https://www.bravotouring.com/~yano/archives/2008/10/27/ Recent content in 2008/10/27 on Yano's digital garage Hugo en-us Mon, 27 Oct 2008 21:39:34 +0900 https://www.bravotouring.com/~yano/diary/it/20081027unbound.htm Mon, 27 Oct 2008 21:39:34 +0900 https://www.bravotouring.com/~yano/diary/it/20081027unbound.htm <p><a href="https://www.bravotouring.com/~yano/diary/it/20081024dns.htm">こないだ設定したローカルDNS</a>の件だが、何気に見た<a href="http://www.atmarkit.co.jp/flinux/special/unbound/unbounda.html" target="SubWindow">＠ITの記事</a>でオープンソースの<a href="http://unbound.net/" target="SubWindow"><span class="Software">Unbound</span></a>というDNSリゾルバの存在を知った。</p> <p>今使っている<span class="Software">djbdns</span>も決して悪くはないのだが、 <ul> <li>IPv4、IPv6デュアルスタック</li> <li>DNSSEC(secure DNS)対応</li> </ul> という2点で、<span class="Software">djbdns</span>を上回る。</p> <p>またローカル・ゾーンとして独自情報を定義する事もできるので<a href="http://unbound.net/" target="SubWindow"><span class="Software">Unbound</span></a>だけで<span class="Software">dnscache</span>と内向け<span class="Software">tinydns</span>を代替できる事になり、しかもこの独自情報では<span class="Warning">ドメイン名を付与しないホスト名</span>を含めて解決できそうなのでしてやったり。</p> <p>というわけで、ソースをダウンロードしてビルド。取り敢えず<span class="Software">SSL</span>だけ有効にしておいた。 <blockquote class="Log"> $ wget http://www.unbound.net/downloads/unbound-1.0.2.tar.gz<br/> $ tar xvfz unbound-1.0.2.tar.gz<br/> $ cd unbound-1.0.2/<br/> $ ./configure --with-ssl=/usr/<br/> $ make<br/> $ sudo make install </blockquote> 次に、unboundユーザーとグループを追加。/usr/local/etc/unboundを/var/unbound/配下に移動し、/etcにもシンボリックリンク。 <blockquote class="Log"> $ sudo groupadd unbound<br/> $ sudo useradd -d /var/unbound -m -g unbound -s /bin/false unbound<br/> $ sudo mkdir /var/unbound/etc<br/> $ sudo mv /usr/local/etc/unbound /var/unbound/etc/<br/> $ sudo chown -R unbound:unbound /var/unbound/<br/> $ sudo ln -s /var/unbound/etc/unbound /etc/ </blockquote></p> <p>続いて<span class="Path">/etc/unbound/unbound.conf</span>の下記箇所を変更。local-zoneで<span class="Topics">static</span>を指定し、local-dataでAレコードを列挙しているのが簡易DNSの設定。 <blockquote class="Log"> --- ~/unbound-1.0.2/doc/example.conf 2008-10-27 20:24:09.000000000 +0900<br/> +++ /etc/unbound/unbound.conf 2008-10-27 22:48:18.000000000 +0900<br/> @@ -33,6 +33,7 @@<br/> # interface: 192.0.2.153<br/> # interface: 192.0.2.154<br/> # interface: 2001:DB8::5<br/> +interface: 192.168.199.1<br/> <br/> # enable this feature to copy the source address of queries to reply.<br/> # Socket options not be supported on all platforms. experimental.<br/> @@ -140,6 +141,8 @@<br/> # access-control: ::0/0 refuse<br/> # access-control: ::1 allow<br/> # access-control: ::ffff:127.0.0.1 allow<br/> +access-control: 127.0.0.0/8 allow<br/> +access-control: 192.168.199.0/24 allow<br/> <br/> # if given, a chroot(2) is done to the given directory.<br/> # i.e. you can chroot to the working directory, for example,<br/> @@ -163,6 +166,7 @@<br/> #<br/> # If you give "" no chroot is performed. The path must not end in a /.<br/> # chroot: "/usr/local/etc/unbound"<br/> +chroot: "/var/unbound"<br/> <br/> # if given, user privileges are dropped (after binding port),<br/> # and the given username is assumed. Default is user "unbound".<br/> @@ -173,6 +177,7 @@<br/> # relative to this directory. If you give "" the working directory<br/> # is not changed.<br/> # directory: "/usr/local/etc/unbound"<br/> +directory: ""<br/> <br/> # the log file, "" means log to stderr.<br/> # Use of this option sets use-syslog to "no".<br/> @@ -184,6 +189,7 @@<br/> <br/> # the pid file.<br/> # pidfile: "/usr/local/etc/unbound/unbound.pid"<br/> +pidfile: "/var/unbound/unbound.pid"<br/> <br/> # file to read root hints from.<br/> # get one from ftp://FTP.INTERNIC.NET/domain/named.cache<br/> @@ -330,6 +336,21 @@<br/> # (this makes example.com, www.example.com, etc, all go to 192.0.2.3)<br/> # local-zone: "example.com" redirect<br/> # local-data: "example.com A 192.0.2.3"<br/> +local-zone: "bravotouring.com" static<br/> +local-data: "bravotouring.com IN A 192.168.199.1"<br/> +local-data: "www.bravotouring.com IN A 192.168.199.1"<br/> +local-data: "mail.bravotouring.com IN A 192.168.199.1"<br/> +local-data: "ns1.bravotouring.com IN A 192.168.199.1"<br/> +local-data: "ns2.bravotouring.com IN A 192.168.199.1"<br/> +local-data: "nx9030 IN A 192.168.199.1"<br/> +local-data: "glantank IN A 192.168.199.2"<br/> +local-data: "pavilion IN A 192.168.199.3"<br/> +local-data: "HPC7180 IN A 192.168.199.7"<br/> +local-data: "andromeda IN A 192.168.199.11"<br/> +local-data: "vista IN A 192.168.199.12"<br/> +local-data: "MacMini IN A 192.168.199.21"<br/> +local-data: "ThinkPadT60 IN A 192.168.199.60"<br/> +local-data: "router IN A 192.168.199.254"<br/> <br/> <br/> # Stub zones.</blockquote></p>