Last active
August 29, 2015 14:12
DNS unboundサーバ構築手順(yumでインストール) ref: http://qiita.com/na0AaooQ/items/e165250c1ea5c19b648c
## Become root, bring the package set up to date, then install unbound from EPEL.
## Assumes the EPEL repository is already configured on the host; --enablerepo
## only switches it on for this one transaction.
$ sudo su - | |
# yum update | |
# yum --enablerepo=epel install -y unbound |
## Stop the DHCP client from rewriting /etc/resolv.conf (PEERDNS=no) so the
## "nameserver 127.0.0.1" entry added later survives lease renewals.
# vi /etc/sysconfig/network-scripts/ifcfg-eth0 | |
PEERDNS=yes | |
↓ | |
PEERDNS=no | |
## Raise the open-file limit for the unbound service.
## "(末尾に以下を追加)" = "append the following at the end of the file".
# vi /etc/sysconfig/unbound | |
(末尾に以下を追加) | |
ulimit -n 8290 |
## Point the host's own stub resolver at the local unbound instance.
## "### unboundサーバ自身のIPアドレス" = "the unbound server's own IP address".
# vi /etc/resolv.conf | |
### unboundサーバ自身のIPアドレス | |
nameserver 127.0.0.1 | |
# |
## Create the pid-file directory (unbound.conf below uses
## pidfile: "/var/run/unbound/unbound.pid") and give it to the unprivileged
## account the daemon runs as (username: "unbound").
# mkdir /var/run/unbound | |
# chown unbound:unbound /var/run/unbound | |
# |
## Pre-create the log file referenced by logfile: "/var/log/unbound.log".
## NOTE(review): unbound.conf below sets log-queries: yes, so this file becomes
## a record of every client query. Mode 644 makes that history readable by every
## local account; 640 (or 600) is the safer default unless world-readability is
## genuinely needed.
# touch /var/log/unbound.log | |
# chown unbound:unbound /var/log/unbound.log | |
# chmod 644 /var/log/unbound.log | |
# |
## First start: the init script generates the remote-control key/certificate
## pair on this run (see its output), then the process, the config syntax and
## the runlevel registration are verified.
## NOTE(review): run unbound-checkconf *before* start/reload rather than after,
## so a broken config is caught without disturbing the running service.
# /etc/init.d/unbound start | |
Generating unbound control key and certificate: | |
Starting unbound: [ OK ] | |
# | |
# ps awux | grep -v grep | grep unbound | |
unbound 6897 0.0 0.7 146848 8064 ? Ssl 14:01 0:00 /usr/sbin/unbound -c /etc/unbound/unbound.conf | |
