There are plenty of Unbound setup tutorials online, but very few cover building from source, and the configuration files they ship are not suitable for a production environment, so I wrote this guide.

Compiling and installing Unbound
# Build dependencies. make, wget and the autotools (needed by libevent's ./autogen.sh)
# are not pulled in by gcc-c++, so they are listed explicitly.
dnf install -y hiredis-devel expat-devel openssl-devel libnghttp2-devel gcc-c++ make unzip wget autoconf automake libtool

# Fetch the Unbound source (master branch) and a libevent release tarball.
wget -O unbound-master.zip https://github.com/NLnetLabs/unbound/archive/refs/heads/master.zip
wget https://github.com/libevent/libevent/releases/download/release-2.1.12-stable/libevent-2.1.12-stable.tar.gz

# Build and install libevent under /usr so Unbound's --with-libevent=/usr finds it.
tar zxvf libevent-2.1.12-stable.tar.gz
cd libevent-2.1.12-stable/
./autogen.sh
./configure --prefix=/usr
make
make install
echo /usr/local/lib > /etc/ld.so.conf.d/usr_local_lib.conf
ldconfig
cd ../

# Build Unbound with the EDNS client-subnet and cachedb (Redis) modules enabled.
# It is installed under /usr/local/unbound and runs as the "unbound" user.
unzip unbound-master.zip
cd unbound-master/
./configure --prefix=/usr/local/unbound --enable-subnet --enable-cachedb --with-libhiredis=/usr --with-libevent=/usr --with-libnghttp2=/usr --with-username=unbound --without-pthreads --without-solaris-threads
make
make install
cd ../
Creating the Unbound configuration file

mkdir -p /etc/unbound
vi /etc/unbound/unbound.conf

Here is an example configuration that forwards all queries to an upstream DNS server:
# The server clause sets the main parameters.
server:
    username: "unbound"
    chroot: ""
    logfile: "/data/dnslogs/unbound.log"
    log-queries: no
    log-servfail: yes
    log-time-ascii: yes
    use-syslog: no
    verbosity: 1
    # Listens on every IPv4 address and answers every client. Unless port 53 is
    # firewalled, restrict access-control to your own client networks, otherwise
    # this is an open resolver that can be abused for amplification.
    interface: 0.0.0.0@53
    access-control: 0.0.0.0/0 allow
    # Must be "no" here because the forwarder below lives on 127.0.0.1.
    do-not-query-localhost: no
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
    do-daemonize: no
    num-threads: 2
    msg-cache-slabs: 4
    rrset-cache-slabs: 4
    key-cache-slabs: 4
    infra-cache-slabs: 4
    aggressive-nsec: yes
    hide-trustanchor: yes
    hide-version: yes
    hide-identity: yes
    qname-minimisation: yes
    qname-minimisation-strict: no
    minimal-responses: yes
    rrset-roundrobin: yes
    so-reuseport: yes
    infra-cache-numhosts: 10000
    unwanted-reply-threshold: 10000000
    so-rcvbuf: 4m
    so-sndbuf: 4m
    msg-cache-size: 64m
    key-cache-size: 64m
    neg-cache-size: 64m
    rrset-cache-size: 128m
    outgoing-range: 8192
    num-queries-per-thread: 4096
    outgoing-num-tcp: 1024
    incoming-num-tcp: 2048
    jostle-timeout: 300
    cache-min-ttl: 60
    cache-max-ttl: 3600
    cache-max-negative-ttl: 300
    infra-host-ttl: 3600
    serve-expired-ttl: 86400
    serve-expired-reply-ttl: 5
    serve-expired-client-timeout: 1800
    serve-expired: yes
    prefetch: yes
    prefetch-key: yes
    max-udp-size: 4096
    edns-buffer-size: 4096
    # EDNS client-subnet: forward the client's subnet (truncated to /24 and /56) upstream.
    send-client-subnet: 0.0.0.0/0
    send-client-subnet: ::0/0
    max-client-subnet-ipv4: 24
    max-client-subnet-ipv6: 56
    client-subnet-always-forward: yes
    # Module order: subnetcache and cachedb require the --enable-subnet and
    # --enable-cachedb build options used above.
    module-config: "subnetcache cachedb iterator"

# Forward everything to a resolver listening locally on port 8053.
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@8053

# Uncomment to back the cachedb module with Redis (unix socket or TCP).
#cachedb:
#    backend: "redis"
#    redis-server-path: /dev/shm/redis.sock
#    redis-server-host: 127.0.0.1
#    redis-server-port: 6379
#    redis-timeout: 100
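Before putting the configuration above into service, the two settings most likely to bite are the allow-all access-control on a wildcard interface and the do-not-query-localhost / 127.0.0.1 forwarder pair. The following POSIX shell lint is an added example, not part of the original post; it only needs sed and grep, and the two sample configs it checks are constructed inline.

```shell
# Added example (not from the original post): a lint for the unbound.conf above.
# It flags two settings worth checking before the config goes live:
#  1. "access-control: 0.0.0.0/0 allow" (or ::0/0) on a wildcard interface
#     makes the host an open resolver unless a firewall is in front of it.
#  2. A forward-addr on 127.0.0.1 only works with do-not-query-localhost: no.
# Returns 0 when nothing is flagged, 1 otherwise.
# Drop comments and blank lines, squeeze whitespace to single spaces.
strip_conf() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]][[:space:]]*/ /g' "$1" | grep -v '^$'
}

lint_unbound_conf() {
    conf=$(strip_conf "$1")
    rc=0
    if printf '%s\n' "$conf" | grep -Eq '^access-control: (0\.0\.0\.0/0|::0?/0) allow$' &&
       printf '%s\n' "$conf" | grep -Eq '^interface: (0\.0\.0\.0|::0?)(@[0-9]+)?$'; then
        echo "WARN $1: allow-all access-control on a wildcard interface (open resolver unless firewalled)"
        rc=1
    fi
    if printf '%s\n' "$conf" | grep -Eq '^forward-addr: 127\.0\.0\.1(@[0-9]+)?$' &&
       ! printf '%s\n' "$conf" | grep -q '^do-not-query-localhost: no$'; then
        echo "WARN $1: forward-addr on 127.0.0.1 but do-not-query-localhost is not 'no'"
        rc=1
    fi
    return $rc
}
# Constructed sample configs so the script runs stand-alone.
tmp=$(mktemp -d)
cat > "$tmp/open.conf" <<'EOF'
server:
    interface: 0.0.0.0@53
    access-control: 0.0.0.0/0 allow
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@8053
EOF
cat > "$tmp/restricted.conf" <<'EOF'
server:
    interface: 0.0.0.0@53
    access-control: 10.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    do-not-query-localhost: no
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@8053
EOF
lint_unbound_conf "$tmp/open.conf"        # prints both warnings, returns 1
lint_unbound_conf "$tmp/restricted.conf"  # prints nothing, returns 0
```

Run it as `sh lint.sh` after saving, or point `lint_unbound_conf` at /etc/unbound/unbound.conf; it complements, rather than replaces, Unbound's own unbound-checkconf syntax check.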
Creating the unbound user, group and log directory

# The user must match --with-username above; the log directory must be writable by it.
/usr/sbin/groupadd unbound
/usr/sbin/useradd -g unbound unbound
mkdir -p /data/dnslogs
chown -R unbound:unbound /data/dnslogs
Configuring log rotation

vi /etc/logrotate.d/unbound

/data/dnslogs/unbound.log {
    daily
    rotate 30
    missingok
    copytruncate
    dateext
    nocompress
    notifempty
}
Creating the unbound service

vi /usr/lib/systemd/system/unbound.service

[Unit]
Description=Unbound recursive Domain Name Server
After=syslog.target network.target
Before=nss-lookup.target
Wants=nss-lookup.target

[Service]
Type=simple
# -d keeps Unbound in the foreground, which is what Type=simple expects.
ExecStart=/usr/local/unbound/sbin/unbound -d -c /etc/unbound/unbound.conf
Restart=always

[Install]
WantedBy=multi-user.target
Starting the unbound service

systemctl start unbound
systemctl enable unbound
systemctl status unbound

Setup is now complete.