基于bind软件部署DNS服务器

        基于bind软件部署DNS服务器

                               作者:尹正杰 

版权声明:原创作品,谢绝转载!否则将追究法律责任。

 

 

 

一.DNS服务器类型

  DNS服务器的类型大致分为三类,即NDS服务器,从DNS服务器和缓存DNS服务器(也可以叫"DNS转发器")

  主DNS服务器:
    管理和维护所负责解析的域内解析库的服务器。常用的专业数学与如下所示:
      序列号:
        解析库版本号,主服务器解析库变化时,其序列递增。
      刷新时间间隔:
        从服务器从主服务器请求同步解析的时间间隔。
      重试时间间隔:
        从服务器请求同步失败时,再次尝试时间间隔。
      过期时长:
        主服务器解析库发生变化时,会主动通知从服务器。
      
  从DNS服务器:
    从主服务器或从服务器"复制"(区域传输)解析库副本。

  通知机制:
    主服务器解析库发生变化时,会主动通知从服务器。

  区域传输:
    完全传输: 
      传送整个解析库。
    增量传输:
      传输解析库变化的那部分内容。

  Domain(Fully Qualified Domain Name):
    正向: FQDN ---> IP
    反向: IP ---> FQDN

  负责本地域名的正向和反向解析库。
    正向区域:
      略,前面的笔记已经说过了。
    反向区域:
      略。

  温馨提示:
    关于DNS原理的内容我就不在此赘述了,感兴趣的小伙伴可参考我之前的笔记: https://www.cnblogs.com/yinzhengjie/p/14204430.html

 

二.基于bind开源软件部署DNS服务器

1>.实验前准备(仅需关闭DNS服务器的防火墙即可)

[root@dns53.yinzhengjie.com ~]# cat /etc/redhat-release 
CentOS Linux release 7.9.2009 (Core)
[root@dns53.yinzhengjie.com ~]# 
[root@dns53.yinzhengjie.com ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: en
abled)   Active: active (running) since 四 2020-12-31 19:27:59 CST; 1h 57min ago
     Docs: man:firewalld(1)
 Main PID: 592 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─592 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid

12月 31 19:27:58 dns53.yinzhengjie.com systemd[1]: Starting firewalld - dynamic fir....
12月 31 19:27:59 dns53.yinzhengjie.com systemd[1]: Started firewalld - dynamic fire....
12月 31 19:27:59 dns53.yinzhengjie.com firewalld[592]: WARNING: AllowZoneDrifting i....
Hint: Some lines were ellipsized, use -l to show in full.
[root@dns53.yinzhengjie.com ~]# 
[root@dns53.yinzhengjie.com ~]# 
[root@dns53.yinzhengjie.com ~]# systemctl stop firewalld
[root@dns53.yinzhengjie.com ~]# 
[root@dns53.yinzhengjie.com ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@dns53.yinzhengjie.com ~]# 
[root@dns53.yinzhengjie.com ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: e
nabled)   Active: inactive (dead)
     Docs: man:firewalld(1)

12月 31 19:27:58 dns53.yinzhengjie.com systemd[1]: Starting firewalld - dynamic fir....
12月 31 19:27:59 dns53.yinzhengjie.com systemd[1]: Started firewalld - dynamic fire....
12月 31 19:27:59 dns53.yinzhengjie.com firewalld[592]: WARNING: AllowZoneDrifting i....
12月 31 21:25:24 dns53.yinzhengjie.com systemd[1]: Stopping firewalld - dynamic fir....
12月 31 21:25:25 dns53.yinzhengjie.com systemd[1]: Stopped firewalld - dynamic fire....
Hint: Some lines were ellipsized, use -l to show in full.
[root@dns53.yinzhengjie.com ~]# 
[root@dns53.yinzhengjie.com ~]# systemctl stop firewalld

2>.选择bind软件部署DNS服务器

  市面上跨平台且开源的DNS服务器软件有很多,比如: smartdns,CoreDNS,godoh,robdns等等,它们各有优势,你可以选择你感兴趣的开源DNS服务软件进行部署。

