CentOS6 DNS配置实例及详解

CentOS6 DNS配置实例及详解
操作系统:CentOS 6.2
BIND版本:BIND 9.7.3-P3-RedHat-9.7.3-8.P3.el6

################################################
相关配置文件
################################################
/etc/named.conf            主配置文件
/etc/named.rfc1912.zones    主要定义zone
/etc/sysconfig/named        定义chroot
################################################
1.安装包
bind
bind-chroot
bind-devel
bind-utils
bind-libs

#################################################
2.常用配置语句
/* 注释 */        C语言风格注释
//注释            C++
#注释            UNIX和Perl风格
options            全局配置选项和默认参数
view            定义一个视图
zone            定义一个区域
logging            日志和信息来源
acl            访问控制列表
include            加载文件
key            识别和授权的密钥信息
server            服务器参数
trusted-key        信任的DNSSEC密钥
type            定义区域类型
file            指定一个区域文件
directory        指定区域文件目录
forwarders        转发到的DNS服务器
masters            主服务器
allow-transfer        指定传送主机
allow-query        允许进行查询的主机
notify            主区域数据发生变化时允许通知从服务器
##################################################
// Global options for the tutorial's named.conf.  The server binds loopback, the LAN
// address and what looks like a public address, answers recursively, but only for
// clients in 192.168.100.0/24.
options {
    // 58.195.172.229 is presumably the Internet-facing address.  With recursion on,
    // the allow-query list below is what stops this from being an open resolver.
    // allow-recursion is not set, so by default BIND derives it from allow-query —
    // state it explicitly so the restriction survives a later edit to allow-query.
    listen-on port 53 { 127.0.0.1; 192.168.100.2; 58.195.172.229; };
//    listen-on-v6 port 53 { ::1; };
    directory     "/var/named";    // zone "file" names are resolved relative to this
    dump-file     "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query     { 192.168.100.0/24; };    // LAN clients only
    recursion yes;
//    forwarders    { 168.95.1.1; 192.168.100.1; }; // forward queries this server receives to other name servers, usually given as a list of IP addresses
//    forward        ( only|first; );
    dnssec-enable yes;
    dnssec-validation yes;    // validate answers against the configured trust anchors
    dnssec-lookaside auto;    // DLV lookaside; the ISC DLV registry has since been retired — drop this on current BIND

   
    bindkeys-file "/etc/named.iscdlv.key";    // built-in trust anchors read when lookaside is "auto"
};
// Syntax templates, not loadable as-is: "a|b" lists the alternatives and several
// lines have no terminating ';'.  Real statements built from them appear further down.
acl acl_name {
    any|none|localhost|localnets;   
    }
// A named address list; "internal" is the LAN and can be referenced from allow-* options.
acl "internal" {
    192.168.100.0/24;
    }

// Per-remote-server settings, here for the peer name server 192.168.100.1.
server    192.168.100.1 {
    bogus yes|no
    provide-ixfr yes|no
    request-ixfr yes|no
    support-ixfr yes|no;
    edns yes|no
    transfers number;
    transfer-format one-answer|many-answers;
    keys { key-id;key-id;... };    // TSIG key(s) to sign traffic with this server
    }

// rndc control channel: requires BOTH an address match and a key.  Binding it to a
// LAN address (as here) exposes rndc on the network; the working config later on the
// page binds it to 127.0.0.1 instead.
controls {
    inet 192.168.100.1 allow { address_match_list } keys { key_list };
    };

// Split-horizon view: clients matched by match-clients see only the zones inside it.
view    view-name {
    match-clients { address_match_list };
    view_option;
    zone-statement;
    };

logging {
        channel default_debug {
                file "data/named.run";    // relative to options.directory
                severity dynamic;         // follows the debug level set at run time
        };
};

// View for queries from, and addressed to, the local host: root hints plus the
// RFC 1912 localhost/loopback zones, none of which accept dynamic updates.
view "localhost" {
    match-clients { localhost; };
    match-destinations { localhost; };
    recursion yes;

// Root hints.
zone "." IN {
    type hint;
    file "named.ca";
};

// NOTE(review): zone "." is defined a second time inside the same view; named(8)
// refuses a zone that appears twice in one view, so one of the two must go.
zone "." IN {
    type hint;
    file "named.ca";
};

zone "localhost.localdomain" IN {
    type master;
    file "named.localhost";
    allow-update { none; };    // static zone, no dynamic updates
};

zone "localhost" IN {
    type master;
    file "named.localhost";
    allow-update { none; };
};

// Reverse zone for ::1.
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
    type master;
    file "named.loopback";
    allow-update { none; };
};

// Reverse zone for 127.0.0.1.
zone "1.0.0.127.in-addr.arpa" IN {
    type master;
    file "named.loopback";
    allow-update { none; };
};

// Empty zone for 0.in-addr.arpa so such lookups are not sent upstream.
zone "0.in-addr.arpa" IN {
    type master;
    file "named.empty";
    allow-update { none; };
};

};
///////////////////////////////////////////////////////////////////

// Local network

// View for LAN clients (localnets): the authoritative jlive.com zones.
view "internal" {
    match-clients { localnets; };
    match-destinations { localnets; };
    recursion yes;

// Master for jlive.com.  Zone transfers are limited by source address to the peer
// 192.168.100.1, and dynamic updates are limited to exactly one name and type through
// the "web" TSIG key, so that key cannot touch any other record (least privilege).
zone "jlive.com" IN {
    type master;
    file "jlive.com";
    allow-transfer { 192.168.100.1; };
    update-policy { grant web name web.jlive.com. A; };
    };

// Reverse zone for 192.168.100.0/24 with the same transfer restriction.  No
// update-policy here, so the updater script cannot maintain a matching PTR record.
zone "100.168.192.in-addr.arpa" IN {
    type master;
    file "100.168.192.zone";
    allow-transfer { 192.168.100.1; };
    };

// Slave-side equivalents, kept commented out for the secondary server.  When pasted
// there, "masters" should presumably name this master (192.168.100.2, the address in
// listen-on) rather than the secondary itself — confirm before use.
//zone "jlive.com" IN {
//    type slave;
//    file "jlive.com";
//    masters { 192.168.100.1; };
//    };
//zone "100.168.192.in-addr.arpa" IN {
//    type slave;
//    file "100.168.192.zone";
//    masters { 192.168.100.1; };
//    };

};

// NOTE(review): once "view" statements are used, every zone must live inside a view.
// Including named.rfc1912.zones at top level (outside any view) makes named(8) refuse
// to start, and the jlive.com zones in that file would also duplicate the ones defined
// in view "internal" above.
include "/etc/named.rfc1912.zones";

# Use with the following in named.conf, adjusting the allow list as needed:
#RNDC远程管理DNS
1.检查已经存在于DNS缓存中的资料
2.重新更新某个zone而不需重新启动整个DNS
3.检查DNS状态与统计资料

建立RNDC KEY的相关数据
执行rndc-confgen,将输出贴到rndc.conf文件中

# Start of rndc.conf
# rndc.conf as emitted by rndc-confgen: the client-side half of the shared secret.
key "rndc-key" {
    algorithm hmac-md5;    # what rndc-confgen produced on this BIND 9.7 build; newer releases support hmac-sha256 — prefer it when regenerating
    secret "PqS2wtxdK3hWhF4FPP71Ng==";    # this value is published in the article; generate your own — whoever holds it can drive rndc on the control channel
};

# Defaults so a bare "rndc <command>" talks to the local named over the control port.
options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 953;
};
将以下输出贴到named.conf中
# End of rndc.conf
# Server-side half for named.conf: the same key, plus a control channel that is bound to
# loopback only and requires both an address match and a valid key signature.
key "rndc-key" {
     algorithm hmac-md5;
     secret "PqS2wtxdK3hWhF4FPP71Ng==";    # must match rndc.conf; example value from the article, generate a fresh one
};

controls {
     inet 127.0.0.1 port 953    # loopback only: rndc is not reachable from the network
         allow { 127.0.0.1; } keys { "rndc-key"; };
};
修改权限
chmod 640 /etc/rndc.conf
chown root.named /etc/rndc.conf

架设动态DNS主机
cd /var/named/chroot/etc/pki/dnssec-keys
dnssec-keygen -a HMAC-MD5 -b 128 -n HOST web

#dnssec-keygen
# TSIG key generated by dnssec-keygen for the updater host; "grant web ..." in the
# zone's update-policy refers to it by this name.
# NOTE(review): the opening '{' after key "web" is missing — as written this statement
# does not parse; it should read key "web" {.
key "web"
  algorithm hmac-md5;
    secret "YajpQJPNSk+S33Yp1HxQxA==";    # example secret from the article; generate a fresh one per deployment and keep the key file root-readable only
};

vi /etc/named.rfc1912.zones
// Skeleton of the stanza to add to named.rfc1912.zones ("****" stands for the zone
// name; the filled-in version appears later on the page).  The update-policy limits
// the "web" key to adding/deleting A records at web.jlive.com. and nothing else.
zone "****" {
    type
    file
    allow-transfer
    update-policy {
    grant web name web.jlive.com. A;
    };
}


cd /var/named/chroot/etc/pki/dnssec-keys
nsupdate -k Kweb.+157+50096.key

>server    192.168.100.2
>update    delete web.jlive.com
>update add web.jlive.com 600 A 192.168.100.1
>send
>^D

自动更新脚本
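#!/bin/bash
# Dynamic DNS updater for web.jlive.com.
#
# Reads the current IPv4 address of $outif, then asks the master ($servername) to
# replace the A record for $hostname with it.  The update is signed with the TSIG
# key in $key — the key that "update-policy { grant web name web.jlive.com. A; }"
# allows to change exactly that record.  Meant to be run from cron or ifup as root.
#
# Exit status: 0 when nsupdate succeeds, 1 when no usable IPv4 address is found or
# any step fails (set -e).  Diagnostics go to stderr.
set -euo pipefail
export PATH=/usr/lib/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin

readonly basedir="/var/named/chroot/etc/pki/dnssec-keys"
readonly key="${basedir}/Kweb.+157+50096.key"   # dnssec-keygen output; the paired .private file must sit next to it
readonly ttl=600
readonly outif="eth0"
readonly hostname="web.jlive.com"
readonly servername="192.168.100.2"

# Current IPv4 address of the interface.  Still parses the legacy ifconfig
# "inet addr:x.x.x.x" layout the original relied on; `|| true` turns "no match"
# (or a missing ifconfig) into an empty string instead of aborting under pipefail,
# so the check below can report it.
newip=$(ifconfig "$outif" | grep 'inet addr' | gawk '{print $2}' | sed -e 's/addr\://' || true)

# The original test was grep '_[0-9]', which can never match a dotted quad, so the
# script always stopped here.  Accept only something shaped like an IPv4 address —
# the value is about to be written into an nsupdate command, so be strict.
if [[ ! "$newip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
  printf '%s\n' "$0: the interface can't connect internet..." >&2
  exit 1
fi

# nsupdate reads its commands from a file.  Use a private temp file that is removed
# on every exit path instead of a predictable tmp.txt left beside the keys.
tmp=$(mktemp) || exit 1
trap 'rm -f -- "$tmp"' EXIT

# Kept from the original.  With an absolute key path it is likely unnecessary for
# nsupdate, but it is harmless; set -e aborts if the key directory is missing.
cd "$basedir"

{
  printf 'server %s\n' "$servername"
  printf 'update delete %s A\n' "$hostname"
  printf 'update add %s %s A %s\n' "$hostname" "$ttl" "$newip"
  printf 'send\n'
} >"$tmp"

nsupdate -k "$key" -v "$tmp"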

###################################################
区域类型及其说明
master        主DNS
slave        从DNS
forward        转发
stub        与从DNS类似,但只保留DNS服务器名称
hint        根域名服务器
##################################################


##################################################
常用资源记录类型
TTL    time to live ,允许客户端缓存所查询的数据的时间
A    映射主机名到IP地址
NS    域名服务器
SOA    start of authority 授权开始记录
CNAME    canonical name 别名,将多个名称映射到同一台计算机上
PTR    pointer,指针记录,用于映射IP地址到主机名
WKS    已知的服务描述
RP    文本字符串,包含相关主机的连接点信息
HINFO    host information
MINFO    电子信箱或邮件列表信息
MX    mail exchanger ,指向一个邮件服务器
TXT     文本字符串
##################################################
2.vi /etc/named.conf

listen-on port 53 { any; };

vi /etc/named.rfc1912.zones

// Master for jlive.com.  Transfers are limited by source address to 192.168.100.1;
// dynamic updates are limited to the A record of web.jlive.com. signed with the "web"
// TSIG key (the key statement must exist in named.conf under that name).
zone "jlive.com" IN {
    type master;
    file "jlive.com";
    allow-transfer { 192.168.100.1; };
    update-policy { grant web name web.jlive.com. A; };
    };

// Reverse zone for 192.168.100.0/24, same transfer restriction, no dynamic updates.
zone "100.168.192.in-addr.arpa" IN {
    type master;
    file "100.168.192.zone";
    allow-transfer { 192.168.100.1; };
    };
##################################################
正向解析

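; Forward zone file for jlive.com (the "file jlive.com" referenced from named.rfc1912.zones).
; The one-character tokens ("@", "*" and the record type "A") were dropped when this
; listing was copied; they are restored here.  The "#" remarks are turned into ";"
; comments, because zone files only know ";" — a "#" would be parsed as record data.
$TTL 3D
@   IN SOA    ct6.jlive.com.  liujun_ok.hotmail.com. (
                    20120504; serial
                    1D    ; refresh
                    1H    ; retry
                    1W    ; expire
                    3H )    ; minimum

; NOTE(review): the NS target is dns.ct6.jlive.com., but the only "dns" A record below
; is dns.jlive.com (relative to this zone's origin) — confirm which name the server has.
@     IN    NS    dns.ct6.jlive.com.
dns        IN    A    192.168.100.2
ftp        IN    A    192.168.100.2
www        IN    A    192.168.100.2
*     IN    A    192.168.100.2    ; wildcard: any name in the zone not defined elsewhere
@     IN    A    192.168.100.2    ; the bare domain itself
mail        IN    MX  10  mail.ct6.jlive.com.
mail        IN    MX  12  mail2
; @   IN    MX  <PREFERENCE>  linux    ; NOTE(review): the preference number was lost in the copy — fill it in before enabling

jun        IN    CNAME    dns
xiao        IN    CNAME    dns

sun        IN    TXT    "The sun solaris OS"
sun        IN    HINFO    "Celeron 1G" "solaris 10"    ; HINFO takes two separate strings (CPU, OS)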

##################################################
反向解析
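; Reverse zone file for 192.168.100.0/24 (the "file 100.168.192.zone" referenced from
; named.rfc1912.zones).  The owner names — "@" and the host octet in front of each PTR —
; were dropped when this listing was copied.  "@" is restored; the dns entry is taken
; from the forward zone (dns -> 192.168.100.2); the rest are left as labelled
; placeholders, commented out so the file still loads.
$TTL 3D
@   IN SOA    ct6.jlive.com.  liujun_ok.hotmail.com. (
                    20120504; serial
                    1D    ; refresh
                    1H    ; retry
                    1W    ; expire
                    3H )    ; minimum

@     IN    NS    dns.ct6.jlive.com.
2     IN    PTR    dns.ct6.jlive.com.    ; presumably 192.168.100.2, as in the forward zone — confirm
; <HOST-OCTET>   IN    PTR    www.sunrun.com.    ; NOTE(review): host octet lost in the copy — fill in and uncomment
; <HOST-OCTET>   IN    PTR    www.lei.com.
; <HOST-OCTET>   IN    PTR    www.ang.com.
; <HOST-OCTET>   IN    PTR    www.yue.com.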

##################################################

以下是各自完整的 named.conf 和 named.rfc1912.zones
############
named.conf
############
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

// Global options of the working named.conf.  Unlike the earlier draft this binds every
// address ("any"), so the allow-query list is the only thing limiting who may query.
options {
    listen-on port 53 { any; };    // all interfaces; with recursion on, keep allow-query tight
//    listen-on-v6 port 53 { ::1; };
    directory     "/var/named";    // zone "file" names are resolved relative to this
    dump-file     "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
    // LAN only.  allow-recursion is not set, so by default BIND derives it from this
    // list; set it explicitly so the restriction survives a later edit to allow-query.
    allow-query     { 192.168.100.0/24; };
    recursion yes;
//    forwarders    { 168.95.1.1; };
//    forward        ( only|first; );
    dnssec-enable yes;
    dnssec-validation yes;    // validate answers against the configured trust anchors
    dnssec-lookaside auto;    // DLV lookaside; the ISC DLV registry has since been retired — drop this on current BIND

   
    bindkeys-file "/etc/named.iscdlv.key";    // built-in trust anchors read when lookaside is "auto"

};

logging {
        channel default_debug {
                file "data/named.run";    // relative to options.directory
                severity dynamic;         // follows the debug level set at run time
        };
};



# Use with the following in named.conf, adjusting the allow list as needed:
# rndc control key; must match the key in /etc/rndc.conf.
key "rndc-key" {
     algorithm hmac-md5;
     secret "PqS2wtxdK3hWhF4FPP71Ng==";    # example value published in the article — generate your own with rndc-confgen
};

# Control channel bound to loopback only; a client must come from 127.0.0.1 AND sign
# with rndc-key.
controls {
     inet 127.0.0.1 port 953
         allow { 127.0.0.1; } keys { "rndc-key"; };
};
# End of named.conf

#dnssec-keygen
# TSIG key for the dynamic-update client; referenced by name from
# "update-policy { grant web ... }" in named.rfc1912.zones.
# NOTE(review): the opening '{' after key "web" is missing — as written this does not
# parse; it should read key "web" {.
key "web"
  algorithm hmac-md5;
    secret "YajpQJPNSk+S33Yp1HxQxA==";    # example secret from the article; generate a fresh one per deployment
};

# No views are used in this file, so a top-level include of the zone file is fine here.
include "/etc/named.rfc1912.zones";


############
named.rfc1912.zones
############

// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-dra ... -local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Local host

// Root hints.
zone "." IN {
    type hint;
    file "named.ca";
};

// RFC 1912 localhost zones: static, no dynamic updates.
zone "localhost.localdomain" IN {
    type master;
    file "named.localhost";
    allow-update { none; };
};

zone "localhost" IN {
    type master;
    file "named.localhost";
    allow-update { none; };
};

// Reverse zone for ::1, disabled here (IPv6 listening is also commented out in options).
//zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
//    type master;
//    file "named.loopback";
//    allow-update { none; };
//};

// Reverse zone for 127.0.0.1.
zone "1.0.0.127.in-addr.arpa" IN {
    type master;
    file "named.loopback";
    allow-update { none; };
};

// Empty zone for 0.in-addr.arpa so such lookups are not sent upstream.
zone "0.in-addr.arpa" IN {
    type master;
    file "named.empty";
    allow-update { none; };
};

///////////////////////////////////////////////////////////////////

// Local network

// Master for jlive.com.  Transfers are limited by source address to 192.168.100.1;
// dynamic updates are limited to the A record of web.jlive.com. signed with the "web"
// TSIG key declared in named.conf, so that key cannot touch any other record.
zone "jlive.com" IN {
    type master;
    file "jlive.com";
    allow-transfer { 192.168.100.1; };
    update-policy { grant web name web.jlive.com. A; };
    };

// Reverse zone for 192.168.100.0/24, same transfer restriction, no dynamic updates
// (so the updater script cannot maintain a matching PTR record).
zone "100.168.192.in-addr.arpa" IN {
    type master;
    file "100.168.192.zone";
    allow-transfer { 192.168.100.1; };
    };

// Slave-side equivalents, kept commented out for the secondary server.  When used
// there, "masters" should presumably name this master rather than the secondary — confirm.
//zone "jlive.com" IN {
//    type slave;
//    file "jlive.com";
//    masters { 192.168.100.1; };
//    };
//zone "100.168.192.in-addr.arpa" IN {
//    type slave;
//    file "100.168.192.zone";
//    masters { 192.168.100.1; };
//    };