• 【Linux】DNS服务BIND基础配置


    1、BIND简介

    现在使用最为广泛的DNS服务器软件是BIND(Berkeley Internet Name Domain),最早有伯克利大学的一名学生编写,现在最新的版本是9,有ISC(Internet Systems Consortium)编写和维护。

    BIND支持先今绝大多数的操作系统(Linux,UNIX,Mac,Windows)

    BIND服务的名称称之为named

    DNS默认使用UDP、TCP协议,使用端口为53(domain),953(mdc,远程控制使用)

    2、BIND安装

    [root@20liuzhenchao ~]# yum install -y bind bind-chroot bind-utils
    已加载插件:product-id, search-disabled-repos, subscription-manager
    This system is not registered with an entitlement server. You can use subscription-manager to register.
    base                                                                                                                                                                | 3.6 kB  00:00:00     
    centosplus                                                                                                                                                          | 3.4 kB  00:00:00     
    epel                                                                                                                                                                | 4.7 kB  00:00:00     
    extras                                               libselinux.x86_64 0:2.5-14.1.el7         libselinux-python.x86_64 0:2.5-14.1.el7         libselinux-utils.x86_64 0:2.5-14.1.el7          libsemanage.x86_64 0:2.5-14.el7              
      libsepol.x86_64 0:2.5-10.el7             policycoreutils.x86_64 0:2.5-29.el7_6.1        
    
    完毕!

    3、BIND配置

    3.1、BIND配置文件保存在两个位置:

    • /etc/named.conf  - BIND服务主配置文件
    • /var/named/    - zone文件(域的dns信息)

    如果安装了bind-chroot(其中chroot是 change root 的缩写),BIND会被封装到一个伪根目录内,配置文件的位置变为:

    • /var/named/chroot/etc/named.conf   -BIND服务主配置文件
    • /var/named/chroot/var/named/    - zone文件

    chroot是通过相关文件封装在一个伪根目录内,已达到安全防护的目的,一旦程序被攻破,将只能访问伪根目录内的内容,而不是真实的根目录

    3.2、BIND安装好之后不会有预制的配置文件,但是在BIND的文档文件夹内(/usr/share/doc/bind-9.9.4),BIND为我们提供了配置文件模板,我们可以直接拷贝过来:

    [root@20liuzhenchao ~]# cp -r /usr/share/doc/bind-9.9.4/sample/etc/* /var/named/chroot/etc/
    [root@20liuzhenchao ~]# cp -r /usr/share/doc/bind-9.9.4/sample/var/* /var/named/chroot/var/

    3.3、配置BIND服务的主配置文件(/var/named/chroot/etc/named.conf),命令:vim /var/named/chroot/etc/named.conf;

    内容很多使用简单配置,删除文件中logging以下的全部内容,以及option中的部分内容,得到如下配置

     

    [root@20liuzhenchao ~]# vim /var/named/chroot/etc/named.conf
     Sample named.conf BIND DNS server 'named' configuration file
     for the Red Hat BIND distribution.
    
     See the BIND Administrator's Reference Manual (ARM) for details about the
     configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
    */
    
    options
    {
            // Put files that named is allowed to write in the data/ directory:
            directory               "/var/named";           // "Working" directory
    
            //listen-on port 53     { any; };
            listen-on port 53       { 127.0.0.1; };
    
            //listen-on-v6 port 53  { any; };
            listen-on-v6 port 53    { ::1; };
    
    };

    3.4、在主配置文件(/var/named/chroot/etc/named.conf )中加入,zone参数

    [root@20liuzhenchao ~]# vim /var/named/chroot/etc/named.conf
    
     See the BIND Administrator's Reference Manual (ARM) for details about the
     configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
    */
    
    options
    {
            // Put files that named is allowed to write in the data/ directory:
            directory               "/var/named";           // "Working" directory
    
            //listen-on port 53     { any; };
            listen-on port 53       { 127.0.0.1; };
    
            //listen-on-v6 port 53  { any; };
            listen-on-v6 port 53    { ::1; };
    
    };
    
    zone "example.net" {
            type master;
            file "example.net.zone";
    };

    ~

    3.5、新建example.net.zone文件,example.net的域名解析文件,zone文件放在/var/named/chroot/var/named/下,zone文件可以已/var/named/chroot/var/named/named.localhost为模板。

    [root@0liuzhenchao ~]# cp /var/named/chroot/var/named/named.localhost /var/named/chroot/var/named/example.net.zone
    [root@0liuzhenchao ~]# ls /var/named/chroot/var/named/
    data  example.net.zone  my.external.zone.db  my.internal.zone.db  named.ca  named.empty  named.localhost  named.loopback  slaves

    文件example.net.zone的内容如下:

    [root@20liuzhenchao named]# vim example.net.zone
    $TTL 1D
    @       IN SOA  @ rname.invalid. (
                                            0       ; serial
                                            1D      ; refresh
                                            1H      ; retry
                                            1W      ; expire
                                            3H )    ; minimum
            NS      @
            A       127.0.0.1
            AAAA    ::1
    www     IN A    192.168.0.168

     

    3.6、禁用bind默认方式启动,改用bind-chroot方式启动。命令如下:

    [root@20liuzhenchao named]# /usr/libexec/setup-named-chroot.sh /var/named/chroot on
    [root@20liuzhenchao named]# systemctl stop named
    [root@20liuzhenchao named]# systemctl disable named
    [root@20liuzhenchao named]# systemctl start named-chroot
    [root@20liuzhenchao named]#  systemctl enable named-chroot
    Created symlink from /etc/systemd/system/multi-user.target.wants/named-chroot.service to /usr/lib/systemd/system/named-chroot.service.

    3.7、查看是否启动,命令:ps -ef|grep named

    [root@0liuzhenchao named]# ps -ef |grep named
    named      5904      1  0 06:19 ?        00:00:00 /usr/sbin/named -u named -c /etc/named.conf -t /var/named/chroot
    root       6007   1392  0 06:21 pts/0    00:00:00 grep --color=auto named

     

    3.8、测试DNS服务,本例在本机上测试,也可在其他电脑上测试,修改DNS服务的ip地址即可(命令:vim /etc/resolv.conf ),然后使用命令dig(命令:dig www.example.net)测试

    [root@20liuzhenchao ~]# vim /etc/resolv.conf
    # Generated by NetworkManager
    #nameserver 114.114.114.114
    nameserver 127.0.0.1
    
    //测试结果:
    [root@20liuzhenchao ~]# dig www.example.net
    
    ; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> www.example.net
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59100
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;www.example.net.		IN	A
    
    ;; ANSWER SECTION:
    www.example.net.	86400	IN	A	192.168.0.168 //域名解析的IP地址
    
    ;; AUTHORITY SECTION:
    example.net.		86400	IN	NS	example.net.
    
    ;; ADDITIONAL SECTION:
    example.net.		86400	IN	A	127.0.0.1
    example.net.		86400	IN	AAAA	::1
    
    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    //DNS服务器地址
    ;; WHEN: 501 06:29:56 CST 2019
    ;; MSG SIZE  rcvd: 118

     

    注:非本机测试需要修改主配置文件named.conf,允许任何ip访问,然后重启服务器

  • 相关阅读:
    创建FLASK,同步docker
    FLASK Buleprint
    restful api
    Angular JS
    线程日志
    将项目部署到linux下的docker容器中
    安装和卸载docker
    学习目录总编
    Ansible
    装饰器
  • 原文地址:https://www.cnblogs.com/liuzhenchao/p/10798404.html
Copyright © 2020-2023  润新知