Setting up an unbound DNS server on Linux, step by step
Install unbound 1.7.x on CentOS 7.x:
# yum install -y epel-release
# rpm -Uvh http://rnd.rajven.net/centos/rajven-release-7-1.cnt7.noarch.rpm # this third-party repository carries a more recent unbound build.
# yum localinstall openssl-1.0.2k-8.el7.x86_64.rpm openssl-libs-1.0.2k-8.el7.x86_64.rpm
# yum install unbound
Configuration:
# vi /etc/unbound/unbound.conf
server:
    verbosity: 1 # logging verbosity; 1 is the default
    num-threads: 2 # number of threads; can be set to the number of CPUs
    interface: 0.0.0.0 # listen address (normally the host's internal IP, or 0.0.0.0 for all interfaces)
    interface: ::0
    port: 53 # port
    so-reuseport: yes # open a dedicated listening socket per thread for incoming queries, spreading them more evenly across threads
    cache-min-ttl: 93600 # minimum cache time (whatever TTL the authoritative server sets, the TTL returned to clients and kept in the local cache is never lower than this), 26 hours; bind (named) has no such setting, which makes named less convenient, so unbound is recommended.
    cache-max-ttl: 604800 # maximum cache time, 7 days
    cache-max-negative-ttl: 3600 # cache time for negative answers, 1 hour
    outgoing-range: 20000 # number of outgoing ports
    access-control: 0.0.0.0/0 allow # allow queries from any IPv4 address
    access-control: ::0/0 allow # allow queries from any IPv6 address
    prefetch: yes # message cache entries are prefetched before they expire to keep the cache current
    module-config: "iterator" # disable DNSSEC checking; otherwise validation may fail when forwarding, with errors like: info: validation failure beacons.gvt2.com. A IN.
    do-ip4: yes # enable IPv4
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
    tcp-upstream: no # do not use TCP for upstream queries
    so-rcvbuf: 8m # SO_RCVBUF socket receive buffer size
    so-sndbuf: 8m # SO_SNDBUF socket send buffer size
    msg-cache-size: 1G # message cache size in bytes; the default is 4 MB.
    rrset-cache-size: 1G # RRset cache size in bytes.
    outgoing-num-tcp: 256 # number of outgoing TCP buffers allocated per thread
    incoming-num-tcp: 1024 # number of incoming TCP buffers allocated per thread
    hide-identity: yes # do not answer queries for id.server and hostname.bind.
    hide-version: yes # do not answer queries for version.server and version.bind.
    unwanted-reply-threshold: 10000000 # protection against unwanted replies from the network; the value shown is the recommended one.
    # include: "zone.conf" # zone.conf holds the local records, e.g. local-data: "m.baidu.com A 192.168.10.1"; records can also be configured in the commented-out form below
    # local-data: "m.baidu.com 600 A 192.168.10.1" # where 600 is the cache time of the record
    # python: # Python scripts can be run here
remote-control: # this clause configures unbound's remote control. With the settings below, the unbound-control command can start, stop, reload, etc. the service.
    control-enable: yes
    control-use-cert: no
    control-interface: 127.0.0.1
    control-port: 8953
forward-zone: # this clause configures forwarding
    name: "." # zone name
    forward-first: yes # set to no, these servers are used only when TCP resolution via the root name servers is not possible; set to yes, the root servers are not queried and the servers in this list are used directly.
    forward-addr: 202.96.128.86@53 # upstream DNS server, format: IP@PORT
    forward-addr: 202.96.134.133
    forward-addr: 202.96.134.33
    forward-addr: 202.96.128.166
    forward-addr: 114.114.114.114
    forward-addr: 114.114.115.115
    forward-addr: 182.254.116.116
    forward-addr: 119.29.29.29
    forward-addr: 180.76.76.76
    forward-addr: 223.5.5.5
    forward-addr: 223.6.6.6
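As an added example (not part of the original article), a small Python linter that parses the unbound.conf clauses above and flags the settings a defender would want to reconsider before exposing the resolver: the allow-all access-control on a wildcard interface (an open resolver), the iterator-only module-config that drops DNSSEC validation, the very large cache-min-ttl, and an unauthenticated remote-control bound beyond loopback. The parser, the thresholds and the embedded sample configuration are constructed here, not unbound's own code.

```python
from typing import Dict, List, Tuple
# Constructed sample: the security-relevant lines of the unbound.conf above, comments removed.
SAMPLE_CONF = """\
server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow
    module-config: "iterator"
    cache-min-ttl: 93600
remote-control:
    control-use-cert: no
    control-interface: 127.0.0.1
"""

def parse_conf(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group 'key: value' lines under their clause; '#' comments are dropped, repeated keys kept."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if not value:  # a line with no value opens a clause such as "server:"
            current = sections.setdefault(key, [])
        else:
            current.append((key, value))
    return sections

def values(section: List[Tuple[str, str]], key: str) -> List[str]:
    return [v for k, v in section if k == key]

def lint(text: str) -> List[Tuple[str, str]]:
    # Returns (code, message) findings for settings that weaken the resolver.
    conf = parse_conf(text)
    srv, rc = conf.get("server", []), conf.get("remote-control", [])
    out: List[Tuple[str, str]] = []
    listens_all = any(v in ("0.0.0.0", "::0", "::") for v in values(srv, "interface"))
    allows_all = any(v.split()[0] in ("0.0.0.0/0", "::0/0", "::/0") and v.split()[-1] == "allow"
                     for v in values(srv, "access-control"))
    if listens_all and allows_all:
        out.append(("open-resolver", "answers any client on every interface; restrict access-control to your own prefixes"))
    if any("validator" not in v for v in values(srv, "module-config")):
        out.append(("no-dnssec", "module-config lacks 'validator'; a forged answer for a signed zone is accepted and cached"))
    for v in values(srv, "cache-min-ttl"):
        if int(v) > 3600:
            out.append(("ttl-override", f"cache-min-ttl {v}s overrides authoritative TTLs; changed records stay stale up to {int(v) // 3600} h"))
    if values(rc, "control-use-cert") == ["no"] and any(
            not (i.startswith("127.") or i == "::1" or i.startswith("/")) for i in values(rc, "control-interface")):
        out.append(("plain-control", "unauthenticated remote-control bound beyond loopback; keep 127.0.0.1 or enable certificates"))
    return out
```

Run lint() on the real /etc/unbound/unbound.conf contents before unbound-control reload; the sample above yields the open-resolver, no-dnssec and ttl-override findings, while the loopback-only remote-control passes.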
Start and stop:
# systemctl enable unbound
# systemctl restart unbound
Remember to save the cache before restarting or reconfiguring, and load it back after the restart or reload:
# unbound-control dump_cache > ./unbound_dump_cache-20180919.tmp
# unbound-control reload
# unbound-control load_cache < ./unbound_dump_cache-20180919.tmp
Management:
# unbound-control status
# unbound-control stats_noreset
# unbound-control dump_cache
# unbound-control dump_infra
# unbound-control flush "aaa.com"
# unbound-control -h
Usage: unbound-control [options] command
Remote control utility for unbound server.
Options:
-c file config file, default is /etc/unbound/unbound.conf
-s ip[@port] server address, if omitted config is used.
-q quiet (don't print anything if it works ok).
-h show this usage help.
Commands:
start start server; runs unbound(8)
stop stops the server
reload reloads the server
(this flushes data, stats, requestlist)
stats print statistics
stats_noreset peek at statistics
stats_shm print statistics using shm
status display status of server
verbosity <number> change logging detail
log_reopen close and open the logfile
local_zone <name> <type> add new local zone
local_zone_remove <name> remove local zone and its contents
local_data <RR data...> add local data, for example
local_data www.example.com A 192.0.2.1
local_data_remove <name> remove local RR data from name
local_zones, local_zones_remove, local_datas, local_datas_remove
same, but read list from stdin
(one entry per line).
dump_cache print cache to stdout
load_cache load cache from stdin
lookup <name> print nameservers for name
flush <name> flushes common types for name from cache
types: A, AAAA, MX, PTR, NS,
SOA, CNAME, DNAME, SRV, NAPTR
flush_type <name> <type> flush name, type from cache
flush_zone <name> flush everything at or under name
from rr and dnssec caches
flush_bogus flush all bogus data
flush_negative flush all negative data
flush_stats flush statistics, make zero
flush_requestlist drop queries that are worked on
dump_requestlist show what is worked on by first thread
flush_infra [all | ip] remove ping, edns for one IP or all
dump_infra show ping and edns entries
set_option opt: val set option to value, no reload
get_option opt get option value
list_stubs list stub-zones and root hints in use
list_forwards list forward-zones in use
list_insecure list domain-insecure zones
list_local_zones list local-zones in use
list_local_data list local-data RRs in use
insecure_add zone add domain-insecure zone
insecure_remove zone remove domain-insecure zone
forward_add [+i] zone addr.. add forward-zone with servers
forward_remove [+i] zone remove forward zone
stub_add [+ip] zone addr.. add stub-zone with servers
stub_remove [+i] zone remove stub zone
+i also do dnssec insecure point
+p set stub to use priming
forward [off | addr ...] without arg show forward setup
or off to turn off root forwarding
or give list of ip addresses
ratelimit_list [+a] list ratelimited domains
ip_ratelimit_list [+a] list ratelimited ip addresses
+a list all, also not ratelimited
list_auth_zones list auth zones
view_list_local_zones view list local-zones in view
view_list_local_data view list local-data RRs in view
view_local_zone view name type add local-zone in view
view_local_zone_remove view name remove local-zone in view
view_local_data view RR... add local-data in view
view_local_data_remove view name remove local-data in view