DNS unboundサーバ構築手順(ソースからunbound 1.5.1をインストール) ref: http://qiita.com/na0AaooQ/items/ac0e2f0588c70a12f0c5
$ sudo su -
# vi /etc/sysconfig/network-scripts/ifcfg-eth0
PEERDNS=yes
 ↓
PEERDNS=no
# cp /usr/share/zoneinfo/Asia/Tokyo /etc/localtime
cp: overwrite ‘/etc/localtime’? y
# date
Fri Dec 12 14:27:01 JST 2014
#
# vi /etc/sysconfig/clock
ZONE="UTC"
UTC=true
 ↓
ZONE="Asia/Tokyo"
UTC=false
ARC=false
#
# cp -p /usr/local/src/unbound-1.5.1/contrib/unbound.init /etc/init.d/unbound
# diff /usr/local/src/unbound-1.5.1/contrib/unbound.init /etc/init.d/unbound
# sed -i 's_/usr/sbin/unbound_/usr/local/sbin/unbound_' /etc/init.d/unbound
# chown root:root /etc/init.d/unbound
# chmod 755 /etc/init.d/unbound
# chkconfig --list | grep unbound
# chkconfig --add unbound
# chkconfig unbound on
# chkconfig --list | grep unbound
unbound 0:off 1:off 2:on 3:on 4:on 5:on 6:off
#
# ll /var/unbound/unbound.conf
-rw-r--r-- 1 root root 24367 Jan 8 14:06 /var/unbound/unbound.conf
#
# ll /etc/unbound.conf
ls: cannot access /etc/unbound.conf: No such file or directory
#
# ln -s /var/unbound/unbound.conf /etc/unbound.conf
# ll /etc/unbound.conf
lrwxrwxrwx 1 root root 25 Jan 8 14:14 /etc/unbound.conf -> /var/unbound/unbound.conf
#
# cp -p /var/unbound/unbound.conf /var/unbound/unbound.conf.ORG
# diff /var/unbound/unbound.conf /var/unbound/unbound.conf.ORG
#
# vi /var/unbound/unbound.conf
 (設定を追加・編集する)
# diff /var/unbound/unbound.conf /var/unbound/unbound.conf.ORG
31d30
< num-threads: 2
42,43d40
< interface: 0.0.0.0@53
< interface: ::0@53
51d47
< port: 53
68d63
< outgoing-port-permit: 32768-65535
107d101
< msg-buffer-size: 1311240
112d105
< msg-cache-size: 50m
131d123
< rrset-cache-size: 100m
160d151
< do-ip4: yes
164d154
< do-ip6: no
168d157
< do-udp: yes
172d160
< do-tcp: no
193,198d180
< access-control: 198.51.100.0/24 allow
< access-control: 192.0.2.0/24 allow
< access-control: 127.0.0.1/32 allow
< access-control: 0.0.0.0/0 deny
224d205
< chroot: ""
230d210
< username: "unbound"
236d215
< directory: "/var/unbound"
241d219
< logfile: "/var/log/unbound.log"
246d223
< use-syslog: no
253d229
< log-queries: yes
261d236
< root-hints: "/var/unbound/named.cache"
265d239
< hide-identity: yes
269d242
< hide-version: yes
429d401
< val-permissive-mode: yes
569,570d540
< include: /var/unbound/etc/local.d/*.conf
<
584d553
< control-enable: yes
590d558
< control-interface: 127.0.0.1
594d561
< control-port: 8953
598d564
< server-key-file: "/var/unbound/unbound_server.key"
602d567
< server-cert-file: "/var/unbound/unbound_server.pem"
606d570
< control-key-file: "/var/unbound/unbound_control.key"
610d573
< control-cert-file: "/var/unbound/unbound_control.pem"
641,642d603
<
< include: /var/unbound/etc/conf.d/*.conf
#
# ls -lrta /var/unbound/
total 60
drwxr-xr-x 19 root root 4096 Jan 8 14:06 ..
-rw-r--r-- 1 root root 24367 Jan 8 14:06 unbound.conf.ORG
-rw-r--r-- 1 root root 25411 Jan 8 14:25 unbound.conf
drwxr-xr-x 2 root root 4096 Jan 8 14:25 .
#
# cd /var/unbound/
#
# which unbound-control-setup
/usr/local/sbin/unbound-control-setup
#
# unbound-control-setup
setup in directory /var/unbound
generating unbound_server.key
Generating RSA private key, 1536 bit long modulus
 (中略)
#
# ls -lrta /var/unbound/
total 76
drwxr-xr-x 19 root root 4096 Jan 8 14:06 ..
-rw-r--r-- 1 root root 24367 Jan 8 14:06 unbound.conf.ORG
-rw-r--r-- 1 root root 25411 Jan 8 14:25 unbound.conf
-rw-r----- 1 root root 1277 Jan 8 14:30 unbound_server.key
-rw-r----- 1 root root 1277 Jan 8 14:30 unbound_control.key
-rw-r----- 1 root root 790 Jan 8 14:30 unbound_server.pem
-rw-r----- 1 root root 802 Jan 8 14:30 unbound_control.pem
drwxr-xr-x 2 root root 4096 Jan 8 14:30 .
#
# wget -O "/var/unbound/named.cache" ftp://FTP.INTERNIC.NET/domain/named.cache
# mkdir -p /var/unbound/etc/conf.d
# mkdir -p /var/unbound/etc/local.d
# vi /etc/init.d/unbound
 (中略)
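#######################################
# Unmount a path only when /proc/mounts still lists it as a devtmpfs mount.
# Replaces the old backtick + `wc -l` count with grep -q; /proc/mounts has no
# comment lines, so the former "grep -v ^#" filter was a no-op and is dropped.
# Arguments: $1 - mount point to check and unmount
# Outputs:   none (umount errors are deliberately silenced, as before)
# Returns:   status of the last command; callers ignore it
#######################################
umount_if_mounted() {
  local mnt=$1
  # -F: the path is a literal, not a regex; -- protects against a leading '-'
  if grep -qF -- "devtmpfs ${mnt}" /proc/mounts; then
    umount "$mnt" >/dev/null 2>&1
  fi
}

#######################################
# Stop the unbound daemon and tear down the chroot device mounts.
# Globals:   prog, pidfile, lockfile, rootdir (read; set elsewhere in this
#            init script, outside this excerpt); retval (written)
# Arguments: none
# Outputs:   RH-style status line on stdout
# Returns:   exit status of killproc
#######################################
stop() {
  echo -n $"Stopping $prog: "
  # stop it here, often "killproc $prog"
  killproc -p "$pidfile" "$prog"
  retval=$?
  echo
  [ "$retval" -eq 0 ] && rm -f -- "$lockfile"
  # NOTE(review): unbound.conf on this host sets chroot: "", so these bind
  # mounts are presumably absent and both checks are no-ops; confirm against
  # the start path before relying on them.
  umount_if_mounted "${rootdir}/dev/log"
  umount_if_mounted "${rootdir}/dev/random"
  return "$retval"
}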
 (中略)
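#######################################
# Create /var/log/unbound.log if it does not exist yet.
# unbound.conf points logfile: at this path and the daemon drops to the
# "unbound" user, so the file must be owned by that user before start.
# Globals:   none
# Arguments: none
# Outputs:   diagnostic on stderr when the file cannot be prepared
# Returns:   0 when the file exists (or was created and chowned), 1 on failure
#######################################
make_logfile() {
  local log_path=/var/log/unbound.log
  if [ ! -e "$log_path" ]; then
    # touch/chmod/chown used to fail silently: a missing "unbound" account
    # (it is created later in this procedure) left a root-owned file the
    # daemon cannot open. Report it; callers decide whether to continue.
    # NOTE(review): 644 makes the log world-readable while log-queries: yes
    # records every client query; 640 would be tighter, but the logrotate
    # stanza also uses "create 644 unbound unbound" -- change both together.
    if ! { touch "$log_path" && chmod 644 "$log_path" && chown unbound:unbound "$log_path"; }; then
      echo "Warning: could not create $log_path owned by unbound" >&2
      return 1
    fi
  fi
  return 0
}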
 (中略)
# Dispatch on the requested action (RH init-script convention).
# make_logfile runs before every action that starts, restarts or reloads the
# daemon so that /var/log/unbound.log exists and is owned by "unbound".
case "$1" in
  start)
    rh_status_q && exit 0      # already running: nothing to do
    make_logfile
    start
    ;;
  stop)
    rh_status_q || exit 0      # not running: nothing to do
    stop
    ;;
  restart)
    make_logfile
    restart
    ;;
  reload)
    rh_status_q || exit 7      # LSB 7: program is not running
    make_logfile
    reload
    ;;
  force-reload)
    make_logfile
    force_reload
    ;;
  status)
    rh_status
    ;;
  condrestart|try-restart)
    rh_status_q || exit 0      # only restart when currently running
    make_logfile
    restart
    ;;
  *)
    echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
    exit 2
    ;;
esac
exit $?
# cp -p /etc/passwd /etc/passwd.ORG
# cp -p /etc/shadow /etc/shadow.ORG
# cp -p /etc/group /etc/group.ORG
#
# groupadd -g [unboundグループに指定するgid] unbound
# useradd -u [unboundユーザに指定するuid] -s /sbin/nologin -d /var/unbound -N -g unbound -c 'Unbound DNS Resolver User' unbound
#
# id unbound
uid=XXXXX(unbound) gid=XXXXX(unbound) groups=XXXXX(unbound)
#
# diff /usr/local/src/unbound-1.5.1/contrib/unbound.init /etc/init.d/unbound
24c24
< exec="/usr/sbin/unbound"
---
> exec="/usr/local/sbin/unbound"
78c78,80
< if egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/log' /proc/mounts; then
---
> ## if egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/log' /proc/mounts; then
> MOUNT_CHK=`grep "devtmpfs ${rootdir}/dev/log" /proc/mounts | grep -v ^# | wc -l`
> if [ ${MOUNT_CHK} -ge 1 ] ; then
81c83,85
< if egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/random' /proc/mounts; then
---
> ## if egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/random' /proc/mounts; then
> MOUNT_CHK=`grep "devtmpfs ${rootdir}/dev/random" /proc/mounts | grep -v ^# | wc -l`
> if [ ${MOUNT_CHK} -ge 1 ] ; then
108a113,121
> make_logfile() {
> if [ ! -e "/var/log/unbound.log" ]
> then
> touch /var/log/unbound.log
> chmod 644 /var/log/unbound.log
> chown unbound:unbound /var/log/unbound.log
> fi
> }
>
111a125
> make_logfile
118a133
> make_logfile
122a138
> make_logfile
125a142
> make_logfile
132a150
> make_logfile
#
# vi /var/unbound/etc/conf.d/example.org.conf
forward-zone:
name: "example.org."
forward-addr: XX.XX.XX.2 (unboundサーバを作成したVPCのAmazonProvidedDNSを指定する)
#
# vi /var/unbound/etc/conf.d/100.51.198.in-addr.arpa.conf
forward-zone:
name: "100.51.198.in-addr.arpa."
forward-addr: XX.XX.XX.2 (unboundサーバを作成したVPCのAmazonProvidedDNSを指定する)
#
# vi /var/unbound/etc/local.d/100.51.198.in-addr.arpa.conf
local-zone: "100.51.198.in-addr.arpa." transparent
#
# vi /var/unbound/etc/local.d/example.org.conf
local-zone: "example.org." transparent
#
# vi /etc/resolv.conf
### unboundサーバ自身のIPアドレス
nameserver 127.0.0.1
#
# chown -R unbound:unbound /var/unbound
# unbound-checkconf
unbound-checkconf: no errors in /var/unbound/unbound.conf
#
# ps awux | grep -v grep | grep unbound
#
# /etc/init.d/unbound start
Starting unbound: [ OK ]
#
# ps awux | grep -v grep | grep unbound
unbound 8421 0.0 0.8 136500 8352 ? Ssl 17:00 0:00 /usr/local/sbin/unbound
#
# unbound-control status
version: 1.5.1
verbosity: 1
threads: 2
modules: 2 [ validator iterator ]
uptime: 13 seconds
options: control(ssl)
unbound (pid 8421) is running...
#
# /etc/init.d/unbound reload
#
# unbound-control dump_cache
START_RRSET_CACHE
END_RRSET_CACHE
START_MSG_CACHE
END_MSG_CACHE
EOF
#
# dig +noall +ans route53-test.example.org @127.0.0.1
route53-test.example.org. 1 IN A 198.51.100.10
#
# dig +noall +ans -x 198.51.100.10 @127.0.0.1
10.100.51.198.in-addr.arpa. 1 IN PTR route53-test.example.org.
#
# dig +noall +ans www.google.co.jp @127.0.0.1
www.google.co.jp. 300 IN A 173.194.38.87
www.google.co.jp. 300 IN A 173.194.38.88
www.google.co.jp. 300 IN A 173.194.38.95
www.google.co.jp. 300 IN A 173.194.38.79
#
# dig +noall +ans www.google.com @127.0.0.1
www.google.com. 287 IN A 74.125.235.176
www.google.com. 287 IN A 74.125.235.180
www.google.com. 287 IN A 74.125.235.177
www.google.com. 287 IN A 74.125.235.179
www.google.com. 287 IN A 74.125.235.178
#
# dig +noall +ans www.google.co.jp @127.0.0.1
www.google.co.jp. 192 IN A 74.125.235.183
www.google.co.jp. 192 IN A 74.125.235.191
www.google.co.jp. 192 IN A 74.125.235.184
www.google.co.jp. 192 IN A 74.125.235.175
#
# yum update
# yum -y install openssl-devel
# yum -y install flex
# yum -y install libevent-devel
# yum -y install gcc
# yum -y install expat-devel
# tail -f /var/log/unbound.log
 (中略)
[1420704380] unbound[8530:1] info: 127.0.0.1 route53-test.example.org. A IN
[1420704380] unbound[8530:1] info: 127.0.0.1 10.100.51.198.in-addr.arpa. PTR IN
[1420704380] unbound[8530:1] info: 127.0.0.1 www.google.co.jp. A IN
[1420704380] unbound[8530:1] info: 127.0.0.1 www.google.com. A IN
[1420704380] unbound[8530:1] info: 127.0.0.1 www.google.com. A IN
[1420704380] unbound[8530:1] info: 127.0.0.1 www.google.co.jp. A IN
 (中略)
# /etc/init.d/unbound reload
#
# unbound-control dump_cache
START_RRSET_CACHE
END_RRSET_CACHE
START_MSG_CACHE
END_MSG_CACHE
EOF
#
[exampleuser@notvpcserver ~]$ dig +noall +ans route53-test.example.org @unboundサーバのIPアドレスを指定する
route53-test.example.org. 1 IN A 198.51.100.10
[exampleuser@notvpcserver ~]$
[exampleuser@notvpcserver ~]$ dig +noall +ans -x 198.51.100.10 @unboundサーバのIPアドレスを指定する
10.100.51.198.in-addr.arpa. 1 IN PTR route53-test.example.org.
[exampleuser@notvpcserver ~]$
[exampleuser@notvpcserver ~]$ dig +noall +ans www.google.com @unboundサーバのIPアドレスを指定する
www.google.com. 300 IN A 74.125.235.179
www.google.com. 300 IN A 74.125.235.178
www.google.com. 300 IN A 74.125.235.180
www.google.com. 300 IN A 74.125.235.177
www.google.com. 300 IN A 74.125.235.176
[exampleuser@notvpcserver ~]$
[exampleuser@notvpcserver ~]$ dig +noall +ans www.google.co.jp @unboundサーバのIPアドレスを指定する
www.google.co.jp. 300 IN A 74.125.235.191
www.google.co.jp. 300 IN A 74.125.235.184
www.google.co.jp. 300 IN A 74.125.235.183
www.google.co.jp. 300 IN A 74.125.235.175
[exampleuser@notvpcserver ~]$
# which unbound-control
/usr/local/sbin/unbound-control
#
# vi /etc/logrotate.d/unbound
/var/log/unbound.log
{
daily
rotate 30
size 15M
missingok
compress
create 644 unbound unbound
sharedscripts
prerotate
touch /var/log/unbound.log
chown unbound:unbound /var/log/unbound.log
chmod 644 /var/log/unbound.log
/usr/local/sbin/unbound-control log_reopen
endscript
postrotate
/usr/local/sbin/unbound-control log_reopen
endscript
}
# chown root:root /etc/logrotate.d/unbound
# chmod 644 /etc/logrotate.d/unbound
#
# logrotate -dv /etc/logrotate.d/unbound
reading config file /etc/logrotate.d/unbound
reading config info for /var/log/unbound.log
Handling 1 logs
rotating pattern: /var/log/unbound.log
15728640 bytes (30 rotations)
empty log files are rotated, old logs are removed
considering log /var/log/unbound.log
log does not need rotating
not running prerotate script, since no logs will be rotated
not running postrotate script, since no logs were rotated
#
# ll /var/log/unbound.log*
-rw-r--r-- 1 unbound unbound 246825 *** **:** /var/log/unbound.log-YYYYMM01.gz
-rw-r--r-- 1 unbound unbound 237778 *** **:** /var/log/unbound.log-YYYYMM02.gz
#
$ sudo su -
# cd /usr/local/src/
# wget http://www.nlnetlabs.nl/downloads/ldns/ldns-1.6.17.tar.gz
# tar zxvf /usr/local/src/ldns-1.6.17.tar.gz
# cd /usr/local/src/ldns-1.6.17
# pwd
/usr/local/src/ldns-1.6.17
# ./configure
# make
# make install
# cd /usr/local/src/ldns-1.6.17/drill/
# pwd
/usr/local/src/ldns-1.6.17/drill
#
# ./configure
# make
# make install
# cd /usr/local/src
# wget http://unbound.net/downloads/unbound-1.5.1.tar.gz
# tar zxvf /usr/local/src/unbound-1.5.1.tar.gz
# cd /usr/local/src/unbound-1.5.1
# pwd
/usr/local/src/unbound-1.5.1
# ./configure --sysconfdir=/var --with-conf-file=/var/unbound/unbound.conf --with-libevent
# make
# make install
# ls -lrta /var/unbound/unbound.conf
-rw-r--r-- 1 root root 24367 Jan 8 14:06 /var/unbound/unbound.conf
# ls -lrta /usr/local/sbin/unbound
-rwxr-xr-x 1 root root 3880714 Jan 8 14:06 /usr/local/sbin/unbound
#
# ls -lrta /usr/local/lib/*unbound*
-rwxr-xr-x 1 root root 652510 Jan 8 14:06 /usr/local/lib/libunbound.so.2.3.3
lrwxrwxrwx 1 root root 19 Jan 8 14:06 /usr/local/lib/libunbound.so.2 -> libunbound.so.2.3.3
lrwxrwxrwx 1 root root 19 Jan 8 14:06 /usr/local/lib/libunbound.so -> libunbound.so.2.3.3
-rw-r--r-- 1 root root 975 Jan 8 14:06 /usr/local/lib/libunbound.la
-rw-r--r-- 1 root root 9297828 Jan 8 14:06 /usr/local/lib/libunbound.a
#
# ls -lrta /usr/local/lib/*unbound*
-rwxr-xr-x 1 root root 652510 Jan 8 14:06 /usr/local/lib/libunbound.so.2.3.3
lrwxrwxrwx 1 root root 19 Jan 8 14:06 /usr/local/lib/libunbound.so.2 -> libunbound.so.2.3.3
lrwxrwxrwx 1 root root 19 Jan 8 14:06 /usr/local/lib/libunbound.so -> libunbound.so.2.3.3
-rw-r--r-- 1 root root 975 Jan 8 14:06 /usr/local/lib/libunbound.la
-rw-r--r-- 1 root root 9297828 Jan 8 14:06 /usr/local/lib/libunbound.a
# cp -p /etc/ld.so.cache /etc/ld.so.cache.ORG
# diff /etc/ld.so.cache /etc/ld.so.cache.ORG
#
# cp -p /etc/ld.so.conf /etc/ld.so.conf.ORG
# diff /etc/ld.so.conf /etc/ld.so.conf.ORG
#
# echo "/usr/local/lib" >> /etc/ld.so.conf
#
# cat /etc/ld.so.conf
include ld.so.conf.d/*.conf
/usr/local/lib
#
# ls -lrta /etc/ld.so.cache
-rw-r--r-- 1 root root 20832 Jan 8 13:39 /etc/ld.so.cache
#
# ldconfig
#
# ls -lrta /etc/ld.so.cache
-rw-r--r-- 1 root root 21144 Jan 8 14:10 /etc/ld.so.cache
#
# ldconfig -p | grep unbound
libunbound.so.2 (libc6,x86-64) => /usr/local/lib/libunbound.so.2
libunbound.so (libc6,x86-64) => /usr/local/lib/libunbound.so
#