
Installing Unbound on CentOS 6.x

Posted at 2015-12-18

Install Unbound, a caching DNS server, on CentOS 6.x.

https://www.unbound.net/index.html
http://www.slideshare.net/hdais/nsd-unboundintro

Building the RPM

This is done on a separate host from the server on which Unbound will be installed.

Installing dependency packages

[root@dev-host-1 src]# yum install rpm-build openssl-devel expat-devel libevent-devel epel-release ldns-devel

Building the RPM

Prepare the source tarball and the SPEC file.
Note: if an older version is acceptable, Unbound can also be installed from EPEL.

Download the latest source tarball from the page below.
Note: the commands here use 1.5.4, so adjust the version accordingly.
https://www.unbound.net/download.html

[root@dev-host-1 ~]# cd /usr/local/src/
[root@dev-host-1 src]# wget https://www.unbound.net/downloads/unbound-1.5.4.tar.gz
[root@dev-host-1 src]# mkdir -p /root/rpmbuild/SOURCES/
[root@dev-host-1 src]# cp unbound-1.5.4.tar.gz /root/rpmbuild/SOURCES/
[root@dev-host-1 src]# tar xzf unbound-1.5.4.tar.gz
[root@dev-host-1 src]# chown -R root. /usr/local/src/unbound-1.5.4
[root@dev-host-1 src]# sed -i -E 's/^Version:.*/Version: 1.5.4/' unbound-1.5.4/contrib/unbound.spec
[root@dev-host-1 src]# sed -i -E 's/^%configure (.*)/& --with-libevent/' unbound-1.5.4/contrib/unbound.spec

Build the RPM.

[root@dev-host-1 src]# rpmbuild -ba /usr/local/src/unbound-1.5.4/contrib/unbound.spec
書き込み完了: /root/rpmbuild/SRPMS/unbound-1.5.4-1.el6.src.rpm
書き込み完了: /root/rpmbuild/RPMS/x86_64/unbound-1.5.4-1.el6.x86_64.rpm
書き込み完了: /root/rpmbuild/RPMS/x86_64/unbound-debuginfo-1.5.4-1.el6.x86_64.rpm

Installation

Install on the host that will become the Unbound server.

Installing dependency packages

[root@dev-host-2 src]# yum install libevent epel-release ldns

Installing Unbound

[root@dev-host-2 src]# rpm -ivh unbound-1.5.4-1.el6.x86_64.rpm
[root@dev-host-2 src]# unbound -h
usage:  unbound [options]
  start unbound daemon DNS resolver.
-h  this help
-c file config file to read instead of /var/unbound/unbound.conf
  file format is described in unbound.conf(5).
-d  do not fork into the background.
-v  verbose (more times to increase verbosity)
Version 1.5.4
linked libs: libevent 1.4.13-stable (it uses epoll), OpenSSL 1.0.1e-fips 11 Feb 2013
linked modules: dns64 validator iterator
BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl

Note: if an older version is acceptable, Unbound can also be installed from EPEL.

# yum info unbound | grep " :"
Repository 'treasure-data' is missing name in configuration, using id
Name        : unbound
Arch        : x86_64
Version     : 1.5.1
Release     : 1.el6
Size        : 1.2 M
Repo        : epel
Summary     : Validating, recursive, and caching DNS(SEC) resolver
URL         : http://www.nlnetlabs.nl/unbound/
License     : BSD
Description : Unbound is a validating, recursive, and caching DNS(SEC) resolver.
            :
            : The C implementation of Unbound is developed and maintained by
            : NLnet Labs. It is based on ideas and algorithms taken from a java
            : prototype developed by Verisign labs, Nominet, Kirei and ep.net.
            :
            : Unbound is designed as a set of modular components, so that also
            : DNSSEC (secure DNS) validation and stub-resolvers (that do not run
            : as a server, but are linked into an application) are easily
            : possible.

Configuring Unbound

Access control

Adjust these settings to match your environment.

/var/unbound/unbound.conf
-   # interface: 192.0.2.153
+   interface: 0.0.0.0

-   # access-control: 127.0.0.0/8 allow
+   access-control: 127.0.0.1 allow
+   access-control: 192.168.0.0/16 allow
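The two settings above decide who may use the resolver: interface: 0.0.0.0 listens on every address, and the access-control rules are the only thing standing between that listener and an open resolver. The following is an added example (not code from the post or from the Unbound project) that models how Unbound picks the rule for a client (the most specific netblock wins) and flags a wildcard listener combined with an allow-everything rule. The conf fragment is constructed to mirror the post's settings plus one extra refuse rule; treating addresses that match no rule as refused is an assumption taken from the documented default in unbound.conf(5).

```python
"""Added example: evaluate Unbound access-control rules for a client address
(longest matching prefix wins) and spot an open-resolver configuration.
Not part of the original post; the conf fragment below is constructed."""
import ipaddress
import re

# Constructed unbound.conf fragment mirroring the post, plus one narrower rule.
SAMPLE_CONF = """\
server:
    interface: 0.0.0.0
    access-control: 127.0.0.1 allow
    access-control: 192.168.0.0/16 allow
    access-control: 192.168.99.0/24 refuse
"""

# Assumption (unbound.conf(5) default): addresses matching no rule are refused.
DEFAULT_ACTION = "refuse"

_RULE_RE = re.compile(r"^\s*access-control:\s*(\S+)\s+(\S+)\s*$")
_IFACE_RE = re.compile(r"^\s*interface:\s*(\S+)\s*$")


def parse_conf(text):
    """Return (interfaces, rules); rules is a list of (ip_network, action)."""
    interfaces, rules = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # commented-out lines are inactive
        m = _IFACE_RE.match(line)
        if m:
            interfaces.append(m.group(1))
            continue
        m = _RULE_RE.match(line)
        if m:
            net = ipaddress.ip_network(m.group(1), strict=False)  # bare IP -> /32
            rules.append((net, m.group(2)))
    return interfaces, rules


def action_for(client, rules):
    """Pick the action of the most specific matching netblock, as Unbound does."""
    addr = ipaddress.ip_address(client)
    best = None
    for net, action in rules:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    return best[1] if best else DEFAULT_ACTION


def is_open_resolver(interfaces, rules):
    """True when a wildcard listener is paired with an allow rule for everything."""
    wildcard = any(i in ("0.0.0.0", "::", "::0") for i in interfaces)
    allow_all = any(net.prefixlen == 0 and action.startswith("allow")
                    for net, action in rules)
    return wildcard and allow_all


if __name__ == "__main__":
    ifaces, acl = parse_conf(SAMPLE_CONF)
    for ip in ("127.0.0.1", "192.168.1.10", "192.168.99.5", "10.0.0.1"):
        print(ip, "->", action_for(ip, acl))
    print("open resolver:", is_open_resolver(ifaces, acl))
```

With the post's rules a client on 10.0.0.0/8 gets REFUSED, which is what you want on a wildcard listener; the check only fires if someone later adds access-control: 0.0.0.0/0 allow.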

Remote control

Generate the TLS key files.

[root@dev-host-2 src]# sudo -u unbound unbound-control-setup
setup in directory /var/unbound
generating unbound_server.key
Generating RSA private key, 3072 bit long modulus
.............................................................++
.....................................++
e is 65537 (0x10001)
generating unbound_control.key
Generating RSA private key, 3072 bit long modulus
........................++
........................++
e is 65537 (0x10001)
create unbound_server.pem (self signed certificate)
create unbound_control.pem (signed client certificate)
Signature ok
subject=/CN=unbound-control
Getting CA Private Key
Setup success. Certificates created. Enable in unbound.conf file to use
/var/unbound/unbound.conf
-   # control-enable: no
+   control-enable: yes

Randomness Calculation

/var/unbound/unbound.conf
-   use-caps-for-id: no
+   use-caps-for-id: yes
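use-caps-for-id turns on 0x20 encoding: Unbound randomises the letter case of each query name it sends to authoritative servers and accepts an answer only if the echoed question name matches case-exactly, which adds one bit of entropy per letter on top of the transaction ID and source port that an off-path spoofer must guess. The block below is an added example (not the post's or Unbound's code) showing the encoding and the acceptance check; the classify_echo labels are my own, and the note that Unbound has a fallback for servers that do not preserve case reflects the man page's description of the feature as experimental.

```python
"""Added example: what use-caps-for-id (0x20 encoding) does to a query name
and how the reply is checked. Not part of the original post."""
import secrets


def randomize_case(qname, bit=lambda: secrets.randbits(1)):
    """Return qname with each letter's case chosen by bit() (1 = upper, 0 = lower).
    The default bit source is cryptographically random; a predictable source
    would hand the entropy straight back to a spoofer."""
    return "".join(
        (ch.upper() if bit() else ch.lower()) if ch.isalpha() else ch
        for ch in qname
    )


def added_entropy_bits(qname):
    """Letters in the name = extra bits a forger must guess beyond TXID and port."""
    return sum(1 for ch in qname if ch.isalpha())


def classify_echo(sent, echoed):
    """Compare the QNAME echoed in a response with the randomised one we sent.
    'match'       -> passes the 0x20 check, accept
    'case-folded' -> same name, case not preserved: a 0x20-unaware authority
                     rather than necessarily a forgery (Unbound has a fallback
                     path for such servers)
    'mismatch'    -> a different name entirely: drop the response
    """
    if sent == echoed:
        return "match"
    if sent.lower() == echoed.lower():
        return "case-folded"
    return "mismatch"


if __name__ == "__main__":
    sent = randomize_case("test.example.com")
    print(sent, "adds", added_entropy_bits(sent), "bits")
    print(classify_echo(sent, sent), classify_echo(sent, sent.lower()),
          classify_echo(sent, "other.example.com"))
```

Short names carry little extra entropy (a 3-letter TLD lookup adds only a few bits), which is why 0x20 is a complement to port randomisation and DNSSEC validation, not a replacement.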

Log file

[root@dev-host-2 ~]# sudo -u unbound mkdir /var/unbound/log
/var/unbound/unbound.conf
-   # logfile: ""
+   logfile: "/var/unbound/log/unbound.log"

-   # use-syslog: yes
+   use-syslog: no

Checking the configuration file

[root@dev-host-2 unbound]# unbound-checkconf
unbound-checkconf: no errors in /var/unbound/unbound.conf

Starting Unbound

Start

[root@dev-host-2 src]# service unbound start
unbound を起動中: [1440582030] unbound[3201:0] warning: IPv6 protocol not available
                                                           [  OK  ]
[root@dev-host-2 src]# service unbound status
unbound (pid  3204) を実行中...
[root@dev-host-2 src]# netstat -nltp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 127.0.0.1:53                0.0.0.0:*                   LISTEN      3204/unbound
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1678/sshd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      1827/master

Enabling automatic start

[root@dev-host-2 src]# chkconfig unbound --list
unbound         0:off   1:off   2:off   3:off   4:off   5:off   6:off
[root@dev-host-2 src]# chkconfig unbound on
[root@dev-host-2 src]# chkconfig unbound --list
unbound         0:off   1:off   2:on    3:on    4:on    5:on    6:off

Reloading the configuration file

When you want to reload after changing the configuration.

[root@dev-host-2 unbound]# service unbound reload

Verifying that connections are not dropped during reload

Sending requests at 6500 qps while reloading every second caused no problems.

Server side

[root@unbound-server ~]# for i in $(seq 1 100) ; do service unbound reload; sleep 1; done

Client side

$ cat /tmp/a.txt
test.example.com a
$ /usr/local/Cellar/dnsperf/2.0.0.0-1/bin/dnsperf -s 10.0.5.51 -l 100 -d /tmp/a.txt
DNS Performance Testing Tool
Nominum Version 2.0.0.0

[Status] Command line: dnsperf -s 10.0.5.51 -l 100 -d /tmp/a.txt
[Status] Sending queries (to 10.0.5.51)
[Status] Started at: Wed Sep  9 17:59:06 2015
[Status] Stopping after 100.000000 seconds
[Status] Testing complete (time limit)

Statistics:

  Queries sent:         658702
  Queries completed:    658702 (100.00%)
  Queries lost:         0 (0.00%)

  Response codes:       NOERROR 658702 (100.00%)
  Average packet size:  request 34, response 66
  Run time (s):         100.003844
  Queries per second:   6586.766805

  Average Latency (s):  0.015158 (min 0.000260, max 1.999668)
  Latency StdDev (s):   0.115561
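Reading a dnsperf summary by eye works once; when the reload loop above becomes a routine check it helps to turn the summary into a pass/fail. The following is an added example (not from the post or from dnsperf) that parses the Statistics block and reports anything that would indicate the resolver went away during a reload: lost queries, a completed count below sent, non-NOERROR response codes, or a latency spike. The embedded output is constructed to mirror the figures of the run above; the 2-second latency threshold is an arbitrary choice, picked because a reload that briefly stalls the resolver shows up as a latency spike before it shows up as loss.

```python
"""Added example: parse a dnsperf Statistics block and judge whether the
resolver stayed available during the reload loop. Not part of the original post."""
import re

# Constructed dnsperf summary; the figures mirror the run shown in the post.
SAMPLE_OUTPUT = """\
Statistics:

  Queries sent:         658702
  Queries completed:    658702 (100.00%)
  Queries lost:         0 (0.00%)

  Response codes:       NOERROR 658702 (100.00%)
  Average packet size:  request 34, response 66
  Run time (s):         100.003844
  Queries per second:   6586.766805

  Average Latency (s):  0.015158 (min 0.000260, max 1.999668)
  Latency StdDev (s):   0.115561
"""

_COUNT_RE = re.compile(r"^\s*Queries (sent|completed|lost):\s*(\d+)", re.M)
_LATENCY_RE = re.compile(
    r"Average Latency \(s\):\s*([\d.]+) \(min ([\d.]+), max ([\d.]+)\)")
_RCODES_RE = re.compile(r"Response codes:\s*(.+)")


def parse_dnsperf(text):
    """Extract counts, response codes and latency figures into a dict."""
    stats = {name: int(value) for name, value in _COUNT_RE.findall(text)}
    lat = _LATENCY_RE.search(text)
    stats["latency_avg"], stats["latency_min"], stats["latency_max"] = (
        float(x) for x in lat.groups())
    rc = _RCODES_RE.search(text)
    # e.g. "NOERROR 658702 (100.00%) SERVFAIL 3 (0.00%)" -> {"NOERROR": 658702, ...}
    stats["rcodes"] = {name: int(n)
                       for name, n in re.findall(r"([A-Z]+) (\d+)", rc.group(1))}
    return stats


def reload_verdict(stats, max_latency_s=2.0):
    """Return a list of problems; an empty list means the resolver stayed available."""
    problems = []
    if stats["lost"]:
        problems.append("%d queries lost" % stats["lost"])
    if stats["completed"] != stats["sent"]:
        problems.append("completed (%d) != sent (%d)" % (stats["completed"], stats["sent"]))
    bad = {k: v for k, v in stats["rcodes"].items() if k != "NOERROR"}
    if bad:
        problems.append("non-NOERROR responses: %s" % bad)
    if stats["latency_max"] > max_latency_s:
        problems.append("max latency %.3fs exceeds %.1fs"
                        % (stats["latency_max"], max_latency_s))
    return problems


if __name__ == "__main__":
    s = parse_dnsperf(SAMPLE_OUTPUT)
    print("qps sent: %d, lost: %d, max latency: %.3fs"
          % (s["sent"], s["lost"], s["latency_max"]))
    print("problems:", reload_verdict(s) or "none")
```

Pipe the dnsperf output into parse_dnsperf (for example via sys.stdin.read()) and fail the check when reload_verdict returns anything; a SERVFAIL burst during a bad reload shows up in the rcodes entry even when nothing was lost.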