Unbound DNS Server Cache Control
Mar 12, 2016 12:00
Unbound is a high-performance, easy-to-configure, recursive, caching DNS server. Configuring Unbound as a recursive, caching DNS server is outside the scope of this post; however, Calomel.org has a well-written how-to on doing so.
Part of what makes Unbound a great tool is that its cache can be manipulated on the fly using unbound-control. The examples below should give you some flavor of how straightforward working with Unbound’s cache can be.
Showing Cache Data
Unbound will allow you to interrogate its cache in multiple ways, one of which is by simply dumping the cache:
# unbound-control dump_cache
Here’s an example snippet:
START_RRSET_CACHE
...
;rrset 73895 1 1 11 4
mozilla.net. 73895 IN DS 58911 7 1 D14FECD29A6ED5E519375B4BD29294F6E9F77785
mozilla.net. 73895 IN RRSIG DS 8 2 86400 20160316051355 20160309050355 51128 net. L9RT2YhKWxyT2THZdbwfvR4iQxysDhDNSykO3yKMpxL6MJTcGA5gl+O3+GMydJLZ2e7CY/MLtXr9jZcaHHmFvpv73Rn47dn/CpHWYEzTc/uxAXVGhvUm9/RISfBVHuLz4oX8L1N1b4pTbWBm91TbmIhSfGO6ROadZIbZlz58YcE= ;{id = 51128}
...
;rrset 72433 1 0 5 3
mail.google.com. 507560 IN CNAME googlemail.l.google.com.
;rrset 1147 1 0 5 3
c-ls.mgo-images.com.edgekey.net. 1147 IN CNAME e7226.g.akamaiedge.net.
...
END_MSG_CACHE
EOF
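The dump format shown above is plain text, so it can be searched without loading it back into Unbound. The following POSIX shell function, added here as an example and not part of the original post, reads a dump on stdin and prints the owner name, record type and TTL of every resource record in the RRSET section that belongs to a given zone (the name itself or any name beneath it). The sample dump is constructed for the example: the mozilla.net lines are copied from the snippet above, the google.com and akamaiedge entries are made up, and the `;rrset` header fields are filled with placeholder values.

```sh
#!/bin/sh
# Constructed sample cache dump, modelled on the dump_cache output above.
# Only the RR lines matter to the parser; the ";rrset" header fields are placeholders.
SAMPLE_DUMP='START_RRSET_CACHE
;rrset 73895 1 1 11 4
mozilla.net. 73895 IN DS 58911 7 1 D14FECD29A6ED5E519375B4BD29294F6E9F77785
mozilla.net. 73895 IN RRSIG DS 8 2 86400 20160316051355 20160309050355 51128 net. L9RT2YhKWxyT2THZdbwfvR4iQxysDhDNSykO3yKMpxL6MJTcGA5gl+O3+GMydJLZ2e7CY/MLtXr9jZcaHHmFvpv73Rn47dn/CpHWYEzTc/uxAXVGhvUm9/RISfBVHuLz4oX8L1N1b4pTbWBm91TbmIhSfGO6ROadZIbZlz58YcE= ;{id = 51128}
;rrset 72433 1 0 5 3
mail.google.com. 507560 IN CNAME googlemail.l.google.com.
;rrset 1147 1 0 5 3
c-ls.mgo-images.com.edgekey.net. 1147 IN CNAME e7226.g.akamaiedge.net.
;rrset 300 1 0 5 3
www.google.com. 300 IN A 192.0.2.10
www.google.com. 300 IN A 192.0.2.11
;rrset 600 1 0 5 3
maps.google.com. 600 IN AAAA 2001:db8::1
END_RRSET_CACHE
START_MSG_CACHE
END_MSG_CACHE
EOF'

# cached_rrs ZONE
# Reads a dump_cache dump on stdin; prints "name type ttl" for every RR in the
# RRSET section whose owner name is ZONE or lies beneath it. A trailing dot on
# ZONE is optional. Live usage:  unbound-control dump_cache | cached_rrs google.com
cached_rrs() {
    zone=$(printf '%s' "$1" | sed 's/\.*$//')     # normalise: drop any trailing dot(s)
    awk -v zone="$zone." '
        /^START_RRSET_CACHE/ { in_rrset = 1; next }
        /^END_RRSET_CACHE/   { in_rrset = 0; next }
        # skip everything outside the RRSET section, ";rrset" headers and short lines
        !in_rrset || /^;/ || NF < 5 { next }
        {
            name = $1                              # owner name, always with trailing dot
            if (name == zone || substr(name, length(name) - length(zone)) == "." zone)
                print name, $4, $2                 # name, RR type, remaining TTL
        }'
}

# Stand-alone demo on the constructed dump.
printf '%s\n' "$SAMPLE_DUMP" | cached_rrs google.com
```

Because RRSIG records are listed as their own type, a DNSSEC-signed zone such as mozilla.net shows both the DS and its RRSIG; comparing this listing before and after a flush_zone is a quick way to confirm what actually left the cache.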
Importing Cache Data
You may already have been wondering whether Unbound allows cache data to be imported: yes, it does.
Simply dump the cache to a file:
# unbound-control dump_cache > unbound.dump
Then, import the dump:
# cat unbound.dump | unbound-control load_cache
This is mostly useful for debugging purposes.
Clearing Cached Data
All Data for a Zone
Suppose you wanted to clear all cache data for google.com. The following command will clear everything related to google.com from the cache:
# unbound-control flush_zone google.com
ok removed 12 rrsets, 6 messages and 0 key entries
This command has the potential to be slow, especially for a zone like google.com. Chances are there are many entries for google.com in your cache, and Unbound needs to go looking for every one of them.
You may want to drill or dig for multiple record types related to google.com before running this command. You should notice that the TTLs are decrementing before running the command; after running it, you should notice that the TTLs jump back up.
Partial Data for a Zone
Maybe you only want to clear instances of ‘www’ from the google.com zone in the cache and not others such as ‘maps’ or ‘mail’. The following will delete A, AAAA, NS, SOA, CNAME, DNAME, MX, PTR, SRV and NAPTR records associated with www.google.com:
# unbound-control flush www.google.com
ok
A specific record type can also be specified in case you want to clear one type and not others. For example, if you wanted to remove AAAA records but keep A records for www.google.com:
# unbound-control flush_type www.google.com AAAA
ok
Adding Data to Cache
Using DNS to block ad servers is a pretty common tactic nowadays. Entries can be added to return ‘0.0.0.0’ instead of the actual ad server IP, preventing communication with the ad servers:
# unbound-control local_zone "random-ad-server.com" redirect
# unbound-control local_data "random-ad-server.com A 0.0.0.0"
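Typing those two commands per domain does not scale to a block list, and the list usually comes from a file you did not write yourself, so each line should be validated before it is spliced into a quoted unbound-control argument. The POSIX shell function below, an added example rather than code from the original post, reads hostnames from stdin, drops comments and blank lines, lowercases the names, rejects anything that is not a plain hostname, and emits the local_zone/local_data pair for each survivor. Passing `conf` as the argument emits `local-zone:`/`local-data:` directives in unbound.conf syntax instead, since data added through unbound-control is lost when the daemon restarts. The block list is constructed for the example.

```sh
#!/bin/sh
# Constructed sample block list (not a real list): a comment, a blank line,
# mixed case, and one malformed entry that must be rejected.
SAMPLE_BLOCKLIST='# hypothetical block list for the example
random-ad-server.com
Tracker.Example.NET

bad entry"with junk
ads.example.org'

# gen_block_cmds [control|conf]
# Reads hostnames on stdin, one per line. Default mode "control" prints the
# runtime unbound-control commands; mode "conf" prints unbound.conf directives.
# Invalid entries are reported on stderr and skipped.
gen_block_cmds() {
    mode=${1:-control}
    while IFS= read -r line; do
        # strip comments and surrounding whitespace
        name=$(printf '%s' "$line" | sed 's/#.*$//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$name" ] || continue
        name=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        # accept only plain hostnames: labels of letters, digits and hyphens joined by
        # single dots; no leading/trailing dot or hyphen, no quotes, spaces or other junk
        case "$name" in
            *[!a-z0-9.-]*|.*|*.|*..*|-*|*.-*|*-.*)
                printf 'skipping invalid entry: %s\n' "$line" >&2
                continue ;;
        esac
        if [ "$mode" = conf ]; then
            printf 'local-zone: "%s" redirect\n' "$name"
            printf 'local-data: "%s A 0.0.0.0"\n' "$name"
        else
            printf 'unbound-control local_zone "%s" redirect\n' "$name"
            printf 'unbound-control local_data "%s A 0.0.0.0"\n' "$name"
        fi
    done
}

# Stand-alone demo on the constructed list.
printf '%s\n' "$SAMPLE_BLOCKLIST" | gen_block_cmds
```

Review the generated commands before executing them. For a persistent setup, write the `conf` output to its own file and pull it into unbound.conf with an `include:` line, so the same list is both applied at runtime and reloaded on the next start.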
These examples don’t cover all use cases. There are still other cache-related actions that unbound-control can do. For more info, check out the unbound-control man page.