  如下图所示,今天我们部署DNS服务器使用的是CentOS Linux 7.9中yum源自带的DNS服务器软件,即bind软件。

2>.安装DNS服务器

[root@dns53.yinzhengjie.com ~]# yum -y install bind
[root@dns53.yinzhengjie.com ~]# rpm -q --scripts bind
preinstall scriptlet (using /bin/sh):
if [ "$1" -eq 1 ]; then
  /usr/sbin/groupadd -g 25 -f -r named >/dev/null 2>&1 || :;
  /usr/sbin/useradd  -u 25 -r -N -M -g named -s /sbin/nologin -d /var/named -c Named named >/dev/null 2>&1 || :;
fi;
:;
postinstall scriptlet (using /bin/sh):
/sbin/ldconfig
if [ "$1" -eq 1 ]; then
  # Initial installation
  [ -x /sbin/restorecon ] && /sbin/restorecon /etc/rndc.* /etc/named.* >/dev/null 2>&1 ;
  # rndc.key has to have correct perms and ownership, CVE-2007-6283
  [ -e /etc/rndc.key ] && chown root:named /etc/rndc.key
  [ -e /etc/rndc.key ] && chmod 0640 /etc/rndc.key
else
  # Upgrade, use nologin shell again
  if getent passwd named | grep ':/bin/false$' >/dev/null; then
    /sbin/usermod -s /sbin/nologin named
  fi
fi
. /etc/selinux/config
if /usr/sbin/selinuxenabled && [ "${SELINUX}" != "disabled" ] ; then
  
. /etc/selinux/config 
_policytype=targeted 
if [ -z "${_policytype}" ]; then 
  _policytype="targeted" 
fi 
if [ -d "/etc/selinux/${_policytype}" ]; then 
  LOCAL_MODIFICATIONS=$(/usr/sbin/semanage boolean -E) 
  if [ ! -f /etc/selinux/${_policytype}/rpmbooleans.custom ]; then 
      /bin/echo "# This file is managed by macros.selinux-policy. Do not edit it manually" > /etc/selinux/${_policytype}/rpmbooleans.custom 
  fi 
  semanage_import='' 
  for boolean in named_write_master_zones=1; do 
      boolean_name=${boolean%=*} 
      boolean_value=${boolean#*=} 
      boolean_local_string=$(grep "$boolean_name$" <<<$LOCAL_MODIFICATIONS) 
      if [ -n "$boolean_local_string" ]; then 
          semanage_import="${semanage_import}\nboolean -m -$boolean_value $boolean_name" 
          boolean_customized_string=$(grep "$boolean_name$" /etc/selinux/${_policytype}/rpmbooleans.custom | tail -n 1) 
          if [ -n "$boolean_customized_string" ]; then 
              /bin/echo $boolean_customized_string >> /etc/selinux/${_policytype}/rpmbooleans.custom 
          else 
              /bin/echo $boolean_local_string >> /etc/selinux/${_policytype}/rpmbooleans.custom 
          fi 
      else 
          semanage_import="${semanage_import}\nboolean -m -$boolean_value $boolean_name" 
          boolean_default_value=$(LC_ALL=C /usr/sbin/semanage boolean -l | grep "^$boolean_name " | sed 's/[^(]*([^,]*, *\(on\|off\).*/\1/') 
          /bin/echo "boolean -m --$boolean_default_value $boolean_name" >> /etc/selinux/${_policytype}/rpmbooleans.custom 
      fi 
  done; 
  if /usr/sbin/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then 
      /bin/echo -e "$semanage_import" | /usr/sbin/semanage import -S "${_policytype}" 
  elif test -d /usr/share/selinux/"${_policytype}"/base.lst; then 
      /bin/echo -e "$semanage_import" | /usr/sbin/semanage import -S "${_policytype}" -N 
  fi 
fi 

