For BIND 9, following recommendations found online, I downloaded version 9.11.18.
Download address: https://www.isc.org/bind/
First, the development environment needs to be installed, including development packages such as OpenSSL (preferably from a local yum mirror). OpenSSL is generally already installed, since the machine is logged into over SSH anyway.
yum groupinstall "Development Tools" "Server Platform Development"
1. Installation process
#tar -zxvf bind-9.11.18.tar.gz
#groupadd -g 53 -r named
#useradd -u 53 -s /sbin/nologin -r named -g named
53, the DNS port number, is used as the GID of the named group and the UID of the named user.
#mkdir /var/named
#chgrp named /var/named/    (change the group owner to named)
If you did not add -s /sbin/nologin when creating the user, you can change it later: usermod -s /sbin/nologin named
cd into the extracted directory
./configure --prefix=/usr/local/bind9 --sysconfdir=/etc/named --disable-ipv6 --disable-chroot --enable-threads --without-python
    --prefix=/usr/local/bind9    install into this directory
    --sysconfdir=/etc/named      directory for the configuration files
    --disable-ipv6               disable IPv6 (optional)
    --disable-chroot             disable chroot
    --enable-threads             build with thread support
    --without-python             add this option when the error below appears
make
make install
Error that may occur:
configure: error: Python >= 2.7 or >= 3.2 and the PLY package are required for dnssec-keymgr and other Python-based tools. PLY may be available from your OS package manager as python-ply or python3-ply; it can also be installed via pip. To build without Python/PLY, use --without-python.
2. Environment variable configuration
Installation is complete, but building the BIND source package yourself leaves the following gaps:
(1) no configuration file
(2) no zone files (including the hints file for the 13 root servers)
(3) no rndc configuration files
Solving the above problems
Create a file that adds the PATH environment variable: vim /etc/profile.d/named.sh
export PATH=/usr/local/bind9/bin:/usr/local/bind9/sbin:$PATH
Re-read the file: . /etc/profile.d/named.sh
Create the library path file: vim /etc/ld.so.conf.d/named.conf
/usr/local/bind9/lib
Regenerate the library search cache: ldconfig -v
Link the header files:
[root@test_iptables ~]# ln -sv /usr/local/bind9/include /usr/include/named
`/usr/include/named' -> `/usr/local/bind9/include'
Export the man page search path: vim /etc/man.config (vim /etc/man_db.conf on CentOS 7) and add the line
MANPATH /usr/local/bind9/share/man
Edit the configuration file
[root@test_iptables ~]# cd /etc/named
[root@test_iptables named]# vi named.conf
options {
    …
    directory "/var/named";
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "named.local";
    allow-update { none; };
};
Change the permissions (this part can wait until the zone files are done and be done all at once):
[root@test_iptables named]# chown root:named -R /etc/named
[root@test_iptables named]# chmod 640 /etc/named/*
cd /var/named
dig -t NS . @server > named.ca
(server: the address of a DNS server on the Internet; this requires network access. The file can also be copied over or the entries added one at a time.) If you do not know a DNS server address, you can also obtain the default root servers without @server.
# With network access, write the result of querying the root directly into the root hints file
[root@test_iptables named]# dig -t NS . > /var/named/named.ca
[root@test_iptables named]# ll
total 4
-rw-r--r--. 1 root root 797 May 12 10:10 named.ca
[root@test_iptables named]# cat named.ca
; <<>> DiG 9.11.18 <<>> -t NS .
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52815
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;.                              IN      NS
;; ANSWER SECTION:
.                       5       IN      NS      i.root-servers.net.
.                       5       IN      NS      c.root-servers.net.
.                       5       IN      NS      l.root-servers.net.
.                       5       IN      NS      a.root-servers.net.
.                       5       IN      NS      h.root-servers.net.
.                       5       IN      NS      m.root-servers.net.
.                       5       IN      NS      j.root-servers.net.
.                       5       IN      NS      k.root-servers.net.
.                       5       IN      NS      e.root-servers.net.
.                       5       IN      NS      d.root-servers.net.
.                       5       IN      NS      f.root-servers.net.
.                       5       IN      NS      b.root-servers.net.
.                       5       IN      NS      g.root-servers.net.
;; Query time: 20 msec
;; SERVER: 192.168.56.2#53(192.168.56.2)
;; WHEN: Tue May 12 10:10:01 CST 2020
;; MSG SIZE  rcvd: 228
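A sanity check for the hints file built above, added here as an example and not part of the original post. The dig output shown carries only the NS names (ADDITIONAL: 0), while a root hints file is expected to carry the A/AAAA records of the root servers as well, so the function reports every root NS that has no address record in the file. The sample file it writes is constructed (TEST-NET addresses, not real root server addresses); the file name and the five-field "owner TTL IN TYPE rdata" layout are assumptions.

```shell
# Added example, not from the original post: check a root hints file for NS
# entries that lack an address record.

# check_root_hints FILE
# Prints the names of root NS entries without an A or AAAA record, one per
# line, and returns 1; returns 0 (prints nothing) when every NS has an address.
# Assumes the 5-field layout "owner TTL IN TYPE rdata" that dig writes.
check_root_hints() {
    missing=$(awk '
        /^;/ || NF < 5 { next }            # skip dig comments and short lines
        $1 == "." && $4 == "NS"   { ns[tolower($5)] = 1 }
        $4 == "A" || $4 == "AAAA" { addr[tolower($1)] = 1 }
        END { for (n in ns) if (!(n in addr)) print n }
    ' "$1" | sort)
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# make_sample_hints FILE
# Writes a constructed hints file (TEST-NET addresses, not real root server
# addresses) in which b.root-servers.net. deliberately has no glue record.
make_sample_hints() {
    cat > "$1" <<'EOF'
; constructed sample for check_root_hints, not a real root hints file
.                        518400  IN  NS    a.root-servers.net.
.                        518400  IN  NS    b.root-servers.net.
a.root-servers.net.      518400  IN  A     192.0.2.1
a.root-servers.net.      518400  IN  AAAA  2001:db8::1
EOF
}

# Usage: sh hints-check.sh /var/named/named.ca
case "${1:-}" in
    "") ;;
    *)  if check_root_hints "$1"; then
            echo "all root NS entries in $1 have address records"
        else
            echo "the root NS entries above lack address records in $1" >&2
        fi ;;
esac
```

Run it against /var/named/named.ca after generating the file; an empty result means each root server name resolves from the hints alone.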
# Now create the zone files for each zone; the root zone was configured above
# Forward zone
[root@test_iptables named]# vi localhost.zone
$TTL 1d
@           IN SOA  localhost. admin.localhost. (
                    2020051210  ; serial
                    1H          ; refresh
                    5M          ; retry
                    7D          ; expire
                    1D )        ; minimum (negative caching TTL)
            IN NS   localhost.
localhost.  IN A    127.0.0.1
# Reverse zone
[root@test_iptables named]# vi named.local
$TTL 1d
@           IN SOA  localhost. admin.localhost. (
                    2020051210  ; serial
                    1H          ; refresh
                    5M          ; retry
                    7D          ; expire
                    1D )        ; minimum (negative caching TTL)
            IN NS   localhost.
1           IN PTR  localhost.
Change the group owner and permissions of the zone files
chown root:named -R /var/named/
chmod 640 /var/named/*
Generate the rndc configuration file
[root@test_iptables named]# rndc-confgen -r /dev/urandom > /etc/named/rndc.conf
[root@test_iptables named]# ll
total 12
-rw-r-----. 1 root named 1859 May 12 09:08 bind.keys
-rw-r-----. 1 root named  335 May 12 10:29 named.conf
-rw-r--r--. 1 root root   479 May 12 10:37 rndc.conf
[root@test_iptables named]# cat rndc.conf
# Start of rndc.conf
key "rndc-key" {
        algorithm hmac-md5;
        secret "gVaS8XiuZQncnBMiQINYIQ==";
};

options {
        default-key "rndc-key";
        default-server 127.0.0.1;
        default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#       algorithm hmac-md5;
#       secret "gVaS8XiuZQncnBMiQINYIQ==";
# };
#
# controls {
#       inet 127.0.0.1 port 953
#               allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
After generating it, the commented-out part above still has to be added to /etc/named/named.conf with the comment markers removed.
[root@test_iptables named]# cat /etc/named/named.conf
options {
    directory "/var/named";
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "named.local";
    allow-update { none; };
};
key "rndc-key" {
    algorithm hmac-md5;
    secret "gVaS8XiuZQncnBMiQINYIQ==";
};
controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};
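An audit of the files this guide places under /etc/named and /var/named, added here as an example and not part of the original post. The listing after rndc-confgen above shows rndc.conf created as -rw-r--r-- root:root although it carries the same rndc-key secret as named.conf, so the 640 root:named setting applied to the other files belongs on it too. The functions take the owner as an argument; "root:named" is the value the guide uses, and GNU stat (as on CentOS) is assumed.

```shell
# Added example, not from the original post: find configuration files that are
# readable by others or not owned as intended, and apply the guide's settings.

# audit_conf_dir DIR OWNER:GROUP
# Prints one line per regular file in DIR that is accessible by "other" or not
# owned by OWNER:GROUP. Returns 0 if every file passes, 1 otherwise.
# Uses GNU stat (-c), as on CentOS.
audit_conf_dir() {
    dir="$1"; want="$2"; bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")        # octal mode, e.g. 640
        owner=$(stat -c '%U:%G' "$f")    # user:group names
        case "$mode" in                  # last octal digit = "other" bits
            *[1-7]) printf 'world-accessible: %s (%s %s)\n' "$f" "$mode" "$owner"; bad=1 ;;
        esac
        if [ "$owner" != "$want" ]; then
            printf 'wrong owner: %s (%s, want %s)\n' "$f" "$owner" "$want"; bad=1
        fi
    done
    return $bad
}

# fix_conf_dir DIR OWNER:GROUP
# Applies what the guide does by hand: OWNER:GROUP recursively, mode 640 on the files.
fix_conf_dir() {
    chown -R "$2" "$1"
    chmod 640 "$1"/*
}

# Usage (as root, after sourcing this file):
#   audit_conf_dir /etc/named root:named || fix_conf_dir /etc/named root:named
#   audit_conf_dir /var/named root:named || fix_conf_dir /var/named root:named
```

Run the audit after every rndc-confgen or zone edit, since tools that write new files do so with the umask of the shell, not with the mode the guide set earlier.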
Test
[root@centfils named]# named -u named -f -g -d 3
#-u  run as the named user
#-f  run in the foreground
#-g  send logging to standard error
#-d  debug level
[root@test_iptables ~]# ss -tunl | grep 53
udp   UNCONN  0   0     192.168.56.147:53   *:*
udp   UNCONN  0   0     127.0.0.1:53        *:*
udp   UNCONN  0   0     :::53               :::*
tcp   LISTEN  0   10    192.168.56.147:53   *:*
tcp   LISTEN  0   10    127.0.0.1:53        *:*
tcp   LISTEN  0   10    :::53               :::*
tcp   LISTEN  0   128   127.0.0.1:953       *:*
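A mechanical version of the check above, added here as an example and not part of the original post: it reads "ss -tunl" output and confirms that port 53 is up while the rndc control channel (port 953, the controls block in named.conf) is bound only on loopback. SAMPLE_SS is a constructed copy of the listener list shown above; the function names are mine.

```shell
# Added example, not from the original post: verify named's listeners from
# "ss -tunl" output.

# Constructed copy of the ss output shown in the post (no header line).
SAMPLE_SS='udp UNCONN 0 0 192.168.56.147:53 *:*
udp UNCONN 0 0 127.0.0.1:53 *:*
udp UNCONN 0 0 :::53 :::*
tcp LISTEN 0 10 192.168.56.147:53 *:*
tcp LISTEN 0 10 127.0.0.1:53 *:*
tcp LISTEN 0 10 :::53 :::*
tcp LISTEN 0 128 127.0.0.1:953 *:*'

# control_channel_exposed SS_OUTPUT
# Prints every local socket on port 953 that is not a loopback address and
# returns 1; returns 0 when the control channel is loopback-only.
control_channel_exposed() {
    exposed=$(printf '%s\n' "$1" | awk '
        { n = split($5, p, ":"); port = p[n] }   # port follows the last colon
        port == "953" && $5 != "127.0.0.1:953" && $5 != "[::1]:953" && $5 != "::1:953" { print $5 }')
    if [ -n "$exposed" ]; then
        printf '%s\n' "$exposed"
        return 1
    fi
    return 0
}

# dns_listener_count SS_OUTPUT
# Counts sockets (udp and tcp) bound on port 53, to confirm named came up.
dns_listener_count() {
    printf '%s\n' "$1" | awk '
        { n = split($5, p, ":"); if (p[n] == "53") c++ }
        END { print c + 0 }'
}

# Usage on the server:
#   out=$(ss -tunl)
#   [ "$(dns_listener_count "$out")" -gt 0 ] || echo "named is not listening on 53"
#   control_channel_exposed "$out" || echo "rndc control port reachable off-host"
```

The sample passes: six sockets on port 53 and a single 953 listener on 127.0.0.1, which matches the allow list in the controls block.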