搭建DNS服务器
本文将描述在CentOS 7上使用bind9搭建DNS服务器并配置泛域名解析。
1、安装bind、bind-chroot、bind-utils
[root@node-dns ~]# yum install -y bind bind-chroot bind-utils
bind-chroot 使 named 进程运行在 /var/named/chroot 这一受限的根目录中,进程即使被攻破也难以访问该目录之外的文件系统,从而提高安全性;
2、初始化chroot运行环境
[root@node-dns ~]# /usr/libexec/setup-named-chroot.sh /var/named/chroot on
### 查看初始化结果 ###
[root@node-dns ~]# ll /var/named/chroot/etc/
-rw-r--r--. 5 root root 388 10月 3 2016 localtime
drwxr-x---. 2 root named 6 1月 22 21:30 named
-rw-r-----. 1 root named 1705 3月 22 2016 named.conf
-rw-r--r--. 1 root named 3923 1月 22 21:30 named.iscdlv.key
-rw-r-----. 1 root named 931 6月 21 2007 named.rfc1912.zones
-rw-r--r--. 1 root named 1587 5月 22 2017 named.root.key
drwxr-x---. 3 root named 25 4月 24 11:00 pki
-rw-r--r--. 1 root root 6545 6月 7 2013 protocols
-rw-r--r--. 1 root root 670293 6月 7 2013 services
### 通过bind-chroot启动bind ###
[root@node-dns ~]# systemctl start named-chroot
### 查看运行状态 ###
[root@node-dns ~]# systemctl status named-chroot
● named-chroot.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; disabled; vendor preset: disabled) Active: active (running) since 二 2018-04-24 11:01:44 CST; 7s ago Process: 2358 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS (code=exited, status=0/SUCCESS)
Process: 2355 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 2361 (named)
CGroup: /system.slice/named-chroot.service
└─2361 /usr/sbin/named -u named -c /etc/named.conf -t /var/named/chroot
4月 24 11:01:44 node-dns named[2361]: managed-keys-zone: loaded serial 0
4月 24 11:01:44 node-dns systemd[1]: Started Berkeley Internet Name Domain (DNS).
4月 24 11:01:44 node-dns named[2361]: zone 0.in-addr.arpa/IN: loaded serial 0
4月 24 11:01:44 node-dns named[2361]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
4月 24 11:01:44 node-dns named[2361]: zone localhost.localdomain/IN: loaded serial 0
4月 24 11:01:44 node-dns named[2361]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
4月 24 11:01:44 node-dns named[2361]: zone localhost/IN: loaded serial 0
4月 24 11:01:44 node-dns named[2361]: all zones loaded
4月 24 11:01:44 node-dns named[2361]: running
4月 24 11:01:44 node-dns named[2361]: error (network unreachable) resolving './DNSKEY/IN': 2001:7fd::1#53
### 设置开机自启动 ###
[root@node-dns ~]# systemctl enable named-chroot
Created symlink from /etc/systemd/system/multi-user.target.wants/named-chroot.service to /usr/lib/systemd/system/named-chroot.service.
3、配置named.conf
[root@node-dns ~]# vi /var/named/chroot/etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
    // Binds on every IPv4/IPv6 interface. Together with allow-query { any; }
    // and recursion yes below, this makes named an open recursive resolver on
    // each of those interfaces — see the warning further down.
    listen-on port 53 { any; };
    listen-on-v6 port 53 { any; };
    // NOTE(review): the startup log reported "network unreachable" for the
    // root DNSKEY over IPv6 (2001:7fd::1); presumably this host has no IPv6
    // route, so listening on v6 gives nothing here — confirm.
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    // Anyone who can reach port 53 may query this server.
    allow-query { any; };
    /*
    - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
    - If you are building a RECURSIVE (caching) DNS server, you need to enable
    recursion.
    - If your recursive DNS server has a public IP address, you MUST enable access
    control to limit queries to your legitimate users. Failing to do so will
    cause your server to become part of large scale DNS amplification
    attacks. Implementing BCP38 within your network would greatly
    reduce such attack surface
    */
    // NOTE(review): recursion is enabled while allow-query is { any; } and
    // nothing restricts who may recurse. If any interface is reachable from an
    // untrusted network, limit recursion to your own clients, e.g.
    //   allow-recursion { 127.0.0.1; <trusted-nets-placeholder>; };
    // (or an acl), as the vendor comment above requires.
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    // NOTE(review): DLV (dnssec-lookaside) is a legacy mechanism; ISC has
    // retired the DLV registry, so this setting adds no validation today and
    // can be dropped on current releases.
    dnssec-lookaside auto;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    // Where RFC 5011 managed trust anchors are persisted (inside the chroot).
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};
// Debug channel; "data/named.run" is relative to the directory option above.