  
. /etc/selinux/config 
_policytype=mls 
if [ -z "${_policytype}" ]; then 
  _policytype="targeted" 
fi 
if [ -d "/etc/selinux/${_policytype}" ]; then 
  LOCAL_MODIFICATIONS=$(/usr/sbin/semanage boolean -E) 
  if [ ! -f /etc/selinux/${_policytype}/rpmbooleans.custom ]; then 
      /bin/echo "# This file is managed by macros.selinux-policy. Do not edit it manually" > /etc/selinux/${_policytype}/rpmbooleans.custom 
  fi 
  semanage_import='' 
  for boolean in named_write_master_zones=1; do 
      boolean_name=${boolean%=*} 
      boolean_value=${boolean#*=} 
      boolean_local_string=$(grep "$boolean_name$" <<<$LOCAL_MODIFICATIONS) 
      if [ -n "$boolean_local_string" ]; then 
          semanage_import="${semanage_import}\nboolean -m -$boolean_value $boolean_name" 
          boolean_customized_string=$(grep "$boolean_name$" /etc/selinux/${_policytype}/rpmbooleans.custom | tail -n 1) 
          if [ -n "$boolean_customized_string" ]; then 
              /bin/echo $boolean_customized_string >> /etc/selinux/${_policytype}/rpmbooleans.custom 
          else 
              /bin/echo $boolean_local_string >> /etc/selinux/${_policytype}/rpmbooleans.custom 
          fi 
      else 
          semanage_import="${semanage_import}\nboolean -m -$boolean_value $boolean_name" 
          boolean_default_value=$(LC_ALL=C /usr/sbin/semanage boolean -l | grep "^$boolean_name " | sed 's/[^(]*([^,]*, *\(on\|off\).*/\1/') 
          /bin/echo "boolean -m --$boolean_default_value $boolean_name" >> /etc/selinux/${_policytype}/rpmbooleans.custom 
      fi 
  done; 
  if /usr/sbin/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then 
      /bin/echo -e "$semanage_import" | /usr/sbin/semanage import -S "${_policytype}" 
  elif test -d /usr/share/selinux/"${_policytype}"/base.lst; then 
      /bin/echo -e "$semanage_import" | /usr/sbin/semanage import -S "${_policytype}" -N 
  fi 
fi 

fi

if [ $1 -eq 1 ] ; then 
        # Initial installation 
        systemctl preset named.service >/dev/null 2>&1 || : 
fi 

:;
preuninstall scriptlet (using /bin/sh):
# Package removal, not upgrade

if [ $1 -eq 0 ] ; then 
        # Package removal, not upgrade 
        systemctl --no-reload disable named.service > /dev/null 2>&1 || : 
        systemctl stop named.service > /dev/null 2>&1 || : 
fi
postuninstall scriptlet (using /bin/sh):
/sbin/ldconfig

systemctl daemon-reload >/dev/null 2>&1 || : 
if [ $1 -ge 1 ] ; then 
        # Package upgrade, not uninstall 
        systemctl try-restart named.service >/dev/null 2>&1 || : 
fi 

# Unset on both upgrade and install. Boolean would be unset from now
# until %posttrans on upgrade. Write requests might fail during update.
. /etc/selinux/config
if /usr/sbin/selinuxenabled && [ "${SELINUX}" != "disabled" ] ; then
  
. /etc/selinux/config 
_policytype=targeted 
if [ -z "${_policytype}" ]; then 
  _policytype="targeted" 
fi 
if [ -d "/etc/selinux/${_policytype}" ]; then 
  semanage_import='' 
  for boolean in named_write_master_zones=1; do 
      boolean_name=${boolean%=*} 
      boolean_customized_string=$(grep "$boolean_name$" /etc/selinux/${_policytype}/rpmbooleans.custom | tail -n 1) 
      if [ -n "$boolean_customized_string" ]; then 
          awk "/$boolean_customized_string/ && !f{f=1; next} 1" /etc/selinux/${_policytype}/rpmbooleans.custom > /etc/selinux/${_policytype}/rpmbooleans.custom.tmp && mv /etc/selinux/${_pol
icytype}/rpmbooleans.custom.tmp /etc/selinux/${_policytype}/rpmbooleans.custom           if ! grep -q "$boolean_name$" /etc/selinux/${_policytype}/rpmbooleans.custom; then 
              semanage_import="${semanage_import}\n${boolean_customized_string}" 
          fi 
      fi 
  done; 
  if /usr/sbin/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then 
      /bin/echo -e "$semanage_import" | /usr/sbin/semanage import -S "${_policytype}" 
  elif test -d /usr/share/selinux/"${_policytype}"/base.lst; then 
      /bin/echo -e "$semanage_import" | /usr/sbin/semanage import -S "${_policytype}" -N 
  fi 
fi 

