In an attempt to encourage administrators to minimize their router/firewall's vulnerability surface, the security router does not currently provide a DNS server. However, it's possible to enable Unbound or BIND by following these steps. It requires root access and uses skeleton files. This is not officially supported. The examples below both provides a recursive (caching) DNS and one split-horizon zone.
Start by enabling root access and log in using SSH.
Create/edit /cfg/skel/rc.local (using for example vi) with the following contents
mount -uw / cp /cfg/unbound.conf /var/unbound/etc/ mount -ur / mount_mfs -o nodev,nosuid -s 1024 swap /var/unbound/db unbound-anchor -v unbound
and then create /cfg/unbound.conf with whatever you want as Unbound config; for example
server: interface: 0.0.0.0 interface: ::0 access-control: 0.0.0.0/0 allow auto-trust-anchor-file: "/var/unbound/db/root.key" local-zone: "example.com." static local-data: "www.example.com. IN A 126.96.36.199" local-zone: "1.2.10.in-addr.arpa." static local-data-ptr: "10.2.1.101 reverse.example.com."
Unbound on earlier versions
In security router releases other than 3.4 (OpenBSD 5.6), Unbound is not part of the software and has to be manually installed. However, Mikael Löfstrand has been so kind and created a package. The example below provides a recursive (caching) DNS.
Then run (as root)
# ftp -o /cfg/unbound-install.sh https://github.com/mld/halon-unbound/blob/master/3.1-fox/unbound-install.sh # chmod +x /cfg/unbound-install.sh
Optionally put a customized unbound.conf in /cfg/skel:
# scp unbound.conf firstname.lastname@example.org:/cfg/skel/unbound.conf
Add a startup command to /cfg/skel/rc.local by running
# echo "/cfg/unbound-install.sh &" >> cfg/skel/rc.local
Now we are ready to reboot. Unbound should now start automatically and listen on port 53 (both TCP and UDP) on all available interfaces. As long as there is a working internet connection at boot time, unbound-anchor also downloads and configures the root (.) DNSSEC-key and we also download a named.cache so unbound knows where to look for root servers.