使用 Unbound 创建DNS服务器
1 Installing Unbound
下载、安装unbound;
wget http://www.unbound.net/downloads/unbound-latest.tar.gz
tar xvfz unbound-latest.tar.gz
cd unbound-<?xml:namespace prefix = st1 ns = "urn:schemas-microsoft-com:office:smarttags" /><chsdate year="1899" month="12" day="30" islunardate="False" isrocdate="False" w:st="on">1.0.2</chsdate>/
./configure --prefix=/usr/local
make
make install
# 添加 unbound 运行用户组和用户
groupadd unbound
useradd -d /var/unbound -m -g unbound -s /bin/false unbound
mkdir -p /var/unbound/var/run
chown -R unbound:unbound /var/unbound
ln -s /var/unbound/var/run/unbound.pid /var/run/unbound.pid
下载root nameserver.
<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />
cd /var/unbound
wget ftp://ftp.internic.net/domain/named.cache
注: root nameserver 记录了各 Top domain 分别是由哪些 DNS server 负责. 比如说要找 www.google.com 时, root nameserver 会告诉 local DNS server 哪部 name server 负责 .com 这个 domain, 然后 local dns 再向负责 .com 的 name server 询问关于 google.com 是哪部 name server 在负责. 最后 local DNS 就可以向负责 google.com 的 name server 问到有关 www. google.com 的资料.
2 Configuring Unbound
创建/var/unbound/unbound.conf. 也可以在unbound 源代码下的doc目录中找到一个example.conf. 同样可以访问 http://www.unbound.net/documentation/unbound.conf.html查看帮助信息.
下面添加一个"sip.com"的 zone作为示例配置文件
vi /var/unbound/unbound.conf
verbosity: 1
interface: 0.0.0.0
port: 53
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes
do-daemonize: yes
access-control: 0.0.0.0/0 allow
#access-control: 0.0.0.0/0 refuse
#access-control: 127.0.0.0/8 allow
chroot: "/var/unbound"
username: "unbound"
directory: "/var/unbound"
use-syslog: no
pidfile: "/var/run/unbound.pid"
root-hints: "/var/unbound/named.cache"
local-data: "sip.com. 86400 IN SOA primary.sip.com kzy.sip.com. 200809031843 28800 7200 604800 86400"
local-data: "sip.com. 86400 IN NS primary.sip.com."
local-data: "sip.com. 86400 IN NS secondary.sip.com."
local-data: "primary.sip.com. 86400 IN A 192.168.1.7"
local-data: "secondary.sip.com. 86400 IN A 192.168.1.8"
local-data: "www.sip.com. 86400 IN A 192.168.1.9"
local-data: "ftp.sip.com. 86400 IN A 192.168.1.10"
这里添加了4个域名:
primary.sip.com
secondary.sip.com
www.sip.com
ftp.sip.com
都是IPv4 地址. 可以看出unbound 的zone config 与bind的zone file 实际上差不多,只是没有bind那么简化而已.使用unbound-checkconf 检查配置文件是否有错误:
cd /usr/local/sbin/
./unbound-checkconf unbound.conf
unbound-checkconf: no errors in unbound.conf
运行unbound,这里以debug模式运行:
cd /usr/local/sbin/
./unbound -d -c /var/unbound/unbound.conf -vvvv
......
测试unbound:
echo "nameserver 127.0.0.1" > /etc/resolv.conf
dig primary.sip.com
; <<>> DiG 9.5.0b2 <<>> primary.sip.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18034
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;primary.sip.com. IN A
;; ANSWER SECTION:
primary.sip.com. 86400 IN A 192.168.1.7
;; Query time: 6 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Sep 3 20:03:03 2008
;; MSG SIZE rcvd: 49
dig secondary.sip.com
; <<>> DiG 9.5.0b2 <<>> secondary.sip.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25490
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;secondary.sip.com. IN A
;; ANSWER SECTION:
secondary.sip.com. 86400 IN A 192.168.1.8
;; Query time: 6 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Sep 3 20:03:03 2008
;; MSG SIZE rcvd: 51
dig www.sip.com
; <<>> DiG 9.5.0b2 <<>> www.sip.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30835
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.sip.com. IN A
;; ANSWER SECTION:
www.sip.com. 86400 IN A 192.168.1.9
;; Query time: 6 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Sep 3 20:03:03 2008
;; MSG SIZE rcvd: 45
dig ftp.sip.com
; <<>> DiG 9.5.0b2 <<>> ftp.sip.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19037
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;ftp.sip.com. IN A
;; ANSWER SECTION:
ftp.sip.com. 86400 IN A 192.168.1.10
;; Query time: 6 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Sep 3 20:03:03 2008
;; MSG SIZE rcvd: 45
所有测试正常,unbound运行正常!可以添加一个脚本到/etc/init.d/,使用unbound作为system service启动!
3 Links
- Unbound: http://www.unbound.net/index.html
- Debian: http://www.debian.org