使用 Unbound 创建DNS服务器

 

1 Installing Unbound

下载、安装unbound;

wget http://www.unbound.net/downloads/unbound-latest.tar.gz

tar xvfz unbound-latest.tar.gz

cd unbound-1.0.2/

./configure --prefix=/usr/local

 make
     make install

# 添加 unbound 运行用户组和用户

groupadd unbound

useradd -d /var/unbound -m -g unbound -s /bin/false unbound

mkdir -p /var/unbound/var/run
chown -R unbound:unbound /var/unbound
ln -s /var/unbound/var/run/unbound.pid /var/run/unbound.pid

下载root  nameserver.

 

cd /var/unbound
wget ftp://ftp.internic.net/domain/named.cache

注: root nameserver 记录了各 Top domain 分别是由哪些 DNS server 负责. 比如说要找 www.google.com 时, root nameserver 会告诉 local DNS server 哪部 name server 负责 .com 这个 domain, 然后 local dns 再向负责 .com 的 name server 询问关于 google.com 是哪部 name server 在负责. 最后 local DNS 就可以向负责 google.com 的 name server 问到有关 www. google.com 的资料.

 

2 Configuring Unbound

创建/var/unbound/unbound.conf.  也可以在unbound 源代码下的doc目录中找到一个example.conf.  同样可以访问 http://www.unbound.net/documentation/unbound.conf.html 查看帮助信息.

 

下面添加一个"sip.com"的 zone作为示例配置文件

 

vi /var/unbound/unbound.conf

server:
        verbosity: 1
        interface: 0.0.0.0
        port: 53
        do-ip4: yes
        do-ip6: no
        do-udp: yes
        do-tcp: yes
        do-daemonize: yes
        access-control: 0.0.0.0/0 allow
        #access-control: 0.0.0.0/0 refuse
        #access-control: 127.0.0.0/8 allow
        chroot: "/var/unbound"
        username: "unbound"
        directory: "/var/unbound"
        use-syslog: no
        pidfile: "/var/run/unbound.pid"
        root-hints: "/var/unbound/named.cache"

        local-zone: "sip.com." static
        local-data: "sip.com. 86400 IN SOA primary.sip.com kzy.sip.com. 200809031843 28800 7200 604800 86400"
        local-data: "sip.com. 86400 IN NS primary.sip.com."
        local-data: "sip.com. 86400 IN NS secondary.sip.com."
        local-data: "primary.sip.com. 86400 IN A 192.168.1.7"
        local-data: "secondary.sip.com. 86400 IN A 192.168.1.8"
        local-data: "www.sip.com. 86400 IN A 192.168.1.9"
        local-data: "ftp.sip.com. 86400 IN A 192.168.1.10"

 

 

这里添加了4个域名:

primary.sip.com

secondary.sip.com

www.sip.com

ftp.sip.com

都是IPv4 地址. 可以看出unbound 的zone config 与bind的zone file 实际上差不多，只是没有bind那么简化而已.使用unbound-checkconf 检查配置文件是否有错误:

cd /usr/local/sbin/

./unbound-checkconf unbound.conf
unbound-checkconf: no errors in unbound.conf

运行unbound，这里以debug模式运行:

cd /usr/local/sbin/

./unbound -d -c /var/unbound/unbound.conf -vvvv

......

 

测试unbound:

echo "nameserver 127.0.0.1" > /etc/resolv.conf

dig  primary.sip.com

; <<>> DiG 9.5.0b2 <<>> primary.sip.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18034
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;primary.sip.com.               IN      A

;; ANSWER SECTION:
primary.sip.com.        86400   IN      A       192.168.1.7

;; Query time: 6 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Sep  3 20:03:03 2008
;; MSG SIZE  rcvd: 49

 

dig  secondary.sip.com

; <<>> DiG 9.5.0b2 <<>> secondary.sip.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25490
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;secondary.sip.com.             IN      A

;; ANSWER SECTION:
secondary.sip.com.      86400   IN      A       192.168.1.8

;; Query time: 6 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Sep  3 20:03:03 2008
;; MSG SIZE  rcvd: 51

 

dig  www.sip.com

; <<>> DiG 9.5.0b2 <<>> www.sip.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30835
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.sip.com.                   IN      A

;; ANSWER SECTION:
www.sip.com.            86400   IN      A       192.168.1.9

;; Query time: 6 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Sep  3 20:03:03 2008
;; MSG SIZE  rcvd: 45

 

dig  ftp.sip.com

; <<>> DiG 9.5.0b2 <<>> ftp.sip.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19037
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ftp.sip.com.                   IN      A

;; ANSWER SECTION:
ftp.sip.com.            86400   IN      A       192.168.1.10

;; Query time: 6 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Sep  3 20:03:03 2008
;; MSG SIZE  rcvd: 45

所有测试正常，unbound运行正常！可以添加一个脚本到/etc/init.d/，使用unbound作为system service启动！

 

3 Links

• Unbound: http://www.unbound.net/index.html
• Debian: http://www.debian.org