Configuring DNS over TLS with unbound on FreeBSD

Jun 29, 2024 • Estimated reading time: 1 minute

local_unbound is a component built into FreeBSD and is perfectly adequate for serving DNS to the local machine. Here we only use it to generate the initial configuration:

$ sudo service local_unbound onesetup

Performing initial setup.
destination: 
Extracting forwarders from /etc/resolv.conf.
/var/unbound/forward.conf created
/var/unbound/lan-zones.conf created
/var/unbound/control.conf created
/var/unbound/unbound.conf created
/etc/resolvconf.conf created
Original /etc/resolv.conf saved as /var/backups/resolv.conf.20240629.050713

The auto-generated file /etc/resolvconf.conf is not needed; delete it:

$ sudo rm /etc/resolvconf.conf

To get the full feature set you still need to install the full unbound package:

$ sudo pkg install unbound

DoT in unbound depends on security/ca_root_nss:

$ sudo pkg install security/ca_root_nss

Then enable the full version of unbound:

$ sudo service unbound enable

By default unbound loads its configuration from /usr/local/etc/unbound/unbound.conf; the path of the configuration file to load can be set in rc.conf:

$ sudo sysrc unbound_config="/var/unbound/unbound.conf"

Copy the root.key shipped with the unbound package into the /var/unbound directory:

$ sudo cp /usr/local/etc/unbound/root.key /var/unbound/

Next, edit /var/unbound/forward.conf and configure the upstream DNS servers to be queried over TLS.

forward-zone:
        name: .
        forward-tls-upstream: yes               # Use DNS-over-TLS
        forward-first: no                       # do NOT send direct
        forward-addr: 1.1.1.1@853#cloudflare-dns.com
        forward-addr: 1.0.0.1@853#cloudflare-dns.com
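Two things in the configuration above deserve a check before rebooting: every forward-addr must carry the `@853#name` suffix, since the `#name` part is the hostname unbound verifies the upstream certificate against, and the server section must point `tls-cert-bundle` at a CA bundle, because the auth name can only be verified against one (that bundle is what security/ca_root_nss provides). The lint script below is an added example and not code from the original post; the bundle path /usr/local/share/certs/ca-root-nss.crt, the function names and the sample files it writes are this example's own assumptions, and the samples are constructed rather than copied from a real host.

```sh
#!/bin/sh
# Added example (not from the original post): lint the DoT forwarder setup before the reboot.
# Assumptions: the file paths from the post (/var/unbound/forward.conf, /var/unbound/unbound.conf)
# and the CA bundle path installed by security/ca_root_nss (/usr/local/share/certs/ca-root-nss.crt).

# Return 0 if forward-tls-upstream is "yes" and every forward-addr in file $1 has the form
# ADDR@853#AUTHNAME. Without "#AUTHNAME" unbound has no name to verify the upstream
# certificate against, so a TLS session to an impostor would still be accepted.
check_forwarders() {
    awk '
        /^[[:space:]]*#/ { next }                                   # whole-line comment
        $1 == "forward-tls-upstream:" && $2 == "yes" { tls = 1 }
        $1 == "forward-addr:" {
            n++
            if ($2 !~ /@853#[A-Za-z0-9.-]+$/) { bad++; print "no TLS port/auth name: " $2 }
        }
        END {
            if (n == 0) { print "no forward-addr lines";          exit 1 }
            if (!tls)   { print "forward-tls-upstream is not yes"; exit 1 }
            exit bad ? 1 : 0
        }
    ' "$1"
}

# Return 0 if unbound.conf ($1) names a readable tls-cert-bundle or sets tls-system-cert: yes.
# The auth name is only checked against such a bundle; unbound reads the bundle before it
# chroots, so this is a host path, not one relative to /var/unbound.
check_cert_bundle() {
    bundle=$(awk '/^[[:space:]]*#/ { next }
                  $1 == "tls-cert-bundle:" { gsub(/"/, "", $2); print $2; exit }' "$1")
    if [ -n "$bundle" ]; then
        [ -r "$bundle" ] && return 0
        echo "tls-cert-bundle $bundle is not readable"
        return 1
    fi
    awk '/^[[:space:]]*#/ { next }
         $1 == "tls-system-cert:" && $2 == "yes" { ok = 1 }
         END { exit ok ? 0 : 1 }' "$1"
}

# Lint forward.conf ($1) together with unbound.conf ($2); 0 only if both checks pass.
lint_dot() {
    rc=0
    check_forwarders "$1" || rc=1
    check_cert_bundle "$2" || { echo "no usable CA bundle: install security/ca_root_nss and set tls-cert-bundle"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "OK: $1 forwards only over authenticated TLS"; fi
    return "$rc"
}

# Constructed sample files (not captured from a real host) so the checks can be tried offline.
make_samples() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/dotlint.XXXXXX")
    : > "$d/ca-root-nss.crt"                 # empty stand-in for the real bundle
    cat > "$d/good-forward.conf" <<'EOF'
forward-zone:
        name: .
        forward-tls-upstream: yes               # Use DNS-over-TLS
        forward-first: no                       # do NOT send direct
        forward-addr: 1.1.1.1@853#cloudflare-dns.com
        forward-addr: 1.0.0.1@853#cloudflare-dns.com
EOF
    cat > "$d/bad-forward.conf" <<'EOF'
forward-zone:
        name: .
        forward-tls-upstream: yes
        forward-addr: 1.1.1.1@853#cloudflare-dns.com
        forward-addr: 1.0.0.1                   # plain port 53, no auth name
EOF
    printf 'server:\n\ttls-cert-bundle: "%s"\n' "$d/ca-root-nss.crt" > "$d/good-unbound.conf"
    printf 'server:\n\tusername: unbound\n' > "$d/bad-unbound.conf"
    echo "$d"
}

if [ $# -eq 2 ]; then
    lint_dot "$1" "$2"                       # e.g. /var/unbound/forward.conf /var/unbound/unbound.conf
else
    d=$(make_samples)
    lint_dot "$d/good-forward.conf" "$d/good-unbound.conf"
    lint_dot "$d/bad-forward.conf"  "$d/bad-unbound.conf"
    rm -rf "$d"
fi
```

Run it without arguments to see the constructed good and bad cases, or as `sh dotlint.sh /var/unbound/forward.conf /var/unbound/unbound.conf` against the real files; unbound's own `unbound-checkconf /var/unbound/unbound.conf` is still worth running afterwards for syntax errors the lint does not look for.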

Reboot the system:

$ sudo reboot

Then try the nslookup command:

$ nslookup github.com

Server:		127.0.0.1
Address:	127.0.0.1#53

Non-authoritative answer:
Name:	github.com
Address: 140.82.116.4
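The nslookup output above only shows that the system resolver is the local unbound on 127.0.0.1; it says nothing about whether unbound reaches its upstreams over TLS. The script below is an added example, not part of the original post: it reads sockstat(1) output and fails if any unbound socket is connected to a foreign port 53 instead of 853. The sockstat column layout it assumes (USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS), the `--live` option and the function names are this example's assumptions, and the embedded sample is constructed rather than a real capture.

```sh
#!/bin/sh
# Added example (not part of the original post): after the reboot, verify that unbound is
# the local resolver AND that its upstream connections go only to port 853. The nslookup
# output in the post proves only the first half. Assumes FreeBSD sockstat(1) columns:
# USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS.

# Read sockstat output from file $1. Returns 0 when unbound listens on loopback:53 and no
# unbound socket is connected to a foreign port 53 (a plaintext upstream); 1 otherwise.
audit_sockstat() {
    awk '
        $1 == "USER" { next }                                   # header line
        $2 != "unbound" { next }                                # other processes
        $7 == "*:*" && $6 ~ /^(127\.0\.0\.1|::1|\*):53$/ { listen++ }
        $7 ~ /:853$/ { tls++ }                                  # DoT upstream
        $7 != "*:*" && $7 ~ /:53$/ { plain++; print "plaintext upstream: " $7 }
        END {
            printf "loopback:53 listeners=%d  tls(853) upstreams=%d  plaintext(53) upstreams=%d\n",
                   listen, tls, plain
            exit (listen > 0 && plain == 0) ? 0 : 1
        }
    ' "$1"
}

# Snapshot the live socket table (root is needed to see the unbound user's sockets) and audit it.
audit_live() {
    f=$(mktemp "${TMPDIR:-/tmp}/sockstat.XXXXXX")
    sockstat -4 -6 -p 53,853 > "$f"
    audit_sockstat "$f"; rc=$?
    rm -f "$f"
    return "$rc"
}

# Constructed sockstat output (not a real capture) for an offline dry run; $1 = good | bad.
make_sample() {
    f=$(mktemp "${TMPDIR:-/tmp}/sockstat.XXXXXX")
    cat > "$f" <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
unbound  unbound    1234  3  udp4   127.0.0.1:53          *:*
unbound  unbound    1234  4  tcp4   127.0.0.1:53          *:*
unbound  unbound    1234  9  tcp4   192.0.2.10:51022      1.1.1.1:853
unbound  unbound    1234  10 tcp4   192.0.2.10:51023      1.0.0.1:853
EOF
    # the bad variant adds an upstream query leaking in clear text to port 53
    if [ "$1" = "bad" ]; then
        echo 'unbound  unbound    1234  11 udp4   192.0.2.10:60001      198.51.100.53:53' >> "$f"
    fi
    echo "$f"
}

if [ "${1:-}" = "--live" ]; then
    audit_live
else
    f=$(make_sample good); audit_sockstat "$f"; rm -f "$f"
fi
```

Run it as `sudo sh dotaudit.sh --live` right after a few lookups so that upstream connections are open; with no arguments it audits the constructed sample. A non-zero exit means either unbound is not the loopback resolver or at least one query left the host in clear text, which is exactly the case the forward-first: no setting is meant to rule out.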

Reference: https://github.com/freebsd/freebsd-ports/blob/main/dns/unbound/files/unbound.in

FreeBSD
Copyright notice: if you repost this article, include a link to it and credit the source.
