
#1 2012-04-22 21:12:08

skingrapher
Ill-licked bear, but one who licks well
Location: 974
Registered: 2011-05-03
Posts: 2,049

Configuring a local DNS server with Unbound

server:
	verbosity: 1

	# specify 0.0.0.0 and ::0 to bind to all available interfaces.
	# Listening on every interface is only safe together with the
	# access-control list below, which refuses every client not listed.
	interface: 0.0.0.0

	# port to answer queries from
	port: 53

	# the time to live (TTL) value lower bound, in seconds. Default 0.
	# If more than an hour could easily give trouble due to stale data.
	cache-min-ttl: 900

	# Enable IPv4
	do-ip4: yes

	# Enable IPv6
	# do-ip6: yes

	# Enable UDP
	do-udp: yes

	# Enable TCP
	do-tcp: yes

	# control which clients are allowed to make (recursive) queries
	# to this server. Specify classless netblocks with /size and action.
	# By default everything is refused, except for localhost.
	# Choose deny (drop message), refuse (polite error reply),
	# allow (recursive ok), allow_snoop (recursive and nonrecursive ok)
	access-control: 127.0.0.0/8 allow     # localhost
	access-control: 192.168.0.0/24 allow  # IP address range of the local network

	# no chroot: the log file path below is therefore a real system path
	chroot: ""

	# the log file, "" means log to stderr.
	# Use of this option sets use-syslog to "no".
	logfile: "/var/log/unbound.log"

	# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
	# log to, with identity "unbound". If yes, it overrides the logfile.
	use-syslog: no

	# file to read root hints from.
	# get one from ftp://FTP.INTERNIC.NET/domain/named.cache
	root-hints: "/etc/unbound/named.cache"

	# enable to not answer id.server and hostname.bind queries.
	hide-identity: yes

	# enable to not answer version.server and version.bind queries.
	hide-version: yes

	# Harden against out of zone rrsets, to avoid spoofing attempts.
	harden-glue: yes

	# Harden against receiving dnssec-stripped data. If you turn it
	# off, failing to validate dnskey data for a trustanchor will
	# trigger insecure mode for that zone (like without a trustanchor).
	# Default on, which insists on dnssec data for trust-anchored zones.
	harden-dnssec-stripped: yes

	# Use 0x20-encoded random bits in the query to foil spoof attempts.
	# This feature is an experimental implementation of draft dns-0x20.
	use-caps-for-id: no

	# Ignore chain of trust. Domain is treated as insecure.
	# Only takes effect once DNSSEC validation (a trust anchor) is configured;
	# needed for the stub zones below, which sit outside the root's chain of trust.
	# domain-insecure: "example.com"
	domain-insecure: "42"
	domain-insecure: "ovh"

# stub-zone is a top-level clause of its own, not part of the server: block
stub-zone:
	name: "42"
	stub-addr: 81.93.248.69
	stub-addr: 81.93.248.68
	stub-addr: 91.194.60.196
	stub-addr: 193.17.192.53

stub-zone:
	name: "ovh"
	stub-addr: 213.251.128.133
	stub-addr: 213.251.188.133

Unbound is configured to resolve DNS names by querying the root DNS servers, so there is no need for your ISP's DNS server.

I edited /etc/resolvconf/resolv.conf.d/base, which now contains this:

nameserver 127.0.0.1

Once the resolution of crunchbanglinux-fr.org has been cached, the DNS server's answer takes 1 millisecond.

On the other hand, I have not yet managed to implement DNSSEC correctly. There is a tutorial here, but it is to be read with a thermos of coffee at hand, or a box of brain-boosting pills.


I am a textual obsessive. I love LaTeX too much.
My belly is a cemetery of chickens. Cthulhu fhtagn!
5 sentences max in your emails: five.sentenc.es

