This is a topic from a few years back, but after the child pornography law came into force, ISPs started routinely poisoning their own DNS caches,
and since I couldn't keep using a resolver that tramples on freedom like that (not really), I went and set up Unbound at home as well.
* The real reason is simply that the number of users on my home service server has grown, and I vaguely wanted a resolver inside the LAN.
0. Operating environment
OS : Ubuntu 10.04 LTS
HW : HP Proliant MicroServer
1. Install with apt-get
I'm from the yutori generation, so apt-get it is.
apt is easy; nice.
micro# apt-get install unbound
2. Download the root hints file first
Without this it wouldn't know where to send its queries. I think. (It could resolve names without it, though.)
micro# cd /etc/unbound && wget ftp://FTP.INTERNIC.NET/domain/named.cache
3. Edit the conf to match your purpose and environment
In my case the goal was to allow name resolution only from local hosts inside my home,
so I changed the parts below. If you don't use IPv6, the v6 entries can simply be ignored.
micro# diff -u unbound.conf.def unbound.conf
— unbound.conf.def 2012-04-14 16:33:20.268064334 +0900
+++ unbound.conf 2012-04-14 16:47:19.748193075 +0900
@@ -34,7 +34,10 @@
# specify 0.0.0.0 and ::0 to bind to all available interfaces.
# specify every interface[@port] on a new ‘interface:’ labelled line.
# The listen interfaces are not changed on reload, only on restart.
– # interface: 192.0.2.153
+ interface: 127.0.0.1
+ interface: 192.168.0.128
+ interface: ::1
+ interface: 240f:1:33f2:1::cafe
# interface: 192.0.2.154
# interface: 192.0.2.154@5003
# interface: 2001:DB8::5
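Review bot: `interface: 240f:1:33f2:1::cafe` binds the resolver to a globally routable IPv6 address, so the daemon is reachable from the Internet and not only from the LAN; only the access-control lines later in this diff keep it from answering as an open resolver. Keep that interface covered by nothing wider than the home /64 allow line and add a host firewall rule for udp/tcp 53 on it as a second layer; if only LAN clients need the service, binding just the LAN IPv4 address and the loopback addresses removes the exposure entirely.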
@@ -44,7 +47,7 @@
# interface-automatic: no
# port to answer queries from
– # port: 53
+ port: 53
# specify the interfaces to send outgoing queries to authoritative
# server from by ip-address. If none, the default (all) interface
@@ -116,7 +119,7 @@
# the time to live (TTL) value cap for RRsets and messages in the
# cache. Items are not cached for longer. In seconds.
– # cache-max-ttl: 86400
+ cache-max-ttl: 86400
# the time to live (TTL) value for cached roundtrip times and
# EDNS version information for hosts. In seconds.
@@ -137,16 +140,16 @@
# infra-cache-lame-size: 10k
# Enable IPv4, “yes” or “no”.
– # do-ip4: yes
+ do-ip4: yes
# Enable IPv6, “yes” or “no”.
– # do-ip6: yes
+ do-ip6: yes
# Enable UDP, “yes” or “no”.
– # do-udp: yes
+ do-udp: yes
# Enable TCP, “yes” or “no”.
– # do-tcp: yes
+ do-tcp: yes
# Detach from the terminal, run in background, “yes” or “no”.
# do-daemonize: yes
@@ -157,9 +160,11 @@
# Choose deny (drop message), refuse (polite error reply),
# allow (recursive ok), allow_snoop (recursive and nonrecursive ok)
# access-control: 0.0.0.0/0 refuse
– # access-control: 127.0.0.0/8 allow
+ access-control: 127.0.0.0/8 allow
+ access-control: 192.168.0.0/24 allow
# access-control: ::0/0 refuse
– # access-control: ::1 allow
+ access-control: ::1 allow
+ access-control: 240f:1:33f2:1::0/64 allow
# access-control: ::ffff:127.0.0.1 allow
# if given, a chroot(2) is done to the given directory.
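Review bot: `access-control: 0.0.0.0/0 refuse` and `::0/0 refuse` are left commented out, which works only because Unbound's built-in default for addresses matched by no access-control line is refuse; uncommenting both makes that intent explicit and keeps the policy readable. Using `allow` rather than `allow_snoop` for the LAN ranges is the right choice, since allow_snoop also answers non-recursive queries that reveal what is in the cache.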
@@ -214,7 +219,7 @@
# file to read root hints from.
# get one from ftp://FTP.INTERNIC.NET/domain/named.cache
– # root-hints: “”
+ root-hints: “/etc/unbound/named.cache”
# enable to not answer id.server and hostname.bind queries.
# hide-identity: no
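Review bot: the quotes around the root-hints path must be plain ASCII double quotes in the file; the curly quotes shown here (an artifact of how the diff was pasted) would make Unbound fail to parse unbound.conf. named.cache was also fetched over unauthenticated FTP in step 2 with no integrity check; Unbound ships with built-in root hints (which is why resolution worked before the file existed), so a stale or tampered file is worse than none, and the copy should be refreshed from a trusted source periodically.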
@@ -437,27 +442,27 @@
remote-control:
# Enable remote control with unbound-control(8) here.
# set up the keys and certificates with unbound-control-setup.
– # control-enable: no
+ control-enable: yes
# what interfaces are listened to for remote control.
# give 0.0.0.0 and ::0 to listen to all interfaces.
– # control-interface: 127.0.0.1
– # control-interface: ::1
+ control-interface: 127.0.0.1
+ control-interface: ::1
# port number for remote control operations.
– # control-port: 953
+ control-port: 953
# unbound server key file.
– # server-key-file: “/etc/unbound/unbound_server.key”
+ server-key-file: “/etc/unbound/unbound_server.key”
# unbound server certificate file.
– # server-cert-file: “/etc/unbound/unbound_server.pem”
+ server-cert-file: “/etc/unbound/unbound_server.pem”
# unbound-control key file.
– # control-key-file: “/etc/unbound/unbound_control.key”
+ control-key-file: “/etc/unbound/unbound_control.key”
# unbound-control certificate file.
– # control-cert-file: “/etc/unbound/unbound_control.pem”
+ control-cert-file: “/etc/unbound/unbound_control.pem”
# Stub zones.
# Create entries like below, to make all queries for ‘example.com’ and
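Review bot: with `control-enable: yes` Unbound refuses to start unless the four key and certificate files named here exist, so `unbound-control-setup` (step 4) must run before the restart in step 5, as the post's ordering does. Keeping `control-interface` on 127.0.0.1 and ::1 is the right call: anyone who reaches port 953 with the client key can flush the cache or reconfigure the resolver, so also check that the `.key` files are readable only by root and the unbound user.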
micro#
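As an added example (not from the original post), a small Python audit of the settings changed above, checking the three things that matter here: a non-loopback listen address must not be covered by an allow line as wide as 0.0.0.0/0 or ::/0, a globally routable listen address is flagged, and the remote-control interface must stay on loopback. The sample configuration is constructed from the diff; the function names are mine.

```python
import ipaddress
import re
# Constructed sample of the settings from the diff above, as they go in
# /etc/unbound/unbound.conf (straight ASCII quotes around any file paths).
SAMPLE_CONF = """
server:
    interface: 127.0.0.1
    interface: 192.168.0.128
    interface: ::1
    interface: 240f:1:33f2:1::cafe
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.0.0/24 allow
    access-control: ::1 allow
    access-control: 240f:1:33f2:1::0/64 allow
remote-control:
    control-interface: 127.0.0.1
"""
KEYS = ("interface", "access-control", "control-interface")
LINE = re.compile(r"(%s):\s*(\S.*)" % "|".join(KEYS))

def parse_conf(text):
    """Collect the audited keys; '#' comments are stripped first."""
    found = {k: [] for k in KEYS}
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if m:
            found[m.group(1)].append(m.group(2).strip())
    return found

def audit(text):
    """Open-resolver and remote-control findings. Unbound refuses clients that
    match no access-control line, so the risk is an allow that is too wide."""
    conf, findings, allowed = parse_conf(text), [], []
    for entry in conf["access-control"]:
        net, action = entry.split()[:2]
        if action.startswith("allow"):      # allow or allow_snoop
            allowed.append(ipaddress.ip_network(net, strict=False))
    for entry in conf["interface"]:
        addr = ipaddress.ip_address(entry.split("@")[0])   # drop any @port
        if addr.is_loopback:
            continue
        wide = [n for n in allowed if n.version == addr.version and n.prefixlen == 0]
        if wide:
            findings.append("open resolver: %s listens with %s allowed" % (addr, wide[0]))
        elif addr.is_global:
            findings.append("%s is globally routable; only access-control keeps it closed" % addr)
    for entry in conf["control-interface"]:
        addr = ipaddress.ip_address(entry.split("@")[0])
        if not addr.is_loopback:
            findings.append("remote-control on %s; restrict it to loopback" % addr)
    return findings
```

Running audit() over the real file (open("/etc/unbound/unbound.conf").read()) gives the same kind of findings for a live system.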
4. Enable remote control
Generate the private and public keys so that unbound-control can be used.
unbound-control is the equivalent of rndc in BIND.
# unbound-control-setup
setup in directory /etc/unbound
generating unbound_server.key
Generating RSA private key, 1024 bit long modulus
………………..++++++
………………………….++++++
e is 65537 (0x10001)
generating unbound_control.key
Generating RSA private key, 1024 bit long modulus
……….++++++
..++++++
e is 65537 (0x10001)
create unbound_server.pem (self signed certificate)
create unbound_control.pem (signed client certificate)
Signature ok
subject=/CN=unbound-control
Getting CA Private Key
Setup success. Certificates created. Enable in unbound.conf file to use
micro#
5. Restart Unbound
micro# /etc/init.d/unbound restart
* Restarting recursive DNS server unbound [ OK ]
micro#
6. Check that name resolution works
First, check from the local host.
It's better to also check from the other hosts in the LAN.
micro# dig @localhost mykw.jp
; <<>> DiG 9.7.0-P1 <<>> @localhost mykw.jp
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13101
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4
;; QUESTION SECTION:
;mykw.jp. IN A
;; ANSWER SECTION:
mykw.jp. 180 IN A 180.222.80.63
;; AUTHORITY SECTION:
mykw.jp. 180 IN NS ns0.mykw.jp.
mykw.jp. 180 IN NS ns1.mykw.jp.
;; ADDITIONAL SECTION:
ns0.mykw.jp. 180 IN A 49.212.22.200
ns0.mykw.jp. 180 IN AAAA 2001:e41:31d4:16c8::1
ns1.mykw.jp. 180 IN A 183.181.172.61
ns1.mykw.jp. 180 IN AAAA 2001:2e8:603:0:2:1:0:3d
;; Query time: 15 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sat Apr 14 17:00:02 2012
;; MSG SIZE rcvd: 165
micro#
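To do the "check from other hosts in the LAN" part without depending on dig being installed on every client, here is an added Python probe (not from the original post) that sends one A query and reports whether the resolver served it (NOERROR with RA set), refused it (what the access-control refuse default does for addresses outside the allow lines) or dropped it. The server address and query name are arguments; 192.168.0.128 and mykw.jp are taken from the post, the function names are mine.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QID = 0x1234   # a fixed id is acceptable for a one-shot check from a known client

def build_query(name, qtype=1):
    """Minimal DNS query: RD set, one question (type A by default, class IN)."""
    header = struct.pack("!HHHHHH", QID, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_response(data):
    """Return (rcode name, RA flag, answer count) from a reply header."""
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != QID or not flags & 0x8000:
        raise ValueError("not a reply to our query")
    rcode = flags & 0x000F
    return RCODES.get(rcode, "RCODE%d" % rcode), bool(flags & 0x0080), an

def classify(result):
    """Map a parsed reply onto what the access-control setting did."""
    rcode, ra, an = result
    if rcode == "REFUSED":
        return "refused: client address is not in an allow line"
    if rcode == "NOERROR" and ra:
        return "served: %d answer RR(s), recursion available" % an
    return "unexpected: %s (ra=%s)" % (rcode, ra)

def probe(server, name, timeout=3.0):
    """Send one UDP query to server:53 and classify the outcome."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "dropped: deny action or a firewall in the way"
    return classify(parse_response(data))

if __name__ == "__main__":
    import sys   # usage: probe.py 192.168.0.128 mykw.jp
    print(probe(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "mykw.jp"))
```

Run it once from a host inside 192.168.0.0/24 (expect "served") and once from an address outside the allow lines (expect "refused"); a "served" from outside means the resolver is open.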
7. Check that remote control works
If you can get the status, it's a success.
micro# unbound-control status
version: 1.4.1
verbosity: 1
threads: 1
modules: 2 [ validator iterator ]
uptime: 4 seconds
unbound (pid 5050) is running…
micro#
With this, we've escaped the ISP's DNS poisoning.
And everyone lived happily ever after.
References and sites
Japan Unbound Users Group http://unbound.jp/