侧边栏壁纸
博主头像
liveJQ博主等级

沒有乐趣,何来开始

  • 累计撰写 171 篇文章
  • 累计创建 67 个标签
  • 累计收到 2 条评论

Unbound 实现域名分流

liveJQ
2022-08-25 / 0 评论 / 0 点赞 / 1,290 阅读 / 7,555 字

环境:Ubuntu 20.04.1 LTS

编译安装

下载最新源码包

wget https://nlnetlabs.nl/downloads/unbound/unbound-latest.tar.gz && tar xzf unbound-latest.tar.gz

安装依赖

apt update -y && apt install -y build-essential libssl-dev libexpat1-dev && apt-get install -y bison flex 

开始预编译

root@livejq:~/unbound-1.16.2# ./configure
...
...
configure: creating ./config.status
config.status: creating Makefile
config.status: creating doc/example.conf
config.status: creating doc/libunbound.3
config.status: creating doc/unbound.8
config.status: creating doc/unbound-anchor.8
config.status: creating doc/unbound-checkconf.8
config.status: creating doc/unbound.conf.5
config.status: creating doc/unbound-control.8
config.status: creating doc/unbound-host.1
config.status: creating smallapp/unbound-control-setup.sh
config.status: creating dnstap/dnstap_config.h
config.status: creating dnscrypt/dnscrypt_config.h
config.status: creating contrib/libunbound.pc
config.status: creating contrib/unbound.socket
config.status: creating contrib/unbound.service
config.status: creating contrib/unbound_portable.service
config.status: creating config.h
config.status: executing libtool commands

执行编译和安装

root@livejq:~/unbound-1.16.2# make && make install
...
...
See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
/bin/bash ./install-sh -m 755 -d /usr/local/sbin
/bin/bash ./install-sh -m 755 -d /usr/local/share/man
/bin/bash ./install-sh -m 755 -d /usr/local/share/man/man8
/bin/bash ./install-sh -m 755 -d /usr/local/share/man/man5
/bin/bash ./install-sh -m 755 -d /usr/local/share/man/man1
./libtool --mode=install cp -f unbound /usr/local/sbin/unbound
libtool: install: cp -f unbound /usr/local/sbin/unbound
./libtool --mode=install cp -f unbound-checkconf /usr/local/sbin/unbound-checkconf
libtool: install: cp -f unbound-checkconf /usr/local/sbin/unbound-checkconf
./libtool --mode=install cp -f unbound-control /usr/local/sbin/unbound-control
libtool: install: cp -f unbound-control /usr/local/sbin/unbound-control
./libtool --mode=install cp -f unbound-host /usr/local/sbin/unbound-host
libtool: install: cp -f .libs/unbound-host /usr/local/sbin/unbound-host
./libtool --mode=install cp -f unbound-anchor /usr/local/sbin/unbound-anchor
libtool: install: cp -f .libs/unbound-anchor /usr/local/sbin/unbound-anchor
/bin/bash ./install-sh -c -m 644 doc/unbound.8 /usr/local/share/man/man8
/bin/bash ./install-sh -c -m 644 doc/unbound-checkconf.8 /usr/local/share/man/man8
/bin/bash ./install-sh -c -m 644 doc/unbound-control.8 /usr/local/share/man/man8
/bin/bash ./install-sh -c -m 644 doc/unbound-control.8 /usr/local/share/man/man8/unbound-control-setup.8
/bin/bash ./install-sh -c -m 644 doc/unbound-anchor.8 /usr/local/share/man/man8
/bin/bash ./install-sh -c -m 644 doc/unbound.conf.5 /usr/local/share/man/man5
/bin/bash ./install-sh -c -m 644 doc/unbound-host.1 /usr/local/share/man/man1
/bin/bash ./install-sh -c -m 755 unbound-control-setup /usr/local/sbin/unbound-control-setup
if test ! -e /usr/local/etc/unbound/unbound.conf; then /bin/bash ./install-sh -d `dirname /usr/local/etc/unbound/unbound.conf`; /bin/bash ./install-sh -c -m 644 doc/example.conf /usr/local/etc/unbound/unbound.conf; fi 

基本配置

server:
		# 默认,详细日志输出
		verbosity: 1
		interface: 192.168.88.8
		# 监听 IPv4 的 UDP 和 TCP 的 53 端口
		port: 53
		do-ip4: yes
		do-ip6: no
		do-udp: yes
		do-tcp: yes
		# 默认,当运行起来后会删除此用户的权限
		username: "unbound"
		# 默认,上下文目录,相对路径会以此为依据
		directory: "/usr/local/etc/unbound"
		# 允许任何地址的请求
		access-control: 0.0.0.0/0 allow
		# DNS 子缓存,特定 DNS 查询的响应
		msg-cache-size: 25m
		# DNS 子缓存,资源记录集数据,可直接从缓存中生成响应
		# 建议 msg 和 rrset 的缓存为 1:10
		rrset-cache-size: 250m
		# 默认,向上游DNS发送的报文中尽可能包含更少的信息,保护隐私
		qname-minimisation: yes
		# 不记录到系统日志
		use-syslog: no
		# 日志时间戳使用 UTC,默认为秒
		log-time-ascii: yes
		# 统计非正常返回的结果,达到阈值后会触发保护机制并将缓存数据清空
		unwanted-reply-threshold: 10000000
		# 接近过期的缓存信息也可以拿来用
		prefetch: yes
# 配置上游 DNS
forward-zone:
		name: "."
		forward-addr: 1.1.1.1
		forward-addr: 8.8.8.8

检查配置文件

unbound-checkconf

调试运行状态

root@livejq:~# unbound -d -vv
[1662407115] unbound[111994:0] notice: Start of unbound 1.16.2.
unbound[111994:0] warning: too many file descriptors requested. The builtinmini-event cannot handle more than 1024. Config for less fds or compile with libevent
unbound[111994:0] fatal error: too much tcp. not enough fds.

