unbound is a recursive caching DNS resolver. On Linux it is the state-of-the-art choice both for operating a public DNS resolver and for running an internal resolver, so that your own servers no longer depend on the name servers of external providers.
It is written in C and is particularly stable, fast and easy to use. Among other things it supports the following features:
- A plugin for Munin
- Serving your own local zones
- "Prefetching" (similar to Google's public DNS): when a cached record that is about to expire is requested, the daemon refreshes it in the background before its TTL runs out, so the client does not have to wait for the lookup
Since unbound is still at an early stage of development, and a lot is currently happening in the DNS area (not least because of DNSSEC and other security features), it is highly recommended to compile unbound yourself rather than relying on the Debian / Ubuntu repositories.
1) Install the required packages
# apt-get install make gcc libssl-dev libevent-dev libexpat1-dev libldns-dev
2) Compile
# cd /usr/src
# wget http://www.unbound.net/downloads/unbound-1.4.16.tar.gz
# tar xvfz unbound-1.4.16.tar.gz
# cd unbound-1.4.16
# ./configure \
--prefix=/usr \
--sysconfdir=/etc \
--localstatedir=/var \
--with-conf-file=/etc/unbound/unbound.conf \
--with-libevent \
--with-ldns \
--with-ssl
(optional, if the OpenSSL version
# make && make install
3) Configuration
# nano /etc/unbound/unbound.conf
server:
verbosity: 0
# don't thread
num-threads: 1
interface: 127.0.0.1
interface: 192.168.2.1
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
do-daemonize: yes
access-control: 192.168.2.0/24 allow
pidfile: "/var/run/unbound.pid"
username: nobody
# file to read root hints from.
# get one from ftp://FTP.INTERNIC.NET/domain/named.cache
root-hints: "/etc/unbound/named.cache"
hide-identity: yes
hide-version: yes
# optimisations for high traffic (these values are sized for 1 GB of RAM; adjust them accordingly)
rrset-cache-size: 512m
msg-cache-size: 256m
outgoing-range: 8192
num-queries-per-thread: 4096
so-rcvbuf: 4m
so-sndbuf: 4m
# optimisations for client speed (google-dns wannabe)
prefetch: yes
prefetch-key: yes
# Harden against very small EDNS buffer sizes.
harden-short-bufsize: yes
# Harden against unseemly large queries.
harden-large-queries: yes
# Harden against out of zone rrsets, to avoid spoofing attempts.
harden-glue: yes
# A suggested value is 10000000, the default is 0 (turned off).
unwanted-reply-threshold: 10000000
4) Start
# unbound
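Before starting the daemon it is worth checking the configuration. unbound ships `unbound-checkconf`, which catches syntax errors in /etc/unbound/unbound.conf. The script below is an added example, not part of the original post and not unbound's own code; it goes one step further and audits the server: section offline for the two things that matter most on a LAN resolver: that the hardening options listed above are actually enabled, and that the daemon does not end up as an open resolver (listening on a non-loopback address while access-control allows 0.0.0.0/0 or ::/0). The two embedded configurations are constructed: the first mirrors the settings above, the second is a deliberately weak variant. The parser only understands the `key: value` lines of the server: clause and relies on unbound's rule that the last occurrence of an option wins.

```python
"""Offline audit of the server: section of an unbound.conf (added example)."""
import ipaddress

# Hardening options from the configuration above and the value each should have.
EXPECTED_HARDENING = {
    "hide-identity": "yes",
    "hide-version": "yes",
    "harden-short-bufsize": "yes",
    "harden-large-queries": "yes",
    "harden-glue": "yes",
}


def parse_server_section(text):
    """Return (key, value) pairs from the server: clause, comments stripped."""
    pairs = []
    in_server = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.endswith(":") and " " not in line:  # a clause header such as server:
            in_server = line == "server:"
            continue
        if not in_server or ":" not in line:
            continue
        key, value = line.split(":", 1)
        pairs.append((key.strip(), value.strip().strip('"')))
    return pairs


def audit(text):
    """Return a list of findings; an empty list means the config passes."""
    values = {}
    for key, value in parse_server_section(text):
        values.setdefault(key, []).append(value)
    findings = []

    # 1. Hardening options: the last occurrence of an option wins.
    for key, want in EXPECTED_HARDENING.items():
        got = values.get(key, ["unset"])[-1]
        if got != want:
            findings.append(f"{key} is {got}, expected {want}")
    if values.get("unwanted-reply-threshold", ["0"])[-1] == "0":
        findings.append("unwanted-reply-threshold is 0 (off); 10000000 is suggested")

    # 2. Open-resolver check: non-loopback listeners versus allow rules.
    listeners = []
    for spec in values.get("interface", []):            # syntax: addr or addr@port
        addr = ipaddress.ip_address(spec.split("@", 1)[0])
        if not addr.is_loopback:
            listeners.append(str(addr))
    allowed = []
    for rule in values.get("access-control", []):       # syntax: net action
        parts = rule.split()
        if len(parts) == 2 and parts[1] in ("allow", "allow_snoop"):
            allowed.append(ipaddress.ip_network(parts[0], strict=False))
    if listeners:
        wide_open = [str(n) for n in allowed if n.prefixlen == 0]
        if wide_open:
            findings.append(f"open resolver: listening on {listeners} with {wide_open} allowed")
        elif not allowed:
            # unbound only serves localhost by default, so LAN clients would be refused.
            findings.append("listening on a non-loopback address but no access-control allow rule")
    return findings


# Constructed sample mirroring the configuration from the page.
PAGE_CONF = """
server:
    verbosity: 0
    num-threads: 1
    interface: 127.0.0.1
    interface: 192.168.2.1
    access-control: 192.168.2.0/24 allow
    pidfile: "/var/run/unbound.pid"
    username: nobody
    # get one from ftp://FTP.INTERNIC.NET/domain/named.cache
    root-hints: "/etc/unbound/named.cache"
    hide-identity: yes
    hide-version: yes
    harden-short-bufsize: yes
    harden-large-queries: yes
    harden-glue: yes
    unwanted-reply-threshold: 10000000
"""

# Constructed weak variant: an open resolver that also leaks its version.
WEAK_CONF = """
server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow
    hide-version: no
"""

if __name__ == "__main__":
    for name, conf in (("page config", PAGE_CONF), ("weak config", WEAK_CONF)):
        print(name + ":", audit(conf) or ["ok"])
```

Run it against your real file with `audit(open("/etc/unbound/unbound.conf").read())`; it complements rather than replaces `unbound-checkconf`, which validates syntax but says nothing about whether the access-control rules leave the resolver open.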