- Zip - 1.2 ko
Installer et configurer Unbound sur Debian 9
Unbound est un serveur de nom (ou serveur DNS), il permet la correspondance entre un nom de domaine et une adresse IP.
Installer Unbound :
apt update
apt install unboundLa documentation :
https://unbound.net/documentation/unbound.conf.html
Récupérer la liste des serveurs DNS racines :
cd /var/lib/unbound/
wget https://www.internic.net/domain/named.cacheRenommer la liste comme il convient :
mv named.cache root.hintsCréer un fichier de configuration dans le dossier /etc/unbound/unboud.conf.d/ à nommer comme bon nous semble :
vim /etc/unbound/unbound.conf.d/perso.confserver:
verbosity: 1
use-syslog: yes
logfile: "/var/log/unbound.log"
log-time-ascii: yes
# Parametres par defaut pour mémo
interface: 192.168.x.x
interface: ::1
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
# autoriser mon serveur
access-control: 127.0.0.0/8 allow
# autoriser les réseaux locaux
access-control: 192.168.1.0/24 allow
access-control: 192.168.2.0/24 allow
# interdire tout le reste
access-control: 0.0.0.0/0 refuse
# use all CPUs
num-threads: 8
# power of 2 close to num-threads
msg-cache-slabs: 16
rrset-cache-slabs: 16
infra-cache-slabs: 16
key-cache-slabs: 16
# Read the root hints from this file
root-hints: "/var/lib/unbound/root.hints"
harden-referral-path: yes
use-caps-for-id: yes
hide-identity: yes
hide-version: yes
harden-glue: yes
harden-dnssec-stripped: yes
# the time to live (TTL) value lower bound, in seconds. Default 0.
# If more than an hour could easily give trouble due to stale data.
# WARNING : against protocol rule but efficient against stupidly too low TTLs
cache-min-ttl: 3600
# the time to live (TTL) value cap for RRsets and messages in the
# cache. Items are not cached for longer. In seconds.
cache-max-ttl: 86400
prefetch: yes
# If nonzero, unwanted replies are not only reported in statistics, but also
# a running total is kept per thread. If it reaches the threshold, a warning
# is printed and a defensive action is taken, the cache is cleared to flush
# potential poison out of it. A suggested value is 10000000, the default is
# 0 (turned off). We think 10K is a good value.
unwanted-reply-threshold: 10000
# Should additional section of secure message also be kept clean of unsecure
# data. Useful to shield the users of this validator from potential bogus
# data in the additional section. All unsigned data in the additional section
# is removed from secure messages.
val-clean-additional: yes
# Log validation failures
val-log-level: 2
private-address: 192.168.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
# Optimise
# https://unbound.net/documentation/howto_optimise.html
# Faster UDP with multithreading (only on Linux).
so-reuseport: yes
# Taille du cache
rrset-cache-size: 100m
msg-cache-size: 50m
# gestion DNSSEC
harden-below-nxdomain: yes
harden-dnssec-stripped: yesVérifier la configuration :
unbound-checkconfRedémarrer Unbound :
systemctl restart unboundLa machine utilise son propre serveur DNS
vim /etc/resolv.conf
nameserver 192.168.x.xsi DHCP editer plutôt le bon fichier (plutôt que /etc/resolv.conf)
vim /etc/dhcp/dhclient.conf
# au dessus du bloc request
supersede domain-name-servers 192.168.x.x;redémarrer le gestionnaire de réseau
service networking restartTester le serveur DNS Unbound :
time nslookup afnic.fr
# OU
dig afnic.frVider le cache DNS d’une VM Windows
Démarrer -> Exécuter -> tapez cmd
Dans la fenêtre DOS, tapez ipconfig /flushdnsPlus d’infos sur :
https://www.shaftinc.fr/arretez-google-dns.html
https://wiki.debian-fr.xyz/Utiliser_Unbound_avec_DNSSEC
https://carmagnole.ovh/le-resolveur-dns-unbound.htm
https://calomel.org/unbound_dns.html
Documents joints
unbound.conf.zip