Purpose
A task to build a DNS server on Docker came my way, so this post shows how to build unbound using almalinux as the base image.
Build
Dockerfile
FROM almalinux:latest
RUN yum -y update && yum -y install unbound
ADD unbound.conf /etc/unbound/
ENTRYPOINT ["/usr/sbin/unbound","-d","-c","/etc/unbound/unbound.conf"]
The -d option keeps unbound from dropping into the background (no daemonizing).
The -c option specifies the configuration file.
/usr/sbin/unbound is where the binary lives. I had been specifying /sbin/unbound the whole time and it wouldn't start.
docker-compose.yml
Because the Docker host OS is Ubuntu and UDP port 53 was already in use there, this time the server is exposed using macvlan.
version: "3.9"
services:
  unbound:
    build: .
    image: unbound-alma:1.0.0
    container_name: unbound
    tty: true
    networks:
      vlan0:
        ipv4_address: 172.24.20.205
networks:
  vlan0:
    name: vlan0
    driver: macvlan
    driver_opts:
      parent: enp1s0
    ipam:
      config:
        - subnet: 172.24.20.0/24
          gateway: 172.24.20.254
unbound.conf
server:
    # Send minimum amount of information to upstream servers to enhance
    # privacy. Only sends minimum required labels of the QNAME and sets
    # QTYPE to NS when possible.
    # See RFC 7816 "DNS Query Name Minimisation to Improve Privacy" for
    # details.
    # qname-minimisation: yes

    # allow local address
    access-control: 0.0.0.0/0 allow

    # listen interface
    interface: 0.0.0.0

    # hide version
    hide-version: yes
    hide-identity: yes

    use-syslog: yes
    log-queries: yes

    local-data: "www.tmcit.sho IN A 172.24.20.25"
    # local-data: "fuga.example.com. IN A 172.16.0.2"
    # local-data: "foo.example.com. IN A 172.16.0.3"
    # local-data: "bar.example.com. IN A 172.16.0.4"

#forward-zone:
#    name: "example.org."
#    forward-addr: 192.168.10.5

forward-zone:
    name: "."
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4
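The unbound.conf above answers recursive queries from any source (access-control: 0.0.0.0/0 allow), so once the macvlan address is reachable it is an open resolver, and it forwards to Google over plain UDP. Below is a hardened variant of the same file, added here as an example and not part of the original post; it assumes the clients live in 172.24.20.0/24, that the AlmaLinux CA bundle is at /etc/pki/tls/certs/ca-bundle.crt, and that the unbound package ships the root trust anchor at /var/lib/unbound/root.key.

```conf
server:
    interface: 0.0.0.0

    # Deny by default; only the macvlan subnet (assumed client range) and
    # loopback may use the resolver.
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 172.24.20.0/24 allow

    # The ENTRYPOINT starts unbound as root; drop to the package's
    # service user after binding port 53.
    username: "unbound"

    # Per-client query rate cap (queries per second) to blunt abuse
    # from a misbehaving host on the allowed subnet.
    ip-ratelimit: 1000

    qname-minimisation: yes
    hide-version: yes
    hide-identity: yes

    # No syslog daemon runs inside the container: an empty logfile with
    # use-syslog off sends logs to stderr, where `docker logs` can read them.
    use-syslog: no
    logfile: ""
    log-queries: yes

    # Same local record as the original, with an explicit trailing dot.
    local-data: "www.tmcit.sho. IN A 172.24.20.25"

    # DNSSEC validation with the managed root anchor (assumed package path).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # CA bundle used to verify the upstream TLS certificates (assumed EL path).
    tls-cert-bundle: "/etc/pki/tls/certs/ca-bundle.crt"

forward-zone:
    name: "."
    # Forward over DNS-over-TLS (port 853) and pin the upstream's name
    # so the certificate is checked against it.
    forward-tls-upstream: yes
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 8.8.4.4@853#dns.google
```

Run unbound-checkconf /etc/unbound/unbound.conf inside the image before starting the container; it reports syntax errors and missing files such as the trust anchor or CA bundle. A dig from an address outside 172.24.20.0/24 should now return status: REFUSED instead of an answer.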
Verification
Check that the DNS functions are actually working.
docker-compose up
Caching DNS check
shoma@LAPTOP-HADFF4IQ:~$ dig google.com @172.24.20.205
; <<>> DiG 9.16.1-Ubuntu <<>> google.com @172.24.20.205
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37839
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 50 IN A 172.217.31.142
;; Query time: 789 msec
;; SERVER: 172.24.20.205#53(172.24.20.205)
;; WHEN: Wed Jul 26 14:12:44 JST 2023
;; MSG SIZE rcvd: 55
Authoritative DNS check
shoma@LAPTOP-HADFF4IQ:~$ dig www.tmcit.sho @172.24.20.205
; <<>> DiG 9.16.1-Ubuntu <<>> www.tmcit.sho @172.24.20.205
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14204
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.tmcit.sho. IN A
;; ANSWER SECTION:
www.tmcit.sho. 3600 IN A 172.24.20.25
;; Query time: 19 msec
;; SERVER: 172.24.20.205#53(172.24.20.205)
;; WHEN: Wed Jul 26 14:03:43 JST 2023
;; MSG SIZE rcvd: 58