Linux DNS configuration with BIND9: the DNS service (bind9) configuration process
Published: 2006-08-22 08:57:40, source: 紅聯, posted by: 晚點
Author: 周立軍
Revised: 23 February 2006
Environment: Fedora 4, bind-9.2.6.tar.gz
Remove the BIND packages that ship with the system
[code]# rpm -qa|grep bind
bind-libs-9.3.1-4
bind-utils-9.3.1-4
# rpm -e --nodeps bind*[/code]
I. Installing BIND
1. Preparation
Download a stable BIND release for installation from www.isc.org:
wget http://ftp.isc.org/isc/bind9/9.2.6/bind-9.2.6.tar.gz
Install gcc.
2. Compile and install BIND
[code]#tar zxvf bind-9.2.6.tar.gz
#cd bind-9.2.6
#./configure --sysconfdir=/etc/bind
#make
#make install[/code]
Configuring BIND
II. Configuring the root hints
1. Edit the configuration file
[code]# vi /etc/bind/named.conf
options {
directory "/var/bind";
};
zone "." {
type hint;
file "named.ca";
};[/code]
2. Create the working directory
[code]#mkdir /var/bind[/code]
3. Query the root DNS servers
[code]# dig -t NS .
; <<>> DiG 9.2.6 <<>> -t NS .
;; global options: printcmd
;; Got answer:
;; ->>HEADER<
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
. 139616 IN NS G.ROOT-SERVERS.NET.
. 139616 IN NS H.ROOT-SERVERS.NET.
. 139616 IN NS I.ROOT-SERVERS.NET.
. 139616 IN NS J.ROOT-SERVERS.NET.
. 139616 IN NS K.ROOT-SERVERS.NET.
. 139616 IN NS L.ROOT-SERVERS.NET.
. 139616 IN NS M.ROOT-SERVERS.NET.
. 139616 IN NS A.ROOT-SERVERS.NET.
. 139616 IN NS B.ROOT-SERVERS.NET.
. 139616 IN NS C.ROOT-SERVERS.NET.
. 139616 IN NS D.ROOT-SERVERS.NET.
. 139616 IN NS E.ROOT-SERVERS.NET.
. 139616 IN NS F.ROOT-SERVERS.NET.
;; ADDITIONAL SECTION:
J.ROOT-SERVERS.NET. 485712 IN A 192.58.128.30
;; Query time: 51 msec
;; SERVER: 172.xx.xx.11#53(172.xx.xx.11)
;; WHEN: Tue Feb 14 01:55:39 2006
;; MSG SIZE rcvd: 244[/code]
4. Add the root server's address to /etc/resolv.conf
[code]#echo "nameserver 192.58.128.30" >/etc/resolv.conf[/code]
5. Import the root servers' records into /var/bind/named.ca
[code]#dig -t NS . >/var/bind/named.ca
#cat /var/bind/named.ca
; <<>> DiG 9.2.6 <<>> -t NS .
;; global options: printcmd
;; Got answer:
;; ->>HEADER<
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
. 517472 IN NS M.ROOT-SERVERS.NET.
. 517472 IN NS A.ROOT-SERVERS.NET.
. 517472 IN NS B.ROOT-SERVERS.NET.
. 517472 IN NS C.ROOT-SERVERS.NET.
. 517472 IN NS D.ROOT-SERVERS.NET.
. 517472 IN NS E.ROOT-SERVERS.NET.
. 517472 IN NS F.ROOT-SERVERS.NET.
. 517472 IN NS G.ROOT-SERVERS.NET.
. 517472 IN NS H.ROOT-SERVERS.NET.
. 517472 IN NS I.ROOT-SERVERS.NET.
. 517472 IN NS J.ROOT-SERVERS.NET.
. 517472 IN NS K.ROOT-SERVERS.NET.
. 517472 IN NS L.ROOT-SERVERS.NET.
;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET. 603872 IN A 198.41.0.4
B.ROOT-SERVERS.NET. 603872 IN A 192.228.79.201
C.ROOT-SERVERS.NET. 603872 IN A 192.33.4.12
D.ROOT-SERVERS.NET. 603872 IN A 128.8.10.90
E.ROOT-SERVERS.NET. 603872 IN A 192.203.230.10
F.ROOT-SERVERS.NET. 603872 IN A 192.5.5.241
G.ROOT-SERVERS.NET. 603872 IN A 192.112.36.4
H.ROOT-SERVERS.NET. 603872 IN A 128.63.2.53
I.ROOT-SERVERS.NET. 603872 IN A 192.36.148.17
J.ROOT-SERVERS.NET. 603872 IN A 192.58.128.30
K.ROOT-SERVERS.NET. 603872 IN A 193.0.14.129
L.ROOT-SERVERS.NET. 603872 IN A 198.32.64.12
M.ROOT-SERVERS.NET. 603872 IN A 202.12.27.33
;; Query time: 478 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 14 12:21:35 2006
;; MSG SIZE rcvd: 436[/code]
6. Configure rndc
[code]#rndc-confgen >/etc/bind/rndc.conf
# cat -n /etc/bind/rndc.conf
1 # Start of rndc.conf
2 key "rndc-key" {
3 algorithm hmac-md5;
4 secret "OJuPxS0u/5tJ71W8ypj4fA==";
5 };
6
7 options {
8 default-key "rndc-key";
9 default-server 127.0.0.1;
10 default-port 953;
11 };
12 # End of rndc.conf
13
14 # Use with the following in named.conf, adjusting the allow list as needed:
15 # key "rndc-key" {
16 # algorithm hmac-md5;
17 # secret "OJuPxS0u/5tJ71W8ypj4fA==";
18 # };
19 #
20 # controls {
21 # inet 127.0.0.1 port 953
22 # allow { 127.0.0.1; } keys { "rndc-key"; };
23 # };
24 # End of named.conf
#[/code]
7. Append the relevant part of rndc.conf to /etc/bind/named.conf, then edit /etc/bind/named.conf and remove the leading # from the imported lines.
[code]#tail -n +13 /etc/bind/rndc.conf >>/etc/bind/named.conf[/code]
8. Check and restart the named service, look at the log file, and check that rndc can reach the server
[code]#ps aux|grep named
#killall named
#ps aux|grep named
#named
#ps aux|grep named
#tail /var/log/messages
#rndc status
number of zones: 2
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
server is up and running
#[/code]
9. Point /etc/resolv.conf at the local server and test with the host command
[code]#echo "nameserver 127.0.0.1" >/etc/resolv.conf
# host www.cisco.com
www.cisco.com has address 198.133.219.25[/code]
III. Configuring the localhost zones
(1) The localhost forward zone
1. Edit /etc/bind/named.conf and insert the following
[code]zone "localhost" {
type master;
file "db.local";
};[/code]
2. Configure /var/bind/db.local:
[code]$TTL 900
@ IN SOA localhost. root (
    2006021401 ;serial number
    1H ;refresh
    15M ;retry
    1W ;expire
    1D ) ;minimum (negative-cache TTL)
    IN NS @
    IN A 127.0.0.1[/code]
3. Test
[code]# rndc reload
# host localhost
localhost has address 127.0.0.1
# dig localhost
; <<>> DiG 9.2.6 <<>> localhost
;; global options: printcmd
;; Got answer:
;; ->>HEADER<
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;localhost. IN A
;; ANSWER SECTION:
localhost. 86400 IN A 127.0.0.1
;; AUTHORITY SECTION:
localhost. 86400 IN NS localhost.
;; Query time: 52 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 14 13:06:21 2006
;; MSG SIZE rcvd: 57
# dig -t NS localhost
; <<>> DiG 9.2.6 <<>> -t NS localhost
;; global options: printcmd
;; Got answer:
;; ->>HEADER<
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;localhost. IN NS
;; ANSWER SECTION:
localhost. 86400 IN NS localhost.
;; ADDITIONAL SECTION:
localhost. 86400 IN A 127.0.0.1
;; Query time: 44 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 14 13:07:54 2006
;; MSG SIZE rcvd: 57
# dig -t A localhost
; <<>> DiG 9.2.6 <<>> -t A localhost
;; global options: printcmd
;; Got answer:
;; ->>HEADER<
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;localhost. IN A
;; ANSWER SECTION:
localhost. 86400 IN A 127.0.0.1
;; AUTHORITY SECTION:
localhost. 86400 IN NS localhost.
;; Query time: 42 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 14 13:08:00 2006
;; MSG SIZE rcvd: 57
#[/code]
(2) The 127.0.0 reverse zone
1. Edit /etc/bind/named.conf and add the following
[code]zone "0.0.127.in-addr.arpa" {
type master;
file "127.0.0.zone";
};[/code]
2. Create /var/bind/127.0.0.zone with the following content
[code]$TTL 900
@ IN SOA @ root.localhost. (
    20060214 ;serial
    1H ;refresh
    15M ;retry
    1W ;expire
    1D ) ;minimum
    IN NS localhost.
1 IN PTR localhost.[/code]
3. Reload with rndc and test
[code]# rndc reload
#host 127.0.0.1
1.0.0.127.in-addr.arpa domain name pointer localhost.
# dig -x 127.0.0.1
; <<>> DiG 9.2.6 <<>> -x 127.0.0.1
;; global options: printcmd
;; Got answer:
;; ->>HEADER<
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;1.0.0.127.in-addr.arpa. IN PTR
;; ANSWER SECTION:
1.0.0.127.in-addr.arpa. 86400 IN PTR localhost.
;; AUTHORITY SECTION:
0.0.127.in-addr.arpa. 86400 IN NS localhost.
;; ADDITIONAL SECTION:
localhost. 86400 IN A 127.0.0.1
;; Query time: 73 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 14 15:47:31 2006
;; MSG SIZE rcvd: 93
#[/code]
×××××××××××××××××××××××××××××××××××××××
IV. Configuring the zhoulj.com zone
(1) The zhoulj.com forward zone
1. Add the following to /etc/bind/named.conf
[code]zone "zhoulj.com" {
type master;
file "db.zhoulj.com";
};[/code]
2. Configure /var/bind/db.zhoulj.com
[code]$TTL 900
@ IN SOA zhoulj.com. root (
    2006021401 ;serial number
    1H ;refresh
    15M ;retry
    1W ;expire
    1D ) ;minimum
    IN NS @
    IN MX 10 mail
    IN A 172.17.1.172
ns IN A 172.17.1.172
www IN A 172.17.1.201
mail IN A 172.17.1.1
ftp IN A 172.17.1.201
news IN CNAME www[/code]
3. Reload with rndc and test
[code]# rndc reload
# host -t A zhoulj.com
zhoulj.com has address 172.17.1.172
# host -t NS zhoulj.com
zhoulj.com name server zhoulj.com.[/code]
(2) Adding the reverse zone
1. Edit /etc/bind/named.conf and add the following
[code]zone "1.17.172.in-addr.arpa" {
type master;
file "db.172.17.1";
};[/code]
2. Create /var/bind/db.172.17.1 with the following content
[code]$TTL 900
@ IN SOA zhoulj.com. root.zhoulj.com. (
    2006022301 ;serial
    1H ;refresh
    15M ;retry
    1W ;expire
    1D ) ;minimum
    IN NS zhoulj.com.
201 IN PTR www.zhoulj.com.
1 IN PTR mail.zhoulj.com.
201 IN PTR ftp.zhoulj.com. ;ftp shares 172.17.1.201 with www, as in the forward zone[/code]
3. Reload with rndc and test
[code]# rndc reload
[root@localhost named]# host 172.17.1.201
201.1.17.172.in-addr.arpa domain name pointer www.zhoulj.com.
201.1.17.172.in-addr.arpa domain name pointer ftp.zhoulj.com.
[root@localhost named]# host 172.17.1.1
1.1.17.172.in-addr.arpa domain name pointer mail.zhoulj.com.
[root@localhost named]# dig -x 172.17.1.201
; <<>> DiG 9.2.6 <<>> -x 172.17.1.201
;; global options: printcmd
;; Got answer:
;; ->>HEADER<
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;201.1.17.172.in-addr.arpa. IN PTR
;; ANSWER SECTION:
201.1.17.172.in-addr.arpa. 86400 IN PTR www.zhoulj.com.
201.1.17.172.in-addr.arpa. 86400 IN PTR ftp.zhoulj.com.
;; AUTHORITY SECTION:
1.17.172.in-addr.arpa. 86400 IN NS zhoulj.com.
;; ADDITIONAL SECTION:
zhoulj.com. 86400 IN A 172.17.1.172
;; Query time: 67 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 14 18:15:20 2006
;; MSG SIZE rcvd: 119[/code]
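The forward and reverse zones above have to agree record for record, and a mismatch (an A record with no PTR, or a PTR whose name actually resolves elsewhere) is easy to miss by eye. The script below is an added example, not part of the original guide: it parses zone-file text in the format used here (@, inherited owners, comments, parenthesised SOA) and cross-checks A records against PTR records; the embedded zones are constructed from the guide's, with ftp's PTR deliberately left at .202 so the check has something to report.

```python
import re
from ipaddress import ip_address

# Constructed from the guide's zone files; ftp's PTR deliberately sits at .202 (as in the draft).
FORWARD_ZONE = """@ IN SOA zhoulj.com. root ( 2006021401 ;serial
    1H 15M 1W 1D ) ;refresh retry expire minimum
    IN A 172.17.1.172
www IN A 172.17.1.201
ftp IN A 172.17.1.201
"""
REVERSE_ZONE = """@ IN SOA zhoulj.com. root.zhoulj.com. ( 2006022301 1H 15M 1W 1D )
201 IN PTR www.zhoulj.com.
202 IN PTR ftp.zhoulj.com.
"""

def parse_zone(text, origin):
    """Yield (owner, type, rdata) with absolute names; handles @, comments and inherited owners."""
    def absolute(n):
        return origin if n == "@" else n if n.endswith(".") else f"{n}.{origin}"
    text = "\n".join(l.split(";", 1)[0] for l in text.splitlines())   # strip comments
    text = re.sub(r"\([^)]*\)", " ", text)      # fold '( ... )' SOA continuations onto one line
    owner = origin
    for line in text.splitlines():
        if not line.strip() or line.startswith("$"):   # blank line or $TTL/$ORIGIN directive
            continue
        if not line[0].isspace():                      # owner given in column 1
            owner, line = line.split(None, 1)
            owner = absolute(owner)
        fields = line.split()
        while fields[0].upper() == "IN" or fields[0].isdigit():   # optional TTL / class
            fields.pop(0)
        rtype, rdata = fields[0].upper(), fields[1:]
        yield owner, rtype, [absolute(r) if rtype in ("NS", "PTR", "CNAME") else r for r in rdata]

def check_consistency(fwd, fwd_origin, rev, rev_origin):
    """Report A records without a matching PTR and PTRs whose target lacks an A at that IP."""
    a, ptr = {}, {}
    for owner, rtype, rdata in parse_zone(fwd, fwd_origin):
        if rtype == "A":
            a.setdefault(owner, set()).add(rdata[0])
    for owner, rtype, rdata in parse_zone(rev, rev_origin):
        if rtype == "PTR":
            ptr.setdefault(owner, set()).add(rdata[0])
    rev_of = lambda ip: ip_address(ip).reverse_pointer + "."   # 172.17.1.201 -> 201.1.17.172.in-addr.arpa.
    problems = [f"missing PTR: {n} A {ip}" for n, ips in a.items() for ip in ips
                if n not in ptr.get(rev_of(ip), ())]
    problems += [f"stale PTR: {r} -> {n}" for r, names in ptr.items() for n in names
                 if not any(rev_of(ip) == r for ip in a.get(n, ()))]
    return sorted(problems)
```

Run `check_consistency(FORWARD_ZONE, "zhoulj.com.", REVERSE_ZONE, "1.17.172.in-addr.arpa.")` to list the mismatches; the apex A record with no PTR is reported as well, which is what the guide's zones actually look like.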
V. Delegating a subdomain
1. Edit /var/bind/db.zhoulj.com and add the following delegation and glue records
[code]domain IN NS ns.domain
ns.domain IN A 172.17.1.171[/code]
Reload with rndc
[code]#rndc reload[/code]
2. Set up a subdomain server: after installing BIND, configure the root hints and so on (essentially the same as on the primary domain server), then add a zone for the subdomain to /etc/bind/named.conf on the subdomain server:
[code]zone "domain.zhoulj.com" {
type master;
file "domain.zhoulj.com.db";
};[/code]
3. On the subdomain server, edit /var/bind/domain.zhoulj.com.db
[code]$TTL 900
@ IN SOA ns.domain.zhoulj.com. root (
    2006021502 ;serial
    36000 ;refresh
    7500 ;retry
    3600000 ;expire
    86400 ) ;minimum
    IN NS ns
ns IN A 172.17.1.171
www IN A 172.16.17.2[/code]
4. Reload the service and test, on both the primary domain server and the subdomain server
[code]#rndc reload
# host www.domain.zhoulj.com
www.domain.zhoulj.com has address 172.16.17.2[/code]
VI. Security controls for DNS access
1. Edit /etc/bind/named.conf and add the pid-file location inside options
[code]options {
directory "/var/bind";
pid-file "/var/run/bind/named.pid";
};[/code]
2. Create the named user, create the directory for BIND's pid file, and make it owned by the named user
[code]# useradd -s /bin/false -d /dev/null named
# id named
uid=501(named) gid=501(named) groups=501(named)
# mkdir -p /var/run/bind
# chown named:named /var/run/bind
# chmod 700 /var/run/bind[/code]
3. Restart the named service as the unprivileged user
[code]# killall -9 named
# named -u named
# tail /var/log/messages
# ps -axu|grep named[/code]
4. Add it to the system startup so it starts with the server
[code]# which named
/usr/local/sbin/named
# echo "/usr/local/sbin/named -u named" >> /etc/rc.local[/code]
VII. Advanced DNS controls
1. Define an access control list
Edit /etc/bind/named.conf and add an acl definition before the options block; the syntax is:
[code]acl our-nets {
10.140.0.0/16;
};[/code]
2. Allow recursive queries from the IP addresses in the acl
Edit /etc/bind/named.conf and, inside options { };, add the rule permitting recursive queries; the syntax is:
[code]allow-recursion {
our-nets;
};[/code]
Test with host and nslookup.
3. Allow queries from the IP addresses in the acl
Edit /etc/bind/named.conf and, inside options { };, add the rule permitting queries; the syntax is:
[code]allow-query {
our-nets;
};[/code]
Test with host and nslookup.
VIII. Configuring a secondary (slave) name server
1. Configure /etc/bind/named.conf on the secondary server; the earlier parts are the same as on the primary, then add the following:
[code]zone "zhoulj.com" {
type slave;
file "zhoulj.com.db.slave";
masters { 172.17.1.172; };
};[/code]
2. Change the permissions on /var/bind so that the named group can write to it. This matters: if the directory is not writable, the secondary zone file cannot be created.
[code]# chgrp -R named /var/bind/
# chmod g+w /var/bind/[/code]
3. Test
Stop the primary DNS server and check whether the secondary keeps answering;
you can watch /var/log/messages to check the secondary's status.
4. Allow specific secondary servers to perform zone transfers by adding the following to /etc/bind/named.conf:
[code]//allow slave DNS server to back up.
allow-transfer
{
any;
};[/code]
The any argument lets every host transfer the zone; replace any with the specific IP addresses of the secondaries.
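The acl, allow-recursion, allow-query and allow-transfer statements from sections VII and VIII decide who may use this server as a resolver and who may pull a whole zone, so they are worth checking mechanically before a reload. The script below is an added example, not the guide's own code: it strips comments from a named.conf fragment constructed from this guide's snippets, extracts the allow-* lists, and flags allow-transfer { any; }, an open or missing allow-recursion, and references to acls that are never defined; 192.0.2.10 is a placeholder for the secondary's address.

```python
import re

# named.conf fragment constructed from this guide's acl / options / zone snippets.
OPEN_CONF = """acl our-nets { 10.140.0.0/16; };
options {
    directory "/var/bind";
    pid-file "/var/run/bind/named.pid";
    allow-recursion { our-nets; };
    //allow slave DNS server to back up.
    allow-transfer { any; };
};
zone "zhoulj.com" { type master; file "db.zhoulj.com"; };
"""
# Same file with transfers limited to the secondary; 192.0.2.10 is a placeholder address.
RESTRICTED_CONF = OPEN_CONF.replace("allow-transfer { any; };", "allow-transfer { 192.0.2.10; };")

BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}
ADDRESS = re.compile(r"^!?[\d./:]+$")          # bare IPv4/IPv6 address or prefix, optionally negated

def strip_comments(conf):
    """Remove the three comment styles named.conf accepts: //, # and /* */."""
    return re.sub(r"//[^\n]*|#[^\n]*|/\*.*?\*/", "", conf, flags=re.S)

def acl_names(conf):
    return set(re.findall(r"\bacl\s+(\S+)\s*\{", conf))

def access_lists(conf):
    """Map each allow-* statement to the elements listed inside its braces."""
    found = re.findall(r"\b(allow-(?:transfer|recursion|query|update))\s*\{([^}]*)\}", conf)
    return {stmt: [e.strip() for e in body.split(";") if e.strip()] for stmt, body in found}

def audit(conf):
    """Return findings for the options-level access policy; an empty list means nothing flagged."""
    conf = strip_comments(conf)
    lists, known = access_lists(conf), acl_names(conf) | BUILTIN_ACLS
    findings = []
    if "any" in lists.get("allow-transfer", ["any"]):   # absent means unrestricted in BIND 9.2
        findings.append("allow-transfer: any host may pull the whole zone; list only the secondaries")
    if "any" in lists.get("allow-recursion", ["any"]):  # BIND 9.2 recurses for everyone by default
        findings.append("allow-recursion: open resolver; restrict recursion to the acl")
    for stmt, elems in lists.items():
        for e in elems:
            if not ADDRESS.match(e) and e.lstrip("!").strip('"') not in known:
                findings.append(f"{stmt}: references undefined acl '{e}'")
    return findings
```

`audit(OPEN_CONF)` reports the unrestricted transfer from the guide's snippet, while `audit(RESTRICTED_CONF)` comes back empty.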