Pi-hole includes a caching and forwarding DNS server, now known as FTLDNS. After applying the blocking lists, it forwards requests made by the clients to the configured upstream DNS server(s). However, as several users have pointed out in the past, this raises a privacy concern, because it ultimately comes down to one question: whom can you trust? Recently, more and more small (and not so small) DNS upstream providers have appeared on the market advertising free and private DNS service, but how can you know that they keep their promises? Right, you can't.

Furthermore, from an attacker's point of view, the DNS servers of large providers are very worthwhile targets: the attacker only needs to poison one DNS server, but millions of users might be affected. Instead of your bank's actual IP address, you could be sent to a phishing site hosted on some island. This scenario has already happened, and it isn't unlikely to happen again. When you operate your own (tiny) recursive DNS server, the likelihood of being affected by such an attack is greatly reduced.

What is a recursive DNS server?

The first distinction we have to be aware of is whether a DNS server is authoritative or not. If I'm the authoritative server for a domain, then I know which IP is the correct answer for a query about it. Recursive name servers, in contrast, resolve any query they receive by traversing the domain hierarchy and consulting the servers that are authoritative for each step. Example: we want to resolve a domain name. On behalf of the client, the recursive DNS server will traverse the path of the domain across the Internet to deliver the answer to the question.

What does this guide provide?

In only a few simple steps, we will describe how to set up your own recursive DNS server. It will run on the same device you're already using for your Pi-hole; there are no additional hardware requirements. This guide assumes a fairly recent Debian/Ubuntu-based system and will use the maintainer-provided packages for installation to make it an incredibly simple process. It assumes only a very basic knowledge of how DNS works.

A standard Pi-hole installation will do it as follows:

After you set up your Pi-hole as described in this guide, this procedure changes notably:

You can easily imagine even longer chains for subdomains, as the query process continues until your recursive resolver reaches the authoritative server for the zone that contains the queried domain name. It is obvious that the methods are very different and that doing your own recursion is more involved than "just" asking some upstream server. This has benefits and drawbacks:
Setting up Pi-hole as a recursive DNS server solution

We will use unbound, a secure open-source recursive DNS server primarily developed by NLnet Labs, VeriSign Inc., Nominet, and Kirei. The first thing you need to do is to install the recursive DNS resolver:

If you are installing unbound from a package manager, it should install the root hints file automatically through a dependency package, and the root hints will then be updated automatically by your package manager.

Optional: download the current root hints file (the list of primary root servers, which serve the root domain "."). Update it roughly every six months; note that this file changes infrequently. This is only necessary if you are not installing unbound from a package manager. If you do this optional step, you will need to uncomment the root-hints configuration line in the suggested config file.
Configure unbound

Highlights:

Create the configuration file in /etc/unbound/unbound.conf.d/:
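As an added example (not the configuration file from the guide), the following shell function writes a hardened unbound configuration for use behind Pi-hole, and a second function verifies that the settings that matter for security are still present after later edits. Port 5335 is the port the guide refers to; the loopback listening address, the EDNS buffer size of 1232, the private-address ranges and the other directive values are choices made for this example, as is the target file name.

```shell
#!/bin/sh
# Added example, not the guide's own file: write a hardened unbound config
# and check it. Assumptions: unbound serves only the local Pi-hole on
# 127.0.0.1:5335; the destination path is a parameter so the functions can
# be tried on a temporary file first.

write_unbound_conf() {
    # $1 = destination, e.g. /etc/unbound/unbound.conf.d/pi-hole.conf (assumed name)
    cat > "$1" <<'EOF'
server:
    # Log only errors; raise this for debugging (see the logging section).
    verbosity: 0

    # Answer only local clients: the Pi-hole on the same machine.
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # Enable if your network is IPv6-capable; leave off otherwise.
    do-ip6: no
    prefer-ip6: no

    # Uncomment only if you maintain the root hints by hand instead of via the package.
    # root-hints: "/var/lib/unbound/root.hints"

    # Require glue records to be within the delegating zone (limits cache poisoning via bogus glue).
    harden-glue: yes

    # Treat DNSSEC data that should be present but is missing as bogus.
    harden-dnssec-stripped: yes

    # 0x20 case randomisation adds entropy against spoofed replies; off here for compatibility.
    use-caps-for-id: no

    # Fit answers into one unfragmented UDP packet; FTL should be told the same limit.
    edns-buffer-size: 1232

    # Refresh popular entries before they expire.
    prefetch: yes

    # One thread is plenty for a home network.
    num-threads: 1

    # Larger socket receive buffer for bursts of queries.
    so-rcvbuf: 1m

    # Refuse answers that point public names at private addresses (DNS rebinding).
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10
EOF
}

# Returns 0 if every hardening directive is present with the expected value,
# 1 (and a message on stderr) if one is missing or was changed.
check_unbound_conf() {
    for setting in 'port: 5335' 'harden-glue: yes' 'harden-dnssec-stripped: yes' \
                   'edns-buffer-size: 1232' 'private-address: 10.0.0.0/8'; do
        grep -Eq "^[[:space:]]*$setting[[:space:]]*$" "$1" || {
            echo "missing or changed: $setting" >&2
            return 1
        }
    done
    return 0
}

# Usage: write_unbound_conf /tmp/pi-hole.conf && check_unbound_conf /tmp/pi-hole.conf
```

Run the check again after any package upgrade or manual edit; it fails loudly if, for instance, the port was reset to 53 or a hardening line was dropped.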
Start your local recursive server and test that it's operational:

The first query may be quite slow, but subsequent queries, also to other domains under the same TLD, should be fairly quick. You should also consider adding the matching setting to a Pi-hole config file to signal FTL to adhere to this limit.

Test validation

You can test DNSSEC validation using the two queries below. The first command should give a status report of SERVFAIL and no IP address. The second should give NOERROR plus an IP address.

Configure Pi-hole

Finally, configure Pi-hole to use your recursive DNS server by specifying the address and port (5335) of your unbound instance as the Custom DNS (IPv4) (don't forget to hit Return or click the save button).
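For the two validation queries described above, the distinction that matters is SERVFAIL (the resolver refused to hand out an answer it could not validate) versus NOERROR with the Authenticated Data (ad) flag set. The following is an added example, not part of the guide: a shell function that reads the text dig prints and reports which case it sees. The sample outputs are written by hand in dig's format, not captured from a real resolver, and the resolver address in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not from the guide: classify dig output from the DNSSEC test.
# Pipe `dig +dnssec NAME @127.0.0.1 -p 5335` into dnssec_verdict (address assumed).

# Reads dig output on stdin and prints one word:
#   bogus    - status SERVFAIL: validation failed, expected for the first test query
#   secure   - status NOERROR with the 'ad' (Authenticated Data) flag: validated answer
#   insecure - status NOERROR without 'ad': unsigned zone, or resolver not validating
#   other    - anything else (NXDOMAIN, REFUSED, no header at all, ...)
dnssec_verdict() {
    awk '
        /->>HEADER<<-/ { sub(/.*status: /, ""); sub(/,.*/, ""); status = $0 }
        /^;; flags:/   { if ($0 ~ /flags:[^;]* ad( |;)/) ad = 1 }
        END {
            if (status == "SERVFAIL")           print "bogus"
            else if (status == "NOERROR" && ad) print "secure"
            else if (status == "NOERROR")       print "insecure"
            else                                print "other"
        }'
}

# Live use (needs dig and a reachable resolver): check_resolver NAME SERVER PORT
check_resolver() {
    dig +dnssec "$1" @"$2" -p "$3" | dnssec_verdict
}

# Constructed samples in dig's output format (not captured from a real resolver):
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 25336
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17271
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
www.example.net.        300     IN      A       192.0.2.10'

SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40125
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Usage: printf '%s\n' "$SAMPLE_SECURE" | dnssec_verdict   (prints "secure")
```

An "insecure" verdict for a name that should validate usually means the query went to a resolver other than your unbound (for example, Pi-hole was still pointed at an upstream) or that the trust anchor could not be loaded.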
Disable the resolvconf.conf entry for unbound (required for Debian Bullseye+ releases)

Debian Bullseye+ releases auto-install a resolvconf package with a configuration that causes unexpected behaviour for Pi-hole and unbound. The effect is that the accompanying service instructs resolvconf to write unbound's own DNS service address, but without the 5335 port, into the system resolver file. That file is used by local services/processes to determine which DNS servers are configured. You need to edit the configuration file and disable the service to work around the misconfiguration.

Step 1 - Disable the service

To check whether this service is enabled on your distribution, run the command below. It will show either enabled or disabled, or it might not even be installed, which results in a failure message:

To disable the service, run the statement below:

Step 2 - Disable the file resolvconf_resolvers.conf

Disable the file resolvconf_resolvers.conf from being generated when resolvconf is invoked elsewhere by commenting out the unbound_conf= line in /etc/resolvconf.conf and removing the file that has already been generated:

```bash
sudo sed -Ei 's/^unbound_conf=/#unbound_conf=/' /etc/resolvconf.conf
sudo rm /etc/unbound/unbound.conf.d/resolvconf_resolvers.conf
```

Restart unbound.
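To confirm that the two steps above actually took effect (and stay in effect after an upgrade), here is an added example, not part of the guide: shell functions that report whether the unbound_conf= line is still active, whether the generated file is still present, and whether the service is still enabled. The file paths default to the ones the guide names and can be overridden to test on copies; the unit name unbound-resolvconf.service is an assumption about the service the guide tells you to disable.

```shell
#!/bin/sh
# Added example, not from the guide: verify the openresolv/unbound workaround.

# Returns 0 if the resolvconf hook is disabled (no active unbound_conf= line
# in the config file), 1 otherwise. A missing file counts as disabled.
resolvconf_hook_disabled() {
    conf="${1:-/etc/resolvconf.conf}"
    [ -f "$conf" ] || return 0
    ! grep -Eq '^[[:space:]]*unbound_conf=' "$conf"
}

# Returns 0 if the generated resolver file is gone, 1 if it still exists.
generated_file_removed() {
    [ ! -e "${1:-/etc/unbound/unbound.conf.d/resolvconf_resolvers.conf}" ]
}

# Prints one line per check; exit status 0 only when everything is fixed.
# $1 = resolvconf.conf path, $2 = generated file path (both optional).
resolvconf_workaround_status() {
    failed=0
    if resolvconf_hook_disabled "$1"; then
        echo "resolvconf.conf: unbound_conf line disabled"
    else
        echo "resolvconf.conf: unbound_conf line still active"; failed=1
    fi
    if generated_file_removed "$2"; then
        echo "resolvconf_resolvers.conf: removed"
    else
        echo "resolvconf_resolvers.conf: still present"; failed=1
    fi
    if command -v systemctl >/dev/null 2>&1; then
        # Unit name assumed; is-enabled prints nothing usable when the unit is absent.
        state=$(systemctl is-enabled unbound-resolvconf.service 2>/dev/null || true)
        case "$state" in
            enabled) echo "unbound-resolvconf.service: enabled"; failed=1 ;;
            "")      echo "unbound-resolvconf.service: not installed" ;;
            *)       echo "unbound-resolvconf.service: $state" ;;
        esac
    fi
    return $failed
}

# Usage: resolvconf_workaround_status && echo "workaround in place"
```

Running the status function after each unbound or resolvconf package upgrade catches the case where the package re-enables the service or re-creates the generated file.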
Add logging to unbound

Warning: it's not recommended to increase verbosity for daily use, as unbound logs a lot. But it might be helpful for debugging purposes. There are five levels of verbosity:

First, specify the log file, human-readable timestamps and the verbosity level in the server section of your unbound configuration file:

Second, create the log directory and file, and set permissions:

On modern Debian/Ubuntu-based Linux systems, you'll also have to add an AppArmor exception for this new file so unbound can write into it.