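Fixing unbound forward queries that do not take effect
Earlier, while summarizing the RHCE course material, I wrote "RH254 summary (1): setting up an unbound DNS server". Today's post, about forward queries not taking effect on an unbound DNS server, is related to it. A reader contacted me to say that the local-zone and local-data configuration worked, but the forward configuration did not take effect once it was used. This post records the testing and the fix. First, the contents of the unbound.conf configuration file: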
server:
    verbosity: 1
    statistics-interval: 0
    statistics-cumulative: no
    extended-statistics: yes
    num-threads: 4
    interface-automatic: no
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow
    so-reuseport: yes
    ip-transparent: yes
    chroot: ""
    username: "unbound"
    directory: "/etc/unbound"
    #do-not-query-localhost: no
    log-time-ascii: yes
    pidfile: "/var/run/unbound/unbound.pid"
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-below-nxdomain: yes
    harden-referral-path: yes
    unwanted-reply-threshold: 10000000
    prefetch: yes
    prefetch-key: yes
    rrset-roundrobin: yes
    minimal-responses: yes
    #module-config: "ipsecmod validator iterator"
    module-config: "iterator"
    trust-anchor-signaling: yes
    trusted-keys-file: /etc/unbound/keys.d/*.key
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-clean-additional: yes
    val-permissive-mode: no
    val-log-level: 1
    include: /etc/unbound/local.d/*.conf
    ipsecmod-enabled: no
    ipsecmod-hook: "/usr/libexec/ipsec/_unbound-hook"
    domain-insecure: *
python:
remote-control:
    control-enable: no
include: /etc/unbound/conf.d/*.conf
forward-zone:
    name: .
    forward-addr: 8.8.8.8
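The configuration above changes several key points of the default configuration. To serve both IPv4 and IPv6 at the same time, use the following configuration: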
interface: 0.0.0.0
interface: ::0
access-control: 10.0.0.0/8 allow
access-control: 2001:DB8::/64 allow
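The option for whether to use local queries is do-not-query-localhost: no. The default is yes, and changing it to no is recommended, because then anything already in the local cache is no longer queried upstream, which speeds up lookups. Now for the key items related to the forward queries not working: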
#module-config: "ipsecmod validator iterator"
module-config: "iterator"
ipsecmod-enabled: no
domain-insecure: *
control-enable: no
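The module-config line enables only the iterator module; the first two, ipsecmod and the validator module, are not enabled. As for what IPsec is, you can search for it yourself. The ipsecmod-enabled option says whether ipsecmod is enabled. The domain-insecure option says whether insecure (unauthenticated) handling is enabled for a domain; here it is enabled for all domains. My personal understanding is that this is similar to the difference between HTTPS and HTTP: enabling insecure here is like using HTTP, and enabling secure is like using HTTPS. The last item, control-enable, relates to remote control, which involves keys; it is also left disabled here.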
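An added example, not part of the original post: a small Python audit that reads unbound.conf-style text and reports the settings discussed above that trade DNSSEC validation and client restrictions for a working forwarder, so they can be reviewed before the configuration goes into production. The function names and finding labels are assumptions of this example, and SAMPLE is constructed from the post's own settings.

```python
import ipaddress

# Constructed sample built from the settings shown in this post.
SAMPLE = '''server:
    access-control: 0.0.0.0/0 allow
    #module-config: "ipsecmod validator iterator"
    module-config: "iterator"
    domain-insecure: *
remote-control:
    control-enable: no
forward-zone:
    name: .
    forward-addr: 8.8.8.8
'''

def parse(text):
    """Yield (clause, key, value) for each option; '#' comments are dropped."""
    clause = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if value == "":            # bare "server:" or "forward-zone:" opens a clause
            clause = key
        else:
            yield clause, key, value.strip('"')

def audit(text):
    """Return (label, detail) findings for validation and exposure settings."""
    entries = list(parse(text))
    findings = []
    modules = [v for _, k, v in entries if k == "module-config"]
    # Assumption: with no module-config line, unbound's default "validator iterator" applies.
    validating = not modules or "validator" in modules[-1].split()
    if not validating:
        findings.append(("no-validator", f'module-config: "{modules[-1]}"'))
    for clause, key, value in entries:
        if key == "access-control":
            net, action = value.split()[:2]
            if action.startswith("allow") and ipaddress.ip_network(net, strict=False).prefixlen == 0:
                findings.append(("open-resolver", value))   # any client may query
        elif key == "domain-insecure":
            findings.append(("domain-insecure", value))
        elif clause == "forward-zone" and key == "forward-addr" and not validating:
            findings.append(("unvalidated-forward", value))  # upstream answers trusted as-is
    return findings

if __name__ == "__main__":
    for label, detail in audit(SAMPLE):
        print(f"{label}: {detail}")
```

Restricting access-control to the networks the resolver actually serves, as in the 10.0.0.0/8 example earlier in the post, clears the open-resolver finding.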
- Author: shisekong
- Link: https://blog.361way.com/unbound-forward/6288.html
- License: This work is under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License. Kindly fulfill the requirements of the aforementioned License when adapting or creating a derivative of this work.