DNS unboundサーバ構築手順(ソースからunbound 1.5.1をインストール) ref: http://qiita.com/na0AaooQ/items/ac0e2f0588c70a12f0c5

file0.txt

$ sudo su -
# vi /etc/sysconfig/network-scripts/ifcfg-eth0
PEERDNS=yes
　↓
PEERDNS=no

file1.txt

# cp /usr/share/zoneinfo/Asia/Tokyo /etc/localtime
cp: overwrite ‘/etc/localtime’? y
# date
Fri Dec 12 14:27:01 JST 2014
#

# vi /etc/sysconfig/clock
ZONE="UTC" 
UTC=true
　↓
ZONE="Asia/Tokyo" 
UTC=false
ARC=false
#

file10.txt

# cp -p /usr/local/src/unbound-1.5.1/contrib/unbound.init /etc/init.d/unbound
# diff /usr/local/src/unbound-1.5.1/contrib/unbound.init /etc/init.d/unbound
# sed -i 's_/usr/sbin/unbound_/usr/local/sbin/unbound_' /etc/init.d/unbound

# chown root:root /etc/init.d/unbound
# chmod 755 /etc/init.d/unbound

file11.txt

# chkconfig --list | grep unbound
# chkconfig --add unbound
# chkconfig unbound on
# chkconfig --list | grep unbound
unbound         0:off   1:off   2:on    3:on    4:on    5:on    6:off
#

file12.txt

# ll /var/unbound/unbound.conf
-rw-r--r-- 1 root root 24367 Jan  8 14:06 /var/unbound/unbound.conf
#
# ll /etc/unbound.conf
ls: cannot access /etc/unbound.conf: No such file or directory
#
# ln -s /var/unbound/unbound.conf /etc/unbound.conf
# ll /etc/unbound.conf
lrwxrwxrwx 1 root root 25 Jan  8 14:14 /etc/unbound.conf -> /var/unbound/unbound.conf
#

file13.txt

# cp -p /var/unbound/unbound.conf /var/unbound/unbound.conf.ORG
# diff /var/unbound/unbound.conf /var/unbound/unbound.conf.ORG
#

# vi /var/unbound/unbound.conf
　(設定を追加・編集する)

file14.txt

# diff /var/unbound/unbound.conf /var/unbound/unbound.conf.ORG
31d30
<       num-threads: 2
42,43d40
<       interface: 0.0.0.0@53
<       interface: ::0@53
51d47
<       port: 53
68d63
<       outgoing-port-permit: 32768-65535
107d101
<       msg-buffer-size: 1311240
112d105
<       msg-cache-size: 50m
131d123
<       rrset-cache-size: 100m
160d151
<       do-ip4: yes
164d154
<       do-ip6: no
168d157
<       do-udp: yes
172d160
<       do-tcp: no
193,198d180
<       access-control: 198.51.100.0/24 allow
<       access-control: 192.0.2.0/24 allow
<       access-control: 127.0.0.1/32 allow
<       access-control: 0.0.0.0/0 deny
224d205
<       chroot: ""
230d210
<       username: "unbound"
236d215
<       directory: "/var/unbound"
241d219
<       logfile: "/var/log/unbound.log"
246d223
<       use-syslog: no
253d229
<       log-queries: yes
261d236
<       root-hints: "/var/unbound/named.cache"
265d239
<       hide-identity: yes
269d242
<       hide-version: yes
429d401
<       val-permissive-mode: yes
569,570d540
<       include: /var/unbound/etc/local.d/*.conf
<
584d553
<       control-enable: yes
590d558
<       control-interface: 127.0.0.1
594d561
<       control-port: 8953
598d564
<       server-key-file: "/var/unbound/unbound_server.key"
602d567
<       server-cert-file: "/var/unbound/unbound_server.pem"
606d570
<       control-key-file: "/var/unbound/unbound_control.key"
610d573
<       control-cert-file: "/var/unbound/unbound_control.pem"
641,642d603
<
< include: /var/unbound/etc/conf.d/*.conf
#

file15.txt

# ls -lrta /var/unbound/
total 60
drwxr-xr-x 19 root root  4096 Jan  8 14:06 ..
-rw-r--r--  1 root root 24367 Jan  8 14:06 unbound.conf.ORG
-rw-r--r--  1 root root 25411 Jan  8 14:25 unbound.conf
drwxr-xr-x  2 root root  4096 Jan  8 14:25 .
#

