• bind 9.16.24 最新稳定版本编译安装


    isc bind: https://www.linuxfromscratch.org/blfs/view/svn/server/bind.html

    博客:  https://www.root101.net/how-to-build-bind

    rndc 工具 : https://tecadmin.net/configure-rndc-for-bind9/

    配置参考 :  https://www.cyberpunk.rs/bind-compile-and-setup-with-dnstap-v9-1x

    用户手册:  https://bind9.readthedocs.io/en/latest/reference.html?highlight=secondary#options

    前言:

      为了处理在centos 7 最小化安装版本上编译安装bind

    1.解决依赖问题

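    # 1. Resolve build dependencies. The RPMs are only downloaded here so the
    #    same set can be reused on an offline CentOS 7 minimal host.
    # --downloaddir is an absolute path, so the directory is created with an
    # absolute path as well (the original `mkdir bind_source` created it
    # relative to the current directory instead).
    mkdir -p /bind_source
    # "zlib" — the original listed "zlip", a package name yum cannot resolve.
    yum install --downloadonly --downloaddir=/bind_source/ wget gcc gcc-c++ automake pcre pcre-devel zlib zlib-devel openssl openssl-devel libuv
    yum install --downloadonly --downloaddir=/bind_source/ audit-libs-python bind-libs checkpolicy libcgroup libsemanage-python policycoreutils-python python-IPy python-ply setools-libs
    # EPEL is enabled before the last download (presumably libuv-devel needs it).
    yum install -y epel-release
    yum install --downloadonly --downloaddir=/bind_source/ libuv libuv-devel libcap-devel
    cd /bind_source/ || exit 1
    # --force makes rpm overwrite packages that are already installed and skips
    # its conflict checks, so review the package set before running this.
    # `yum localinstall -y *.rpm` resolves dependencies and is the safer choice
    # when the host is online.
    rpm -ivh *.rpm --force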
    

    2.编译安装,全部都安装在一个目录下

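    # 2. Configure and build BIND into a single prefix (/opt/dns).
    # Keep the option list contiguous. A `#` line inside a backslash-continued
    # command ends the continuation: the original effectively ran ./configure
    # with --prefix only, then tried to execute "--disable-static" as a command,
    # and the trailing backslash after --with-openssl glued "make && make install"
    # onto the configure line.
    # With only --prefix given, sysconfdir defaults to /opt/dns/etc and
    # localstatedir to /opt/dns/var; by default rndc reads its configuration
    # from ${sysconfdir}/rndc.conf, i.e. /opt/dns/etc/rndc.conf, so generate
    # rndc.conf there. Uncomment the options below to change those locations.
    ./configure --prefix=/opt/dns \
                --disable-static \
                --with-openssl
    #           --sysconfdir=/etc
    #           --localstatedir=/var
    #           --mandir=/usr/share/man
    #           --with-libtool
    make && make install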
    [root@localhost ]#
    cat /etc/profile.d/bind9.sh
    BIND_BIN=/opt/dns/bin
    BIND_SBIN=/opt/dns/sbin
    PATH=$PATH:$BIND_BIN:$BIND_SBIN
    export PATH
    [root@localhost ]#source   /etc/profile.d/bind9.sh
     

    3.创建用户。在 /opt/dns/etc 目录下有个 named 目录, 里面应该放 zone 文件: slave 放辅助 zone 文件, pz 放反向 zone 文件

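    # 3. Service account and zone-data directories.
    # Only the directories named must write to are handed to the named user.
    # The install prefix /opt/dns (bin/, sbin/) stays root-owned: the original
    # chowned all of /opt/dns to named, which would let a compromised named
    # process rename or replace its own binaries, which root then re-executes
    # on the next service start.
    groupadd -g 20 named &&
    useradd -c "BIND Owner" -g named -s /bin/false -u 20 named
    # etc/named is the working directory set by "directory" in named.conf;
    # named writes named.run there, and slave/ holds the secondary zone files.
    install -d -m 750 -o named -g named /opt/dns/etc/named
    install -d -m 770 -o named -g named /opt/dns/etc/named/slave /opt/dns/etc/named/pz
    # dev/ is only needed for the chroot (-t /opt/dns) variant of the unit file.
    install -d -m 755 /opt/dns/dev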

    4.配置rndc 

    [root@localhost /]# cd /opt/dns
    [root@localhost /]# rndc-confgen >> rndc.conf
    [root@localhost /]# ls
    [root@localhost /]# cat rndc.conf 
    # Start of rndc.conf
    key "rndc-key" {
        algorithm hmac-sha256;
        secret "ifgn0ZDNI8FN1NVqgGIx8+UFza/DoIQLvPds0vELH4E=";
    };
    
    options {
        default-key "rndc-key";
        default-server 127.0.0.1;
        default-port 953;
    };
    # End of rndc.conf
    
    # Use with the following in named.conf, adjusting the allow list as needed:
    # key "rndc-key" {
    #     algorithm hmac-sha256;
    #     secret "ifgn0ZDNI8FN1NVqgGIx8+UFza/DoIQLvPds0vELH4E=";
    # };
    # 
    # controls {
    #     inet 127.0.0.1 port 953
    #         allow { 127.0.0.1; } keys { "rndc-key"; };
    # };
    # End of named.conf
    [root@localhost /]# 

    5.默认没有 named.conf 配置文件,在这里注意目录是chroot 后的目录,也就是/opt/dns/ 下的目录

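    # 5. Create named.conf. The unit file in step 9 starts named without -t
    #    (no chroot), so every path in here is an absolute host path — the
    #    step 9 note says the same. ">" instead of ">>": the file does not
    #    exist yet, and appending a second options{} block on a re-run would
    #    make named reject the configuration.
    cat > /opt/dns/etc/named.conf << "EOF"
    options {
        // Working directory; relative file names below resolve against it.
        // Without a chroot "/etc/named" would point outside /opt/dns.
        directory "/opt/dns/etc/named";
        // NOTE(review): /var/run is root-owned on CentOS 7 — confirm the named
        // user can create these two files, or move them to a directory it owns.
        pid-file "/var/run/named.pid";
        statistics-file "/var/run/named.stats";
        // No listen-on, allow-query or allow-recursion is set, so named's
        // built-in defaults apply; restrict them before this server is
        // reachable from anything other than localhost.
    };
    zone "." {
        type hint;
        file "root.hints";
    };
    zone "0.0.127.in-addr.arpa" {
        type master;
        file "pz/127.0.0";
    };
    
    // Bind 9 now logs by default through syslog (except debug).
    // These are the default logging rules.
    
    logging {
        category default { default_syslog; default_debug; };
        category unmatched { null; };
    
      channel default_syslog {
          syslog daemon;                      // send to syslog's daemon
                                              // facility
          severity info;                      // only send priority info
                                              // and higher
      };
    
      channel default_debug {
          file "named.run";                   // write to named.run in
                                              // the working directory
                                              // Note: stderr is used instead
                                              // of "named.run"
                                              // if the server is started
                                              // with the '-f' option.
          severity dynamic;                   // log at the server's
                                              // current debug level
      };
    
      channel default_stderr {
          stderr;                             // writes to stderr
          severity info;                      // only send priority info
                                              // and higher
      };
    
      channel null {
          null;                               // toss anything sent to
                                              // this channel
      };
    };
    EOF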

    6.创建 localhost 反向 zone

    # 6. Reverse zone for 127.0.0.0/24, so PTR lookups for localhost are
    #    answered locally. Written as root; named only needs read access.
    #    The quoted delimiter keeps $TTL from being expanded by the shell.
    cat <<'EOF' >/opt/dns/etc/named/pz/127.0.0
    $TTL 3D
    @      IN      SOA     ns.local.domain. hostmaster.local.domain. (
                            1       ; Serial
                            8H      ; Refresh
                            2H      ; Retry
                            4W      ; Expire
                            1D)     ; Minimum TTL
                    NS      ns.local.domain.
    1               PTR     localhost.
    EOF

    7.创建 root.hints 文件,这个文件是任何dns 都要有的文件,在没有forward 转发器dns 时,默认会向这些dns 进行递归解析

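    # 7. Root hints: where recursion starts when no forwarder is configured.
    #    Root server addresses do change (B.ROOT-SERVERS.NET moved its IPv4
    #    address in 2017; the original copy still had the old one), so refresh
    #    this file from https://www.internic.net/domain/named.root rather than
    #    copying it from a blog post.
    cat > /opt/dns/etc/named/root.hints << "EOF"
    ; Root name servers. Re-fetch from https://www.internic.net/domain/named.root
    ; periodically; B.ROOT-SERVERS.NET IPv4 updated to 199.9.14.201 (2017).
    .                       6D  IN      NS      A.ROOT-SERVERS.NET.
    .                       6D  IN      NS      B.ROOT-SERVERS.NET.
    .                       6D  IN      NS      C.ROOT-SERVERS.NET.
    .                       6D  IN      NS      D.ROOT-SERVERS.NET.
    .                       6D  IN      NS      E.ROOT-SERVERS.NET.
    .                       6D  IN      NS      F.ROOT-SERVERS.NET.
    .                       6D  IN      NS      G.ROOT-SERVERS.NET.
    .                       6D  IN      NS      H.ROOT-SERVERS.NET.
    .                       6D  IN      NS      I.ROOT-SERVERS.NET.
    .                       6D  IN      NS      J.ROOT-SERVERS.NET.
    .                       6D  IN      NS      K.ROOT-SERVERS.NET.
    .                       6D  IN      NS      L.ROOT-SERVERS.NET.
    .                       6D  IN      NS      M.ROOT-SERVERS.NET.
    A.ROOT-SERVERS.NET.     6D  IN      A       198.41.0.4
    A.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:503:ba3e::2:30
    B.ROOT-SERVERS.NET.     6D  IN      A       199.9.14.201
    B.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:500:200::b
    C.ROOT-SERVERS.NET.     6D  IN      A       192.33.4.12
    C.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:500:2::c
    D.ROOT-SERVERS.NET.     6D  IN      A       199.7.91.13
    D.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:500:2d::d
    E.ROOT-SERVERS.NET.     6D  IN      A       192.203.230.10
    E.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:500:a8::e
    F.ROOT-SERVERS.NET.     6D  IN      A       192.5.5.241
    F.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:500:2f::f
    G.ROOT-SERVERS.NET.     6D  IN      A       192.112.36.4
    G.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:500:12::d0d
    H.ROOT-SERVERS.NET.     6D  IN      A       198.97.190.53
    H.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:500:1::53
    I.ROOT-SERVERS.NET.     6D  IN      A       192.36.148.17
    I.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:7fe::53
    J.ROOT-SERVERS.NET.     6D  IN      A       192.58.128.30
    J.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:503:c27::2:30
    K.ROOT-SERVERS.NET.     6D  IN      A       193.0.14.129
    K.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:7fd::1
    L.ROOT-SERVERS.NET.     6D  IN      A       199.7.83.42
    L.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:500:9f::42
    M.ROOT-SERVERS.NET.     6D  IN      A       202.12.27.33
    M.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:dc3::35
    EOF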

     8.将 rndc.conf 文件中的 key 段(以及对应的 controls 段)添加到 named.conf 文件中, 保证两边的 key 名和 secret 一致

    key "rndc-key" {
        algorithm hmac-sha256;
        secret "nk3U0+86Joa8SCty/AWQp1Oy0HF+odOmNyhFSKkmcTg=";
    };
    # Start of rndc.conf
    key "rndc-key" {
        algorithm hmac-sha256;
        secret "nk3U0+86Joa8SCty/AWQp1Oy0HF+odOmNyhFSKkmcTg=";
    };
    
     controls {
         inet 127.0.0.1 port 953
             allow { 127.0.0.1; } keys { "rndc-key"; };
     };
    # End of named.conf

    9.添加系统systemctl 守护进程

    [root@localhost etc]# cat /usr/lib/systemd/system/named.service 
    [Unit]
    Description=Berkeley Internet Name Domain (DNS)
    After=network.target
    
    [Service]
    Type=forking
    ExecStart=/opt/dns/sbin/named -4  -u named -c /opt/dns/etc/named.conf
    #ExecStart=/opt/dns/sbin/named -4  -u named -t /opt/dns  -c /etc/named.conf   
    #这里没有使用,当我用-t 指定 chroot 目录时有点问题,忘记啥问题了,因此在named.conf 文件指定目录时也应该全量路径,上面的只是copy 的
    ExecReload=/opt/dns/sbin/rndc reload
    ExecStop=/opt/dns/sbin/rndc stop
    
    [Install]
    WantedBy=multi-user.target
    [root@localhost etc]#

    10.启动

    [root@localhost etc]# systemctl start named
    [root@localhost etc]# rndc status
    version: BIND 9.16.24 (Extended Support Version) <id:93e3098>
    running on localhost.localdomain: Linux x86_64 3.10.0-957.el7.x86_64 #1 SMP Thu Nov 8 23:39:32 UTC 2018
    boot time: Tue, 11 Jan 2022 22:16:35 GMT
    last configured: Tue, 11 Jan 2022 22:37:13 GMT
    configuration file: /opt/dns/etc/named.conf
    CPUs found: 1
    worker threads: 1
    UDP listeners per interface: 1
    number of zones: 103 (99 automatic)
    debug level: 0
    xfers running: 0
    xfers deferred: 0
    soa queries in progress: 0
    query logging is ON
    recursive clients: 0/900/1000
    tcp clients: 0/150
    TCP high-water: 0
    server is up and running
    [root@localhost etc]# 

    11.注意事项

    在9.16.24 版本中没有了dnssec-enable  这个参数,默认开启了 dnssec-validation yes

    // dnssec-enable yes;   这个参数无了 ,加了报错
    // dnssec-validation yes;  这个默认开启,你不显式禁用它就是开启的,在 dns 解析时会额外查询上级域的 DS 记录(见下方抓包)
       dnssec-validation no;  #所以在不使用 dnssec 时要设为 no
    DS 43 RFC 4034 委托签发者 此记录用于鉴定DNSSEC已授权区域的签名密钥。
    开启后解析这样: 查域 的签名授权
    06:32:37.423733 IP gateway.55369 > localhost.localdomain.domain: 34830+ [1au] A? www.baidu.com. (54)
    06:32:37.424363 IP localhost.localdomain.60092 > public1.114dns.com.domain: 2004+% [1au] A? www.baidu.com. (54)
    06:32:37.458952 IP public1.114dns.com.domain > localhost.localdomain.60092: 2004 3/0/1 CNAME www.a.shifen.com., A 110.242.68.3, A 110.242.68.4 (101)
    06:32:37.459336 IP localhost.localdomain.51420 > public1.114dns.com.domain: 23319+% [1au] DS? com. (44)
  • 原文地址:https://www.cnblogs.com/zy09/p/15795097.html