache-slabs, rrset-cache-slabs, infra-cache-slabs, key-cache-slabs) at 4, i.e. a power of two close to the number of threads.
 * 12) Turn on prefetching for results and keys: prefetch: yes and prefetch-key: yes.
 * 13) auto-trust-anchor-file: "/var/lib/unbound/root.key", so unbound can track root key rollovers (RFC 5011) itself; the file has to be writable by the user unbound runs as.
 * 14) control-enable: no under remote-control:, unless you actually use unbound-control.
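Pulling those items into one file, as an added example that is not the author's config: the LAN addresses (192.0.2.1, 2001:db8::1) and the access-control ranges are placeholders from the documentation address blocks, and the hide-*/harden-* lines at the end are extras beyond the list above, not something the page calls for.

```conf
# /etc/unbound/unbound.conf  (added example; addresses are placeholders)
server:
    num-threads: 2

    # listen only on loopback and the private addresses (assumed) - nothing public
    interface: 127.0.0.1
    interface: ::1
    interface: 192.0.2.1
    interface: 2001:db8::1

    # send queries from addresses we control (must be configured on the host)
    outgoing-interface: 192.0.2.1
    outgoing-interface: 2001:db8::1
    outgoing-range: 480

    # ~8k source ports (32768-40959); lines are processed in order, so avoid all, then permit
    outgoing-port-avoid: 0-65535
    outgoing-port-permit: 32768-40959

    outgoing-num-tcp: 16
    incoming-num-tcp: 16

    # caches: small box, bump these on anything important
    msg-cache-size: 32m
    rrset-cache-size: 32m
    key-cache-size: 32m
    msg-cache-slabs: 4
    rrset-cache-slabs: 4
    infra-cache-slabs: 4
    key-cache-slabs: 4

    prefetch: yes
    prefetch-key: yes

    # who may query: localhost and the private ranges (assumed); the rest stays refused
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 192.0.2.0/24 allow
    access-control: 2001:db8::/64 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # DNSSEC root key, maintained by unbound (RFC 5011); unbound-anchor seeds it
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # extras beyond the list: don't advertise what we are, don't trust stripped answers
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes

remote-control:
    control-enable: no
```

Run `unbound-checkconf` before restarting; it catches typos and a key file unbound can't write to, both of which otherwise only show up in the log after a failed start.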

/etc/resolv.conf
Set this up so we actually query ourselves!

```
search invalid
options timeout:3
nameserver ::1
nameserver host.or.google.here
nameserver host.or.google.here
```
 * 1) Unless we're dealing with an intranet of some sort, set search to some nonsense TLD. invalid is reserved for exactly this (RFC 2606), so it never resolves anywhere.
 * 2) Default timeout is 5; I've had some issues with 1.
 * 3) The nameserver lines after ::1 are fallbacks and must be IP addresses, not hostnames (the resolver library doesn't resolve names here). Anything answered by a fallback has bypassed unbound and its DNSSEC validation, which is one more reason to keep unbound running.

watchdog.unbound.sh
Unbound sometimes chokes on me, if rarely, and my members then complain about not getting their notifications immediately. I wrote a watchdog script to take care of this:

```sh
#!/bin/sh
# If no /usr/sbin/unbound process is listed, start the service.
# "grep -v grep" drops the grep command itself from the ps listing;
# awk takes the PID column whatever its width, so PIDs over five digits still match.
run=`ps ax | grep "/usr/sbin/unbound" | grep -v grep | awk '{print $1}' | paste -s -`
if [ -z "$run" ]; then
    /etc/init.d/unbound start
fi
```

And for /etc/cron.d/unbound (or whatever)

3,23,43 *       *       *       *       root       /root/watchdog.unbound.sh

If that's where you put your watchdog script. I'm lazy.
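A process that is still listed but no longer answers passes the ps check above. Here is an added watchdog (not the author's script) that probes the resolver itself and restarts unbound when the probe fails. It assumes unbound listens on ::1, that dig (bind9-dnsutils) is installed, and that /etc/init.d/unbound is the service script, as on this page; the probe and restart commands are parameters so the restart logic can be exercised without a live resolver.

```sh
#!/bin/sh
# Added example watchdog: probe the resolver instead of grepping the process list,
# so a hung unbound that still has a PID gets restarted too.
# Assumptions: unbound listens on ::1, dig is installed, /etc/init.d/unbound exists.
# Invoke as: watchdog.unbound.sh run

RESOLVER="${RESOLVER:-::1}"

# probe_resolver: 0 if the resolver returns the root NS set within 3 seconds.
# +tries=1 keeps the probe short so cron does not pile up stuck watchdogs.
probe_resolver() {
    dig +time=3 +tries=1 "@$RESOLVER" . NS +short 2>/dev/null | grep -q .
}

# restart_unbound: restart rather than start, because the process may exist but be hung.
restart_unbound() {
    /etc/init.d/unbound restart
}

# ensure_running PROBE RESTART: run PROBE; on failure run RESTART once, then probe again.
# Returns 0 if the service answers at the end, 1 otherwise.
# PROBE and RESTART are shell commands (eval'd), so stand-ins can be passed for testing.
ensure_running() {
    if eval "$1"; then
        return 0
    fi
    logger -t unbound-watchdog "probe failed, restarting unbound" 2>/dev/null || true
    eval "$2"
    eval "$1"
}

if [ "${1:-}" = run ]; then
    ensure_running probe_resolver restart_unbound
fi
```

With the "run" argument the cron line becomes `3,23,43 * * * * root /root/watchdog.unbound.sh run`. One restart per invocation is deliberate: if a restart doesn't bring the resolver back, the script exits non-zero and you find out from cron's mail rather than from a restart loop.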