Sunday, December 03, 2017

FreeBSD 11.1 local_unbound configuration

Why use local_unbound? Mainly so that DNSSEC validation starts on the local host itself,
since bolting it onto each individual application is genuinely hard. So the approach is to install
a local caching resolver and forward to a caching DNS server that already has DNSSEC validation enabled.

The simple steps to bring it up are as follows:
Configuration file /etc/rc.conf
local_unbound_enable="YES"

local_unbound configuration directory /var/unbound
root@bsd11x200s:/var/unbound # ls -la
total 36
drwxr-xr-x   3 unbound  unbound     8 Dec  3 23:08 .
drwxr-xr-x  26 root     wheel      26 Dec  3 21:27 ..
drwxr-xr-x   2 unbound  unbound     3 Dec  3 23:07 conf.d
-rw-r--r--   1 root     unbound   193 Oct 11 09:54 control.conf
-rw-r--r--   1 root     unbound   104 Dec  3 22:56 forward.conf
-rw-r--r--   1 root     unbound   189 Oct 11 09:54 lan-zones.conf
-rw-r--r--   1 unbound  unbound  1252 Dec  3 23:08 root.key
-rw-r--r--   1 root     unbound   389 Oct 11 09:54 unbound.conf

Configure the caching DNS servers that queries are forwarded to
root@bsd11x200s:/var/unbound # cat forward.conf
# Generated by resolvconf

forward-zone:
name: "."
forward-addr: 8.8.8.8
forward-addr: 192.168.xxx.xxx

Set a few unbound parameters
root@bsd11x200s:/var/unbound # cat conf.d/options.conf 
server:
    num-threads: 3
    interface: 0.0.0.0
    access-control: 127.0.0.0/8 allow
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-below-nxdomain: yes
    harden-referral-path: yes


Start the service
root@bsd11x200s:/var/unbound # service local_unbound  start

root@bsd11x200s:/var/unbound # cat /etc/resolv.conf

nameserver 127.0.0.1
options edns0


Testing
(1) host
root@bsd11x200s:/var/unbound # host www.google.com 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases: 

www.google.com has address 216.58.200.36
www.google.com has IPv6 address 2404:6800:4008:801::2004

(2) nslookup 
root@bsd11x200s:/var/unbound # nslookup www.google.com 127.0.0.1
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: www.google.com
Address: 172.217.160.100
Name: www.google.com
Address: 2404:6800:4008:801::2004

(3) dig DNSSEC test
root@bsd11x200s:/var/unbound # dig +dnssec @127.0.0.1 www.icann.org A

; <<>> DiG 9.11.2 <<>> +dnssec @127.0.0.1 www.icann.org A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65414
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.icann.org. IN A

;; ANSWER SECTION:
www.icann.org. 3566 IN CNAME www.vip.icann.org.
www.icann.org. 3566 IN RRSIG CNAME 7 3 3600 20171214150526 20171123111933 7500 icann.org. i5KCfOv/+c/xIaRxmQrqTItEtlGkTe9RWoh2gKh5Rh/a431n2CLLNiZ2 8xpuDXoqb2KQlAz4JBhyydFb2ilPCJIPXFbiQbUksuDV6zHdYu+PzlUC hbxRkBhRD2CIPOc227igVbp3io4oTqlzaja4P0gq268yoVEOPb2/2sSs DzFDV80=
www.vip.icann.org. 29 IN A 192.0.32.7
www.vip.icann.org. 29 IN RRSIG A 7 4 30 20171208095813 20171201095813 6887 vip.icann.org. k4FaKFgAcblg0yRPMyP1TvNcXmgI9d1GXM4YQ9jelGeCro2I+OQW+BFg OKQgmjcnh3M7NiZBW2vQQF000iKWS938B/YeiODQuun+kv9ANaiCEipD /0FFkjecpgwuMCCy2ommmRsWSlv4484Sdw7KRW8S28SZj8jonCqzIDct rVQ=
www.vip.icann.org. 29 IN RRSIG A 7 4 30 20171208095813 20171201095813 4532 vip.icann.org. FoSTut3HaWz1SEHtxReWh7IuOHOv4kCAEIuz1zPQPQVvNDU6WHenVF4h YSJOSLgyLwZ9P1MsH8PGPJEpCJr6jOR1Gl7QF24UezSj5PXnoinPLyjG Zm8/3DcM6UcrZhwmm9wRTSOuGv+LAmiU9Ab0WUfKEKR/vMnj4qn5HR+Y QOI=

;; Query time: 315 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Dec 03 23:24:36 CST 2017
;; MSG SIZE  rcvd: 598
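
An added check, not code from the original post, that turns the dig test above into a repeatable verdict: it reads the `status:` and `flags:` header lines exactly as they appear in the output above, treats the `ad` flag as proof that local_unbound validated the answer, and assumes dig is installed and the resolver listens on 127.0.0.1.

```sh
#!/bin/sh
# Added example, not part of the original post. Classifies a dig +dnssec answer
# the way a practitioner reads it: the AD flag in the header (seen above as
# "flags: qr rd ra ad") means local_unbound validated the chain; a validating
# resolver answers SERVFAIL for a signed zone whose signatures fail to validate.

# Reads dig output on stdin, prints one word: validated | unvalidated | bogus | other
dnssec_verdict() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p')
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p')
    case " $flags " in
        *" ad "*) ad=1 ;;
        *)        ad=0 ;;
    esac
    if [ "$status" = NOERROR ] && [ "$ad" = 1 ]; then
        echo validated      # answer passed DNSSEC validation on the resolver
    elif [ "$status" = NOERROR ]; then
        echo unvalidated    # no AD: zone unsigned, or resolver not validating
    elif [ "$status" = SERVFAIL ]; then
        echo bogus          # typical result for a signed zone with bad signatures
    else
        echo other
    fi
}

# Live check against the resolver (defaults to 127.0.0.1 as in the post).
check_name() {
    dig +dnssec @"${2:-127.0.0.1}" "$1" A | dnssec_verdict
}

# Constructed sample headers (trimmed dig output) used when run stand-alone.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65414
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_NOAD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

printf '%s\n' "$SAMPLE_VALIDATED" | dnssec_verdict   # validated
printf '%s\n' "$SAMPLE_NOAD"      | dnssec_verdict   # unvalidated
printf '%s\n' "$SAMPLE_BOGUS"     | dnssec_verdict   # bogus
```

Run `check_name www.icann.org` against the live resolver to repeat the post's test; a result other than `validated` for a known signed zone means validation is not actually happening on the local host.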

If you want to understand what DNSSEC is, first see

Below is the current state of DNSSEC support among TLDs
