
安装配置 unbound 作为 dot 服务器


注意:unbound 1.13.1(含)及更高版本不能在具有内核版本5的 Debian 上运行。尽管报告有故障的版本为1.13.1 - 1.16.1,但目前尚不清楚 1.16.2 和 1.16.3 是否有修复

以下操作基于 Debian stretch 和 unbound 1.16.3(当前最新版本)

安装必要的组件

# Build dependencies: toolchain, OpenSSL (for --with-ssl), expat (for
# --with-libexpat), libevent (for --with-libevent), libsystemd (for
# --enable-systemd) and the parser generators unbound's build needs.
apt install -y \
  build-essential pkg-config \
  libssl-dev libexpat1-dev libevent-dev libsystemd-dev \
  bison flex wget

下载解压最新版

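# Pin the release rather than fetching "unbound-latest": the tarball name and
# the directory entered below then always agree, and the checksum checked is
# for a known version. 1.16.3 is the version this page was written against.
UNBOUND_VERSION="1.16.3"
UNBOUND_TARBALL="unbound-${UNBOUND_VERSION}.tar.gz"
# Fetch over HTTPS instead of plain HTTP so the build input cannot be
# replaced in transit.
wget "https://nlnetlabs.nl/downloads/unbound/${UNBOUND_TARBALL}"
# Verify the download before building it: replace the placeholder with the
# SHA-256 published for this release (the release page also carries a PGP
# signature). sha256sum -c fails on a mismatch, and the && chain then stops
# before anything is unpacked.
echo "<sha256-from-release-page>  ${UNBOUND_TARBALL}" | sha256sum -c - \
  && tar xvfz "${UNBOUND_TARBALL}" \
  && cd "unbound-${UNBOUND_VERSION}"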

编译并安装

# --enable-subnet is what provides the "subnetcache" module referenced in
# unbound.conf; --enable-systemd relies on the libsystemd-dev package
# installed above.
./configure \
  --enable-systemd \
  --enable-subnet \
  --enable-cachedb \
  --with-libexpat=/usr \
  --with-libevent \
  --with-ssl \
  --disable-flto
# Install only after a successful build.
make && make install

为unbound建立用户组和用户,以及准备一些配置文件

# Dedicated unprivileged account for the daemon: no login shell, home under
# /var/unbound, which also holds the pidfile directory used by the init script.
groupadd unbound
useradd --home-dir /var/unbound --create-home --gid unbound --shell /bin/false unbound
mkdir -p /var/unbound/var/run
chown -R unbound:unbound /var/unbound
# Make the conventional /var/run pidfile location point at the one under
# /var/unbound.
ln -s /var/unbound/var/run/unbound.pid /var/run/unbound.pid

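cd /etc/unbound
# Root hints. Fetch them over HTTPS; the ftp:// URL delivers them in
# cleartext. (The unbound.conf on this page forwards everything to 8.8.8.8
# and sets no root-hints, so this file only matters if you later switch to
# full recursion.)
wget https://www.internic.net/domain/named.cache
# Root trust anchors (DS records) for DNSSEC validation. Each line starts
# with the owner name "." so the anchor applies to the root zone; a line
# without it is not read as a root anchor. Key tag 20326 is the current root
# KSK; 19036 is the retired 2010 KSK, which unbound's RFC 5011 tracking will
# drop once it is absent from the root DNSKEY set.
cat > auto-trust-anchor-file.key << EOF
. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
. IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
EOF
# unbound rewrites this file while tracking key rollovers, so the unbound
# user must own it.
chown unbound:unbound auto-trust-anchor-file.key
# NOTE(review): unbound.conf on this page points auto-trust-anchor-file at
# /var/unbound/auto-trust-anchor-file.key while this writes
# /etc/unbound/auto-trust-anchor-file.key, and the chroot is /etc/unbound.
# Run unbound-checkconf and confirm unbound can actually open the file.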

配置自启动 /etc/init.d/unbound(以下脚本提取自 debian unbound 1.13,有修改)

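#!/bin/sh

### BEGIN INIT INFO
# Provides:          unbound
# Required-Start:    $network $remote_fs $syslog
# Required-Stop:     $network $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
### END INIT INFO
# pidfile: /run/unbound.pid
#
# Init script for a source-built unbound, adapted from the Debian 1.13
# package script. The Debian package helper and the LSB log functions are
# optional here: when they are absent, small stand-ins are used instead of
# failing with "command not found" on every action.

NAME="unbound"
DESC="DNS server"
DAEMON="/usr/local/sbin/unbound"
# The pidfile lives in a tree owned by the unprivileged unbound user, so it
# must never be the only thing that decides which pid root signals: every
# start-stop-daemon call below also passes --name, which checks the process
# name. Keep both.
PIDFILE="/var/unbound/var/run/unbound.pid"

# Debian's package-helper is not part of a source build. Leave it empty (or
# set it in /etc/default/unbound) and the helper steps are skipped.
HELPER=""

test -x "$DAEMON" || exit 0

# /lib/lsb/init-functions is deliberately not sourced, as on the page this
# script was taken from. NOTE(review): on a systemd host its redirect hook can
# hand "start" back to systemctl when the script runs as the unit's ExecStart
# unless _SYSTEMCTL_SKIP_REDIRECT is set — test that path before enabling it.
#. /lib/lsb/init-functions

# Minimal stand-ins for the LSB helpers, defined only when the real ones are
# not already in scope. log_end_msg returns its argument, like the LSB one.
if ! command -v log_daemon_msg >/dev/null 2>&1; then
    log_daemon_msg() { printf '%s: %s' "$1" "$2"; }
fi
if ! command -v log_end_msg >/dev/null 2>&1; then
    log_end_msg() {
        if [ "$1" -eq 0 ]; then echo " ... done."; else echo " ... failed!"; fi
        return "$1"
    }
fi
if ! command -v status_of_proc >/dev/null 2>&1; then
    # Stand-in for "status_of_proc -p PIDFILE DAEMON NAME": use the pidfile
    # when present, otherwise pidof on the daemon path. Returns 0 when
    # running and 3 when not, following the LSB status codes.
    status_of_proc() {
        sop_pidfile=""
        if [ "$1" = "-p" ]; then
            sop_pidfile=$2
            shift 2
        fi
        sop_daemon=$1
        sop_name=$2
        if [ -r "$sop_pidfile" ]; then
            sop_pid=$(cat "$sop_pidfile")
        else
            sop_pid=$(pidof "$sop_daemon" 2>/dev/null)
        fi
        # $sop_pid is unquoted on purpose: pidof may return several pids.
        # shellcheck disable=SC2086
        if [ -n "$sop_pid" ] && kill -0 $sop_pid 2>/dev/null; then
            echo "$sop_name is running."
            return 0
        fi
        echo "$sop_name is not running."
        return 3
    }
fi

# Run the package helper only when one is configured and executable.
run_helper() {
    if [ -n "$HELPER" ] && [ -x "$HELPER" ]; then
        "$HELPER" "$@"
    fi
}

# Override this variable by editing or creating /etc/default/unbound.
# -d keeps unbound in the foreground and -p skips the pidfile (check
# `unbound -h` for your version); systemd then supervises the process that
# start-stop-daemon --startas runs.
DAEMON_OPTS="-d -p -c /etc/unbound/unbound.conf"

if [ -f /etc/default/unbound ]; then
    . /etc/default/unbound
fi

# $DAEMON_OPTS is deliberately unquoted everywhere below: it is a
# whitespace-separated option list that must be split into arguments.
case "$1" in
    start)
        log_daemon_msg "Starting $DESC" "$NAME"
        run_helper chroot_setup
        run_helper root_trust_anchor_update 2>&1 | logger -p daemon.info -t unbound-anchor
        # shellcheck disable=SC2086
        if start-stop-daemon --start --quiet --oknodo --pidfile "$PIDFILE" --name "$NAME" --startas "$DAEMON" -- $DAEMON_OPTS; then
            run_helper resolvconf_start
            log_end_msg 0
        else
            log_end_msg 1
        fi
        ;;

    stop)
        log_daemon_msg "Stopping $DESC" "$NAME"
        if start-stop-daemon --stop --quiet --oknodo --pidfile "$PIDFILE" --name "$NAME" --retry 5; then
            run_helper resolvconf_stop
            run_helper chroot_teardown
            log_end_msg 0
        else
            log_end_msg 1
        fi
        ;;

    restart|force-reload)
        log_daemon_msg "Restarting $DESC" "$NAME"
        start-stop-daemon --stop --quiet --pidfile "$PIDFILE" --name "$NAME" --retry 5
        run_helper resolvconf_stop
        # shellcheck disable=SC2086
        if start-stop-daemon --start --quiet --oknodo --pidfile "$PIDFILE" --name "$NAME" --startas "$DAEMON" -- $DAEMON_OPTS; then
            run_helper chroot_setup
            run_helper resolvconf_start
            log_end_msg 0
        else
            log_end_msg 1
        fi
        ;;

    reload)
        log_daemon_msg "Reloading $DESC" "$NAME"
        # SIGHUP (signal 1) asks the running daemon to reload its config.
        if start-stop-daemon --stop --pidfile "$PIDFILE" --name "$NAME" --signal 1; then
            run_helper chroot_setup
            log_end_msg 0
        else
            log_end_msg 1
        fi
        ;;

    status)
        status_of_proc -p "$PIDFILE" "$DAEMON" "$NAME"
        exit $?
        ;;

    *)
        echo "Usage: /etc/init.d/$NAME {start|stop|restart|status|reload|force-reload}" >&2
        exit 1
        ;;
esac

exit 0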

向systemd注册自启动 /etc/systemd/system/unbound.service

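[Unit]
Description=Unbound DNS-over-TLS resolver (source build, started via init script)
SourcePath=/etc/init.d/unbound
# SourcePath is informational only; the init script's $network dependency is
# not inherited, so order the unit after the network explicitly.
After=network.target

[Service]
ExecStart=/etc/init.d/unbound start
ExecStop=/etc/init.d/unbound stop

# Without an [Install] section "systemctl enable unbound" has nothing to
# install and can only fall back to the SysV symlinks.
[Install]
WantedBy=multi-user.target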

配置文件 /etc/unbound/unbound.conf

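server:
    username: "unbound"
    # Every IPv4 source may query: this is an open resolver on port 853.
    # Narrow it to the client ranges you actually serve unless a public
    # service is intended. NOTE(review): no rule is given for ::/0, and
    # unbound's shipped default for ::/0 is refuse, so the ::0@853 listener
    # below presumably refuses IPv6 clients — confirm on your version.
    access-control: 0.0.0.0/0 allow

    # DNS-over-TLS only: both listeners bind to 853 and no :53 listener exists.
    interface: 0.0.0.0@853
    interface: ::0@853
    ssl-port: 853
    # RFC 5011 tracked root anchors; unbound rewrites this file, so the
    # unbound user must be able to write it.
    auto-trust-anchor-file: "/var/unbound/auto-trust-anchor-file.key"
    # Certificate and private key for the TLS listener. The key must be
    # readable by the unbound user after the chroot — and by nobody else.
    # (Newer releases also accept the tls-service-key/tls-service-pem
    # spellings.)
    ssl-service-key: "/var/unbound/sslcert.key"
    ssl-service-pem: "/var/unbound/sslcert.crt"

    # Per unbound.conf(5), with chroot set a file path that does not start
    # with the chroot directory is resolved relative to it, so the
    # /var/unbound paths above are looked up under /etc/unbound/var/unbound.
    # Check with unbound-checkconf that every file opens before relying on it.
    directory: "/etc/unbound"
    chroot: "/etc/unbound"
    pidfile: "/var/run/unbound.pid"

    log-servfail: yes
    aggressive-nsec: yes
    hide-trustanchor: yes
    hide-version: yes
    hide-identity: yes
    qname-minimisation: yes
    qname-minimisation-strict: no
    minimal-responses: yes
    rrset-roundrobin: yes

    do-not-query-localhost: yes
    infra-cache-numhosts: 50000

    so-rcvbuf: 8m
    so-sndbuf: 8m
    msg-cache-size: 64m
    key-cache-size: 64m
    # The original config set neg-cache-size twice (25m, then 32m); a later
    # setting overrides an earlier one, so 32m was the value in effect.
    neg-cache-size: 32m
    rrset-cache-size: 128m

    outgoing-range: 8192
    num-queries-per-thread: 4096
    outgoing-num-tcp: 200
    # The original config set incoming-num-tcp twice (1000, then 200); the
    # later 200 was the value in effect and is kept. DoT clients hold TCP
    # connections, so this bounds concurrent clients per thread — raise it
    # if 1000 was the intent.
    incoming-num-tcp: 200
    jostle-timeout: 300

    cache-min-ttl: 120
    cache-max-ttl: 86400
    infra-host-ttl: 3600
    serve-expired-ttl: 86400
    cache-max-negative-ttl: 360

    serve-expired: yes
    prefetch: yes
    prefetch-key: yes
    max-udp-size: 4096

    edns-buffer-size: 4096
    edns-tcp-keepalive: yes
    edns-tcp-keepalive-timeout: 120000

    # subnetcache needs the --enable-subnet build option used above.
    module-config: "subnetcache validator iterator"
    # send-client-subnet names the upstream addresses that receive EDNS
    # Client Subnet. TODO(review): 8.8.8.8 is outside 0.0.0.0/24 — confirm
    # this is the intended (effectively no-ECS) behaviour.
    send-client-subnet: 0.0.0.0/24
    # If set to yes, the downstream client's EDNS Client Subnet is passed
    # through unchanged to the upstream.
    client-subnet-always-forward: no

# Everything is forwarded to Google Public DNS in cleartext on port 53: the
# clients' queries are protected by TLS only on the hop to this server. To
# keep them encrypted upstream too, set forward-tls-upstream: yes in this
# zone, use forward-addr: 8.8.8.8@853#dns.google, and set tls-cert-bundle in
# the server section so the upstream certificate is verified.
forward-zone:
    name: "."
    forward-addr: 8.8.8.8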

运行

# The init script must be executable before systemd can run it as ExecStart.
chmod u=rwx,go=rx /etc/init.d/unbound
# Load the new unit file, enable it at boot, then start it now.
systemctl daemon-reload
systemctl enable unbound
systemctl start unbound