Running multiple instances of unbound daemon on OpenBSD
Here is my latest OpenBSD endeavor: Running multiple instances of the same daemon using different configuration files for each instance.
For the sixfw IPv6 firewall project we need multiple instances of the unbound resolver. We use address family translation (NAT64) for traffic passing some interfaces. For true v6-only networks and for the router itself, we don’t (or just cannot) use address family translation. Therefore we need one resolver that does expose 64:ff9b::/96-based DNS RRs for some interfaces, and a second one that refrains from using its DNS64 superpowers at all.
Our policy here at sixfw is to stay as close to OpenBSD and its best current practices as possible. Here is how we dealt with the problem:
Make sure you have both config files ready, one for each instance.
# ls /var/unbound/etc/
unbound.conf unbound64.conf
Now create a copy of the original daemon’s rc script. Avoid dashes in the name; underscores seem to be fine, though.
# cp /etc/rc.d/unbound /etc/rc.d/unbound64
Add a _flags variable for the new instance in /etc/rc.conf.local.
It is important to define a separate config file for each instance.
unbound_flags="-c /var/unbound/etc/unbound.conf"
unbound64_flags="-c /var/unbound/etc/unbound64.conf"
Now both instances are ready to be fired up.
# /etc/rc.d/unbound start
unbound(ok)
# /etc/rc.d/unbound64 start
unbound64(ok)
If you would like the instances to be started automatically each time the system boots, enable them using rcctl:
# rcctl enable unbound
# rcctl enable unbound64
In our case we additionally wanted to check if DNS64 is working as expected. Choose a hostname that is known to not have a AAAA RR, e.g. hosts of organizations that still think the Internet is Neuland. Now query the first instance for the RR:
# host bundesregierung.de ::1
bundesregierung.de has address 46.243.126.120
And the second instance, configured to use DNS64:
# host bundesregierung.de 2001:67c:26f4:a100::1
bundesregierung.de has IPv6 address 64:ff9b::2ef3:7e78
bundesregierung.de has address 46.243.126.120
Voilà!
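The manual check above can be automated. The following is an added example, not part of the original post or the sixfw project: it parses `host` output and verifies that a resolver either returns no addresses inside 64:ff9b::/96 or returns exactly the RFC 6052 embedding of each A record. The sample replies are the ones quoted above; the function names are hypothetical.

```python
import ipaddress
import re

NAT64_PREFIX = ipaddress.ip_network("64:ff9b::/96")  # prefix named in the post

# Constructed sample input: the two `host` replies quoted in the post.
PLAIN_REPLY = "bundesregierung.de has address 46.243.126.120\n"
DNS64_REPLY = (
    "bundesregierung.de has IPv6 address 64:ff9b::2ef3:7e78\n"
    "bundesregierung.de has address 46.243.126.120\n"
)

_LINE = re.compile(r"^\S+ has (IPv6 )?address (\S+)$")


def parse_host_output(text):
    """Return (ipv4_list, ipv6_list) parsed from `host` output."""
    v4, v6 = [], []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # ignore "mail is handled by" lines, errors, etc.
        addr = ipaddress.ip_address(m.group(2))
        (v6 if addr.version == 6 else v4).append(addr)
    return v4, v6


def synthesize(ipv4, prefix=NAT64_PREFIX):
    """Embed an IPv4 address in the low 32 bits of a /96 prefix (RFC 6052)."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 prefixes are handled here")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipv4))


def classify(text, prefix=NAT64_PREFIX):
    """'plain'  : no AAAA inside the NAT64 prefix (also the result for names
                  with a native AAAA, so test with a v4-only hostname);
       'dns64'  : the in-prefix AAAA set equals the embedding of every A;
       'broken' : in-prefix AAAA records that do not match the A records."""
    v4, v6 = parse_host_output(text)
    in_prefix = {a for a in v6 if a in prefix}
    if not in_prefix:
        return "plain"
    expected = {synthesize(a, prefix) for a in v4}
    return "dns64" if in_prefix == expected else "broken"
```

Feed it the output of `host <name> <resolver>` for each instance; the instance serving v6-only networks should come back as "plain" and the NAT64-facing one as "dns64".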