环境:Ubuntu 20.04.1 LTS
编译安装
下载最新源码包
wget https://nlnetlabs.nl/downloads/unbound/unbound-latest.tar.gz && tar xzf unbound-latest.tar.gz
安装依赖
apt update -y && apt install -y build-essential libssl-dev libexpat1-dev && apt-get install -y bison flex
开始预编译
root@livejq:~/unbound-1.16.2# ./configure
...
...
configure: creating ./config.status
config.status: creating Makefile
config.status: creating doc/example.conf
config.status: creating doc/libunbound.3
config.status: creating doc/unbound.8
config.status: creating doc/unbound-anchor.8
config.status: creating doc/unbound-checkconf.8
config.status: creating doc/unbound.conf.5
config.status: creating doc/unbound-control.8
config.status: creating doc/unbound-host.1
config.status: creating smallapp/unbound-control-setup.sh
config.status: creating dnstap/dnstap_config.h
config.status: creating dnscrypt/dnscrypt_config.h
config.status: creating contrib/libunbound.pc
config.status: creating contrib/unbound.socket
config.status: creating contrib/unbound.service
config.status: creating contrib/unbound_portable.service
config.status: creating config.h
config.status: executing libtool commands
执行编译和安装
root@livejq:~/unbound-1.16.2# make && make install
...
...
See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
/bin/bash ./install-sh -m 755 -d /usr/local/sbin
/bin/bash ./install-sh -m 755 -d /usr/local/share/man
/bin/bash ./install-sh -m 755 -d /usr/local/share/man/man8
/bin/bash ./install-sh -m 755 -d /usr/local/share/man/man5
/bin/bash ./install-sh -m 755 -d /usr/local/share/man/man1
./libtool --mode=install cp -f unbound /usr/local/sbin/unbound
libtool: install: cp -f unbound /usr/local/sbin/unbound
./libtool --mode=install cp -f unbound-checkconf /usr/local/sbin/unbound-checkconf
libtool: install: cp -f unbound-checkconf /usr/local/sbin/unbound-checkconf
./libtool --mode=install cp -f unbound-control /usr/local/sbin/unbound-control
libtool: install: cp -f unbound-control /usr/local/sbin/unbound-control
./libtool --mode=install cp -f unbound-host /usr/local/sbin/unbound-host
libtool: install: cp -f .libs/unbound-host /usr/local/sbin/unbound-host
./libtool --mode=install cp -f unbound-anchor /usr/local/sbin/unbound-anchor
libtool: install: cp -f .libs/unbound-anchor /usr/local/sbin/unbound-anchor
/bin/bash ./install-sh -c -m 644 doc/unbound.8 /usr/local/share/man/man8
/bin/bash ./install-sh -c -m 644 doc/unbound-checkconf.8 /usr/local/share/man/man8
/bin/bash ./install-sh -c -m 644 doc/unbound-control.8 /usr/local/share/man/man8
/bin/bash ./install-sh -c -m 644 doc/unbound-control.8 /usr/local/share/man/man8/unbound-control-setup.8
/bin/bash ./install-sh -c -m 644 doc/unbound-anchor.8 /usr/local/share/man/man8
/bin/bash ./install-sh -c -m 644 doc/unbound.conf.5 /usr/local/share/man/man5
/bin/bash ./install-sh -c -m 644 doc/unbound-host.1 /usr/local/share/man/man1
/bin/bash ./install-sh -c -m 755 unbound-control-setup /usr/local/sbin/unbound-control-setup
if test ! -e /usr/local/etc/unbound/unbound.conf; then /bin/bash ./install-sh -d `dirname /usr/local/etc/unbound/unbound.conf`; /bin/bash ./install-sh -c -m 644 doc/example.conf /usr/local/etc/unbound/unbound.conf; fi
基本配置
server:
# 默认,详细日志输出
verbosity: 1
interface: 192.168.88.8
# 监听 IPv4 的 UDP 和 TCP 的 53 端口
port: 53
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes
# 默认,当运行起来后会删除此用户的权限
username: "unbound"
# 默认,上下文目录,相对路径会以此为依据
directory: "/usr/local/etc/unbound"
# 允许任何地址的请求
access-control: 0.0.0.0/0 allow
# DNS 子缓存,特定 DNS 查询的响应
msg-cache-size: 25m
# DNS 子缓存,资源记录集数据,可直接从缓存中生成响应
# 建议 msg 和 rrset 的缓存为 1:10
rrset-cache-size: 250m
# 默认,向上游DNS发送的报文中尽可能包含更少的信息,保护隐私
qname-minimisation: yes
# 不记录到系统日志
use-syslog: no
# 日志时间戳使用 UTC,默认为秒
log-time-ascii: yes
# 统计非正常返回的结果,达到阈值后会触发保护机制并将缓存数据清空
unwanted-reply-threshold: 10000000
# 接近过期的缓存信息也可以拿来用
prefetch: yes
# 配置上游 DNS
forward-zone:
name: "."
forward-addr: 1.1.1.1
forward-addr: 8.8.8.8
检查配置文件
unbound-checkconf
调试运行状态
root@livejq:~# unbound -d -vv
[1662407115] unbound[111994:0] notice: Start of unbound 1.16.2.
unbound[111994:0] warning: too many file descriptors requested. The builtinmini-event cannot handle more than 1024. Config for less fds or compile with libevent
unbound[111994:0] fatal error: too much tcp. not enough fds.
