如果没有什么特殊需求的话(比如edns-client-subnet),直接用软件包管理工具安装unbound即可。
# Install unbound from the package manager (Homebrew in this example).
# NOTE(review): the following steps use /etc/default/unbound and a config
# header written for Debian, so the target may be a Debian-family host;
# confirm the platform before following the paths literally.
brew install unbound
安装完成后注意修改/etc/default/unbound文件:
- RESOLVCONF_FORWARDERS=true
+ RESOLVCONF_FORWARDERS=false
配置unbound
# Fetch the root hints file that root-hints in unbound.conf points at.
# NOTE(review): plain FTP gives no integrity or authenticity protection for
# this file. InterNIC also serves it over HTTPS
# (https://www.internic.net/domain/named.cache), which is the safer
# transport; verify the URL before switching.
wget ftp://FTP.INTERNIC.NET/domain/named.cache -O /etc/unbound/root.hints
unbound-control-setup # generate the key/certificate files used by unbound-control
参考配置文件,具体参数作用可以查看官方文档:
https://nlnetlabs.nl/documentation/unbound/
# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# Purpose of this file: a caching resolver that listens on port 53, answers
# only the ACL-listed clients, and forwards every query to a local upstream
# on 127.0.0.1@5353.
#
# The include line for the /etc/unbound/unbound.conf.d directory sits at
# the end of the server: clause below.
server:
num-threads: 1 # number of worker threads (CPU cores to use)
interface: 0.0.0.0 # listen address: all IPv4 addresses
port: 53 # listen port
# NOTE(review): an IPv6 wildcard listener is configured here while do-ip6 is
# "no" further down; confirm which of the two is intended.
interface: ::0
so-rcvbuf: 4m
so-sndbuf: 4m
so-reuseport: yes # set to yes when running multiple threads
msg-cache-size: 64m
rrset-cache-size: 128m
cache-max-ttl: 3600 # cap the TTL of cached records at 3600 seconds
outgoing-num-tcp: 256
incoming-num-tcp: 1024
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes
tcp-upstream: no # do not force TCP for upstream queries
# ACL: source ranges that may query this resolver. The listener above binds
# every IPv4 address, so (unless an included file adds more) these entries
# are what stops it from answering arbitrary clients. Keep them as narrow
# as the deployment allows.
access-control: 127.0.0.1 allow # ACL: loopback address
access-control: 10.0.0.0/24 allow # ACL: internal range
access-control: 192.168.56.0/24 allow # ACL: internal range
root-hints: "/etc/unbound/root.hints"
hide-identity: yes # refuse id.server / hostname.bind queries
hide-version: yes # refuse version.server / version.bind queries
harden-glue: yes # only trust glue that is within the server's authority
# NOTE(review): per unbound.conf(5), module-config "iterator" alone gives a
# non-validating server, so no DNSSEC validation is done here. Answers are
# only as trustworthy as the forwarder on 127.0.0.1@5353 and the path to it.
module-config: "iterator"
# After this many unwanted replies in a thread, unbound logs a warning and
# clears its message and rrset caches as a defence against cache poisoning.
unwanted-reply-threshold: 10000000
# "no" permits sending queries to localhost, which the forward-addr
# 127.0.0.1@5353 in the forward-zone below relies on.
do-not-query-localhost: no
prefetch: yes # refresh popular cache entries before they expire
minimal-responses: no
# NOTE(review): per unbound.conf(5), logfile is overridden while use-syslog
# is on, and use-syslog is on by default. Confirm "use-syslog: no" is set
# (possibly in an included file) if file logging is expected.
logfile: "/var/log/unbound.log"
# Logs one line per client query. NOTE(review): the log then holds client
# addresses and queried names; restrict its permissions and set a retention
# period.
log-queries: yes
# NOTE(review): the included files are not shown here and can extend or
# override the settings above (including the ACL); review them together.
include: "/etc/unbound/unbound.conf.d/*.conf" # include the conf files under unbound.conf.d
forward-zone: # forward instead of resolving iteratively
name: "." # the root zone, i.e. every query
forward-addr: 127.0.0.1@5353 # forward requests to dingo
forward-first: no # no fallback to direct resolution when the forwarder fails
remote-control: # settings for the unbound-control command
control-enable: yes
control-interface: 127.0.0.1 # control channel listens on loopback only
control-port: 8953
# Key and certificate files for the control channel (unbound-control-setup
# generates the certificate files). NOTE(review): confirm the .key files
# are readable only by the accounts that need them.
control-key-file: "/etc/unbound/unbound_control.key"
control-cert-file: "/etc/unbound/unbound_control.pem"
server-key-file: "/etc/unbound/unbound_server.key"
server-cert-file: "/etc/unbound/unbound_server.pem"
将本地机器的dns server的地址修改为127.0.0.1
unbound的配置文档:
https://nlnetlabs.nl/documentation/unbound/