DNS服务器的安装配置

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了DNS服务器的安装配置相关的知识,希望对你有一定的参考价值。

一、DNS服务的安装和配置

DNS的实现为BIND(Berkerly Internat Name Domain), 后来移交给ISC维护(www.isc.org).
DNS服务的程序包名为bind, 程序名为named.
所需要的安装包如下:

  • bind
  • bind-libs
  • bind-utils
  • bind-chroot: /var/named/chroot/, 可选

1.1 bind安装

使用CentOS系统可通过yum直接安装, 也可以选择编译安装.

# yum安装
~]# yum install bind bind-libs bind-utils bind-chroot

# 编译安装请参考README

1.2 bind的配置文件

bind的服务脚本: CentOS 6(/etc/rc.d/init.d/named); CentOS 7(/usr/lib/systemd/system/named.service)
主配置文件: /etc/named.conf, /etc/named.rfc1912.zones, /etc/rndc.key
解析库文件: /var/named/ZONE_NAME.zone
NOTE:

  • rndc(remote named domain controller)默认与bind安装中哎同一主机, 且只能通过127.0.0.1来连接named进程, 提供辅助性的管理功能.
  • 一台物理服务器可同时为多个区域提供解析
  • 必须要有根区域文件
  • 应该有两个(如果包括IPv6的地址, 甚至更多)实现localhost和本地会还地址的解析库

主配置文件用于定义监听地址, 端口号、安全策略、日志和区域配置等.

# /etc/named.conf
    # 全局配置: option {};
    # 日志子系统配置: logging {};

# /etc/named.rfc1912.zones
    # 区域定义: 本机能够为哪些zone进行解析, 就要定义哪些zone
        # zone "zone_name" IN {};

NOTE: 任何服务程序如果期望能够通过网络被其他主机访问, 至少应该监听在一个能与外部主机通信的IP地址上.

1.3 bind的配置

缓存名称服务器的配置:

# 修改外部监听地址
listen-on port 53 {192.168.123.132; 127.0.0.1; };

# 关闭dnssec
dnssec-enable no;
denssec-validation no;

# 修改allow-query
allow-query { any; };

# 配置文件示例:
[[email protected] etc]# vim /etc/named.conf

options {
        listen-on port 53 { 192.168.123.132; 127.0.0.1; };
//      listen-on-v6 port 53 { ::1; }; # IPv6地址如果没有使用可以将其注释
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };

        /* 
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable 
           recursion. 
         - If your recursive DNS server has a public IP address, you MUST enable access 
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification 
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface 
        */
        recursion yes;

        dnssec-enable no;
        dnssec-validation no;

        /* Path to ISC DLV key */
//      bindkeys-file "/etc/named.iscdlv.key";

//      managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

[[email protected] yum.repos.d]# systemctl start named
[[email protected] yum.repos.d]# ss -tunl | grep ":53\b"
udp    UNCONN     0      0      192.168.123.100:53                    *:*                  
udp    UNCONN     0      0      127.0.0.1:53                    *:*                  
tcp    LISTEN     0      10     192.168.123.100:53                    *:*                  
tcp    LISTEN     0      10     127.0.0.1:53                    *:*                  

主DNS服务器正向区域配置:

# 在缓存dns服务器的基础上加zone文件
# 在/etc/named.rfc1912.zones文件中定义区域

# 示例:
[[email protected] yum.repos.d]# vim /etc/named.rfc1912.zones
zone "leistudy.com" IN {
        type master;
        file "leistudy.com.zone";
};

# 定义区域解析库文件
    # 宏定义
    # 资源记录

# 示例:
[[email protected] ~]# cd /var/named/
[[email protected] named]# ls
chroot  data  dynamic  named.ca  named.empty  named.localhost  named.loopback  slaves

[[email protected] named]# vim leistudy.com.zone
$TTL 86400
$ORIGIN leistudy.com.
@       IN      SOA     ns1.leistudy.com.       admin.leistudy.com (
                        2018032901
                        1H
                        5M
                        7D
                        1D
)

        IN      NS      ns1
        IN      NS      ns2
        IN      MX  10  mx1
        IN      MX  20  mx2
ns1     IN      A       192.168.123.100
ns2     IN      A       192.168.123.101
mx1     IN      A       192.168.123.100
mx2     IN      A       192.168.123.101
www     IN      A       192.168.123.100
web     IN      CNAME   www

