Compiling and installing Unbound with IPv6 and ECS support

Install the build dependencies:

apt update
apt install build-essential libssl-dev libexpat1-dev bison flex libevent-dev

Download the Unbound source:

wget https://nlnetlabs.nl/downloads/unbound/unbound-latest.tar.gz
tar -xzvf unbound-latest.tar.gz
cd unbound-<version>/

Configure the build options (--enable-subnet builds the ECS module, --with-libevent is needed for the large outgoing-range used below):

./configure --prefix=/usr/local/unbound --enable-subnet --with-libevent

Build and install:

make
make install

After installation the binary is at /usr/local/unbound/sbin/unbound (under the --prefix given to configure).

A systemd service is created automatically; if it is missing, create it by hand at

/etc/systemd/system/unbound.service

with this content:

[Unit]
Description=Unbound recursive Domain Name Server
After=syslog.target network.target
Before=nss-lookup.target
Wants=nss-lookup.target
[Service]
Type=simple
ExecStart=/usr/local/unbound/sbin/unbound -d -c /etc/unbound/unbound.conf
Restart=always
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target

The configuration file is /etc/unbound/unbound.conf; I enabled ECS and IPv6 support:

# The server clause sets the main parameters.
server:
  username: "unbound"
  chroot: ""
  logfile: "/data/dnslogs/unbound.log"
  log-queries: no
  log-servfail: yes
  log-time-ascii: yes
  use-syslog: no
  verbosity: 1
  interface: 0.0.0.0@53
  interface: ::0@53
  access-control: 0.0.0.0/0 allow
  access-control: ::/0 allow
  do-not-query-localhost: no
  do-ip4: yes
  do-ip6: yes
  do-udp: yes
  do-tcp: yes
  do-daemonize: no
  num-threads: 4
  msg-cache-slabs: 4
  rrset-cache-slabs: 4
  key-cache-slabs: 4
  infra-cache-slabs: 4
  
  # DNSSEC trust anchor
  auto-trust-anchor-file: "/var/lib/unbound/root.key"

  aggressive-nsec: yes
  hide-trustanchor: yes
  hide-version: yes
  hide-identity: yes
  qname-minimisation: yes
  qname-minimisation-strict: no
  minimal-responses: yes
  rrset-roundrobin: yes
  so-reuseport: yes
  infra-cache-numhosts: 10000
  unwanted-reply-threshold: 10000000
  so-rcvbuf: 4m
  so-sndbuf: 4m
  msg-cache-size: 64m
  key-cache-size: 64m
  neg-cache-size: 64m
  rrset-cache-size: 128m
  outgoing-range: 8192
  num-queries-per-thread: 4096
  outgoing-num-tcp: 1024
  incoming-num-tcp: 2048
  jostle-timeout: 300
  cache-min-ttl: 60
  cache-max-ttl: 3600
  cache-max-negative-ttl: 300
  infra-host-ttl: 3600
  serve-expired-ttl: 86400
  serve-expired-reply-ttl: 5
  serve-expired-client-timeout: 1800
  serve-expired: yes
  prefetch: yes
  prefetch-key: yes
  max-udp-size: 4096
  edns-buffer-size: 4096
  send-client-subnet: 0.0.0.0/0
  send-client-subnet: ::0/0
  max-client-subnet-ipv4: 24
  max-client-subnet-ipv6: 56
  client-subnet-always-forward: yes
  module-config: "subnetcache iterator"
# forward-zone:
#   name: "."
#   forward-addr: 127.0.0.1@8053
#cachedb:
  #backend: "redis"
  #redis-server-path: /dev/shm/redis.sock
  #redis-server-host: 127.0.0.1
  #redis-server-port: 6379
  #redis-timeout: 100
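To check that the send-client-subnet / max-client-subnet-* settings above actually take effect, the following added example (not Unbound's own code and not from the original post) builds a DNS query carrying an EDNS Client Subnet option and decodes the ECS option the resolver returns. The resolver address 127.0.0.1, the query name www.example.com and the prefixes 203.0.113.0/24 and 2001:db8::/56 are assumed test values.

```python
# Added example (not Unbound's code): build a DNS query with an EDNS Client Subnet (ECS,
# RFC 7871) option and decode the ECS option in the reply. 127.0.0.1 and the prefixes are assumed.
import ipaddress, socket, struct

def build_ecs_option(prefix: str) -> bytes:
    """Encode one ECS option: code 8, length, family, source prefix, scope, address."""
    net = ipaddress.ip_network(prefix, strict=False)
    family = 1 if net.version == 4 else 2
    addr = net.network_address.packed[:(net.prefixlen + 7) // 8]  # significant octets only
    data = struct.pack("!HBB", family, net.prefixlen, 0) + addr  # scope is 0 in a query
    return struct.pack("!HH", 8, len(data)) + data

def build_query(name: str, prefix: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Recursive query for name plus an OPT RR (UDP size 4096) holding the ECS option."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, qd=1, ar=1
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    rdata = build_ecs_option(prefix)
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(rdata)) + rdata
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def _skip_name(msg: bytes, off: int) -> int:  # a compression pointer (top bits 11) ends a name
    while msg[off] and (msg[off] & 0xC0) != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def parse_ecs_reply(msg: bytes):
    """(family, source_prefix, scope_prefix, address) from the reply's OPT RR, else None."""
    (_, _, qd, an, ns, ar), off = struct.unpack("!HHHHHH", msg[:12]), 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip qtype and qclass
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rdlen = struct.unpack("!HH", msg[off:off + 2] + msg[off + 8:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        while rtype == 41 and len(rdata) >= 4:  # walk the EDNS options of the OPT RR
            code, olen = struct.unpack("!HH", rdata[:4])
            body, rdata = rdata[4:4 + olen], rdata[4 + olen:]
            if code == 8:
                family, src, scope = struct.unpack("!HBB", body[:4])
                raw = body[4:].ljust(4 if family == 1 else 16, b"\x00")  # pad to full length
                return family, src, scope, str(ipaddress.ip_address(raw))
    return None

if __name__ == "__main__":  # query the local Unbound with a v4 and a v6 client prefix
    for prefix in ("203.0.113.0/24", "2001:db8::/56"):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(3)
            s.sendto(build_query("www.example.com", prefix), ("127.0.0.1", 53))
            print(prefix, "->", parse_ecs_reply(s.recv(4096)))
```

A reply with a non-zero scope shows the upstream authoritative server used the subnet; no ECS option back means the subnetcache module is not handling the query. Run it from a host outside your own ranges as well: with access-control 0.0.0.0/0 allow and ::/0 allow as configured above, anyone who can reach port 53 gets recursion, so narrow those lines to your client ranges unless an open resolver is intended.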

If you configured the DNSSEC trust anchor, the file can be updated with the following commands. Whether I set it or not, though, DNSSEC is never fully supported anyway; I don't care much about that, since few sites support it.

mkdir /var/lib/unbound/

unbound-anchor -a /var/lib/unbound/root.key

Check the configuration with the bundled checker; if it reports no errors, restart the service:

unbound-checkconf /etc/unbound/unbound.conf

systemctl restart unbound.service

Note:

The program listens on port 53; if that conflicts with something else, change it yourself.