# | |
# unbound-checkconf | |
unbound-checkconf: no errors in /etc/unbound/unbound.conf | |
# | |
## Enable at boot for runlevels 2-5.
# chkconfig unbound on | |
# chkconfig --list | grep unbound | |
unbound 0:off 1:off 2:on 3:on 4:on 5:on 6:off | |
# |
## Local verification: confirm resolv.conf, reload, then test forward (A) and
## reverse (PTR) lookups for the private zone, plus ordinary recursion for
## public names, all against 127.0.0.1.
## NOTE: the init script's "reload" is actually stop+start (see its output),
## so there is a short window in which queries go unanswered.
# cat /etc/resolv.conf | |
### unboundサーバ自身のIPアドレス | |
nameserver 127.0.0.1 | |
# | |
# /etc/init.d/unbound reload | |
Stopping unbound: [ OK ] | |
Starting unbound: [ OK ] | |
# | |
## route53-test.example.org / 198.51.100.10 are presumably the records served by
## the forward-zone for example.org. configured later in this gist — confirm.
# dig +noall +ans route53-test.example.org @127.0.0.1 | |
route53-test.example.org. 5 IN A 198.51.100.10 | |
# | |
# dig +noall +ans -x 198.51.100.10 @127.0.0.1 | |
10.100.51.198.in-addr.arpa. 1 IN PTR route53-test.example.org. | |
# | |
# dig +noall +ans www.google.co.jp @127.0.0.1 | |
www.google.co.jp. 300 IN A 74.125.235.175 | |
www.google.co.jp. 300 IN A 74.125.235.191 | |
www.google.co.jp. 300 IN A 74.125.235.184 | |
www.google.co.jp. 300 IN A 74.125.235.183 | |
# | |
# dig +noall +ans www.google.com @127.0.0.1 | |
www.google.com. 300 IN A 74.125.235.178 | |
www.google.com. 300 IN A 74.125.235.176 | |
www.google.com. 300 IN A 74.125.235.180 | |
www.google.com. 300 IN A 74.125.235.179 | |
www.google.com. 300 IN A 74.125.235.177 | |
# | |
# /etc/init.d/unbound reload | |
# |
## Remote verification from another host (the prompt suggests one outside the
## VPC). "@unboundサーバのIPアドレスを指定する" = "@<IP address of the unbound
## server>" — a placeholder, not a literal hostname.
## NOTE(review): these queries are only answered when the client's source
## address matches an access-control allow rule in unbound.conf
## (198.51.100.0/24 or 192.0.2.0/24 on this page); everything else is refused
## by "access-control: 0.0.0.0/0 deny", which is what keeps this from being an
## open resolver on its 0.0.0.0@53 listener.
[testuser@notvpcserver ~]$ dig +noall +ans www.google.co.jp @unboundサーバのIPアドレスを指定する | |
www.google.co.jp. 300 IN A 74.125.235.175 | |
www.google.co.jp. 300 IN A 74.125.235.184 | |
www.google.co.jp. 300 IN A 74.125.235.191 | |
www.google.co.jp. 300 IN A 74.125.235.183 | |
[testuser@notvpcserver ~]$ | |
[testuser@notvpcserver ~]$ dig +noall +ans route53-test.example.org @unboundサーバのIPアドレスを指定する | |
route53-test.example.org. 1 IN A 198.51.100.10 | |
[testuser@notvpcserver ~]$ | |
[testuser@notvpcserver ~]$ dig +noall +ans -x 198.51.100.10 @unboundサーバのIPアドレスを指定する | |
10.100.51.198.in-addr.arpa. 1 IN PTR route53-test.example.org. | |
[testuser@notvpcserver ~]$ | |
## Second query for the same name: the TTL has counted down (289 vs 300),
## showing the answer came from unbound's cache.
[testuser@notvpcserver ~]$ dig +noall +ans www.google.co.jp @unboundサーバのIPアドレスを指定する | |
www.google.co.jp. 289 IN A 74.125.235.191 | |
www.google.co.jp. 289 IN A 74.125.235.183 | |
www.google.co.jp. 289 IN A 74.125.235.175 | |
www.google.co.jp. 289 IN A 74.125.235.184 | |
[testuser@notvpcserver ~]$ | |
[testuser@notvpcserver ~]$ dig +noall +ans www.google.com @unboundサーバのIPアドレスを指定する | |