# cd /var/unbound/
#

# which unbound-control-setup
/usr/local/sbin/unbound-control-setup
#

# unbound-control-setup
setup in directory /var/unbound
generating unbound_server.key
Generating RSA private key, 1536 bit long modulus
　(中略)
#

file16.txt

# ls -lrta /var/unbound/
total 76
drwxr-xr-x 19 root root  4096 Jan  8 14:06 ..
-rw-r--r--  1 root root 24367 Jan  8 14:06 unbound.conf.ORG
-rw-r--r--  1 root root 25411 Jan  8 14:25 unbound.conf
-rw-r-----  1 root root  1277 Jan  8 14:30 unbound_server.key
-rw-r-----  1 root root  1277 Jan  8 14:30 unbound_control.key
-rw-r-----  1 root root   790 Jan  8 14:30 unbound_server.pem
-rw-r-----  1 root root   802 Jan  8 14:30 unbound_control.pem
drwxr-xr-x  2 root root  4096 Jan  8 14:30 .
#

file17.txt

# wget -O "/var/unbound/named.cache" ftp://FTP.INTERNIC.NET/domain/named.cache

file18.txt

# mkdir -p /var/unbound/etc/conf.d
# mkdir -p /var/unbound/etc/local.d

file19.txt

# vi /etc/init.d/unbound
　(中略)
stop() {
    echo -n $"Stopping $prog: "
    # stop it here, often "killproc $prog"
    killproc -p $pidfile $prog
    retval=$?
    echo
    [ $retval -eq 0 ] && rm -f $lockfile
##    if egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/log' /proc/mounts; then
    MOUNT_CHK=`grep "devtmpfs ${rootdir}/dev/log" /proc/mounts | grep -v ^# | wc -l`
    if [ ${MOUNT_CHK} -ge 1 ] ; then
        umount ${rootdir}/dev/log >/dev/null 2>&1
    fi;
##    if egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/random' /proc/mounts; then
    MOUNT_CHK=`grep "devtmpfs ${rootdir}/dev/random" /proc/mounts | grep -v ^# | wc -l`
    if [ ${MOUNT_CHK} -ge 1 ] ; then
        umount ${rootdir}/dev/random >/dev/null 2>&1
    fi;
    return $retval
}
　(中略)
make_logfile() {
    if [ ! -e "/var/log/unbound.log" ]
    then
         touch /var/log/unbound.log
         chmod 644 /var/log/unbound.log
         chown unbound:unbound /var/log/unbound.log
    fi
}
　(中略)
case "$1" in
    start)
        rh_status_q && exit 0
        make_logfile
        $1
        ;;
    stop)
        rh_status_q || exit 0
        $1
        ;;
    restart)
        make_logfile
        $1
        ;;
    reload)
        rh_status_q || exit 7
        make_logfile
        $1
        ;;
    force-reload)
        make_logfile
        force_reload
        ;;
    status)
        rh_status
        ;;
    condrestart|try-restart)
        rh_status_q || exit 0
        make_logfile
        restart
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
        exit 2
esac
exit $?

file2.txt

# cp -p /etc/passwd /etc/passwd.ORG
# cp -p /etc/shadow /etc/shadow.ORG
# cp -p /etc/group /etc/group.ORG
#

# groupadd -g [unboundグループに指定するgid] unbound
# useradd -u [unboundユーザに指定するuid] -s /sbin/nologin -d /var/unbound -N -g unbound -c 'Unbound DNS Resolver User' unbound
#

