10/05/2014

[ dns unbound ]

unbound and FreeBSD 10

Among other novelties, FreeBSD 10 ships with unbound. Let's see how I configured it on a "dedicated server" type machine where I want to use neither my hosting provider's DNS servers, nor "open" DNS servers, and even less the Bogdanov brothers of DNS (8.8.8.8 and 8.8.4.4). So I have no /etc/resolv.conf file at all.

local_unbound is not enabled, and that is simply because it has not been configured yet:

root@itanium:~ # /etc/rc.d/local_unbound setup
Cannot 'setup' local_unbound. Set local_unbound_enable to YES in /etc/rc.conf or use 'onesetup' instead of 'setup'.

root@itanium:~ # /etc/rc.d/local_unbound onesetup
Performing initial setup.
Extracting forwarders from /etc/resolv.conf.
/usr/sbin/local-unbound-setup: cannot open /etc/resolv.conf: No such file or directory
No forwarders found in resolv.conf, unbound will recurse.
/var/unbound/unbound.conf created
/etc/resolvconf.conf created
/usr/sbin/local-unbound-setup: cannot open /etc/resolv.conf: No such file or directory

root@itanium:~ # cat /etc/resolvconf.conf 
# Generated by local-unbound-setup
resolv_conf="/dev/null" # prevent updating /etc/resolv.conf
unbound_conf="/var/unbound/forward.conf"
unbound_pid="/var/run/local_unbound.pid"
unbound_service="local_unbound"
unbound_restart="service local_unbound reload"

root@itanium:~ # cat /var/unbound/unbound.conf 
# Generated by local-unbound-setup
server:
        username: unbound
        directory: /var/unbound
        chroot: /var/unbound
        pidfile: /var/run/local_unbound.pid
        auto-trust-anchor-file: /var/unbound/root.key

I can now fill in /etc/resolv.conf:

root@itanium:~ # cat /etc/resolv.conf 
domain bsdsx.fr
search bsdsx.fr
nameserver 127.0.0.1

Testing the configuration:

root@itanium:~ # /etc/rc.d/local_unbound oneconfigtest
/var/unbound/root.key: No such file or directory
[1399710593] unbound-checkconf[21747:0] fatal error: auto-trust-anchor-file: "/var/unbound/root.key" does not exist in chrootdir /var/unbound
root@itanium:~ # /etc/rc.d/local_unbound oneanchor
root@itanium:~ # /etc/rc.d/local_unbound oneconfigtest
unbound-checkconf: no errors in /var/unbound/unbound.conf

First try:

root@itanium:~ # /etc/rc.d/local_unbound onestart
Starting local_unbound.
root@itanium:~ # netstat -an -f inet | grep '\.53 '
tcp4       0      0 127.0.0.1.53           *.*                    LISTEN
udp4       0      0 127.0.0.1.53           *.*                    
root@itanium:~ # netstat -an -f inet6 | grep '\.53 '
tcp6       0      0 ::1.53                 *.*                    LISTEN
udp6       0      0 ::1.53                 *.*                    
root@itanium:~ # drill unbound.net
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 29036
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0 
;; QUESTION SECTION:
;; unbound.net. IN      A

;; ANSWER SECTION:
unbound.net.    7074    IN      A       213.154.224.1

;; AUTHORITY SECTION:
unbound.net.    7074    IN      NS      ns.secret-wg.org.
unbound.net.    7074    IN      NS      open.nlnetlabs.nl.
unbound.net.    7074    IN      NS      mcvax.nlnet.nl.
unbound.net.    7074    IN      NS      nom-ns1.nominet.org.uk.

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 127.0.0.1
;; WHEN: Sat May 10 08:37:33 2014
;; MSG SIZE  rcvd: 168

The daemon only listens on the loopback interface and answers correctly. I can enable it:

root@itanium:~ # sysrc local_unbound_enable=YES

unbound ships with unbound-control, which lets you interact with the daemon. I set it up:

root@itanium:~ # /usr/sbin/unbound-control-setup
setup in directory /etc/unbound
generating unbound_server.key
Generating RSA private key, 1536 bit long modulus
........................++++
.....++++
e is 65537 (0x10001)
generating unbound_control.key
Generating RSA private key, 1536 bit long modulus
........++++
...........++++
e is 65537 (0x10001)
create unbound_server.pem (self signed certificate)
create unbound_control.pem (signed client certificate)
Signature ok
subject=/CN=unbound-control
Getting CA Private Key
Setup success. Certificates created. Enable in unbound.conf file to use
root@itanium:~ # ls /var/unbound/
root.key                unbound.conf            unbound_control.key     unbound_control.pem     unbound_server.key      unbound_server.pem

And I enable its use:

root@itanium:~ # cat >> /var/unbound/unbound.conf
remote-control:
        control-enable: yes
^D
root@itanium:~ # /etc/rc.d/local_unbound configtest
unbound-checkconf: no errors in /var/unbound/unbound.conf
root@itanium:~ # /etc/rc.d/local_unbound restart
Stopping local_unbound.
Waiting for PIDS: 21907.
Starting local_unbound.
root@itanium:~ # /usr/sbin/unbound-control status
version: 1.4.20
verbosity: 1
threads: 1
modules: 2 [ validator iterator ]
uptime: 183 seconds
unbound (pid 22074) is running...

That's all well and good, but I don't use the root account:

dsx@itanium:~ % /usr/sbin/unbound-control status
error: Error setting up SSL_CTX client key and cert
5379689436:error:0200100D:system library:fopen:Permission denied:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:398:fopen('/var/unbound/unbound_control.pem','r')
5379689436:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:400:
5379689436:error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:470:
dsx@itanium:~ % ls -l /var/unbound/
total 24
-rw-r--r--  1 unbound  unbound   759 May 10 08:35 root.key
-rw-r--r--  1 root     unbound   265 May 10 08:55 unbound.conf
-rw-r-----  1 root     unbound  1277 May 10 08:47 unbound_control.key
-rw-r-----  1 root     unbound   802 May 10 08:47 unbound_control.pem
-rw-r-----  1 root     unbound  1281 May 10 08:47 unbound_server.key
-rw-r-----  1 root     unbound   790 May 10 08:47 unbound_server.pem

My user is a member of the wheel group; I can either add it to the unbound group or adjust the permissions accordingly:

root@itanium:~ # chown unbound:wheel /var/unbound/unbound_control.*
dsx@itanium:~ % /usr/sbin/unbound-control status
error: Error setting up SSL_CTX verify, server cert
5379689436:error:0200100D:system library:fopen:Permission denied:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:169:fopen('/var/unbound/unbound_server.pem','r')
5379689436:error:2006D002:BIO routines:BIO_new_file:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:174:
5379689436:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/x509/by_file.c:274:
root@itanium:~ # chown unbound:wheel /var/unbound/unbound_server.*
dsx@itanium:~ % /usr/sbin/unbound-control status
version: 1.4.20
verbosity: 1
threads: 1
modules: 2 [ validator iterator ]
uptime: 4 seconds
unbound (pid 22209) is running...

After reading the manual page, it appears that using a root-hints file is good practice. To do so, set the option of the same name (in the server: section of unbound.conf):

[ snip ]
root-hints: root-hints

I fetch the file from ftp://FTP.INTERNIC.NET/domain/named.cache:

root@itanium:~ # fetch -o /var/unbound/root-hints ftp://FTP.INTERNIC.NET/domain/named.cache

For updates, one can do it the quick and dirty way:

root# fetch url_ki_va_bien && unbound-control reload

or try to do things a bit more "properly":

#!/bin/sh
# Refresh unbound's root-hints file from InterNIC, but only replace it
# (and reload unbound) when the fetched copy is sane and actually differs.

RH="root-hints"

# Ask the running daemon where its root-hints file lives. Each call is
# checked on its own: a single "$?" afterwards would only test the last one.
FILENAME=$(unbound-control get_option "$RH") || exit 1
FILEPATH=$(unbound-control get_option directory) || exit 1
if [ -z "$FILENAME" ] || [ -z "$FILEPATH" ]; then
        echo "Can't retrieve unbound $RH or directory" >&2
        exit 1
fi

TMPFILE=$(mktemp -q "/tmp/$RH.XXXXXX") || {
        echo "Can't create temp file" >&2
        exit 1
}
# Remove the temporary file on every exit path (success, error or signal).
trap 'rm -f "$TMPFILE"' EXIT

URL=ftp://FTP.INTERNIC.NET/domain/named.cache
if ! fetch --quiet --output="$TMPFILE" "$URL"; then
        echo "Can't fetch '$URL'" >&2
        exit 1
fi

# Sanity check: a truncated download must never replace a working file.
# Every root server has at least one glue line starting with "X.ROOT-SERVERS.NET".
MINIMAL_ROOT_SERVERS=13
if [ "$(grep -c '^.\.ROOT-SERVERS\.NET' "$TMPFILE")" -lt "$MINIMAL_ROOT_SERVERS" ]; then
        echo "Less than $MINIMAL_ROOT_SERVERS root servers found in '$URL'" >&2
        exit 1
fi

# Nothing to do when the file did not change (cmp -s exits 0 on identical files).
if [ -f "$FILEPATH/$FILENAME" ] && cmp -s "$FILEPATH/$FILENAME" "$TMPFILE"; then
        exit 0
fi

# root:unbound, mode 440: the chrooted daemon only ever needs to read it.
install -g unbound -o root -m 440 "$TMPFILE" "$FILEPATH/$FILENAME" && unbound-control reload

There is no point scheduling this script every minute: the root name servers are not meant to change every other day (once a month seems more than enough to me).
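The script's sanity check only counts lines that look like root-server glue. As an added example (not part of this post), here is a Python check that parses the named.cache format InterNIC publishes, verifies that every root NS name has at least one A or AAAA glue address and that no glue is orphaned, and enforces a minimum server count, so a truncated or garbled download (an HTML error page, for instance) is rejected before it replaces a working file. The sample is constructed: an abridged file with three root names, where B.ROOT-SERVERS.NET is deliberately left without glue to show the failure mode. This is a structural check, not an integrity check: the FTP download is unauthenticated, so fetching the same data over HTTPS (InterNIC also publishes it at https://www.internic.net/domain/named.root) is the better default.

```python
import ipaddress

# Constructed sample in the named.cache format (abridged: 3 of the 13 root
# names; B.ROOT-SERVERS.NET intentionally has no glue so the check fails).
SAMPLE_HINTS = """\
;       This file holds the information on root name servers needed to
;       initialize cache of Internet domain name servers
;       (constructed, abridged sample for the check below)
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
.                        3600000      NS    B.ROOT-SERVERS.NET.
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
"""


def parse_hints(text):
    """Parse root hints into (list of root NS names, {server name: [addresses]}).

    Raises ValueError on anything that is not a well-formed NS/A/AAAA line,
    which is exactly what a truncated or HTML-error-page download looks like.
    """
    ns_names, glue = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()       # ';' starts a comment
        if not line:
            continue
        fields = line.split()
        if len(fields) == 5 and fields[2].upper() == "IN":
            del fields[2]                         # tolerate an explicit class
        if len(fields) != 4:
            raise ValueError("line %d: expected 'owner ttl type rdata': %r" % (lineno, raw))
        owner, ttl, rtype, rdata = fields
        if not ttl.isdigit():
            raise ValueError("line %d: bad TTL %r" % (lineno, ttl))
        owner, rtype = owner.lower(), rtype.upper()
        if rtype == "NS":
            if owner != ".":
                raise ValueError("line %d: NS record is not for the root zone" % lineno)
            ns_names.append(rdata.lower())
        elif rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)    # ValueError on junk
            if (rtype == "A") != (addr.version == 4):
                raise ValueError("line %d: %s record with an IPv%d address"
                                 % (lineno, rtype, addr.version))
            glue.setdefault(owner, []).append(addr)
        else:
            raise ValueError("line %d: unexpected record type %r" % (lineno, rtype))
    return ns_names, glue


def check_hints(text, min_servers=13):
    """Return a report dict; report['ok'] is True only if the file is usable."""
    ns_names, glue = parse_hints(text)
    servers = sorted(set(ns_names))
    problems = []
    if len(servers) < min_servers:
        problems.append("only %d root servers, expected at least %d"
                        % (len(servers), min_servers))
    missing = [n for n in servers if n not in glue]
    if missing:
        problems.append("no glue address for: " + ", ".join(missing))
    orphans = sorted(n for n in glue if n not in servers)
    if orphans:
        problems.append("glue for names that are not root NS: " + ", ".join(orphans))
    return {"servers": len(servers), "missing_glue": missing,
            "orphan_glue": orphans, "problems": problems, "ok": not problems}


if __name__ == "__main__":
    report = check_hints(SAMPLE_HINTS, min_servers=3)
    print("ok" if report["ok"] else "REJECT: " + "; ".join(report["problems"]))
```

Dropped into the update script, the call would sit between the fetch and the cmp/install step: a report whose "ok" is false means exit without touching the installed file, and the reasons in "problems" are what you want in the log rather than a bare line count.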

If other machines are to use this service, it has to listen on something other than the loopback interface:

dsx@itanium:~ % egrep '(interface|access-control)' /var/unbound/unbound.conf
    interface: 127.0.0.1
    interface: 31.216.24.123
    access-control: 127.0.0.0/8 allow
    access-control: 31.216.24.205/32 allow

And one restart later:

dsx@itanium:~ % netstat -an -f inet | grep \.53
tcp4       0      0 127.0.0.1.8953         *.*                    LISTEN
tcp4       0      0 31.216.24.123.53       *.*                    LISTEN
tcp4       0      0 127.0.0.1.53           *.*                    LISTEN
udp4       0      0 31.216.24.123.53       *.*                    
udp4       0      0 127.0.0.1.53           *.*                    

From 31.216.24.205:

dsx@blade>drill unbound.net @31.216.24.123
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 50348
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0 
;; QUESTION SECTION:
;; unbound.net. IN      A

;; ANSWER SECTION:
unbound.net.    7200    IN      A       213.154.224.1

;; AUTHORITY SECTION:
unbound.net.    7200    IN      NS      ns.secret-wg.org.
unbound.net.    7200    IN      NS      mcvax.nlnet.nl.
unbound.net.    7200    IN      NS      nom-ns1.nominet.org.uk.
unbound.net.    7200    IN      NS      open.nlnetlabs.nl.

;; ADDITIONAL SECTION:

;; Query time: 406 msec
;; SERVER: 31.216.24.123
;; WHEN: Sun May 18 11:34:33 2014
;; MSG SIZE  rcvd: 168

From another machine:

dsx@linutop>dig unbound.net @31.216.24.123

; <<>> DiG 9.4.2-P2 <<>> unbound.net @31.216.24.123
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 33127
;; flags: qr rd; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; Query time: 51 msec
;; SERVER: 31.216.24.123#53(31.216.24.123)
;; WHEN: Sun May 18 11:38:56 2014
;; MSG SIZE  rcvd: 12
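To make that REFUSED answer concrete, here is an added Python example (not from the post) that parses the access-control lines shown above, plus a few constructed entries, and applies the matching rule documented in unbound.conf(5): the most specific netblock wins regardless of line order, and an address that matches nothing is refused (unbound itself allows localhost by default, and the generated config lists 127.0.0.0/8 explicitly anyway). The client 31.216.24.205 is allowed, while a host matching no entry gets the same refuse verdict dig reported.

```python
import ipaddress

# Constructed sample: the two access-control lines from the post's unbound.conf,
# plus three extra entries (the 10.0.0.0/8 block) to exercise the
# "most specific netblock wins" rule and the deny action.
SAMPLE_CONF = """\
    interface: 127.0.0.1
    interface: 31.216.24.123
    access-control: 127.0.0.0/8 allow
    access-control: 31.216.24.205/32 allow
    access-control: 10.0.0.0/8 refuse      # whole block answered REFUSED ...
    access-control: 10.1.2.0/24 allow      # ... except this subnet ...
    access-control: 10.1.2.66/32 deny      # ... minus one host, dropped silently
"""

# Actions accepted by unbound's access-control option.
VALID_ACTIONS = {"allow", "allow_snoop", "deny", "refuse"}


def parse_access_control(conf_text):
    """Return [(network, action)] for every access-control: line in conf_text."""
    acl = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and indentation
        if not line.startswith("access-control:"):
            continue                              # interface: etc. are not ACL entries
        fields = line.split(":", 1)[1].split()
        if len(fields) != 2:
            raise ValueError("malformed access-control line: %r" % raw)
        netblock, action = fields
        if action not in VALID_ACTIONS:
            raise ValueError("unknown action %r in: %r" % (action, raw))
        # strict=False: a netblock written with host bits set is accepted
        # instead of raising, so the parser does not choke on sloppy configs.
        acl.append((ipaddress.ip_network(netblock, strict=False), action))
    return acl


def decide(acl, client_ip):
    """Action unbound applies to a query from client_ip.

    The longest matching prefix wins, whatever the order of the lines;
    an address that matches no entry is refused.
    """
    ip = ipaddress.ip_address(client_ip)
    best = None
    for net, action in acl:
        # 'in' is False across address families, so v6 clients never match v4 blocks.
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return best[1] if best else "refuse"


def verdicts(conf_text, clients):
    """Map each client address to its action: a quick audit of who can query."""
    acl = parse_access_control(conf_text)
    return {client: decide(acl, client) for client in clients}


if __name__ == "__main__":
    clients = ["127.0.0.1", "31.216.24.205", "31.216.24.1",
               "10.5.5.5", "10.1.2.3", "10.1.2.66", "::1"]
    for client, action in verdicts(SAMPLE_CONF, clients).items():
        print("%-16s -> %s" % (client, action))
```

The difference between the two negative actions matters for monitoring: refuse answers with rcode REFUSED, so a misconfigured client fails fast and visibly (the dig output above), whereas deny drops the query and the client only sees a timeout. Note also that the v6 loopback gets refused by this config, which is why the earlier, loopback-only setup had ::1 listed and this one does not listen on IPv6 at all.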

It remains to define access to my domain's name servers:

root@itanium:~ # tail -n 5 /var/unbound/unbound.conf 
stub-zone:
        name: bsdsx.fr
        stub-host: ns.bsdsx.fr
        stub-host: lucifer.example.com
        stub-host: ns6.bsdsx.fr

One unbound-control reload later, and it's ready!
