客服微信
作者:泡杯长岛冰茶
1. 配置网络为静态
nmcli connection modify static-ens192 ipv4.dns 172.16.50.194 ipv4.address 172.16.50.194/24 ipv4.gateway 172.16.50.1 autoconnect yes nmcli connect reload;nmcli connection up static-ens192;
1.1. 客户端DNS配置
(本篇文章环境;服务端与客户端在同一台)
[root@localhost ~]# cat /etc/resolv.conf # Generated by NetworkManager nameserver 172.16.50.194
2.关闭防火墙与selinux
Systemc disable firewalld –now sed -i s/^SELINUX=enforcing/SELINUX=disabled/ /etc/selinux/config setenforce 0
3.配置本地yum源
3.1 挂载系统镜像文件
# mount /dev/sr0 /mnt
3.2 配置yum文件
# cat /etc/yum.repos.d/local_baseos.repo [local_BaseOS] name=local_baseOS baseurl=file:///mnt/BaseOS gpgcheck=0 [local_AppStream] name=local_AppStream baseurl=file:///mnt/AppStream gpgcheck=0
3.3 检查yum是否配置成功
yum clean all; yum repolist;
4. 安装配置unbound软件
yum install -y unbound.x86_64
4.1.查看unbound软件安装的位置
[root@localhost ~]# rpm -qc unbound /etc/sysconfig/unbound /etc/unbound/conf.d/example.com.conf /etc/unbound/keys.d/example.com.key /etc/unbound/local.d/block-example.com.conf /etc/unbound/unbound.conf
4.2.修配置文件
vim /etc/unbound/unbound.conf 48: interface: 0.0.0.0 254: access-control: 0.0.0.0/0 allow 520: domain-insecure: "com." 868:forward-zone: 869: name: "." 870: forward-addr: 114.114.114.114
interface 表示监听的IP,4个0表示监听本机的所有IP.
access-control 客户端访问控制(4个0,表示所有客户端都可访问
domain-insecure 信任安全域
forward-zone 如果在本DNS解析不到主机记录,下一跳到下一个DNS
name: "." 转发所有的查询
forward-addr: 114.114.114.114 (本文下一跳指向114.114.114.114)
4.2.1 也可以在 /etc/unbound/conf.d/目录创建自定义配置文件
- /etc/unbound/local.d/ 定义主配置信息
-/etc/unbound/conf.d/ 定义主机资源信息
[root@localhost local.d]# cat /etc/unbound/conf.d/yunbee.com.conf server: domain-insecure: "com." domain-insecure: "net." domain-insecure: "org." forward-zone: name: "." forward-addr: 114.114.114.114
4.3.检查语法是否有问题
[root@localhost ~]# unbound-checkconf unbound-checkconf: no errors in /etc/unbound/unbound.conf
4.4.生成私有的证书
[root@localhost ~]# unbound-control-setup setup in directory /etc/unbound unbound_server.key exists unbound_control.key exists create unbound_server.pem (self signed certificate) create unbound_control.pem (signed client certificate) Signature ok subject=CN = unbound-control Getting CA Private Key Setup success. Certificates created. Enable in unbound.conf file to use
4.5. 启动unbound并开机自启动
[root@localhost ~]# systemctl enable unbound --now
4.6.查看端口监听状态
[root@localhost ~]# netstat -ntupl |grep :53 tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 1091/unbound udp 0 0 192.168.122.1:53 0.0.0.0:* 1959/dnsmasq udp 0 0 0.0.0.0:53 0.0.0.0:* 1091/unbound udp 0 0 0.0.0.0:53 0.0.0.0:* 1091/unbound udp 0 0 0.0.0.0:53 0.0.0.0:* 1091/unbound udp 0 0 0.0.0.0:53 0.0.0.0:* 1091/unbound
注意: 这里可以看到里面多了一条192.168.122.1 IP,这个IP是虚拟网桥的IP,如果你的服务器无法启动unbound服务,必需禁用这个IP。udp 0 0 192.168.122.1:53 0.0.0.0:*
[root@localhost ~]# ip a s virbr0 virbr0: mtu 1500 qdisc noqueue state DOWN group default qlen 1000 link/ether 52:54:00:f3:16:9d brd ff:ff:ff:ff:ff:ff inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0 valid_lft forever preferred_lft forever