# id unbound
uid=XXXXX(unbound) gid=XXXXX(unbound) groups=XXXXX(unbound)
#

file20.txt

# diff /usr/local/src/unbound-1.5.1/contrib/unbound.init /etc/init.d/unbound
24c24
< exec="/usr/sbin/unbound"
---
> exec="/usr/local/sbin/unbound"
78c78,80
<     if egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/log' /proc/mounts; then
---
> ##    if egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/log' /proc/mounts; then
>     MOUNT_CHK=`grep "devtmpfs ${rootdir}/dev/log" /proc/mounts | grep -v ^# | wc -l`
>     if [ ${MOUNT_CHK} -ge 1 ] ; then
81c83,85
<     if egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/random' /proc/mounts; then
---
> ##    if egrep -q '^/[^[:space:]]+[[:space:]]+'${rootdir}'/dev/random' /proc/mounts; then
>     MOUNT_CHK=`grep "devtmpfs ${rootdir}/dev/random" /proc/mounts | grep -v ^# | wc -l`
>     if [ ${MOUNT_CHK} -ge 1 ] ; then
108a113,121
> make_logfile() {
>     if [ ! -e "/var/log/unbound.log" ]
>     then
>          touch /var/log/unbound.log
>          chmod 644 /var/log/unbound.log
>          chown unbound:unbound /var/log/unbound.log
>     fi
> }
>
111a125
>         make_logfile
118a133
>         make_logfile
122a138
>         make_logfile
125a142
>         make_logfile
132a150
>         make_logfile
#

file21.txt

# vi /var/unbound/etc/conf.d/example.org.conf
forward-zone:
      name: "example.org."
      forward-addr: XX.XX.XX.2 (unboundサーバを作成したVPCのAmazonProvidedDNSを指定する)
#

file22.txt

# vi /var/unbound/etc/conf.d/100.51.198.in-addr.arpa.conf
forward-zone:
      name: "100.51.198.in-addr.arpa."
      forward-addr: XX.XX.XX.2 (unboundサーバを作成したVPCのAmazonProvidedDNSを指定する)
#

file23.txt

# vi /var/unbound/etc/local.d/100.51.198.in-addr.arpa.conf
local-zone: "100.51.198.in-addr.arpa." transparent
#

# vi /var/unbound/etc/local.d/example.org.conf
local-zone: "example.org." transparent
#

file24.txt

# vi /etc/resolv.conf
### unboundサーバ自身のIPアドレス
nameserver 127.0.0.1
#

file25.txt

# chown -R unbound:unbound /var/unbound

file26.txt

# unbound-checkconf
unbound-checkconf: no errors in /var/unbound/unbound.conf
#

file27.txt

# ps awux | grep -v grep | grep unbound
#

# /etc/init.d/unbound start
Starting unbound:                                          [  OK  ]
#

# ps awux | grep -v grep | grep unbound
unbound   8421  0.0  0.8 136500  8352 ?        Ssl  17:00   0:00 /usr/local/sbin/unbound
#

# unbound-control status
version: 1.5.1
verbosity: 1
threads: 2
modules: 2 [ validator iterator ]
uptime: 13 seconds
options: control(ssl)
unbound (pid 8421) is running...
#

file28.txt

# /etc/init.d/unbound reload
#

# unbound-control dump_cache
START_RRSET_CACHE
END_RRSET_CACHE
START_MSG_CACHE
END_MSG_CACHE
EOF
#

file29.txt

# dig +noall +ans route53-test.example.org @127.0.0.1
route53-test.example.org. 1     IN      A       198.51.100.10
#

# dig +noall +ans -x 198.51.100.10 @127.0.0.1
10.100.51.198.in-addr.arpa. 1   IN      PTR     route53-test.example.org.
#

# dig +noall +ans www.google.co.jp @127.0.0.1
www.google.co.jp.       300     IN      A       173.194.38.87
www.google.co.jp.       300     IN      A       173.194.38.88
www.google.co.jp.       300     IN      A       173.194.38.95
www.google.co.jp.       300     IN      A       173.194.38.79
#

# dig +noall +ans www.google.com @127.0.0.1
www.google.com.         287     IN      A       74.125.235.176
www.google.com.         287     IN      A       74.125.235.180
www.google.com.         287     IN      A       74.125.235.177
www.google.com.         287     IN      A       74.125.235.179
www.google.com.         287     IN      A       74.125.235.178
#