  
. /etc/selinux/config 
_policytype=mls 
if [ -z "${_policytype}" ]; then 
  _policytype="targeted" 
fi 
if [ -d "/etc/selinux/${_policytype}" ]; then 
  semanage_import='' 
  for boolean in named_write_master_zones=1; do 
      boolean_name=${boolean%=*} 
      boolean_customized_string=$(grep "$boolean_name$" /etc/selinux/${_policytype}/rpmbooleans.custom | tail -n 1) 
      if [ -n "$boolean_customized_string" ]; then 
          awk "/$boolean_customized_string/ && !f{f=1; next} 1" /etc/selinux/${_policytype}/rpmbooleans.custom > /etc/selinux/${_policytype}/rpmbooleans.custom.tmp && mv /etc/selinux/${_pol
icytype}/rpmbooleans.custom.tmp /etc/selinux/${_policytype}/rpmbooleans.custom           if ! grep -q "$boolean_name$" /etc/selinux/${_policytype}/rpmbooleans.custom; then 
              semanage_import="${semanage_import}\n${boolean_customized_string}" 
          fi 
      fi 
  done; 
  if /usr/sbin/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then 
      /bin/echo -e "$semanage_import" | /usr/sbin/semanage import -S "${_policytype}" 
  elif test -d /usr/share/selinux/"${_policytype}"/base.lst; then 
      /bin/echo -e "$semanage_import" | /usr/sbin/semanage import -S "${_policytype}" -N 
  fi 
fi 