出现上述错误,是因为我没有使用libevent进行编译,而又使用了如下配置导致的,注释掉就行了。

num-threads: 4
so-reuseport: yes
outgoing-num-tcp: 256
incoming-num-tcp: 1024

查看 Unbound 依赖库

root@livejq:~# ldd /usr/local/sbin/unbound
	linux-vdso.so.1 (0x00007ffd5f9b9000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f8ed1ed0000)
	libssl.so.1.1 => /lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f8ed1e3d000)
	libcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f8ed1b67000)
	libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f8ed1b44000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f8ed21d5000)
	libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f8ed1b3e000)

也可以使用 readelf -d /usr/local/sbin/unbound

设置 Remote Control

使用unbound-control-setup命令在默认目录下生成密钥

root@livejq:/usr/local/etc/unbound# ls
unbound.conf  unbound.pid
root@livejq:/usr/local/etc/unbound# unbound-control-setup
setup in directory /usr/local/etc/unbound
Generating RSA private key, 3072 bit long modulus (2 primes)
..........................++++
...................................................................................................................................................................................++++
e is 65537 (0x010001)
Generating RSA private key, 3072 bit long modulus (2 primes)
...............................................++++
......++++
e is 65537 (0x010001)
Signature ok
subject=CN = unbound-control
Getting CA Private Key
removing artifacts
Setup success. Certificates created. Enable in unbound.conf file to use
root@livejq:/usr/local/etc/unbound# ls
unbound.conf  unbound_control.key  unbound_control.pem  unbound.pid  unbound_server.key  unbound_server.pem

在配置文件上启用remote-control功能

remote-control:
		control-enable: yes
		control-interface: 127.0.0.1
		control-port: 8953

		server-key-file: "/usr/local/etc/unbound/unbound_server.key"
		server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"

		control-key-file: "/usr/local/etc/unbound/unbound_control.key"
		control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"

启动 Unbound 服务

unbound

unbound-control start

停止 Unbound 服务

unbound-control stop

重载 Unbound 配置

unbound-control reload

检查是否运行成功

root@livejq:~# unbound-control status
version: 1.16.2
verbosity: 1
threads: 1
modules: 2 [ validator iterator ]
uptime: 4240 seconds
options: reuseport control(ssl)
unbound (pid 119243) is running...

查看监听接口

root@livejq:~# netstat -tunlp | grep 53
tcp        0      0 192.168.88.8:53        0.0.0.0:*               LISTEN      119243/unbound      
tcp        0      0 127.0.0.1:8953          0.0.0.0:*               LISTEN      119243/unbound      
udp        0      0 192.168.88.8:53        0.0.0.0:*                           119243/unbound      

域名分流

在操作之前请先在服务器本地尝试用114.114.114.114和本地 Unbound 监听接口(我这里是 192.168.88.8)解析出www.apple.com的 IP 地址,之后需要作为验证使用。

git clone --depth=1 https://gitee.com/felixonmars/dnsmasq-china-list.git && cd dnsmasq-china-list/ && make unbound && mv *unbound.conf /usr/local/etc/unbound

注意:执行前确保你的 Unbound 默认配置目录为/usr/local/etc/unbound,修改默认 DNS 可使用命令make SERVER=223.6.6.6 unbound

加入到 Unbound 配置文件中,直接运行如下命令

cat << EOF >> /usr/local/etc/unbound/unbound.conf
include: "/usr/local/etc/unbound/accelerated-domains.china.unbound.conf"
include: "/usr/local/etc/unbound/google.china.unbound.conf"
include: "/usr/local/etc/unbound/apple.china.unbound.conf"
EOF

需要重载 Unbound 配置

unbound-control reload

验证分流是否生效,下面是分流之前解析到的www.apple.com的 IP 地址。若现在再次尝试从 Unbound 监听接口(192.168.88.8)上解析得到的 IP 与之前在 114 上解析到的 IP 相同,则表明分流已经生效。

@114.114.114.114
218.58.101.229

@192.168.88.8
23.220.193.4

小结

上述分流是基于访问白名单的形式,将正常访问的国内域名交给国内DNS解析,其他没有匹配到的域名交给国外DNS;因此,同样也可以基于访问黑名单的形式,将国外经常访问的域名交给国外DNS解析,其他没有匹配到的域名交给国内DNS。域名分流通常需要同时兼具国内和海外多线路的支持,并结合基于路由表的分流才能发挥出真正的作用。

参考资料

  1. Unbound by NLnet Labs
  2. Unbound not compiled with libevent
  3. Linux 下查看程序依赖的库
  4. Using a DNS cache sizing formula to tune DNS cache
  5. DNS域名系统详解
  6. better dns with unbound
  7. dnsmasq china list
0

评论区