一、BIND服务安装、启动
1、安装BIND
yum -y install bind*
2、启动DNS服务
#CentOS6:
service named start
#开机自启（以下 chkconfig 示例以 httpd 服务为例，DNS 服务把 httpd 换成 named 即可）
#添加nginx服务
chkconfig --add httpd
#开机自启nginx服务
chkconfig httpd on
#关闭开机自启
chkconfig httpd off
#查看（注意服务名是 httpd 而不是 apache，用 grep httpd 才能匹配到；DNS 服务则 grep named）
chkconfig --list | grep apache
#CentOS7:
systemctl start named.service
#开机自启
systemctl enable named
3、查看named进程状态
ps -eaf | grep named
4、验证端口监听（grep 53 也会匹配到 5353、8053 等端口，更准确的是 grep ':53 '）
netstat -an | grep 53
5、开放端口:
#firewall
firewall-cmd --zone=public --add-port=53/tcp --permanent
firewall-cmd --zone=public --add-port=53/udp --permanent
firewall-cmd --reload
#iptables
vi /etc/sysconfig/iptables
-I INPUT -p tcp --dport 53 -j ACCEPT
-I INPUT -p udp --dport 53 -j ACCEPT
service iptables restart
iptables -L -n
二、DNS服务相关配置文件
1、named.conf配置文件
(1) 位置:
named.conf 配置文件
/etc/named.conf
/etc/named.conf 通过 include 语句引入其它配置文件（如区域配置、根密钥）。
解析库文件
/var/named/
一般名字为:ZONE_NAME.zone
(2) 格式
# 全局配置段
options{...}
# 日志配置段
logging{...}
# 区域配置段
zone{...}
(3) 备份
cp -p /etc/named.conf /etc/named.conf.bak
(4) 修改
vim /etc/named.conf
修改内容
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
//
// NOTE(review): the stock file described above serves localhost only. The
// three lines marked "opened" below expose named on every interface to every
// client, and the firewall steps earlier in this tutorial open port 53 as
// well. Decide whether this host is an authoritative server or a recursive
// resolver before copying them (see the comment block before "recursion").
options {
listen-on port 53 { any; }; # opened: listen on every IPv4 address (stock file: localhost only)
listen-on-v6 port 53 { any; }; # opened: listen on every IPv6 address (stock file: localhost only)
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; }; # opened: answer queries from any client (stock file: localhost only)
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
// NOTE(review): together with "allow-query { any; }" above, "recursion yes"
// makes this an open recursive resolver for every client that can reach
// port 53 -- exactly the case the block above warns about. This tutorial
// goes on to add an authoritative zone (test.com) via named.rfc1912.zones,
// for which "recursion no;" is the safe setting; if recursion is really
// needed, limit who may use it, e.g. "allow-recursion { localnets; };".
recursion yes;
// dnssec-enable is accepted by the BIND shipped with CentOS 7 but has been
// removed from newer BIND releases; drop it if named-checkconf rejects it.
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run"; # relative to "directory" above, i.e. /var/named/data/named.run
severity dynamic;
};
};
// Root hints: lets named locate the root servers when it recurses.
zone "." IN {
type hint;
file "named.ca";
};
// Zone definitions (the tutorial adds test.com here) and the root trust anchor.
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
2、named.rfc1912.zones配置文件
(1) 位置
vim /etc/named.rfc1912.zones
(2) 格式
zone "ZONE_NAME" IN {
type {master|slave|hint|forward};
file "ZONE_NAME.zone";
};
示例
vim /etc/named.rfc1912.zones
# 添加如下内容
zone "test.com." IN {
type master;
file "test.com.zone";
};
3、建立test.com.zone数据文件
(1) 创建位置
vim /var/named/test.com.zone
(2) 格式
; Zone-file format example. Its origin is mytest.cn.; the tutorial's own zone
; is test.com., so replace $ORIGIN and the host names when reusing it.
;$TTL 600
; The $TTL default is commented out above, so the records below carry explicit
; TTLs. The SOA line itself has none; named presumably falls back to the SOA
; minimum (10800) for it -- confirm with named-checkzone.
$ORIGIN mytest.cn.
; SOA record
; owner-name ttl class rr name-server email-addr (sn ref ret ex min)
@ IN SOA ns1.mytest.cn. root.mytest.cn. (
2017031088 ; sn = serial number (YYYYMMDDnn style; must increase on every edit)
3600 ; ref = refresh = 1h (3600 s; the original note said 20m)
180 ; ret = retry = 3m (180 s; the original note said 1m)
1209600 ; ex = expiry = 2w
10800 ; nx = nxdomain ttl = 3h
)
; type syntax
; host ttl class type data
; NS records
@ 86400 IN NS ns1.mytest.cn.
@ 86400 IN NS ns2.mytest.cn.
; A records -- every NS named above needs a matching A record
ns1 600 IN A 10.10.8.1
ns2 600 IN A 10.10.8.2
| 项目 | 说明 |
| :-: | :-- |
| $TTL | TTL指令定义默认的TTL值。 |
示例
; test.com zone used by the rest of this tutorial (/var/named/test.com.zone).
$TTL 3600 ; default TTL for every record that does not carry its own
$ORIGIN test.com.
; SOA: MNAME is the zone apex test.com. rather than ns1.test.com.; it loads,
; but the primary name server (ns1) is the usual choice. RNAME admin.test.com.
; means the contact address admin@test.com.
@ IN SOA test.com. admin.test.com. (
2017011901 ; serial -- matches the "loaded serial 2017011901" shown by named-checkzone later; increase it on every edit
1H ; refresh
10M ; retry
3D ; expire
1D) ; negative-cache (NXDOMAIN) TTL
@ IN NS ns1.test.com.
@ IN MX 10 mail.test.com.
ns1 IN A 22.22.22.22 ; glue for the NS above
mail IN A 22.22.22.22
www IN A 22.22.22.22
bbs IN A 22.22.22.22
bbs IN A 22.22.22.22 ; NOTE(review): duplicate of the line above -- presumably unintended
(3)修改权限
# 进入zone文件目录
cd /var/named
# 修改区域文件的属组为named组（chown :named 与 chgrp named 等价，执行其一即可）
chown :named /var/named/test.com.zone
chgrp named /var/named/test.com.zone
# 修改区域文件的权限为640（属主root可读写，named组只读，其他用户无权限）
chmod 640 /var/named/test.com.zone
(4)检查语法
使用named-checkconf检查主配置文件，使用named-checkzone检查区域文件:
named-checkzone test.com. /var/named/test.com.zone
zone test.com/IN: loaded serial 2017011901
OK
(5)重载
rndc reload
#centos6
service named reload
service named restart
#server reload successful
#CentOS7 则执行
systemctl reload named.service
systemctl restart named.service
三、正向区域测试
dig test.com @10.3.3.211
dig -t A www.test.com @10.3.3.211
dig -t NS test.com @10.3.3.211