Archive: 2008/10/27

Installing unbound

About the local DNS I set up the other day: an @IT article I happened to read told me about the existence of Unbound, an open-source DNS resolver.

The djbdns I am currently using is by no means bad, but Unbound beats it on two points:

  • IPv4/IPv6 dual stack
  • DNSSEC (secure DNS) support

It can also define its own records as local zones, so Unbound alone can replace both dnscache and the internal-facing tinydns; better still, that local data appears to resolve bare host names with no domain appended, which is exactly what I wanted.

So I downloaded the source and built it. For now I only enabled SSL.

$ wget http://www.unbound.net/downloads/unbound-1.0.2.tar.gz
$ tar xvfz unbound-1.0.2.tar.gz
$ cd unbound-1.0.2/
$ ./configure --with-ssl=/usr/
$ make
$ sudo make install
Next, add an unbound user and group. Move /usr/local/etc/unbound under /var/unbound/ and put a symbolic link to it in /etc as well.
$ sudo groupadd unbound
$ sudo useradd -d /var/unbound -m -g unbound -s /bin/false unbound
$ sudo mkdir /var/unbound/etc
$ sudo mv /usr/local/etc/unbound /var/unbound/etc/
$ sudo chown -R unbound:unbound /var/unbound/
$ sudo ln -s /var/unbound/etc/unbound /etc/

Then change the following parts of /etc/unbound/unbound.conf. The simple-DNS part is where local-zone is set to static and the A records are listed with local-data.
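Writing the local-data lines by hand gets tedious as hosts are added, and it is easy to forget the reverse records. The following script is an added example (not from the original post or the Unbound project): it takes a hosts-style list of "hostname ip" lines, validates each address, and emits the local-zone/local-data stanza for unbound.conf, with every host both as a bare name and as a FQDN under the domain. It goes one step beyond the post's config by also emitting a static reverse (in-addr.arpa) zone with PTR records. It assumes the post's domain bravotouring.com and the 192.168.199.0/24 network; the host list in the demo is constructed.

```shell
#!/bin/sh
# Added example, not from the original post or the Unbound project.
# Generate Unbound local-zone/local-data stanzas from a hosts-style list.
# Assumptions: domain bravotouring.com, network 192.168.199.0/24 (both from
# the post); the host list in the demo at the bottom is constructed.

# valid_ipv4 ADDR: succeed only for a dotted quad whose four octets are 0-255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digit or empty octet
        *.*.*.*.*) return 1 ;;              # more than three dots
        *.*.*.*) ;;                          # exactly three dots: check octets
        *) return 1 ;;
    esac
    rest=$1
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        [ "$octet" -le 255 ] || return 1
        case "$rest" in *.*) rest=${rest#*.} ;; *) rest='' ;; esac
    done
    return 0
}

# ptr_name ADDR: reverse-map owner name, e.g. 192.168.199.2 -> 2.199.168.192.in-addr.arpa
ptr_name() {
    a=${1%%.*}; r=${1#*.}
    b=${r%%.*};  r=${r#*.}
    c=${r%%.*};  d=${r#*.}
    printf '%s.%s.%s.%s.in-addr.arpa' "$d" "$c" "$b" "$a"
}

# gen_local_data DOMAIN REVZONE: read "host ip" lines from stdin and print the
# forward and reverse static zones. Returns 1 (printing nothing) on a bad line,
# so a typo never produces a half-written config.
gen_local_data() {
    domain=$1; revzone=$2
    fwd=''; rev=''
    while read -r host ip; do
        [ -n "$host" ] || continue                 # blank line
        case "$host" in '#'*) continue ;; esac     # comment line
        valid_ipv4 "$ip" || { echo "bad address for $host: $ip" >&2; return 1; }
        # FQDN record plus the bare name the post relies on (Unbound creates a
        # transparent local-zone for the bare name automatically).
        fwd="$fwd
local-data: \"$host.$domain. IN A $ip\"
local-data: \"$host. IN A $ip\""
        rev="$rev
local-data: \"$(ptr_name "$ip"). IN PTR $host.$domain.\""
    done
    printf 'local-zone: "%s." static%s\n' "$domain" "$fwd"
    printf 'local-zone: "%s." static%s\n' "$revzone" "$rev"
}

# Demo with a constructed host list; redirect stdout into unbound.conf's
# local-data section (or a file you paste in).
printf '%s\n' 'nx9030 192.168.199.1' 'glantank 192.168.199.2' 'router 192.168.199.254' \
    | gen_local_data bravotouring.com 199.168.192.in-addr.arpa
```

Both zones are emitted as static, matching the post: names in 192.168.199.0/24 that are not listed get NXDOMAIN rather than an upstream lookup, which is what you want for private address space that the public DNS cannot answer for anyway.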

--- ~/unbound-1.0.2/doc/example.conf 2008-10-27 20:24:09.000000000 +0900
+++ /etc/unbound/unbound.conf 2008-10-27 22:48:18.000000000 +0900
@@ -33,6 +33,7 @@
# interface: 192.0.2.153
# interface: 192.0.2.154
# interface: 2001:DB8::5
+interface: 192.168.199.1

# enable this feature to copy the source address of queries to reply.
# Socket options not be supported on all platforms. experimental.
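Review bot: binding only `interface: 192.168.199.1` means the daemon never listens on loopback, so on this host /etc/resolv.conf must point at 192.168.199.1; a query sent to 127.0.0.1 is refused at the socket level, not by access-control. Add `interface: 127.0.0.1` (and `interface: ::1`, given the dual-stack motivation above) if local lookups are wanted.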
@@ -140,6 +141,8 @@
# access-control: ::0/0 refuse
# access-control: ::1 allow
# access-control: ::ffff:127.0.0.1 allow
+access-control: 127.0.0.0/8 allow
+access-control: 192.168.199.0/24 allow

# if given, a chroot(2) is done to the given directory.
# i.e. you can chroot to the working directory, for example,
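Review bot: `access-control: 127.0.0.0/8 allow` has no effect with the interface list as it stands, since no loopback socket is bound; it only becomes meaningful once a 127.0.0.1 interface is added. The `192.168.199.0/24 allow` line is the right scope for a LAN resolver, and because unbound refuses netblocks it is not told about, no explicit deny lines are needed; just keep this list in step with the interface list whenever either changes.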
@@ -163,6 +166,7 @@
#
# If you give "" no chroot is performed. The path must not end in a /.
# chroot: "/usr/local/etc/unbound"
+chroot: "/var/unbound"

# if given, user privileges are dropped (after binding port),
# and the given username is assumed. Default is user "unbound".
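Review bot: with `chroot: "/var/unbound"` the config file should be passed on the command line as its full original-root path, `/var/unbound/etc/unbound/unbound.conf`, because unbound strips the chroot prefix from that path so it can reread the file on reload; the `/etc/unbound` symlink created earlier does not resolve inside the jail. Also, `/var/unbound` was `chown -R unbound:unbound` above, so the jail root itself is writable by the jailed user; keep the chroot directory root-owned and make only the subdirectories unbound actually needs writable.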
@@ -173,6 +177,7 @@
# relative to this directory. If you give "" the working directory
# is not changed.
# directory: "/usr/local/etc/unbound"
+directory: ""

# the log file, "" means log to stderr.
# Use of this option sets use-syslog to "no".
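Review bot: `directory: ""` leaves the working directory wherever unbound happened to be started, so any relative path later in the file (root-hints, trust anchor, logfile) resolves from an unpredictable place instead of from the jail. With chroot set to /var/unbound, `directory: "/var/unbound"` (or the /var/unbound/etc/unbound subdirectory) makes relative paths and the jail agree.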
@@ -184,6 +189,7 @@

# the pid file.
# pidfile: "/usr/local/etc/unbound/unbound.pid"
+pidfile: "/var/unbound/unbound.pid"

# file to read root hints from.
# get one from ftp://FTP.INTERNIC.NET/domain/named.cache
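Review bot: the pidfile path works as an absolute original-root path (unbound writes it before it chroots and drops privileges), but /var/unbound/unbound.pid sits in a directory the unbound user owns after the earlier `chown -R`; a compromised resolver could rewrite it, and a root-run `kill $(cat /var/unbound/unbound.pid)` would then hit an arbitrary process. Put the pidfile in a root-owned directory such as /var/run, or keep /var/unbound root-owned. Relatedly, if a root-hints file is configured it must live under /var/unbound to be readable after the chroot.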
@@ -330,6 +336,21 @@
# (this makes example.com, www.example.com, etc, all go to 192.0.2.3)
# local-zone: "example.com" redirect
# local-data: "example.com A 192.0.2.3"
+local-zone: "bravotouring.com" static
+local-data: "bravotouring.com IN A 192.168.199.1"
+local-data: "www.bravotouring.com IN A 192.168.199.1"
+local-data: "mail.bravotouring.com IN A 192.168.199.1"
+local-data: "ns1.bravotouring.com IN A 192.168.199.1"
+local-data: "ns2.bravotouring.com IN A 192.168.199.1"
+local-data: "nx9030 IN A 192.168.199.1"
+local-data: "glantank IN A 192.168.199.2"
+local-data: "pavilion IN A 192.168.199.3"
+local-data: "HPC7180 IN A 192.168.199.7"
+local-data: "andromeda IN A 192.168.199.11"
+local-data: "vista IN A 192.168.199.12"
+local-data: "MacMini IN A 192.168.199.21"
+local-data: "ThinkPadT60 IN A 192.168.199.60"
+local-data: "router IN A 192.168.199.254"


# Stub zones.
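Review bot: `local-zone: "bravotouring.com" static` overrides the whole public domain, not just the listed names: any name under it that is absent from local-data, and any other record type for a listed name (an MX lookup for mail.bravotouring.com, for example), gets NXDOMAIN or NODATA from this resolver rather than an upstream lookup, so every record LAN clients need must be repeated here. The zone also carries no SOA, so those negative answers go out without one and stub resolvers cannot cache them properly. The bare-hostname entries (nx9030, glantank, …) are not inside the bravotouring.com zone; unbound creates a transparent local-zone for each bare name, which works, but a client with a search domain first asks for nx9030.bravotouring.com and gets NXDOMAIN from the static zone; adding the FQDN A records alongside the bare ones avoids that extra round trip.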