DNS Server Installation and Configuration

I. Installing and Configuring the DNS Service

The DNS implementation is BIND (Berkeley Internet Name Domain), later handed over to ISC (www.isc.org) for maintenance.
The DNS service's package is named bind and its daemon is named.
The required packages are as follows:

  • bind
  • bind-libs
  • bind-utils
  • bind-chroot: /var/named/chroot/, optional

1.1 Installing bind

On CentOS it can be installed directly with yum, or built from source.

# yum installation
~]# yum install bind bind-libs bind-utils bind-chroot

# for a source build, refer to the README

1.2 bind configuration files

bind service script: CentOS 6 (/etc/rc.d/init.d/named); CentOS 7 (/usr/lib/systemd/system/named.service)
Main configuration files: /etc/named.conf, /etc/named.rfc1912.zones, /etc/rndc.key
Zone database files: /var/named/ZONE_NAME.zone
NOTE:

  • rndc (remote named domain controller) is installed on the same host as bind by default and can only connect to the named process via 127.0.0.1; it provides auxiliary management functions.
  • One physical server can provide resolution for multiple zones at the same time.
  • A root zone file is required.
  • There should be two zone databases (or even more, if IPv6 addresses are included) that resolve localhost and the loopback address.

The main configuration file defines the listening addresses and port, security policy, logging, zone configuration and so on.

# /etc/named.conf
    # global options: options {};
    # logging subsystem: logging {};

# /etc/named.rfc1912.zones
    # zone definitions: every zone this host is to resolve must be defined here
        # zone "zone_name" IN {};

NOTE: Any service that is expected to be reachable from other hosts over the network must listen on at least one IP address that can communicate with those hosts.

1.3 Configuring bind

Caching name server configuration:

# set the external listen address
listen-on port 53 { 192.168.123.132; 127.0.0.1; };

# disable DNSSEC
dnssec-enable no;
dnssec-validation no;

# change allow-query
allow-query { any; };

# sample configuration file:
[root@docker-package etc]# vim /etc/named.conf

options {
        listen-on port 53 { 192.168.123.132; 127.0.0.1; };
//      listen-on-v6 port 53 { ::1; }; # the IPv6 listener can be commented out if IPv6 is not in use
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };

        /* 
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable 
           recursion. 
         - If your recursive DNS server has a public IP address, you MUST enable access 
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification 
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface 
        */
        recursion yes;

        dnssec-enable no;
        dnssec-validation no;

        /* Path to ISC DLV key */
//      bindkeys-file "/etc/named.iscdlv.key";

//      managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

[root@leistudy yum.repos.d]# systemctl start named
[root@leistudy yum.repos.d]# ss -tunl | grep ":53\b"
udp    UNCONN     0      0      192.168.123.100:53                    *:*                  
udp    UNCONN     0      0      127.0.0.1:53                    *:*                  
tcp    LISTEN     0      10     192.168.123.100:53                    *:*                  
tcp    LISTEN     0      10     127.0.0.1:53                    *:*                  
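The sample above leaves recursion on with allow-query { any; }, which is exactly the open-resolver case the comment block in named.conf warns about, and it never sets allow-transfer (which also bears on rule 4 of the master/slave section below). The following is an added check, not part of the original page: it reads an options block, applies the access-list fallback rules from the BIND 9 ARM, and flags an open resolver or unrestricted zone transfers. The hardened variant with allow-recursion and allow-transfer is an assumed example, not the page's configuration.

```python
import re

# Constructed sample: the options block from this page's named.conf, trimmed to
# the directives that decide who may use the server.
PAGE_OPTIONS = """options {
//      listen-on-v6 port 53 { ::1; };
        allow-query     { any; };
        /* If your recursive DNS server has a public IP address, you MUST
           enable access control to limit queries to your legitimate users. */
        recursion yes;
};"""
# Constructed hardened variant (an assumption, not the page's config): recursion
# only for the LAN, and only the slave ns2 (192.168.123.101) may pull transfers.
HARDENED_OPTIONS = """options {
        allow-query     { any; };
        allow-recursion { 127.0.0.1; 192.168.123.0/24; };
        allow-transfer  { 192.168.123.101; };
        recursion yes;
};"""

def strip_comments(text):
    """Drop the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def acl(text, name):
    """Address-match list of `name { ...; };` as a list, or None if absent."""
    m = re.search(r"\b%s\s*\{([^}]*)\}\s*;" % re.escape(name), text)
    return None if m is None else [t.strip() for t in m.group(1).split(";") if t.strip()]

def recursion_acl(text):
    # BIND 9 ARM fallback chain: allow-recursion, else allow-query-cache,
    # else allow-query, else localnets + localhost.
    for name in ("allow-recursion", "allow-query-cache", "allow-query"):
        lst = acl(text, name)
        if lst is not None:
            return lst
    return ["localnets", "localhost"]

def findings(conf):
    """Exposure findings for an options block; an empty list means nothing flagged."""
    text = strip_comments(conf)
    out = []
    xfer = acl(text, "allow-transfer")
    if xfer is None or "any" in xfer:          # BIND 9 default is any
        out.append("zone transfer (AXFR) allowed from any host")
    m = re.search(r"\brecursion\s+(yes|no)\s*;", text)
    recursion = m.group(1) if m else "yes"     # BIND 9 default is yes
    if recursion == "yes" and "any" in recursion_acl(text):
        out.append("open resolver: recursion yes and recursion allowed from any")
    return out
```

Run findings(PAGE_OPTIONS) against the page's block to see both findings, and findings(HARDENED_OPTIONS) to confirm the hardened block is clean.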

Primary DNS server forward zone configuration:

# add a zone file on top of the caching DNS server configuration
# define the zone in /etc/named.rfc1912.zones

# example:
[root@leistudy yum.repos.d]# vim /etc/named.rfc1912.zones
zone "leistudy.com" IN {
        type master;
        file "leistudy.com.zone";
};

# define the zone database file
    # macro definitions
    # resource records

# example:
[root@leistudy ~]# cd /var/named/
[root@leistudy named]# ls
chroot  data  dynamic  named.ca  named.empty  named.localhost  named.loopback  slaves

[root@leistudy named]# vim leistudy.com.zone
$TTL 86400
$ORIGIN leistudy.com.
@       IN      SOA     ns1.leistudy.com.       admin.leistudy.com. (   ; RNAME needs the trailing dot, or it is expanded relative to $ORIGIN
                        2018032901
                        1H
                        5M
                        7D
                        1D
)

        IN      NS      ns1
        IN      NS      ns2
        IN      MX  10  mx1
        IN      MX  20  mx2
ns1     IN      A       192.168.123.100
ns2     IN      A       192.168.123.101
mx1     IN      A       192.168.123.100
mx2     IN      A       192.168.123.101
www     IN      A       192.168.123.100
web     IN      CNAME   www

# check the zone file for errors
[root@leistudy named]# named-checkzone "leistudy.com" /var/named/leistudy.com.zone      
zone leistudy.com/IN: loaded serial 2018032901
OK

# reload the configuration
[root@leistudy named]# rndc reload
server reload successful

# test
[root@leistudy named]# dig -t A www.leistudy.com @192.168.123.100

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> -t A www.leistudy.com @192.168.123.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29655
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.leistudy.com.              IN      A

;; ANSWER SECTION:
www.leistudy.com.       86400   IN      A       192.168.123.100

;; AUTHORITY SECTION:
leistudy.com.           86400   IN      NS      ns2.leistudy.com.
leistudy.com.           86400   IN      NS      ns1.leistudy.com.

;; ADDITIONAL SECTION:
ns1.leistudy.com.       86400   IN      A       192.168.123.100
ns2.leistudy.com.       86400   IN      A       192.168.123.101

;; Query time: 0 msec
;; SERVER: 192.168.123.100#53(192.168.123.100)
;; WHEN: Thu Mar 29 17:11:04 CST 2018
;; MSG SIZE  rcvd: 129

Primary DNS server reverse zone configuration:

# zone name: the network address written in reverse, followed by .in-addr.arpa
192.168.123. --> 123.168.192.in-addr.arpa

# define the zone in /etc/named.rfc1912.zones
[root@leistudy ~]# vim /etc/named.rfc1912.zones
zone "123.168.192.in-addr.arpa" IN {
        type master;
        file "123.168.192.in-addr.arpa.zone";
};

# define the reverse zone database file
[root@leistudy ~]# vim /var/named/123.168.192.in-addr.arpa.zone
$TTL 86400
$ORIGIN 123.168.192.in-addr.arpa.
@       IN      SOA     ns1.leistudy.com.       admin.leistudy.com. (
                        2018032901
                        1H
                        5M
                        7D
                        1D
)

        IN      NS      ns1.leistudy.com.
        IN      NS      ns2.leistudy.com.
100     IN      PTR     ns1.leistudy.com.
101     IN      PTR     ns2.leistudy.com.
100     IN      PTR     mx1.leistudy.com.
101     IN      PTR     mx2.leistudy.com.
100     IN      PTR     www.leistudy.com.

# check the zone database file
[root@leistudy ~]# named-checkzone "123.168.192.in-addr.arpa" /var/named/123.168.192.in-addr.arpa.zone 
zone 123.168.192.in-addr.arpa/IN: loaded serial 2018032901
OK

# reload the configuration
[root@leistudy ~]# rndc reload
server reload successful

# reverse lookup test
[root@leistudy ~]# host -t PTR 192.168.123.100 192.168.123.100
Using domain server:
Name: 192.168.123.100
Address: 192.168.123.100#53
Aliases: 

100.123.168.192.in-addr.arpa domain name pointer ns1.leistudy.com.
100.123.168.192.in-addr.arpa domain name pointer www.leistudy.com.
100.123.168.192.in-addr.arpa domain name pointer mx1.leistudy.com.

[root@leistudy ~]# dig -x 192.168.123.100 @192.168.123.100

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> -x 192.168.123.100 @192.168.123.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34713
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;100.123.168.192.in-addr.arpa.  IN      PTR

;; ANSWER SECTION:
100.123.168.192.in-addr.arpa. 86400 IN  PTR     www.leistudy.com.
100.123.168.192.in-addr.arpa. 86400 IN  PTR     ns1.leistudy.com.
100.123.168.192.in-addr.arpa. 86400 IN  PTR     mx1.leistudy.com.

;; AUTHORITY SECTION:
123.168.192.in-addr.arpa. 86400 IN      NS      ns2.leistudy.com.
123.168.192.in-addr.arpa. 86400 IN      NS      ns1.leistudy.com.

;; ADDITIONAL SECTION:
ns1.leistudy.com.       86400   IN      A       192.168.123.100
ns2.leistudy.com.       86400   IN      A       192.168.123.101

;; Query time: 0 msec
;; SERVER: 192.168.123.100#53(192.168.123.100)
;; WHEN: Fri Mar 30 10:06:13 CST 2018
;; MSG SIZE  rcvd: 187
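The reverse zone above repeats every A record of the forward zone by hand, and reversing the network prefix is easy to get wrong. As an added example (not part of the original page), here is Python that derives the in-addr.arpa zone name from a network prefix and generates the PTR records from the forward zone file; the forward zone text is embedded as constructed input, with the SOA collapsed onto one line.

```python
import ipaddress
import re

# Constructed input: the forward zone from this page (leistudy.com.zone), with the
# SOA collapsed onto one line so the sample stays short.
FORWARD_ZONE = """\
$ORIGIN leistudy.com.
@       IN      SOA     ns1.leistudy.com. admin.leistudy.com. ( 2018032901 1H 5M 7D 1D )
        IN      NS      ns1
ns1     IN      A       192.168.123.100
ns2     IN      A       192.168.123.101
mx1     IN      A       192.168.123.100
mx2     IN      A       192.168.123.101
www     IN      A       192.168.123.100
web     IN      CNAME   www
"""

def reverse_zone_name(network):
    """'192.168.123.0/24' -> '123.168.192.in-addr.arpa' (one label per 8 prefix bits, reversed)."""
    net = ipaddress.ip_network(network, strict=True)
    if net.prefixlen % 8:
        raise ValueError("a plain in-addr.arpa zone needs a /8, /16 or /24 prefix")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def a_records(zone_text):
    """Yield (fqdn, ip) for every A record, qualifying relative owners with $ORIGIN."""
    origin = "."
    for line in zone_text.splitlines():
        line = line.split(";")[0].rstrip()            # drop zone-file comments
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = re.match(r"^(\S*)\s+IN\s+A\s+(\S+)$", line)  # SOA/NS/MX/CNAME do not match
        if m:
            owner, ip = m.groups()
            fqdn = origin if owner == "@" else (owner if owner.endswith(".") else f"{owner}.{origin}")
            yield fqdn, ip

def ptr_records(zone_text, network):
    """PTR lines for the reverse zone of `network`, owners relative to that zone's
    origin; A records outside the network are skipped (they belong elsewhere)."""
    net = ipaddress.ip_network(network, strict=True)
    keep = net.prefixlen // 8
    lines = []
    for fqdn, ip in a_records(zone_text):
        if ipaddress.ip_address(ip) in net:
            host = ".".join(reversed(ip.split(".")[keep:]))
            lines.append(f"{host:<8}IN      PTR     {fqdn}")
    return lines
```

ptr_records(FORWARD_ZONE, "192.168.123.0/24") reproduces the five PTR lines of the reverse zone above, and the CNAME for web is correctly left out.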

Master/slave replication:

# 1. The slave should be an independent name server
# 2. The master's zone database file must contain an NS record pointing to the slave
# 3. The slave only needs to define the zone; it does not supply a zone database file, and the transferred zone files should be kept in /var/named/slaves
# 4. The master must allow the slave to perform zone transfers
# 5. The clocks of master and slave should be synchronized, e.g. with ntp
# 6. The bind versions should match; otherwise the slave should run the higher version and the master the lower

# define the slave zones:
[root@ns2 ~]# ip add sh | grep ens33 | tail -1
    inet 192.168.123.101/24 brd 192.168.123.255 scope global ens33

[root@ns2 slaves]# vim /etc/named.rfc1912.zones     
zone "leistudy.com" IN {
        type slave;
        masters { 192.168.123.100; };
        file "slaves/leistudy.com.zone";
};

zone "123.168.192.in-addr.arpa" IN {
        type slave;
        masters { 192.168.123.100; };
        file "slaves/123.168.192.in-addr.arpa.zone";
};

# check whether the zone files have been transferred
[root@ns2 slaves]# cd /var/named/slaves/
[root@ns2 slaves]# ll
total 8
-rw-r--r--. 1 named named 416 Mar 30 10:44 123.168.192.in-addr.arpa.zone
-rw-r--r--. 1 named named 561 Mar 30 10:46 leistudy.com.zone

# test
[root@ns2 slaves]# host -t A www.leistudy.com 192.168.123.101
Using domain server:
Name: 192.168.123.101
Address: 192.168.123.101#53
Aliases: 

www.leistudy.com has address 192.168.123.100

[root@ns2 slaves]# host -t PTR 192.168.123.100 192.168.123.101  
Using domain server:
Name: 192.168.123.101
Address: 192.168.123.101#53
Aliases: 

100.123.168.192.in-addr.arpa domain name pointer ns1.leistudy.com.
100.123.168.192.in-addr.arpa domain name pointer mx1.leistudy.com.
100.123.168.192.in-addr.arpa domain name pointer www.leistudy.com.

II. The rndc command

rndc connects to the rndc server side, which starts together with named and listens on TCP port 953.

[root@ns2 slaves]# ss -tnl | grep ":953\b"
LISTEN     0      128    127.0.0.1:953                      *:*                  
LISTEN     0      128        ::1:953                     :::*     

# usage: rndc COMMAND
# COMMAND:
    # reload: reload the main configuration file and the zone database files
    # reload zone: reload only the zone database file, not the main configuration file
    # retransfer zone: start a zone transfer by hand, regardless of whether the serial number has increased
    # notify zone: resend the zone transfer notification for the zone
    # reconfig: reload the main configuration file
    # querylog: turn query logging on or off
    # trace: increase the debug level by one
    # trace [LEVEL]: set the debug level to LEVEL