bind搭建DNS服务(主从)
DNS主从
dns01 192.168.20.10 主
dns02 192.168.20.11 从
一、bind安装
# Install the BIND server plus the client tools (dig/host/nslookup) on both hosts.
dnf -y install bind bind-utils
二、named.conf配置文件修改
主dns
修改监听listen-on和allow-query
添加
notify yes;
also-notify { 192.168.20.11; }; //从dns
allow-transfer { 192.168.20.11; };
forwarders {
223.5.5.5; //阿里dns
114.114.114.114; //114dns
119.29.29.29; //腾讯dns
180.76.76.76; //百度dns
};
从dns
修改监听listen-on和allow-query
添加
allow-transfer { 192.168.20.10; };
完整配置文件如下,需要解析的 zone 配置添加在文件尾部:
#主
[root@dns01 named]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Primary (dns01, 192.168.20.10) for localtest.com and 0.168.192.in-addr.arpa;
// dns02 (192.168.20.11) pulls both zones from here.
options {
// Listen on every interface. Together with allow-query { any; } and
// recursion yes below this makes an open resolver if the host is reachable
// from outside 192.168.20.0/24.
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
// NOTE(review): any client may query AND recurse. Keep allow-query open for
// the authoritative zones if needed, but limit recursion to trusted clients,
// e.g. allow-recursion { localnets; localhost; };
allow-query { any; };
// Send NOTIFY when a zone changes; also-notify adds the secondary explicitly.
notify yes;
also-notify { 192.168.20.11; }; // secondary (dns02)
// Zone transfers are authorised by source address only; a TSIG key would
// authenticate dns02 instead of trusting its IP.
allow-transfer { 192.168.20.11; };
// Upstream resolvers for names this server is not authoritative for. The
// default mode is "forward first": if none of them answers, named recurses
// from the root hints itself.
forwarders {
223.5.5.5; // Alibaba public DNS
114.114.114.114; // 114DNS
119.29.29.29; // Tencent public DNS
180.76.76.76; // Baidu public DNS
};
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
// Recursion is enabled for every client allowed by allow-query (any); see
// the warning above.
recursion yes;
// NOTE(review): dnssec-enable is obsolete since BIND 9.16 (no effect) and
// newer releases reject it as a configuration error; remove it if
// named-checkconf complains — confirm against the installed version.
dnssec-enable yes;
// Validation relies on the trust anchor included from /etc/named.root.key below.
dnssec-validation yes;
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
// Primary for the forward zone; the file path is relative to directory "/var/named".
zone "localtest.com" IN {
type master;
file "localtest.com.zone";
};
// Reverse zone for 192.168.0.x. It covers 192.168.0.0/24 only; the name
// servers themselves (192.168.20.x) have no reverse zone here.
zone "0.168.192.in-addr.arpa" IN { // reverse zone for 192.168.0.x
type master;
file "192.168.0.rev";
};
#从
[root@dns02 named]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Secondary (dns02, 192.168.20.11): pulls localtest.com and
// 0.168.192.in-addr.arpa from dns01 (192.168.20.10).
options {
// Listen on every interface. Together with allow-query { any; } and
// recursion yes below this makes an open resolver if the host is reachable
// from outside 192.168.20.0/24.
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
// NOTE(review): any client may query AND recurse; limit recursion to
// trusted clients, e.g. allow-recursion { localnets; localhost; };
allow-query { any; };
// NOTE(review): this lets the primary pull zones from the secondary, which it
// never needs. Unless further secondaries transfer from dns02, use
// allow-transfer { none; };
allow-transfer { 192.168.20.10; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
// Recursion is enabled for every client allowed by allow-query (any); see
// the warning above. No forwarders are configured here, so dns02 recurses
// from the root hints (zone "." below).
recursion yes;
// NOTE(review): dnssec-enable is obsolete since BIND 9.16 (no effect) and
// newer releases reject it as a configuration error; remove it if
// named-checkconf complains — confirm against the installed version.
dnssec-enable yes;
// Validation relies on the trust anchor included from /etc/named.root.key below.
dnssec-validation yes;
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
// Secondary copy of the forward zone, pulled from dns01. "slave"/"masters"
// are the older spellings (newer BIND also accepts secondary/primaries).
zone "localtest.com" IN {
type slave;
// Transfers are authorised by dns01's IP-based ACL only; no TSIG key is used.
masters { 192.168.20.10; };
// Written by named after each transfer; slaves/ under /var/named must be
// writable by the named user.
file "slaves/localtest.com.zone.slave";
};
zone "0.168.192.in-addr.arpa" IN { // reverse zone for 192.168.0.x, secondary copy
type slave;
masters { 192.168.20.10; };
file "slaves/192.168.0.rev.slave";
};
三、zone配置文件
正向解析
[root@dns01 named]# vim /var/named/localtest.com.zone
$TTL 1D
; Origin is localtest.com (from the zone statement in named.conf); unqualified
; names below are relative to it and "@" is the zone apex.
; MNAME "master" expands to master.localtest.com.; RNAME admin.localtest.com.
; is the contact address admin@localtest.com.
@ IN SOA master admin.localtest.com. (
0 ; serial -- must be increased on every edit, otherwise secondaries ignore the change
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum (negative-caching TTL)
; Authoritative servers for the zone. The owner is omitted, so these lines
; inherit "@" from the SOA record above.
NS master
NS slave
master A 192.168.20.10
slave A 192.168.20.11
www A 123.45.67.89
www AAAA 123:456:789::1
; Only this host lies in 192.168.0.0/24, the range covered by the reverse zone.
test A 192.168.0.100
反向解析
[root@dns01 named]# vim /var/named/192.168.0.rev
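$TTL 1D
; Origin is 0.168.192.in-addr.arpa (192.168.0.0/24); unqualified names are
; relative to it, so "100" below is 100.0.168.192.in-addr.arpa.
; MNAME and RNAME must therefore be fully qualified (trailing dot): a bare
; "master" would have expanded to master.0.168.192.in-addr.arpa.
@ IN SOA master.localtest.com. admin.localtest.com. (
0 ; serial -- must be increased on every edit, otherwise secondaries ignore the change
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum (negative-caching TTL)
; Both dns01 and dns02 serve this zone (dns02 as secondary), so both are
; advertised as authoritative.
NS master.localtest.com.
NS slave.localtest.com.
100 IN PTR test.localtest.com.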
四、检查
检查named.conf配置:
# Syntax-check /etc/named.conf (the default path); prints nothing on success.
# Add -z to also test-load every zone file referenced by the configuration.
named-checkconf
如果一切正常,将返回一个空结果。
检查zone配置:
# First argument is the zone origin exactly as declared in named.conf,
# second is the zone file; relative names are expanded against that origin.
named-checkzone localtest.com /var/named/localtest.com.zone
如果一切正常,这将返回如下内容:
[root@dns01 named]# named-checkzone localtest.com.zone /var/named/localtest.com.zone
zone localtest.com.zone/IN: loaded serial 0
最后,检查反向区域:
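# First argument must be the zone origin as declared in named.conf
# (0.168.192.in-addr.arpa), not an IP address: with a wrong origin the
# relative names in the file are expanded against the wrong domain and the
# check says nothing about the zone actually served.
named-checkzone 0.168.192.in-addr.arpa /var/named/192.168.0.rev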
如果一切正常,将返回如下结果:
[root@dns01 named]# named-checkzone 192.168.0.rev /var/named/192.168.0.rev
zone 192.168.0.rev/IN: loaded serial 0
OK
一切正常,重新启动 bind:
# (Re)start named so the new named.conf and zone files are loaded.
systemctl restart named.service
五、修改解析
修改 zone 配置文件后,必须把 SOA 中的 serial 加 1(否则从服务器不会同步新数据),然后执行:
# Reload configuration and zone files without restarting named; the secondary
# is notified and transfers the zone once it sees the higher serial.
rndc reload
# apply the change