Unbound Unbound Config File(s)

[Zim]

I couldn't find the answer to this with my searches, so posting the question here.

As I understand it, for configuring Unbound, the config file lives here:
/opt/var/lib/unbound/unbound.config

But I find similar config files at other locations:
/opt/etc/unbound/unbound.config
/opt/share/unbound/configs/user.config


1.) What's the difference in the files? They all appear to have similar settings?

2.) To configure settings like "num-threads", "msg-cache-size", "rrset-cache-size" should these be changed in all the locations or only in /opt/var/lib/unbound/unbound.config?

3.) In /opt/var/lib/unbound/unbound.config, setting like "outgoing-range" and "num-queries-per-thread" don't exist. Can these just be added to this file under the # tiny memory cache section? I do see these settings under /opt/etc/unbound/unbound.config, hence the confusion as to which files should be modified. Do these also need to be updated in all locations?

Thanks.

 

[dave14305]

/opt/var/lib/unbound/unbound.conf

This is the only file that matters. The one in /opt/etc/unbound should be a link to the lib file. The user.conf is a backup copy of your main conf. These are made by the unbound-manager script, not unbound itself.

 

[Zim]

This is the only file that matters. The one in /opt/etc/unbound should be a link to the lib file. The user.conf is a backup copy of your main conf. These are made by the unbound-manager script, not unbound itself.

Thanks @dave14305

So, /opt/var/lib/unbound/unbound.config and /opt/share/unbound/configs/user.config should be identical at installation? If changes are made to /opt/var/lib/unbound/unbound.config it should/will not propagate to /opt/share/unbound/configs/user.config?

Comparing /opt/var/lib/unbound/unbound.config and /opt/etc/unbound/unbound.config - they appear totally different. Any changes made to the first appears to have no impact on the latter (don't seem linked). I'm noticing that "outgoing-range" and "num-queries-per-thread" don't exist in first file but exist in the latter.

So the question is, which file do these settings need to be modified in? Should I add the entries in the first file or ONLY modify in the second file?

 

[dave14305]

So the question is, which file do these settings need to be modified in?

Only modify the /opt/var/lib/unbound/unbound.conf. It's the only one of the files mentioned that's actually read by Unbound.

I don't use unbound_manager, so I can't explain the reasoning behind it making extra copies of the config. But you can find the references to the extra files in the unbound_manager.sh script.

 

[SomeWhereOverTheRainBow]

Thanks @dave14305

So, /opt/var/lib/unbound/unbound.config and /opt/share/unbound/configs/user.config should be identical at installation? If changes are made to /opt/var/lib/unbound/unbound.config it should/will not propagate to /opt/share/unbound/configs/user.config?

Comparing /opt/var/lib/unbound/unbound.config and /opt/etc/unbound/unbound.config - they appear totally different. Any changes made to the first appears to have no impact on the latter (don't seem linked). I'm noticing that "outgoing-range" and "num-queries-per-thread" don't exist in first file but exist in the latter.

So the question is, which file do these settings need to be modified in? Should I add the entries in the first file or ONLY modify in the second file?

I concur with @dave14305.

S61Unbound launch file points to "/opt/var/lib/unbound/unbound.config" being the config unbound manager reads from --- check it out for yourself.

Spoiler: ARGS="-c /opt/var/lib/unbound/unbound.conf"

#!/bin/sh
VER="1.01"

# v1.01 08-May-2020 Martineau Allow dnsmasq bypass; (Stop dnsmasq to release '127.0.0.1@53')
if [ "$1" = "start" ] || [ "$1" = "restart" ]; then
        # Wait for NTP before starting
        ntptimer=0
        while [ "$(nvram get ntp_ready)" = "0" ] && [ "$ntptimer" -lt "300" ]; do
                ntptimer=$((ntptimer+1))
                [ "$ntptimer" -eq "1" ] && logger -st "S61unbound" "Waiting for NTP to sync before starting Unbound..."
                sleep 1
        done

        if [ "$ntptimer" -ge "300" ]; then
                logger -st "S61unbound" "NTP failed to sync after 5 minutes - please check immediately!"
                exit 1
        fi
     
        TXT=
        # Default unbound+dnsmasq uses 'port: 53535'; if not then assume dnsmasq bypass ('port 53')
        [ -z "$(grep "^port: 53535" /opt/var/lib/unbound/unbound.conf)" ] && { service stop_dnsmasq; TXT="(bypass dnsmasq)"; } # (Release '127.0.0.1@53')
     
        logger -t S61unbound "$1 Unbound DNS server $TXT $0"    
fi


# set environment PATH to system binaries
export PATH=/sbin:/bin:/usr/sbin:/usr/bin:$PATH
export TZ=$(cat /etc/TZ)
ENABLED=yes
PROCS=unbound
ARGS="-c /opt/var/lib/unbound/unbound.conf"
PREARGS="nohup"
PRECMD=""
POSTCMD="service restart_dnsmasq"
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func

I believe unbound manager does not create a symbolic link between the two. Instead it just uses the one it places in "/opt/var/lib/unbound/" directory.

 

[Zim]

Thank you @dave14305 and @SomeWhereOverTheRainBow for explaining.