前言:
此刻各位老铁们对“linux缓存服务器”可能比较看重,朋友们都需要剖析一些“linux缓存服务器”的相关资讯。那么小编同时在网络上汇集了一些对于“linux缓存服务器””的相关知识,希望咱们能喜欢,各位老铁们一起来学习一下吧!作者:泡杯长岛冰茶
1. 配置网络为静态
nmcli connection modify static-ens192 ipv4.dns 172.16.50.194 ipv4.address 172.16.50.194/24 ipv4.gateway 172.16.50.1 autoconnect yesnmcli connect reload;nmcli connection up static-ens192;
1.1. 客户端DNS配置
(本篇文章环境;服务端与客户端在同一台)
[root@localhost ~]# cat /etc/resolv.conf# Generated by NetworkManagernameserver 172.16.50.194
2.关闭防火墙与selinux
Systemc disable firewalld –nowsed -i s/^SELINUX=enforcing/SELINUX=disabled/ /etc/selinux/configsetenforce 0
3.配置本地yum源
3.1 挂载系统镜像文件
# mount /dev/sr0 /mnt
3.2 配置yum文件
# cat /etc/yum.repos.d/local_baseos.repo[local_BaseOS]name=local_baseOSbaseurl=[local_AppStream]name=local_AppStreambaseurl=
3.3 检查yum是否配置成功
yum clean all; yum repolist;
4. 安装配置unbound软件
yum install -y unbound.x86_64
4.1.查看unbound软件安装的位置
[root@localhost ~]# rpm -qc unbound/etc/sysconfig/unbound/etc/unbound/conf.d/example.com.conf/etc/unbound/keys.d/example.com.key/etc/unbound/local.d/block-example.com.conf/etc/unbound/unbound.conf
4.2.修配置文件
vim /etc/unbound/unbound.conf48: interface: 0.0.0.0254: access-control: 0.0.0.0/0 allow520: domain-insecure: "*."868:forward-zone:869: name: "."870: forward-addr: 114.114.114.114
interface 表示监听的IP,4个0表示监听本机的所有IP.
access-control 客户端访问控制(4个0,表示所有客户端都可访问
domain-insecure 信任安全域
forward-zone 如果在本DNS解析不到主机记录,下一跳到下一个DNS
name: "." 转发所有的查询
forward-addr: 114.114.114.114 (本文下一跳指向114.114.114.114)
4.2.1 也可以在 /etc/unbound/conf.d/目录创建自定义配置文件
- /etc/unbound/local.d/ 定义主配置信息
-/etc/unbound/conf.d/ 定义主机资源信息
[root@localhost local.d]# cat /etc/unbound/conf.d/yunbee.com.conf server:domain-insecure: "*."forward-zone:name: "."forward-addr: 114.114.114.114
4.3.检查语法是否有问题
[root@localhost ~]# unbound-checkconfunbound-checkconf: no errors in /etc/unbound/unbound.conf
4.4.生成私有的证书
[root@localhost ~]# unbound-control-setupsetup in directory /etc/unboundunbound_server.key existsunbound_control.key existscreate unbound_server.pem (self signed certificate)create unbound_control.pem (signed client certificate)Signature oksubject=CN = unbound-controlGetting CA Private KeySetup success. Certificates created. Enable in unbound.conf file to use
4.5. 启动unbound并开机自启动
[root@localhost ~]# systemctl enable unbound --now
4.6.查看端口监听状态
[root@localhost ~]# netstat -ntupl |grep :53 tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 1091/unbound udp 0 0 192.168.122.1:53 0.0.0.0:* 1959/dnsmasq udp 0 0 0.0.0.0:53 0.0.0.0:* 1091/unbound udp 0 0 0.0.0.0:53 0.0.0.0:* 1091/unbound udp 0 0 0.0.0.0:53 0.0.0.0:* 1091/unbound udp 0 0 0.0.0.0:53 0.0.0.0:* 1091/unbound
注意: 这里可以看到里面多了一条192.168.122.1 IP,这个IP是虚拟网桥的IP,如果你的服务器无法启动unbound服务,必需禁用这个IP。udp 0 0 192.168.122.1:53 0.0.0.0:*
