

How to use unbound to build DNS on RHEL7

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article shows how to use unbound to build a DNS server on RHEL7. The steps are straightforward and are meant to clear up the usual doubts; follow along with the editor below.

DNS (Domain Name System) is a naming system for computers and network services, organized as a hierarchy of domains. It is used on TCP/IP networks and listens on port 53 over both UDP and TCP (UDP for most queries, TCP for responses too large for UDP and for zone transfers). The service it provides translates host names and domain names into IP addresses, and, through reverse lookups, IP addresses back into names.

DNS installation and configuration:

In RHEL5 and 6, DNS is built with the bind package. RHEL/CentOS 7 still ships bind, but it also packages unbound, a validating, recursive, caching resolver, and that is what this article uses; its configuration file is laid out differently from bind's. Let's take a look:

Installation: yum -y install unbound (configure a yum repository first)

[root@linuxprobe ~]# yum -y install unbound
Loaded plugins: langpacks, product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Resolving Dependencies
--> Running transaction check
---> Package unbound.x86_64 0:1.4.20-19.el7 will be installed
--> Finished Dependency Resolution
...
-- start the service --
[root@linuxprobe ~]# systemctl restart unbound          // start the DNS service
[root@linuxprobe ~]# systemctl enable unbound
ln -s '/usr/lib/systemd/system/unbound.service' '/etc/systemd/system/multi-user.target.wants/unbound.service'          // start the DNS service automatically at the next boot

Modify the configuration file:

After unbound is installed, the default configuration file is / etc/unbound/unbound.conf.

Modify the listening address (equivalent to listen-on port 53 { any; }; in the RHEL6 bind configuration). Port 8953 in the output below is unbound's remote-control port used by unbound-control; it stays on the loopback address and should not be exposed on the network:

-- check the default listening address --
[root@linuxprobe ~]# netstat -tunlp | grep unbound
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      3333/unbound
tcp        0      0 127.0.0.1:8953          0.0.0.0:*               LISTEN      3333/unbound
tcp6       0      0 ::1:53                  :::*                    LISTEN      3333/unbound
tcp6       0      0 ::1:8953                :::*                    LISTEN      3333/unbound
udp        0      0 127.0.0.1:53            0.0.0.0:*                           3333/unbound
udp6       0      0 ::1:53                  :::*                                3333/unbound
// by default unbound listens only on the loopback address, so only this host can use the DNS service; other hosts cannot reach it
-- modify the listening address --
[root@linuxprobe ~]# vim /etc/unbound/unbound.conf
...
 38 # interface: 0.0.0.0
 39 interface: 0.0.0.0
...
// find line 38, copy it, remove the comment marker on the copy, and unbound will listen on every address
-- restart the service and check again --
[root@linuxprobe ~]# systemctl restart unbound
[root@linuxprobe ~]# netstat -tunlp | grep unbound
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      3461/unbound
tcp        0      0 127.0.0.1:8953          0.0.0.0:*               LISTEN      3461/unbound
tcp6       0      0 ::1:8953                :::*                    LISTEN      3461/unbound
udp        0      0 0.0.0.0:53              0.0.0.0:*                           3461/unbound
// port 53 now listens on 0.0.0.0, that is, on all network segments

Modify the scope of allowed queries: the RHEL6 bind configuration has the line allow-query { localhost; };, which defines the range of hosts allowed to query this server (iterative and recursive); localhost means only the server itself may query it. It is commonly changed to any so that every host can query. In RHEL7 the same change is made in unbound, but the directive is different: access-control takes a network prefix and an action (refuse, deny, allow or allow_snoop), and the most specific prefix wins. Be aware that allowing 0.0.0.0/0 on a server that listens on all interfaces turns it into an open resolver, which attackers use for DNS amplification; on anything reachable from the Internet, keep the default 0.0.0.0/0 refuse and allow only your own networks, for example access-control: 192.168.10.0/24 allow. The change made in this walkthrough is as follows:

[root@linuxprobe ~]# vim /etc/unbound/unbound.conf
...
177 # access-control: 0.0.0.0/0 refuse
178 access-control: 0.0.0.0/0 allow
179 # access-control: 127.0.0.0/8 allow
...
Find line 177 of /etc/unbound/unbound.conf, which is commented out by default and shows the refuse default; copy it, change refuse to allow on the copy, save and exit, and restart the service.

Create the resolution data: in RHEL/CentOS 5 and 6, DNS resolution data is split into a forward zone file and a reverse zone file, and template files are provided. In RHEL7 with unbound there is no zone file at all: unbound is a caching recursive resolver rather than an authoritative server, and local names are served from local-zone and local-data directives, with forward and reverse records in the same file and no template, so you create the file yourself. The main configuration file documents the syntax and shows the directory it includes:

[root@linuxprobe ~]# vim /etc/unbound/unbound.conf
...
453 # You can add locally served data with
454 # local-zone: "local." static
455 # local-data: "mycomputer.local. IN A 192.0.2.51"          // forward record, see this line for the syntax
456 # local-data: 'mytext.local TXT "content of text record"'
457 #
458 # You can override certain queries with
459 # local-data: "adserver.example.com A 127.0.0.1"
460 #
461 # You can redirect a domain to a fixed address with
462 # (this makes example.com, www.example.com, etc, all go to 192.0.2.3)
463 # local-zone: "example.com" redirect
464 # local-data: "example.com A 192.0.2.3"
465 #
466 # Shorthand to make PTR records, "IPv4 name" or "IPv6 name".
467 # You can also add PTR records using local-data directly, but then
468 # you need to do the reverse notation yourself.
469 # local-data-ptr: "192.0.2.3 www.example.com"          // reverse record, see this line for the syntax
470
471 include: /etc/unbound/local.d/*.conf
472
473 # service clients over SSL (on the TCP sockets), with plain DNS inside
...
-- check the local FQDN --
[root@linuxprobe ~]# hostname
linuxprobe.example.com
// the domain is example.com, so create a resolution file for example.com
-- create the resolution file --
[root@linuxprobe ~]# vim /etc/unbound/local.d/example.conf
local-zone: "example.com." static
local-data: "example.com. 86400 IN SOA ns.example.com. root 1 1D 1H 1W 1H"
local-data: "ns.example.com. IN A 192.168.10.10"
local-data: "linuxprobe.example.com. IN A 192.168.10.10"
local-data-ptr: "192.168.10.10 ns.example.com."
local-data-ptr: "192.168.10.10 linuxprobe.example.com."
-- the RHEL6 zone file, for comparison --
[root@linuxprobe ~]# vim /var/named/named.localhost
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1
        AAAA    ::1
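As an added example (not from the original article or the unbound project), the script below generates a local.d file like the one above from a "hostname address" list. It writes the PTR records out in in-addr.arpa notation with plain local-data instead of the local-data-ptr shorthand, which is what the comment at line 467 means by doing the reverse notation yourself. The zone example.com., the name server ns.example.com. and the address 192.168.10.10 are the article's; the host list is constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article or the unbound project.
# Generate an unbound local.d fragment from a "hostname address" list: one
# local-zone line, an SOA, and for every host both an A record and a PTR
# record written out in in-addr.arpa notation. Zone example.com., server
# ns.example.com. and 192.168.10.10 come from the article; the host list
# below is constructed for this example.

# reverse_ipv4 192.168.10.10 -> 10.10.168.192.in-addr.arpa.
# Returns 1 if the argument is not four dotted decimal groups (format check only).
reverse_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# gen_local_zone ZONE NS HOSTFILE
# ZONE and NS must be fully qualified (trailing dot). HOSTFILE holds
# "hostname address" pairs; blank lines and lines starting with '#' are
# ignored. Writes the fragment to stdout; returns 1 on the first bad address.
gen_local_zone() {
    zone="$1"; ns="$2"; hostfile="$3"
    printf 'local-zone: "%s" static\n' "$zone"
    printf 'local-data: "%s 86400 IN SOA %s root 1 1D 1H 1W 1H"\n' "$zone" "$ns"
    while read -r host addr; do
        [ -z "$host" ] && continue
        case "$host" in \#*) continue ;; esac
        rev=$(reverse_ipv4 "$addr") || { echo "bad address for $host: $addr" >&2; return 1; }
        printf 'local-data: "%s.%s IN A %s"\n' "$host" "$zone" "$addr"
        printf 'local-data: "%s IN PTR %s.%s"\n' "$rev" "$host" "$zone"
    done < "$hostfile"
}

# Constructed host list for the article's network.
HOSTS=$(mktemp)
trap 'rm -f "$HOSTS"' EXIT
cat > "$HOSTS" <<'EOF'
# host        address
ns            192.168.10.10
linuxprobe    192.168.10.10
EOF

gen_local_zone example.com. ns.example.com. "$HOSTS"
```

Redirect the output to /etc/unbound/local.d/example.conf, run unbound-checkconf, and only then restart unbound; a malformed record in local.d makes the whole service fail to start.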

Service user:

Each service runs under its own dedicated service user, and unbound's is the user unbound: the daemon starts as root to bind port 53 and then drops to that user. The original walkthrough disables this by clearing the username, on the grounds that service users carry security risk. That reasoning is backwards: with no service user, unbound keeps root for its whole lifetime, so any bug in the resolver becomes a root compromise. Leave the default in place; the change is shown here so you can recognise and undo it:

[root@linuxprobe ~]# vim /etc/unbound/unbound.conf
...
211 # if given, user privileges are dropped (after binding port),
212 # and the given username is assumed. Default is user "unbound".
213 # If you give "" no privileges are dropped.
214 # username: "unbound"
215 username: ""
216
217 # the working directory. The relative files in this config ...
...
As above, the walkthrough finds line 214, comments it out and adds username: "" on the line below. The comment on lines 211 to 213 spells out the consequence: an empty username means no privileges are dropped. Keep username: "unbound" unless you have a specific reason not to.
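As an added example (not from the original article or the unbound project), the script below audits an unbound.conf for the three settings changed in the steps above: the listening interface, the access-control list and the username. It flags the combination of a wildcard interface with an allow rule for 0.0.0.0/0 (an open resolver) and an empty username (runs as root). Both sample configurations are constructed inline; 192.168.10.10 and 192.168.10.0/24 are the article's server address and network.

```shell
#!/bin/sh
# Added example, not from the original article or the unbound project.
# Audit an unbound.conf for the three settings the walkthrough changes:
#   1. "interface: 0.0.0.0" together with "access-control: 0.0.0.0/0 allow"
#      makes an open resolver that anyone can use for DNS amplification;
#   2. username: "" keeps the daemon running as root after binding port 53.
# audit_unbound_conf FILE prints one line per finding and returns 1 if there
# were any, 0 if the file is clean. Both sample files are constructed below;
# 192.168.10.10 and 192.168.10.0/24 are the article's server and network.

# Print the interface, access-control and username directives of FILE with
# comments, blank lines and surrounding whitespace stripped, one per line.
unbound_directives() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1" \
        | grep -E '^(interface|access-control|username):' || true
}

audit_unbound_conf() {
    conf="$1"
    findings=0
    directives=$(unbound_directives "$conf")

    # Wildcard listener (IPv4 0.0.0.0 or IPv6 ::) ...
    open_iface=0
    if printf '%s\n' "$directives" | grep -Eq '^interface:[[:space:]]*(0\.0\.0\.0|::0?)$'; then
        open_iface=1
    fi
    # ... combined with an allow (or allow_snoop) rule for the whole address space.
    open_acl=0
    if printf '%s\n' "$directives" \
        | grep -Eq '^access-control:[[:space:]]*(0\.0\.0\.0/0|::0?/0)[[:space:]]+allow'; then
        open_acl=1
    fi
    if [ "$open_iface" -eq 1 ] && [ "$open_acl" -eq 1 ]; then
        echo "$conf: OPEN RESOLVER - listens on all addresses and allows 0.0.0.0/0"
        findings=$((findings + 1))
    fi

    # An empty username means privileges are never dropped.
    if printf '%s\n' "$directives" | grep -Eq '^username:[[:space:]]*""$'; then
        echo "$conf: RUNS AS ROOT - username is empty, restore username: \"unbound\""
        findings=$((findings + 1))
    fi

    if [ "$findings" -eq 0 ]; then
        echo "$conf: OK"
        return 0
    fi
    return 1
}

# Constructed sample 1: what the walkthrough above ends up with.
TUTORIAL_CONF=$(mktemp)
cat > "$TUTORIAL_CONF" <<'EOF'
server:
    # interface: 0.0.0.0
    interface: 0.0.0.0
    # access-control: 0.0.0.0/0 refuse
    access-control: 0.0.0.0/0 allow
    # access-control: 127.0.0.0/8 allow
    # username: "unbound"
    username: ""
EOF

# Constructed sample 2: the same server bound to its LAN address, answering
# only loopback and the LAN (the most specific prefix wins in unbound's
# access-control), and still dropping to the unbound user.
HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
server:
    interface: 192.168.10.10
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.10.0/24 allow
    username: "unbound"
EOF
trap 'rm -f "$TUTORIAL_CONF" "$HARDENED_CONF"' EXIT

audit_unbound_conf "$TUTORIAL_CONF" || echo "(the findings above are expected for the walkthrough's settings)"
audit_unbound_conf "$HARDENED_CONF"
```

Run audit_unbound_conf against /etc/unbound/unbound.conf before unbound-checkconf: checkconf only validates syntax and will happily accept an open resolver running as root.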

Verify:

[root@linuxprobe ~]# unbound-checkconf
unbound-checkconf: no errors in /etc/unbound/unbound.conf
// no configuration problems, so the service can be restarted
[root@linuxprobe ~]# systemctl restart unbound

DNS verification:

-- point the local host at the new DNS server --
[root@linuxprobe ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
HWADDR=00:0C:29:70:...
TYPE=Ethernet
...
IPADDR="192.168.10.10"
PREFIX="24"
DNS1=192.168.10.10
NAME=eth0
ONBOOT=no
[root@linuxprobe ~]# systemctl restart network
-- nslookup verification --
[root@linuxprobe ~]# nslookup linuxprobe.example.com.
...
Address: 192.168.10.10
// OK, the DNS server is set up successfully

PS: the firewall

In this experiment we stopped the iptables and ebtables services and opened the DNS service in firewalld. If the firewall stays up and port 53 is not opened, queries from remote hosts will fail, so the DNS service must be allowed on the DNS server's firewall. Stopping iptables and ebtables only matters if those legacy services are installed alongside firewalld; the firewalld rule is the part that actually opens port 53. Using firewalld as the example:

[root@linuxprobe ~]# systemctl stop iptables
[root@linuxprobe ~]# systemctl stop ebtables
[root@linuxprobe ~]# systemctl disable iptables
[root@linuxprobe ~]# systemctl disable ebtables
[root@linuxprobe ~]# firewall-cmd --add-service=dns --permanent
success
[root@linuxprobe ~]# firewall-cmd --reload
success
[root@linuxprobe ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client dns ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
// the DNS server's firewall now allows DNS access

That covers how to use unbound to build DNS on RHEL7. Thank you for reading.