www.google.com. 300 IN A 74.125.235.177 | |
www.google.com. 300 IN A 74.125.235.180 | |
www.google.com. 300 IN A 74.125.235.179 | |
www.google.com. 300 IN A 74.125.235.176 | |
www.google.com. 300 IN A 74.125.235.178 | |
[testuser@notvpcserver ~]$ |
c:\>ipconfig /flushdns | |
Windows IP 構成 | |
DNS リゾルバー キャッシュは正常にフラッシュされました。 | |
c:\>nslookup route53-test.example.org unboundサーバのIPアドレスを指定する | |
サーバー: XXXXXXXXXXXXXXXXX | |
Address: XXX.XXX.XXX.XXX | |
権限のない回答: | |
名前: route53-test.example.org | |
Address: 198.51.100.10 | |
c:\>nslookup 198.51.100.10 unboundサーバのIPアドレスを指定する | |
サーバー: XXXXXXXXXXXXXXXXX | |
Address: XXX.XXX.XXX.XXX | |
名前: route53-test.example.org | |
Address: 198.51.100.10 | |
c:\>nslookup www.google.com unboundサーバのIPアドレスを指定する | |
サーバー: XXXXXXXXXXXXXXXXX | |
Address: XXX.XXX.XXX.XXX | |
権限のない回答: | |
名前: www.google.com | |
Addresses: 2404:6800:4004:801::1010 | |
173.194.38.112 | |
173.194.38.114 | |
173.194.38.116 | |
173.194.38.113 | |
173.194.38.115 |
## Locate unbound-control; its absolute path is used by the logrotate
## scripts that follow.
# which unbound-control | |
/usr/sbin/unbound-control | |
# |
## logrotate policy for the unbound log. unbound-control log_reopen makes the
## daemon reopen its log after rotation; it depends on control-enable: yes in
## the remote-control section of unbound.conf (set on this page).
## NOTE(review): "create 644 unbound unbound" recreates a world-readable file
## each rotation; with log-queries: yes that is a query-history disclosure to
## every local account — consider 640.
## NOTE(review): per logrotate(8), "size" replaces the time-based schedule
## rather than combining with it, so "daily" here appears to be ignored; if the
## intent is "daily, or earlier once 10M", "maxsize 10M" is the directive —
## confirm against the installed logrotate version.
## The prerotate touch/chown/chmod and the first log_reopen look redundant with
## "create" and the postrotate hook; harmless, but could be trimmed.
# vi /etc/logrotate.d/unbound | |
/var/log/unbound.log | |
{ | |
daily | |
rotate 30 | |
size 10M | |
missingok | |
compress | |
create 644 unbound unbound | |
sharedscripts | |
prerotate | |
touch /var/log/unbound.log | |
chown unbound:unbound /var/log/unbound.log | |
chmod 644 /var/log/unbound.log | |
/usr/sbin/unbound-control log_reopen | |
endscript | |
postrotate | |
/usr/sbin/unbound-control log_reopen | |
endscript | |
} | |
# | |
## Ownership/mode of the policy file itself (root-owned, not writable by others).
# chown root:root /etc/logrotate.d/unbound | |
# chmod 644 /etc/logrotate.d/unbound | |
# |
## Switch the system timezone to JST so log timestamps (log-time-ascii: yes)
## are in local time; cp prompts because root's shell aliases cp to cp -i.
# cp /usr/share/zoneinfo/Asia/Tokyo /etc/localtime | |
cp: overwrite ‘/etc/localtime’? y | |
[root@ip-192-168-250-8 ~]# date | |
Fri Dec 12 14:27:01 JST 2014 | |
# | |
# vi /etc/sysconfig/clock | |
ZONE="UTC" | |
UTC=true | |
↓ | |
ZONE="Asia/Tokyo" | |
UTC=false | |
ARC=false | |
# | |
## Park the packaged sample configs in a BACKUP subdirectory instead of
## deleting them. unbound.conf includes conf.d/*.conf and local.d/*.conf, and
## that glob presumably does not descend into subdirectories, which is why a
## subdirectory is enough to take them out of play — confirm with
## unbound-checkconf after the move.
# mkdir /etc/unbound/local.d/BACKUP | |
# mkdir /etc/unbound/conf.d/BACKUP | |
# | |
# mv /etc/unbound/conf.d/example.com.conf /etc/unbound/conf.d/BACKUP/ | |
# | |
# mv /etc/unbound/local.d/block-example.com.conf /etc/unbound/local.d/BACKUP/ | |
# |
## Forward the private zone example.org. to the VPC's Amazon-provided resolver.
## "XX.XX.XX.2 (unboundサーバを作成したVPCのAmazonProvidedDNSを指定する)" =
## "XX.XX.XX.2 (specify the AmazonProvidedDNS of the VPC the unbound server was
## created in)" — the parenthetical is an instruction, not config syntax, and
## must be removed from the real file or unbound-checkconf will reject it.
## NOTE(review): answers from a forwarder are trusted as received; see the
## val-permissive-mode note on the main unbound.conf listing.
# vi /etc/unbound/conf.d/example.org.conf | |
forward-zone: | |
