Since bolting DNSSEC validation onto each application separately is genuinely hard, I installed a local cache instead and use a caching DNS server with DNSSEC validation enabled.
The steps to enable it are simple:
Configuration file /etc/rc.conf:
local_unbound_enable="YES"
local_unbound configuration directory: /var/unbound
root@bsd11x200s:/var/unbound # ls -la
total 36
drwxr-xr-x 3 unbound unbound 8 Dec 3 23:08 .
drwxr-xr-x 26 root wheel 26 Dec 3 21:27 ..
drwxr-xr-x 2 unbound unbound 3 Dec 3 23:07 conf.d
-rw-r--r-- 1 root unbound 193 Oct 11 09:54 control.conf
-rw-r--r-- 1 root unbound 104 Dec 3 22:56 forward.conf
-rw-r--r-- 1 root unbound 189 Oct 11 09:54 lan-zones.conf
-rw-r--r-- 1 unbound unbound 1252 Dec 3 23:08 root.key
-rw-r--r-- 1 root unbound 389 Oct 11 09:54 unbound.conf
Configure the caching DNS servers that queries are forwarded to:
root@bsd11x200s:/var/unbound # cat forward.conf
# Generated by resolvconf
forward-zone:
name: "."
forward-addr: 8.8.8.8
forward-addr: 192.168.xxx.xxx
Set a few unbound parameters:
root@bsd11x200s:/var/unbound # cat conf.d/options.conf
server:
num-threads: 3
interface: 0.0.0.0
access-control: 127.0.0.0/8 allow
harden-glue: yes
harden-dnssec-stripped: yes
harden-below-nxdomain: yes
harden-referral-path: yes
Start the service:
root@bsd11x200s:/var/unbound # service local_unbound start
root@bsd11x200s:/var/unbound # cat /etc/resolv.conf
nameserver 127.0.0.1
options edns0
Testing
(1) host
root@bsd11x200s:/var/unbound # host www.google.com 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:
www.google.com has address 216.58.200.36
www.google.com has IPv6 address 2404:6800:4008:801::2004
(2) nslookup
root@bsd11x200s:/var/unbound # nslookup www.google.com 127.0.0.1
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: www.google.com
Address: 172.217.160.100
Name: www.google.com
Address: 2404:6800:4008:801::2004
(3) Testing DNSSEC with dig
root@bsd11x200s:/var/unbound # dig +dnssec @127.0.0.1 www.icann.org A
; <<>> DiG 9.11.2 <<>> +dnssec @127.0.0.1 www.icann.org A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65414
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.icann.org. IN A
;; ANSWER SECTION:
www.icann.org. 3566 IN CNAME www.vip.icann.org.
www.icann.org. 3566 IN RRSIG CNAME 7 3 3600 20171214150526 20171123111933 7500 icann.org. i5KCfOv/+c/xIaRxmQrqTItEtlGkTe9RWoh2gKh5Rh/a431n2CLLNiZ2 8xpuDXoqb2KQlAz4JBhyydFb2ilPCJIPXFbiQbUksuDV6zHdYu+PzlUC hbxRkBhRD2CIPOc227igVbp3io4oTqlzaja4P0gq268yoVEOPb2/2sSs DzFDV80=
www.vip.icann.org. 29 IN A 192.0.32.7
www.vip.icann.org. 29 IN RRSIG A 7 4 30 20171208095813 20171201095813 6887 vip.icann.org. k4FaKFgAcblg0yRPMyP1TvNcXmgI9d1GXM4YQ9jelGeCro2I+OQW+BFg OKQgmjcnh3M7NiZBW2vQQF000iKWS938B/YeiODQuun+kv9ANaiCEipD /0FFkjecpgwuMCCy2ommmRsWSlv4484Sdw7KRW8S28SZj8jonCqzIDct rVQ=
www.vip.icann.org. 29 IN RRSIG A 7 4 30 20171208095813 20171201095813 4532 vip.icann.org. FoSTut3HaWz1SEHtxReWh7IuOHOv4kCAEIuz1zPQPQVvNDU6WHenVF4h YSJOSLgyLwZ9P1MsH8PGPJEpCJr6jOR1Gl7QF24UezSj5PXnoinPLyjG Zm8/3DcM6UcrZhwmm9wRTSOuGv+LAmiU9Ab0WUfKEKR/vMnj4qn5HR+Y QOI=
;; Query time: 315 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Dec 03 23:24:36 CST 2017
;; MSG SIZE rcvd: 598
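To make the check in step (3) repeatable, here is an added example (not part of the original post) that parses the text output of dig +dnssec: it reports whether the reply carries the ad (authenticated data) bit, which is the only evidence that the local unbound validated the chain, and checks each RRSIG's inception/expiration window against a reference time. The sample replies embedded below are constructed from the reply shown above, trimmed and with the signatures replaced by "sig"; the file name dnssec_check.sh in the comment is an assumption.

```shell
#!/bin/sh
# Live use (assumed file name): dig +dnssec @127.0.0.1 www.icann.org A | sh dnssec_check.sh

# Verdict from dig text on stdin: VALIDATED (ad bit set), NOT_VALIDATED,
# SERVFAIL (validation or upstream failure) or NO_REPLY. Exit 0 only if VALIDATED.
dnssec_verdict() {
    awk '
      /^;; ->>HEADER<<-/ { seen = 1; s = $0; sub(/.*status: /, "", s); sub(/,.*/, "", s); status = s }
      /^;; flags:/       { f = $0; sub(/^;; flags: /, "", f); sub(/;.*/, "", f); flags = " " f " " }
      END {
        if (!seen)                { print "NO_REPLY";  exit 1 }
        if (status == "SERVFAIL") { print "SERVFAIL";  exit 1 }
        if (flags ~ / ad /)       { print "VALIDATED"; exit 0 }
        print "NOT_VALIDATED"; exit 1
      }'
}

# Check every RRSIG in the reply against a reference time in the same
# YYYYMMDDHHMMSS (UTC) form dig prints. One line per RRSIG; exit 1 if any
# signature is outside its inception..expiration window.
rrsig_window_check() {
    awk -v now="$1" '
      $0 !~ /^;/ && $4 == "RRSIG" {
        e = $9 + 0; i = $10 + 0          # $9 = expiration, $10 = inception
        if (now + 0 < i)      { print "NOT_YET_VALID " $1 " " $5; bad++ }
        else if (now + 0 > e) { print "EXPIRED " $1 " " $5 " (expired " $9 ")"; bad++ }
        else                  { print "OK " $1 " " $5 " (expires " $9 ")" }
      }
      END { exit (bad ? 1 : 0) }'
}

# Constructed sample: the reply shown in the post, trimmed, signatures replaced by "sig".
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65414
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
www.icann.org. 3566 IN CNAME www.vip.icann.org.
www.icann.org. 3566 IN RRSIG CNAME 7 3 3600 20171214150526 20171123111933 7500 icann.org. sig
www.vip.icann.org. 29 IN A 192.0.32.7
www.vip.icann.org. 29 IN RRSIG A 7 4 30 20171208095813 20171201095813 6887 vip.icann.org. sig'
# Constructed sample: a reply without the ad bit (resolver answering but not validating).
SAMPLE_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Demo on the constructed samples; the reference time is the query time in the
# post (Sun Dec 03 23:24:36 CST 2017, i.e. 15:24:36 UTC).
printf '%s\n' "$SAMPLE_VALIDATED" | dnssec_verdict
printf '%s\n' "$SAMPLE_VALIDATED" | rrsig_window_check 20171203152436
```

Note that RRSIG records in the answer section prove nothing by themselves; a non-validating forwarder passes them through unchanged, so it is the ad bit from your own local resolver that matters, and it is only trustworthy when the query goes to 127.0.0.1 as in the post.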
To learn what DNSSEC is, first read:
DNSSEC – What Is It and Why Is It Important?
The following shows the current state of DNSSEC support among TLDs.
References