Configuring the DNS service (bind9)

Posted by 晚点 on 2006-8-22
Author: 周立军
Last modified: 23 February 2006
Installation environment: Fedora 4, bind-9.2.6.tar.gz

Remove the bind packages that ship with the system:

CODE:
# rpm -qa|grep bind
bind-libs-9.3.1-4
bind-utils-9.3.1-4
# rpm -e --nodeps bind*

Part 1. Installing BIND

1. Preparation

Download a stable BIND release from www.isc.org:

wget http://ftp.isc.org/isc/bind9/9.2.6/bind-9.2.6.tar.gz

Install gcc.

2. Compile and install BIND

CODE:
# tar zxvf bind-9.2.6.tar.gz
# cd bind-9.2.6
# ./configure --sysconfdir=/etc/bind
# make
# make install

Configuring BIND

Part 2. Configuring the root (hint) zone

1. Edit the configuration file

CODE:
# vi /etc/bind/named.conf
options {
    directory "/var/bind";
};
zone "." {
    type hint;
    file "named.ca";
};

2. Create the working directory

# mkdir /var/bind

3. Query the root DNS servers

CODE:
# dig -t NS .

; <<>> DiG 9.2.6 <<>> -t NS .
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28940
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;.                      IN      NS

;; ANSWER SECTION:
.           139616  IN  NS  G.ROOT-SERVERS.NET.
.           139616  IN  NS  H.ROOT-SERVERS.NET.
.           139616  IN  NS  I.ROOT-SERVERS.NET.
.           139616  IN  NS  J.ROOT-SERVERS.NET.
.           139616  IN  NS  K.ROOT-SERVERS.NET.
.           139616  IN  NS  L.ROOT-SERVERS.NET.
.           139616  IN  NS  M.ROOT-SERVERS.NET.
.           139616  IN  NS  A.ROOT-SERVERS.NET.
.           139616  IN  NS  B.ROOT-SERVERS.NET.
.           139616  IN  NS  C.ROOT-SERVERS.NET.
.           139616  IN  NS  D.ROOT-SERVERS.NET.
.           139616  IN  NS  E.ROOT-SERVERS.NET.
.           139616  IN  NS  F.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
J.ROOT-SERVERS.NET.  485712  IN  A  192.58.128.30

;; Query time: 51 msec
;; SERVER: 172.xx.xx.11#53(172.xx.xx.11)
;; WHEN: Tue Feb 14 01:55:39 2006
;; MSG SIZE  rcvd: 244

4. Put a root server into /etc/resolv.conf so the next query goes straight to it

# echo "nameserver 192.58.128.30" >/etc/resolv.conf

5. Save the root server information into /var/bind/named.ca

The ";" lines that dig prints are comments in zone-file syntax, so named can read this output directly as the hint file.

CODE:
# dig -t NS . >/var/bind/named.ca
# cat /var/bind/named.ca

; <<>> DiG 9.2.6 <<>> -t NS .
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16471
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13

;; QUESTION SECTION:
;.                      IN      NS

;; ANSWER SECTION:
.           517472  IN  NS  M.ROOT-SERVERS.NET.
.           517472  IN  NS  A.ROOT-SERVERS.NET.
.           517472  IN  NS  B.ROOT-SERVERS.NET.
.           517472  IN  NS  C.ROOT-SERVERS.NET.
.           517472  IN  NS  D.ROOT-SERVERS.NET.
.           517472  IN  NS  E.ROOT-SERVERS.NET.
.           517472  IN  NS  F.ROOT-SERVERS.NET.
.           517472  IN  NS  G.ROOT-SERVERS.NET.
.           517472  IN  NS  H.ROOT-SERVERS.NET.
.           517472  IN  NS  I.ROOT-SERVERS.NET.
.           517472  IN  NS  J.ROOT-SERVERS.NET.
.           517472  IN  NS  K.ROOT-SERVERS.NET.
.           517472  IN  NS  L.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET.  603872  IN  A  198.41.0.4
B.ROOT-SERVERS.NET.  603872  IN  A  192.228.79.201
C.ROOT-SERVERS.NET.  603872  IN  A  192.33.4.12
D.ROOT-SERVERS.NET.  603872  IN  A  128.8.10.90
E.ROOT-SERVERS.NET.  603872  IN  A  192.203.230.10
F.ROOT-SERVERS.NET.  603872  IN  A  192.5.5.241
G.ROOT-SERVERS.NET.  603872  IN  A  192.112.36.4
H.ROOT-SERVERS.NET.  603872  IN  A  128.63.2.53
I.ROOT-SERVERS.NET.  603872  IN  A  192.36.148.17
J.ROOT-SERVERS.NET.  603872  IN  A  192.58.128.30
K.ROOT-SERVERS.NET.  603872  IN  A  193.0.14.129
L.ROOT-SERVERS.NET.  603872  IN  A  198.32.64.12
M.ROOT-SERVERS.NET.  603872  IN  A  202.12.27.33

;; Query time: 478 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 14 12:21:35 2006
;; MSG SIZE  rcvd: 436

6. Configure rndc

CODE:
# rndc-confgen >/etc/bind/rndc.conf
# cat -n /etc/bind/rndc.conf
     1  # Start of rndc.conf
     2  key "rndc-key" {
     3      algorithm hmac-md5;
     4      secret "OJuPxS0u/5tJ71W8ypj4fA==";
     5  };
     6
     7  options {
     8      default-key "rndc-key";
     9      default-server 127.0.0.1;
    10      default-port 953;
    11  };
    12  # End of rndc.conf
    13
    14  # Use with the following in named.conf, adjusting the allow list as needed:
    15  # key "rndc-key" {
    16  #     algorithm hmac-md5;
    17  #     secret "OJuPxS0u/5tJ71W8ypj4fA==";
    18  # };
    19  #
    20  # controls {
    21  #     inet 127.0.0.1 port 953
    22  #         allow { 127.0.0.1; } keys { "rndc-key"; };
    23  # };
    24  # End of named.conf

7. Append the named.conf part of rndc.conf (line 13 onwards) to /etc/bind/named.conf, then edit /etc/bind/named.conf and remove the leading "#" from the appended key and controls statements.

# tail -n +13 /etc/bind/rndc.conf >>/etc/bind/named.conf

8. Check and restart the named service, look at the log file and check that rndc can reach it

CODE:
# ps -axu|grep named
# killall named
# ps -axu|grep named
# named
# ps -axu|grep named
# tail /var/log/messages
# rndc status
number of zones: 2
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
server is up and running

9. Point /etc/resolv.conf at the local server and test with the host command

CODE:
# echo "nameserver 127.0.0.1" >/etc/resolv.conf
# host www.cisco.com
www.cisco.com has address 198.133.219.25

Part 3. Configuring the localhost zones

(1) The forward zone for localhost

1. Edit /etc/bind/named.conf and insert the following

CODE:
zone "localhost" {
    type master;
    file "db.local";
};

2. Configure /var/bind/db.local

CODE:
$TTL 900
@       IN SOA  localhost. root (
            2006021401  ;serial number
            1H          ;refresh
            15M         ;retry
            1W          ;expire
            1D )        ;TTL
        IN NS   @
        IN A    127.0.0.1

3. Test

CODE:
# rndc reload
# host localhost
localhost has address 127.0.0.1
# dig localhost

; <<>> DiG 9.2.6 <<>> localhost
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27414
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;localhost.                     IN      A

;; ANSWER SECTION:
localhost.              86400   IN      A       127.0.0.1

;; AUTHORITY SECTION:
localhost.              86400   IN      NS      localhost.

;; Query time: 52 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 14 13:06:21 2006
;; MSG SIZE  rcvd: 57

# dig -t NS localhost

; <<>> DiG 9.2.6 <<>> -t NS localhost
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13067
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;localhost.                     IN      NS

;; ANSWER SECTION:
localhost.              86400   IN      NS      localhost.

;; ADDITIONAL SECTION:
localhost.              86400   IN      A       127.0.0.1

;; Query time: 44 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 14 13:07:54 2006
;; MSG SIZE  rcvd: 57

# dig -t A localhost

; <<>> DiG 9.2.6 <<>> -t A localhost
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31098
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;localhost.                     IN      A

;; ANSWER SECTION:
localhost.              86400   IN      A       127.0.0.1

;; AUTHORITY SECTION:
localhost.              86400   IN      NS      localhost.

;; Query time: 42 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 14 13:08:00 2006
;; MSG SIZE  rcvd: 57
#

(2) The reverse zone for 127.0.0

1. Edit /etc/bind/named.conf and add the following

CODE:
zone "0.0.127.in-addr.arpa" {
    type master;
    file "127.0.0.zone";
};

2. Create /var/bind/127.0.0.zone with the following content

CODE:
$TTL 900
@       IN SOA  @ root.localhost. (
            20060214
            1H
            15M
            1W
            1D )
        IN NS   localhost.
1       IN PTR  localhost.

3. Reload with rndc and test

CODE:
# rndc reload
# host 127.0.0.1
1.0.0.127.in-addr.arpa domain name pointer localhost.
# dig -x 127.0.0.1

; <<>> DiG 9.2.6 <<>> -x 127.0.0.1
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5834
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;1.0.0.127.in-addr.arpa.        IN      PTR

;; ANSWER SECTION:
1.0.0.127.in-addr.arpa. 86400   IN      PTR     localhost.

;; AUTHORITY SECTION:
0.0.127.in-addr.arpa.   86400   IN      NS      localhost.

;; ADDITIONAL SECTION:
localhost.              86400   IN      A       127.0.0.1

;; Query time: 73 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 14 15:47:31 2006
;; MSG SIZE  rcvd: 93
#

Part 4. Configuring the zhoulj.com zone

(1) The zhoulj.com forward zone

1. Edit /etc/bind/named.conf and add the following

CODE:
zone "zhoulj.com" {
    type master;
    file "db.zhoulj.com";
};

2. Configure /var/bind/db.zhoulj.com

CODE:
$TTL 900
@       IN SOA  zhoulj.com. root (
            2006021401  ;serial number
            1H          ;refresh
            15M         ;retry
            1W          ;expire
            1D )        ;TTL
        IN NS   @
        IN MX   10 mail
        IN A    172.17.1.172
ns      IN A    172.17.1.172
www     IN A    172.17.1.201
mail    IN A    172.17.1.1
ftp     IN A    172.17.1.201
news    IN CNAME www

3. Reload with rndc and test

CODE:
# rndc reload
# host -t A zhoulj.com
zhoulj.com has address 172.17.1.172
# host -t NS zhoulj.com
zhoulj.com name server zhoulj.com.

(2) Adding the reverse zone

1. Edit /etc/bind/named.conf and add the following

CODE:
zone "1.17.172.in-addr.arpa" {
    type master;
    file "db.172.17.1";
};

2. Create /var/bind/db.172.17.1 with the following content

CODE:
$TTL 900
@       IN SOA  zhoulj.com. root.zhoulj.com. (
            2006022301
            1H
            15M
            1W
            1D )
        IN NS   zhoulj.com.
201     IN PTR  www.zhoulj.com.
1       IN PTR  mail.zhoulj.com.
202     IN PTR  ftp.zhoulj.com.

3. Reload with rndc and test

CODE:
# rndc reload
[root@localhost named]# host 172.17.1.201
201.1.17.172.in-addr.arpa domain name pointer www.zhoulj.com.
201.1.17.172.in-addr.arpa domain name pointer ftp.zhoulj.com.
[root@localhost named]# host 172.17.1.1
1.1.17.172.in-addr.arpa domain name pointer mail.zhoulj.com.
[root@localhost named]# dig -x 172.17.1.201

; <<>> DiG 9.2.6 <<>> -x 172.17.1.201
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25538
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;201.1.17.172.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
201.1.17.172.in-addr.arpa. 86400 IN     PTR     www.zhoulj.com.
201.1.17.172.in-addr.arpa. 86400 IN     PTR     ftp.zhoulj.com.

;; AUTHORITY SECTION:
1.17.172.in-addr.arpa.  86400   IN      NS      zhoulj.com.

;; ADDITIONAL SECTION:
zhoulj.com.             86400   IN      A       172.17.1.172

;; Query time: 67 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 14 18:15:20 2006
;; MSG SIZE  rcvd: 119

Part 5. Delegating a subdomain

1. Edit /var/bind/zhoulj.com.db (the zhoulj.com zone file from Part 4) and add the following delegation and glue record

CODE:
domain      IN NS   ns.domain
ns.domain   IN A    172.17.1.171

Reload with rndc.

2. Set up a subdomain server: install BIND and configure the root zone and so on as for the primary domain server (the earlier steps apply unchanged), then add the subdomain to /etc/bind/named.conf on the subdomain server:

CODE:
zone "domain.zhoulj.com" {
    type master;
    file "domain.zhoulj.com.db";
};

3. Edit /var/bind/domain.zhoulj.com.db on the subdomain server

CODE:
$TTL 900
@       IN SOA  zhoulj.com. root (
            2006021502  ;serial
            36000       ;1hour
            7500        ;15M
            3600000     ;
            86400 )     ;TTL
        IN NS   ns
ns      IN A    172.17.1.171
www     IN A    172.16.17.2

4. Restart the service and test, on both the primary domain's server and the subdomain server

CODE:
# rndc reload
# host www.domain.zhoulj.com
www.domain.zhoulj.com has address 172.16.17.2

Part 6. Security controls for the DNS service

1. Edit /etc/bind/named.conf and add the pid file location inside options

CODE:
options {
    directory "/var/bind";
    pid-file "/var/run/bind/named.pid";
};

2. Create the named user, create the directory for bind's pid file and make it owned by the named user

CODE:
# useradd -s /bin/false -d /dev/null named
# id named
uid=501(named) gid=501(named) groups=501(named)
# mkdir -p /var/run/bind
# chown named:named /var/run/bind
# chmod 700 /var/run/bind

3. Restart named as the unprivileged user

CODE:
# killall -9 named
# named -u named
# tail /var/log/messages
# ps -axu|grep named

4. Add it to the system startup so it comes up with the server

CODE:
# which named
/usr/local/sbin/named
# echo "/usr/local/sbin/named -u named" >> /etc/rc.local

Part 7. Advanced DNS controls

1. Create an access control list

Edit /etc/bind/named.conf and add an acl statement before options, with this syntax:

CODE:
acl our-nets { 10.140.0.0/16; };

2. Allow recursive queries only from the addresses in the acl

Edit /etc/bind/named.conf and add the rule inside options { };, with this syntax:

CODE:
allow-recursion { our-nets; };

Without this rule the server recurses for any client that can reach it, which makes it an open resolver; restricting recursion to our-nets keeps that service for your own networks only. Test with host and nslookup.

3. Allow queries only from the addresses in the acl

Edit /etc/bind/named.conf and add the rule inside options { };, with this syntax:

CODE:
allow-query { our-nets; };

Test with host and nslookup.

Part 8. Configuring a secondary (slave) name server

1. Configure /etc/bind/named.conf on the secondary; the earlier part is the same as on the primary server, then add the following:

CODE:
zone "zhoulj.com" {
    type slave;
    file "zhoulj.com.db.slave";
    masters { 172.17.1.172; };
};

2. Change the permissions of /var/bind so that the named group can write to it. This matters: if the directory is not writable, the secondary cannot create the transferred zone file.

CODE:
# chgrp -R named /var/bind/
# chmod g+w /var/bind/

3. Test

Stop the primary DNS server and check whether the secondary keeps answering; /var/log/messages shows the secondary's status.

4. Allow specific secondary servers to transfer the zone by adding the following to /etc/bind/named.conf on the primary (inside the zone statement, or inside options { } to apply to every zone):

CODE:
//allow slave DNS server to back up.
allow-transfer { any; };

The any argument lets every host transfer the zone; replace any with the specific IP address(es) of your secondaries.
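As an added check (not part of the original tutorial), the following Python compares the forward and reverse zone files from Part 4 and reports entries that disagree, such as ftp being 172.17.1.201 in the forward file but 202 in the reverse file, and addresses that have no PTR at all. The zone text is embedded as constructed copies of the page's files with the SOA folded onto one line; the small parser only handles the `owner IN TYPE rdata` layout those files use.

```python
from collections import defaultdict

# Constructed copies of the Part 4 zone files (db.zhoulj.com, db.172.17.1) with
# the SOA folded onto one line; embedded so the check runs offline.
FORWARD = """$TTL 900
@    IN SOA zhoulj.com. root ( 2006021401 1H 15M 1W 1D )
     IN NS  @
     IN A   172.17.1.172
www  IN A   172.17.1.201
mail IN A   172.17.1.1
ftp  IN A   172.17.1.201
"""
REVERSE = """@   IN SOA zhoulj.com. root.zhoulj.com. ( 2006022301 1H 15M 1W 1D )
201 IN PTR www.zhoulj.com.
1   IN PTR mail.zhoulj.com.
202 IN PTR ftp.zhoulj.com.
"""

def fqdn(name, origin):  # '@' is the origin; no trailing dot means relative
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def records(zone_text, origin, rtype):
    # Yield (owner, rdata fields) of one type; strips ';' comments, skips
    # $-directives, and a line starting with whitespace inherits the owner.
    owner = origin
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()
        if not fields or line.startswith("$"):
            continue
        if not line[0].isspace():
            owner, fields = fqdn(fields[0], origin), fields[1:]
        if len(fields) >= 3 and fields[0] == "IN" and fields[1] == rtype:
            yield owner, fields[2:]

def ptr_name(ip):  # 172.17.1.201 -> 201.1.17.172.in-addr.arpa.
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."

def check_reverse(forward, fwd_origin, reverse, rev_origin):
    # Findings: A records that no PTR names, and PTRs whose target has no A for that IP.
    a_recs = {(owner, rd[0]) for owner, rd in records(forward, fwd_origin, "A")}
    ptrs = defaultdict(set)
    for owner, rd in records(reverse, rev_origin, "PTR"):
        ptrs[owner].add(rd[0])
    findings = []
    for owner, ip in sorted(a_recs):
        if owner not in ptrs.get(ptr_name(ip), ()):
            findings.append(f"A {owner} -> {ip}: no PTR at {ptr_name(ip)} names it")
    for rev, targets in ptrs.items():
        ip = ".".join(reversed(rev[:-len(".in-addr.arpa.")].split(".")))
        findings += [f"PTR {rev} -> {t}: {t} has no A record for {ip}"
                     for t in targets if (t, ip) not in a_recs]
    return findings
```

Run `check_reverse(FORWARD, "zhoulj.com.", REVERSE, "1.17.172.in-addr.arpa.")` against the page's files and it reports the ftp mismatch, the stale 202 PTR, and the missing PTR for zhoulj.com itself at 172.17.1.172.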
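Added example, not from the original article: two things the secondary setup in Part 8 depends on, modelled in Python. A secondary only transfers the zone when the primary's SOA serial is newer under RFC 1982 serial arithmetic, so every edit to a zone file must raise the serial before `rndc reload`; and allow-transfer decides who may fetch the zone, so `any` should give way to the secondary's address (172.17.1.171 below is an assumed secondary address; the page never assigns one).

```python
from datetime import date
from ipaddress import ip_address, ip_network

SERIAL_MOD = 2 ** 32  # SOA serials are 32-bit and compared with RFC 1982 arithmetic

def serial_newer(candidate, current):
    # True when a secondary holding `current` would fetch a primary copy at `candidate`:
    # the difference, taken modulo 2^32, must be positive and below 2^31.
    diff = (candidate - current) % SERIAL_MOD
    return 0 < diff < 2 ** 31

def next_serial(current, today=None):
    # Next serial in the page's YYYYMMDDnn scheme (2006021401 -> 2006021402 on the
    # same day). If the date prefix would not exceed the current value (same day,
    # clock set back, or more than 99 edits in a day) fall back to current + 1, so
    # the secondary always sees the reloaded zone as newer.
    today = today or date.today()
    candidate = int(today.strftime("%Y%m%d")) * 100 + 1
    return (candidate if candidate > current else current + 1) % SERIAL_MOD

def transfer_allowed(allow_transfer, requester):
    # Evaluate an allow-transfer { ...; } list as the page uses it: "any", "none",
    # or a list of addresses/prefixes; a requester matching none of them is refused.
    req = ip_address(requester)
    for entry in allow_transfer:
        if entry == "any":
            return True
        if entry == "none":
            return False
        if req in ip_network(entry, strict=False):
            return True
    return False

if __name__ == "__main__":
    # The page's serials: 2006021401 in db.zhoulj.com, 2006022301 in db.172.17.1
    print(serial_newer(2006022301, 2006021401))             # True: secondary transfers
    print(next_serial(2006021401, date(2006, 2, 14)))       # 2006021402
    print(transfer_allowed(["any"], "10.140.3.4"))          # True: anyone gets the zone
    print(transfer_allowed(["172.17.1.171"], "10.140.3.4")) # False after restricting it
```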