IT博客汇
  • 首页
  • 精华
  • 技术
  • 设计
  • 资讯
  • 扯淡
  • 权利声明
  • 登录 注册

    编译安装unbound,支持ipv6、ECS

    Joomaen发表于 2024-10-13 13:35:10
    love 0

    安装依赖:

    apt update
    apt install build-essential libssl-dev libexpat1-dev bison flex libevent-dev

    下载unbound源码

    wget <https://nlnetlabs.nl/downloads/unbound/unbound-latest.tar.gz>
    tar -xzvf unbound-latest.tar.gz
    cd unbound-<version>/

    配置编译选项

    ./configure --prefix=/usr/local/unbound --enable-subnet --with-libevent

    编译和安装

    make
    make install

    安装好之后在/usr/local/sbin/unbound

    会自动创建一个systemd service,如果没有就手动创建

    /etc/systemd/system/unbound.service

    内容是这个:

    [Unit]
    Description=Unbound recursive Domain Name Server
    After=syslog.target network.target
    Before=nss-lookup.target
    Wants=nss-lookup.target
    [Service]
    Type=simple
    ExecStart=/usr/local/unbound/sbin/unbound -d -c /etc/unbound/unbound.conf
    Restart=always
    LimitNOFILE=65536
    [Install]
    WantedBy=multi-user.target

    配置文件在/etc/unbound/unbound.conf ,我开启了ECS和ipv6支持

    # The server clause sets the main parameters.
    server:
      username: "unbound"
      chroot: ""
      logfile: "/data/dnslogs/unbound.log"
      log-queries: no
      log-servfail: yes
      log-time-ascii: yes
      use-syslog: no
      verbosity: 1
      interface: 0.0.0.0@53
      interface: ::0@53
      access-control: 0.0.0.0/0 allow
      access-control: ::/0 allow
      do-not-query-localhost: no
      do-ip4: yes
      do-ip6: yes
      do-udp: yes
      do-tcp: yes
      do-daemonize: no
      num-threads: 4
      msg-cache-slabs: 4
      rrset-cache-slabs: 4
      key-cache-slabs: 4
      infra-cache-slabs: 4
      
      #设置 DNSSEC 的信任锚
      auto-trust-anchor-file: "/var/lib/unbound/root.key"
    
      aggressive-nsec: yes
      hide-trustanchor: yes
      hide-version: yes
      hide-identity: yes
      qname-minimisation: yes
      qname-minimisation-strict: no
      minimal-responses: yes
      rrset-roundrobin: yes
      so-reuseport: yes
      infra-cache-numhosts: 10000
      unwanted-reply-threshold: 10000000
      so-rcvbuf: 4m
      so-sndbuf: 4m
      msg-cache-size: 64m
      key-cache-size: 64m
      neg-cache-size: 64m
      rrset-cache-size: 128m
      outgoing-range: 8192
      num-queries-per-thread: 4096
      outgoing-num-tcp: 1024
      incoming-num-tcp: 2048
      jostle-timeout: 300
      cache-min-ttl: 60
      cache-max-ttl: 3600
      cache-max-negative-ttl: 300
      infra-host-ttl: 3600
      serve-expired-ttl: 86400
      serve-expired-reply-ttl: 5
      serve-expired-client-timeout: 1800
      serve-expired: yes
      prefetch: yes
      prefetch-key: yes
      max-udp-size: 4096
      edns-buffer-size: 4096
      send-client-subnet: 0.0.0.0/0
      send-client-subnet: ::0/0
      max-client-subnet-ipv4: 24
      max-client-subnet-ipv6: 56
      client-subnet-always-forward: yes
      module-config: "subnetcache iterator"
    # forward-zone:
    #   name: "."
    #   forward-addr: 127.0.0.1@8053
    #cachedb:
      #backend: "redis"
      #redis-server-path: /dev/shm/redis.sock
      #redis-server-host: 127.0.0.1
      #redis-server-port: 6379
      #redis-timeout: 100

    如果设置了设置 DNSSEC 的信任锚,可以用以下代码更新文件。不过我不管设置与否,都不能完全支持DNSSEC,不过这个不是很在意,没多少网站支持。

    mkdir /var/lib/unbound/
    
    unbound-anchor -a /var/lib/unbound/root.key

    自带的配置文件测试工具,没有报错就重启

    unbound-checkconf /etc/unbound/unbound.conf
    
    systemctl restart unbound.service

    注意:

    该程序占用53端口,如果冲突请自行修改。



沪ICP备19023445号-2号
友情链接