Akemi

Building a DNS cache server with Unbound

2025/03/28

Before building it, make sure you already understand the concepts of DNS root servers, top-level domain servers, authoritative servers, and so on.

Also understand how a host performs DNS queries and what the query process looks like, the resource record types and their meanings, the structure of domain names, etc. The basics are not repeated here.

DNS cache server:

A caching name server stores DNS query results in a local cache and removes resource records from the cache when their TTL expires. A caching name server is usually set up to perform queries on behalf of clients on the local network. This greatly improves the efficiency of DNS name resolution and reduces DNS traffic on the Internet. As the cache grows, DNS performance improves, because the caching name server answers more and more client queries from its local cache. Several packages can be used to configure a caching name server, including bind, dnsmasq and unbound.

Building the DNS cache server

Configuring cache server 1

# cache server 1
nmcli con add con-name static-eth1 ifname eth1 type ethernet ipv4.addresses 1.1.1.1/24 ipv4.method man
nmcli con add con-name static-eth2 ifname eth2 type ethernet ipv4.addresses 2.2.2.1/24 ipv4.method man

# install unbound
yum -y install unbound

# unbound configuration fields (the first two go under the existing server: section of the file)
vim /etc/unbound/unbound.conf
server:
    interface: 0.0.0.0                 # bind to all interfaces
    access-control: 0.0.0.0/0 allow    # allow everyone to query
forward-zone:
    name: "."
    forward-addr: 114.114.114.114      # forward-addr takes an IP address; forward-host expects a hostname
# every query for the "." zone (that is, all queries) is forwarded to 114.114.114.114

# generate the control keys
unbound-control-setup

# check the configuration file
unbound-checkconf
unbound-checkconf: no errors in /etc/unbound/unbound.conf

# restart and confirm that unbound is listening on port 53
systemctl restart unbound
netstat -tunlp | grep 53
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 14805/unbound
udp 0 0 0.0.0.0:53 0.0.0.0:* 14805/unbound
udp 0 0 0.0.0.0:53 0.0.0.0:* 14805/unbound
udp 0 0 0.0.0.0:53 0.0.0.0:* 14805/unbound
udp 0 0 0.0.0.0:53 0.0.0.0:* 14805/unbound
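The configuration above listens on every interface and allows queries from 0.0.0.0/0, so the box answers anyone who can reach port 53 on it (an open resolver). The script below is an added example, not code from the post or from the Unbound project: it writes a server block restricted to the two client subnets used in the post (1.1.1.0/24 and 2.2.2.0/24) and lints an unbound.conf for the risky settings. It goes a little beyond the post's own file in that it also flags `module-config: "iterator"`, which switches DNSSEC validation off globally. The option names (`access-control ... refuse`, `hide-identity`, `hide-version`) are Unbound's own; the file paths are chosen by the caller.

```shell
#!/bin/sh
# Added example, not part of the original post: write a restricted server
# block for cache server 1 and lint an unbound.conf for open-resolver settings.
# Subnets are the post's client networks; output paths are whatever the caller passes.

# write_restricted_conf OUTFILE: listen only on the internal addresses and
# answer only the two client subnets (default-deny with "refuse").
write_restricted_conf() {
    cat > "$1" <<'EOF'
server:
    interface: 1.1.1.1
    interface: 2.2.2.1
    access-control: 0.0.0.0/0 refuse
    access-control: 1.1.1.0/24 allow
    access-control: 2.2.2.0/24 allow
    hide-identity: yes
    hide-version: yes
forward-zone:
    name: "."
    forward-addr: 114.114.114.114
EOF
}

# write_open_conf OUTFILE: constructed worst case for comparison, the post's
# interface/access-control lines plus the global DNSSEC-off option.
write_open_conf() {
    cat > "$1" <<'EOF'
server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow
    module-config: "iterator"
forward-zone:
    name: "."
    forward-addr: 114.114.114.114
EOF
}

# lint_conf FILE: print one FINDING line per risky setting; exit 0 only when clean.
lint_conf() {
    conf="$1"
    findings=0
    if grep -Eq '^[[:space:]]*interface:[[:space:]]*0\.0\.0\.0([[:space:]]|$)' "$conf"; then
        echo "FINDING: listening on all interfaces (interface: 0.0.0.0)"
        findings=$((findings + 1))
    fi
    if grep -Eq '^[[:space:]]*access-control:[[:space:]]*0\.0\.0\.0/0[[:space:]]+allow' "$conf"; then
        echo "FINDING: open resolver (access-control: 0.0.0.0/0 allow)"
        findings=$((findings + 1))
    fi
    if grep -Eq '^[[:space:]]*module-config:[[:space:]]*"iterator"' "$conf"; then
        echo "FINDING: DNSSEC validation disabled globally (module-config: \"iterator\")"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# On the server itself: lint the live file, then let unbound parse it.
#   lint_conf /etc/unbound/unbound.conf && unbound-checkconf
```

The lint is a plain grep over the file, so it only catches the literal settings shown; `unbound-checkconf` still has to confirm that the file parses. Restricting `interface:` matters even with the access-control lines in place, because a listener on 0.0.0.0 is still reachable through any interface that is added later.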

Resolution test

# dns-client1 network configuration
nmcli con add con-name eth0 ifname eth0 ipv4.addresses 1.1.1.2/24 type ethernet ipv4.method man
nmcli con up eth0
ping 1.1.1.1

# dns-client1: point the resolver at cache server 1
vi /etc/resolv.conf
nameserver 1.1.1.1

# resolution test on cache server 1: the DNS server returns SERVFAIL
dig @127.0.0.1 baidu.com +ttlid
; <<>> DiG 9.16.23-RH <<>> @127.0.0.1 baidu.com +ttlid
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34127
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;baidu.com. IN A

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Mar 27 09:48:00 EDT 2025
;; MSG SIZE rcvd: 38

# resolution test: the records have already been cached
unbound-control dump_cache
START_RRSET_CACHE
;rrset 132 2 0 5 0
baidu.com. 132 IN A 110.242.68.66
baidu.com. 132 IN A 39.156.66.10
END_RRSET_CACHE
START_MSG_CACHE
msg baidu.com. IN A 33152 1 132 0 1 0 0
baidu.com. IN A 0
END_MSG_CACHE
EOF

The reason is that 114.114.114.114 regards 1.1.1.1 as insecure, and so refuses to pass this record on to 1.1.1.2.
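Unbound runs with `module-config: "validator iterator"` by default, and a validator that cannot verify an answer it fetched hands the client SERVFAIL. The standard way to tell such a validation failure apart from an upstream that simply cannot answer is to repeat the query with the CD (checking disabled) bit, which `dig +cd` sets: if the plain query fails and the `+cd` query succeeds, the forwarder has the data and the local validator is rejecting it. The script below is an added example, not part of the post: it parses the status field of dig output and classifies the pair. The two dig outputs embedded in it are constructed samples in dig's header format, not captures from the post's hosts.

```shell
#!/bin/sh
# Added example, not from the original post: tell a DNSSEC validation failure
# apart from an upstream failure by comparing a normal query with the same
# query sent with the CD bit (dig +cd).

# dig_status DIG_OUTPUT -> prints the status from the ";; ->>HEADER<<-" line
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# classify_servfail NORMAL_OUTPUT CD_OUTPUT -> one word describing the situation
classify_servfail() {
    normal=$(dig_status "$1")
    cdstatus=$(dig_status "$2")
    case "$normal/$cdstatus" in
        SERVFAIL/NOERROR)  echo "validation-failure" ;;  # upstream has the data; local validator rejects it
        SERVFAIL/SERVFAIL) echo "upstream-failure" ;;    # the forwarder itself cannot answer
        NOERROR/*)         echo "ok" ;;
        *)                 echo "other:$normal/$cdstatus" ;;
    esac
}

# Constructed sample outputs in dig's header format (not real captures).
NORMAL_OUT=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34127
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
CD_OUT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

# Live use on the cache server (dig required):
#   classify_servfail "$(dig @127.0.0.1 baidu.com A)" "$(dig @127.0.0.1 baidu.com A +cd)"
classify_servfail "$NORMAL_OUT" "$CD_OUT"
```

A `validation-failure` result is consistent with what `unbound-control dump_cache` showed above: the A records were fetched and cached, yet the client got SERVFAIL. On the server, `unbound-host -v baidu.com` gives the same information directly by tagging each answer `(secure)`, `(insecure)` or `(BOGUS ...)`.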

Fix

Disabling DNSSEC also works, but it is not recommended.

# add this parameter under server: to skip DNSSEC validation for the com. zone
domain-insecure: "com."

# or disable DNSSEC entirely (not recommended)
module-config: "iterator"

systemctl restart unbound

# cache server 1 now holds the cached records
unbound-control dump_cache | grep baidu
baidu.com. 544 IN MX 20 mx.baidu.com.
baidu.com. 544 IN MX 10 mx.maillb.baidu.com.
www.baidu.com. 236 IN A 153.3.238.127
www.baidu.com. 236 IN A 153.3.238.28
baidu.com. 2785 IN SOA dns.baidu.com. sa.baidu.com. 2012149411 300 300 2592000 7200
baidu.com. 513 IN A 110.242.68.66
baidu.com. 513 IN A 39.156.66.10
msg baidu.com. IN MX 33152 1 544 3 1 0 0
baidu.com. IN MX 0
msg baidu.com. IN AAAA 33152 1 2785 3 0 1 0
baidu.com. IN SOA 4
msg baidu.com. IN A 33152 1 513 3 1 0 0
baidu.com. IN A 0
msg www.baidu.com. IN A 33152 1 236 3 1 0 0
www.baidu.com. IN A 0

# the DNS client can now resolve addresses
[root@dns-client-1 ~]# host baidu.com
baidu.com has address 39.156.66.10
baidu.com has address 110.242.68.66
baidu.com mail is handled by 10 mx.maillb.baidu.com.
baidu.com mail is handled by 20 mx.baidu.com.

Cascaded cache server test

Configuring cache server 2

# cache server 2
nmcli con add con-name static-eth0 ifname eth0 type ethernet ipv4.addresses 2.2.2.2/24 ipv4.method man
nmcli con add con-name static-eth1 ifname eth1 type ethernet ipv4.addresses 3.3.3.1/24 ipv4.method man
# dns-client-2 is omitted; in short, its address is 3.3.3.2

yum -y install unbound
vim /etc/resolv.conf
# remove the nameserver entries the system came with

# in /etc/unbound/unbound.conf, set the upstream DNS server to 2.2.2.1 and skip the DNSSEC check for .com
# (domain-insecure is a server: option, so it belongs in that section, not under forward-zone:)
server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow
    domain-insecure: "com."
forward-zone:
    name: "."
    forward-addr: 2.2.2.1

unbound-control-setup
unbound-checkconf
systemctl restart unbound

Resolution test

# cache server 1
[root@cacheing-nameserver-1 ~]# host www.baidu.com
www.baidu.com has address 153.3.238.127
www.baidu.com has address 153.3.238.28
www.baidu.com has IPv6 address 2408:873d:22:18cb:0:ff:b037:e6d8
www.baidu.com has IPv6 address 2408:873d:22:1a91:0:ff:b013:cf81
www.baidu.com is an alias for www.a.shifen.com.
[root@cacheing-nameserver-1 ~]# unbound-control dump_cache | grep baidu
www.baidu.com. 290 IN AAAA 2408:873d:22:18cb:0:ff:b037:e6d8
www.baidu.com. 290 IN AAAA 2408:873d:22:1a91:0:ff:b013:cf81
www.baidu.com. 591 IN CNAME www.a.shifen.com.
www.baidu.com. 289 IN A 153.3.238.127
www.baidu.com. 289 IN A 153.3.238.28
a.shifen.com. 591 IN SOA ns1.a.shifen.com. baidu_dns_master.baidu.com. 2503280022 5 5 2592000 3600
msg www.baidu.com. IN AAAA 33152 1 290 3 1 0 0
www.baidu.com. IN AAAA 0
msg www.baidu.com. IN MX 33152 1 591 3 1 1 0
www.baidu.com. IN CNAME 0
msg www.baidu.com. IN A 33152 1 289 3 1 0 0
www.baidu.com. IN A 0

# DNS client 2
[root@dns-clinet-2 ~]# host baidu.com
baidu.com has address 110.242.68.66
baidu.com has address 39.156.66.10
baidu.com mail is handled by 20 mx.baidu.com.
baidu.com mail is handled by 10 mx.maillb.baidu.com.

This shows that DNS client 2 can now reach cache server 1 through cache server 2 and obtain the resolved IP addresses.
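The cascade test above relies on reading `unbound-control dump_cache | grep baidu` by eye, which mixes the RRSET section (the records and their remaining TTLs) with the MSG section (per-query bookkeeping). The script below is an added example, not part of the post, that pulls the rdata and remaining TTL for one name and type out of the RRSET section only, so the cache state on each tier can be compared from a script (on a cascade, the TTL seen on cache server 2 never exceeds what cache server 1 holds). The embedded dump is a constructed sample built from the record lines shown earlier in the post, so the script runs without unbound.

```shell
#!/bin/sh
# Added example, not from the original post: parse `unbound-control dump_cache`
# output for one name and record type, reading only the RRSET section.

# cache_rdata DUMP NAME TYPE -> one rdata value per line
cache_rdata() {
    printf '%s\n' "$1" | awk -v name="$2." -v type="$3" '
        /^START_RRSET_CACHE/ { in_rrset = 1; next }
        /^END_RRSET_CACHE/   { in_rrset = 0 }
        in_rrset && $1 == name && $3 == "IN" && $4 == type {
            # fields 5 onward are the rdata (more than one field for MX/SOA)
            rd = $5; for (i = 6; i <= NF; i++) rd = rd " " $i
            print rd
        }'
}

# cache_ttl DUMP NAME TYPE -> remaining TTL of the first matching rrset line
cache_ttl() {
    printf '%s\n' "$1" | awk -v name="$2." -v type="$3" '
        /^START_RRSET_CACHE/ { in_rrset = 1; next }
        /^END_RRSET_CACHE/   { in_rrset = 0 }
        in_rrset && $1 == name && $3 == "IN" && $4 == type { print $2; exit }'
}

# Constructed sample dump: record lines from the post, wrapped in dump_cache markers.
DUMP='START_RRSET_CACHE
;rrset 132 2 0 5 0
baidu.com. 132 IN A 110.242.68.66
baidu.com. 132 IN A 39.156.66.10
;rrset 544 2 0 5 0
baidu.com. 544 IN MX 20 mx.baidu.com.
baidu.com. 544 IN MX 10 mx.maillb.baidu.com.
END_RRSET_CACHE
START_MSG_CACHE
msg baidu.com. IN A 33152 1 132 0 1 0 0
baidu.com. IN A 0
END_MSG_CACHE
EOF'

# Live use on either cache server:
#   cache_rdata "$(unbound-control dump_cache)" baidu.com A
#   cache_ttl   "$(unbound-control dump_cache)" baidu.com A
cache_rdata "$DUMP" baidu.com A
```

Because the MSG section is skipped, lines such as `msg baidu.com. IN A ...` and `baidu.com. IN A 0` never show up as records, which is the main thing the plain grep in the post gets wrong. Comparing `cache_ttl` on cache server 2 against cache server 1 for the same name is a quick check that server 2 really obtained its answer through server 1 rather than some other path.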