Ubuntu – Unbound DNS server does not log anything when I make a query

Tags: dns, logging

I have recently started using Unbound DNS.

I have configured all the things I need properly. But the server doesn't log when I make a query.

I have no errors in the unbound.conf file.

The following is my .conf file:

# The server clause sets the main parameters.
server:
# whitespace is not necessary, but looks cleaner.

# verbosity number, 0 is least verbose. 1 is default.
verbosity: 1

# print statistics to the log (for every thread) every N seconds.
# Set to "" or 0 to disable. Default is disabled.
statistics-interval: 5


interface: 192.168.116.134

# port to answer queries from
port: 53


cache-min-ttl: 400
cache-max-ttl: 86400


# Enable IPv4, "yes" or "no".
do-ip4: yes

# Enable IPv6, "yes" or "no".
# do-ip6: yes

# Enable UDP, "yes" or "no".
do-udp: yes

# Enable TCP, "yes" or "no".
do-tcp: yes



access-control: 0.0.0.0/0 allow

# chroot: "/etc/unbound"


# username: "unbound"


# directory: "/etc/unbound"

# the log file, "" means log to stderr.
# Use of this option sets use-syslog to "no".
logfile: "/var/log/unbound/unbound.log"

forward-zone:
name: "."
forward-addr: 8.8.4.4
forward-addr: 8.8.8.8

The log file does exist in the given directory and I have made the unbound user its owner using chown, but when I make a query the log file is still empty.

Platform: Ubuntu 18 Desktop

Best Answer

I had the same issue today. You do not mention the Linux distro you are using.
This post is geared for Debian/Ubuntu/similar using their repo version.

Remove the CHROOT config directive and make sure BOTH the log file and its parent folder are owned by the unbound user:

sudo chown unbound:unbound /var/log/unbound /var/log/unbound/unbound.log

Still not working for me (or you).
After this I noticed it was still logging to syslog after turning up verbosity to debug. I also noticed the kernel showing that "apparmor" was logging DENIED entries for the unbound log location:

sudo grep DENIED /var/log/syslog

Example in syslog:

Dec 30 16:41:48 ip-192-168-1-1 kernel: [ 1368.641789] audit: type=1400 audit(1577724108.624:29): apparmor="DENIED" operation="open" profile="/usr/sbin/unbound" name="/var/log/unbound/unbound.log" pid=2247 comm="unbound" requested_mask="ac" denied_mask="ac" fsuid=112 ouid=112

So, I added a local override to apparmor.d area:

sudo nano /etc/apparmor.d/local/usr.sbin.unbound

This will create a new /local/ file.
Add this single line to it:

/var/log/unbound/unbound.log rw,

(Yes, with the comma on the end.) Save.

Reload apparmor entries for unbound:

sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.unbound

Restart Unbound:

sudo systemctl restart unbound

Check log:

$ sudo tail -f /var/log/unbound/unbound.log
[1577725445] unbound[2721:0] info: start of service (unbound 1.6.7).

WORKS. If you notice, when syslog logs it, it uses a standard date format. But Unbound's own (non-syslog) logging uses Unix/Epoch time (seconds since 1970) by default. If you wish to have timestamps like syslog, add this to your unbound config and reload the service:

log-time-ascii: yes

If your log location is different, make sure you change all the paths/filenames referenced above.


References:
https://nlnetlabs.nl/documentation/unbound/unbound.conf/
https://wiki.debian.org/AppArmor/Debug
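The answer above spots the denial by reading the syslog line by eye; as an added example (not code from the original answer), here is a small POSIX sh diagnostic that parses AppArmor DENIED audit lines and reports, per profile, which path and access mask were refused, which is exactly what you need to know before writing the local override. The syslog excerpt is constructed to mirror the line quoted above; on a real host you would feed it `sudo grep DENIED /var/log/syslog`.

```shell
#!/bin/sh
# Added example, not code from the original post: extract the fields of
# AppArmor "DENIED" audit lines so the denied path and access mask are
# visible at a glance before writing a local profile override.

# Constructed syslog excerpt, modelled on the line quoted in the answer.
# It mixes a STATUS line, two unbound denials for the same file (different
# pids) and a denial belonging to another profile.
SAMPLE_SYSLOG='Dec 30 16:41:47 host kernel: [ 1368.1] audit: type=1400 audit(1577724107.0:28): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/unbound" pid=2240 comm="apparmor_parser"
Dec 30 16:41:48 host kernel: [ 1368.6] audit: type=1400 audit(1577724108.6:29): apparmor="DENIED" operation="open" profile="/usr/sbin/unbound" name="/var/log/unbound/unbound.log" pid=2247 comm="unbound" requested_mask="ac" denied_mask="ac" fsuid=112 ouid=112
Dec 30 16:41:50 host kernel: [ 1370.2] audit: type=1400 audit(1577724110.2:30): apparmor="DENIED" operation="open" profile="/usr/sbin/unbound" name="/var/log/unbound/unbound.log" pid=2251 comm="unbound" requested_mask="ac" denied_mask="ac" fsuid=112 ouid=112
Dec 30 16:41:51 host kernel: [ 1371.3] audit: type=1400 audit(1577724111.3:31): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/var/log/ntp.log" pid=2260 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0'

# audit_field LINE KEY: print the value of KEY="value" in LINE (empty if absent).
# The leading whitespace anchor keeps a key from matching the tail of a
# longer one (e.g. "mask" inside "denied_mask").
audit_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# denied_for PROFILE: read syslog text on stdin and print one "path mask"
# line per distinct denial recorded for that AppArmor profile.
denied_for() {
    grep 'apparmor="DENIED"' | while IFS= read -r line; do
        [ "$(audit_field "$line" profile)" = "$1" ] || continue
        printf '%s %s\n' "$(audit_field "$line" name)" \
                         "$(audit_field "$line" denied_mask)"
    done | sort -u
}

# On a real host: sudo grep DENIED /var/log/syslog | denied_for /usr/sbin/unbound
printf '%s\n' "$SAMPLE_SYSLOG" | denied_for /usr/sbin/unbound
```

For the sample above this prints a single line, `/var/log/unbound/unbound.log ac`, the path that belongs in `/etc/apparmor.d/local/usr.sbin.unbound`.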