Here is my latest OpenBSD endeavor: Running multiple instances of the same daemon using different configuration files for each instance.
For the sixfw IPv6 firewall project we need multiple instances of the unbound resolver.
We use address family translation (NAT64) for traffic passing some interfaces.
For true v6-only networks and for the router itself, we don’t (or simply cannot) use address family translation.
Therefore we need one resolver that does expose 64:ff9b::/96-based DNS RRs for some interfaces, and a second one that refrains from using its DNS64 superpowers at all.
Our policy here at sixfw is to stay as close to OpenBSD and its best current practices as possible. Here is how we dealt with the problem:
Make sure you have both config files ready, one for each instance.
# ls /var/unbound/etc/
unbound.conf unbound64.conf
Now create a copy of the original daemon’s rc script. Avoid dashes in the name; underscores, though, seem to be fine.
# cp /etc/rc.d/unbound /etc/rc.d/unbound64
Next, define the _flags variable for the new instance in the rc configuration, next to the original daemon’s one. It is important to point each instance at its own config file:
unbound_flags="-c /var/unbound/etc/unbound.conf"
unbound64_flags="-c /var/unbound/etc/unbound64.conf"
Now both instances are ready to be fired up.
# /etc/rc.d/unbound start
unbound(ok)
# /etc/rc.d/unbound64 start
unbound64(ok)
If you want the instances to be started automatically each time the system boots, enable them using
# rcctl enable unbound
# rcctl enable unbound64
In our case we additionally wanted to check that DNS64 is working as expected. Choose a hostname that is known not to have an AAAA RR, e.g. hosts of organizations that still think the Internet is Neuland. Now query the first instance for the RR:
# host bundesregierung.de ::1
bundesregierung.de has address 184.108.40.206
And the second instance, configured to use DNS64:
# host bundesregierung.de 2001:67c:26f4:a100::1
bundesregierung.de has IPv6 address 64:ff9b::2ef3:7e78
bundesregierung.de has address 220.127.116.11
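To make that manual check repeatable, here is an added example (not part of the original post or of unbound) that parses host(1)-style output from both instances and verifies that every AAAA the DNS64 instance returns is a correct RFC 6052 synthesis of one of the A records under the well-known prefix 64:ff9b::/96. The sample output and the hostname example.test are constructed for the example.

```python
"""Verify DNS64 synthesis from host(1) output (added example, not from the post)."""
import ipaddress
import re

# Well-known DNS64 prefix (RFC 6052); the post's unbound64 instance uses it.
DNS64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# Constructed sample output in the format host(1) prints; not real answers.
PLAIN_OUTPUT = "example.test has address 192.0.2.1\n"
DNS64_OUTPUT = (
    "example.test has IPv6 address 64:ff9b::c000:201\n"
    "example.test has address 192.0.2.1\n"
)

LINE_RE = re.compile(r"^(\S+) has (IPv6 )?address (\S+)$")


def parse_host_output(text):
    """Return (a_records, aaaa_records) parsed from host(1) output lines."""
    a, aaaa = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore comments, blank lines, unrelated RR types
        if m.group(2):
            aaaa.append(ipaddress.IPv6Address(m.group(3)))
        else:
            a.append(ipaddress.IPv4Address(m.group(3)))
    return a, aaaa


def synthesize(v4):
    """RFC 6052 for a /96 prefix: the IPv4 address fills the low 32 bits."""
    v4 = ipaddress.IPv4Address(v4)
    return ipaddress.IPv6Address(int(DNS64_PREFIX.network_address) | int(v4))


def extract_v4(v6):
    """Inverse of synthesize(); None if v6 is not inside the DNS64 prefix."""
    v6 = ipaddress.IPv6Address(v6)
    if v6 not in DNS64_PREFIX:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def classify(text):
    """'plain' if no AAAA came back (the non-DNS64 instance), 'dns64' if every
    AAAA embeds one of the returned A records, 'inconsistent' otherwise.
    As the post says, test with a name that has no native AAAA record."""
    a, aaaa = parse_host_output(text)
    if not aaaa:
        return "plain"
    return "dns64" if all(extract_v4(x) in a for x in aaaa) else "inconsistent"
```

Feed the output of `host <name> ::1` and `host <name> <dns64-listen-address>` to `classify()`; the first should yield "plain" and the second "dns64".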