fi
[root@dns53.yinzhengjie.com ~]# 
[root@dns53.yinzhengjie.com ~]# rpm -q --scripts bind  # 查看安装bind软件过程中都做了哪些事情。
[root@dns53.yinzhengjie.com ~]# rpm -ql bind
/etc/logrotate.d/named
/etc/named
/etc/named.conf
/etc/named.iscdlv.key
/etc/named.rfc1912.zones
/etc/named.root.key
/etc/rndc.conf
/etc/rndc.key
/etc/rwtab.d/named
/etc/sysconfig/named
/run/named
/usr/bin/arpaname
/usr/bin/named-rrchecker
/usr/lib/python2.7/site-packages/isc
/usr/lib/python2.7/site-packages/isc-2.0-py2.7.egg-info
/usr/lib/python2.7/site-packages/isc/__init__.py
/usr/lib/python2.7/site-packages/isc/__init__.pyc
/usr/lib/python2.7/site-packages/isc/__init__.pyo
/usr/lib/python2.7/site-packages/isc/checkds.py
/usr/lib/python2.7/site-packages/isc/checkds.pyc
/usr/lib/python2.7/site-packages/isc/checkds.pyo
/usr/lib/python2.7/site-packages/isc/coverage.py
/usr/lib/python2.7/site-packages/isc/coverage.pyc
/usr/lib/python2.7/site-packages/isc/coverage.pyo
/usr/lib/python2.7/site-packages/isc/dnskey.py
/usr/lib/python2.7/site-packages/isc/dnskey.pyc
/usr/lib/python2.7/site-packages/isc/dnskey.pyo
/usr/lib/python2.7/site-packages/isc/eventlist.py
/usr/lib/python2.7/site-packages/isc/eventlist.pyc
/usr/lib/python2.7/site-packages/isc/eventlist.pyo
/usr/lib/python2.7/site-packages/isc/keydict.py
/usr/lib/python2.7/site-packages/isc/keydict.pyc
/usr/lib/python2.7/site-packages/isc/keydict.pyo
/usr/lib/python2.7/site-packages/isc/keyevent.py
/usr/lib/python2.7/site-packages/isc/keyevent.pyc
/usr/lib/python2.7/site-packages/isc/keyevent.pyo
/usr/lib/python2.7/site-packages/isc/keymgr.py
/usr/lib/python2.7/site-packages/isc/keymgr.pyc
/usr/lib/python2.7/site-packages/isc/keymgr.pyo
/usr/lib/python2.7/site-packages/isc/keyseries.py
/usr/lib/python2.7/site-packages/isc/keyseries.pyc
/usr/lib/python2.7/site-packages/isc/keyseries.pyo
/usr/lib/python2.7/site-packages/isc/keyzone.py
/usr/lib/python2.7/site-packages/isc/keyzone.pyc
/usr/lib/python2.7/site-packages/isc/keyzone.pyo
/usr/lib/python2.7/site-packages/isc/parsetab.py
/usr/lib/python2.7/site-packages/isc/parsetab.pyc
/usr/lib/python2.7/site-packages/isc/parsetab.pyo
/usr/lib/python2.7/site-packages/isc/policy.py
/usr/lib/python2.7/site-packages/isc/policy.pyc
/usr/lib/python2.7/site-packages/isc/policy.pyo
/usr/lib/python2.7/site-packages/isc/rndc.py
/usr/lib/python2.7/site-packages/isc/rndc.pyc
/usr/lib/python2.7/site-packages/isc/rndc.pyo
/usr/lib/python2.7/site-packages/isc/utils.py
/usr/lib/python2.7/site-packages/isc/utils.pyc
/usr/lib/python2.7/site-packages/isc/utils.pyo
/usr/lib/systemd/system/named-setup-rndc.service
/usr/lib/systemd/system/named.service
/usr/lib/tmpfiles.d/named.conf
/usr/lib64/bind
/usr/libexec/generate-rndc-key.sh
/usr/sbin/ddns-confgen
/usr/sbin/dnssec-checkds
/usr/sbin/dnssec-coverage
/usr/sbin/dnssec-dsfromkey
/usr/sbin/dnssec-importkey
/usr/sbin/dnssec-keyfromlabel
/usr/sbin/dnssec-keygen
/usr/sbin/dnssec-keymgr
/usr/sbin/dnssec-revoke
/usr/sbin/dnssec-settime
/usr/sbin/dnssec-signzone
/usr/sbin/dnssec-verify
/usr/sbin/genrandom
/usr/sbin/isc-hmac-fixup
/usr/sbin/lwresd
/usr/sbin/named
/usr/sbin/named-checkconf
/usr/sbin/named-checkzone
/usr/sbin/named-compilezone
/usr/sbin/named-journalprint
/usr/sbin/nsec3hash
/usr/sbin/rndc
/usr/sbin/rndc-confgen
/usr/sbin/tsig-keygen
/usr/share/doc/bind-9.11.4
/usr/share/doc/bind-9.11.4/Bv9ARM.ch01.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch02.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch03.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch04.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch05.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch06.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch07.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch08.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch09.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch10.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch11.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch12.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch13.html
/usr/share/doc/bind-9.11.4/Bv9ARM.html
/usr/share/doc/bind-9.11.4/Bv9ARM.pdf
/usr/share/doc/bind-9.11.4/CHANGES
/usr/share/doc/bind-9.11.4/README
/usr/share/doc/bind-9.11.4/isc-logo.pdf
