CentOS7.9 搭建DNS服务器

一、DNS简介

1.DNS的作用

  • DNS(Domain Name System,域名系统),因特网上作为域名和IP地址相互映射的一个分布式数据库,能够使用户更方便地访问互联网,而不用去记住能够被机器直接读取的IP数串。通过主机名最终得到该主机名对应的IP地址的过程叫做域名解析(或主机名解析)。
  • 端口:udp/53(用户查询使用的端口,主从服务器同步也会用到),用户查询只需 53/udp;tcp/53(用于主从服务器之间的同步)。这两个端口只要有一个无法访问,主从服务器就无法同步。

二、配置DNS

1.环境安装

软件包:bind、bind-utils
守护进程:/usr/sbin/named

[root@MengXin ~]# yum -y install bind
[root@MengXin ~]# yum -y install bind-utils
[root@MengXin ~]# yum -y install bind*  //这是安装所有有关bind的软件包,省事可选

2.修改全局配置文件

文件路径:/etc/named.conf,下面是我的文件内容

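//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Edited here to serve the immengxin.top zones (appended to
// /etc/named.rfc1912.zones) and to act as a recursive resolver for the
// 192.168.255.0/24 LAN only.
//

options {
	listen-on port 53 { any; };    // local IPv4 address(es) and port that accept DNS queries
	listen-on-v6 port 53 { ::1; };
	directory 	"/var/named";    // base directory; zone "file" names below are relative to it
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	secroots-file	"/var/named/data/named.secroots";
	recursing-file	"/var/named/data/named.recursing";
	allow-query     { any; };    // clients allowed to send queries (needed so anyone can ask for our zones)

	/* 
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
	   recursion. 
	 - If your recursive DNS server has a public IP address, you MUST enable access 
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification 
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface 
	*/
	recursion yes;
	// allow-query { any; } together with recursion yes, and nothing else, is
	// exactly the open-resolver case the note above warns about. Limit recursive
	// (cache) lookups to localhost and the LAN served by our zones; adjust the
	// prefix if clients live on other networks.
	allow-recursion { localhost; 192.168.255.0/24; };

	dnssec-enable yes;
	dnssec-validation yes;

	managed-keys-directory "/var/named/dynamic";

	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";

	/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
	include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
        channel default_debug {
                file "data/named.run";    // relative to "directory": /var/named/data/named.run
                severity dynamic;
        };
};

// Root hints; used to start recursive lookups for names we are not authoritative for.
zone "." IN {
	type hint;
	file "named.ca";
};

include "/etc/named.rfc1912.zones";    // localhost/loopback zones plus the immengxin.top zones added in step 3
include "/etc/named.root.key";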


3.修改主配置文件

路径:/etc/named.rfc1912.zones(以全局配置文件 /etc/named.conf 末尾 include 的那个路径为准,按实际情况调整)
在文件末尾追加内容

// Forward zone: name -> address (A) records for immengxin.top
zone "immengxin.top" IN {
	type master;
	file "immengxin.top.zone";  // relative to the "directory" option, i.e. /var/named/immengxin.top.zone
	allow-update { none; };  // refuse dynamic (DDNS) updates; the zone file is edited by hand
};
// Reverse zone: address -> name (PTR) records. The network octets are reversed and
// in-addr.arpa appended, so 192.168.255.0/24 becomes 255.168.192.in-addr.arpa
zone "255.168.192.in-addr.arpa" IN {
	type master;
	file "255.168.192.zone";  // /var/named/255.168.192.zone
	allow-update { none; };
};

4.修改区域配置文件

  • 在/var/named目录下复制模板文件
[root@MengXin named]# cp -a named.localhost immengxin.top.zone    //该文件为正向模板文件
[root@MengXin named]# cp -a named.loopback 255.168.192.zone    //该文件为反向模板文件
[root@MengXin named]# chmod 777 immengxin.top.zone 
[root@MengXin named]# chmod 777 255.168.192.zone 
[root@MengXin named]# ll *.zone
-rwxrwxrwx. 1 root named 168 8月  25 2021 255.168.192.zone    //要保证配置文件的所有者为root、所属组为named;named只需要读取权限,改成777虽然最省事,但也让任何本地用户都能改写区域数据,生产环境建议收紧到640
-rwxrwxrwx. 1 root named 152 8月  25 2021 immengxin.top.zone
[root@MengXin named]# 
  • 编辑正向解析
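; Forward zone for immengxin.top. "@" is the origin taken from the zone
; statement in /etc/named.rfc1912.zones. Zone-file comments start with ";"
; - a "//" here is parsed as extra record data, not as a comment.
$TTL 1D
@	IN SOA	@ root.immengxin.top. (
					0	; serial - increase on every edit so secondaries notice the change
					1D	; refresh
					1H	; retry
					1W	; expire
					3H )	; minimum
	NS	immengxin.top.	; whichever name is listed as NS must also get an A record below
@	A	192.168.255.10
web	A	192.168.255.11
ftp	A	192.168.255.12
bbs	A	192.168.255.13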
  • 编辑反向解析,尽量与正向解析对应
; Reverse zone for 192.168.255.0/24 (255.168.192.in-addr.arpa). Each owner
; name below is the host octet of the address, so "10" is 192.168.255.10.
$TTL 1D
@	IN SOA	@ root.immengxin.top. (
					0	; serial
					1D	; refresh
					1H	; retry
					1W	; expire
					3H )	; minimum
	NS	immengxin.top.
10	PTR	immengxin.top.	; matches the apex A record in the forward zone
11	PTR	web.immengxin.top.
12	PTR	ftp.immengxin.top.
13	PTR	bbs.immengxin.top.

5.防火墙与重启服务

[root@MengXin named]# firewall-cmd --add-service=dns    //注意:不加 --permanent 只是临时放行,下一步 --reload 会把它清掉;要永久放行需再执行 firewall-cmd --permanent --add-service=dns
[root@MengXin named]# firewall-cmd --reload
[root@MengXin named]# systemctl restart named    //重启前可先用 named-checkconf 和 named-checkzone 检查配置文件与区域文件的语法

三、结果验证

  • 修改客户机的DNS地址,指向服务器,或者在本机上修改DNS地址
[MengXin@MengXin ~]$ nslookup
> immengxin.top
Server:		192.168.255.12
Address:	192.168.255.12#53

Name:	immengxin.top
Address: 192.168.255.10
> 192.168.255.10
10.255.168.192.in-addr.arpa	name = immengxin.top.
> 