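Hello.
In my network, I have two DNS caches/resolvers:
- Dnsmasq on the router.
- Unbound on another server.
Dnsmasq works perfectly. It serves local DNS from DHCP and the hosts file.
Unbound is set up to forward all requests for the local domains and address space to Dnsmasq. This worked well until about two weeks ago.
Everything else should follow the usual DNS resolution. In addition, global resolution has DNSSEC validation and dns64 (this part works well).
When I query Unbound from within my network, I may get slow answers or wrong answers: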
dig @unbound -x 2a06:...:5367
hanging...
dig +short @unbound blackblock4.22decembre.eu any
10.0.0.2
64:ff9b::a00:2
(We can see that Unbound does get the information from Dnsmasq. Then it adds dns64, which is wrong.)
Whereas dnsmasq answers perfectly:
dig @mirror +short -x 2a06:...:5367
jabberwocky.22decembre.eu
dig +short @mirror blackblock4.22decembre.eu any
10.0.0.2
Here is the Unbound conf:
server:
    # verbosity number, 0 is least verbose. 1 is default.
    verbosity: 1
    # number of threads to create. 1 disables threading.
    num-threads: 4
    outgoing-range: 206
    outgoing-interface: 2a06:...::2
    outgoing-interface: fd00:2016:22:dec::3
    outgoing-interface: 10.0.0.2
    unwanted-reply-threshold: 1000000
    interface: ::1
    interface: fd00:2016:22:dec::3
    interface: 10.0.0.3
    interface: 127.0.0.1
    # upstream connections use TCP only (and no UDP), "yes" or "no"
    # useful for tunneling scenarios, default no.
    # tcp-upstream: no
    harden-below-nxdomain: yes
    harden-dnssec-stripped: yes
    harden-algo-downgrade: yes
    harden-glue: yes
    private-address: fd00:2016:22::/48
    private-address: 10.0.0.0/8
    # Uncomment to enable qname minimisation.
    # https://tools.ietf.org/html/draft-ietf-dnsop-qname-minimisation-08
    #
    qname-minimisation: yes
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/8 allow
    access-control: ::0/0 refuse
    access-control: ::1/128 allow
    access-control: fd00:...:22::/48 allow
    statistics-interval: 0
    statistics-cumulative: no
    extended-statistics: yes
    module-config: "dns64 validator iterator"
    dns64-prefix: 64:FF9B::/96
    trust-anchor-file: "/var/unbound/db/root.key"
    chroot: "/var/unbound"
    use-caps-for-id: yes
    cache-min-ttl: 3600
    cache-max-ttl: 86400
    prefetch-key: yes
    prefetch: yes
    root-hints: "named.cache"
    unblock-lan-zones: yes
    insecure-lan-zones: yes
    local-zone: "22decembre.eu." nodefault
    local-zone: "22december.dk." transparent
    local-zone: "10.in-addr.arpa." transparent
    local-zone: "d.f.ip6.arpa." transparent
    local-zone: "2.2.0.0.6.1.0.2.0.0.d.f.ip6.arpa." transparent
    private-domain: "22decembre.eu."
    private-domain: "22december.dk."
    domain-insecure: "22decembre.eu."
    domain-insecure: "22december.dk."
    domain-insecure: "10.in-addr.arpa."
    domain-insecure: "2.2.0.0.6.1.0.2.0.0.d.f.ip6.arpa."
forward-zone:
    name: "10.in-addr.arpa."
    forward-addr: fd00:2016:22:dec::1
stub-zone:
    name: "22decembre.eu."
    stub-addr: fd00:2016:22:dec::1
    stub-first: yes
stub-zone:
    name: "22december.dk."
    stub-addr: fd00:2016:22:dec::1
    stub-first: yes
forward-zone:
    name: "d.f.ip6.arpa."
    forward-addr: fd00:2016:22:dec::1
forward-zone:
    name: "2.2.0.0.6.1.0.2.0.0.d.f.ip6.arpa."
    forward-addr: fd00:2016:22:dec::1
stub-zone:
    name: "....6.0.a.2.ip6.arpa."
    stub-addr: fd00:2016:22:dec::1
Unbound is version 1.6.1, the stable one on OpenBSD. Linked libs: pluggable-libevent 1.4.15-stable (it uses kqueue), LibreSSL 2.5.2. Linked modules: dns64 validator iterator.
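
Added example, not part of the original post: a small Python check that decodes AAAA answers under the dns64-prefix from the config above and flags those synthesized from a private IPv4 address, which is the symptom shown in the dig output. The function names and the 'kind' labels are hypothetical, and the sample input is the pair of answers quoted in the post.

```python
import ipaddress

# Well-known DNS64 prefix, matching dns64-prefix in the config above.
DNS64_PREFIX = ipaddress.ip_network("64:ff9b::/96")


def embedded_ipv4(addr, prefix=DNS64_PREFIX):
    """Return the IPv4 address embedded in a DNS64 AAAA answer, or None."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return None  # hostname or other non-address line in dig output
    if ip.version != 6 or ip not in prefix:
        return None
    # With a /96 prefix the IPv4 address is the low 32 bits (RFC 6052).
    return ipaddress.IPv4Address(int(ip) & 0xFFFFFFFF)


def audit_answers(lines, prefix=DNS64_PREFIX):
    """Classify each line of `dig +short` output.

    Returns (line, kind, embedded) tuples where kind is one of
    'name', 'native', 'synthesized' or 'synthesized-private'.
    """
    results = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        v4 = embedded_ipv4(line, prefix)
        if v4 is not None:
            kind = "synthesized-private" if v4.is_private else "synthesized"
            results.append((line, kind, str(v4)))
            continue
        try:
            ipaddress.ip_address(line)
            results.append((line, "native", None))
        except ValueError:
            results.append((line, "name", None))
    return results


if __name__ == "__main__":
    # Answers quoted in the post for blackblock4.22decembre.eu via Unbound.
    sample = ["10.0.0.2", "64:ff9b::a00:2"]
    for line, kind, v4 in audit_answers(sample):
        print(f"{line:20} {kind:20} {v4 or ''}")
```

A 'synthesized-private' result means the resolver built an AAAA record from an internal A record, so the answer points clients at the NAT64 prefix for a host that is only reachable locally.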