Ops tips


Install gcc before building BIND: point yum at a working repository and run `yum -y install gcc`. If yum fails because its lock file is held (the yum-updatesd service is running), the fix used here is `rm -rf /var/run/yum.pid`; check with `ps aux | grep yum` that no yum process is still running before removing the lock, otherwise two package managers can end up writing the RPM database at the same time.

Download BIND 9.6 into /root/Desktop: cd into that directory first, then `wget ftp://ftp.isc.org/isc/bind9/9.6.0-P1/bind-9.6.0-P1.tar.gz`. Whichever release you fetch, verify the tarball against the PGP signature ISC publishes next to it before building. 9.6.0-P1 is simply the version this post used; it has long been out of support, so for a new deployment take a current release and follow the same steps.
Unpack bind-9.6.0-P1.tar.gz
# tar zxvf bind-9.6.0-P1.tar.gz
Enter the bind-9.6.0-P1 directory
# cd bind-9.6.0-P1
Create the install directory; here it is /opt/bind
# mkdir /opt/bind
Configure with the install prefix and thread support enabled. Two of the flags deserve a second look before you copy them: --disable-openssl-version-check skips the check that refuses to build against an OpenSSL older than the minimum BIND considers safe, so only use it once you know why the check fails on your system, and --disable-ipv6 builds a named that will never answer over IPv6.
#./configure --prefix=/opt/bind --enable-threads --disable-openssl-version-check --disable-ipv6

make takes a few minutes; as long as it reports no errors, continue.
# make
make install copies the binaries into the prefix.
# make install
If neither step reported an error, the build is installed.

Now configure BIND; the following steps put named under rndc's control.
Create rndc.conf with the generator that ships with BIND.
Change into /opt/bind/etc and generate rndc.conf and named.conf there:
# cd /opt/bind/etc
# /opt/bind/sbin/rndc-confgen > /opt/bind/etc/rndc.conf
Copy the key information from rndc.conf into named.conf. rndc-confgen ends its output with a commented-out named.conf fragment (the key and controls statements); the pipeline below keeps those nine lines and strips the leading "# ":
# tail -10 rndc.conf | head -9 | sed -e 's/# //g' > named.conf
This depends on the exact layout of rndc-confgen's output, so open named.conf afterwards and confirm it holds only the key and controls blocks before adding the rest. rndc.conf contains the control secret and should be readable by root only. The generated key uses hmac-md5, which is what rndc-confgen produced in this version; newer releases default to hmac-sha256. The secret shown below is the post's own and must be regenerated, never reused.

To stress this: the key in rndc.conf and the key in named.conf must be exactly identical, and there is no need to generate an rndc.key; this problem tied me up for about three hours.
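The mismatch described above cannot happen if both files are written from one generated secret. The script below is an example added to this page, not the post's own commands and not part of BIND: it produces a random secret, writes rndc.conf and a separate rndc-key.conf holding the key and controls statements, and checks that the two agree. It assumes the output directory is passed as the first argument (for this page, /opt/bind/etc) and that the installed named accepts hmac-sha256 (HMAC-SHA support arrived in BIND 9.5; pass hmac-md5 as the second argument to stay with what this post used).

```shell
#!/bin/sh
# Example added to this page (not the post's commands, not part of BIND):
# generate ONE rndc secret and write both files from it, so rndc.conf and the
# key/controls fragment included by named.conf can never disagree.
# Assumptions: $1 is the output directory (e.g. /opt/bind/etc); $2 is the HMAC
# algorithm, default hmac-sha256 (HMAC-SHA support arrived in BIND 9.5; pass
# hmac-md5 to match what this post used).

gen_rndc_key_files() {
    outdir=$1
    alg=${2:-hmac-sha256}
    # 32 random bytes, base64-encoded: the "secret" format BIND expects
    secret=$(head -c 32 /dev/urandom | base64 | tr -d '\n')

    # The secret authorises rndc stop/reload/flush: make both files root-only.
    ( umask 077
      cat > "$outdir/rndc.conf" <<EOF
key "rndc-key" {
        algorithm $alg;
        secret "$secret";
};

options {
        default-key "rndc-key";
        default-server 127.0.0.1;
        default-port 953;
};
EOF
      cat > "$outdir/rndc-key.conf" <<EOF
key "rndc-key" {
        algorithm $alg;
        secret "$secret";
};

controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
};
EOF
    )
}

# Succeeds only when both files carry the same, non-empty secret.
rndc_secrets_match() {
    a=$(sed -n 's/.*secret "\(.*\)";/\1/p' "$1/rndc.conf")
    b=$(sed -n 's/.*secret "\(.*\)";/\1/p' "$1/rndc-key.conf")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage: gen_rndc_key_files /opt/bind/etc && rndc_secrets_match /opt/bind/etc
```

In named.conf, replace the pasted key and controls blocks with `include "/opt/bind/etc/rndc-key.conf";` so there is a single copy of the secret to keep in sync, and rerun the generator whenever the secret needs rotating.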

Now edit named.conf so that it contains the following. Keep in mind what this minimal file leaves at BIND's defaults: the master zones have no allow-transfer, so any host on the Internet can pull a full copy of fuying.com and xiaofang.com with an AXFR request, and there is no recursion statement, so named also answers recursive queries for the local networks. Add allow-transfer { <address of the secondary>; }; to each master zone, and recursion no; under options if this server is only meant to be authoritative.
# vim named.conf
key "rndc-key" {
        algorithm hmac-md5;
        secret "WeHHAt0lui+9WihUW6HdsQ==";
};

controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
};
options {
directory "/opt/bind/var/named";
};

zone "." IN {
type hint;
file "named.ca";
};

zone "localhost" IN {
type master;
file "localhost.zone";
};

zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};

zone "fuying.com" IN {
type master;
file "fuying.zone";
};
zone "xiaofang.com" IN {
type master;
file "xiaofang.zone";

};

Create the named directory:

# mkdir /opt/bind/var/named

Enter it:

# cd /opt/bind/var/named/

Create localhost.zone:

# vi localhost.zone
with the following content:
$TTL       86400
$ORIGIN localhost.
@                          1D IN SOA          @ root (
                                           42                 ; serial (d. adams)
                                           3H                 ; refresh
                                           15M                ; retry
                                           1W                 ; expiry
                                           1D )               ; minimum

                           1D IN NS           @
                           1D IN A            127.0.0.1

Seed /opt/bind/var/named/named.ca with the root server list. The post does it with dig:

# dig -t NS . >/opt/bind/var/named/named.ca

This asks whatever resolver /etc/resolv.conf points at, and named only gets usable hints if that resolver's answer includes the root servers' addresses in the additional section; a hint file with names but no addresses gives named nothing to contact. Safer is to ask a root server directly (`dig @a.root-servers.net . NS`) or to download the canonical file from https://www.internic.net/domain/named.root; either way, check that the file contains A records for the root servers before starting named.

Create named.local:

# vi named.local

$TTL       86400
@          IN         SOA        localhost. root.localhost.  (
                                         1997022700 ; Serial
                                         28800         ; Refresh
                                         14400         ; Retry
                                         3600000       ; Expire
                                         86400 )       ; Minimum
                 IN         NS         localhost.

1          IN         PTR        localhost.

Create fuying.zone:

# vi fuying.zone

$TTL       86400
@               IN SOA  fuying.com.  root.fuying.com. (
                                           57                 ; serial (d. adams)
                                           3H                 ; refresh
                                           15M                ; retry
                                           1W                 ; expiry
                                           1D )               ; minimum

                           IN NS          dns.fuying.com.
                           IN MX   5      mail

dns             IN      A       121.101.211.72
dns1            IN      A       121.101.211.72
dns2            IN      A       121.101.211.74
www             IN      A       121.101.211.76

Create xiaofang.zone:

# vi xiaofang.zone

$TTL       86400
@               IN SOA  xiaofang.com.  root.xiaofang.com. (
                                           57                 ; serial (d. adams)
                                           3H                 ; refresh
                                           15M                ; retry
                                           1W                 ; expiry
                                           1D )               ; minimum

                           IN NS          dns.xiaofang.com.
                           IN MX   5      mail

dns             IN      A       121.101.211.72
dns1            IN      A       121.101.211.72
dns2            IN      A       121.101.211.74
www             IN      A       192.168.1.179

A note on the zone files above: both declare IN MX 5 mail but neither defines an A record for mail, so the MX points at a name that does not resolve until you add one. Also be careful with case in BIND's configuration files; in particular the file names in named.conf must match the files on disk exactly.
Now start BIND to test the installation. Run named-checkconf on named.conf and named-checkzone on each zone file first (both live in /opt/bind/sbin); they catch most typos before named does.
# /opt/bind/sbin/named -gc /opt/bind/etc/named.conf &
-g keeps named in the foreground and writes its log to stderr so start-up errors are visible, and -c names the configuration file. As run here named keeps running as root; create an unprivileged user and add -u named so it drops privileges after binding port 53, and give that user write access to the zone directory only if it has to store secondary zones there.
If the last line of output is
Running

the install and start-up succeeded.

Test rndc with /opt/bind/sbin/rndc status; if everything is right it prints a status report. I usually just edit vim /root/.bashrc and add an alias rndc9='/opt/bind/sbin/rndc'.

Add named to the boot sequence so it starts with the operating system.
# cd /etc/rc.d
# vim rc.local
Append the following at the end:
/opt/bind/sbin/named -c /opt/bind/etc/named.conf
Save and exit. named reads its configuration path from -c (the post's original line left the flag out), and without -g it detaches itself, so no trailing & is needed; add -u named here as well if you created that user. Reboot to try it, then test with nslookup and dig, or check that the process is up with ps aux | grep named. rndc stop is the cleaner way to stop it, since named can write out pending zone changes first; killall named also works.

Appendix: configuration for the secondary (slave) DNS server. The slaves directory named below must exist under /opt/bind/var/named and be writable by the user named runs as, because the transferred zones are stored there; and if you restricted allow-transfer on the master as suggested above, this server's address has to be in that list.

key "rndc-key" {
        algorithm hmac-md5;
        secret "c97aVpbK9mWdlbefliG7qg==";
};

controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
};
options {
directory "/opt/bind/var/named";

};

zone "." IN {
type hint;
file "named.ca";
};

zone "localhost" IN {
type master;
file "localhost.zone";
};

zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};

zone "fuying.com" IN {
type slave;
file "slaves/fuying.salve";
        masters { 192.168.1.179; };
};
zone "xiaofang.com" IN {
type slave;
file "slaves/xiaofang.salve";
        masters { 192.168.1.179; };
};

Appendix: firewall policy

[root@fuying opt]# vi vivabj069.sh
#! /bin/bash

# start the iptables service
  service iptables restart

# flush all existing rules
  iptables -F

# set the default policies
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT DROP

iptables -A INPUT -m state --state RELATED,ESTABLISHED  -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT


iptables -A INPUT -p tcp  -m tcp -s 0/0 --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp  -m tcp --dport 22 -j ACCEPT

iptables -A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p tcp -m tcp --dport 953 -j ACCEPT
iptables -A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p tcp -m tcp --sport 953 -j ACCEPT
iptables -A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p udp -m udp --sport 953 -j ACCEPT
iptables -A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p udp -m udp --dport 953 -j ACCEPT
iptables -A OUTPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p tcp -m tcp --dport 953 -j ACCEPT
iptables -A OUTPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p tcp -m tcp --sport 953 -j ACCEPT
iptables -A OUTPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p udp -m udp --sport 953 -j ACCEPT
iptables -A OUTPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p udp -m udp --dport 953 -j ACCEPT

iptables -A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p tcp -m tcp --dport 53 -j ACCEPT
iptables -A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p tcp -m tcp --sport 53 -j ACCEPT
iptables -A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p udp -m udp --sport 53 -j ACCEPT
iptables -A OUTPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p tcp -m tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p tcp -m tcp --sport 53 -j ACCEPT
iptables -A OUTPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p udp -m udp --sport 53 -j ACCEPT
iptables -A OUTPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p udp -m udp --dport 53 -j ACCEPT

Run the firewall script:

# sh vivabj069.sh

Before using it, read the rules once more, because the script does not do what the default-DROP policy suggests. The INPUT rules that ACCEPT on --sport 53 and --sport 953 accept any new connection whose source port is 53 or 953, and a client chooses its own source port, so they let anyone through the DROP policy to every service on the host; the RELATED,ESTABLISHED rule already admits the replies those rules were meant for, so only --dport rules for new traffic are needed. Port 953 does not have to be opened to 0.0.0.0/0 at all, since the controls statement binds rndc to 127.0.0.1; what the script is missing instead is an ACCEPT for the loopback interface. The service iptables restart at the top reloads the saved ruleset only for iptables -F to flush it a moment later, and because the default policies are set before the first ACCEPT, a script that aborts half-way leaves the box unreachable, so run it from a console or with a timed rollback.
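The same policy without those holes, as an example added to this page (not the post's script): default DROP, loopback allowed so local rndc works without exposing port 953, SSH only from an assumed admin network passed as the first argument, DNS in and out, and replies handled by conntrack so no --sport rules are needed. It assumes an iptables with the conntrack match; setting IPT=echo prints the rules instead of applying them, which is also how you review the result before running it as root.

```shell
#!/bin/sh
# Hardened replacement for the page's vivabj069.sh, added as an example (not
# the post's own script). Same intent (default DROP, allow SSH and DNS), but:
# only --dport rules for new traffic, loopback allowed, no externally reachable
# rndc port. Assumptions: iptables with the conntrack match; the first argument
# (ADMIN_NET) is the network allowed to SSH in. Set IPT=echo to dry-run.

apply_rules() {
    admin_net=${1:-0.0.0.0/0}        # assumption: the caller narrows this
    ipt=${IPT:-iptables}

    "$ipt" -F
    "$ipt" -X
    "$ipt" -P INPUT DROP
    "$ipt" -P FORWARD DROP
    "$ipt" -P OUTPUT DROP

    # Loopback: rndc talks to 127.0.0.1:953, so this replaces the page's
    # world-open port-953 rules.
    "$ipt" -A INPUT  -i lo -j ACCEPT
    "$ipt" -A OUTPUT -o lo -j ACCEPT

    # Reply traffic for anything accepted below. This is why no --sport rules
    # are needed: a --sport ACCEPT on INPUT lets anyone in who picks source
    # port 53 or 953 for a new connection.
    "$ipt" -A INPUT  -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    "$ipt" -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    "$ipt" -A INPUT  -m conntrack --ctstate INVALID -j DROP

    # SSH in, from the admin network only
    "$ipt" -A INPUT -p tcp --dport 22 -s "$admin_net" -m conntrack --ctstate NEW -j ACCEPT

    # DNS queries and zone transfers to this server
    "$ipt" -A INPUT -p udp --dport 53 -j ACCEPT
    "$ipt" -A INPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

    # Outbound DNS: recursion, NOTIFY, and AXFR/IXFR from the master
    "$ipt" -A OUTPUT -p udp --dport 53 -j ACCEPT
    "$ipt" -A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
}

# Apply for real only when invoked as: sh harden-fw.sh apply 10.0.0.0/8
if [ "${1:-}" = apply ]; then
    apply_rules "${2:-0.0.0.0/0}"
fi
```

The post's script also allowed outbound SSH (OUTPUT --dport 22); add that rule back only if this host has to ssh out. Zone transfers are still limited at the BIND level by allow-transfer; the firewall only decides who may reach port 53 at all.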

Appendix: a CNAME record

# vi fuying.zone

$TTL       86400
@               IN SOA  fuying.com.  root.fuying.com. (
                                           57                 ; serial (d. adams)
                                           3H                 ; refresh
                                           15M                ; retry
                                           1W                 ; expiry
                                           1D )               ; minimum

                           IN NS          dns.fuying.com.
                           IN MX   5      mail

dns             IN      A       121.101.211.72
dns1            IN      A       121.101.211.72
dns2            IN      A       121.101.211.74
www             IN      A       121.101.211.76
wwww  IN CNAME www.fuying.com.

Note: a fully qualified name in a zone file must end with a "."; a name without the dot is relative to the zone origin, so writing www.fuying.com here would make BIND look for www.fuying.com.fuying.com.
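A check for exactly this class of mistake, added here as an example (not from the post): it scans a zone file for NS, MX and CNAME targets written without a trailing dot and reports any that have no A or AAAA record in the same zone, which on the fuying.zone above flags the mail target of the MX record. It assumes the one-record-per-line layout used on this page, with the owner inherited when a line starts with whitespace, and needs only sh and awk.

```shell
#!/bin/sh
# Example added to this page (not from the original post). Report NS, MX and
# CNAME targets that are relative names (no trailing dot) with no A/AAAA record
# of their own in the zone file: such a target gets the origin appended, and a
# relative target with no address record is usually a typo or a missing record.
# Assumption: one record per line; a line starting with whitespace inherits the
# owner of the previous line (the layout used by the zone files on this page).

zone_dangling_targets() {          # $1 = zone file
    awk '
        { sub(/;.*/, "") }                    # drop comments
        NF == 0 || $1 ~ /^\$/ { next }        # skip blank lines and $TTL/$ORIGIN
        {
            # owner name: inherited when the line starts with whitespace
            if ($0 ~ /^[ \t]/) owner = last; else { owner = $1; last = $1 }
            for (i = 1; i <= NF; i++) {
                if ($i == "A" || $i == "AAAA") defined[owner] = 1
                else if ($i == "NS" || $i == "CNAME") refs[$(i+1)] = $i
                else if ($i == "MX") refs[$(i+2)] = $i   # skip the preference
            }
        }
        END {
            for (t in refs) {
                if (t ~ /\.$/) continue       # absolute name: out of scope here
                if (!(t in defined))
                    printf "%s target %s has no A/AAAA record in this zone\n", refs[t], t
            }
        }' "$1" | sort
}

# Usage: zone_dangling_targets /opt/bind/var/named/fuying.zone
for f in "$@"; do zone_dangling_targets "$f"; done
```

Absolute targets (ending in ".") are deliberately skipped: whether www.fuying.com. resolves is a question for dig, not for a file check. Run it alongside named-checkzone, which validates syntax but does not object to an MX that points at a name the zone never defines.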

Posted on 2010-03-19 12:04 by 付莹