安装Bind9以及dnsutils测试工具
sudo apt-get install bind9
sudo apt-get install dnsutils
比如打算给我们的内网域名xxx.com解析到192.168.1.20
cd /etc/bind
sudo nano named.conf.local
首先编辑named.conf.local设置文件加入xxx.com域和反向解析域1.168.192.in-addr.arpa,并告诉bind9对应解释文件
zone "xxx.com" {
type master;
file "/etc/bind/db.xxx.com";
};
zone "1.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.1.168.192";
};
建立解释文件db.xxx.com
sudo nano db.xxx.com
输入下列内容
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA xxx.com. root.xxx.com. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS xxx.com.
@ IN A 192.168.1.20
www A 192.168.1.20
建立反向解释文件db.1.168.192
sudo nano db.1.168.192
;
; BIND reverse data file for local loopback interface
;
$TTL 604800
@ IN SOA xxx.com. root.xxx.com. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS xxx.com.
@ A 192.168.1.20
20 IN PTR www.xxx.com.
检测解析文件是否有问题
named-checkzone "xxx.com" "/etc/bind/db.xxx.com"
正确结果:
zone xxx.com/IN: loaded serial 2
OK
named-checkzone "1.168.192.in-addr.arpa" "/etc/bind/db.1.168.192"
正确结果:
zone 1.168.192.in-addr.arpa/IN: loaded serial 1
OK
设置DNS服务器设定
sudo nano /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders {
10.10.10.10;
};
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-enable no; #关闭DNS安全扩展
dnssec-validation no; #关闭DNS验证
auth-nxdomain no;
listen-on-v6 { any; };
};
#关闭安全扩展和验证是为了在本地局域网用你所喜欢的任何域名,因为自定义域名很可能在广域网早被人注册了,这样我们自定义域名严格来说属于DNS劫持
重启bind9服务
sudo service bind9 restart
检测是否解析到你想要的IP地址
dig @'DNS服务器所在IP地址' xxx.com
正常结果看起来是这样的:
; <<>> DiG 9.16.27-Debian <<>> @192.168.1.1 xxx.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28326
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: ****************************************** (good)
;; QUESTION SECTION:
;213.com. IN A
;; ANSWER SECTION:
xxx.com. 604800 IN A 192.168.1.20
;; Query time: 7 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Mon May 02 14:20:11 CST 2022
;; MSG SIZE rcvd: 80
网友评论