name: "example.org." | |
forward-addr: XX.XX.XX.2 (unboundサーバを作成したVPCのAmazonProvidedDNSを指定する) | |
# |
## Forward the matching reverse zone (198.51.100.0/24) to the same VPC resolver
## so PTR lookups for the private range resolve. The parenthetical placeholder
## note is the same as in example.org.conf and must not be left in the file.
# vi /etc/unbound/conf.d/100.51.198.in-addr.arpa.conf | |
forward-zone: | |
name: "100.51.198.in-addr.arpa." | |
forward-addr: XX.XX.XX.2 (unboundサーバを作成したVPCのAmazonProvidedDNSを指定する) | |
# |
## Declare both forwarded zones as "transparent" local zones: names without
## local-data fall through to normal resolution (here, the forward-zone) instead
## of being answered locally. This pairs with the forward-zone files above.
# vi /etc/unbound/local.d/100.51.198.in-addr.arpa.conf | |
local-zone: "100.51.198.in-addr.arpa." transparent | |
# | |
# vi /etc/unbound/local.d/example.org.conf | |
local-zone: "example.org." transparent | |
# |
## Keep a pristine copy of the packaged unbound.conf (-p preserves owner/mode)
## before editing; the empty diff confirms the copy is identical at this point.
## The ORG file is outside the include globs, so it is not loaded by unbound.
# cp -p /etc/unbound/unbound.conf /etc/unbound/unbound.conf.ORG | |
# diff /etc/unbound/unbound.conf /etc/unbound/unbound.conf.ORG | |
# | |
# vi /etc/unbound/unbound.conf /etc/unbound/unbound.conf.ORG |
## Diff of the edited config ("<") against the packaged original (">"): listeners
## on all addresses, explicit protocol switches, an access-control list, file
## logging, root hints, identity/version hiding, and val-permissive-mode flipped
## from no to yes.
## NOTE(review): "access-control: 127.0.0.1/32 allow" appears here but is missing
## from the grep listing of the same file later on this page — one of the two
## is stale; confirm which is deployed.
## NOTE(review): val-permissive-mode: yes keeps serving answers whose DNSSEC
## validation failed (only the AD bit is withheld), so the trust anchors loaded
## below stop protecting clients from spoofed or broken data. Set it back to
## "no" once the forwarders validate cleanly.
# diff /etc/unbound/unbound.conf /etc/unbound/unbound.conf.ORG | |
49,50d48 | |
< interface: 0.0.0.0@53 | |
< interface: ::0@53 | |
63d60 | |
< port: 53 | |
115d111 | |
< msg-buffer-size: 1311240 | |
163d158 | |
< do-ip4: yes | |
167d161 | |
< do-ip6: no | |
173d166 | |
< do-udp: yes | |
177d169 | |
< do-tcp: no | |
196,205d187 | |
< access-control: 198.51.100.0/24 allow | |
< access-control: 192.0.2.0/24 allow | |
< access-control: 127.0.0.1/32 allow | |
< access-control: ::1 allow | |
< access-control: ::ffff:127.0.0.1 allow | |
< access-control: 0.0.0.0/0 deny | |
246d227 | |
< logfile: "/var/log/unbound.log" | |
251d231 | |
< use-syslog: no | |
258d237 | |
< log-queries: yes | |
266d244 | |
< root-hints: "/etc/unbound/named.cache" | |
270d247 | |
< hide-identity: yes | |
274d250 | |
< hide-version: yes | |
431,432c407 | |
< ### val-permissive-mode: no | |
< val-permissive-mode: yes | |
--- | |
> val-permissive-mode: no | |
# |
## Effective unbound.conf with comments and blank lines stripped.
# grep -v "#" /etc/unbound/unbound.conf | grep -v ^$ | |
server: | |
verbosity: 1 | |
statistics-interval: 0 | |
statistics-cumulative: yes | |
extended-statistics: yes | |
num-threads: 2 | |