# dig +noall +ans www.google.co.jp @127.0.0.1
www.google.co.jp.       192     IN      A       74.125.235.183
www.google.co.jp.       192     IN      A       74.125.235.191
www.google.co.jp.       192     IN      A       74.125.235.184
www.google.co.jp.       192     IN      A       74.125.235.175
#

file3.txt

# yum update
# yum -y install openssl-devel
# yum -y install flex
# yum -y install libevent-devel
# yum -y install gcc
# yum -y install expat-devel

file30.txt

# tail -f /var/log/unbound.log
　(中略)
[1420704380] unbound[8530:1] info: 127.0.0.1 route53-test.example.org. A IN
[1420704380] unbound[8530:1] info: 127.0.0.1 10.100.51.198.in-addr.arpa. PTR IN
[1420704380] unbound[8530:1] info: 127.0.0.1 www.google.co.jp. A IN
[1420704380] unbound[8530:1] info: 127.0.0.1 www.google.com. A IN
[1420704380] unbound[8530:1] info: 127.0.0.1 www.google.com. A IN
[1420704380] unbound[8530:1] info: 127.0.0.1 www.google.co.jp. A IN
　(中略)

file31.txt

# /etc/init.d/unbound reload
#

# unbound-control dump_cache
START_RRSET_CACHE
END_RRSET_CACHE
START_MSG_CACHE
END_MSG_CACHE
EOF
#

file32.txt

[exampleuser@notvpcserver ~]$ dig +noall +ans route53-test.example.org @unboundサーバのIPアドレスを指定する
route53-test.example.org. 1     IN      A       198.51.100.10
[exampleuser@notvpcserver ~]$

[exampleuser@notvpcserver ~]$ dig +noall +ans -x 198.51.100.10 @unboundサーバのIPアドレスを指定する
10.100.51.198.in-addr.arpa. 1   IN      PTR     route53-test.example.org.
[exampleuser@notvpcserver ~]$

[exampleuser@notvpcserver ~]$ dig +noall +ans www.google.com @unboundサーバのIPアドレスを指定する
www.google.com.         300     IN      A       74.125.235.179
www.google.com.         300     IN      A       74.125.235.178
www.google.com.         300     IN      A       74.125.235.180
www.google.com.         300     IN      A       74.125.235.177
www.google.com.         300     IN      A       74.125.235.176
[exampleuser@notvpcserver ~]$

[exampleuser@notvpcserver ~]$ dig +noall +ans www.google.co.jp @unboundサーバのIPアドレスを指定する
www.google.co.jp.       300     IN      A       74.125.235.191
www.google.co.jp.       300     IN      A       74.125.235.184
www.google.co.jp.       300     IN      A       74.125.235.183
www.google.co.jp.       300     IN      A       74.125.235.175
[exampleuser@notvpcserver ~]$

file33.txt

# which unbound-control
/usr/local/sbin/unbound-control
#

file34.txt

# vi /etc/logrotate.d/unbound
/var/log/unbound.log
{
    daily
    rotate 30
    size 15M
    missingok
    compress
    create 644 unbound unbound
    sharedscripts
    prerotate
        touch /var/log/unbound.log
        chown unbound:unbound /var/log/unbound.log
        chmod 644 /var/log/unbound.log
        /usr/local/sbin/unbound-control log_reopen
    endscript
    postrotate
        /usr/local/sbin/unbound-control log_reopen
    endscript
}

file35.txt

# chown root:root /etc/logrotate.d/unbound
# chmod 644 /etc/logrotate.d/unbound
#

file36.txt

# logrotate -dv /etc/logrotate.d/unbound
reading config file /etc/logrotate.d/unbound
reading config info for /var/log/unbound.log


