安装bind前先安装gcc,配置好yum源,yum -y install gcc,如果有run.pid报错,直接rm -rf /var/run/yum.pid (解决yum-updatesd服务正运行的情况)
下载 bind9.6到/root/Desktop,先进至目录里,然后wget ftp://ftp.isc.org/isc/bind9/9.6.0-P1/bind-9.6.0-P1.tar.gz
解压bind-9.6.0-P1.tar.gz
# tar zxvf bind-9.6.0-P1.tar.gz
进入 bind-9.6.0-P1.gz文件夹
# cd bind-9.6.0-P1
创建安装目录,我是安装在 /opt/bind
# mkdir /opt/bind
编译,指定安装目录,开启多线程支持
#./configure --prefix=/opt/bind --enable-threads --disable-openssl-version-check --disable-ipv6
#Make 大约需要几分钟,只要不报错就继续下去。
# make
#Make install 安装
# make install
没有报错,就表示安装成功了。
开始配置bind,接下来的过程是让rndc来管理bind9.6
创建 rndc.conf文件,用bind自带程序生成
进入/opt/bind/etc,将rndc.conf及named.conf生成
# cd /opt/bind/etc
# /opt/bind/sbin/rndc-confgen > /opt/bind/etc/rndc.conf
把rndc.conf 中的key信息输出到 named.conf 中
# tail -10 rndc.conf | head -9 | sed -e s/#\ //g > named.conf
这里强调一下,rndc.conf与named.conf的key值必须完全一样,而且并不需要生成rndc.key,这个问题纠缠了我大约3个小时
# vim named.conf
key "rndc-key" {
algorithm hmac-md5;
secret "WeHHAt0lui+9WihUW6HdsQ==";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
options {
directory "/opt/bind/var/named";
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "localhost.zone";
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};
zone "fuying.com" IN {
type master;
file "fuying.zone";
};
zone "xiaofang.com" IN {
type master;
file "xiaofang.zone";
};
创建named文件夹:
# mkdir /opt/bind/var/named
进入named文件夹
# cd /opt/bind/var/named/
创建locale.zone文件
# vi localhost.zone
写入以下内容:
$TTL 86400
$ORIGIN localhost.
@ 1D IN SOA @ root (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
1D IN NS @
1D IN A 127.0.0.1
将跟服务器的信息导入到/opt/bind/var/named/named.ca文件中
# dig -t NS . >/opt/bind/var/named/named.ca
创建文件named.local
#vi named.local
$TTL 86400
@ IN SOA localhost. root.localhost. (
1997022700 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS localhost.
1 IN PTR localhost.
创建fuying.zone
# vi fuying.zone
$TTL 86400
@ IN SOA fuying.com. root.fuying.com. (
57 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
IN NS dns.fuying.com.
IN MX 5 mail
dns IN A 121.101.211.72
dns1 IN A 121.101.211.72
dns2 IN A 121.101.211.74
www IN A 121.101.211.76
创建xiaofang.zone
#vi xiaofang.zone
$TTL 86400
@ IN SOA xiaofang.com. root.xiaofang.com. (
57 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
IN NS dns.xiaofang.com.
IN MX 5 mail
dns IN A 121.101.211.72
dns1 IN A 121.101.211.72
dns2 IN A 121.101.211.74
www IN A 192.168.1.179
特别注意:bind的配置文档是区分大小写的。
下面就可以启动bind来测试安装是否成功了
# /opt/bind/sbin/named –gc /opt/bind/etc/named.conf &
加 –gc 参数,可以显示出启动日志,以便出错排查。
如果运行结果最后一行显示
Running
表明安装并启动成功。
测试rndc命令 /opt/bind/sbin/rndc status,正确的话应该有状态提示,我一般是直接编辑vim /root/.bashrc加进一个alias rndc9='/opt/bind/sbin/rndc'
把named 添加到启动项,随操作系统一起启动。
# cd /etc/rc.d
# vim rc.local
在最后添加以下内容
/opt/bind/sbin/named /opt/bind/etc/named.conf &
退出保存。
可以尝试重启服务器,然后用命令nslookup及dig测试,或用pa axu | grep named,结束此服务用命令killall named
附加从DNS配置文件:
key "rndc-key" {
algorithm hmac-md5;
secret "c97aVpbK9mWdlbefliG7qg==";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
options {
directory "/opt/bind/var/named";
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "localhost.zone";
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};
zone "fuying.com" IN {
type slave;
file "slaves/fuying.salve";
masters{192.168.1.179;};
};
zone "xiaofang.com" IN {
type slave;
file "slaves/xiaofang.salve";
masters{192.168.1.179;};
附加防火墙策略
[root@fuying opt]# vi vivabj069.sh
#! /bin/bash
#start iptables services
service iptables restart
#Flush all the policy
iptables -F
# setting the default policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp -s 0/0 --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p tcp -m tcp --dport 953 -j ACCEPT
iptables -A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p tcp -m tcp --sport 953 -j ACCEPT
iptables -A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p udp -m udp --sport 953 -j ACCEPT
iptables -A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p udp -m udp --dport 953 -j ACCEPT
iptables -A OUTPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p tcp -m tcp --dport 953 -j ACCEPT
iptables -A OUTPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p tcp -m tcp --sport 953 -j ACCEPT
iptables -A OUTPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p udp -m udp --sport 953 -j ACCEPT
iptables -A OUTPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p udp -m udp --dport 953 -j ACCEPT
iptables -A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p tcp -m tcp --dport 53 -j ACCEPT
iptables -A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p tcp -m tcp --sport 53 -j ACCEPT
iptables -A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p udp -m udp --sport 53 -j ACCEPT
iptables -A OUTPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p tcp -m tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p tcp -m tcp --sport 53 -j ACCEPT
iptables -A OUTPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p udp -m udp --sport 53 -j ACCEPT
iptables -A OUTPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p udp -m udp --dport 53 -j ACCEPT
执行防火墙:
# sh vivabj069.sh
附CNAME 解析记录
# sh vivabj069.sh
# vi fuying.zone
$TTL 86400
@ IN SOA fuying.com. root.fuying.com. (
57 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
IN NS dns.fuying.com.
IN MX 5 mail
dns IN A 121.101.211.72
dns1 IN A 121.101.211.72
dns2 IN A 121.101.211.74
www IN A 121.101.211.76
wwww IN CNAME www.fuying.com.
注意域名后面必须跟“.”;