I. Installing and starting the BIND service
1. Install BIND
2. Start the DNS service
| #CentOS6: |
| service named start |
| #start on boot |
| #register the named service with chkconfig |
| chkconfig --add named |
| #enable named at boot |
| chkconfig named on |
| #disable start on boot |
| chkconfig named off |
| #check |
| chkconfig --list | grep named |
| |
| #CentOS7: |
| systemctl start named.service |
| #start on boot |
| systemctl enable named |
| |
3. Check the status of the named process
4. Verify that port 53 is listening
5. Open the port:
| #firewalld |
| firewall-cmd --zone=public --add-port=53/tcp --permanent |
| firewall-cmd --zone=public --add-port=53/udp --permanent |
| firewall-cmd --reload |
| |
| #iptables |
| vi /etc/sysconfig/iptables |
| #these rules accept 53/tcp and 53/udp from every source; for an internal resolver add -s <client network> so only your own clients can reach it |
| -I INPUT -p tcp --dport 53 -j ACCEPT |
| -I INPUT -p udp --dport 53 -j ACCEPT |
| |
| service iptables restart |
| iptables -L -n |
II. DNS service configuration files
1. The named.conf configuration file
(1) Location:
Main configuration file: /etc/named.conf, which pulls further files in through include statements.
Zone database files: normally named ZONE_NAME.zone, kept in the directory that named.conf points at (/var/named).
(2) Format
| # global options |
| options{...} |
| # logging |
| logging{...} |
| # zone definitions |
| zone{...} |
(3) Back up
| cp -p /etc/named.conf /etc/named.conf.bak |
(4) Edit
Edited content:
| // |
| // named.conf |
| // |
| // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS |
| // server as a caching only nameserver (as a localhost DNS resolver only). |
| // |
| // See /usr/share/doc/bind*/sample/ for example named configuration files. |
| // |
| // See the BIND Administrator's Reference Manual (ARM) for details about the |
| // configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html |
| |
| options { |
| listen-on port 53 { any; }; # listen on all IPv4 addresses |
| listen-on-v6 port 53 { any; }; # listen on all IPv6 addresses |
| directory "/var/named"; |
| dump-file "/var/named/data/cache_dump.db"; |
| statistics-file "/var/named/data/named_stats.txt"; |
| memstatistics-file "/var/named/data/named_mem_stats.txt"; |
| recursing-file "/var/named/data/named.recursing"; |
| secroots-file "/var/named/data/named.secroots"; |
| allow-query { any; }; # accept queries from anyone |
| |
| /* |
| - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion. |
| - If you are building a RECURSIVE (caching) DNS server, you need to enable |
| recursion. |
| - If your recursive DNS server has a public IP address, you MUST enable access |
| control to limit queries to your legitimate users. Failing to do so will |
| cause your server to become part of large scale DNS amplification |
| attacks. Implementing BCP38 within your network would greatly |
| reduce such attack surface |
| */ |
| recursion yes; # together with allow-query { any; } and no allow-recursion this is an open resolver: define an acl of your client networks and point allow-recursion at it |
| |
| dnssec-enable yes; |
| dnssec-validation yes; |
| |
| /* Path to ISC DLV key */ |
| bindkeys-file "/etc/named.root.key"; |
| |
| managed-keys-directory "/var/named/dynamic"; |
| |
| pid-file "/run/named/named.pid"; |
| session-keyfile "/run/named/session.key"; |
| }; |
| |
| logging { |
| channel default_debug { |
| file "data/named.run"; |
| severity dynamic; |
| }; |
| }; |
| |
| zone "." IN { |
| type hint; |
| file "named.ca"; |
| }; |
| |
| include "/etc/named.rfc1912.zones"; |
| include "/etc/named.root.key"; |
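The options block above, with `allow-query { any; }` and `recursion yes;`, does exactly what the comment inside it warns against: any host that can reach port 53 may use this server for recursion, which is the raw material of DNS amplification attacks. The audit below is an added example, not code from the original post or from BIND. It parses the subset of named.conf syntax the post uses and flags that pattern; the hardened variant beside it, the `trusted` acl, the 10.3.3.0/24 client network and the 10.3.3.211 server address are assumptions for illustration.

```python
"""Flag open-resolver settings in a BIND named.conf (added example).

Not part of the original post or of BIND itself. Understands only the
named.conf subset the post uses: `acl NAME { ... };` and `options { ... };`
made of `key value;` and `key { a; b; };` statements, plus //, # and /* */
comments. WEAK is the options block from the post; HARDENED is a constructed
alternative that keeps authoritative answers public but limits recursion to
an assumed trusted ACL (10.3.3.0/24 and 10.3.3.211 are assumptions).
"""
from __future__ import annotations
import re

WEAK = """
options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { any; };
    directory "/var/named";
    allow-query { any; };
    /* recursive server, public address, no access control */
    recursion yes;
    dnssec-validation yes;
};
"""

HARDENED = """
acl trusted { 127.0.0.1; 10.3.3.0/24; };   // assumed client network
options {
    listen-on port 53 { 127.0.0.1; 10.3.3.211; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    allow-query { any; };            # anyone may ask about zones we are authoritative for
    recursion yes;
    allow-recursion { trusted; };    # but only our own clients get recursion
    allow-query-cache { trusted; };  # and only they may read the cache
    dnssec-validation yes;
};
"""

STATEMENT = re.compile(r"([\w-]+)(?:\s+(?:port\s+\d+\s+)?\{([^}]*)\}|\s+([^;{]+))\s*;")


def strip_comments(text: str) -> str:
    """Remove the three comment styles named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def extract_block(text: str, keyword: str) -> str:
    """Return the body of `keyword { ... }`, honouring nested braces."""
    start = re.search(rf"\b{keyword}\s*\{{", text)
    if not start:
        return ""
    depth = 0
    for j in range(start.end() - 1, len(text)):
        if text[j] == "{":
            depth += 1
        elif text[j] == "}":
            depth -= 1
            if depth == 0:
                return text[start.end():j]
    raise ValueError(f"unbalanced braces in {keyword} block")


def parse_statements(body: str) -> dict:
    """`key value;` -> str, `key { a; b; };` -> list of address-match elements."""
    out = {}
    for key, braced, plain in STATEMENT.findall(body):
        out[key] = plain.strip() if plain else [v.strip() for v in braced.split(";") if v.strip()]
    return out


def parse_acls(text: str) -> dict:
    return {name: [v.strip() for v in body.split(";") if v.strip()]
            for name, body in re.findall(r'\bacl\s+"?([\w-]+)"?\s*\{([^}]*)\}\s*;', text)}


def effective_recursion_acl(opts: dict) -> tuple[str, list]:
    """Who is granted recursion, following the BIND 9 ARM default chain:
    allow-recursion -> allow-query-cache -> allow-query -> localnets; localhost."""
    for key in ("allow-recursion", "allow-query-cache", "allow-query"):
        if key in opts:
            return key, opts[key]
    return "default", ["localnets", "localhost"]


def audit_resolver(conf: str) -> list[str]:
    """Return findings; an empty list means no open-resolver pattern was found."""
    text = strip_comments(conf)
    acls = parse_acls(text)
    opts = parse_statements(extract_block(text, "options"))
    findings = []
    if opts.get("recursion", "yes") == "yes":          # BIND's default is recursion yes
        source, members = effective_recursion_acl(opts)
        expanded = {m for item in members for m in acls.get(item, [item])}
        if "any" in expanded:
            findings.append(f"open resolver: recursion yes and recursion granted to 'any' via {source}")
        if "any" in opts.get("listen-on", []) or "any" in opts.get("listen-on-v6", []):
            findings.append("recursive service listens on every interface; bind it to internal addresses")
    return findings


if __name__ == "__main__":
    for label, conf in (("post's options", WEAK), ("hardened", HARDENED)):
        print(label, "->", audit_resolver(conf) or ["no open-resolver findings"])
```

Run it and the post's block produces two findings while the hardened block produces none. Note that the `allow-query { any; }` line is kept in the hardened variant on purpose: an authoritative server for test.com must answer anyone, and it is `allow-recursion`, not `allow-query`, that decides who may use the cache.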
2. The named.rfc1912.zones configuration file
(1) Location
| vim /etc/named.rfc1912.zones |
(2) Format
| zone "ZONE_NAME" IN { |
| type {master|slave|hint|forward}; |
| file "ZONE_NAME.zone"; |
| }; |
Example
| vim /etc/named.rfc1912.zones |
| # add the following |
| zone "test.com." IN { |
| type master; |
| file "test.com.zone"; |
| }; |
3. Create the test.com.zone data file
(1) Location to create it
| vim /var/named/test.com.zone |
(2) Format
| $TTL 600 |
| $ORIGIN mytest.cn. |
| ; SOA record |
| ; owner-name ttl class rr name-server email-addr (sn ref ret ex min) |
| @ IN SOA ns1.mytest.cn. root.mytest.cn. ( |
| 2017031088 ; sn = serial number |
| 3600 ; ref = refresh = 1h |
| 180 ; ret = retry = 3m |
| 1209600 ; ex = expire = 2w |
| 10800 ; nx = negative (NXDOMAIN) cache ttl = 3h |
| ) |
| ; record syntax |
| ; host ttl class type data |
| ; NS records |
| @ 86400 IN NS ns1.mytest.cn. |
| @ 86400 IN NS ns2.mytest.cn. |
| ; A records |
| ns1 600 IN A 10.10.8.1 |
| ns2 600 IN A 10.10.8.2 |
| Item | Description |
| :-: | :-- |
| $TTL 600 | Defines the default TTL, so the resource records below need not carry their own TTL. |
| $ORIGIN mytest.cn. | Lets names be abbreviated in resource records: "ns1.mytest.cn." can be written as ns1, which inherits the domain given after $ORIGIN. |
| SOA | Start of Authority record; its fields are described below. |
| owner-name | The current zone, usually written as @. |
| ttl | Standard TTL value, range 0 to 2147483647. Usually omitted here; in BIND 9 the default TTL comes from the $TTL directive. |
| rr | Resource record type (here SOA). |
| name-server | The primary (master) DNS server for this zone. |
| email-addr | E-mail address of the person responsible for the zone; because @ has a special meaning here, it is replaced with a dot. |
| sn | Serial number. Increment it every time the zone content changes so that slaves know to synchronise. Range 1 to 4294967295; the largest increment in one step is 2147483647. |
| ref | Refresh interval: how often a slave actively checks the master for updates. Recommended 1200 to 43200 seconds. |
| ret | Retry interval: how long a slave waits after a failed refresh before trying again. Typical values are 180 (3 minutes) to 900 (15 minutes) or higher. |
| ex | Expire time: if refreshes keep failing for this long, the slave stops treating its copy of the zone as authoritative. Recommended 1209600 to 2419200 seconds (2 to 4 weeks). |
| nx / min | From BIND 9 on this field is the negative-caching TTL: how long any resolver may cache a NAME ERROR (NXDOMAIN) result. BIND caps the effective value at 3 hours (10800 seconds) by default (max-ncache-ttl). Note: in BIND 4 to 8 it was "min", the default TTL for any RR in the zone without an explicit TTL; BIND 9 takes that default from the $TTL directive instead. |
Example
| $TTL 3600 |
| $ORIGIN test.com. |
| @ IN SOA ns1.test.com. admin.test.com. ( |
| 2017011901 ; serial |
| 1H ; refresh |
| 10M ; retry |
| 3D ; expire |
| 1D ) ; negative cache TTL |
| |
| @ IN NS ns1.test.com. |
| @ IN MX 10 mail.test.com. |
| ns1 IN A 22.22.22.22 |
| mail IN A 22.22.22.22 |
| www IN A 22.22.22.22 |
| bbs IN A 22.22.22.22 |
(3) Set permissions
| # go to the zone file directory |
| cd /var/named |
| # give the zone file to the named group so the service can read it |
| chgrp named /var/named/test.com.zone |
| # restrict the zone file to mode 640 (owner read/write, group read, nothing for others) |
| chmod 640 /var/named/test.com.zone |
(4) Check the syntax
Use the named-checkzone command (named-checkconf does the same job for named.conf itself):
| named-checkzone test.com. /var/named/test.com.zone |
| |
| zone test.com/IN: loaded serial 2017011901 |
| OK |
(5) Reload
| rndc reload |
| #server reload successful |
| |
| #or, on CentOS 6 |
| service named reload |
| service named restart |
| |
| #or, on CentOS 7 |
| systemctl reload named.service |
| systemctl restart named.service |
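named-checkzone confirms that a zone file parses and loads, but it does not tell you whether the data makes sense: whether the SOA's primary name server is actually one of the zone's NS records, whether every in-zone NS and MX target has an address record, whether a record was pasted twice, or whether the serial has been bumped so that slaves will pull the change after the reload. The linter below is an added example, not code from the original post or from BIND; it handles only the zone syntax used on this page. `ZONE` is a constructed variant of the test.com example with two mistakes planted for the checks to find (the SOA MNAME points at the zone apex instead of ns1, and the bbs record appears twice), and `next_serial()` implements the YYYYMMDDnn convention the post's serials follow.

```python
"""Lint a zone file before `rndc reload` (added example, not from the post or from BIND).

Handles only the syntax the post uses: $TTL, $ORIGIN, @, a parenthesised SOA,
1H/10M/3D time units and ; comments. ZONE is a constructed variant of the
post's test.com example with two planted mistakes (SOA MNAME at the zone apex,
bbs listed twice). next_serial() bumps a YYYYMMDDnn serial the way an operator
would before reloading so that slaves notice the change.
"""
from __future__ import annotations
import re
from datetime import date

ZONE = """\
$TTL 3600
$ORIGIN test.com.
@   IN SOA test.com. admin.test.com. (
        2017011901 ; serial
        1H         ; refresh
        10M        ; retry
        3D         ; expire
        1D )       ; negative cache TTL

@    IN NS  ns1.test.com.
@    IN MX  10 mail.test.com.
ns1  IN A   22.22.22.22
mail IN A   22.22.22.22
www  IN A   22.22.22.22
bbs  IN A   22.22.22.22
bbs  IN A   22.22.22.22
"""

UNIT = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}


def to_seconds(tok: str) -> int:
    """BIND time value: plain seconds or a number with an S/M/H/D/W suffix."""
    m = re.fullmatch(r"(\d+)([SMHDW]?)", tok.upper())
    if not m:
        raise ValueError(f"bad time value {tok!r}")
    return int(m.group(1)) * UNIT[m.group(2) or "S"]


def fqdn(name: str, origin: str) -> str:
    """Expand @ and relative names against $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text: str) -> tuple[list[tuple], dict]:
    """Return (records, meta); a record is (owner, ttl, type, rdata tuple)."""
    origin = default_ttl = last_owner = None
    stripped = "\n".join(ln.split(";", 1)[0] for ln in text.splitlines())
    # fold a parenthesised record (the SOA) onto a single line
    flat = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), stripped)
    records = []
    for ln in flat.splitlines():
        toks = ln.split()
        if not toks:
            continue
        if toks[0] == "$ORIGIN":
            origin = toks[1]
            continue
        if toks[0] == "$TTL":
            default_ttl = to_seconds(toks[1])
            continue
        # a line that starts with whitespace repeats the previous owner name
        owner = last_owner if ln[0].isspace() else fqdn(toks.pop(0), origin)
        last_owner, ttl = owner, default_ttl
        if re.fullmatch(r"\d+[SMHDW]?", toks[0].upper()):
            ttl = to_seconds(toks.pop(0))
        if toks[0].upper() == "IN":
            toks.pop(0)
        records.append((owner, ttl, toks[0].upper(), tuple(toks[1:])))
    return records, {"origin": origin, "ttl": default_ttl}


def lint_zone(text: str) -> list[str]:
    """Checks that named-checkzone does not make on its own."""
    records, meta = parse_zone(text)
    origin, findings = meta["origin"], []
    if meta["ttl"] is None:
        findings.append("no $TTL directive; BIND 9 falls back to the SOA minimum and warns")
    soa = [r for r in records if r[2] == "SOA"]
    ns_names = {fqdn(r[3][0], origin) for r in records if r[2] == "NS"}
    if len(soa) != 1:
        findings.append(f"expected one SOA record, found {len(soa)}")
    elif fqdn(soa[0][3][0], origin) not in ns_names:
        findings.append(f"SOA MNAME {fqdn(soa[0][3][0], origin)} is not one of the NS records {sorted(ns_names)}")
    # in-zone NS and MX targets need an address record, or resolution dead-ends
    have_addr = {r[0] for r in records if r[2] in ("A", "AAAA")}
    for r in records:
        if r[2] in ("NS", "MX"):
            target = fqdn(r[3][-1], origin)
            if target.endswith("." + origin) and target not in have_addr:
                findings.append(f"{r[2]} target {target} has no A/AAAA record in the zone")
    seen = set()
    for owner, _ttl, rtype, rdata in records:
        if (owner, rtype, rdata) in seen:
            findings.append(f"duplicate record: {owner} {rtype} {' '.join(rdata)}")
        seen.add((owner, rtype, rdata))
    return findings


def next_serial(current: int, today: str | None = None) -> int:
    """YYYYMMDDnn convention: today's date with nn=01, or current+1 when the
    zone has already been changed today. The serial must only ever grow."""
    today = today or date.today().strftime("%Y%m%d")
    base = int(today) * 100 + 1
    new = base if current < base else current + 1
    if new > 4294967295:
        raise ValueError("serial would exceed 32 bits")
    return new


if __name__ == "__main__":
    for problem in lint_zone(ZONE):
        print("WARN:", problem)
    serial = int(next(r for r in parse_zone(ZONE)[0] if r[2] == "SOA")[3][2])
    print("current serial", serial, "-> next", next_serial(serial))
```

Run `lint_zone()` on the real file, fix what it reports, bump the serial with `next_serial()`, then run named-checkzone and `rndc reload` as shown above; a reload with an unchanged serial is accepted by the master but ignored by every slave.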
III. Testing the forward zone
| dig test.com @10.3.3.211 |
| dig -t A www.test.com @10.3.3.211 |
| dig -t NS test.com @10.3.3.211 |
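When reading dig's output for these queries, two header flags matter beyond the answer itself: `aa` confirms that 10.3.3.211 answered authoritatively for test.com, and `ra` tells you the server is willing to recurse for the host you asked from; seeing `ra` from a host outside your trusted networks means the server is an open resolver. The following is an added example, not code from the post, from BIND or from dig: it builds the same query packet `dig -t A www.test.com @10.3.3.211` sends, parses a reply and reports the flags the way dig does. The server's reply is constructed inline so the block runs offline (22.22.22.22 is the address from the zone file above, not a captured answer); `send_query()` is the only part that touches the network.

```python
"""The exchange behind `dig -t A www.test.com @10.3.3.211`, at the wire level
(added example; not code from the post, from BIND or from dig).

build_query() produces the question dig sends; parse_response() reads what comes
back and reports the header flags dig prints (qr aa rd ra). The server reply is
constructed inline so the block runs offline: 10.3.3.211 and 22.22.22.22 are the
addresses the post uses, not a captured answer. send_query() is the only part
that touches the network.
"""
from __future__ import annotations
import socket
import struct

FLAG_BITS = (("qr", 0x8000), ("aa", 0x0400), ("tc", 0x0200), ("rd", 0x0100),
             ("ra", 0x0080), ("ad", 0x0020), ("cd", 0x0010))


def encode_name(name: str) -> bytes:
    """www.test.com -> b'\\x03www\\x04test\\x03com\\x00'"""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234, rd: bool = True) -> bytes:
    """Header (id, flags with RD set as dig does, QDCOUNT=1) followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def decode_name(msg: bytes, off: int) -> tuple[str, int]:
    """Read a possibly compressed name; return (name, offset just after the field)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                   # compression pointer
            hops += 1
            if hops > 16:                           # malformed input: refuse to loop forever
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if end is not None else off


def parse_response(msg: bytes) -> dict:
    """Header flags plus the answer section (A rdata rendered as dotted quad)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                             # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "flags": " ".join(n for n, bit in FLAG_BITS if flags & bit),
            "aa": bool(flags & 0x0400), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "answers": answers}


def constructed_response(query: bytes, addr: str, ttl: int = 3600, flags: int = 0x8580) -> bytes:
    """Stand-in for the server: echo the question and answer with one A record whose
    name is a pointer to the question at offset 12. Default flags are QR|AA|RD|RA."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(addr)
    return header + query[12:] + answer


def send_query(server: str, qname: str, qtype: int = 1, timeout: float = 2.0) -> bytes:
    """Live UDP exchange with a real server (not exercised offline)."""
    query = build_query(qname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != query[:2]:
        raise ValueError("transaction id mismatch: not the answer to our query")
    return data


if __name__ == "__main__":
    q = build_query("www.test.com")
    r = parse_response(constructed_response(q, "22.22.22.22"))
    print("flags:", r["flags"], "answers:", r["answers"])
    # 'aa' means the server is authoritative for test.com; 'ra' in a reply sent to a
    # host outside the trusted networks means the server is an open resolver.
```

To run the same check against the real server, replace the constructed reply with `parse_response(send_query("10.3.3.211", "www.test.com"))` from a host that should not be allowed recursion and confirm that `ra` is absent.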