[root@localhost ~]# ip a s virbr0 virbr0: mtu 1500 qdisc noqueue state DOWN group default qlen 1000 link/ether 52:54:00:f3:16:9d brd ff:ff:ff:ff:ff:ff inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0 valid_lft forever preferred_lft forever
下面是关闭网桥的命令
[root@localhost ~]# ifconfig virbr0 down;nmcli device disconnect virbr0;
4.7. 检查外网能解析
[root@localhost ~]# dig ; <<>> DiG 9.11.26-RedHat-9.11.26-3.el8 <<>> ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60041 ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;. IN A ;; ANSWER SECTION: . 1200 IN CNAME . . 300 IN A 112.80.248.76 . 300 IN A 112.80.248.75 ;; Query time: 815 msec ;; SERVER: 172.16.50.194#53(172.16.50.194) ;; WHEN: Mon Aug 30 19:59:38 CST 2021 ;; MSG SIZE rcvd: 101
4.8. 查看是否创建缓存
[root@localhost ~]# unbound-control dump_cache |grep . 1192 IN CNAME . msg . IN A 32896 1 293 3 2 1 5 . IN CNAME 0
4.9. 清理zone缓存
unbound-control flush_zone baidu.com
4.10. 添加一个主机资源记录
注意:上文中可以看到 '; 解析出来的地址是 112.80.248.76,清除缓存之后,下文添加 主机记录为10.10.10.10,检查它的解析是否会改变,如果改变为10.10.10.10说明成功
vim /etc/unbound/unbound.conf #interface: 0.0.0.0 ########下面记录必需在配置文件server关键字下 local-data: ". 10800 IN A 10.10.10.10" ##正向解析 local-data-ptr: "10.10.10.10 ; ##反向解析
4.10.1 也可在 /etc/unbound/local.d/定义一个配置文件把主机记录添加进去
[root@localhost local.d]# readlink -f yunbee.com.conf /etc/unbound/local.d/yunbee.com.conf[root@localhost local.d]# ls -l-rw-r--r--. 1 root unbound 359 Dec 2 2020 block-example.com.conf-rw-r--r--. 1 root unbound 410 Sep 1 21:36 yunbee.com.conf[root@localhost local.d]# cat /etc/unbound/local.d/yunbee.com.conflocal-data: ". 3600 IN A 10.10.10.10"local-data-ptr: "10.10.10.10 ;
4.11. 查看添加的主机解析状态
[root@localhost ~]# nslookup Server: 172.16.50.194 Address: 172.16.50.194#53 Name: Address: 10.10.10.10
4.12 unbound搭建权威域名服务器(不推荐unbound搭建权威域名服务器)
a)定义一个访问控制文件在/etc/unbound/conf.d/目录
[root@localhost local.d]# readlink -f ../conf.d/yunbee.com.conf/etc/unbound/conf.d/yunbee.com.conf[root@localhost local.d]# cat /etc/unbound/conf.d/yunbee.com.confserver:domain-insecure: "."forward-zone:name: "."forward-addr: 114.114.114.114
b) 定义一个zone文件在/etc/unbound/conf.d/目录
[root@localhost local.d]# readlink -f yunbee.com.conf /etc/unbound/local.d/yunbee.com.conf[root@localhost local.d]# cat yunbee.com.conf local-zone: "yunbee.com." staticlocal-data: "yunbee.com. 10800 IN NS yunbee.com."local-data: "yunbee.com. 10800 IN SOA yunbee.com. root.yunbee.com. 1 3600 1200 604800 10800"local-data: "ns.yunbee.com. 3600 IN A 172.16.50.194"local-data: ". 3600 IN A 10.10.10.10"local-data: "www1.baidu.com. 3600 IN A 10.10.10.11"local-data: ". 3600 IN A 127.254.254.254"
dns小技巧,假设管理员想禁止某些员工在线看小电影,这里就可以做一条解析,把小电影的网址指向环回地址127.254.254.254,例如你想禁止公司员工访问 就可添加下面这一条 ,注意的是IP还是能访问的.
local-data: ". 10800 IN A 127.254.254.254"
本篇完
*禁止转载,可转发(转发文章请注明出处)
TDPUB数+社区
标签: #linux缓存服务器