Setting up a DNS server on CentOS (installation, configuration, testing)

2023-06-25  by 浊世翩翩佳公子

[TOC]

I. Installing and starting the BIND service

1. Install BIND

yum -y install bind*

2. Start the DNS service

# CentOS 6:
service named start
# Start at boot:
# register the named service with chkconfig
chkconfig --add named
# enable named at boot
chkconfig named on
# disable start at boot
chkconfig named off
# check the result
chkconfig --list | grep named

# CentOS 7:
systemctl start named.service
# enable at boot
systemctl enable named

3. Check the named process

ps -eaf | grep named

4. Verify that port 53 is listening

netstat -an | grep 53

5. Open the port:

# firewalld
firewall-cmd --zone=public --add-port=53/tcp --permanent
firewall-cmd --zone=public --add-port=53/udp --permanent
firewall-cmd --reload

# iptables: add these two rules to the rules file
vi /etc/sysconfig/iptables
-I INPUT -p tcp --dport 53 -j ACCEPT
-I INPUT -p udp --dport 53 -j ACCEPT

service iptables restart
iptables -L -n

II. DNS service configuration files

1. The named.conf configuration file

(1) Location

Main configuration file:

/etc/named.conf

/etc/named.conf pulls in further files through its include statements.

Zone data files:

/var/named/

They are usually named ZONE_NAME.zone.

(2) Format

# global options
options{...}
# logging
logging{...}
# zone definitions
zone{...}

(3) Back up

cp -p /etc/named.conf /etc/named.conf.bak

(4) Edit

vim /etc/named.conf

Contents after editing:

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { any; };         # listen on every IPv4 address
        listen-on-v6 port 53 { any; };  # listen on every IPv6 address
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };       # accept queries from any client

        /* 
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable 
           recursion. 
         - If your recursive DNS server has a public IP address, you MUST enable access 
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification 
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface 
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
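The options block above listens on every address, accepts queries from anyone and leaves recursion on; as the comment embedded in the file warns, that combination is an open recursive resolver that can be abused for amplification. The Python script below is an added example, not part of the original post or of BIND: it parses the options block (handling all three named.conf comment styles and nested braces), applies BIND 9's default fallback chain for allow-recursion (allow-query-cache, then allow-query, then localnets/localhost), and flags a configuration that recurses for any client. The two embedded configurations are constructed; the acl name `trusted`, the 10.10.8.0/24 range and the 10.10.8.1 listener address are hypothetical.

```python
import re

# Constructed snippets for this example, modelled on the options block in the
# text; they are not copied from a live server.
WEAK_OPTIONS = """
options {
        listen-on port 53 { any; };         # listens on every IPv4 address
        allow-query     { any; };           # any client may query
        /* recursion is on and nothing narrows it,
           so this is an open recursive resolver */
        recursion yes;
        dnssec-validation yes;
};
"""

# Hardened variant: recursion only for the (hypothetical) internal network,
# and the listener pinned to the server's own (hypothetical) address.
HARDENED_OPTIONS = """
acl "trusted" { 127.0.0.1; 10.10.8.0/24; };
options {
        listen-on port 53 { 10.10.8.1; };
        allow-query     { any; };           # authoritative answers stay public
        allow-recursion { trusted; };
        recursion yes;
        dnssec-validation yes;
};
"""


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def block_body(text, name):
    """Return the text between the braces of the top-level `name { ... }` block."""
    m = re.search(r"\b%s\s*\{" % re.escape(name), text)
    if not m:
        return None
    depth = 1
    for i in range(m.end(), len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[m.end():i]
    raise ValueError("unbalanced braces in %s block" % name)


def statements(body):
    """Split a block body into statements at the ';' characters at brace depth 0."""
    out, cur, depth = [], [], 0
    for ch in body:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == ";" and depth == 0:
            if "".join(cur).strip():
                out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    return out


def parse_options(text):
    """Map each options statement to its value: an address list, or a scalar string."""
    body = block_body(strip_comments(text), "options")
    if body is None:
        raise ValueError("no options block found")
    opts = {}
    for stmt in statements(body):
        key = stmt.split()[0]
        m = re.search(r"\{(.*)\}", stmt, flags=re.S)
        if m:
            opts[key] = [x.strip() for x in m.group(1).split(";") if x.strip()]
        else:
            opts[key] = stmt.split(None, 1)[1] if len(stmt.split()) > 1 else ""
    return opts


def open_resolver_findings(text):
    """List the settings that would turn this server into an open recursive resolver."""
    opts = parse_options(text)
    findings = []
    # BIND 9 defaults: recursion is on, and allow-recursion falls back to
    # allow-query-cache, then allow-query, then "localnets; localhost".
    if opts.get("recursion", "yes") == "yes":
        effective = (opts.get("allow-recursion") or opts.get("allow-query-cache")
                     or opts.get("allow-query") or ["localnets", "localhost"])
        if "any" in effective:
            findings.append("recursion is open to any client; add allow-recursion { <acl>; }")
    if "any" in opts.get("listen-on", []):
        findings.append("listen-on { any; } binds every interface; pin it to the server address")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_OPTIONS), ("hardened", HARDENED_OPTIONS)):
        print(label, open_resolver_findings(conf) or "no findings")
```

The hardened block keeps `allow-query { any; }` so the authoritative zone still answers the public, and narrows only recursion; that is the split the file's own comment asks for when one server is both authoritative and caching.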

2. The named.rfc1912.zones configuration file

(1) Location

vim /etc/named.rfc1912.zones

(2) Format

zone "ZONE_NAME" IN {
    type {master|slave|hint|forward};
    file "ZONE_NAME.zone";
};

Example

vim /etc/named.rfc1912.zones
# append the following
zone "test.com." IN {
    type master;
    file "test.com.zone";
};

3. Create the test.com.zone data file

(1) Location

vim /var/named/test.com.zone

(2) Format

$TTL 600
$ORIGIN mytest.cn.
; SOA record
; owner-name ttl class rr      name-server      email-addr  (sn ref ret ex min)
@                 IN   SOA     ns1.mytest.cn.   root.mytest.cn. (
                    2017031088 ; sn  = serial number
                    3600       ; ref = refresh = 1h
                    180        ; ret = retry = 3m
                    1209600    ; ex  = expire = 2w
                    10800      ; nx  = negative-cache (nxdomain) ttl = 3h
                    )
; record syntax
; host ttl class type data
; NS records
@  86400  IN  NS  ns1.mytest.cn.
@  86400  IN  NS  ns2.mytest.cn.
; A records
ns1  600  IN  A  10.10.8.1
ns2  600  IN  A  10.10.8.2

| Item | Description |
| :-: | :-- |
| $TTL 600 | Defines the default TTL, so the resource records below need not carry a TTL of their own. |
| $ORIGIN mytest.cn. | Lets names in resource records be abbreviated: "ns1.mytest.cn." can be written as ns1, which inherits the domain given after $ORIGIN. |
| SOA | Start-of-authority record; its fields are described below. |
| owner-name | The current zone, usually written as @. |
| TTL | The standard TTL value, range 0 to 2147483647. Note: since BIND 9 this field no longer applies here. |
| rr | Resource record. |
| name-server | The primary DNS server of the zone. |
| email-addr | E-mail address of the person responsible for the zone; because @ has a special meaning here, it is replaced by a dot. |
| sn | Serial number. Increase it by 1 on every change to the zone so that slaves know to synchronise. Range 1 to 4294967295, maximum increment 2147483647. |
| ref | Refresh interval: how often a slave polls the master for updates. Recommended 1200 to 43200 seconds. |
| ret | Retry interval: how long a slave waits before trying again after a failed synchronisation. Typically 180 (3 minutes) to 900 (15 minutes) or higher. |
| ex | Expire: how long a slave keeps retrying after failures; once this time is reached, the zone data is no longer considered authoritative. Recommended 1209600 to 2419200 seconds (2 to 4 weeks). |
| nx / min | Since BIND 9 this value is redefined as the negative-cache time: how long any resolver may cache a NAME ERROR (NXDOMAIN) result. The maximum allowed is 3 hours (10800 seconds). Note: in BIND 4 to 8 this field was min, the default TTL for any RR in the zone without an explicit TTL; since BIND 9 the default TTL is set with the $TTL directive. |

Example

$TTL 3600
$ORIGIN test.com.
@       IN      SOA     test.com.  admin.test.com. (
                2017011901
                1H
                10M
                3D
                1D)

@       IN      NS      ns1.test.com.
@       IN      MX  10  mail.test.com.
ns1     IN      A       22.22.22.22
mail    IN      A       22.22.22.22
www     IN      A       22.22.22.22
bbs     IN      A       22.22.22.22

(3) Set permissions

# change into the zone file directory
cd /var/named
# set the group of the zone file to named (either command does this)
chown :named /var/named/test.com.zone
chgrp named /var/named/test.com.zone
# set the zone file mode to 640
chmod 640 /var/named/test.com.zone

(4) Check the syntax

Check the zone file with named-checkzone (named-checkconf checks /etc/named.conf in the same way):

named-checkzone test.com. /var/named/test.com.zone

    zone test.com/IN: loaded serial 2017011901
    OK

(5) Reload

rndc reload
# prints: server reload successful

# CentOS 6, alternatively:
service named reload
service named restart
# CentOS 7, alternatively:
systemctl reload named.service
systemctl restart named.service

III. Testing the forward zone

dig test.com @10.3.3.211
dig -t A www.test.com @10.3.3.211
dig -t NS test.com @10.3.3.211