Can I change control-enable: yes to no?

That option is "no" by default, see here: https://nlnetlabs.nl/documentation/unbound/unbound.conf/
Unless you have an external script/addon controlling unbound, you don't need it.
When people use this option they usually set control-interface: 127.0.0.1, which prevents anyone outside from accessing it anyway while still having the control interface.
 

Disable Remote Connections Unbound

To disable remote connections in Unbound, you need to modify the remote-control: section in your Unbound configuration file. Specifically, you should set control-enable to no. Here is an example of how to configure this:

remote-control:
    control-enable: no

This configuration disables the remote control facility, preventing the use of the unbound-control utility to send commands to the running Unbound server. If you have already set up the necessary keys and certificates, you should also ensure that the remote-control: section is properly commented out or removed to prevent any unintended access.

Additionally, if you have any forwarders or stub zones configured to use TLS, you should disable those as well to ensure no remote connections are made. This can be done by setting tls-upstream to no in the respective zones.

If you have previously enabled remote control and set up the necessary files using unbound-control-setup, you may need to remove or modify those files to ensure they do not interfere with the new configuration.

After making these changes, restart the Unbound service to apply the new settings:

This will ensure that remote connections are disabled and that Unbound operates without the remote control facility.
 
Sorry, just noticed: it's needed to interface it and see stats on the LAN side, if I'm correct, or could it be set up to be seen outside the network?
 
remote-control:
    control-enable: yes
    control-use-cert: no # v1.08 Default "Fast Menu" ENABLED v1.07 Martineau "Fast Menu"
    control-interface: 127.0.0.1
    control-port: 953
    server-key-file: "/opt/var/lib/unbound/unbound_server.key"
    server-cert-file: "/opt/var/lib/unbound/unbound_server.pem"
    control-key-file: "/opt/var/lib/unbound/unbound_control.key"
    control-cert-file: "/opt/var/lib/unbound/unbound_control.pem"
 
In Unbound, the control-enable: yes setting enables remote control functionality, allowing you to manage the Unbound daemon using the unbound-control command. This includes starting, stopping, and reloading Unbound, as well as other administrative tasks. To use this feature, you need to ensure that the necessary cryptographic keys are created using the unbound-control-setup command. These keys are required for secure communication between the Unbound daemon and the control program.

If you decide to disable control-enable: yes, you simply set it to no in the configuration file. However, this will disable the remote control functionality, which might be useful for security reasons but will also limit your ability to manage Unbound remotely.
 
To me, the config from that repository is pretty much hardened already.
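
As an added example (not part of the thread and not code from Unbound or the repository mentioned above), this is one way to check the point made in the replies: an enabled control channel is only a concern when control-interface is not loopback, and more so with control-use-cert: no. The function names are made up for illustration, the sample config is constructed, the defaults are the ones given in the unbound.conf documentation, and the parser assumes one option per line.

```python
import ipaddress

# Constructed sample modelled on the block posted in the thread (not a real router's file).
SAMPLE = """\
remote-control:
    control-enable: yes
    control-use-cert: no   # plain TCP, no TLS
    control-interface: 127.0.0.1
    control-port: 953
"""

def parse_remote_control(text):
    """Collect remote-control: options; assumes one option per line."""
    opts, in_rc = {}, False
    for raw in text.splitlines():
        key, sep, val = raw.split("#", 1)[0].partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if not sep or not key:
            continue
        if not val:  # clause header such as "server:" or "remote-control:"
            in_rc = key == "remote-control"
        elif in_rc:
            opts.setdefault(key, []).append(val)
    return opts

def is_local(iface):
    """True for a unix socket path or a loopback IP address."""
    if iface.startswith("/"):
        return True
    try:
        return ipaddress.ip_address(iface).is_loopback
    except ValueError:
        return False  # e.g. an interface name: cannot be shown to be local here

def audit(text):
    """Return findings for a control channel reachable beyond the local host."""
    opts = parse_remote_control(text)
    if opts.get("control-enable", ["no"])[-1] != "yes":
        return []  # control channel off, which is the default
    ifaces = opts.get("control-interface", ["127.0.0.1", "::1"])
    exposed = [i for i in ifaces if not is_local(i)]
    findings = []
    if exposed:
        findings.append("control-interface not loopback: " + ", ".join(exposed))
        if opts.get("control-use-cert", ["yes"])[-1] == "no":
            findings.append("control-use-cert: no on a non-loopback interface")
    return findings
```

Calling audit() on the text of the posted configuration returns an empty list, because the channel is bound to 127.0.0.1.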
 
