Installing Unbound on CentOS 6.x


Install Unbound, a caching DNS server, on CentOS 6.x.

https://www.unbound.net/index.html
http://www.slideshare.net/hdais/nsd-unboundintro

Creating the RPM

This is done here on a host other than the server on which Unbound will be installed.

Installing the build dependencies

[root@dev-host-1 src]# yum install rpm-build openssl-devel expat-devel libevent-devel epel-release ldns-devel

Building the RPM

Prepare the source tarball and the SPEC file.
Note: if an older version is acceptable, Unbound can also be installed from EPEL.

Download the latest source tarball from the following page.
Note: the version used here is 1.5.4, so adjust the commands if yours differs.
https://www.unbound.net/download.html

[root@dev-host-1 ~]# cd /usr/local/src/
[root@dev-host-1 src]# wget https://www.unbound.net/downloads/unbound-1.5.4.tar.gz
[root@dev-host-1 src]# mkdir -p /root/rpmbuild/SOURCES/
[root@dev-host-1 src]# cp unbound-1.5.4.tar.gz /root/rpmbuild/SOURCES/
[root@dev-host-1 src]# tar xzf unbound-1.5.4.tar.gz
[root@dev-host-1 src]# chown -R root. /usr/local/src/unbound-1.5.4
[root@dev-host-1 src]# sed -i -E 's/^Version:.*/Version: 1.5.4/' unbound-1.5.4/contrib/unbound.spec
[root@dev-host-1 src]# sed -i -E 's/^%configure (.*)/& --with-libevent/' unbound-1.5.4/contrib/unbound.spec

Build the RPM.

[root@dev-host-1 src]# rpmbuild -ba /usr/local/src/unbound-1.5.4/contrib/unbound.spec
書き込み完了: /root/rpmbuild/SRPMS/unbound-1.5.4-1.el6.src.rpm
書き込み完了: /root/rpmbuild/RPMS/x86_64/unbound-1.5.4-1.el6.x86_64.rpm
書き込み完了: /root/rpmbuild/RPMS/x86_64/unbound-debuginfo-1.5.4-1.el6.x86_64.rpm

Installation

Install on the host that will be the Unbound server.

Installing the runtime dependencies

[root@dev-host-2 src]# yum install libevent epel-release ldns

Installing Unbound

[root@dev-host-2 src]# rpm -ivh unbound-1.5.4-1.el6.x86_64.rpm
[root@dev-host-2 src]# unbound -h
usage:  unbound [options]
  start unbound daemon DNS resolver.
-h  this help
-c file config file to read instead of /var/unbound/unbound.conf
  file format is described in unbound.conf(5).
-d  do not fork into the background.
-v  verbose (more times to increase verbosity)
Version 1.5.4
linked libs: libevent 1.4.13-stable (it uses epoll), OpenSSL 1.0.1e-fips 11 Feb 2013
linked modules: dns64 validator iterator
BSD licensed, see LICENSE in source package for details.
Report bugs to [email protected]

Note: if an older version is acceptable, it can also be installed from EPEL.

# yum info unbound | grep " :"
Repository 'treasure-data' is missing name in configuration, using id
Name        : unbound
Arch        : x86_64
Version     : 1.5.1
Release     : 1.el6
Size        : 1.2 M
Repo        : epel
Summary     : Validating, recursive, and caching DNS(SEC) resolver
URL         : http://www.nlnetlabs.nl/unbound/
License     : BSD
Description : Unbound is a validating, recursive, and caching DNS(SEC) resolver.
            :
            : The C implementation of Unbound is developed and maintained by
            : NLnet Labs. It is based on ideas and algorithms taken from a java
            : prototype developed by Verisign labs, Nominet, Kirei and ep.net.
            :
            : Unbound is designed as a set of modular components, so that also
            : DNSSEC (secure DNS) validation and stub-resolvers (that do not run
            : as a server, but are linked into an application) are easily
            : possible.

Configuring Unbound

Access control

Configure these according to your environment.

/var/unbound/unbound.conf
-   # interface: 192.0.2.153
+   interface: 0.0.0.0

-   # access-control: 127.0.0.0/8 allow
+   access-control: 127.0.0.1 allow
+   access-control: 192.168.0.0/16 allow

Remote control

Generate the TLS key files.

[root@dev-host-2 src]# sudo -u unbound unbound-control-setup
setup in directory /var/unbound
generating unbound_server.key
Generating RSA private key, 3072 bit long modulus
.............................................................++
.....................................++
e is 65537 (0x10001)
generating unbound_control.key
Generating RSA private key, 3072 bit long modulus
........................++
........................++
e is 65537 (0x10001)
create unbound_server.pem (self signed certificate)
create unbound_control.pem (signed client certificate)
Signature ok
subject=/CN=unbound-control
Getting CA Private Key
Setup success. Certificates created. Enable in unbound.conf file to use

/var/unbound/unbound.conf
-   # control-enable: no
+   control-enable: yes

Randomness Calculation

/var/unbound/unbound.conf
-   use-caps-for-id: no
+   use-caps-for-id: yes

Log file

[root@dev-host-2 ~]# sudo -u unbound mkdir /var/unbound/log

/var/unbound/unbound.conf
-   # logfile: ""
+   logfile: "/var/unbound/log/unbound.log"

-   # use-syslog: yes
+   use-syslog: no

Checking the configuration file

[root@dev-host-2 unbound]# unbound-checkconf
unbound-checkconf: no errors in /var/unbound/unbound.conf
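unbound-checkconf only validates syntax; it says nothing about who can reach the resolver. The following script is an added example (not from this page or the Unbound project) that reads the key: value settings enabled above and flags the points a reviewer would raise: a wildcard listener, allow rules outside loopback and RFC 1918 space (assumed here to be the intended client ranges), remote control without an explicit control-interface, and use-caps-for-id left off.

```python
import ipaddress

# Constructed sample reproducing the settings this page enables in /var/unbound/unbound.conf.
SAMPLE_CONF = """\
server:
    interface: 0.0.0.0
    access-control: 127.0.0.1 allow
    access-control: 192.168.0.0/16 allow
    use-caps-for-id: yes
    logfile: "/var/unbound/log/unbound.log"
remote-control:
    control-enable: yes
"""

# Assumption: an internal caching resolver should only answer loopback and RFC 1918 clients.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_conf(text):
    """Collect key: value lines into {key: [values]}; comments and clause headers are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.endswith(":"):          # blank, or a clause such as "server:"
            continue
        key, _, value = line.partition(":")
        settings.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return settings

def check_exposure(settings):
    """Return findings about who can reach the listener and who it will answer."""
    findings = []
    ifaces = settings.get("interface", ["127.0.0.1"])   # Unbound listens on loopback by default
    wildcard = any(i in ("0.0.0.0", "::", "::0") for i in ifaces)
    external = []
    for rule in settings.get("access-control", []):
        net, action = rule.split()                       # e.g. "192.168.0.0/16 allow"
        n = ipaddress.ip_network(net, strict=False)
        if action.startswith("allow") and not any(n.version == t.version and n.subnet_of(t) for t in INTERNAL):
            external.append(net)
    if wildcard and external:
        findings.append("open resolver: listens on all addresses and allows " + ", ".join(external))
    elif wildcard:
        findings.append("listens on all addresses; unmatched sources are refused, but port 53 still needs a firewall on public interfaces")
    if settings.get("control-enable", ["no"])[0] == "yes" and "control-interface" not in settings:
        findings.append("remote control enabled without control-interface (defaults to localhost; confirm)")
    if settings.get("use-caps-for-id", ["no"])[0] != "yes":
        findings.append("use-caps-for-id is off: 0x20 query-name case randomization disabled")
    return findings

if __name__ == "__main__":
    for finding in check_exposure(parse_conf(SAMPLE_CONF)):
        print("WARN", finding)
```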

Starting Unbound

Start

[root@dev-host-2 src]# service unbound start
unbound を起動中: [1440582030] unbound[3201:0] warning: IPv6 protocol not available
                                                           [  OK  ]
[root@dev-host-2 src]# service unbound status
unbound (pid  3204) を実行中...
[root@dev-host-2 src]# netstat -nltp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 127.0.0.1:53                0.0.0.0:*                   LISTEN      3204/unbound
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1678/sshd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      1827/master

Enabling start at boot

[root@dev-host-2 src]# chkconfig unbound --list
unbound         0:off   1:off   2:off   3:off   4:off   5:off   6:off
[root@dev-host-2 src]# chkconfig unbound on
[root@dev-host-2 src]# chkconfig unbound --list
unbound         0:off   1:off   2:on    3:on    4:on    5:on    6:off

Reloading the configuration file

Use this when you want to reload after changing the configuration.

[root@dev-host-2 unbound]# service unbound reload

Verifying that connections are not dropped during reload

Sending requests at 6500 qps while reloading every second caused no problems.

Server side

[root@unbound-server ~]# for i in $(seq 1 100) ; do service unbound reload; sleep 1; done

Client side

$ cat /tmp/a.txt
test.example.com a
$ /usr/local/Cellar/dnsperf/2.0.0.0-1/bin/dnsperf -s 10.0.5.51 -l 100 -d /tmp/a.txt
DNS Performance Testing Tool
Nominum Version 2.0.0.0

[Status] Command line: dnsperf -s 10.0.5.51 -l 100 -d /tmp/a.txt
[Status] Sending queries (to 10.0.5.51)
[Status] Started at: Wed Sep  9 17:59:06 2015
[Status] Stopping after 100.000000 seconds
[Status] Testing complete (time limit)

Statistics:

  Queries sent:         658702
  Queries completed:    658702 (100.00%)
  Queries lost:         0 (0.00%)

  Response codes:       NOERROR 658702 (100.00%)
  Average packet size:  request 34, response 66
  Run time (s):         100.003844
  Queries per second:   6586.766805

  Average Latency (s):  0.015158 (min 0.000260, max 1.999668)
  Latency StdDev (s):   0.115561
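To make the reload test above repeatable, here is an added script (not part of the original post) that parses the Statistics block dnsperf prints and fails the run on lost queries, on any non-NOERROR answer, or on a latency spike. The sample text is constructed from the numbers shown above, and the 2-second latency ceiling is an assumption.

```python
import re

# Constructed sample: dnsperf's Statistics block in the format shown on this page.
SAMPLE_STATS = """\
Statistics:

  Queries sent:         658702
  Queries completed:    658702 (100.00%)
  Queries lost:         0 (0.00%)

  Response codes:       NOERROR 658702 (100.00%)
  Average packet size:  request 34, response 66
  Run time (s):         100.003844
  Queries per second:   6586.766805

  Average Latency (s):  0.015158 (min 0.000260, max 1.999668)
  Latency StdDev (s):   0.115561
"""

COUNTERS = ("Queries sent", "Queries completed", "Queries lost", "Queries per second")

def parse_dnsperf(text):
    """Extract the counters a reload test is judged on from dnsperf's Statistics block."""
    fields = {}
    for m in re.finditer(r"^\s*(" + "|".join(COUNTERS) + r"):\s*([\d.]+)", text, re.M):
        fields[m.group(1)] = float(m.group(2))
    missing = [c for c in COUNTERS if c not in fields]
    if missing:
        raise ValueError("incomplete dnsperf output, missing: " + ", ".join(missing))
    lat = re.search(r"Average Latency \(s\):\s*[\d.]+ \(min [\d.]+, max ([\d.]+)\)", text)
    rc = re.search(r"Response codes:\s*(.*)", text)   # e.g. "NOERROR 80 (90.91%), SERVFAIL 8 (9.09%)"
    rcodes = {n: int(c) for n, c in re.findall(r"([A-Z]+) (\d+) \(", rc.group(1))} if rc else {}
    return {"sent": int(fields["Queries sent"]), "completed": int(fields["Queries completed"]),
            "lost": int(fields["Queries lost"]), "qps": fields["Queries per second"],
            "max_latency": float(lat.group(1)) if lat else None, "rcodes": rcodes}

def reload_test_problems(stats, max_latency=2.0):
    """Empty list means the resolver kept answering through the reload loop; any lost query,
    any non-NOERROR answer, or a max latency above max_latency (assumed ceiling) is a problem."""
    problems = []
    if stats["lost"] > 0:
        problems.append(f"lost {stats['lost']} of {stats['sent']} queries")
    bad = {k: v for k, v in stats["rcodes"].items() if k != "NOERROR"}
    if bad:
        problems.append(f"non-NOERROR answers: {bad}")
    if stats["max_latency"] is not None and stats["max_latency"] > max_latency:
        problems.append(f"max latency {stats['max_latency']}s exceeds {max_latency}s")
    return problems
```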