Installing and configuring the ECS-enabled version of unbound

it  2026-02-23

System used for the install: release 7.8.2003 (check with `cat /etc/centos-release`; `uname` does not show the full release)

First, test whether the latest unbound release already supports ECS. (Verified: the latest unbound release does not support ECS; it appears that only the ecs branch supports the ECS feature.)

The experiment uses the latest unbound release.

unbound is an open-source local DNS resolver that supports edns-client-subnet (BIND does not support edns-client-subnet).


1. Download

        File name: unbound-latest.tar.gz; the latest version is unbound-1.12.0

        Download page: http://unbound.net/download.html

        Official site: http://unbound.net/index.html

2. Installation


        The dependency packages must be installed first:

        # CentOS:

        sudo yum -y install gcc openssl-devel expat-devel libevent-devel

        ./configure --prefix=/usr/local/unbound --with-pthreads --with-libevent --with-ssl

        --prefix sets the installation directory; the --with options enable the corresponding features.


        make; make install    # build and install

        Option notes:
        --with-pthreads: multithreading support
        --with-libevent: allows a large outgoing port range
        --with-ssl: used to generate the key files

3. Installation paths

        Installation directory: /usr/local/unbound

        Configuration file: /usr/local/unbound/etc/unbound.conf


====================================== unbound configuration and ECS configuration =================================

On the ecs branch, the configure options used for the ECS build are:

./configure --prefix=/data/unbound/svn/build --with-ldns --with-libevent --with-ssl --without-pthreads --enable-subnet

make

make install

That completes the installation.

The configuration format is completely different from BIND's; the following can serve as a reference:

    server:
        verbosity: 1
        statistics-interval: 0
        statistics-cumulative: no
        extended-statistics: yes
        num-threads: 2
        interface: 0.0.0.0
        interface-automatic: no
        access-control: 127.0.0.0/8 allow
        access-control: 192.168.0.0/24 allow
        chroot: ""
        username: "unbound"
        directory: "/etc/unbound"
        log-time-ascii: yes
        pidfile: "/var/run/unbound/unbound.pid"
        harden-glue: yes
        harden-dnssec-stripped: yes
        harden-below-nxdomain: yes
        harden-referral-path: yes
        use-caps-for-id: no
        unwanted-reply-threshold: 10000000
        prefetch: yes
        prefetch-key: yes
        rrset-roundrobin: yes
        minimal-responses: yes
        dlv-anchor-file: "/etc/unbound/dlv.isc.org.key"
        trusted-keys-file: /etc/unbound/keys.d/*.key
        auto-trust-anchor-file: "/var/lib/unbound/root.key"
        val-clean-additional: yes
        val-permissive-mode: no
        val-log-level: 1
        local-zone: "111com.net" static
        local-data: "www.111com.net. IN A 192.168.0.103"
        local-data-ptr: "192.168.0.103 www.111com.net"
        local-data: "111com.net. IN MX 5 mail.111com.net"
        local-data: "mail.111com.net. IN A 192.168.0.103"
        include: /etc/unbound/local.d/*.conf

    remote-control:
        control-enable: yes
        server-key-file: "/etc/unbound/unbound_server.key"
        server-cert-file: "/etc/unbound/unbound_server.pem"
        control-key-file: "/etc/unbound/unbound_control.key"
        control-cert-file: "/etc/unbound/unbound_control.pem"

    include: /etc/unbound/conf.d/*.conf

    forward-zone:
        name: .
        forward-addr: 114.114.114.114

Use the unbound-checkconf tool to check the configuration file for syntax errors:

    # unbound-checkconf
    unbound-checkconf: no errors in /etc/unbound/unbound.conf

Of course, it does not have to be this complicated; the following minimal configuration also works:

    server:
        interface: 0.0.0.0                                  # answer on any IP address of this host
        port: 53                                            # answer on port 53
        access-control: 192.168.0.0/16 allow                # answer queries from the 192.168.0.0/16 range
        chroot: "/usr/local/etc/unbound"
        username: "unbound"
        directory: "/usr/local/etc/unbound"
        pidfile: "/usr/local/etc/unbound/unbound.pid"
        root-hints: "/usr/local/etc/unbound/named.cache"    # read the root server hints from this file

(Comments in unbound.conf start with #.) Download named.cache:

    cd /usr/local/etc/unbound
    wget ftp://FTP.INTERNIC.NET/domain/named.cache
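The minimal configuration above listens on every interface and relies on access-control alone to decide who may query. As an added example (not part of the original post and not unbound's own code), the Python below parses the flat `key: value` lines of a server clause, evaluates access-control the way the unbound.conf(5) manual describes it (the most specific netblock wins; clients that match nothing are refused), and flags the combination that turns a resolver into an open resolver. The configuration text inside the block is constructed for this example.

```python
"""Added example: parse unbound server-clause options and evaluate access-control.
Not from the original post or the unbound project. The matching semantics
(longest prefix wins, unmatched clients refused) follow the unbound.conf(5) manual."""
import ipaddress
from collections import defaultdict

# Constructed sample modelled on the minimal configuration above, with one
# extra refuse rule so that the longest-prefix behaviour is visible.
SAMPLE_CONF = """
server:
    interface: 0.0.0.0
    port: 53
    access-control: 192.168.0.0/16 allow    # the office LAN
    access-control: 192.168.99.0/24 refuse  # ...except the guest VLAN
    chroot: "/usr/local/etc/unbound"
    root-hints: "/usr/local/etc/unbound/named.cache"
"""


def parse_server_options(text):
    """Return {option: [values]} for the lines inside the server: clause.
    '#' begins a comment (unbound's syntax); other clauses are skipped."""
    opts = defaultdict(list)
    in_server = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith(":"):            # clause header such as server: or forward-zone:
            in_server = (line == "server:")
            continue
        if not in_server:
            continue
        key, _, value = line.partition(":")
        opts[key.strip()].append(value.strip())
    return dict(opts)


def access_rules(opts):
    """Turn 'access-control: <netblock> <action>' entries into (network, action) pairs."""
    rules = []
    for entry in opts.get("access-control", []):
        netblock, action = entry.split()
        rules.append((ipaddress.ip_network(netblock, strict=False), action))
    return rules


def decide(rules, client_ip):
    """Most specific matching netblock wins; no match means 'refuse', unbound's default."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for net, action in rules:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    return best[1] if best else "refuse"


def open_resolver_warnings(opts):
    """Flag a resolver that listens on all interfaces and allows the whole Internet."""
    warnings = []
    listens_everywhere = any(i in ("0.0.0.0", "::", "::0") for i in opts.get("interface", []))
    for net, action in access_rules(opts):
        if listens_everywhere and net.prefixlen == 0 and action in ("allow", "allow_snoop"):
            warnings.append(f"access-control {net} {action} with interface 0.0.0.0: open resolver")
    return warnings


if __name__ == "__main__":
    options = parse_server_options(SAMPLE_CONF)
    rules = access_rules(options)
    for client in ("192.168.1.10", "192.168.99.5", "10.0.0.1"):
        print(client, "->", decide(rules, client))
    print("warnings:", open_resolver_warnings(options))
```

To check a real file, pass the contents of unbound.conf to parse_server_options. Note that the `//` annotations in the original post are not valid unbound.conf comments; unbound-checkconf will reject them, so annotations must use `#`.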

For the ECS part, add:

    send-client-subnet: 119.97.137.185/32    # the IP is that of the authoritative DNS server; same below
    send-client-subnet: 31.171.133.45/32
    send-client-subnet: 178.162.201.47/32
    send-client-subnet: 60.210.10.52/32
    send-client-subnet: 111.1.42.216/32
    send-client-subnet: 60.55.32.174/32
    send-client-subnet: 119.81.163.56/32
    send-client-subnet: 221.204.224.122/32
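The send-client-subnet entries above tell unbound which authoritative servers may receive the client's subnet. What actually goes on the wire is the EDNS Client Subnet option of RFC 7871 (OPT option code 8). The Python below is an added example, not code from the post or from unbound: it builds that option with the client address truncated to the source prefix length, and parses one back with the consistency checks a resolver should apply before trusting the scope an upstream returns. All addresses used are constructed.

```python
"""Added example: encode and decode the EDNS Client Subnet option (RFC 7871).
Not from the original post or the unbound project; sample addresses are constructed."""
import ipaddress
import struct

ECS_OPTION_CODE = 8          # OPTION-CODE for Client Subnet (RFC 7871 section 6)
FAMILY_IPV4, FAMILY_IPV6 = 1, 2


def build_ecs_option(client_ip, source_prefix, scope_prefix=0):
    """Return the option bytes: code, length, family, source/scope prefix lengths,
    then only ceil(source_prefix/8) address octets with the bits beyond the
    prefix cleared, as RFC 7871 requires. Truncating here (e.g. /24) is what
    keeps the full client address from leaving the resolver."""
    ip = ipaddress.ip_address(client_ip)
    family = FAMILY_IPV4 if ip.version == 4 else FAMILY_IPV6
    if not 0 <= source_prefix <= ip.max_prefixlen:
        raise ValueError("prefix length out of range for address family")
    net = ipaddress.ip_network((ip, source_prefix), strict=False)   # zeroes host bits
    nbytes = (source_prefix + 7) // 8
    addr = net.network_address.packed[:nbytes]
    body = struct.pack("!HBB", family, source_prefix, scope_prefix) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def parse_ecs_option(data):
    """Parse one ECS option, raising ValueError for anything malformed (the cases
    RFC 7871 says deserve FORMERR) so that bad upstream data cannot be cached."""
    if len(data) < 8:
        raise ValueError("option too short")
    code, length = struct.unpack("!HH", data[:4])
    if code != ECS_OPTION_CODE or len(data) != 4 + length:
        raise ValueError("not a well-formed ECS option")
    family, source_prefix, scope_prefix = struct.unpack("!HBB", data[4:8])
    addr = data[8:4 + length]
    full_len = {FAMILY_IPV4: 4, FAMILY_IPV6: 16}.get(family)
    if full_len is None or source_prefix > full_len * 8 or scope_prefix > full_len * 8:
        raise ValueError("bad address family or prefix length")
    if len(addr) != (source_prefix + 7) // 8:
        raise ValueError("address length does not match source prefix")
    padded = addr + b"\x00" * (full_len - len(addr))
    ip = ipaddress.ip_address(padded)
    net = ipaddress.ip_network((ip, source_prefix), strict=False)
    if net.network_address != ip:
        raise ValueError("non-zero bits beyond the source prefix")
    return {"family": family, "source_prefix": source_prefix,
            "scope_prefix": scope_prefix, "network": net}


if __name__ == "__main__":
    opt = build_ecs_option("192.168.0.103", 24)      # constructed client address
    print(opt.hex())                                 # 0008000700011800c0a800
    print(parse_ecs_option(opt))
```

The source prefix length is the privacy knob: with /24 the upstream learns 192.168.0.0/24 and never the host's .103. unbound caps it through the max-client-subnet-ipv4 option (the manual's default is 24), which is why the configuration above does not need to mention the client side at all.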