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
// Root hints: the starting point for recursive resolution.
zone "." IN {
    type hint;
    file "named.ca";
};
// Local zones (RFC 1912 defaults plus the zones added in this setup).
include "/etc/named.rfc1912.zones";
// NOTE(review): expected to carry the root trust anchor that
// dnssec-validation relies on — confirm the file contents after upgrades.
include "/etc/named.root.key";
4、配置域
[root@node-dns ~]# vi /var/named/chroot/etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// RFC 1912 local zones shipped with the package; dynamic updates are
// explicitly refused for each of them.
zone "localhost.localdomain" IN {
    type master;
    file "named.localhost";
    allow-update { none; };
};
zone "localhost" IN {
    type master;
    file "named.localhost";
    allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
    type master;
    file "named.loopback";
    allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
    type master;
    file "named.loopback";
    allow-update { none; };
};
zone "0.in-addr.arpa" IN {
    type master;
    file "named.empty";
    allow-update { none; };
};
// Forward zone (added in this setup). The file path is relative to the
// directory option, i.e. /var/named/chenlei.com.zone inside the chroot.
// NOTE(review): allow-update is not set; BIND's default is none, but stating
// allow-update { none; }; explicitly would match the zones above.
zone "chenlei.com" IN {
    type master;
    file "chenlei.com.zone";
};
// Reverse zone for 192.168.115.0/24 (added in this setup); same note on
// allow-update applies.
zone "115.168.192.in-addr.arpa" IN {
    type master;
    file "115.168.192.zone";
};
5、创建正向解析资源记录文件
[root@node-dns ~]# vi /var/named/chroot/var/named/chenlei.com.zone
; Forward zone for chenlei.com.
$TTL 1D                 ; default TTL (1 day) for records without an explicit one
; SOA: primary server dns.chenlei.com., admin mailbox root@chenlei.com
; NOTE(review): the serial must be incremented on every edit, otherwise
; secondaries and caches will not pick up changes.
@ IN SOA dns.chenlei.com. root.chenlei.com. (
        0 ; serial
        1D ; refresh
        1H ; retry
        1W ; expire
        3H ) ; minimum
@ NS dns                ; relative name -> dns.chenlei.com.
dns A 192.168.119.5     ; the name server itself
www A 192.168.115.210
; Wildcard: matches only names that have no explicit record in this zone,
; so dns and www above are answered from their own records, everything
; else under chenlei.com resolves to 192.168.115.210.
* A 192.168.115.210
"*" 表示任何以 "chenlei.com" 结尾、且在 zone 文件中没有显式记录的域名(即 dns、www 之外的名称)都会被解析到 192.168.115.210,即泛域名解析;
6、创建逆向解析资源记录文件
[root@node-dns ~]# vi /var/named/chroot/var/named/115.168.192.zone
; Reverse zone for 192.168.115.0/24 (115.168.192.in-addr.arpa).
$TTL 1D                 ; default TTL (1 day) for records without an explicit one
; NOTE(review): increment the serial on every edit, as for the forward zone.
@ IN SOA dns.chenlei.com. root.chenlei.com. (
        0 ; serial
        1D ; refresh
        1H ; retry
        1W ; expire
        3H ) ; minimum
; Leading whitespace: owner name is inherited from the previous record (@).
; The trailing dot keeps the target absolute (no zone origin appended).
        NS dns.chenlei.com.
; Relative owner 210 -> 210.115.168.192.in-addr.arpa. Only www has a PTR,
; so every wildcard name that forward-resolves to .210 reverses to www.
210 PTR www.chenlei.com.
7、测试
[root@node-dns ~]# dig www.chenlei.com @127.0.0.1 ; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> www.chenlei.com @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19017 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.chenlei.com. IN A
;; ANSWER SECTION: www.chenlei.com. 86400 IN A 192.168.115.210 ;; AUTHORITY SECTION: chenlei.com. 86400 IN NS dns.chenlei.com. ;; ADDITIONAL SECTION: dns.chenlei.com. 86400 IN A 192.168.119.5 ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: 二 4月 24 11:56:54 CST 2018 ;; MSG SIZE rcvd: 94 [root@node-dns ~]# dig apps.chenlei.com @127.0.0.1 ; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> apps.chenlei.com @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37404 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;apps.chenlei.com. IN A
;; ANSWER SECTION: apps.chenlei.com. 86400 IN A 192.168.115.210 ;; AUTHORITY SECTION: chenlei.com. 86400 IN NS dns.chenlei.com. ;; ADDITIONAL SECTION: dns.chenlei.com. 86400 IN A 192.168.119.5 ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: 二 4月 24 11:57:30 CST 2018 ;; MSG SIZE rcvd: 95 [root@node-dns ~]# dig -x 192.168.115.210 @127.0.0.1 ; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> -x 192.168.115.210 @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21051 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;210.115.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION: 210.115.168.192.in-addr.arpa. 86400 IN PTR www.chenlei.com. ;; AUTHORITY SECTION: 115.168.192.in-addr.arpa. 86400 IN NS dns.chenlei.com. ;; ADDITIONAL SECTION: dns.chenlei.com. 86400 IN A 192.168.119.5 ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: 二 4月 24 12:12:02 CST 2018 ;; MSG SIZE rcvd: 120 ### 配置DNS服务器地址 ### [root@node-dns ~]# vi /etc/resolv.conf [root@node-dns ~]# nslookup apps.chenlei.com Server: 192.168.119.5 Address: 192.168.119.5#53 Name: apps.chenlei.com Address: 192.168.115.210 [root@node-dns ~]# nslookup 192.168.115.210 Server: 192.168.119.5 Address: 192.168.119.5#53 210.115.168.192.in-addr.arpa name = www.chenlei.com.