/usr/share/doc/bind-9.11.4/man.arpaname.html
/usr/share/doc/bind-9.11.4/man.ddns-confgen.html
/usr/share/doc/bind-9.11.4/man.delv.html
/usr/share/doc/bind-9.11.4/man.dig.html
/usr/share/doc/bind-9.11.4/man.dnssec-checkds.html
/usr/share/doc/bind-9.11.4/man.dnssec-coverage.html
/usr/share/doc/bind-9.11.4/man.dnssec-dsfromkey.html
/usr/share/doc/bind-9.11.4/man.dnssec-importkey.html
/usr/share/doc/bind-9.11.4/man.dnssec-keyfromlabel.html
/usr/share/doc/bind-9.11.4/man.dnssec-keygen.html
/usr/share/doc/bind-9.11.4/man.dnssec-keymgr.html
/usr/share/doc/bind-9.11.4/man.dnssec-revoke.html
/usr/share/doc/bind-9.11.4/man.dnssec-settime.html
/usr/share/doc/bind-9.11.4/man.dnssec-signzone.html
/usr/share/doc/bind-9.11.4/man.dnssec-verify.html
/usr/share/doc/bind-9.11.4/man.dnstap-read.html
/usr/share/doc/bind-9.11.4/man.genrandom.html
/usr/share/doc/bind-9.11.4/man.host.html
/usr/share/doc/bind-9.11.4/man.isc-hmac-fixup.html
/usr/share/doc/bind-9.11.4/man.lwresd.html
/usr/share/doc/bind-9.11.4/man.mdig.html
/usr/share/doc/bind-9.11.4/man.named-checkconf.html
/usr/share/doc/bind-9.11.4/man.named-checkzone.html
/usr/share/doc/bind-9.11.4/man.named-journalprint.html
/usr/share/doc/bind-9.11.4/man.named-nzd2nzf.html
/usr/share/doc/bind-9.11.4/man.named-rrchecker.html
/usr/share/doc/bind-9.11.4/man.named.conf.html
/usr/share/doc/bind-9.11.4/man.named.html
/usr/share/doc/bind-9.11.4/man.nsec3hash.html
/usr/share/doc/bind-9.11.4/man.nslookup.html
/usr/share/doc/bind-9.11.4/man.nsupdate.html
/usr/share/doc/bind-9.11.4/man.pkcs11-destroy.html
/usr/share/doc/bind-9.11.4/man.pkcs11-keygen.html
/usr/share/doc/bind-9.11.4/man.pkcs11-list.html
/usr/share/doc/bind-9.11.4/man.pkcs11-tokens.html
/usr/share/doc/bind-9.11.4/man.rndc-confgen.html
/usr/share/doc/bind-9.11.4/man.rndc.conf.html
/usr/share/doc/bind-9.11.4/man.rndc.html
/usr/share/doc/bind-9.11.4/named.conf.default
/usr/share/doc/bind-9.11.4/notes.html
/usr/share/doc/bind-9.11.4/notes.pdf
/usr/share/doc/bind-9.11.4/sample
/usr/share/doc/bind-9.11.4/sample/etc
/usr/share/doc/bind-9.11.4/sample/etc/named.conf
/usr/share/doc/bind-9.11.4/sample/etc/named.rfc1912.zones
/usr/share/doc/bind-9.11.4/sample/var
/usr/share/doc/bind-9.11.4/sample/var/named
/usr/share/doc/bind-9.11.4/sample/var/named/data
/usr/share/doc/bind-9.11.4/sample/var/named/my.external.zone.db
/usr/share/doc/bind-9.11.4/sample/var/named/my.internal.zone.db
/usr/share/doc/bind-9.11.4/sample/var/named/named.ca
/usr/share/doc/bind-9.11.4/sample/var/named/named.empty
/usr/share/doc/bind-9.11.4/sample/var/named/named.localhost
/usr/share/doc/bind-9.11.4/sample/var/named/named.loopback
/usr/share/doc/bind-9.11.4/sample/var/named/slaves
/usr/share/doc/bind-9.11.4/sample/var/named/slaves/my.ddns.internal.zone.db
/usr/share/doc/bind-9.11.4/sample/var/named/slaves/my.slave.internal.zone.db
/usr/share/man/man1/arpaname.1.gz
/usr/share/man/man1/named-rrchecker.1.gz
/usr/share/man/man5/named.conf.5.gz
/usr/share/man/man5/rndc.conf.5.gz
/usr/share/man/man8/ddns-confgen.8.gz
/usr/share/man/man8/dnssec-checkds.8.gz
/usr/share/man/man8/dnssec-coverage.8.gz
/usr/share/man/man8/dnssec-dsfromkey.8.gz
/usr/share/man/man8/dnssec-importkey.8.gz
/usr/share/man/man8/dnssec-keyfromlabel.8.gz
/usr/share/man/man8/dnssec-keygen.8.gz
/usr/share/man/man8/dnssec-keymgr.8.gz
/usr/share/man/man8/dnssec-revoke.8.gz
/usr/share/man/man8/dnssec-settime.8.gz
/usr/share/man/man8/dnssec-signzone.8.gz
/usr/share/man/man8/dnssec-verify.8.gz
/usr/share/man/man8/genrandom.8.gz
/usr/share/man/man8/isc-hmac-fixup.8.gz
/usr/share/man/man8/lwresd.8.gz
/usr/share/man/man8/named-checkconf.8.gz
/usr/share/man/man8/named-checkzone.8.gz
/usr/share/man/man8/named-compilezone.8.gz
/usr/share/man/man8/named-journalprint.8.gz
/usr/share/man/man8/named.8.gz
/usr/share/man/man8/nsec3hash.8.gz
/usr/share/man/man8/rndc-confgen.8.gz
/usr/share/man/man8/rndc.8.gz
/usr/share/man/man8/tsig-keygen.8.gz
/var/log/named.log
/var/named
/var/named/data
/var/named/dynamic
/var/named/named.ca
/var/named/named.empty
/var/named/named.localhost
/var/named/named.loopback
/var/named/slaves
[root@dns53.yinzhengjie.com ~]# 
[root@dns53.yinzhengjie.com ~]# 
[root@dns53.yinzhengjie.com ~]# rpm -ql bind

