server:
# If no logfile is specified, syslog is used
logfile: "/var/log/unbound/unbound.log"
verbosity: 3
interface: 127.0.0.1
port: 5335
do-ip4: yes
do-udp: yes
do-tcp: yes
# May be set to yes if you have IPv6 connectivity
do-ip6: no
# You want to leave this to no unless you have *native* IPv6. With 6to4 and
# Teredo tunnels your web browser should favor IPv4 for the same reasons
prefer-ip6: no
# Use this only when you downloaded the list of primary root servers!
# If you use the default dns-root-data package, unbound will find it automatically
#root-hints: "/var/lib/unbound/root.hints"
# Trust glue only if it is within the server's authority
harden-glue: yes
# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
harden-dnssec-stripped: yes
# Don't use Capitalization randomization as it is known to cause DNSSEC issues sometimes
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
use-caps-for-id: no
# Reduce EDNS reassembly buffer size.
# Suggested by the unbound man page to reduce fragmentation reassembly problems
edns-buffer-size: 1472
# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
prefetch: yes
# One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
num-threads: 1
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
so-rcvbuf: 1m
# Ensure privacy of local IP ranges
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
private-address: fd00::/8
private-address: fe80::/10
I enabled the logging and changed verbosity to 3. Restarted service but the log stays empty…
Also, how do I get this graph (or some other stats on what unbound did/is doing):
Many thanks for your message. Basically, there are already quite some enhancements planned for unbound in the next release, 6.35. This includes an own config file
OK but this doesn’t resolve my question or I misunderstand.
Does the config file I edited work (or is it taken into account)? If yes, why is the log empty?
When 6.35 comes out should I uninstall unbound and then reinstall after the update or will the update take care of the existing installation and modify it accordingly?
I’m confused…
I’m not sure where the graph is taking the logs from, probably it needs a log file? By default we ship with zero logging for privacy reasons. Aside from verbosity, have a look at these settings in /etc/unbound/unbound.conf.d/dietpi.conf.
log-queries: no
log-replies: no
logfile: ''
Btw, many settings do not override each other, so adding another settings file will lead to multiple IP bindings etc. This is also why we’re currently reworking the implementation to use a single config file only: https://github.com/MichaIng/DietPi/pull/4022
G_CONFIG_INJECT 'log-replies:[[:blank:]]' ' log-replies: yes' /etc/unbound/unbound.conf.d/dietpi.conf
So there is a single config file only with query and reply logs enabled, log level 3 and a single IP binding at 127.0.0.1#5335, which is then your upstream. Logs will be going to syslog: journalctl -u unbound
I’m also running some tests and going through all the settings, adding some comments to each of them, what it does and why we set it.
Just to be sure, you didn’t set up a monitoring/graph page yet, right? The image you posted looks like Cacti as shown in Unbound docs here (bottom of page): https://www.nlnetlabs.nl/documentation/unbound/howto-statistics/
This requires the cacti package to be installed: https://packages.debian.org/buster/cacti
That again requires a webserver stack with MariaDB. Since there are many other possibilities to do this and it is not something natively baked into Unbound, it’s a bit out of scope for now. But we definitely need to add some more documentation/comments to the config file, also grouping all logs-related things together so that not parts at the top and parts at the bottom of the file need to be edited to configure it.
Okay, I see we have that monitor screenshot in our logs. Probably not the best idea to show something there that requires a lot of additional setup. But we’ll anyway tune those logs based on experience/feedback. I meanwhile updated our default config file to sort things and give some more information: https://github.com/MichaIng/DietPi/blob/unbound/.conf/dps_182/unbound.conf
Ah, this file is installed as /etc/unbound/unbound.conf.d/dietpi.conf. I just gave it the name unbound.conf so that the filename alone in the repository shows what it is for. /etc/unbound/unbound.conf should be kept as it is so that all files from the sub directory are loaded.
Yes, this is the natural downside of the usual service setup: Log files and/or directories mostly need to be pre-created so that the service user can access them.
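
The point raised in the thread, that a second file under /etc/unbound/unbound.conf.d/ does not simply override the shipped one, can be checked with a small script. This is an added example, not part of any post and not DietPi's own tooling; the function names, the file name pi-hole.conf and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not DietPi's own tooling. Lists logging/binding options that
# are set in more than one file of an Unbound conf.d directory.

# Print "<option> <file>:<value>" for each occurrence of a watched option
# that appears in two or more *.conf files under directory $1.
unbound_dup_settings() {
    awk '
        /^[ \t]*#/ || !/:/ { next }            # skip comments and non-options
        {
            line = $0; sub(/^[ \t]+/, "", line)
            key = line; sub(/:.*/, "", key)
            val = line; sub(/^[^:]*:[ \t]*/, "", val)
            if (key !~ /^(logfile|verbosity|interface|port|log-queries|log-replies)$/) next
            if (!((key, FILENAME) in seen)) { seen[key, FILENAME] = 1; files[key]++ }
            hits[key] = hits[key] key " " FILENAME ":" val "\n"
        }
        END { for (k in files) if (files[k] > 1) printf "%s", hits[k] }
    ' "$1"/*.conf | sort
}

# Constructed sample: a shipped file with logging off plus a user-added file.
make_sample() {
    printf 'server:\n\tinterface: 127.0.0.1\n\tport: 5335\n\tlogfile: %s\n\tlog-queries: no\n' "''" > "$1/dietpi.conf"
    printf 'server:\n\tlogfile: "/var/log/unbound/unbound.log"\n\tverbosity: 3\n\tinterface: 127.0.0.1\n\tport: 5335\n' > "$1/pi-hole.conf"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
unbound_dup_settings "$demo_dir"   # reports interface, logfile and port twice each
rm -rf "$demo_dir"
```

On a real system, point `unbound_dup_settings` at /etc/unbound/unbound.conf.d; `unbound-checkconf -o logfile` then prints the value Unbound itself resolved for that option.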