Setting up Unbound on Ubuntu 20.04
Environment
host: Ubuntu server 20.04
lxc: 4.0.9
guest: Ubuntu:20.04
Parameters

| key | value |
|---|---|
| timezone | Asia/Tokyo |
| editor | vim-nox |
| ip address | 192.168.100.244/24 |
| gateway | 192.168.100.254 |
| dns | 127.0.0.1, 127.0.0.53 (the systemd-resolved stub) |
| upstream dns | root (full recursion from the root servers, no forwarder) |
About the lxc container
The ip / timezone / editor settings are assumed to be done already.
Installing Unbound
```
sudo apt install -y unbound
unbound -V
```
version
```
root@unbound01:~# unbound -V
Version 1.9.4

Configure line: --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-silent-rules --libdir=${prefix}/lib/x86_64-linux-gnu --libexecdir=${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking --disable-rpath --with-pidfile=/run/unbound.pid --with-rootkey-file=/var/lib/unbound/root.key --with-libevent --with-pythonmodule --enable-subnet --enable-dnstap --enable-systemd --with-chroot-dir= --with-dnstap-socket-path=/run/dnstap.sock --libdir=/usr/lib
Linked libs: libevent 2.1.11-stable (it uses epoll), OpenSSL 1.1.1f  31 Mar 2020
Linked modules: dns64 python subnetcache respip validator iterator

BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues
root@unbound01:~#
```
Configuring Unbound
qname-minimisation.conf
```
cd /etc/unbound/
vim unbound.conf.d/qname-minimisation.conf
```
Here is what I ended up with. One detail to watch: an explicit `interface:` line replaces Unbound's default of listening on localhost only, so the LAN address alone would leave `dig @127.0.0.1` (and the `dns` entry in the parameter table) with nothing to talk to; the extra `interface: 127.0.0.1` line keeps that working. Localhost is already allowed by the default `access-control` rules, so only the LAN range needs an explicit entry.
```
root@unbound01:/etc/unbound# cat unbound.conf.d/qname-minimisation.conf
server:
    # Send minimum amount of information to upstream servers to enhance
    # privacy. Only sends minimum required labels of the QNAME and sets
    # QTYPE to NS when possible.
    # See RFC 7816 "DNS Query Name Minimisation to Improve Privacy" for
    # details.
    #
    qname-minimisation: yes

    # allow local address (127.0.0.0/8 is allowed by default)
    access-control: 192.168.100.0/24 allow

    # listen interfaces: the LAN address and localhost
    interface: 192.168.100.244
    interface: 127.0.0.1

    # hide version
    hide-version: yes
    hide-identity: yes

    root-hints: root.hints
root@unbound01:/etc/unbound#
```
Prepare root.hints so that Unbound iterates from the root servers itself
```
curl -fsS --output /etc/unbound/root.hints https://www.internic.net/domain/named.cache
```
`-f` makes curl fail on an HTTP error instead of saving the error page as root.hints. The `root-hints: root.hints` path in the config is relative to Unbound's working directory (`directory:`, /etc/unbound on this package). Unbound also ships with a compiled-in copy of the root hints, so the file is optional; apparently it is a good idea to refresh it about once every six months.
syntax check
```
unbound-checkconf
```
Restart
```
systemctl restart unbound.service
```
Check with dig
```
dig @127.0.0.1 twitter.com
dig @192.168.100.244 yahoo.com
```
Both should come back with `status: NOERROR`. With `hide-version` and `hide-identity` set, `dig @192.168.100.244 version.bind CH TXT` and `dig @192.168.100.244 id.server CH TXT` should be REFUSED instead of returning the version string or host name.
Make dig +trace work
`dig +trace` sends its queries with recursion disabled, and for clients covered by `allow` Unbound refuses non-recursive queries, so the first hop comes back REFUSED. `allow_snoop` grants non-recursive access as well:
```
# allow local address
# access-control: 192.168.100.0/24 allow
access-control: 192.168.100.0/24 allow_snoop
```
The name is a warning: non-recursive queries let a client find out what is in the cache (cache snooping), which is why this is not the default. Keep it limited to the trusted LAN range as here, or switch back to `allow` once you are done tracing.
Restart
```
unbound-checkconf
systemctl restart unbound.service
```
dig +trace test
```
dig +trace google.com
```
Note that `+trace` only asks Unbound for the root NS set and then walks the delegation chain itself, contacting the authoritative servers directly; what it verifies here is the non-recursive access, not Unbound's own iteration.
Resolving the names of local servers
I put the entries in /etc/unbound/unbound.conf.d/local-data.conf
For the domain suffix it is safest to use a domain name you actually registered: a made-up suffix can collide with names that later appear on the public internet, and `.local` is reserved for mDNS. Like the other files in unbound.conf.d, the fragment has to begin with `server:`, because the included files are parsed as one configuration.
```
root@unbound01:/etc/unbound# cat unbound.conf.d/local-data.conf
server:
    # local domain
    local-data: "xynology01.example.com. IN A 192.168.100.245"
    local-data: "cachedns01.example.com. IN A 192.168.100.244"
    local-data: "adguard01.example.com. IN A 192.168.100.248"
root@unbound01:/etc/unbound#
```
Restart
```
unbound-checkconf
systemctl restart unbound.service
```
Reverse lookups
```
root@unbound01:/etc/unbound# cat unbound.conf.d/local-data.conf
server:
    # transparent: answer from local-data when there is a match,
    # otherwise resolve the query normally upstream
    local-zone: "example.com." transparent

    # local domain
    # <domain> [TTL] IN <type> <value>
    local-data: "xynology.example.com. IN A 192.168.100.245"
    local-data: "cachedns.example.com. IN A 192.168.100.244"
    local-data: "adguard.example.com. IN A 192.168.100.248"

    # ptr
    # <ip> [TTL] <domain>.
    local-data-ptr: "192.168.100.245 300 xynology.example.com."
    local-data-ptr: "192.168.100.244 300 cachedns.example.com."
    local-data-ptr: "192.168.100.248 300 adguard.example.com."
root@unbound01:/etc/unbound#
```
The `local-zone` name has to be the suffix the `local-data` entries actually use; an unrelated zone name there does nothing for them. The PTR targets are written fully qualified with a trailing dot, matching the A records.
Restart
```
unbound-checkconf
systemctl restart unbound.service
systemctl status unbound.service | cat
```
`dig @192.168.100.244 -x 192.168.100.245` should now return the PTR record, and `dig @192.168.100.244 xynology.example.com` the A record.
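The two listings above maintain the forward and reverse entries by hand, which is how the zone name, the host names and the trailing dots drift apart between revisions. As an added example (not from the original post), here is a POSIX shell script that generates the whole local-data.conf fragment from one host list, so that every A record gets a PTR with the same fully qualified name, and that refuses malformed lines before unbound-checkconf ever sees them. The zone example.com, the three hosts and the 300 second TTL are taken from the post; the function names, the host-list format and the output layout are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: generate local-data.conf
# from one host list so the forward A records, the PTR records and the
# local-zone line cannot drift apart. Zone, hosts and TTL come from the
# post; function names and layout are this example's own.
set -eu

ZONE="example.com"
TTL=300

# Constructed host list, one "<ipv4> <short hostname>" per line.
HOSTS='192.168.100.245 xynology
192.168.100.244 cachedns
192.168.100.248 adguard'

# Owner name that `dig -x` asks for:
# 192.168.100.245 -> 245.100.168.192.in-addr.arpa.
ptr_name() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# Refuse lines that are not "<dotted quad> <label>" before Unbound sees
# them: exactly four octets of 0-255 and a single label without dots.
validate_hosts() {
    printf '%s\n' "$1" | awk '
        NF == 0 { next }
        NF != 2 { exit 1 }
        {
            if (split($1, o, ".") != 4) exit 1
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) exit 1
            if ($2 !~ /^[A-Za-z0-9-]+$/) exit 1
        }'
}

# Emit the unbound.conf.d fragment. Every fragment starts with "server:",
# and all names are fully qualified (trailing dot) so none is relative.
local_data_conf() {
    zone="$1"
    ttl="$2"
    hosts="$3"
    validate_hosts "$hosts"
    printf 'server:\n'
    printf '    # transparent: answer from local-data on a match, resolve the rest upstream\n'
    printf '    local-zone: "%s." transparent\n' "$zone"
    printf '%s\n' "$hosts" | while read -r ip host; do
        [ -n "$ip" ] || continue
        fqdn="$host.$zone."
        printf '    local-data: "%s %s IN A %s"\n' "$fqdn" "$ttl" "$ip"
        printf '    local-data-ptr: "%s %s %s"\n' "$ip" "$ttl" "$fqdn"
    done
}

# Stand-alone use: print the fragment, e.g.
#   ./gen-local-data.sh > /etc/unbound/unbound.conf.d/local-data.conf
local_data_conf "$ZONE" "$TTL" "$HOSTS"
```

Redirect the output into /etc/unbound/unbound.conf.d/local-data.conf, then run unbound-checkconf and restart as above. `ptr_name` gives the owner name that `dig -x` queries, which is handy when comparing the PTR answers against the generated `local-data-ptr` lines.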
Updating root.hints with a systemd timer
Create the service, /etc/systemd/system/roothint.service
```
root@unbound01:/etc/unbound# cat /etc/systemd/system/roothint.service
[Unit]
Description=Update root hints for unbound
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/bin/curl -fsS -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache
ExecStartPost=/usr/sbin/unbound-control reload
root@unbound01:/etc/unbound#
```
`-f` matters here too: without it a 404 or a captive-portal page would be written over root.hints and the reload that follows would choke on it. `unbound-control reload` needs the remote-control interface to be enabled, so confirm that `unbound-control status` works before relying on it. The unit waits for network-online.target rather than network.target because `Persistent=true` on the timer below fires a missed run shortly after boot, when the network may not be up yet.
Create the timer, /etc/systemd/system/roothints.timer
```
root@unbound01:/etc/unbound# cat /etc/systemd/system/roothints.timer
[Unit]
Description=Update root.hints monthly

[Timer]
OnCalendar=monthly
Persistent=true
Unit=roothint.service

[Install]
WantedBy=timers.target
root@unbound01:/etc/unbound#
```
Enable the timer
```
systemctl start roothints.timer
systemctl enable roothints.timer
```
`systemctl list-timers roothints.timer` shows the next scheduled run, and `systemctl start roothint.service` runs the update once by hand to check that the service unit works.
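The service above lets curl write straight into the live root.hints, so a failed or partial download breaks the next reload. As an added example (not part of the post and not Unbound's own tooling), here is a POSIX shell script that can replace the ExecStart line: it downloads to a temporary file in the same directory, checks that the file really is a root hints file (every root NS named in it has A/AAAA glue, and it is not an HTML error page), lets unbound-checkconf parse it when that tool is available, swaps it in atomically and only then reloads. The install path /usr/local/sbin/update-root-hints, the `update` argument, the HINTS_URL and HINTS_FILE variables and the check functions are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: safer replacement for the
# curl line in roothint.service. Assumed install path:
#   /usr/local/sbin/update-root-hints  (ExecStart=/usr/local/sbin/update-root-hints update)
# HINTS_URL, HINTS_FILE and the helper names below are this example's own.
set -eu

HINTS_URL="https://www.internic.net/domain/named.cache"
HINTS_FILE="${HINTS_FILE:-/etc/unbound/root.hints}"

# A usable root hints file lists NS records for "." and A/AAAA glue for
# every ROOT-SERVERS.NET name it mentions. An empty file, an HTML error
# page or a download cut off after the NS block all fail here.
validate_root_hints() {
    f="$1"
    [ -s "$f" ] || return 1
    if grep -qi '<html' "$f"; then
        return 1
    fi
    awk '
        # ".  3600000  NS  A.ROOT-SERVERS.NET."  -> remember the server name
        toupper($1) == "." && toupper($3) == "NS" { ns[toupper($4)] = 1 }
        # "A.ROOT-SERVERS.NET.  3600000  A  198.41.0.4"  -> glue seen
        toupper($3) == "A" || toupper($3) == "AAAA" { glue[toupper($1)] = 1 }
        END {
            n = 0
            for (s in ns) { n++; if (!(s in glue)) exit 1 }
            exit (n == 0)
        }' "$f"
}

# Fetch into a temp file beside the target (same filesystem, so mv is
# atomic), validate, optionally let unbound-checkconf parse it, then
# replace the live file and reload.
update_root_hints() {
    url="$1"
    dest="$2"
    tmp=$(mktemp "$(dirname "$dest")/.root.hints.XXXXXX")
    trap 'rm -f "$tmp" "$tmp.conf"' EXIT
    # --fail turns an HTTP error into a non-zero exit instead of a file
    # holding the error page.
    curl --fail --silent --show-error --max-time 60 --output "$tmp" "$url"
    validate_root_hints "$tmp"
    if command -v unbound-checkconf >/dev/null 2>&1; then
        printf 'server:\n    root-hints: "%s"\n' "$tmp" > "$tmp.conf"
        unbound-checkconf "$tmp.conf"
    fi
    chmod 0644 "$tmp"
    mv -f "$tmp" "$dest"
    # reload needs remote-control; fall back to a restart if it is off.
    unbound-control reload >/dev/null 2>&1 || systemctl restart unbound.service
}

case "${1:-}" in
    update) update_root_hints "$HINTS_URL" "$HINTS_FILE" ;;
esac
```

With the script in place, the service needs only `ExecStart=/usr/local/sbin/update-root-hints update` and no ExecStartPost; a download or validation failure leaves the previous root.hints untouched and shows up as a failed unit in `systemctl status roothint.service`.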