unbound on OpenBSD

2013-03-05 update: corrected the kill commands and added client-side troubleshooting notes
{: class="info" }

Mention DNS and most people think of BIND. In 2000, O'Reilly's "DNS and BIND" was the best-known, and the only, book about DNS; it is now in its 5th edition. But time passes and beauty fades: BIND's code base has grown ever more bloated, every step forward is a struggle, and a number of newcomers are eyeing BIND's position. nsd/unbound is one of them; three of the root name servers already run nsd.

nsd/unbound is a pair of DNS daemons developed by NLnet Labs: nsd acts as the authoritative server and unbound handles recursion and caching, with the aim of giving users a secure, simple and efficient DNS solution. Both Ubuntu and OpenBSD plan to make unbound the default DNS resolver in their next release.
This post covers only unbound; nsd can wait for another occasion.

Requirements

  1. Serve internal users only, and only over IPv4;
  2. Provide simple name resolution for two local domains;
  3. Let unbound resolve external names recursively and cache the results.

Installation

# pkg_add -r unbound

Configuration

/var/unbound/etc/unbound.conf
server:
	verbosity: 1
	interface: 127.0.0.1
	interface: 192.168.5.254
	interface: 192.168.8.254
	outgoing-interface: 202.138.174.xx
	# If the OpenBSD box has only one NIC and sits on the internal network, set outgoing-interface to its internal IP
	do-ip4: yes
	do-ip6: no
	do-udp: yes
	do-tcp: no
	access-control: 0.0.0.0/0 refuse
	access-control: 127.0.0.0/8 allow
	access-control: 192.168.5.0/24 allow
	access-control: 192.168.8.0/24 allow
local-zone: "beijing.gov.cn." static
	local-data: "moa.beijing.gov.cn.            IN A 10.168.1.5"
	local-data: "mas.beijing.gov.cn.            IN A 10.168.1.8"
	local-data: "oa.beijing.gov.cn.             IN A 10.168.1.9"
local-zone: "oaserver.com." static
	local-data: "oa_server1.oaserver.com        IN A 10.168.1.6"
	local-data: "oa_server2.oaserver.com        IN A 10.168.1.7"

local-data-ptr: "10.168.1.5                    moa.beijing.gov.cn"
local-data-ptr: "10.168.1.8                    mas.beijing.gov.cn"
local-data-ptr: "10.168.1.9                     oa.beijing.gov.cn"
local-data-ptr: "10.168.1.6               oa_server1.oaserver.com"
local-data-ptr: "10.168.1.7               oa_server2.oaserver.com"

forward-zone:
	name: "."
	forward-addr: 8.8.4.4  # public dns-1
	forward-addr: 8.8.8.8  # public dns-2

unbound's configuration is plain and easy to pick up.
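The access-control lines above are what keep this resolver closed to the outside world. The following Python is an added example (not code from the original post): it evaluates those rules the way unbound does, by most specific matching prefix rather than file order, so you can check which clients would be served before reloading. The config excerpt and the probe addresses are constructed.

```python
import ipaddress

# Constructed excerpt: the access-control lines from the unbound.conf shown above.
SAMPLE_CONF = """
server:
	access-control: 0.0.0.0/0 refuse
	access-control: 127.0.0.0/8 allow
	access-control: 192.168.5.0/24 allow   # office LAN
	access-control: 192.168.8.0/24 allow
"""

def parse_access_control(conf_text):
    """Return [(network, action), ...] from every access-control: line."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments
        if not line.startswith("access-control:"):
            continue
        parts = line.split(":", 1)[1].split()
        if len(parts) != 2:
            raise ValueError("malformed access-control line: %r" % raw)
        net, action = parts
        rules.append((ipaddress.ip_network(net, strict=False), action))
    return rules

def decide(rules, client_ip):
    """Action unbound would apply: the most specific (longest-prefix) matching
    rule wins, regardless of the order in the file. With no match we return
    'refuse', matching the explicit 0.0.0.0/0 refuse in the config above
    (unbound's own default also refuses non-localhost clients)."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for net, action in rules:
        # 'in' is False when the IP version differs, so v6 clients never match v4 rules
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return best[1] if best else "refuse"

def is_open_resolver(rules, probes=("8.8.8.8", "203.0.113.10", "198.51.100.7")):
    """True if any of the (constructed, public) probe addresses would be served,
    i.e. the box would behave as an open resolver."""
    return any(decide(rules, p) == "allow" for p in probes)
```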

Configure resolv.conf

# echo "nameserver 127.0.0.1" > /etc/resolv.conf

Start

# /usr/local/sbin/unbound

Start at boot

Add the following snippet to /etc/rc.local

if [ -x /usr/local/sbin/unbound ]; then
   echo -n ' unbound';
   /usr/local/sbin/unbound
fi

Restart (reload)

kill -HUP $(cat /var/unbound/var/run/unbound.pid)

-HUP only reloads the configuration file; the process is not terminated. Run ps -aux | grep unbound before and after the command and you will see that the PID does not change. This command is very handy.

Stop

kill -QUIT $(cat /var/unbound/var/run/unbound.pid)

Use -QUIT to terminate unbound; otherwise the log will show a warning such as openbsd unbound: [12078:0] warning: did not exit gracefully last time (14222).

Testing

root@openbsd:~# dig @<unbound-ip> www.baidu.com

; <<>> DiG 9.4.2-P2 <<>> www.baidu.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30454
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;www.baidu.com.                 IN      A

;; ANSWER SECTION:
www.baidu.com.          301     IN      CNAME   www.a.shifen.com.
www.a.shifen.com.       557     IN      A       61.135.169.105
www.a.shifen.com.       557     IN      A       61.135.169.125

;; AUTHORITY SECTION:
a.shifen.com.           6968    IN      NS      ns2.a.shifen.com.
a.shifen.com.           6968    IN      NS      ns5.a.shifen.com.
a.shifen.com.           6968    IN      NS      ns4.a.shifen.com.
a.shifen.com.           6968    IN      NS      ns6.a.shifen.com.

;; ADDITIONAL SECTION:
ns2.a.shifen.com.       540     IN      A       123.125.113.66
ns4.a.shifen.com.       530     IN      A       123.125.113.67
ns5.a.shifen.com.       28      IN      A       220.181.3.178
ns6.a.shifen.com.       94      IN      A       220.181.4.178

;; Query time: 26 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jun 11 12:41:19 2011
;; MSG SIZE  rcvd: 226

You can also trace the port 53 traffic with tcpdump:

root@openbsd:/var/log# tcpdump -nvi fxp0 port 53 
tcpdump: listening on fxp0, link-type EN10MB
23:43:01.931549 10.168.9.34.55420 > 10.168.1.11.53: [udp sum ok] 3200+ A? www.sina.com.cn. (33) (ttl 61, id 13401, len 61)
23:43:01.932139 10.168.1.11.32044 > 8.8.4.4.53: [udp sum ok] 28238+% [1au] A? www.sina.com.cn. (44) (ttl 64, id 63444, len 72)
23:43:01.951483 8.8.4.4.53 > 10.168.1.11.32044: 28238 18/0/1 www.sina.com.cn. CNAME jupiter.sina.com.cn., jupiter.sina.com.cn. CNAME ara.sina.com.cn., [|domain] (ttl 46, id 54578, len 368)
23:43:01.952231 10.168.1.11.31698 > 8.8.4.4.53: [udp sum ok] 35898+% [1au] A? jupiter.sina.com.cn. (48) (ttl 64, id 25386, len 76)
23:43:02.091097 10.168.1.11.15044 > 8.8.4.4.53: [udp sum ok] 46337+% [1au] A? jupiter.sina.com.cn. (48) (ttl 64, id 2656, len 76)
23:43:02.112195 8.8.4.4.53 > 10.168.1.11.15044: 46337 17/0/1 jupiter.sina.com.cn. CNAME ara.sina.com.cn., ara.sina.com.cn. A 58.63.236.36, ara.sina.com.cn.[|domain] (ttl 46, id 39434, len 350)
23:43:02.112863 10.168.1.11.10921 > 8.8.4.4.53: [udp sum ok] 39366+% [1au] A? ara.sina.com.cn. (44) (ttl 64, id 12795, len 72)
23:43:02.134126 8.8.4.4.53 > 10.168.1.11.10921: 39366 16/0/1 ara.sina.com.cn. A 58.63.236.42, ara.sina.com.cn. A 58.63.236.43, ara.sina.com.cn.[|domain] (ttl 46, id 38437, len 328)
23:43:02.134731 10.168.1.11.53 > 10.168.9.34.55420: 3200 18/0/0 www.sina.com.cn. CNAME jupiter.sina.com.cn., jupiter.sina.com.cn. CNAME ara.sina.com.cn., [|domain] (ttl 64, id 34931, len 357)

This shows that unbound's recursive resolution is working.
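The tcpdump output above can be checked mechanically instead of by eye. The following Python is an added example (not part of the original post): it pairs each DNS query with its response, reports the client-side round trip, flags any upstream server that is not one of the configured forward-addr entries, and lists queries that never got an answer (the retry for jupiter.sina.com.cn visible above). The sample trace is a copy of the lines above; the resolver address 10.168.1.11 and the forwarder set are taken from them.

```python
import re

# Constructed sample: the tcpdump exchange shown above, copied line for line.
SAMPLE_TRACE = """\
23:43:01.931549 10.168.9.34.55420 > 10.168.1.11.53: [udp sum ok] 3200+ A? www.sina.com.cn. (33) (ttl 61, id 13401, len 61)
23:43:01.932139 10.168.1.11.32044 > 8.8.4.4.53: [udp sum ok] 28238+% [1au] A? www.sina.com.cn. (44) (ttl 64, id 63444, len 72)
23:43:01.951483 8.8.4.4.53 > 10.168.1.11.32044: 28238 18/0/1 www.sina.com.cn. CNAME jupiter.sina.com.cn., jupiter.sina.com.cn. CNAME ara.sina.com.cn., [|domain] (ttl 46, id 54578, len 368)
23:43:01.952231 10.168.1.11.31698 > 8.8.4.4.53: [udp sum ok] 35898+% [1au] A? jupiter.sina.com.cn. (48) (ttl 64, id 25386, len 76)
23:43:02.091097 10.168.1.11.15044 > 8.8.4.4.53: [udp sum ok] 46337+% [1au] A? jupiter.sina.com.cn. (48) (ttl 64, id 2656, len 76)
23:43:02.112195 8.8.4.4.53 > 10.168.1.11.15044: 46337 17/0/1 jupiter.sina.com.cn. CNAME ara.sina.com.cn., ara.sina.com.cn. A 58.63.236.36, ara.sina.com.cn.[|domain] (ttl 46, id 39434, len 350)
23:43:02.112863 10.168.1.11.10921 > 8.8.4.4.53: [udp sum ok] 39366+% [1au] A? ara.sina.com.cn. (44) (ttl 64, id 12795, len 72)
23:43:02.134126 8.8.4.4.53 > 10.168.1.11.10921: 39366 16/0/1 ara.sina.com.cn. A 58.63.236.42, ara.sina.com.cn. A 58.63.236.43, ara.sina.com.cn.[|domain] (ttl 46, id 38437, len 328)
23:43:02.134731 10.168.1.11.53 > 10.168.9.34.55420: 3200 18/0/0 www.sina.com.cn. CNAME jupiter.sina.com.cn., jupiter.sina.com.cn. CNAME ara.sina.com.cn., [|domain] (ttl 64, id 34931, len 357)
"""

# time, src.port > dst.port, optional udp checksum note, DNS id + flags, optional EDNS marker,
# then either "TYPE? name" (query) or "an/ns/ar" section counts (response)
LINE_RE = re.compile(
    r"^(\d+):(\d+):(\d+\.\d+) (\S+?)\.(\d+) > (\S+?)\.(\d+): (?:\[udp sum ok\] )?"
    r"(\d+)([+%*$-]*)(?: \[1au\])? (?:(\S+)\? (\S+)|(\d+)/(\d+)/(\d+))")

def parse(trace):
    """Yield one dict per DNS packet: time in seconds, endpoints, id, qname or answer count."""
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        h, mi, s, src, sport, dst, dport, qid, _flags, _qtype, qname, an, _ns, _ar = m.groups()
        yield {"t": int(h) * 3600 + int(mi) * 60 + float(s), "src": src, "sport": int(sport),
               "dst": dst, "dport": int(dport), "id": int(qid),
               "query": qname is not None, "qname": qname, "ancount": int(an) if an else None}

def summarize(trace, resolver_ip, forwarders):
    """Pair queries with responses; report client RTTs, upstreams outside the forwarder
    set (the resolver should only ever talk to forward-addr hosts), and unanswered queries."""
    pending, report = {}, {"client": [], "unexpected_upstream": [], "unanswered": []}
    for p in parse(trace):
        if p["query"]:
            pending[(p["src"], p["sport"], p["dst"], p["dport"], p["id"])] = p
            if p["src"] == resolver_ip and p["dst"] not in forwarders:
                report["unexpected_upstream"].append(p["dst"])
        else:
            # a response mirrors the query's 4-tuple and carries the same DNS id
            q = pending.pop((p["dst"], p["dport"], p["src"], p["sport"], p["id"]), None)
            if q and q["dst"] == resolver_ip and q["dport"] == 53:
                report["client"].append((q["src"], q["qname"], round(p["t"] - q["t"], 6), p["ancount"]))
    report["unanswered"] = [(q["dst"], q["id"], q["qname"]) for q in pending.values()]
    return report
```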