3>.bind服务软件常用文件说明

  主配置文件:
    /etc/named.conf

  服务名称:
    /usr/lib/systemd/system/named.service:

  主程序:
    /usr/sbin/named

  数据库文件:
    /var/named

  日志文件:
    /var/log/named.log

  存储根域服务器地址的文件:
    /var/named/named.ca

  检查配置文件语法程序:
    /usr/sbin/named-checkconf

  重新加载bind服务的配置文件,而无需重启服务:
    /usr/sbin/rndc

4>.启动DNS服务器

[root@dns53.yinzhengjie.com ~]# systemctl start named
[root@dns53.yinzhengjie.com ~]# 
[root@dns53.yinzhengjie.com ~]# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.
[root@dns53.yinzhengjie.com ~]# 


温馨提示:
  如下图所示,我们成功启动了DNS服务器,但我埋下了一个坑,因为我没有修改bind服务的配置文件,这意味着默认监听的服务器地址是本地回环地址(即127.0.0.1)哟~

5>.找一台客户端将其DNS服务器指向咱们自建的bind服务器哟

 

三.验证DNS服务器的可用性

1>.客户端连接DNS服务器解析,发现超时

  如下图所示,这就是我上面提到的,给大家埋了一个坑,因为我没有修改bind服务的配置服务,因此它会使用默认的配置文件。而默认的配置文件监听的都是IPv4和IPv6的本地回环地址。

  温馨提示:
    我们可以注释"listen-on"和"listen-on-v6",也会默认监听本地的所有主机哟。

2>.修改bind服务的监听地址

  如下图所示,我们可以将IPV4和IPV6的监听地址修改为"localhost",这样就会监听DNS服务器的所有网卡IP地址啦!

  生产环境中,建议大家还是配置成对应DNS服务器实际的网卡地址,除非你明确知道你要监听所有的DNS服务器的所有网卡地址,因为有的服务器网卡接口不止一个,甚至一台服务有十几块网卡都是存在的哟~

3>.默认情况下,仅允许DNS服务器自己有权限访问DNS服务哟

  如下图所示,DNS服务器是可以进行解析操作的,但是非DNS的其他主机却无法进行解析。这是DNS默认是有权限的,需要我们手动修改!

4>.修改DNS服务器的权限

[root@dns53.yinzhengjie.com ~]# egrep -v "^//|^$" /etc/named.conf | head 
options {
    listen-on port 53 { localhost; };
    listen-on-v6 port 53 { localhost; };
    directory     "/var/named";
    dump-file     "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file  "/var/named/data/named.recursing";
    secroots-file   "/var/named/data/named.secroots";
    allow-query     { any; };
[root@dns53.yinzhengjie.com ~]# 
[root@dns53.yinzhengjie.com ~]# 
[root@dns53.yinzhengjie.com ~]# named-checkconf  # 检查bind程序的语法配置是否正确 
[root@dns53.yinzhengjie.com ~]# 
[root@dns53.yinzhengjie.com ~]# rndc reload  # 重新加载bind的配置文件!
server reload successful
[root@dns53.yinzhengjie.com ~]# 


温馨提示:
  需要注意的是,allow-query可以设置为any,表示允许所有客户端访问,当然,如果你注释改行的话默认就是any。
  顺表说一句,除了将allow-query设置为any值外,我们还可以允许指定主机网段来访问本DNS服务器,比如仅允许"172.200.0.0/21"的网段访问!

5>.DNS正向解析实现

  如果能做到这一步,说明你的DNS服务器部署完毕了,那么接下来我们就开始来自定义DNS服务器来进行解析操作啦!

  DNS正向解析实现可以参考我另一篇笔记:
    https://www.cnblogs.com/yinzhengjie/p/14218718.html

 

posted @ 2020-12-31 00:49  尹正杰  阅读(595)  评论(0编辑  收藏  举报