下面是关闭网桥的命令
[root@localhost ~]# ifconfig virbr0 down;nmcli device disconnect virbr0;
4.7. 检查外网能解析
[root@localhost ~]# dig www.baidu.com ; <<>> DiG 9.11.26-RedHat-9.11.26-3.el8 <<>> www.baidu.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60041 ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.baidu.com. IN A ;; ANSWER SECTION: www.baidu.com. 1200 IN CNAME www.a.shifen.com. www.a.shifen.com. 300 IN A 112.80.248.76 www.a.shifen.com. 300 IN A 112.80.248.75 ;; Query time: 815 msec ;; SERVER: 172.16.50.194#53(172.16.50.194) ;; WHEN: Mon Aug 30 19:59:38 CST 2021 ;; MSG SIZE rcvd: 101
4.8. 查看是否创建缓存
[root@localhost ~]# unbound-control dump_cache |grep www.baidu.com www.baidu.com. 1192 IN CNAME www.a.shifen.com. msg www.baidu.com. IN A 32896 1 293 3 2 1 5 www.baidu.com. IN CNAME 0
4.9. 清理zone缓存
unbound-control flush_zone baidu.com
4.10. 添加一个主机资源记录
注意:上文中可以看到 'www.baidu.com' 解析出来的地址是 112.80.248.76,清除缓存之后,下文添加www.baidu.com 主机记录为10.10.10.10,检查它的解析是否会改变,如果改变为10.10.10.10说明成功
vim /etc/unbound/unbound.conf #interface: 0.0.0.0 ########下面记录必需在配置文件server关键字下 local-data: "www.baidu.com. 10800 IN A 10.10.10.10" ##正向解析 local-data-ptr: "10.10.10.10 www.baidu.com" ##反向解析
4.10.1 也可在 /etc/unbound/local.d/定义一个配置文件把主机记录添加进去
[root@localhost local.d]# readlink -f yunbee.com.conf /etc/unbound/local.d/yunbee.com.conf [root@localhost local.d]# ls -l -rw-r--r--. 1 root unbound 359 Dec 2 2020 block-example.com.conf -rw-r--r--. 1 root unbound 410 Sep 1 21:36 yunbee.com.conf [root@localhost local.d]# cat /etc/unbound/local.d/yunbee.com.conf local-data: "www.baidu.com. 3600 IN A 10.10.10.10" local-data-ptr: "10.10.10.10 www.baidu.com"
4.11. 查看添加的主机解析状态
[root@localhost ~]# nslookup www.baidu.com Server: 172.16.50.194 Address: 172.16.50.194#53 Name: www.baidu.com Address: 10.10.10.10
4.12 unbound搭建权威域名服务器(不推荐unbound搭建权威域名服务器)
a)定义一个访问控制文件在/etc/unbound/conf.d/目录
[root@localhost local.d]# readlink -f ../conf.d/yunbee.com.conf /etc/unbound/conf.d/yunbee.com.conf [root@localhost local.d]# cat /etc/unbound/conf.d/yunbee.com.conf server: domain-insecure: "com." domain-insecure: "net." domain-insecure: "org." forward-zone: name: "." forward-addr: 114.114.114.114
b) 定义一个zone文件在/etc/unbound/conf.d/目录
[root@localhost local.d]# readlink -f yunbee.com.conf /etc/unbound/local.d/yunbee.com.conf [root@localhost local.d]# cat yunbee.com.conf local-zone: "yunbee.com." static local-data: "yunbee.com. 10800 IN NS yunbee.com." local-data: "yunbee.com. 10800 IN SOA yunbee.com. root.yunbee.com. 1 3600 1200 604800 10800" local-data: "ns.yunbee.com. 3600 IN A 172.16.50.194" local-data: "www.baidu.com. 3600 IN A 10.10.10.10" local-data: "www1.baidu.com. 3600 IN A 10.10.10.11" local-data: "www.qq.com. 3600 IN A 127.254.254.254"
dns小技巧,假设管理员想禁止某些员工在线看小电影,这里就可以做一条解析,把小电影的网址指向环回地址127.254.254.254,例如你想禁止公司员工访问www.baidu.com 就可添加下面这一条 ,注意的是IP还是能访问的.
local-data: "www.baidu.com. 10800 IN A 127.254.254.254"
本篇完