DNS & Unbound

Installation unbound

# Install Unbound from the distribution repositories (needs root).
apt-get update
apt-get install unbound

Mise à jour de la liste des serveurs root DNS

wget ftp://FTP.INTERNIC.NET/domain/named.cache -O /etc/unbound/root.hints

DNSSEC

Via : https://data.iana.org/root-anchors/root-anchors.xml

# Hand-install the root DNSSEC trust anchor as a DS record (value copied from
# the IANA root-anchors.xml linked above at the time of writing).
# NOTE(review): key tag 19036 is the 2010 root KSK, which has since been rolled
# over (the current KSK has tag 20326). Take a current DS from the IANA URL
# above, or let unbound-anchor (see the "Alternative" section) create and
# maintain the file automatically (RFC 5011).
nano /etc/unbound/root.key
. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
# auto-trust-anchor-file makes unbound rewrite this file when the anchor
# rolls, so the unbound user must own it.
chown unbound:unbound /etc/unbound/root.key

Configuration unbound

# Unbound main configuration (server: block). The three include: lines at the
# end presumably pull in the block-zone / local-zone / forward-zone snippets
# shown below.
server:
    verbosity: 1
    # Listener address; 1.2.3.4 is presumably a placeholder for the host's own
    # (public) IPv4 address.
    interface: 1.2.3.4 #IPv4
    port: 53
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes
    # NOTE(review): "allow" for 0.0.0.0/0 on a non-loopback interface makes
    # this an open resolver: any host on the Internet can query it, which
    # exposes it to reflection/amplification abuse and to cache-poisoning
    # attempts. Restrict to the client networks and refuse the rest, e.g.
    #   access-control: 10.0.0.0/24 allow
    #   access-control: 0.0.0.0/0 refuse
    # (10.0.0.0/24 is the range used in the local-zone data below; adjust.)
    access-control: 0.0.0.0/0 allow #everyone may query
    # Root trust anchor, maintained by unbound itself (RFC 5011), so the file
    # must be writable by the unbound user (see the chown above).
    auto-trust-anchor-file: "/etc/unbound/root.key"
    root-hints: "/etc/unbound/root.hints"
    # Do not answer id.server / version.server (CHAOS) queries.
    hide-identity: yes
    hide-version: yes
    # Only accept glue that is within the delegating zone's bailiwick.
    harden-glue: yes
    # SERVFAIL rather than accept an answer whose DNSSEC data was stripped for
    # a zone under a trust anchor.
    harden-dnssec-stripped: yes
    # Randomise the case of query names (0x20): extra entropy against spoofed
    # replies.
    use-caps-for-id: yes
    # Floors every TTL at one hour: records with a shorter upstream TTL
    # (fail-over, CDN, dynamic DNS) are served stale for up to an hour.
    cache-min-ttl: 3600
    cache-max-ttl: 86400
    prefetch: yes
    # Slab counts must be a power of two; 8 is the nearest one above 6 threads.
    num-threads: 6
    msg-cache-slabs: 8
    rrset-cache-slabs: 8
    infra-cache-slabs: 8
    key-cache-slabs: 8
    rrset-cache-size: 256m
    msg-cache-size: 128m
    so-rcvbuf: 1m
    # Anti-poisoning trip-wire: after this many unwanted replies the caches
    # are flushed. The unbound.conf manual suggests a value in the order of
    # ten million; 10000 may trigger on ordinary background noise — confirm.
    unwanted-reply-threshold: 10000
    do-not-query-localhost: yes
    val-clean-additional: yes
    # NOTE(review): when use-syslog is yes the logfile setting is overridden,
    # so the logfile line below is presumably unused.
    use-syslog: yes
    logfile: /var/log/unbound.log
    # If a local domain is needed.
    # private-domain only has an effect together with private-address: (not
    # set here) — verify. Also note that ".local" is reserved for mDNS
    # (RFC 6762); a different suffix avoids conflicts with mDNS clients.
    private-domain: "home.local"
    include: "/etc/unbound/block-zone.conf"
    include: "/etc/unbound/local-zone.conf"
    include: "/etc/unbound/forward-zone.conf"
# Ad/tracker sinkhole (presumably /etc/unbound/block-zone.conf). "redirect"
# answers the zone and everything below it with the local-data given.
# NOTE(review): answering 127.0.0.1 sends blocked traffic to each client's own
# loopback, i.e. to whatever service happens to listen there; the local-zone
# type always_nxdomain (or 0.0.0.0 as the address) blocks without that side
# effect. "ask.com" blocks the whole search engine, not just its ads — confirm.
local-zone: "doubleclick.net" redirect
    local-data: "doubleclick.net A 127.0.0.1"
    local-zone: "googlesyndication.com" redirect
    local-data: "googlesyndication.com A 127.0.0.1"
    local-zone: "googleadservices.com" redirect
    local-data: "googleadservices.com A 127.0.0.1"
    local-zone: "google-analytics.com" redirect
    local-data: "google-analytics.com A 127.0.0.1"
    local-zone: "ads.youtube.com" redirect
    local-data: "ads.youtube.com A 127.0.0.1"
    local-zone: "adserver.yahoo.com" redirect
    local-data: "adserver.yahoo.com A 127.0.0.1"
    local-zone: "ask.com" redirect
    local-data: "ask.com A 127.0.0.1"
    # To block additional sites:
    # local-zone: "domaine.com" redirect
    # local-data: "domaine.com A 127.0.0.1"
# Local forward and reverse records (presumably /etc/unbound/local-zone.conf).
# "static": names under home.local. that have no local-data get NXDOMAIN /
# NODATA instead of being sent to the forwarders, so internal names stay local.
local-zone: "home.local." static

    local-data: "firewall.home.local.  IN A 10.0.0.1"
    local-data: "laptop.home.local.    IN A 10.0.0.2"
    local-data: "xboxone.home.local.   IN A 10.0.0.3"
    local-data: "ps4.home.local.       IN A 10.0.0.4"
    local-data: "dhcp.home.local.      IN A 10.0.0.5"

    # PTR records for the same hosts; unbound derives the in-addr.arpa name
    # from the address given.
    local-data-ptr: "10.0.0.1  firewall.home.local"
    local-data-ptr: "10.0.0.2  laptop.home.local"
    local-data-ptr: "10.0.0.3  xboxone.home.local"
    local-data-ptr: "10.0.0.4  ps4.home.local"
    local-data-ptr: "10.0.0.5  dhcp.home.local"
# Upstream forwarders (presumably /etc/unbound/forward-zone.conf).
forward-zone:
    # "." = every name not answered by a local zone.
    name: "."
    # NOTE(review): with a forward-zone for "." the resolver does no recursion
    # of its own, so the root-hints file above is effectively unused (unbound
    # does not fall back to recursion when all forwarders fail unless
    # forward-first: yes is set). Queries leave in clear UDP/TCP and are spread
    # over these addresses (selection is RTT-based), so each of these operators
    # sees part of the query stream. DNSSEC is still validated locally, which
    # requires the forwarders to return DNSSEC records — otherwise
    # harden-dnssec-stripped turns the answer into SERVFAIL. The list dates
    # from 2016; verify each address still belongs to the party named in its
    # comment before relying on it.
    forward-addr: 8.8.4.4        # Google
    forward-addr: 8.8.8.8        # Google
    forward-addr: 37.235.1.174   # FreeDNS
    forward-addr: 37.235.1.177   # FreeDNS
    forward-addr: 50.116.23.211  # OpenNIC
    forward-addr: 64.6.64.6      # Verisign
    forward-addr: 64.6.65.6      # Verisign
    forward-addr: 74.82.42.42    # Hurricane Electric
    forward-addr: 84.200.69.80   # DNS Watch
    forward-addr: 84.200.70.40   # DNS Watch
    forward-addr: 91.239.100.100 # censurfridns.dk
    forward-addr: 109.69.8.51    # puntCAT
    forward-addr: 208.67.222.220 # OpenDNS
    forward-addr: 208.67.222.222 # OpenDNS
    forward-addr: 216.146.35.35  # Dyn Public
    forward-addr: 216.146.36.36  # Dyn Public

Checkup

Restart service :

service unbound restart

Check service :

unbound-control status

Test service :

# drill (from ldnsutils) queries the resolver directly; ip-dns-server is a
# placeholder for the address configured as interface: above. To check that
# DNSSEC validation works, query with drill -D and look for the "ad" flag.
apt-get install ldnsutils
drill libox.fr @ip-dns-server
box liandri # drill libox.fr @10.0.0.101
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 21223
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; libox.fr.	IN	A

;; ANSWER SECTION:
libox.fr.	3600	IN	A	5.196.197.68

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 654 msec
;; SERVER: 10.0.0.101
;; WHEN: Wed Sep  7 14:06:05 2016
;; MSG SIZE  rcvd: 42
box liandri # drill libox.fr @10.0.0.101
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 10054
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; libox.fr.	IN	A

;; ANSWER SECTION:
libox.fr.	3593	IN	A	5.196.197.68

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 10.0.0.101
;; WHEN: Wed Sep  7 14:06:13 2016
;; MSG SIZE  rcvd: 42

654 ms pour la première résolution (réponse récupérée en amont), ensuite latence 0 ms car la réponse vient du cache local.

Commandes utiles

Backup cache DNS :

unbound-control dump_cache > /home/liandri/dns-backup.conf

Restaurer cache DNS :

unbound-control dump_cache < /home/liandri/dns-backup.conf

Vérifier un domaine particulier :

unbound-control lookup libox.fr

Forcer la mise à jour d’un hôte ou d’une zone (purge du cache) :

# flush drops the cached records of one name; flush_zone drops everything at
# or below the name, which walks the entire cache and is slow on a large one.
unbound-control flush www.libox.fr
unbound-control flush_zone libox.fr

Lister les serveurs de forward utilisés actuellement :

unbound-control list_forwards

Étape finale : changer les serveurs DNS des clients

Suivant les clients.

Alternative

Via https://github.com/Angristan/Local-DNS-resolver/blob/master/debian-unbound.sh

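# Alternative, scripted setup (excerpt of Angristan's debian-unbound.sh), with
# the resolver bound to localhost only.

# Start unbound with the given configuration file. NOTE(review): this runs the
# daemon right away, before the new configuration below is written; on Debian
# the packaged service is normally already listening on port 53, so this line
# may fail or start a second instance. The later "service unbound restart" is
# what applies the configuration — consider dropping this line.
unbound -c /etc/unbound/unbound.conf

# Create/update the root DNSSEC trust anchor (file maintained per RFC 5011).
unbound-anchor -a "/var/lib/unbound/root.key"

# Get the root-server hints over HTTPS (authenticated transport; the original
# FTP URL gives no integrity guarantee for a file the resolver trusts).
wget https://www.internic.net/domain/named.cache -O /var/lib/unbound/root.hints

# Configuration: keep the packaged file, then write ours. A quoted here-doc
# replaces the original echo "..." whose inner double quotes ended the shell
# string, so the paths reached the file stripped of their quotes.
mv /etc/unbound/unbound.conf /etc/unbound/unbound.conf.old

cat > /etc/unbound/unbound.conf <<'EOF'
server:
root-hints: "/var/lib/unbound/root.hints"
auto-trust-anchor-file: "/var/lib/unbound/root.key"
# Loopback listener answering only local clients: not an open resolver.
interface: 127.0.0.1
access-control: 127.0.0.1 allow
port: 53
do-daemonize: yes
num-threads: 2
use-caps-for-id: yes
harden-glue: yes
hide-identity: yes
hide-version: yes
EOF

# Restart unbound
service unbound restart

# Allow the modification of the file (chattr comes from e2fsprogs)
apt install -y e2fsprogs
chattr -i /etc/resolv.conf
# Disable previous DNS servers
sed -i 's|nameserver|#nameserver|' /etc/resolv.conf
# Set localhost as the DNS resolver
echo "nameserver 127.0.0.1" >> /etc/resolv.conf
# Disallow the modification to prevent the file from being overwritten by the
# system. NOTE(review): where /etc/resolv.conf is a symlink managed by
# systemd-resolved or resolvconf, chattr does not achieve this; configure the
# resolver manager to use 127.0.0.1 instead of pinning the file.
chattr +i /etc/resolv.conf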