Handling 1 logs

rotating pattern: /var/log/unbound.log
 15728640 bytes (30 rotations)
empty log files are rotated, old logs are removed
considering log /var/log/unbound.log
  log does not need rotating
not running prerotate script, since no logs will be rotated
not running postrotate script, since no logs were rotated
#

file37.txt

# ll /var/log/unbound.log*
-rw-r--r-- 1 unbound unbound   246825 *** **:** /var/log/unbound.log-YYYYMM01.gz
-rw-r--r-- 1 unbound unbound   237778 *** **:** /var/log/unbound.log-YYYYMM02.gz
#

file4.txt

# reboot

file5.txt

$ sudo su -
# cd /usr/local/src/
# wget http://www.nlnetlabs.nl/downloads/ldns/ldns-1.6.17.tar.gz
# tar zxvf /usr/local/src/ldns-1.6.17.tar.gz
# cd /usr/local/src/ldns-1.6.17

# pwd
/usr/local/src/ldns-1.6.17
# ./configure

# make

# make install

file6.txt

# cd /usr/local/src/ldns-1.6.17/drill/
# pwd
/usr/local/src/ldns-1.6.17/drill
#

# ./configure

# make

# make install

file7.txt

# cd /usr/local/src
# wget http://unbound.net/downloads/unbound-1.5.1.tar.gz

# tar zxvf /usr/local/src/unbound-1.5.1.tar.gz

# cd /usr/local/src/unbound-1.5.1
# pwd
/usr/local/src/unbound-1.5.1

# ./configure --sysconfdir=/var --with-conf-file=/var/unbound/unbound.conf --with-libevent

# make

# make install

file8.txt

# ls -lrta /var/unbound/unbound.conf
-rw-r--r-- 1 root root 24367 Jan  8 14:06 /var/unbound/unbound.conf
# ls -lrta /usr/local/sbin/unbound
-rwxr-xr-x 1 root root 3880714 Jan  8 14:06 /usr/local/sbin/unbound
#

# ls -lrta /usr/local/lib/*unbound*
-rwxr-xr-x 1 root root  652510 Jan  8 14:06 /usr/local/lib/libunbound.so.2.3.3
lrwxrwxrwx 1 root root      19 Jan  8 14:06 /usr/local/lib/libunbound.so.2 -> libunbound.so.2.3.3
lrwxrwxrwx 1 root root      19 Jan  8 14:06 /usr/local/lib/libunbound.so -> libunbound.so.2.3.3
-rw-r--r-- 1 root root     975 Jan  8 14:06 /usr/local/lib/libunbound.la
-rw-r--r-- 1 root root 9297828 Jan  8 14:06 /usr/local/lib/libunbound.a
#

file9.txt

# ls -lrta /usr/local/lib/*unbound*
-rwxr-xr-x 1 root root  652510 Jan  8 14:06 /usr/local/lib/libunbound.so.2.3.3
lrwxrwxrwx 1 root root      19 Jan  8 14:06 /usr/local/lib/libunbound.so.2 -> libunbound.so.2.3.3
lrwxrwxrwx 1 root root      19 Jan  8 14:06 /usr/local/lib/libunbound.so -> libunbound.so.2.3.3
-rw-r--r-- 1 root root     975 Jan  8 14:06 /usr/local/lib/libunbound.la
-rw-r--r-- 1 root root 9297828 Jan  8 14:06 /usr/local/lib/libunbound.a

# cp -p /etc/ld.so.cache /etc/ld.so.cache.ORG
# diff /etc/ld.so.cache /etc/ld.so.cache.ORG
#

# cp -p /etc/ld.so.conf /etc/ld.so.conf.ORG
# diff /etc/ld.so.conf /etc/ld.so.conf.ORG
#

# echo "/usr/local/lib" >> /etc/ld.so.conf
#

# cat /etc/ld.so.conf
include ld.so.conf.d/*.conf
/usr/local/lib
#

# ls -lrta /etc/ld.so.cache
-rw-r--r-- 1 root root 20832 Jan  8 13:39 /etc/ld.so.cache
#

# ldconfig
#

# ls -lrta /etc/ld.so.cache
-rw-r--r-- 1 root root 21144 Jan  8 14:10 /etc/ld.so.cache
#

# ldconfig -p | grep unbound
        libunbound.so.2 (libc6,x86-64) => /usr/local/lib/libunbound.so.2
        libunbound.so (libc6,x86-64) => /usr/local/lib/libunbound.so
#