## Listens on every IPv4 and IPv6 address; the access-control list below is the
## only thing keeping this from being an open resolver.
## NOTE(review): do-ip6: no is set below, so the ::0 listener and the ::1 /
## ::ffff:127.0.0.1 allow rules appear to have no effect — either enable IPv6
## or drop them to keep the config honest.
interface: 0.0.0.0@53 | |
interface: ::0@53 | |
interface-automatic: no | |
port: 53 | |
outgoing-port-permit: 32768-65535 | |
outgoing-port-avoid: 0-32767 | |
max-udp-size: 3072 | |
msg-buffer-size: 1311240 | |
do-ip4: yes | |
do-ip6: no | |
do-udp: yes | |
## NOTE(review): do-tcp: no disables TCP both for clients and upstream, so
## responses that do not fit in a UDP datagram have no fallback (DNSSEC-signed
## answers are the usual victims). Leaving TCP on is the conventional setting.
do-tcp: no | |
## Client ACL: allow the two private ranges, refuse everyone else.
## NOTE(review): the diff earlier on this page also had
## "access-control: 127.0.0.1/32 allow", which is absent here; unbound's
## built-in default for 127.0.0.0/8 presumably still lets the local dig tests
## through, but make the localhost rule explicit so it does not depend on that.
access-control: 198.51.100.0/24 allow | |
access-control: 192.0.2.0/24 allow | |
access-control: ::1 allow | |
access-control: ::ffff:127.0.0.1 allow | |
access-control: 0.0.0.0/0 deny | |
## Runs unprivileged as "unbound" but without a chroot.
chroot: "" | |
username: "unbound" | |
directory: "/etc/unbound" | |
## NOTE(review): log-queries: yes writes every client query to a file that this
## page creates with mode 644 — review who can read /var/log/unbound.log.
logfile: "/var/log/unbound.log" | |
use-syslog: no | |
log-time-ascii: yes | |
log-queries: yes | |
pidfile: "/var/run/unbound/unbound.pid" | |
## Root hints file fetched at the end of this page.
root-hints: "/etc/unbound/named.cache" | |
## Do not answer id.server / version.bind style probes.
hide-identity: yes | |
hide-version: yes | |
harden-glue: yes | |
harden-dnssec-stripped: yes | |
harden-below-nxdomain: yes | |
harden-referral-path: yes | |
use-caps-for-id: no | |
unwanted-reply-threshold: 10000000 | |
prefetch: yes | |
prefetch-key: yes | |
rrset-roundrobin: yes | |
minimal-responses: yes | |
## NOTE(review): the ISC DLV registry this anchor refers to has since been
## retired; on a current deployment the dlv-anchor-file line should be removed.
dlv-anchor-file: "/etc/unbound/dlv.isc.org.key" | |
trusted-keys-file: /etc/unbound/keys.d/*.key | |
auto-trust-anchor-file: "/var/lib/unbound/root.anchor" | |
val-clean-additional: yes | |
## NOTE(review): val-permissive-mode: yes returns answers even when DNSSEC
## validation fails (failures are only logged), which nullifies the trust
## anchors above. Keep it at "no" in production and debug validation failures
## with val-log-level instead.
val-permissive-mode: yes | |
val-log-level: 1 | |
include: /etc/unbound/local.d/*.conf | |
## Needed for unbound-control (used by the logrotate hooks). No
## control-interface is shown, so it should be on the loopback default —
## verify it is not bound to a public address.
remote-control: | |
control-enable: yes | |
server-key-file: "/etc/unbound/unbound_server.key" | |
server-cert-file: "/etc/unbound/unbound_server.pem" | |
control-key-file: "/etc/unbound/unbound_control.key" | |
control-cert-file: "/etc/unbound/unbound_control.pem" | |
include: /etc/unbound/conf.d/*.conf | |
# |
## Fetch the root hints into the path named by root-hints: in unbound.conf.
## NOTE(review): this download is plain, unauthenticated FTP and nothing checks
## the file's integrity before unbound trusts it for every resolution. Prefer
## the HTTPS copy InterNIC publishes and verify it against the accompanying
## signature/checksum before installing; re-fetch periodically, since the
## root server set changes over time.
# wget -O "/etc/unbound/named.cache" ftp://FTP.INTERNIC.NET/domain/named.cache | |
# chown unbound:unbound /etc/unbound/named.cache |