<div dir="ltr"><div class="gmail_default" style="font-family:monospace,monospace"><font face="monospace, monospace" style="font-size:12.8px">Hi,</font><div style="font-family:arial,sans-serif;font-size:12.8px"><font face="monospace, monospace"><br></font></div><div style="font-family:arial,sans-serif;font-size:12.8px"><font face="monospace, monospace">I <div class="gmail_default" style="display:inline">don't </div>see all mailing, but this I know how to do.</font></div><span class="gmail-im" style="font-family:arial,sans-serif;font-size:12.8px"><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">> 4. Gathering statistics and graphing queries per second (not sure how</font></div><div><font face="monospace, monospace">> to accomplish this</font></div><div><font face="monospace, monospace"><br></font></div></span><div style="font-family:arial,sans-serif;font-size:12.8px"><font face="monospace, monospace">You can have a daemon that grabs statistics each second</font></div><div style="font-family:arial,sans-serif;font-size:12.8px"><font face="monospace, monospace"><br></font></div><div style="font-family:arial,sans-serif;font-size:12.8px"><font face="monospace, monospace">1 - Using 'system' unbound-control stats_noreset</font></div><div style="font-family:arial,sans-serif;font-size:12.8px"><font face="monospace, monospace">2 - Or your own daemon, connecting via TCP+SSL, and making the command.</font></div><div style="font-family:arial,sans-serif;font-size:12.8px"><font face="monospace, monospace"><br></font></div><div style="font-family:arial,sans-serif;font-size:12.8px"><font face="monospace, monospace">Each reply has a connection close, so you need to reconnect.</font></div><div style="font-family:arial,sans-serif;font-size:12.8px"><font face="monospace, monospace"><br></font></div><div style="font-family:arial,sans-serif;font-size:12.8px"><font face="monospace, monospace">This 2, for me, isn't the best way, because the CPU 
increases.</font></div><div style="font-family:arial,sans-serif;font-size:12.8px"><font face="monospace, monospace"><br></font></div><div style="font-family:arial,sans-serif;font-size:12.8px"><font face="monospace, monospace">3 - Or, use the Shared Memory, so you can create a daemon and attach to SHM and get</font></div><div style="font-family:arial,sans-serif;font-size:12.8px"><font face="monospace, monospace">needed info.</font></div><div style="font-family:arial,sans-serif;font-size:12.8px"><font face="monospace, monospace"><br></font></div><div style="font-family:arial,sans-serif;font-size:12.8px"><font face="monospace, monospace"><a href="https://github.com/jedisct1/unbound/commit/9f11a7300938e265d8b346b7f71739a0578e84d6" target="_blank">https://github.com/jedisct1/<wbr>unbound/commit/<wbr>9f11a7300938e265d8b346b7f71739<wbr>a0578e84d6</a></font></div><div style="font-family:arial,sans-serif;font-size:12.8px"><font face="monospace, monospace"><br></font></div><div style="font-family:arial,sans-serif;font-size:12.8px"><font face="monospace, monospace">After getting the info, you need to populate some files or database.</font></div><div style="font-family:arial,sans-serif;font-size:12.8px"><font face="monospace, monospace">With that info, you can create graphs.</font></div><div style="font-family:arial,sans-serif;font-size:12.8px"><font face="monospace, monospace"><br></font></div><div style="font-family:arial,sans-serif;font-size:12.8px"><font face="monospace, monospace">Use your imagination and the data needed.</font></div><div style="font-family:arial,sans-serif;font-size:12.8px"><font face="monospace, monospace"><br></font></div><div style="font-family:arial,sans-serif;font-size:12.8px"><font face="monospace, monospace">Here are some screenshots from one of our clients, to show the idea.</font></div><div style="font-family:arial,sans-serif;font-size:12.8px"><font face="monospace, monospace"><br></font></div><div 
style="font-family:arial,sans-serif;font-size:12.8px"><font face="monospace, monospace"><a href="http://prntscr.com/enqrlj" target="_blank">http://prntscr.com/enqrlj</a></font></div><div style="font-family:arial,sans-serif;font-size:12.8px"><font face="monospace, monospace"><a href="http://prntscr.com/enqkoz" target="_blank">http://prntscr.com/enqkoz</a></font></div><div style="font-family:arial,sans-serif;font-size:12.8px"><font face="monospace, monospace"><a href="http://prntscr.com/enqmgj" target="_blank">http://prntscr.com/enqmgj</a></font></div><div style="font-family:arial,sans-serif;font-size:12.8px"><font face="monospace, monospace"><a href="http://prntscr.com/enqkkm" target="_blank">http://prntscr.com/enqkkm</a></font></div><div style="font-family:arial,sans-serif;font-size:12.8px"><font face="monospace, monospace"><a href="http://prntscr.com/enqmcu" target="_blank">http://prntscr.com/enqmcu</a></font></div><div style="font-family:arial,sans-serif;font-size:12.8px"><font face="monospace, monospace"><a href="http://prntscr.com/enqkz9" target="_blank">http://prntscr.com/enqkz9</a></font></div><div style="font-family:arial,sans-serif;font-size:12.8px"><font face="monospace, monospace"><a href="http://prntscr.com/enqlnv" target="_blank">http://prntscr.com/enqlnv</a></font></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">2017-03-21 16:15 GMT-04:00 Oscar Ricardo Silva via Unbound-users <span dir="ltr">&lt;<a href="mailto:unbound-users@unbound.net" target="_blank">unbound-users@unbound.net</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 03/16/2017 07:13 PM, Eric Luehrsen wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
1. BIND runs in a chroot environment. Should I continue this with<br>
Unbound or is this not as much an issue?<br>
<br>
</blockquote>
Yes. Do chroot. Have init-start copy everything to /var/lib/unbound.<br>
Then allow Unbound only to operate there. Have your init-stop script<br>
copy back to /etc/ only non-poisoned updates. Example, double check<br>
RFC5011 root.key file.<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
2. Minimal responses to queries (I see how Unbound does that)<br>
<br>
3. Resolve RFC1918 addresses (we currently forward those to our<br>
authoritative servers and I believe I see how to do this with Unbound)<br>
<br>
</blockquote>
"stub:" clause to authoritative servers that normally respond to<br>
recursive queries. "forward:" clause to other recursive search or<br>
forwarding servers (not authoritative). RFC1918, RFC4193... see the<br>
section on private zone data under "unbound.conf" on the web page.<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
4. Gathering statistics and graphing queries per second (not sure how<br>
to accomplish this)<br>
<br>
</blockquote></blockquote>
<br>
<br></span>
I wanted to thank Eric for taking the time to answer my questions. Testing is going well and I'm putting these suggestions to work.<span class="HOEnZb"><font color="#888888"><br>
<br>
<br>
<br>
Oscar<br>
<br>
</font></span></blockquote></div><br></div>
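<div>An added example, not part of the original e-mail or of the Unbound project: option 1 above (polling <code>unbound-control stats_noreset</code> once per second) turned into a queries-per-second series. It assumes <code>unbound-control</code> is on the PATH with remote-control enabled; the sample texts and the <code>--live</code> switch are constructed for this illustration.</div>

```python
import subprocess
import sys
import time

# Constructed samples in the key=value format printed by `unbound-control stats_noreset`.
SAMPLE_A = "total.num.queries=120000\ntotal.num.cachehits=100000\ntime.now=1490127300.250000\n"
SAMPLE_B = "total.num.queries=120450\ntotal.num.cachehits=100400\ntime.now=1490127301.250000\n"
SAMPLE_RESTART = "total.num.queries=30\ntotal.num.cachehits=10\ntime.now=1490127302.250000\n"

def parse_stats(text):
    """Turn key=value lines into a dict of floats, skipping anything malformed."""
    stats = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep:
            continue
        try:
            stats[key] = float(value)
        except ValueError:
            continue  # not a plain number: ignore rather than crash the collector
    return stats

def rate(prev, curr, counter="total.num.queries"):
    """Per-second rate of a cumulative counter, or None if the pair is unusable."""
    try:
        delta = curr[counter] - prev[counter]
        elapsed = curr["time.now"] - prev["time.now"]
    except KeyError:
        return None
    if elapsed <= 0 or delta < 0:
        return None  # clock step, or counters went backwards (restart or a resetting `stats`)
    return delta / elapsed

def sample(cmd=("unbound-control", "stats_noreset")):
    """Run the control command without a shell; the timeout bounds a hung daemon."""
    out = subprocess.run(cmd, capture_output=True, text=True, check=True, timeout=5)
    return parse_stats(out.stdout)

if __name__ == "__main__":
    print("offline check:", rate(parse_stats(SAMPLE_A), parse_stats(SAMPLE_B)), "queries/s")
    if "--live" in sys.argv:  # emit "timestamp,qps" lines for a graphing tool to ingest
        prev = sample()
        while True:
            time.sleep(1)
            curr = sample()
            qps = rate(prev, curr)
            stamp = int(curr.get("time.now", time.time()))
            print(stamp, "" if qps is None else f"{qps:.1f}", sep=",", flush=True)
            prev = curr
```

Because `stats_noreset` leaves the counters untouched, several collectors can poll the same server without corrupting each other's deltas; a `None` rate marks a gap to leave blank in the graph rather than plot as a spike.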