我想要一个加密的 DNS 查询 + DNS 缓存 + 域名系统安全扩展 (DNSSEC)。
我使用这个 bash 脚本来安装 DNSCrypt,并选择使用 dnscrypt.eu 服务器:
DNSCrypt.eu (no logs)
Holland
Server address:
176.56.237.171:443
Provider name
2.dnscrypt-cert.dnscrypt.eu
Public key
67C0:0F2C:21C5:5481:45DD:7CB4:6A27:1AF2:EB96:9931:40A3:09B6:2B8D:1653:1185:9C66
我安装了 ( apt-get install unbound) Unbound 并且我的 unbound.conf 文件包含:
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
server:
# The following line will configure unbound to perform cryptographic
# DNSSEC validation using the root trust anchor.
auto-trust-anchor-file: "/var/lib/unbound/root.key"
server:
verbosity: 1
num-threads: 4
interface: 0.0.0.0
do-ip4: yes
do-udp: yes
do-tcp: yes
access-control: 192.168.0.0/24 allow
do-not-query-localhost: no
chroot: ""
logfile: "/var/log/unbound.log"
use-syslog: no
hide-identity: yes
hide-version: yes
harden-glue: yes
harden-dnssec-stripped: yes
use-caps-for-id: yes
private-domain: "localhost"
local-zone: "localhost." static
local-data: "freebox.localhost. IN A 192.168.0.254"
local-data-ptr: "192.168.0.254 freebox.localhost"
python:
remote-control:
forward-zone:
name: "."
forward-addr: 127.0.0.1@40
如您所见,我添加了这一行来激活 DNSSEC :
server:
# The following line will configure unbound to perform cryptographic
# DNSSEC validation using the root trust anchor.
auto-trust-anchor-file: "/var/lib/unbound/root.key"
现在,当我输入:sudo service unbound start
这是我得到的错误:
* Restarting recursive DNS server unbound
[1382606879] unbound[8878:0] error: bind: address already in use
[1382606879] unbound[8878:0] fatal error: could not open ports
我的问题当然是关于错误!另外,在普通笔记本电脑(不是 DNS 服务器)中使用 DNSSEC 有用还是仅对 DNS 服务器有用?
答案1
你的 dnscrypt 代理已经使用端口 53。我敢打赌:)
答案2
感谢@Jiri Xichtkniha 和@Anthon
打字时
sudo lsof -nPi | grep \:53
我可以看到绑定也在同一端口上侦听:
TCP *:53 (LISTEN)
然后我通过添加以下行对 /etc/unbound/unbound.conf 进行了修改:
port:533
ps :服务器响应查询的端口号,默认53。
另一个解决方案是将 Bind 的端口从 53 更改为另一个。