红帽全球峰会第 2 章 Setting up an unbound DNS server
The unbound DNS server is a validating, recursive, and caching DNS resolver. Additionally, unbound focuses on security and has, for example, Domain Name System Security Extensions (DNSSEC) enabled by default.
2.1. Configuring Unbound as a caching DNS server
By default, the unbound DNS service resolves and caches successful and failed lookups. The service then answers requests to the same records from its cache.
Procedure
Install the
unboundpackage:# dnf install unboundEdit the
/etc/unbound/unbound.conffile, and make the following changes in theserverclause:Add
interfaceparameters to configure on which IP addresses theunboundservice listens for queries, for example:interface: 127.0.0.1 interface: 192.0.2.1 interface: 2001:db8:1::1With these settings,
unboundonly listens on the specified IPv4 and IPv6 addresses.Limiting the interfaces to the required ones prevents clients from unauthorized networks, such as the internet, from sending queries to this DNS server.
Add
access-controlparameters to configure from which subnets clients can query the DNS service, for example:access-control: 127.0.0.0/8 allow access-control: 192.0.2.0/24 allow access-control: 2001:db8:1::/64 allow
Create private keys and certificates for remotely managing the
unboundservice:# systemctl restart unbound-keygenIf you skip this step, verifying the configuration in the next step will report the missing files. However, the
unboundservice automatically creates the files if they are missing.Verify the configuration file:
# unbound-checkconf unbound-checkconf: no errors in /etc/unbound/unbound.confUpdate the firewalld rules to allow incoming DNS traffic:
# firewall-cmd --permanent --add-service=dns # firewall-cmd --reloadEnable and start the
unboundservice:# systemctl enable --now unbound
Verification
Query the
unboundDNS server listening on thelocalhostinterface to resolve a domain:# dig @localhost www.example.com ... www.example.com. 86400 IN A 198.51.100.34 ;; Query time: 330 msec ...After querying a record for the first time,
unboundadds the entry to its cache.Repeat the previous query:
# dig @localhost www.example.com ... www.example.com. 85332 IN A 198.51.100.34 ;; Query time: 1 msec ...Because of the cached entry, further requests for the same record are significantly faster until the entry expires.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}