出现上述错误,是因为我没有使用libevent
进行编译,而又使用了如下配置导致的,注释掉就行了。
num-threads: 4
so-reuseport: yes
outgoing-num-tcp: 256
incoming-num-tcp: 1024
查看 Unbound 依赖库
root@livejq:~# ldd /usr/local/sbin/unbound
linux-vdso.so.1 (0x00007ffd5f9b9000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f8ed1ed0000)
libssl.so.1.1 => /lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f8ed1e3d000)
libcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f8ed1b67000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f8ed1b44000)
/lib64/ld-linux-x86-64.so.2 (0x00007f8ed21d5000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f8ed1b3e000)
也可以使用 readelf -d /usr/local/sbin/unbound
设置 Remote Control
使用unbound-control-setup
命令在默认目录下生成密钥
root@livejq:/usr/local/etc/unbound# ls
unbound.conf unbound.pid
root@livejq:/usr/local/etc/unbound# unbound-control-setup
setup in directory /usr/local/etc/unbound
Generating RSA private key, 3072 bit long modulus (2 primes)
..........................++++
...................................................................................................................................................................................++++
e is 65537 (0x010001)
Generating RSA private key, 3072 bit long modulus (2 primes)
...............................................++++
......++++
e is 65537 (0x010001)
Signature ok
subject=CN = unbound-control
Getting CA Private Key
removing artifacts
Setup success. Certificates created. Enable in unbound.conf file to use
root@livejq:/usr/local/etc/unbound# ls
unbound.conf unbound_control.key unbound_control.pem unbound.pid unbound_server.key unbound_server.pem
在配置文件上启用remote-control
功能
remote-control:
control-enable: yes
control-interface: 127.0.0.1
control-port: 8953
server-key-file: "/usr/local/etc/unbound/unbound_server.key"
server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"
control-key-file: "/usr/local/etc/unbound/unbound_control.key"
control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"
启动 Unbound 服务
unbound
或
unbound-control start
停止 Unbound 服务
unbound-control stop
重载 Unbound 配置
unbound-control reload
检查是否运行成功
root@livejq:~# unbound-control status
version: 1.16.2
verbosity: 1
threads: 1
modules: 2 [ validator iterator ]
uptime: 4240 seconds
options: reuseport control(ssl)
unbound (pid 119243) is running...
查看监听接口
root@livejq:~# netstat -tunlp | grep 53
tcp 0 0 192.168.88.8:53 0.0.0.0:* LISTEN 119243/unbound
tcp 0 0 127.0.0.1:8953 0.0.0.0:* LISTEN 119243/unbound
udp 0 0 192.168.88.8:53 0.0.0.0:* 119243/unbound
域名分流
在操作之前请先在服务器本地尝试用114.114.114.114
和本地 Unbound 监听接口(我这里是 192.168.88.8)解析出www.apple.com
的 IP 地址,之后需要作为验证使用。
git clone --depth=1 https://gitee.com/felixonmars/dnsmasq-china-list.git && cd dnsmasq-china-list/ && make unbound && mv *unbound.conf /usr/local/etc/unbound
注意:执行前确保你的 Unbound 默认配置目录为
/usr/local/etc/unbound
,修改默认 DNS 可使用命令make SERVER=223.6.6.6 unbound
加入到 Unbound 配置文件中,直接运行如下命令
cat << EOF >> /usr/local/etc/unbound/unbound.conf
include: "/usr/local/etc/unbound/accelerated-domains.china.unbound.conf"
include: "/usr/local/etc/unbound/google.china.unbound.conf"
include: "/usr/local/etc/unbound/apple.china.unbound.conf"
EOF
需要重载 Unbound 配置
unbound-control reload
验证分流是否生效,下面是分流之前解析到的www.apple.com
的 IP 地址。若现在再次尝试从 Unbound 监听接口(192.168.88.8)上解析得到的 IP 与之前在 114 上解析到的 IP 相同,则表明分流已经生效。
@114.114.114.114
218.58.101.229
@192.168.88.8
23.220.193.4
小结
上述分流是基于访问白名单
的形式,将正常访问的国内域名交给国内DNS解析,其他没有匹配到的域名交给国外DNS;因此,同样也可以基于访问黑名单
的形式,将国外经常访问的域名交给国外DNS解析,其他没有匹配到的域名交给国内DNS。域名分流通常需要同时兼具国内和海外多线路的支持,并结合基于路由表的分流才能发挥出真正的作用。
评论区