Category: Servers & Storage
2015-01-01 22:30:37
Install Unbound FreeBSD
unbound: validating, recursive, and caching DNS resolver

Unbound is designed as a set of modular components, so that also DNSSEC
(secure DNS) validation and stub-resolvers (that do not run as a server, but
are linked into an application) are easily possible.

Goals:
  * A validating recursive DNS resolver.
  * Code diversity in the DNS resolver monoculture.
  * Drop-in replacement for BIND apart from config.
  * DNSSEC support.
  * Fully RFC compliant.
  * High performance, even with validation enabled.
  * Used as: stub resolver, full caching name server, resolver library.
  * Elegant design of validator, resolver, cache modules.
      o provide the ability to pick and choose modules.
  * Robust.
  * In C, open source: The BSD license.
  * Smallest as possible component that does the job.
  * Stub-zones can be configured (local data or AS112 zones).

Non-goals:
  * An authoritative name server.
  * Too many Features.

WWW:
Configuration Options
===> The following configuration options are available for unbound-1.4.22_5:
     DOCS=on: Build and/or install documentation
     ECDSA=on: Enable ECDSA (elliptic curve) support (OpenSSL >= 1.0)
     GOST=off: Enable GOST support (requires OpenSSL >= 1.0)
     LIBEVENT=off: Build against libevent (devel/libevent2) (BROKEN on >=10)
     MUNIN=off: Install Munin plugin
     PYTHON=off: Python bindings or support
     THREADS=on: Threading support
===> Use 'make config' to modify these settings
To install the port:
    cd /usr/ports/dns/unbound/ && make install clean

To add the package:
    pkg install dns/unbound
cd /usr/local/etc/unbound
wget ftp://ftp.internic.net/domain/named.cache
unbound-control-setup -d /usr/local/etc/unbound
setup in directory /usr/local/etc/unbound
unbound_server.key exists
unbound_control.key exists
create unbound_server.pem (self signed certificate)
create unbound_control.pem (signed client certificate)
Signature ok
subject=/CN=unbound-control
Getting CA Private Key
Setup success. Certificates created. Enable in unbound.conf file to use
chown unbound:wheel unbound_*
chmod 440 unbound_*

Two caveats on these steps. The root-hints file is optional: Unbound carries
compiled-in root hints and uses them whenever root-hints is not set. If you do
install one, a plain-FTP download is unauthenticated, so fetch it over HTTPS
(https://www.internic.net/domain/named.root) and diff it against the previous
copy before putting it in place. unbound-control-setup writes the server and
control keys with their certificates; owning them as the unbound user with mode
440 keeps them readable only by the daemon and root, which is what you want
since the control key is effectively an admin credential for the resolver.
# mkdir /usr/local/etc/unbound/dev
Add unbound_enable="YES" to /etc/rc.conf
ee /usr/local/etc/unbound/unbound.conf
server:
    verbosity: 1
    statistics-interval: 120
    num-threads: 1
    interface: 0.0.0.0
    outgoing-range: 950
    # num-queries-per-thread: (no value on the original page; Unbound rejects a bare key,
    # so the line is commented out and the compiled-in default applies)
    msg-cache-size: 50m
    rrset-cache-size: 100m
    msg-cache-slabs: 4
    rrset-cache-slabs: 4
    cache-max-ttl: 86400
    infra-host-ttl: 60
    infra-lame-ttl: 120
    infra-cache-numhosts: 10000
    infra-cache-lame-size: 10k
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes
    do-daemonize: yes
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 10.1.9.0/24 allow
    chroot: "/usr/local/etc/unbound"
    username: "unbound"
    directory: "/usr/local/etc/unbound"
    logfile: ""
    use-syslog: no
    root-hints: "/usr/local/etc/unbound/named.cache"
    # Download
    dlv-anchor-file: "dlv.isc.org.key"
    identity: "DNS"
    version: "1.4"
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    do-not-query-address: 127.0.0.1/8
    do-not-query-localhost: yes
    module-config: "iterator"
    # zone localhost
    local-zone: "localhost." static
    local-data: "localhost. 10800 IN NS localhost."
    local-data: "localhost. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
    local-data: "localhost. 10800 IN A 127.0.0.1"
    local-zone: "127.in-addr.arpa." static
    local-data: "127.in-addr.arpa. 10800 IN NS localhost."
    local-data: "127.in-addr.arpa. 10800 IN SOA localhost. nobody.invalid. 2 3600 1200 604800 10800"
    local-data: "1.0.0.127.in-addr.arpa. 10800 IN PTR localhost."

forward-zone:
    name: "."
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4
    forward-addr: 208.67.222.222
    forward-addr: 208.67.220.220

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 953
    server-key-file: "/usr/local/etc/unbound/unbound_server.key"
    server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"
    control-key-file: "/usr/local/etc/unbound/unbound_control.key"
    control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"

Points to check before using this file as-is:
  * module-config: "iterator" loads only the iterator, so this resolver does
    not validate DNSSEC at all: the dlv-anchor-file line is read but never
    used, and every answer is accepted exactly as the forwarders return it.
    Unbound's default is module-config: "validator iterator"; keep that default
    and point auto-trust-anchor-file at a root.key inside the chroot (created
    and maintained by unbound-anchor) to get the validation the port
    description promises.
  * dlv-anchor-file: the ISC DLV registry (dlv.isc.org) was emptied in 2017,
    so the line should simply be dropped.
  * forward-zone "." sends every query to the listed public resolvers, so the
    root-hints file is never consulted; once the validator is loaded, Unbound
    still validates the answers a forwarder returns.
  * logfile: "" together with use-syslog: no means nothing is logged at all;
    set use-syslog: yes if you want any trace of what the resolver did.
  * With chroot set, the absolute paths above are only accepted because they
    start with the chroot directory (Unbound strips that prefix); a file
    referenced elsewhere on the filesystem is unreadable after chroot().
  * access-control: Unbound already refuses addresses it has no rule for, so
    the 0.0.0.0/0 refuse line is redundant but harmless. Never change it to
    allow on a host that is reachable from the Internet, since interface:
    0.0.0.0 binds every address and that would make this an open resolver.
A working example for Ubuntu 14.04:

server:
    access-control: 127.0.0.0/8 allow
    access-control: 10.1.9.0/24 allow
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    verbosity: 1
    statistics-interval: 120
    num-threads: 2
    interface: 127.0.0.1
    interface: 10.1.9.18
    outgoing-range: 512
    num-queries-per-thread: 1024
    msg-cache-size: 16m
    rrset-cache-size: 32m
    msg-cache-slabs: 4
    rrset-cache-slabs: 4
    cache-max-ttl: 86400
    infra-host-ttl: 60
    infra-lame-ttl: 120
    infra-cache-numhosts: 10000
    infra-cache-lame-size: 10k
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes
    do-daemonize: yes
    logfile: ""
    use-syslog: no
    identity: "DNS"
    version: "1.4"
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    do-not-query-address: 127.0.0.1/8
    do-not-query-localhost: yes
    module-config: "iterator"
    local-zone: "localhost." static
    local-data: "localhost. 10800 IN NS localhost."
    local-data: "localhost. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
    local-data: "localhost. 10800 IN A 127.0.0.1"
    local-zone: "127.in-addr.arpa." static
    local-data: "127.in-addr.arpa. 10800 IN NS localhost."
    local-data: "127.in-addr.arpa. 10800 IN SOA localhost. nobody.invalid. 2 3600 1200 604800 10800"
    local-data: "1.0.0.127.in-addr.arpa. 10800 IN PTR localhost."

forward-zone:
    name: "."
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4
    forward-addr: 208.67.222.222
    forward-addr: 208.67.220.220

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-interface: 10.1.9.18
    control-port: 953
    server-key-file: "/etc/unbound/unbound_server.key"
    server-cert-file: "/etc/unbound/unbound_server.pem"
    control-key-file: "/etc/unbound/unbound_control.key"
    control-cert-file: "/etc/unbound/unbound_control.pem"

The same module-config: "iterator" problem applies here: auto-trust-anchor-file
points at the root.key the Debian/Ubuntu package keeps in /var/lib/unbound, but
without the validator module that anchor is never used and nothing is
validated. Change the line to module-config: "validator iterator" or delete it
to get the default. control-interface: 10.1.9.18 additionally exposes the
unbound-control port on the LAN; the channel is TLS with client-certificate
authentication, but unless remote management is actually needed keep it on
127.0.0.1 only, and firewall port 953 otherwise.
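Both configurations above look DNSSEC-enabled but are not, and the problems are easy to miss by eye. The script below is an added example written for this page, not code from Unbound or from the original post: it parses the clause/directive layout of unbound.conf and reports the issues discussed above (validator module missing while a trust anchor is configured, a DLV anchor, an allow rule for the whole Internet, remote control listening beyond loopback, and file paths that fall outside the chroot). parse_unbound_conf, audit_unbound_conf, the finding codes and the PAGE_CONF/HARDENED_CONF strings are this example's own inventions; PAGE_CONF is a constructed abbreviation of the FreeBSD config with each value rejoined to its key, and the /usr/local/etc/unbound/root.key path in HARDENED_CONF is an assumed location.

```python
"""Audit an unbound.conf for the mistakes discussed on this page (hypothetical
helper written for this page, not part of Unbound)."""
import ipaddress
from collections import defaultdict

_CLAUSES = {"server", "remote-control", "forward-zone", "stub-zone", "python"}
# Directives whose value is a file that must still be reachable after chroot().
_PATH_KEYS = {"root-hints", "auto-trust-anchor-file", "trust-anchor-file", "dlv-anchor-file",
              "server-key-file", "server-cert-file", "control-key-file", "control-cert-file"}


def parse_unbound_conf(text):
    """Return {clause: [(key, value), ...]} with '#' comments and quotes stripped.
    A bare key with no value (like 'num-queries-per-thread:' on this page) is a
    ValueError, just as unbound-checkconf rejects it."""
    clauses, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in _CLAUSES and value == "":
            current = key          # clause header such as "server:"
        elif not sep or current is None:
            raise ValueError("line outside any clause: %r" % raw)
        elif value == "":
            raise ValueError("directive %r has no value" % key)
        else:
            clauses[current].append((key, value.strip('"')))
    return dict(clauses)


def audit_unbound_conf(text):
    """Return [(code, message), ...]; an empty list means no finding."""
    cfg = parse_unbound_conf(text)
    server, rcontrol = cfg.get("server", []), cfg.get("remote-control", [])

    def every(clause, key):            # all values of a repeatable directive
        return [v for k, v in clause if k == key]

    def last(clause, key, default):    # Unbound keeps the last occurrence
        return (every(clause, key) or [default])[-1]

    findings = []
    # 1. Validation happens only if the validator module is loaded (Unbound's
    #    default is "validator iterator"); a trust anchor by itself does nothing.
    modules = last(server, "module-config", "validator iterator").split()
    anchors = [k for k in ("auto-trust-anchor-file", "trust-anchor-file",
                           "trusted-keys-file", "dlv-anchor-file") if every(server, k)]
    if "validator" not in modules:
        note = " (%s loaded but unused)" % ", ".join(anchors) if anchors else ""
        findings.append(("no-validation", "module-config %r lacks 'validator': "
                         "no DNSSEC validation%s" % (" ".join(modules), note)))
    # 2. ISC emptied the DLV registry (dlv.isc.org) in 2017; the anchor adds nothing.
    if every(server, "dlv-anchor-file"):
        findings.append(("dlv", "dlv-anchor-file is set; DLV is decommissioned"))
    # 3. An 'allow' on a zero-length prefix makes this an open resolver.
    for entry in every(server, "access-control"):
        net, _, action = entry.partition(" ")
        prefix = ipaddress.ip_network(net, strict=False).prefixlen
        if action.strip().startswith("allow") and prefix == 0:
            findings.append(("open-resolver", "access-control %r allows everyone" % entry))
    # 4. unbound-control authenticates with client certs, but keep it on loopback
    #    (a value starting with "/" is a unix socket in newer Unbound, not a listener).
    if last(rcontrol, "control-enable", "no") == "yes":
        for addr in every(rcontrol, "control-interface"):
            if not addr.startswith("/") and not ipaddress.ip_address(addr).is_loopback:
                findings.append(("control-exposed", "control-interface %s exposes port %s"
                                 % (addr, last(rcontrol, "control-port", "8953"))))
    # 5. Under chroot an absolute path must start with the chroot dir (Unbound
    #    strips that prefix); anything else is unreadable after chroot().
    chroot = last(server, "chroot", "").rstrip("/")
    if chroot:
        for k, v in server + rcontrol:
            if k in _PATH_KEYS and v.startswith("/") and not v.startswith(chroot + "/"):
                findings.append(("chroot-path", "%s %r is outside chroot %r" % (k, v, chroot)))
    return findings


# Constructed sample: the FreeBSD config above, abbreviated, values rejoined to keys.
PAGE_CONF = """\
server:
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    chroot: "/usr/local/etc/unbound"
    root-hints: "/usr/local/etc/unbound/named.cache"
    dlv-anchor-file: "dlv.isc.org.key"
    module-config: "iterator"
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 953
"""
# Same config with validation switched on and DLV replaced by an RFC 5011 root
# anchor kept inside the chroot (assumed path, as produced by unbound-anchor).
HARDENED_CONF = (PAGE_CONF
                 .replace('module-config: "iterator"', 'module-config: "validator iterator"')
                 .replace('dlv-anchor-file: "dlv.isc.org.key"',
                          'auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"'))
```

Run audit_unbound_conf on the text of your unbound.conf; PAGE_CONF reports no-validation and dlv, HARDENED_CONF reports nothing. The script only covers the semantic mistakes discussed on this page; syntax and unknown directives are still the job of unbound-checkconf, which you should run before every restart.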