Author: 泡杯长岛冰茶
1. Configure the network with a static address
1.1. Client DNS configuration
(Environment used in this article: the server and the client are the same machine.)
2. Disable the firewall and SELinux
3. Configure a local yum repository
3.1 Mount the system ISO image
3.2 Write the yum repo file
3.3 Check that yum is configured correctly
4. Install and configure unbound
4.1. Find where unbound's files were installed
4.2. Edit the configuration file
interface: the IP address to listen on; 0.0.0.0 means listen on every address of this host.
access-control: client access control; 0.0.0.0/0 allow means every client is allowed to query.
domain-insecure: marks the named domain as insecure for DNSSEC, so no chain of trust is required for answers under it.
forward-zone: if this server cannot answer a query from its own records, it forwards the query to the next-hop DNS server.
name: "." forwards all queries.
forward-addr: 114.114.114.114 (in this article the next hop is 114.114.114.114).
4.2.1 You can also create custom configuration files in the /etc/unbound/conf.d/ directory:
- /etc/unbound/local.d/: files here are included inside the server: clause, so they hold host resource records (local-data) directly; the article's host-record file below is placed here.
- /etc/unbound/conf.d/: files here are included at top level, so each carries its own server: and forward-zone: clauses; the article's forwarder file below is placed here.
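The interface and access-control directives above decide whether the server becomes an open resolver reachable by anyone who can route to it. The following shell script is an added example, not code from the article: it checks an unbound server clause for the combination interface: 0.0.0.0 plus access-control: 0.0.0.0/0 allow and prints a LAN-only replacement; the 172.16.50.0/24 prefix and the sample config are assumptions modelled on the article's addressing.

```shell
#!/bin/sh
# Added example (not from the original article): audit an unbound config
# for the open-resolver combination (interface: 0.0.0.0 together with
# access-control: 0.0.0.0/0 allow) and print a LAN-only replacement.
# The LAN prefix 172.16.50.0/24 is an assumption based on the article's
# server address 172.16.50.194.

# audit_unbound_conf FILE -> prints OPEN when the config listens on all
# addresses and allows every client, otherwise RESTRICTED.
audit_unbound_conf() {
    conf="$1"
    # drop comments first so a commented-out directive does not count
    listens_all=$(sed 's/#.*//' "$conf" \
        | grep -cE '^[[:space:]]*interface:[[:space:]]*0\.0\.0\.0' || true)
    allows_all=$(sed 's/#.*//' "$conf" \
        | grep -cE '^[[:space:]]*access-control:[[:space:]]*0\.0\.0\.0/0[[:space:]]+allow' || true)
    if [ "$listens_all" -gt 0 ] && [ "$allows_all" -gt 0 ]; then
        echo OPEN
    else
        echo RESTRICTED
    fi
}

# lan_only_access_control PREFIX -> prints an access-control block that
# refuses the world and allows only localhost and the given LAN prefix.
lan_only_access_control() {
    lan="$1"
    printf '    access-control: 0.0.0.0/0 refuse\n'
    printf '    access-control: 127.0.0.0/8 allow\n'
    printf '    access-control: %s allow\n' "$lan"
}

# Constructed sample config mirroring the article's edits (not a file
# taken from the page).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow
    domain-insecure: "com."
forward-zone:
    name: "."
    forward-addr: 114.114.114.114
EOF

audit_unbound_conf "$SAMPLE_CONF"        # prints OPEN
lan_only_access_control 172.16.50.0/24   # replacement lines for the server: clause
```

After replacing the allow line in /etc/unbound/unbound.conf, run unbound-checkconf and restart unbound as in step 4.5.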
4.3. Check the configuration syntax
4.4. Generate the private keys and certificates for unbound-control
4.5. Start unbound and enable it at boot
4.6. Check the listening ports
Note: an extra entry for 192.168.122.1 appears in the listing. That IP belongs to the virtual bridge (virbr0, where dnsmasq is listening on port 53). If unbound will not start on your server, you must disable that IP:
udp 0 0 192.168.122.1:53 0.0.0.0:*
The command to bring the bridge down follows.
4.7. Check that external names resolve
4.8. Check that the cache was populated
4.9. Flush the zone cache
4.10. Add a host resource record
Note: above, www.baidu.com resolved to 112.80.248.76. After flushing the cache, we add a host record mapping www.baidu.com to 10.10.10.10 and check whether the answer changes; if it now returns 10.10.10.10, the record works.
4.10.1 Alternatively, define a configuration file in /etc/unbound/local.d/ and put the host records there.
4.11. Check that the added host record resolves
4.12 Using unbound as an authoritative name server (not recommended)
a) Define an access-control file in the /etc/unbound/conf.d/ directory
b) Define a zone file (the example below places it in /etc/unbound/local.d/)
DNS trick: suppose an administrator wants to stop some employees from watching videos online. Add a record that points the video site's hostname at the loopback address 127.254.254.254. For example, to block www.baidu.com for company employees, add the record below. Note that the site can still be reached directly by IP address.
End of article.
# ipv4.method manual makes the address static instead of DHCP-assigned
nmcli connection modify static-ens192 ipv4.method manual ipv4.addresses 172.16.50.194/24 ipv4.gateway 172.16.50.1 ipv4.dns 172.16.50.194 autoconnect yes
nmcli connection reload; nmcli connection up static-ens192
[root@localhost ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 172.16.50.194
systemctl disable firewalld --now
sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
setenforce 0
# mount /dev/sr0 /mnt
# cat /etc/yum.repos.d/local_baseos.repo
[local_BaseOS]
name=local_baseOS
baseurl=file:///mnt/BaseOS
gpgcheck=0
[local_AppStream]
name=local_AppStream
baseurl=file:///mnt/AppStream
gpgcheck=0
yum clean all; yum repolist;
yum install -y unbound.x86_64
[root@localhost ~]# rpm -qc unbound
/etc/sysconfig/unbound
/etc/unbound/conf.d/example.com.conf
/etc/unbound/keys.d/example.com.key
/etc/unbound/local.d/block-example.com.conf
/etc/unbound/unbound.conf
vim /etc/unbound/unbound.conf
# inside the server: clause
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow
    domain-insecure: "com."
# top-level clause, after the server: clause
forward-zone:
    name: "."
    forward-addr: 114.114.114.114
[root@localhost local.d]# cat /etc/unbound/conf.d/yunbee.com.conf
server:
    domain-insecure: "com."
    domain-insecure: "net."
    domain-insecure: "org."
forward-zone:
    name: "."
    forward-addr: 114.114.114.114
[root@localhost ~]# unbound-checkconf
unbound-checkconf: no errors in /etc/unbound/unbound.conf
[root@localhost ~]# unbound-control-setup
setup in directory /etc/unbound
unbound_server.key exists
unbound_control.key exists
create unbound_server.pem (self signed certificate)
create unbound_control.pem (signed client certificate)
Signature ok
subject=CN = unbound-control
Getting CA Private Key
Setup success. Certificates created. Enable in unbound.conf file to use
[root@localhost ~]# systemctl enable unbound --now
[root@localhost ~]# netstat -ntupl |grep :53
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 1091/unbound
udp 0 0 192.168.122.1:53 0.0.0.0:* 1959/dnsmasq
udp 0 0 0.0.0.0:53 0.0.0.0:* 1091/unbound
udp 0 0 0.0.0.0:53 0.0.0.0:* 1091/unbound
udp 0 0 0.0.0.0:53 0.0.0.0:* 1091/unbound
udp 0 0 0.0.0.0:53 0.0.0.0:* 1091/unbound
[root@localhost ~]# ip a s virbr0
virbr0: mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 52:54:00:f3:16:9d brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
[root@localhost ~]# ifconfig virbr0 down;nmcli device disconnect virbr0;
[root@localhost ~]# dig www.baidu.com
; <<>> DiG 9.11.26-RedHat-9.11.26-3.el8 <<>> www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60041
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com. IN A
;; ANSWER SECTION:
www.baidu.com. 1200 IN CNAME www.a.shifen.com.
www.a.shifen.com. 300 IN A 112.80.248.76
www.a.shifen.com. 300 IN A 112.80.248.75
;; Query time: 815 msec
;; SERVER: 172.16.50.194#53(172.16.50.194)
;; WHEN: Mon Aug 30 19:59:38 CST 2021
;; MSG SIZE rcvd: 101
[root@localhost ~]# unbound-control dump_cache |grep www.baidu.com
www.baidu.com. 1192 IN CNAME www.a.shifen.com.
msg www.baidu.com. IN A 32896 1 293 3 2 1 5
www.baidu.com. IN CNAME 0
unbound-control flush_zone baidu.com
vim /etc/unbound/unbound.conf
    interface: 0.0.0.0      # existing line; the records below must go under the server: keyword as well
    local-data: "www.baidu.com. 10800 IN A 10.10.10.10"    # forward record
    local-data-ptr: "10.10.10.10 www.baidu.com"            # reverse record
[root@localhost local.d]# readlink -f yunbee.com.conf
/etc/unbound/local.d/yunbee.com.conf
[root@localhost local.d]# ls -l
-rw-r--r--. 1 root unbound 359 Dec 2 2020 block-example.com.conf
-rw-r--r--. 1 root unbound 410 Sep 1 21:36 yunbee.com.conf
[root@localhost local.d]# cat /etc/unbound/local.d/yunbee.com.conf
local-data: "www.baidu.com. 3600 IN A 10.10.10.10"
local-data-ptr: "10.10.10.10 www.baidu.com"
[root@localhost ~]# nslookup www.baidu.com
Server: 172.16.50.194
Address: 172.16.50.194#53
Name: www.baidu.com
Address: 10.10.10.10
[root@localhost local.d]# readlink -f ../conf.d/yunbee.com.conf
/etc/unbound/conf.d/yunbee.com.conf
[root@localhost local.d]# cat /etc/unbound/conf.d/yunbee.com.conf
server:
    domain-insecure: "com."
    domain-insecure: "net."
    domain-insecure: "org."
forward-zone:
    name: "."
    forward-addr: 114.114.114.114
[root@localhost local.d]# readlink -f yunbee.com.conf
/etc/unbound/local.d/yunbee.com.conf
[root@localhost local.d]# cat yunbee.com.conf
local-zone: "yunbee.com." static
local-data: "yunbee.com. 10800 IN NS yunbee.com."
local-data: "yunbee.com. 10800 IN SOA yunbee.com. root.yunbee.com. 1 3600 1200 604800 10800"
local-data: "ns.yunbee.com. 3600 IN A 172.16.50.194"
local-data: "www.baidu.com. 3600 IN A 10.10.10.10"
local-data: "www1.baidu.com. 3600 IN A 10.10.10.11"
local-data: "www.qq.com. 3600 IN A 127.254.254.254"
local-data: "www.baidu.com. 10800 IN A 127.254.254.254"
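The zone file above sinkholes names one at a time with a local-data record each. As an added example (not the author's code), the script below generates such a local.d file from a hostname list and, going beyond the article, pairs each name with a redirect local-zone so that every subdomain of the name is caught as well; the hostnames and the 127.254.254.254 sinkhole address follow the article, while the temporary file name is constructed.

```shell
#!/bin/sh
# Added example, not from the original article: build a local.d sinkhole
# file in the style of the zone file above. A "redirect" local-zone answers
# the zone name and everything below it from the zone's local-data, so
# video.example.com also covers cdn.video.example.com without listing it.
SINKHOLE_IP=127.254.254.254   # loopback address used by the article

# sinkhole_records NAME... -> prints unbound local-zone/local-data lines,
# two per name, with names lower-cased and any trailing dot normalised.
sinkhole_records() {
    for name in "$@"; do
        n=$(printf '%s' "$name" | tr 'A-Z' 'a-z' | sed 's/\.$//')
        printf 'local-zone: "%s." redirect\n' "$n"
        printf 'local-data: "%s. 3600 IN A %s"\n' "$n" "$SINKHOLE_IP"
    done
}

# write_sinkhole_file FILE NAME... -> writes the records to FILE.
# On the real server FILE would be /etc/unbound/local.d/sinkhole.conf
# (constructed name); it is picked up by the server: clause include.
write_sinkhole_file() {
    out="$1"; shift
    sinkhole_records "$@" > "$out"
}

# Constructed hostname list for the demonstration (two names, mixed case
# and a trailing dot on purpose).
TMP_LOCAL_D=$(mktemp)
write_sinkhole_file "$TMP_LOCAL_D" www.qq.com Video.Example.COM.
cat "$TMP_LOCAL_D"
# Deploy: copy into /etc/unbound/local.d/, then run unbound-checkconf and
# unbound-control reload, and verify with: dig +short video.example.com
```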