Chapter 3. Setting up an unbound DNS server
To validate, resolve, and cache DNS queries, configure the unbound DNS service. Additionally, unbound enhances security and has Domain Name System Security Extensions (DNSSEC) enabled by default.
3.1. Configuring Unbound as a caching DNS server
To resolve and cache successful and failed lookups, and to answer requests for the same records from its cache, configure the unbound DNS service.
Prerequisites
- You have administrative privileges.
Procedure
1. Install the unbound package:

       # dnf install unbound

2. Edit the /etc/unbound/unbound.conf file, and make the following changes in the server clause:

   - Add interface parameters to configure on which IP addresses the unbound service listens for queries, for example:

         interface: 127.0.0.1
         interface: 192.0.2.1
         interface: 2001:db8:1::1

     With these settings, unbound only listens on the specified IPv4 and IPv6 addresses.

     Limiting the interfaces to the required ones prevents clients from unauthorized networks, such as the internet, from sending queries to this DNS server.

   - Add access-control parameters to configure from which subnets clients can query the DNS service, for example:

         access-control: 127.0.0.0/8 allow
         access-control: 192.0.2.0/24 allow
         access-control: 2001:db8:1::/64 allow

3. Create private keys and certificates for remotely managing the unbound service:

       # systemctl restart unbound-keygen

   Note: If you skip this step, verifying the configuration in the next step will report the missing files. However, the unbound service automatically creates the files if they are missing.

4. Verify the configuration file:

       # unbound-checkconf
       unbound-checkconf: no errors in /etc/unbound/unbound.conf

5. Update the firewalld rules to allow incoming DNS traffic:

       # firewall-cmd --permanent --add-service=dns
       # firewall-cmd --reload

6. Enable and start the unbound service:

       # systemctl enable --now unbound
Verification
1. Query the unbound DNS server listening on the localhost interface to resolve a domain:

       # dig @localhost www.example.com
       ...
       www.example.com.    86400    IN    A    198.51.100.34

       ;; Query time: 330 msec
       ...

   After querying a record for the first time, unbound adds the entry to its cache.

2. Repeat the last query:

       # dig @localhost www.example.com
       ...
       www.example.com.    85332    IN    A    198.51.100.34

       ;; Query time: 1 msec
       ...

   Because of the cached entry, further requests for the same record are significantly faster until the entry expires.

For details, see the unbound.conf(5) man page on your system.
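The following added example (not part of the original documentation) audits the interface and access-control settings from the procedure: it flags wildcard listeners and allow rules that cover every address, and reports which action a given client would receive. It relies on the rule from unbound.conf(5) that the most specific matching netblock is used and that clients matching no rule are refused. The function names and the sample configuration, including its over-broad last rule, are constructed for illustration.

```python
import ipaddress

# Constructed sample: the page's example settings plus one over-broad rule.
SAMPLE_CONF = """\
server:
    interface: 127.0.0.1
    interface: 192.0.2.1
    interface: 2001:db8:1::1
    access-control: 127.0.0.0/8 allow
    access-control: 192.0.2.0/24 allow
    access-control: 2001:db8:1::/64 allow
    access-control: 0.0.0.0/0 allow   # constructed mistake: open resolver
"""

def parse(conf_text):
    """Return (interfaces, rules) from interface: and access-control: lines."""
    interfaces, rules = [], []
    for line in conf_text.splitlines():
        key, _, value = line.split("#", 1)[0].strip().partition(":")
        parts = value.split()
        if key == "interface" and parts:
            interfaces.append(parts[0].split("@")[0])  # drop optional @port
        elif key == "access-control" and len(parts) >= 2:
            rules.append((ipaddress.ip_network(parts[0], strict=False), parts[1]))
    return interfaces, rules

def findings(interfaces, rules):
    """List settings that expose the resolver beyond the required networks."""
    out = []
    for addr in interfaces:
        try:
            if ipaddress.ip_address(addr).is_unspecified:
                out.append(f"interface {addr} listens on all addresses")
        except ValueError:
            pass  # not an IP literal (for example an interface name); skipped
    for net, action in rules:
        if action.startswith("allow") and net.prefixlen == 0:
            out.append(f"access-control {net} {action} admits every client")
    return out

def decide(rules, client):
    """Action for a client: most specific matching netblock, else refuse."""
    ip = ipaddress.ip_address(client)
    hits = [(n.prefixlen, a) for n, a in rules if n.version == ip.version and ip in n]
    return max(hits)[1] if hits else "refuse"

if __name__ == "__main__":
    ifaces, acl = parse(SAMPLE_CONF)
    print(findings(ifaces, acl), decide(acl, "198.51.100.7"))
```

To audit a live system, pass the contents of /etc/unbound/unbound.conf to parse() instead of the sample; files pulled in through include: directives are not followed by this example.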