Installing unbound 1.7.x on CentOS 7.x:
# yum install -y epel-release
# yum localinstall openssl-1.0.2k-8.el7.x86_64.rpm openssl-libs-1.0.2k-8.el7.x86_64.rpm
# yum install unbound
Configuration:
# vi /etc/unbound/unbound.conf
server:
    verbosity: 1                       # log verbosity level; 1 is the default
    num-threads: 2                     # number of threads; can be set to the number of CPUs
    interface: 0.0.0.0                 # listen address (usually the internal IP, or 0.0.0.0 for all interfaces)
    interface: ::0
    port: 53                           # port
    so-reuseport: yes                  # open a dedicated listening socket per thread for incoming queries, spreading them evenly across threads
    cache-min-ttl: 93600               # minimum cache time, 26 hours (whatever TTL the authoritative DNS server configures, the TTL returned to clients and kept in the local cache is never below this). bind (named) has no such setting, which is why unbound is recommended here; named is less convenient.
    cache-max-ttl: 604800              # maximum cache time, 7 days
    cache-max-negative-ttl: 3600       # maximum cache time for negative answers, 1 hour
    outgoing-range: 20000              # number of outgoing ports
    access-control: 0.0.0.0/0 allow    # IPv4 range (this answers queries from any IPv4 client, i.e. an open resolver; narrow it to your own networks)
    access-control: ::0/0 allow        # IPv6 range (same caveat for IPv6)
    prefetch: yes                      # prefetch message cache elements before they expire, so the cache stays current
    module-config: "iterator"          # disables the DNSSEC validator module. If it stays enabled, answers are validated and failures such as "info: validation failure <beacons.gvt2.com. A IN>" can appear in the log.
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
    tcp-upstream: no                   # do not use TCP for upstream queries
    so-rcvbuf: 8m                      # SO_RCVBUF socket receive buffer size
    so-sndbuf: 8m                      # SO_SNDBUF socket send buffer size
    msg-cache-size: 1G                 # message cache size in bytes; the default is 4 MB
    rrset-cache-size: 1G               # RRset cache size in bytes
    outgoing-num-tcp: 256              # outgoing TCP buffers allocated per thread
    incoming-num-tcp: 1024             # incoming TCP buffers allocated per thread
    hide-identity: yes                 # do not answer id.server and hostname.bind queries
    hide-version: yes                  # do not answer version.server and version.bind queries
    unwanted-reply-threshold: 1000000  # protection against various network attacks; the value is the recommended one
    # include: "zone.conf"             # zone.conf holds the records to be served locally, written like local-data: "m.Baidu.com A 192.168.10.1" below
    # local-data: "m.Baidu.com 600 A 192.168.10.1"   # 600 is the cache time (TTL) of the record
# python:                              # python scripts can be run here
remote-control:                        # this section configures unbound's control channel, so the service can be started, stopped, reloaded and so on with the unbound-control command
    control-enable: yes
    control-use-cert: no
    control-interface: 127.0.0.1
    control-port: 8953
forward-zone:                          # this section configures forwarding
    name: "."                          # name
    forward-first: yes                 # with no, these servers are only used when resolution through the root name servers (over TCP) is not possible; with yes, the root servers are not queried and the servers in this list are used directly
    forward-addr: 202.96.128.86@53     # external DNS server, format: IP@PORT
    forward-addr: 202.96.134.133
    forward-addr: 202.96.134.33
    forward-addr: 202.96.128.166
    forward-addr: 114.114.114.114
    forward-addr: 114.114.115.115
    forward-addr: 182.254.116.116
    forward-addr: 119.29.29.29
    forward-addr: 180.76.76.76
    forward-addr: 223.5.5.5
    forward-addr: 223.6.6.6
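Three settings in the configuration above change the resolver's security posture: access-control allows every client, module-config "iterator" removes the DNSSEC validator, and the control channel runs without certificates. As an added example (not code from the original page), a small Python audit that parses a minimal copy of this config and flags exactly those settings; the parser, the audit function and the sample text are all constructed here.

```python
import ipaddress

# Constructed sample: the server: and remote-control: settings from this page, trimmed to the keys checked below.
SAMPLE_CONF = """\
server:
    access-control: 0.0.0.0/0 allow   # IPv4 range
    access-control: ::0/0 allow       # IPv6 range
    module-config: "iterator"
remote-control:
    control-enable: yes
    control-use-cert: no
    control-interface: 127.0.0.1
"""

def parse_unbound_conf(text):
    """Return {section: [(key, value), ...]}; comments and quotes are stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if not value:                      # "server:" style section header
            current = key
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append((key, value))
    return sections

def audit(text):
    """List the settings from this page that weaken the resolver."""
    conf = parse_unbound_conf(text)
    server = conf.get("server", [])
    sdict, rc = dict(server), dict(conf.get("remote-control", []))
    findings = []
    for key, value in server:
        net, _, action = value.partition(" ")
        # allowing a /0 prefix makes this an open resolver
        if key == "access-control" and action.startswith("allow") \
                and ipaddress.ip_network(net, strict=False).prefixlen == 0:
            findings.append("open resolver: access-control " + value)
    modules = sdict.get("module-config", "validator iterator").split()
    if "validator" not in modules:          # DNSSEC answers are no longer checked
        findings.append("DNSSEC validation disabled: module-config " + " ".join(modules))
    if rc.get("control-enable") == "yes" and rc.get("control-use-cert") == "no":
        iface = rc.get("control-interface", "127.0.0.1")
        if not ipaddress.ip_network(iface, strict=False).is_loopback:
            findings.append("unauthenticated control interface on " + iface)
    return findings
```

Point it at the real file with `audit(open("/etc/unbound/unbound.conf").read())`; an empty list means none of the three conditions were found.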
Start and stop:
# systemctl enable unbound
# systemctl restart unbound
Remember to save the cache before restarting or reloading, and to load it back once the service is up or has reloaded:
# unbound-control dump_cache > ./unbound_dump_cache-20180919.tmp
# unbound-control reload
# unbound-control load_cache < ./unbound_dump_cache-20180919.tmp
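The dump / reload / load sequence above, written out as an added example that is not part of the original page: a Python wrapper (hypothetical `safe_reload`) that checks the config with unbound-checkconf first, dumps the cache to a 0600 temporary file, reloads, and loads the cache back, aborting before the reload if any earlier step fails. The `run` parameter is an assumption of this example so the sequence can be exercised without a live daemon.

```python
import os
import subprocess
import tempfile

def _run(cmd, **kw):
    """Default runner: the real command-line tools."""
    return subprocess.run(cmd, text=True, **kw)

def safe_reload(run=_run, dump_dir=None):
    """Reload unbound without losing its cache (hypothetical helper).

    'unbound-control reload' flushes the cache, so the cache is dumped
    first and loaded back afterwards; the config is checked with
    unbound-checkconf before anything is touched.  `run` is injectable
    so the sequence can be tested without a live daemon.  Returns the
    list of steps completed.
    """
    steps = []
    check = run(["unbound-checkconf"], capture_output=True)
    if check.returncode != 0:
        raise RuntimeError("config check failed, not reloading: " + check.stderr)
    steps.append("checkconf")
    # mkstemp creates the dump with mode 0600, so cached records are not world-readable
    fd, path = tempfile.mkstemp(prefix="unbound_dump_cache-", dir=dump_dir)
    try:
        with os.fdopen(fd, "w") as out:
            dump = run(["unbound-control", "dump_cache"], stdout=out)
        if dump.returncode != 0:
            raise RuntimeError("cache dump failed, not reloading")
        steps.append("dump_cache")
        rel = run(["unbound-control", "reload"], capture_output=True)
        if rel.returncode != 0:
            raise RuntimeError("reload failed: " + rel.stderr)
        steps.append("reload")
        with open(path) as inp:
            load = run(["unbound-control", "load_cache"], stdin=inp, capture_output=True)
        if load.returncode != 0:
            raise RuntimeError("cache load failed: " + load.stderr)
        steps.append("load_cache")
    finally:
        os.unlink(path)    # the dump is only needed for this reload
    return steps

if __name__ == "__main__":
    print(safe_reload())
```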
Management:
# unbound-control status
# unbound-control stats_noreset
# unbound-control dump_cache
# unbound-control dump_infra
# unbound-control flush "aaa.com"
# unbound-control -h
Usage: unbound-control [options] command
Remote control utility for unbound server.
Options:
-c file config file, default is /etc/unbound/unbound.conf
-s ip[@port] server address, if omitted config is used.
-q quiet (don’t print anything if it works ok).
-h show this usage help.
Commands:
start start server; runs unbound(8)
stop stops the server
reload reloads the server
(this flushes data, stats, requestlist)
stats print statistics
stats_noreset peek at statistics
stats_shm print statistics using shm
status display status of server
verbosity change logging detail
log_reopen close and open the logfile
local_zone add new local zone
local_zone_remove remove local zone and its contents
local_data add local data, for example
local_data www.example.com A 192.0.2.1
local_data_remove remove local RR data from name
local_zones, local_zones_remove, local_datas, local_datas_remove
same, but read list from stdin
(one entry per line).
dump_cache print cache to stdout
load_cache load cache from stdin
lookup print nameservers for name
flush flushes common types for name from cache
types: A, AAAA, MX, PTR, NS,
SOA, CNAME, DNAME, SRV, NAPTR
flush_type flush name, type from cache
flush_zone flush everything at or under name
from rr and dnssec caches
flush_bogus flush all bogus data
flush_negative flush all negative data
flush_stats flush statistics, make zero
flush_requestlist drop queries that are worked on
dump_requestlist show what is worked on by first thread
flush_infra [all | ip] remove ping, edns for one IP or all
dump_infra show ping and edns entries
set_option opt: val set option to value, no reload
get_option opt get option value
list_stubs list stub-zones and root hints in use
list_forwards list forward-zones in use
list_insecure list domain-insecure zones
list_local_zones list local-zones in use
list_local_data list local-data RRs in use
insecure_add zone add domain-insecure zone
insecure_remove zone remove domain-insecure zone
forward_add [+i] zone addr.. add forward-zone with servers
forward_remove [+i] zone remove forward zone
stub_add [+ip] zone addr.. add stub-zone with servers
stub_remove [+i] zone remove stub zone
+i also do dnssec insecure point
+p set stub to use priming
forward [off | addr …] without arg show forward setup
or off to turn off root forwarding
or give list of ip addresses
ratelimit_list [+a] list ratelimited domains
ip_ratelimit_list [+a] list ratelimited ip addresses
+a list all, also not ratelimited
list_auth_zones list auth zones
view_list_local_zones view list local-zones in view
view_list_local_data view list local-data RRs in view
view_local_zone view name type add local-zone in view
view_local_zone_remove view name remove local-zone in view
view_local_data view RR… add local-data in view
view_local_data_remove view name remove local-data in view