Security

DNSCrypt, Unbound and DNSSEC

  • April 17, 2019

I want encrypted DNS queries + a DNS cache + Domain Name System Security Extensions (DNSSEC).

I installed DNSCrypt using this bash script and chose to use the dnscrypt.eu server:

DNSCrypt.eu (no logs)

Holland
Server address:
176.56.237.171:443
Provider name
2.dnscrypt-cert.dnscrypt.eu
Public key
67C0:0F2C:21C5:5481:45DD:7CB4:6A27:1AF2:EB96:9931:40A3:09B6:2B8D:1653:1185:9C66

I installed Unbound (apt-get install unbound) and my unbound.conf file contains:

#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.

server:
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

server:
    verbosity: 1
    num-threads: 4
    interface: 0.0.0.0
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    access-control: 192.168.0.0/24 allow
    do-not-query-localhost: no
    chroot: ""
    logfile: "/var/log/unbound.log"
    use-syslog: no
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: yes
    private-domain: "localhost"
    local-zone: "localhost." static
    local-data: "freebox.localhost. IN A 192.168.0.254"
    local-data-ptr: "192.168.0.254 freebox.localhost"

python:

remote-control:

forward-zone:
    name: "."
    forward-addr: 127.0.0.1@40

As you can see, I added this line to enable DNSSEC:

server:
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

Now, when I type sudo service unbound start, this is the error I get:

    * Restarting recursive DNS server unbound
[1382606879] unbound[8878:0] error: bind: address already in use
[1382606879] unbound[8878:0] fatal error: could not open ports

My question is of course about the error! Also, is DNSSEC useful on an ordinary laptop (not a DNS server), or is it only useful for DNS servers?

Thanks @Jiri Xichtkniha and @Anthon

When typing

sudo lsof -nPi | grep \:53

I can see that bind is also listening on the same port:

TCP *:53 (LISTEN)

I then modified /etc/unbound/unbound.conf by adding the following line:

port: 533

PS: port is the port number on which the server responds to queries; the default is 53.

Another solution is to change Bind's port from 53 to a different one.
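The lsof check in the update above, as an added shell example that is not from the thread: it reads `lsof -nPi` output, reports every process bound to a given port, and returns non-zero when the port is taken, so it can gate `service unbound start`. The lsof sample is constructed, and the function names `find_port_listeners` and `port_is_free` are assumptions.

```shell
#!/bin/sh
# find_port_listeners PORT: read `lsof -nPi` output on stdin and print one line
# per socket bound to PORT, as "COMMAND pid=PID PROTO NAME".
find_port_listeners() {
    awk -v port="$1" '
        # lsof -nPi columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [(LISTEN)]
        # NODE ($8) is TCP or UDP; NAME ($9) looks like "*:53" or "127.0.0.1:53".
        # Bound UDP sockets carry no "(LISTEN)" suffix, so match on the name only.
        $9 ~ (":" port "$") {
            printf "%s pid=%s %s %s\n", $1, $2, $8, $9
        }'
}

# port_is_free PORT: return 0 when nothing on stdin is bound to PORT; otherwise
# print the offending sockets to stderr and return 1.
port_is_free() {
    listeners=$(find_port_listeners "$1")
    [ -z "$listeners" ] && return 0
    printf 'port %s is already in use:\n%s\n' "$1" "$listeners" >&2
    return 1
}

# Constructed sample of `sudo lsof -nPi` output (not captured from a real host):
# bind (named) holds 53/tcp and 53/udp, dnscrypt-proxy listens on 127.0.0.1:40.
SAMPLE_LSOF='COMMAND   PID     USER FD  TYPE DEVICE SIZE/OFF NODE NAME
named    1234     bind 20u IPv4  12345      0t0  TCP *:53 (LISTEN)
named    1234     bind 21u IPv4  12346      0t0  UDP *:53
dnscrypt 2345 dnscrypt  5u IPv4  12347      0t0  UDP 127.0.0.1:40
sshd      987     root  3u IPv4   9876      0t0  TCP *:22 (LISTEN)'

# Live use:  sudo lsof -nPi | port_is_free 53 && sudo service unbound start
printf '%s\n' "$SAMPLE_LSOF" | port_is_free 53 || echo "refusing to start unbound on 53"
printf '%s\n' "$SAMPLE_LSOF" | port_is_free 533 && echo "port 533 is free"
```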

Your dnscrypt proxy already uses port 53. I bet :)

Quoted from: https://unix.stackexchange.com/questions/97391