Preface
- Some notes on building a DNS cache server
- If anything here is not well understood, please help me correct it
I have read very few books; "The Unbearable Lightness of Being" is one of them. I read it for the first time when I was young, and it was the erotic fragments in the book that attracted me. When I read about Sabina, I thought of "The Moon and Sixpence", wondering what on earth that physical attraction is. Later I read the other chapters one after another, and my memory of them is still fresh. The sentence on the title page, "When people think, God laughs" (a Jewish proverb), and the "concept of eternal recurrence" at the beginning suited me especially well later on, probably because I had read too much Schopenhauer. I especially like one sentence in the book, though I don't remember it clearly; it is probably "the fraternity of the world is based on kitsch".
A brief introduction
A DNS caching server stores DNS query results in a local cache and removes the resource records from the cache when their TTL expires.
Setting up a caching name server in the local network keeps the mapping between recently accessed domain names and IP addresses in a local cache. This reduces DNS traffic crossing the Internet and greatly improves the efficiency of DNS name resolution. DNS performance improves as the local cache grows and the caching name server answers more and more client queries from it.
When a user enters a URL in the browser, the browser sends a DNS query to the caching name server. If the mapping between the requested domain name and its IP address already exists in the cache, the caching name server returns it immediately, without sending a request to upstream DNS servers, which speeds up page loading.
There are several packages available for configuring a caching name server, including bind, dnsmasq (mostly used for virtualization) and unbound. Here Unbound is used to install, configure and manage the caching name server.
Environment preparation
Install unbound
[root@servera ]# yum -y install unbound
Last metadata expiration check: 0:53:24 ago on Sun 19 Feb 2023 02:19:20 PM CST.
Installed:
unbound-1.7.3-8.el8.x86_64
View related configuration files
[root@servera ]# rpm -qlc unbound
/etc/sysconfig/unbound
/etc/unbound/conf.d/example.com.conf
/etc/unbound/keys.d/example.com.key
/etc/unbound/local.d/block-example.com.conf
/etc/unbound/unbound.conf
[root@servera ]#
Edit the configuration file /etc/unbound/unbound.conf
View the help document
[root@servera ]# man unbound.conf
Common Configuration Information
Define network listening
In the server clause, define the interfaces to listen on. The following are different listening configurations, listening on IPv4 and IPv6:
interface:172.25.250.10
interface:2001:db8:1001:f0
interface-automatic:no
- By default, Unbound listens only on the localhost interface.
- If it is set to listen on 0.0.0.0 or ::0, all interfaces are listened on, and interface-automatic needs to be set to yes (meaning the server automatically picks the interface for answering each query and replies from the address on which the query arrived). Otherwise set interface-automatic to no.
- If libvirtd is still running locally and Unbound is bound to all interfaces, Unbound will fail to start, because libvirtd runs dnsmasq, and dnsmasq also listens on port 53 on the local interface.
Network listening configuration demo
interface: 0.0.0.0
# interface: ::0
# interface: 192.0.2.153
# interface: 192.0.2.154
# interface: 192.0.2.154@5003
# interface: 2001:DB8::5
#
# for dns over tls and raw dns over port 80
# interface: 0.0.0.0@443
# interface: ::0@443
# interface: 0.0.0.0@80
# interface: ::0@80
# enable this feature to copy the source address of queries to reply.
# Socket options are not supported on all platforms. experimental.
# interface-automatic: yes
#
# NOTE: Enable this option when specifying interface 0.0.0.0 or ::0
# NOTE: Disabled per Fedora policy not to listen to * on default install
# NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled
interface-automatic: yes
Access control list
In the server clause, define the access control list.
Use the access-control option to specify which clients may perform recursive queries. A network or an IP address can be specified, with one of these control types:
- allow: permit access
- refuse: block access and send a DNS REFUSED error to the client
- deny: block access and send no response at all
Example:
# access-control: 0.0.0.0/0 refuse
# access-control: 127.0.0.0/8 allow
# access-control: ::0/0 refuse
# access-control: ::1 allow
# access-control: ::ffff:127.0.0.1 allow
access-control: 172.25.250.0/24 allow
Configure access control so that hosts other than the intended clients cannot use the caching name server recursively.
If any host on the Internet is allowed to query your server recursively, an attacker can use it to perform a DNS amplification distributed denial-of-service attack against third parties. See https://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack/ for details.
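To make the allow / refuse / deny semantics and the open-resolver risk concrete, here is an added example (my own code, not from these notes or from the Unbound project). It reads access-control lines from a constructed unbound.conf fragment, decides what Unbound would do for a given client using most-specific-prefix matching, and flags a configuration that allows recursion from the whole address space. The conf fragment, the client addresses and the behaviour when no entry matches (allow for localhost, refuse for everyone else, as the unbound.conf manual describes the default) are assumptions made for the example.

```python
"""Evaluate Unbound access-control decisions for sample clients.

Added example for these notes; not code from the page or from Unbound.
Models: allow / refuse / deny actions, most specific prefix wins, and the
default of refusing every client except localhost when nothing matches.
"""
import ipaddress

# Constructed unbound.conf fragment (sample input, not a real server's file).
SAMPLE_CONF = """
server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::0/0 refuse
    access-control: ::1 allow
    # intended clients on the lab network
    access-control: 172.25.250.0/24 allow
    # one lab host that should get no answer at all
    access-control: 172.25.250.99 deny
"""

# What each action means for the client, as described in the notes above.
ACTIONS = {
    "allow": "recursive query is answered",
    "refuse": "DNS REFUSED is returned, no recursion",
    "deny": "query is dropped, no response is sent",
}


def parse_acl(conf_text):
    """Return [(ip_network, action), ...] from the access-control lines."""
    acl = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line.startswith("access-control:"):
            continue
        # split on the first colon only: IPv6 prefixes contain colons
        target, action = line.split(":", 1)[1].split()
        acl.append((ipaddress.ip_network(target, strict=False), action))
    return acl


def decide(acl, client):
    """Return (action, matched_prefix_or_None) for one client address."""
    addr = ipaddress.ip_address(client)
    best = None
    for net, action in acl:
        if net.version == addr.version and addr in net:
            # the most specific (longest) matching prefix decides
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    if best is not None:
        return best[1], str(best[0])
    # no entry matched: assumed default is allow for localhost, refuse otherwise
    return ("allow" if addr.is_loopback else "refuse"), None


def is_open_resolver(acl):
    """True if any entry allows recursion from the whole address space."""
    return any(action == "allow" and net.prefixlen == 0 for net, action in acl)


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_CONF)
    print("open resolver:", is_open_resolver(acl))
    for client in ("172.25.250.10", "172.25.250.99", "203.0.113.5", "2001:db8::1"):
        action, prefix = decide(acl, client)
        print(f"{client:16} -> {action:6} via {prefix}: {ACTIONS[action]}")
```

Pointing parse_acl at a real configuration file shows which entries actually govern a given client; is_open_resolver returning True is the condition the amplification warning above is about.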
Forward requests to other caching name servers
If this name server cannot reach the Internet but can reach another DNS server that is connected to the Internet, create a forward-zone clause to specify the domain to forward and the DNS server to forward the queries to.
Set the name value to "." to forward all queries:
forward-zone:
name:"."
forward-addr:172.25.250.254
Queries for an internal domain are sent directly to the authoritative name servers of that domain.
Specify DNS servers for the forward zone:
- Use the forward-host option to pass a hostname.
- Use the forward-addr option to pass an IP address.
# forward-zone:
# name: "example.com"
# forward-addr: 192.0.2.68
# forward-addr: 192.0.2.73@5355 # forward to port 5355.
# forward-first: no
# forward-tls-upstream: no
# forward-zone:
# name: "example.org"
# forward-host: fwd.example.com
domain-insecure
Used to specify a domain name for which DNSSEC validation is not required. In the example below, example.com means that DNSSEC for the example.com domain does not need to be verified: when Unbound receives a DNS response for example.com, it does not DNSSEC-validate that response. If the DNS response for example.com is tampered with or forged, Unbound will not detect it.
domain-insecure: "example.com"
Certificate generation
unbound-control-setup
Generates two RSA private key files, unbound_server.key and unbound_control.key, and two certificate files, unbound_server.pem and unbound_control.pem, in the /etc/unbound directory.
unbound_server.pem is the self-signed server certificate and unbound_control.pem is the client certificate, signed by the server certificate. The command also prints the signature result and the subject of the certificate. Finally, it prompts you to enable the certificates in the unbound.conf configuration file in order to use them.
[root@servera ]# unbound-control-setup
setup in directory /etc/unbound
generating unbound_server.key
Generating RSA private key, 3072 bit long modulus (2 primes)
..............................++++
......................................................++++
e is 65537 (0x010001)
generating unbound_control.key
Generating RSA private key, 3072 bit long modulus (2 primes)
............................................++++
.............................................................++++
e is 65537 (0x010001)
create unbound_server.pem (self signed certificate)
create unbound_control.pem (signed client certificate)
Signature ok
subject=CN = unbound-control
Getting CA Private Key
Setup success. Certificates created. Enable in unbound.conf file to use
[root@servera ]#
Configuration file syntax check
[root@servera ]# unbound-checkconf
unbound-checkconf: no errors in /etc/unbound/unbound.conf
[root@servera ]#
Start the DNS cache server
Open the firewall for the DNS service
[root@servera ]# firewall-cmd --add-service=dns --permanent
success
[root@servera ]# firewall-cmd --reload
success
Enable the service at boot and start it
[root@servera ]# systemctl enable unbound --now
Created symlink /etc/systemd/system/multi-user.target.wants/unbound.service → /usr/lib/systemd/system/unbound.service.
Test
[root@servera ]# dig @servera.lab.example.com workstation.lab.example.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> @servera.lab.example.com workstation.lab.example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24427
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;workstation.lab.example.com. IN A
;; ANSWER SECTION:
workstation.lab.example.com. 600 IN A 172.25.250.9
;; Query time: 2 msec
;; SERVER: 172.25.250.10#53(172.25.250.10)
;; WHEN: Sun Feb 19 19:21:49 CST 2023
;; MSG SIZE rcvd: 72
[root@servera ]#
The HEADER part contains basic information about the query, such as the opcode, status code and ID; the QUESTION part is the question section of the query, including the host name and record type (A record) being queried; the ANSWER part is the query result, containing the queried host name and the corresponding IP address.
Query the NS record of the domain lab.example.com, using the DNS server servera.lab.example.com:
[root@servera ]# dig @servera.lab.example.com NS lab.example.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> @servera.lab.example.com NS lab.example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51183
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;lab.example.com. IN NS
;; ANSWER SECTION:
lab.example.com. 86400 IN NS bastion.lab.example.com.
;; Query time: 2 msec
;; SERVER: 172.25.250.10#53(172.25.250.10)
;; WHEN: Sun Feb 19 19:29:04 CST 2023
;; MSG SIZE rcvd: 66
[root@servera ]#
The query result shows that the NS record of the domain is bastion.lab.example.com. In the query results, the flags field shows qr rd ra, indicating respectively that the message is a response (qr), that recursion was desired (rd) and that recursion is available (ra); the Query time field shows that the query took 2 milliseconds; the SERVER field shows that the DNS server IP address used is 172.25.250.10; the MSG SIZE rcvd field shows that the received DNS response message is 66 bytes.
Status output of the unbound DNS server
[root@servera ]# unbound-control status
version: 1.7.3
verbosity: 1
threads: 4
modules: 3 [ ipsecmod validator iterator ]
uptime: 349 seconds
options: reuseport control(ssl)
unbound (pid 28457) is running...
- version: the current unbound version is 1.7.3
- verbosity: the log verbosity is 1
- threads: 4 threads are used
- modules: 3 modules are loaded, namely ipsecmod, validator and iterator
- uptime: unbound has been running for 349 seconds
- options: the reuseport and control(ssl) options are in use
- the unbound process has PID 28457 and is running
Cache output from unbound DNS server
[root@servera ]# unbound-control dump_cache
START_RRSET_CACHE
;rrset 504 1 0 3 3
bastion.lab.example.com. 504 IN A 172.25.250.254
;rrset 86304 1 0 8 3
lab.example.com. 86304 IN NS bastion.lab.example.com.
END_RRSET_CACHE
START_MSG_CACHE
msg lab.example.com. IN NS 33152 1 504 3 1 0 1
lab.example.com. IN NS 0
bastion.lab.example.com. IN A 0
END_MSG_CACHE
EOF
[root@servera ]# unbound-control dump_cache > dns_dump
[root@servera ]#
The part between START_RRSET_CACHE and END_RRSET_CACHE is the RRset records stored in the unbound cache, including the A record of bastion.lab.example.com and the NS record of lab.example.com. Each RRset record also carries the RRSIG records (if any) used to verify the authenticity of the RRset; none are present in this dump.
The part between START_MSG_CACHE and END_MSG_CACHE is the DNS message records stored in the unbound cache, including the message record for the query of the NS record of lab.example.com.
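As an added example (my own code, not from these notes or from Unbound), here is a small parser for the dump_cache text above. It also decodes the flags word of a cached message into the same qr rd ra names that were read off dig's flags line earlier, and reports which cached sets expire soon or carry no RRSIG. The sample dump is constructed from the output shown above; the meaning of the numeric fields on the ;rrset and msg header lines (remaining TTL, RR count, RRSIG count, trust, security status; and flags, qdcount, TTL, security, section counts) is my reading of Unbound's dump format and is an assumption to check against your version's output.

```python
"""Parse the text written by `unbound-control dump_cache`.

Added example for these notes; not code from the page or from Unbound.
Assumed header line layouts (check against your Unbound version):
  ;rrset <ttl_left> <rr_count> <rrsig_count> <trust> <security>
  msg <qname> <qclass> <qtype> <flags> <qdcount> <ttl_left> <security> <an> <ns> <ar>
"""
import sys
from dataclasses import dataclass, field

# Constructed sample: the dump shown in the notes, reproduced as test input.
SAMPLE_DUMP = """\
START_RRSET_CACHE
;rrset 504 1 0 3 3
bastion.lab.example.com. 504 IN A 172.25.250.254
;rrset 86304 1 0 8 3
lab.example.com. 86304 IN NS bastion.lab.example.com.
END_RRSET_CACHE
START_MSG_CACHE
msg lab.example.com. IN NS 33152 1 504 3 1 0 1
lab.example.com. IN NS 0
bastion.lab.example.com. IN A 0
END_MSG_CACHE
EOF
"""

# DNS header flag bits (RFC 1035 / RFC 4035), used to decode the msg flags word.
FLAG_BITS = (("qr", 0x8000), ("aa", 0x0400), ("tc", 0x0200), ("rd", 0x0100),
             ("ra", 0x0080), ("ad", 0x0020), ("cd", 0x0010))

# Security status codes as I read them (assumption). "secure" is a higher code
# whose exact number differs between Unbound versions, so it is not hard-coded.
SEC_STATUS = {0: "unchecked", 1: "indeterminate", 2: "bogus", 3: "insecure"}


@dataclass
class RRset:
    ttl: int           # seconds left until the set expires from the cache
    count: int         # number of RRs in the set
    rrsig_count: int   # 0 means no RRSIG records are cached for this set
    trust: int
    security: int
    records: list = field(default_factory=list)  # (owner, ttl, class, type, rdata)


@dataclass
class Msg:
    qname: str
    qtype: str
    flags: int
    ttl: int
    security: int
    referenced: list = field(default_factory=list)  # rrsets this answer points at


def decode_flags(flags):
    return [name for name, bit in FLAG_BITS if flags & bit]


def security_name(code):
    return SEC_STATUS.get(code, "secure-or-above(code %d)" % code)


def parse_dump(text):
    """Return (rrsets, msgs) parsed from dump_cache output."""
    rrsets, msgs, section, current = [], [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "EOF":
            continue
        if line.startswith("START_"):
            section, current = line, None
            continue
        if line.startswith("END_"):
            section, current = None, None
            continue
        if section == "START_RRSET_CACHE":
            if line.startswith(";rrset"):
                parts = line.split()
                if parts[1] == "nsec_apex":   # optional marker word (assumption)
                    del parts[1]
                ttl, count, rrsig, trust, sec = (int(p) for p in parts[1:6])
                current = RRset(ttl, count, rrsig, trust, sec)
                rrsets.append(current)
            elif current is not None:
                owner, ttl, klass, rtype, rdata = line.split(None, 4)
                current.records.append((owner, int(ttl), klass, rtype, rdata))
        elif section == "START_MSG_CACHE":
            if line.startswith("msg "):
                p = line.split()
                current = Msg(p[1], p[3], int(p[4]), int(p[6]), int(p[7]))
                msgs.append(current)
            elif current is not None:
                current.referenced.append(line)
    return rrsets, msgs


def expiring_within(rrsets, seconds):
    """Owner names of cached sets that expire within `seconds`."""
    return [rs.records[0][0] for rs in rrsets if rs.ttl <= seconds and rs.records]


def unsigned_rrsets(rrsets):
    """Cached sets that carry no RRSIG records."""
    return [rs for rs in rrsets if rs.rrsig_count == 0]


if __name__ == "__main__":
    # optional: pass a file saved with `unbound-control dump_cache > dns_dump`
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    rrsets, msgs = parse_dump(text)
    for m in msgs:
        print(m.qname, m.qtype, decode_flags(m.flags), security_name(m.security))
    print("expiring within 10 min:", expiring_within(rrsets, 600))
    print("sets without RRSIG:", len(unsigned_rrsets(rrsets)))
```

Running it on the dns_dump file saved above gives the same view as reading the dump by hand: the cached NS answer has flags qr rd ra, its security status is insecure (the lab zone is not signed), and every cached set has an RRSIG count of 0.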
[root@servera ]# dig @servera.lab.example.com servera.lab.example.com
[root@servera ]# dig @servera.lab.example.com serverb.lab.example.com
[root@servera ]# dig @servera.lab.example.com serverc.lab.example.com
[root@servera ]#
View cache information
[root@servera ]# unbound-control dump_cache
START_RRSET_CACHE
;rrset 502 1 0 8 3
serverb.lab.example.com. 502 IN A 172.25.250.11
;rrset 280 1 0 3 3
bastion.lab.example.com. 280 IN A 172.25.250.254
;rrset 490 1 0 8 3
servera.lab.example.com. 490 IN A 172.25.250.10
;rrset 86080 1 0 8 3
lab.example.com. 86080 IN NS bastion.lab.example.com.
;rrset 511 1 0 8 3
serverc.lab.example.com. 511 IN A 172.25.250.12
END_RRSET_CACHE
START_MSG_CACHE
msg serverb.lab.example.com. IN A 33152 1 502 3 1 1 1
serverb.lab.example.com. IN A 0
lab.example.com. IN NS 0
bastion.lab.example.com. IN A 0
msg lab.example.com. IN NS 33152 1 280 3 1 0 1
lab.example.com. IN NS 0
bastion.lab.example.com. IN A 0
msg servera.lab.example.com. IN A 33152 1 490 3 1 1 1
servera.lab.example.com. IN A 0
lab.example.com. IN NS 0
bastion.lab.example.com. IN A 0
msg serverc.lab.example.com. IN A 33152 1 511 3 1 1 1
serverc.lab.example.com. IN A 0
lab.example.com. IN NS 0
bastion.lab.example.com. IN A 0
END_MSG_CACHE
EOF
Clear the cache
[root@servera ]# unbound-control flush_zone lab.example.com.
ok removed 5 rrsets, 4 messages and 0 key entries
[root@servera ]# unbound-control dump_cache
START_RRSET_CACHE
END_RRSET_CACHE
START_MSG_CACHE
END_MSG_CACHE
EOF
[root@servera ]#
Cache export and import
[root@servera ]# unbound-control load_cache < dns_dump
ok
[root@servera ]# unbound-control dump_cache
START_RRSET_CACHE
;rrset 457 1 0 3 3
bastion.lab.example.com. 457 IN A 172.25.250.254
;rrset 86257 1 0 8 3
lab.example.com. 86257 IN NS bastion.lab.example.com.
END_RRSET_CACHE
START_MSG_CACHE
msg lab.example.com. IN NS 33152 1 457 3 1 0 1
lab.example.com. IN NS 0
bastion.lab.example.com. IN A 0
END_MSG_CACHE
EOF
[root@servera ]#
Part of the content of this post references <RH358 Lecture Notes>.
The copyright of the referenced content belongs to the original author; if there is any infringement, please let me know.
© 2018-2023 [email protected], All rights reserved. Attribution-Non-Commercial-Share Alike (CC BY-NC-SA 4.0)