`unbound.service` runs without error with the following three default files (created when unbound is installed):
root@DNS:/etc/unbound# cat unbound.conf
# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
root@DNS:/etc/unbound# cat unbound.conf.d/remote-control.conf
remote-control:
    control-enable: yes
    # by default the control interface is is 127.0.0.1 and ::1 and port 8953
    # it is possible to use a unix socket too
    control-interface: /run/unbound.ctl
root@DNS:/etc/unbound# cat unbound.conf.d/root-auto-trust-anchor-file.conf
server:
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
However, when these three files are deleted and `/etc/unbound/unbound.conf` instead contains:
# unbound.conf(5) config file for unbound(8).
server:
    directory: "/etc/unbound"
    username: "unbound"
    # make sure unbound can access entropy from inside the chroot.
    # e.g. on linux the use these commands (on BSD, devfs(8) is used):
    # mount --bind -n /dev/urandom /etc/unbound/dev/urandom
    # and mount --bind -n /dev/log /etc/unbound/dev/log
    #chroot: "/etc/unbound"
    # logfile: "/etc/unbound/unbound.log" #uncomment to use logfile.
    pidfile: "/etc/unbound/unbound.pid"
    # verbosity: 1 # uncomment and increase to get more logging.
    # listen on all interfaces, answer queries from the local subnet.
    interface: 0.0.0.0
    interface: ::0
    access-control: 10.0.0.0/8 allow
    #access-control: 2001:DB8::/64 allow
`unbound.service` cannot be restarted with `service unbound restart`. For example:
root@DNS:/etc/unbound# service unbound restart
Job for unbound.service failed because the control process exited with error code.
See "systemctl status unbound.service" and "journalctl -xeu unbound.service" for details.
root@DNS:/etc/unbound# systemctl status unbound.service
× unbound.service - Unbound DNS server
Loaded: loaded (/usr/lib/systemd/system/unbound.service; disabled; preset: enabled)
Active: failed (Result: exit-code) since Mon 2024-10-28 16:01:59 UTC; 18s ago
Duration: 50min 13.453s
Docs: man:unbound(8)
Process: 3385 ExecStartPre=/usr/libexec/unbound-helper chroot_setup (code=exited, status=0/SUCCESS)
Process: 3388 ExecStartPre=/usr/libexec/unbound-helper root_trust_anchor_update (code=exited, status=0/SUCCESS)
Process: 3391 ExecStart=/usr/sbin/unbound -d -p $DAEMON_OPTS (code=exited, status=1/FAILURE)
Process: 3393 ExecStopPost=/usr/libexec/unbound-helper chroot_teardown (code=exited, status=0/SUCCESS)
Main PID: 3391 (code=exited, status=1/FAILURE)
CPU: 168ms
Oct 28 16:01:59 DNS systemd[1]: unbound.service: Scheduled restart job, restart counter is at 5.
Oct 28 16:01:59 DNS systemd[1]: unbound.service: Start request repeated too quickly.
Oct 28 16:01:59 DNS systemd[1]: unbound.service: Failed with result 'exit-code'.
Oct 28 16:01:59 DNS systemd[1]: Failed to start unbound.service - Unbound DNS server.
To troubleshoot, I commented out every line and then uncommented them one at a time until `unbound.service` failed to restart. I found that the line `interface: 0.0.0.0` is what causes the error. I don't understand why `0.0.0.0` would cause this problem. Why does this IP address cause it?
System:
- Unbound version: 1.19.2
- OS: Linux DNS 6.1.63 #218 SMP Thu Nov 30 20:48:04 CST 2023 aarch64 aarch64 aarch64 GNU/Linux, on Ubuntu Server 24.04.1
`unbound -V` output:
root@DNS:/etc/unbound# unbound -V
Version 1.19.2
Configure line: --build=aarch64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-option-checking --disable-silent-rules --libdir=${prefix}/lib/aarch64-linux-gnu --runstatedir=/run --disable-maintainer-mode --disable-dependency-tracking --with-pythonmodule --with-pyunbound --enable-subnet --enable-dnstap --enable-systemd --enable-cachedb --with-libhiredis --with-libnghttp2 --with-chroot-dir= --with-dnstap-socket-path=/run/dnstap.sock --disable-rpath --with-pidfile=/run/unbound.pid --with-libevent --enable-tfo-client --with-rootkey-file=/usr/share/dns/root.key --disable-flto --enable-tfo-server
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.13 30 Jan 2024
Linked modules: dns64 python cachedb subnetcache respip validator iterator
TCP Fastopen feature available
BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues
Update:
root@DNS:/etc/unbound# unbound -d -vv -c /etc/unbound/unbound.conf
[1730176049] unbound[4263:0] notice: Start of unbound 1.19.2.
[1730176049] unbound[4263:0] error: can't bind socket: Address already in use for 0.0.0.0 port 53
[1730176049] unbound[4263:0] fatal error: could not open ports
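The error above names the real failure: the bind to 0.0.0.0:53, not the address 0.0.0.0 itself. On Linux a socket bound to the wildcard address collides with any socket already bound to the same port on a specific address (on Ubuntu, typically systemd-resolved's stub listener on 127.0.0.53:53), so bind() returns EADDRINUSE. The following pre-flight script is an added example, not code from the original question or from the unbound project: it reads the same `ss` listing an administrator would check by hand, reports what already holds unbound's configured port, and writes the resolved.conf.d drop-in that turns the stub listener off. It assumes `ss` from iproute2, unbound's default port 53 when unbound.conf has no `port:` line, and the `DNSStubListener=` setting from resolved.conf(5); the `ss` sample, its pids and the sample unbound.conf are constructed.

```shell
#!/bin/sh
# Pre-flight check for "can't bind socket: Address already in use" before
# (re)starting unbound. Added example, not code from the original post.
# Assumes: `ss` from iproute2 (-H -l -t -u -n -p), POSIX sed/awk, mktemp,
# and unbound's default port 53 when unbound.conf has no "port:" line.

# Print the value of a top-level unbound.conf option: first match wins,
# surrounding quotes and a trailing "# comment" are stripped.
# Usage: conf_value KEY FILE
conf_value() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*\"\{0,1\}\([^\"#]*\).*/\1/p" "$2" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# Filter `ss -Hltnup` output (stdin) to sockets bound to PORT on any local
# address. Column 5 is "Local Address:Port"; taking the text after the last
# colon copes with IPv6 ("[::]:53") and ss's "%ifname" suffix
# ("127.0.0.53%lo:53").
listeners_on_port() {
    awk -v port="$1" '{ n = split($5, a, ":"); if (a[n] == port) print }'
}

# Report every socket (ss listing on stdin) that already holds the port
# configured in unbound.conf FILE. Returns 1 on conflict, 0 when free.
# With "interface: 0.0.0.0" every hit is fatal: a wildcard bind on Linux
# fails with EADDRINUSE when a specific address already holds the port
# (unless both sockets opt into sharing via SO_REUSEADDR/SO_REUSEPORT),
# which is exactly the error in the question.
check_port_conflicts() {
    conf=$1
    port=$(conf_value port "$conf")
    port=${port:-53}
    hits=$(listeners_on_port "$port")
    if [ -n "$hits" ]; then
        printf 'port %s already in use by:\n%s\n' "$port" "$hits"
        return 1
    fi
    printf 'port %s is free\n' "$port"
}

# Write the drop-in that switches off systemd-resolved's stub listener on
# 127.0.0.53:53 (DNSStubListener=, see resolved.conf(5)). DIR is normally
# /etc/systemd/resolved.conf.d; prints the path of the file written.
write_stub_listener_dropin() {
    mkdir -p "$1"
    printf '[Resolve]\nDNSStubListener=no\n' > "$1/10-disable-listener.conf"
    printf '%s\n' "$1/10-disable-listener.conf"
}

# Constructed sample of `ss -Hltnup` on a host where systemd-resolved holds
# the stub listener; pids and fds are invented for the example.
SAMPLE_SS='udp   UNCONN 0      0        127.0.0.53%lo:53       0.0.0.0:*    users:(("systemd-resolve",pid=540,fd=13))
tcp   LISTEN 0      4096     127.0.0.53%lo:53       0.0.0.0:*    users:(("systemd-resolve",pid=540,fd=14))
tcp   LISTEN 0      128            0.0.0.0:22       0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128               [::]:22          [::]:*    users:(("sshd",pid=812,fd=4))'

# Constructed unbound.conf with the interface lines from the question.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
server:
    interface: 0.0.0.0
    interface: ::0
    access-control: 10.0.0.0/8 allow
EOF

# Demo against the constructed data. On a real host:
#   ss -Hltnup | check_port_conflicts /etc/unbound/unbound.conf
if ! printf '%s\n' "$SAMPLE_SS" | check_port_conflicts "$SAMPLE_CONF"; then
    echo "fix: wrote $(write_stub_listener_dropin "$(mktemp -d)") (use /etc/systemd/resolved.conf.d on a real host),"
    echo "     then: systemctl restart systemd-resolved && systemctl restart unbound"
fi
```

On a real host run `ss -Hltnup | check_port_conflicts /etc/unbound/unbound.conf` before `systemctl restart unbound`; if the stub listener shows up, write the drop-in into `/etc/systemd/resolved.conf.d`, restart `systemd-resolved`, then unbound. Binding unbound only to addresses resolved does not use, or moving it to another port, also avoids the collision, but leaves two resolvers on the box, which should be a deliberate choice rather than an accident.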
This is probably because `systemd-resolved`'s stub DNS listener is listening on the same address/port (as your previous question suggested). Reasonable courses of action are: add `port: 3000` to `/etc/unbound/unbound.conf` and use `dig -p3000 [...]`; or disable `systemd-resolved`'s listener, remove `port: 3000` from `/etc/unbound/unbound.conf`, and restart `systemd-resolved` and Unbound. To disable `systemd-resolved`'s listener, create a directory `/etc/systemd/resolved.conf.d` containing a file named, for example, `10-disable-listener.conf` with the following content:

Then restart `systemd-resolved` and Unbound:
Thanks to @kos for the answer.

After the port issue was resolved, the next problem was that the file `/etc/unbound/unbound.log` did not have the correct file permissions, because `"unbound"` and not `"root"` is declared as `username:` in `/etc/unbound/unbound.conf`. Therefore `unbound.service` still could not start.

To fix this, I did the following:
- Stopped and disabled `unbound.service`.
- Created a new user named `unbound`, as the primary member of a new group named `unbound`, with the following command:
- Changed the group ownership of the directory `/etc/unbound` and all of its files and subdirectories from `root` to `unbound` with the following command:
- Granted write permission to the group on the directory and all of its files and subdirectories:
- Ran the command `unbound -d -vv -c /etc/unbound/unbound.conf` to start the service in debug mode and confirmed that the `/etc/unbound/unbound.log` permission failure was resolved. After that, I restarted `unbound.service` with `systemctl restart unbound.service`.
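The permission failure described in this answer is the second half of the same start-up problem: `username: "unbound"` makes the daemon drop root after binding its sockets, so anything it opens afterwards, such as the `logfile:`, must be writable by that user. The check below is an added example, not code from the original answer or from the unbound project; it reports whether a given user can write each path (or, for a file that does not exist yet, its directory) from the classic mode bits, using GNU/BusyBox `stat -c` and `id -Gn`; ACLs and capabilities are ignored, and the demo files are constructed. One caveat on the fix above: making `/etc/unbound` group-writable by the daemon user also lets a compromised unbound rewrite its own configuration. A log file in a directory owned by `unbound` (for example under `/var/log/unbound`), or `use-syslog: yes`, keeps the configuration read-only for the daemon.

```shell
#!/bin/sh
# Pre-flight check that the user named by unbound's "username:" can write
# the paths unbound opens after dropping root, such as its "logfile:".
# Added example, not code from the original answer. Assumes a Linux host
# with GNU or BusyBox `stat -c` and `id -Gn`; ACLs and capabilities are
# ignored, only the classic mode bits are evaluated.

# writable_by USER PATH
# Exit 0 if USER can write PATH by its mode bits, 1 if not, 2 if neither
# PATH nor its directory exists. A PATH that does not exist yet is checked
# via its directory, because that is where the daemon must create it.
writable_by() {
    user=$1 path=$2
    [ -e "$path" ] || path=$(dirname "$path")
    [ -e "$path" ] || return 2
    if [ "$user" = root ]; then return 0; fi
    # e.g. "root root 644" or "unbound unbound 2750"
    set -- $(stat -c '%U %G %a' "$path")
    owner=$1 group=$2
    mode=$(printf '%s' "$3" | tail -c 3)        # drop setuid/setgid/sticky
    if [ "$owner" = "$user" ]; then
        digit=$(printf '%s' "$mode" | cut -c1)  # owner bits
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx -- "$group"; then
        digit=$(printf '%s' "$mode" | cut -c2)  # group bits
    else
        digit=$(printf '%s' "$mode" | cut -c3)  # other bits
    fi
    case $digit in 2|3|6|7) return 0 ;; *) return 1 ;; esac
}

# preflight_writable USER PATH...
# One line per path; returns 1 if any path is not writable, so it can gate
# a restart: preflight_writable unbound /var/log/unbound/unbound.log || exit 1
preflight_writable() {
    user=$1; shift
    rc=0
    for p in "$@"; do
        if writable_by "$user" "$p"; then
            printf 'ok    %s is writable by %s\n' "$p" "$user"
        else
            printf 'FAIL  %s is not writable by %s\n' "$p" "$user"
            rc=1
        fi
    done
    return $rc
}

# Demo on constructed files: a log created by the invoking user with mode
# 0600 is writable by that user but not by "nobody", which stands in for a
# daemon account the file was never chown'ed to (the symptom in the answer).
DEMO_LOG=$(mktemp)
chmod 0600 "$DEMO_LOG"
preflight_writable "$(id -un)" "$DEMO_LOG" || echo "unexpected: own file not writable"
if ! preflight_writable nobody "$DEMO_LOG"; then
    echo "fix: chown the log to the daemon user, or point logfile: at a directory it owns"
fi
```

On a real host, run `preflight_writable unbound /var/log/unbound/unbound.log` (substituting the `username:` and `logfile:` values from `/etc/unbound/unbound.conf`) before `systemctl restart unbound`, and prefer fixing ownership of the log location over widening permissions on `/etc/unbound`.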