Configuration of unbound

Contents of /etc/unbound/unbound.conf

server:
    directory: "/etc/unbound"
    username: unbound
    chroot: ""
    logfile: "/etc/unbound/unbound.log"
    verbosity: 1
    pidfile: "/etc/unbound/unbound.pid"
    interface: 127.0.0.1
    do-ip6: no
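    # With "no", a trust-anchored zone that arrives without DNSSEC data is
    # treated as insecure rather than bogus.
    harden-dnssec-stripped: no

    # Still part of the server: clause. Overrides unbound's built-in local zone
    # for this private reverse range so lookups reach the forward-zone below.
    local-zone: "1.168.192.in-addr.arpa." transparent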

forward-zone:
    name: "disruptive.org.uk."
    forward-addr: 192.168.1.254

forward-zone:
    name: "1.168.192.in-addr.arpa."
    forward-addr: 192.168.1.254

remote-control:
    control-enable: yes

To enable remote control initially, run unbound-control-setup once; it generates the keys and certificates that unbound-control uses to talk to the server.

Making it work with VPN

To bring up the VPN and add the DNS servers, use ~/bin/workvpn:

#! /bin/bash
set -x
sudo vpnc
sudo systemctl stop nscd.service
sudo systemctl restart unbound.service
sudo systemctl start nscd.service
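# Forward the VPN-only domains to the VPN resolver. +i also marks each zone
# domain-insecure, so unbound does not DNSSEC-validate answers for it.
sudo unbound-control forward_add +i "microfocus.com" 147.2.2.2
sudo unbound-control forward_add +i "suse.com" 147.2.2.2
sudo unbound-control forward_add +i "novell.com" 147.2.2.2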

To take down the VPN and remove the DNS servers, use ~/bin/vpnoff:

#! /bin/bash
set -x
# forward_remove takes only the zone name; +i also removes the zone's
# domain-insecure entry.
sudo unbound-control forward_remove +i "microfocus.com"
sudo unbound-control forward_remove +i "suse.com"
sudo unbound-control forward_remove +i "novell.com"
sudo vpnc-disconnect
sudo systemctl stop nscd
sudo systemctl restart unbound.service
sudo systemctl start nscd
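
A check for the state the two scripts above are meant to leave behind, as an added example that is not part of the original page: it reads unbound-control list_forwards output and reports VPN zones that are missing or point at the wrong resolver (VPN up), or that are still forwarded (VPN down). The function names, the sample listing and the assumed line format "<zone>. IN forward <addr> ..." are this example's own; the zones and resolver address are the ones used in the scripts.

```shell
#!/bin/bash
# Added example, not from the original page. Zones and resolver are the
# values used in the page's workvpn/vpnoff scripts.
VPN_ZONES="microfocus.com suse.com novell.com"
VPN_DNS="147.2.2.2"

# forward_addrs ZONE: reads list_forwards text on stdin and prints ZONE's
# forward addresses, one per line (nothing if ZONE is not forwarded).
# Assumed line format: "<zone>. IN forward <addr> [<addr> ...]"
forward_addrs() {
    awk -v z="${1%.}." 'tolower($1) == tolower(z) && $3 == "forward" {
        for (i = 4; i <= NF; i++) print $i
    }'
}

# check_vpn_forwards up|down: reads list_forwards text on stdin.
#   up   - every VPN zone must forward to VPN_DNS and nothing else
#   down - no VPN zone may still have a forward (stale entry)
# Prints one line per problem; returns 1 if any were found.
check_vpn_forwards() {
    local state listing zone addrs rc
    state=$1; rc=0
    listing=$(cat)
    for zone in $VPN_ZONES; do
        addrs=$(printf '%s\n' "$listing" | forward_addrs "$zone" | tr '\n' ' ')
        addrs=${addrs% }
        case "$state" in
            up)   if [ "$addrs" != "$VPN_DNS" ]; then
                      echo "BAD $zone: expected $VPN_DNS, got '${addrs:-none}'"
                      rc=1
                  fi ;;
            down) if [ -n "$addrs" ]; then
                      echo "STALE $zone: still forwarded to $addrs"
                      rc=1
                  fi ;;
            *)    echo "usage: check_vpn_forwards up|down" >&2; return 2 ;;
        esac
    done
    return $rc
}

# Constructed sample of list_forwards output with the VPN up.
SAMPLE_UP='disruptive.org.uk. IN forward 192.168.1.254
1.168.192.in-addr.arpa. IN forward 192.168.1.254
microfocus.com. IN forward 147.2.2.2
suse.com. IN forward 147.2.2.2
novell.com. IN forward 147.2.2.2'
```

On a live system, pipe the real listing in: sudo unbound-control list_forwards | check_vpn_forwards up after workvpn, or with down after vpnoff.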

In /etc/sysconfig/network/config:

NETCONFIG_DNS_POLICY=""

This ensures that /etc/resolv.conf stays unchanged:

search disruptive.org.uk
nameserver 127.0.0.1