FreeBSD’s local_unbound in mobile environments
FreeBSD’s local_unbound DNS resolver was introduced in head in September 2013, and later in stable/10 when that branch became available. Its configuration out of the box, particularly its treatment of /etc/resolvconf.conf, assumes that local_unbound is the only resolver the host will ever use: resolv_conf="/dev/null" tells resolvconf never to touch /etc/resolv.conf, which local-unbound-setup has pointed at 127.0.0.1 alone, so when local_unbound is not running nothing answers name lookups at all.
The reason for this blog entry is that I appreciate being able to resolve DNS names even when the local resolver is unavailable for whatever reason. Single user mode with the network interfaces up but no services running is one example I can think of. I’m certain this applies to some of you as well.
The originally generated /etc/resolvconf.conf file looks like this:

# Generated by local-unbound-setup
resolv_conf="/dev/null" # prevent updating /etc/resolv.conf
unbound_conf="/var/unbound/forward.conf"
unbound_pid="/var/run/local_unbound.pid"
unbound_service="local_unbound"
unbound_restart="service local_unbound reload"
Change the file to the following and things start to look more elegant. Dropping resolv_conf="/dev/null" lets resolvconf manage /etc/resolv.conf again; name_servers="127.0.0.1" prepends the local resolver to the nameserver list it writes there, so the upstream servers learned from DHCP or PPP follow it, and resolv_conf_options="edns0" keeps the options edns0 line that local-unbound-setup had put in place. libc’s resolver tries the nameservers in order, so when nothing is listening on 127.0.0.1 it falls through to the upstream servers. Be aware that it also moves on to the next server when it receives SERVFAIL, which is what unbound returns when DNSSEC validation fails, so with this layout a validation failure is quietly retried against the unvalidated upstream servers; the convenience comes at that price.

name_servers="127.0.0.1"
resolv_conf_options="edns0"
unbound_conf="/var/unbound/forward.conf"
unbound_pid="/var/run/local_unbound.pid"
unbound_service="local_unbound"
unbound_restart="service local_unbound reload"
The resolvconf service and the /libexec/resolvconf/unbound subscriber take care of updating /var/unbound/forward.conf as you roam between your mobile environments, and the unbound_restart command reloads local_unbound so it picks up the new forwarders.
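To see what the two files should look like after this change, here is an added example in sh, not part of the original post or of FreeBSD’s own resolvconf scripts. It checks a resolv.conf for the nameserver order the setup above depends on (127.0.0.1 first, at least one upstream after it) and checks a forward.conf for usable forwarders. The sample files are constructed here and written to a temporary directory; the header comments, the "." forward zone and the 192.0.2.x / 198.51.100.x addresses are illustrative, not captured from a real host.

```shell
# Added example (not from the original post): sanity-check the resolver
# order in /etc/resolv.conf and the forwarders in /var/unbound/forward.conf.
#
# libc's resolver tries the nameservers in /etc/resolv.conf in order and moves
# to the next one on no answer or SERVFAIL, so 127.0.0.1 (local_unbound) must
# come first and at least one upstream must follow it as the fallback.
# forward.conf is unbound syntax; the forward-addr entries are the servers
# local_unbound forwards to.

# check_resolv_conf FILE
#   returns 0: 127.0.0.1 first and at least one upstream after it (intended)
#   returns 1: only 127.0.0.1, so nothing answers when local_unbound is down
#   returns 2: 127.0.0.1 missing or not first, so local_unbound is bypassed
#   returns 3: no nameserver lines at all
check_resolv_conf() {
    servers=$(awk '$1 == "nameserver" { print $2 }' "$1")
    [ -n "$servers" ] || return 3
    first=$(printf '%s\n' "$servers" | head -n 1)
    [ "$first" = "127.0.0.1" ] || return 2
    # Count the non-loopback servers after the first entry.
    fallbacks=$(printf '%s\n' "$servers" |
        awk 'NR > 1 && $1 != "127.0.0.1" { n++ } END { print n + 0 }')
    [ "$fallbacks" -gt 0 ] || return 1
    return 0
}

# forward_addrs FILE
#   prints the forward-addr entries of an unbound forward.conf, one per line
forward_addrs() {
    awk '$1 == "forward-addr:" { print $2 }' "$1"
}

# check_forward_conf FILE
#   returns 0: at least one forwarder and none of them is loopback
#   returns 1: no forward-addr at all
#   returns 2: a loopback forwarder, i.e. unbound would forward to itself
check_forward_conf() {
    addrs=$(forward_addrs "$1")
    [ -n "$addrs" ] || return 1
    if printf '%s\n' "$addrs" | grep -q '^127\.'; then
        return 2
    fi
    return 0
}

# Constructed samples (not real files from a FreeBSD host).
SAMPLES=$(mktemp -d)

# What resolvconf writes with name_servers="127.0.0.1" after a DHCP lease
# that handed out two nameservers (assumed layout).
cat > "$SAMPLES/resolv.conf.good" <<'EOF'
# Generated by resolvconf
search example.net
nameserver 127.0.0.1
nameserver 192.0.2.53
nameserver 198.51.100.53
options edns0
EOF

# What /etc/resolv.conf looks like while resolv_conf="/dev/null" is in effect.
cat > "$SAMPLES/resolv.conf.local_only" <<'EOF'
nameserver 127.0.0.1
options edns0
EOF

# Forward zone derived from the same lease (assumed layout of the
# subscriber's output; unbound itself only cares about the keywords).
cat > "$SAMPLES/forward.conf" <<'EOF'
# Generated by resolvconf
forward-zone:
    name: "."
    forward-addr: 192.0.2.53
    forward-addr: 198.51.100.53
EOF

for f in resolv.conf.good resolv.conf.local_only; do
    rc=0
    check_resolv_conf "$SAMPLES/$f" || rc=$?
    echo "$f: status $rc"
done
rc=0
check_forward_conf "$SAMPLES/forward.conf" || rc=$?
echo "forward.conf: status $rc, forwarders:" $(forward_addrs "$SAMPLES/forward.conf")
```

Point check_resolv_conf at /etc/resolv.conf and check_forward_conf at /var/unbound/forward.conf on a real host after resolvconf has run; status 1 from the first check means the resolv_conf="/dev/null" setting is still in effect and there is no fallback.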
If you use your upstream DNS servers as forwarders and they don’t support DNSSEC (that is, they strip the RRSIG records unbound needs), then every validated lookup ends in SERVFAIL and you must comment out the auto-trust-anchor-file line in /var/unbound/unbound.conf. Be clear about what that means: without a trust anchor unbound performs no DNSSEC validation at all, so you are trusting those forwarders completely. Run local-unbound-checkconf before reloading the service to catch syntax mistakes.

# Generated by local-unbound-setup
server:
	username: unbound
	directory: /var/unbound
	chroot: /var/unbound
	pidfile: /var/run/local_unbound.pid
	# auto-trust-anchor-file: /var/unbound/root.key
include: /var/unbound/forward.conf