

    CentOS6 DNS配置实例及详解
    操作系统:CentOS 6.2
    BIND版本:BIND 9.7.3-P3-RedHat-9.7.3-8.P3.el6

    ################################################
    相关配置文件
    ################################################
    /etc/named.conf            主配置文件
    /etc/named.rfc1912.zones    主要定义zone
    /etc/sysconfig/named        定义chroot
    ################################################
    1.安装包
    bind
    bind-chroot
    bind-devel
    bind-utils
    bind-libs

    #################################################
    2.常用配置语句
    /*注释*/        C语言风格
    //注释            C++
    #注释            UNIX和Perl风格
    options            全局配置选项和默认参数
    view            定义一个视图
    zone            定义一个区域
    logging            日志和信息来源
    acl            访问控制列表
    include            加载文件
    key            识别和授权的密钥信息
    server            服务器参数
    trusted-key        信任的DNSSEC密钥
    type            定义区域类型
    file            指定一个区域文件
    directory        指定区域文件目录
    forwarders        转发到的DNS服务器
    masters            主服务器
    allow-transfer        指定传送主机
    allow-query        允许进行查询的主机
    notify            主区域数据发生变化时允许通知从服务器
    ##################################################
    options {
        listen-on port 53 { 127.0.0.1; 192.168.100.2; 58.195.172.229; };
    //    listen-on-v6 port 53 { ::1; };
        directory     "/var/named";
        dump-file     "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { 192.168.100.0/24; };
        recursion yes;
    //    forwarders    { 168.95.1.1; 192.168.100.1; }; #将DNS服务器收到的查询请求转发到其他的域名服务器上,通常是一个IP地址列表。
    //    forward        ( only|first; );
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

       
        bindkeys-file "/etc/named.iscdlv.key";
    };
    acl acl_name {
        any|none|localhost|localnets;
    };
    acl "internal" {
        192.168.100.0/24;
    };

    server    192.168.100.1 {
        bogus yes|no;
        provide-ixfr yes|no;
        request-ixfr yes|no;
        support-ixfr yes|no;
        edns yes|no;
        transfers number;
        transfer-format one-answer|many-answers;
        keys { key-id;key-id;... };
    };

    controls {
        inet 192.168.100.1 allow { address_match_list } keys { key_list };
        };

    view    view-name {
        match-clients { address_match_list };
        view_option;
        zone-statement;
        };

    logging {
            channel default_debug {
                    file "data/named.run";
                    severity dynamic;
            };
    };

    view "localhost" {
        match-clients { localhost; };
        match-destinations { localhost; };
        recursion yes;

    zone "." IN {
        type hint;
        file "named.ca";
    };

    zone "." IN {
        type hint;
        file "named.ca";
    };

    zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
    };

    zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
    };

    zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
    };

    zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
    };

    zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
    };

    };
    ///////////////////////////////////////////////////////////////////

    //本地网络

    view "internal" {
        match-clients { localnets; };
        match-destinations { localnets; };
        recursion yes;

    zone "jlive.com" IN {
        type master;
        file "jlive.com";
        allow-transfer { 192.168.100.1; };
        update-policy { grant web name web.jlive.com. A; };
        };

    zone "100.168.192.in-addr.arpa" IN {
        type master;
        file "100.168.192.zone";
        allow-transfer { 192.168.100.1; };
        };

    //zone "jlive.com" IN {
    //    type slave;
    //    file "jlive.com";
    //    masters { 192.168.100.1; };
    //    };
    //zone "100.168.192.in-addr.arpa" IN {
    //    type slave;
    //    file "100.168.192.zone";
    //    masters { 192.168.100.1; };
    //    };

    };

    include "/etc/named.rfc1912.zones";

    # Use with the following in named.conf, adjusting the allow list as needed:
    #RNDC远程管理DNS
    1.检查已经存在于DNS缓存中的资料
    2.重新更新某个zone而不需重新启动整个DNS
    3.检查DNS状态与统计资料

    建立RNDC KEY的相关数据
    执行rndc-confgen,将输出贴到rndc.conf文件中

    # Start of rndc.conf
    key "rndc-key" {
        algorithm hmac-md5;
        secret "PqS2wtxdK3hWhF4FPP71Ng==";
    };

    options {
        default-key "rndc-key";
        default-server 127.0.0.1;
        default-port 953;
    };
    将以下输出贴到named.conf中
    # End of rndc.conf
    key "rndc-key" {
         algorithm hmac-md5;
         secret "PqS2wtxdK3hWhF4FPP71Ng==";
    };

    controls {
         inet 127.0.0.1 port 953
             allow { 127.0.0.1; } keys { "rndc-key"; };
    };
    修改权限
    chmod 640 /etc/rndc.conf
    chown root.named /etc/rndc.conf

    架设动态DNS主机
    cd /var/named/chroot/etc/pki/dnssec-keys
    dnssec-keygen -a HMAC-MD5 -b 128 -n HOST web

    #dnssec-keygen
    key "web" {
        algorithm hmac-md5;
        secret "YajpQJPNSk+S33Yp1HxQxA==";
    };

    vi /etc/named.rfc1912.zones
    zone "****" {
        type
        file
        allow-transfer
        update-policy {
        grant web name web.jlive.com. A;
        };
    }


    cd /var/named/chroot/etc/pki/dnssec-keys
    nsupdate -k Kweb.+157+50096.key

    >server    192.168.100.2
    >update    delete web.jlive.com
    >update add web.jlive.com 600 A 192.168.100.1
    >send
    >^D

    自动更新脚本
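    #!/bin/bash
    #
    # Re-point web.jlive.com at the current IPv4 address of the outbound
    # interface via a signed dynamic update (nsupdate with the "web" TSIG key).
    #
    # The key file grants "update web.jlive.com A" rights on the zone (see the
    # update-policy in named.rfc1912.zones), so it should be readable only by
    # the account that runs this script.
    set -euo pipefail
    # PATH is pinned so the script behaves the same under cron's minimal PATH.
    export PATH=/usr/lib/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin

    readonly basedir="/var/named/chroot/etc/pki/dnssec-keys"
    readonly key="${basedir}/Kweb.+157+50096.key"
    readonly ttl=600
    readonly outif="eth0"
    readonly hostname="web.jlive.com"
    readonly servername="192.168.100.2"

    #######################################
    # Print a diagnostic to stderr and exit non-zero.
    # Arguments: $* - message
    #######################################
    die() {
      printf '%s: %s\n' "$0" "$*" >&2
      exit 1
    }

    #######################################
    # Print the first IPv4 address reported by net-tools ifconfig for an
    # interface; prints nothing (and still returns 0) if none is found, so the
    # caller can validate the result itself.
    # Arguments: $1 - interface name
    # Outputs:   dotted-quad address on stdout, or empty
    #######################################
    iface_ipv4() {
      # grep returns 1 when the interface has no 'inet addr' line; under
      # pipefail that would abort the script, hence the trailing '|| true'.
      ifconfig "$1" 2>/dev/null \
        | grep 'inet addr' \
        | gawk '{print $2}' \
        | sed -e 's/addr://' \
        | head -n 1 || true
    }

    main() {
      local newip
      local -r ip_re='^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'

      newip=$(iface_ipv4 "$outif")

      # The original check was grep '_[0-9]', which can never match an
      # address and so always aborted; require a full dotted quad instead.
      if [[ ! "$newip" =~ $ip_re ]]; then
        die "the interface can't connect internet..."
      fi

      [[ -r "$key" ]] || die "cannot read key file ${key}"
      cd "$basedir" || die "cannot cd to ${basedir}"

      # Feed the update to nsupdate on stdin instead of leaving a tmp.txt
      # behind in the key directory; -v keeps the original TCP transport.
      printf '%s\n' \
        "server ${servername}" \
        "update delete ${hostname} A" \
        "update add ${hostname} ${ttl} A ${newip}" \
        "send" \
        | nsupdate -k "$key" -v
    }

    main "$@"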

    ###################################################
    区域类型及其说明
    master        主DNS
    slave        从DNS
    forward        转发
    stub        与从DNS类似,但只保留DNS服务器名称
    hint        根域名服务器
    ##################################################


    ##################################################
    常用资源记录类型
    TTL    time to live ,允许客户端缓存所查询的数据的时间
    A    映射主机名到IP地址
    NS    域名服务器
    SOA    start of authority 授权开始记录
    CNAME    canonical name 别名,将多个名称映射到同一台计算机上
    PTR    pointer,指针记录,用于映射IP地址到主机名
    WKS    已知的服务描述
    RP    文本字符串,包含相关主机的连接点信息
    HINFO    host information
    MINFO    电子信箱或邮件列表信息
    MX    mail exchanger ,指向一个邮件服务器
    TXT     文本字符串
    ##################################################
    2.vi /etc/named.conf

    listen-on port 53 { any; };

    vi /etc/named.rfc1912.zones

    zone "jlive.com" IN {
        type master;
        file "jlive.com";
        allow-transfer { 192.168.100.1; };
        update-policy { grant web name web.jlive.com. A; };
        };

    zone "100.168.192.in-addr.arpa" IN {
        type master;
        file "100.168.192.zone";
        allow-transfer { 192.168.100.1; };
        };
    ##################################################
    正向解析

    $TTL 3D
    @    IN SOA    ct6.jlive.com.  liujun_ok.hotmail.com. (
                        20120504; serial
                        1D    ; refresh
                        1H    ; retry
                        1W    ; expire
                        3H )    ; minimum

          IN    NS    dns.ct6.jlive.com.
    dns        IN    A    192.168.100.2
    ftp        IN    A    192.168.100.2
    www        IN    A    192.168.100.2
    *          IN    A    192.168.100.2 ;泛域名解析
    @          IN    A    192.168.100.2 ;直接解析
    mail        IN    MX  10  mail.ct6.jlive.com.
    mail        IN    MX  12  mail2
          IN    MX     linux

    jun        IN    CNAME    dns
    xiao        IN    CNAME    dns

    sun        IN    TXT    "The sun solaris OS"
    sun        IN    HINFO    "Celeron 1G""solaris 10"

    ##################################################
    反向解析
    $TTL 3D
    @    IN SOA    ct6.jlive.com.  liujun_ok.hotmail.com. (
                        20120504; serial
                        1D    ; refresh
                        1H    ; retry
                        1W    ; expire
                        3H )    ; minimum

          IN    NS    dns.ct6.jlive.com.
          IN    PTR    dns.ct6.jlive.com.
          IN    PTR    www.sunrun.com.
          IN    PTR    www.lei.com.
          IN    PTR    www.ang.com.
          IN    PTR    www.yue.com.

    ##################################################

    以下分别是 named.conf 和 named.rfc1912.zones 的内容
    ############
    named.conf
    ############
    //
    // named.conf
    //
    // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
    // server as a caching only nameserver (as a localhost DNS resolver only).
    //
    // See /usr/share/doc/bind*/sample/ for example named configuration files.
    //

    options {
        listen-on port 53 { any; };
    //    listen-on-v6 port 53 { ::1; };
        directory     "/var/named";
        dump-file     "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { 192.168.100.0/24; };
        recursion yes;
    //    forwarders    { 168.95.1.1; };
    //    forward        ( only|first; );
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

       
        bindkeys-file "/etc/named.iscdlv.key";

    };

    logging {
            channel default_debug {
                    file "data/named.run";
                    severity dynamic;
            };
    };



    # Use with the following in named.conf, adjusting the allow list as needed:
    key "rndc-key" {
         algorithm hmac-md5;
         secret "PqS2wtxdK3hWhF4FPP71Ng==";
    };

    controls {
         inet 127.0.0.1 port 953
             allow { 127.0.0.1; } keys { "rndc-key"; };
    };
    # End of named.conf

    #dnssec-keygen
    key "web" {
        algorithm hmac-md5;
        secret "YajpQJPNSk+S33Yp1HxQxA==";
    };

    include "/etc/named.rfc1912.zones";


    ############
    named.rfc1912.zones
    ############

    // named.rfc1912.zones:
    //
    // Provided by Red Hat caching-nameserver package
    //
    // ISC BIND named zone configuration for zones recommended by
    // RFC 1912 section 4.1 : localhost TLDs and address zones
    // and http://www.ietf.org/internet-dra ... -local-zones-02.txt
    // (c)2007 R W Franks
    //
    // See /usr/share/doc/bind*/sample/ for example named configuration files.
    //
    //本机

    zone "." IN {
        type hint;
        file "named.ca";
    };

    zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
    };

    zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
    };

    //zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
    //    type master;
    //    file "named.loopback";
    //    allow-update { none; };
    //};

    zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
    };

    zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
    };

    ///////////////////////////////////////////////////////////////////

    //本地网络

    zone "jlive.com" IN {
        type master;
        file "jlive.com";
        allow-transfer { 192.168.100.1; };
        update-policy { grant web name web.jlive.com. A; };
        };

    zone "100.168.192.in-addr.arpa" IN {
        type master;
        file "100.168.192.zone";
        allow-transfer { 192.168.100.1; };
        };

    //zone "jlive.com" IN {
    //    type slave;
    //    file "jlive.com";
    //    masters { 192.168.100.1; };
    //    };
    //zone "100.168.192.in-addr.arpa" IN {
    //    type slave;
    //    file "100.168.192.zone";
    //    masters { 192.168.100.1; };
    //    };
  • 原文地址:https://www.cnblogs.com/lixuebin/p/10814667.html