Setting up an internal DNS server for the company network on CentOS 7
References
1. Official download page: https://www.isc.org/download/
2. How to forward different subdomains directly (similar to writing /etc/hosts on a machine): https://serverfault.com/questions/18748/overriding-some-dns-entries-in-bind-for-internal-networks
3. bind9 startup error "network unreachable resolving './DNSKEY/IN': 2001:500:1::53#53", caused by the server not supporting IPv6: https://www.simaek.com/archives/323/
4. Building bind9 from source: https://www.ttzero.org/blog/2020/06/11/BIND9-install.html
5. CentOS BIND9 installation and configuration: https://www.cnblogs.com/zhangeamon/p/9447558.html
Procedure
Server: 192.168.0.122
OS version: CentOS 7.9
DNS software: BIND 9
I originally wanted to compile the latest Bind9 myself (version 9.20.3), but starting with that version it is written in C11; CentOS 7.9 is fairly old, and supporting a C11 build would mean upgrading all sorts of compilers, so in the end I chose to install it directly with yum.
Install
yum install bind
After that completes, the installed version is: BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.16 (Extended Support Version)
Enable start at boot
systemctl enable named
Configuration
File: /etc/sysconfig/named
Final contents. Note: to make the explanation easier to follow, the explanatory comments (prefixed "Note:") in the configuration below should be deleted in actual use.
# BIND named process options
# ~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# OPTIONS="whatever" -- These additional options will be passed to named
# at startup. Don't add -t here, enable proper
# -chroot.service unit file.
# Use of parameter -c is not supported here. Extend
# systemd named*.service instead. For more
# information please read the following KB article:
# https://access.redhat.com/articles/2986001
#
# DISABLE_ZONE_CHECKING -- By default, service file calls named-checkzone
# utility for every zone to ensure all zones are
# valid before named starts. If you set this option
# to 'yes' then service file doesn't perform those
# checks.
# Note: our server does not support IPv6, so IPv4 must be forced; otherwise the service will not start
OPTIONS="-4"
File: /etc/rndc.conf
rndc is the management utility; it can be used to reload the configuration, stop the service, force a sync, and so on.
rndc-confgen > /etc/rndc.conf
Final contents. Note: to make the explanation easier to follow, the explanatory comments (prefixed "Note:") in the configuration below should be deleted in actual use.
# Start of rndc.conf
key "rndc-key" {
algorithm hmac-md5;
secret "Dwyu8nRLWRI6YKcGggdz8Q==";
};
options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};
# End of rndc.conf
# Use with the following in named.conf, adjusting the allow list as needed:
# Note: nothing in this file needs to be added or changed; just copy the block below into /etc/named.conf and remove the leading # signs
# Note: ====== copy start ======
# key "rndc-key" {
# algorithm hmac-md5;
# secret "Dwyu8nRLWRI6YKcGggdz8Q==";
# };
#
# controls {
# inet 127.0.0.1 port 953
# allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# Note: ====== copy end ======
# End of named.conf
File: /etc/named.conf
Make a backup
cp /etc/named.conf /etc/named.conf_bak_20241122
Final contents. Note: to make the explanation easier to follow, the explanatory comments (prefixed "Note:") in the configuration below should be deleted in actual use.
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
// Note: this block was copied from /etc/rndc.conf === start
key "rndc-key" {
algorithm hmac-md5;
secret "Dwyu8nRLWRI6YKcGggdz8Q==";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
// Note: this block was copied from /etc/rndc.conf === end
options {
# listen-on port 53 { 127.0.0.1; };
// Note: no restriction on the listening address; changed to any
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
# allow-query { localhost; };
allow-query { any; };
// Note: if this server cannot resolve a name itself, forward the query upstream === start
forward first;
forwarders {
192.168.1.254;
114.114.114.114;
8.8.8.8;
// (0.0.0.0 is not a valid forwarder address and has been dropped from the list)
};
// Note: if this server cannot resolve a name itself, forward the query upstream === end
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
#dnssec-validation yes;
// Note: changed to no; otherwise the forwarders above do not take effect!
dnssec-validation no;
#auth-nxdomain no; # conform to RFC1035
/* Path to ISC DLV key */
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
// Note: see reference 2
response-policy { zone "mine"; };
};
// Note: the logging section below is nothing special; it only changes the output files, the maximum log size and how many rotated copies are kept === start
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
channel queries_log {
file "data/queries.run" versions 3 size 50m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel resolver_log {
file "data/resolver.run" versions 3 size 50m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel query_errors_log {
file "data/query-errors.run" versions 3 size 50m;
print-time yes;
print-category yes;
print-severity yes;
severity dynamic;
};
category queries { queries_log; };
category resolver { resolver_log; };
category query-errors { query_errors_log; };
};
// Note: the logging section below is nothing special; it only changes the output files, the maximum log size and how many rotated copies are kept === end
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
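The options block above combines recursion yes, listen-on { any; } and allow-query { any; } without an allow-recursion ACL, which is exactly the open-resolver combination the stock comment in the file warns about; it is tolerable only while the server is reachable from the LAN alone. The script below is an added example, not part of the original post and not a BIND tool: it audits a named.conf for that combination and for an hmac-md5 rndc key, using two constructed sample configs (the "AAAA" secrets and the 192.168.0.0/16 allow-recursion range are placeholders and assumptions, not values from the post).

```shell
#!/bin/sh
# Added example (not from the original post): audit a named.conf for the
# open-resolver combination and for an hmac-md5 rndc key.
# Prints findings on one line, space separated, or "OK":
#   OPEN_RESOLVER   recursion yes; plus allow-query { any; } and no allow-recursion ACL
#   WEAK_RNDC_KEY   the rndc key stanza uses algorithm hmac-md5

# Drop // and # line comments (so the stock commented-out
# "# allow-query { localhost; };" line is not counted) and squeeze whitespace.
strip_comments() {
    sed -e 's|//.*$||' -e 's|#.*$||' "$1" | tr '\t' ' ' | tr -s ' '
}

# count PATTERN TEXT -> number of lines of TEXT matching the basic regex PATTERN
count() {
    printf '%s\n' "$2" | grep -c "$1" || true
}

# audit_named_conf FILE -> findings (or OK) on stdout
audit_named_conf() {
    body=$(strip_comments "$1")
    findings=""
    recursion=$(count 'recursion *yes;' "$body")
    query_any=$(count 'allow-query *{ *any; *}' "$body")
    rec_acl=$(count 'allow-recursion *{' "$body")
    md5_key=$(count 'algorithm *hmac-md5;' "$body")
    if [ "$recursion" -gt 0 ] && [ "$query_any" -gt 0 ] && [ "$rec_acl" -eq 0 ]; then
        findings="$findings OPEN_RESOLVER"
    fi
    if [ "$md5_key" -gt 0 ]; then
        findings="$findings WEAK_RNDC_KEY"
    fi
    if [ -n "$findings" ]; then
        printf '%s\n' "${findings# }"
    else
        printf 'OK\n'
    fi
}

# write_sample open|hardened -> path of a constructed named.conf (secrets are placeholders)
write_sample() {
    f=$(mktemp)
    if [ "$1" = open ]; then
        # Same shape as the post's named.conf: recursion open to anyone, md5 rndc key
        cat > "$f" <<'EOF'
key "rndc-key" { algorithm hmac-md5; secret "AAAA"; };
controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; };
options {
	# allow-query { localhost; };
	listen-on port 53 { any; };
	allow-query { any; };
	forward first;
	forwarders { 192.168.1.254; 114.114.114.114; };
	recursion yes;
	dnssec-validation no;
};
EOF
    else
        # Hardened variant: recursion limited to the LAN (assumed range), sha256 key
        cat > "$f" <<'EOF'
key "rndc-key" { algorithm hmac-sha256; secret "AAAA"; };
controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; };
options {
	listen-on port 53 { any; };
	allow-query { any; };
	// only the internal network may use this server as a recursive resolver
	allow-recursion { 127.0.0.1; 192.168.0.0/16; };
	recursion yes;
};
EOF
    fi
    printf '%s\n' "$f"
}

# Demo: audit both constructed samples
for kind in open hardened; do
    f=$(write_sample "$kind")
    printf '%s: %s\n' "$kind" "$(audit_named_conf "$f")"
    rm -f "$f"
done
```

Run it against the real file with audit_named_conf /etc/named.conf; the comment stripping is deliberately crude (line comments only), which is enough for the stock Red Hat file layout shown above.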
File: /etc/named.rfc1912.zones
Make a backup
cp /etc/named.rfc1912.zones /etc/named.rfc1912.zones_bak_20241122
Final contents. Note: to make the explanation easier to follow, the explanatory comments (prefixed "Note:") in the configuration below should be deleted in actual use.
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
// Note: see reference 2 === start
zone "mine" {
type master;
file "zone/mine";
};
// Note: see reference 2 === end
File: /var/named/zone/mine
mkdir /var/named/zone
touch /var/named/zone/mine
Final contents. Note: to make the explanation easier to follow, the explanatory comments (prefixed "Note:") in the zone file below should be deleted in actual use.
$TTL 60
@ IN SOA localhost. root.localhost. (
2024112201 ; serial
1h ; refresh
30m ; retry
1w ; expiry
30m) ; minimum
	IN NS localhost.
localhost A 127.0.0.1
; Note: any names that should be pointed at the test-environment server can be added following the pattern below === start
test-backend.xxxx.com A 192.168.0.122
test-back.xxxx.com A 192.168.0.122
; Note: any names that should be pointed at the test-environment server can be added following the pattern below === end
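The zone file above is hand-edited. The script below is an added example, not from the original post, that generates it from a plain "name address" list. It rejects absolute names (trailing dot), because an RPZ trigger is the owner name relative to the zone origin: test-backend.xxxx.com becomes test-backend.xxxx.com.mine and matches the real query name, whereas test-backend.xxxx.com. would not. It also rejects malformed IPv4 addresses. The sample list is constructed from the two names in the post, and the serial format YYYYMMDDnn mirrors the one used above.

```shell
#!/bin/sh
# Added example (not from the original post): build the RPZ zone "mine"
# from "name address" pairs on stdin. Sample input is constructed.

# is_ipv4 ADDR -> 0 if ADDR is a dotted quad with every octet in 0..255
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# rpz_serial -> today's date followed by 01, the YYYYMMDDnn format used in the post
rpz_serial() {
    printf '%s01\n' "$(date +%Y%m%d)"
}

# gen_rpz_zone SERIAL < pairs -> zone file on stdout; non-zero exit on bad input.
# Lines starting with ';' and blank lines are skipped.
gen_rpz_zone() {
    serial=$1
    case "$serial" in
        ''|*[!0-9]*) echo "error: serial must be numeric, got '$serial'" >&2; return 1 ;;
    esac
    printf '$TTL 60\n'
    printf '@ IN SOA localhost. root.localhost. ( %s 1h 30m 1w 30m )\n' "$serial"
    printf '\tIN NS localhost.\n'
    printf 'localhost A 127.0.0.1\n'
    while read -r name ip _; do
        case "$name" in ''|';'*) continue ;; esac
        case "$name" in
            *.) echo "error: '$name' must not end with a dot (RPZ triggers are relative to the zone origin)" >&2; return 1 ;;
        esac
        is_ipv4 "$ip" || { echo "error: bad IPv4 address '$ip' for $name" >&2; return 1; }
        printf '%s A %s\n' "$name" "$ip"
    done
}

# Constructed sample list: the two test names from the post
sample_pairs() {
    cat <<'EOF'
; host                     address
test-backend.xxxx.com      192.168.0.122
test-back.xxxx.com         192.168.0.122
EOF
}

# Demo: print the generated zone for today's serial
sample_pairs | gen_rpz_zone "$(rpz_serial)"
```

To install it, redirect the output to /var/named/zone/mine, then run named-checkzone mine /var/named/zone/mine and rndc reload as described below; the generator keeps the SOA/NS header identical to the hand-written file so only the serial and the A records change between runs.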
Overall notes on the configuration
1. Bind9 really is quite a powerful piece of software; basically everything the common cloud DNS management consoles offer can be configured in it.
2. Historically we made a fairly big mistake: our test-environment domain names are almost all of the form test-xxx.xxxx.com. That format does not fit the way bind9 zones delimit domain names; the correct approach would have been to distinguish the test environment with a test subdomain, for example xxx.test.xxxx.com, since only then can a zone be used to resolve those names normally. Yes, if we could do it over again, the test-environment names should have been managed as xxx.test.xxxx.com-style subdomains. Fortunately, as reference 2 shows, our situation can be handled by pointing those names at this machine.
3. If you add zone configuration under /var/named, be sure to change the ownership of the files; the simplest way is to re-own the whole directory.
4. Restart the service with the following command. Even though no error message is printed, that does not necessarily mean it succeeded; check the status afterwards.
Open the ports in iptables
vim /etc/sysconfig/iptables
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
# rndc is bound to 127.0.0.1 in the controls block above, so port 953 only needs opening if rndc will be used from other hosts
-A INPUT -p tcp -m state --state NEW -m tcp --dport 953 -j ACCEPT
Common commands
# After adding or changing zone configuration, reload
rndc reload
rndc flush
# Restart the service process
systemctl restart named
# Check that the main configuration file is valid; no output means it is fine
named-checkconf
# Check that a zone file parses and can resolve names: zone name first, then the file (here the zone "mine" from above)
named-checkzone mine /var/named/zone/mine
# After adding a zone file, fix the file ownership. This command is critical; otherwise the process will fail to restart
chown -R named:named /var/named