# 检查zone配置文件是否有错误
[[email protected] named]# named-checkzone "leistudy.com" /var/named/leistudy.com.zone      
zone leistudy.com/IN: loaded serial 2018032901
OK

# 重新加载配置文件
[[email protected] named]# rndc reload
server reload successful

# 测试
[[email protected] named]# dig -t A www.leistudy.com @192.168.123.100

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> -t A www.leistudy.com @192.168.123.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29655
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.leistudy.com.              IN      A

;; ANSWER SECTION:
www.leistudy.com.       86400   IN      A       192.168.123.100

;; AUTHORITY SECTION:
leistudy.com.           86400   IN      NS      ns2.leistudy.com.
leistudy.com.           86400   IN      NS      ns1.leistudy.com.

;; ADDITIONAL SECTION:
ns1.leistudy.com.       86400   IN      A       192.168.123.100
ns2.leistudy.com.       86400   IN      A       192.168.123.101

;; Query time: 0 msec
;; SERVER: 192.168.123.100#53(192.168.123.100)
;; WHEN: Thu Mar 29 17:11:04 CST 2018
;; MSG SIZE  rcvd: 129

主DNS服务器反向区域配置:

# 区域名称: 网络地址反写.in-addr.arpa
192.168.123. --> 100.16.172.in-addr.arpa

# 定义区域: /etc/named.rfc1912.zones
[[email protected] ~]# vim /etc/named.rfc1912.zones
zone "123.168.192.in-addr.arpa" IN {
        type master;
        file "123.168.192.in-addr.arpa.zone";
};

# 定义反向区域解析库文件
[[email protected] ~]# vim /var/named/123.168.192.in-addr.arpa.zone
$TTL 86400
$ORIGIN 123.168.192.in-addr.arpa.
@       IN      SOA     ns1.leistudy.com.       admin.leistudy.com. (
                        2018032901
                        1H
                        5M
                        7D
                        1D
)

        IN      NS      ns1.leistudy.com.
        IN      NS      ns2.leistudy.com.
100     IN      PTR     ns1.leistudy.com.
101     IN      PTR     ns2.leistudy.com.
100     IN      PTR     mx1.leistudy.com.
101     IN      PTR     mx2.leistudy.com.
100     IN      PTR     www.leistudy.com.

# 区域解析库文件测试
[[email protected] ~]# named-checkzone "123.168.192.in-addr.arpa" /var/named/123.168.192.in-addr.arpa.zone 
zone 123.168.192.in-addr.arpa/IN: loaded serial 2018032901
OK

# 重新加载配置文件
[[email protected] ~]# rndc reload
server reload successful

# 反解测试
[[email protected] ~]# host -t PTR 192.168.123.100 192.168.123.100
Using domain server:
Name: 192.168.123.100
Address: 192.168.123.100#53
Aliases: 

100.123.168.192.in-addr.arpa domain name pointer ns1.leistudy.com.
100.123.168.192.in-addr.arpa domain name pointer www.leistudy.com.
100.123.168.192.in-addr.arpa domain name pointer mx1.leistudy.com.

[[email protected] ~]# dig -x 192.168.123.100 @192.168.123.100

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> -x 192.168.123.100 @192.168.123.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34713
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;100.123.168.192.in-addr.arpa.  IN      PTR

;; ANSWER SECTION:
100.123.168.192.in-addr.arpa. 86400 IN  PTR     www.leistudy.com.
100.123.168.192.in-addr.arpa. 86400 IN  PTR     ns1.leistudy.com.
100.123.168.192.in-addr.arpa. 86400 IN  PTR     mx1.leistudy.com.

;; AUTHORITY SECTION:
123.168.192.in-addr.arpa. 86400 IN      NS      ns2.leistudy.com.
123.168.192.in-addr.arpa. 86400 IN      NS      ns1.leistudy.com.

;; ADDITIONAL SECTION:
ns1.leistudy.com.       86400   IN      A       192.168.123.100
ns2.leistudy.com.       86400   IN      A       192.168.123.101

;; Query time: 0 msec
;; SERVER: 192.168.123.100#53(192.168.123.100)
;; WHEN: Fri Mar 30 10:06:13 CST 2018
;; MSG SIZE  rcvd: 187

主从复制:

# 1. 从服务器应该为一台独立的名称服务器
# 2. 主服务器的区域解析库文件中必须有一条NS记录指向从服务器
# 3. 从服务器只需要定义区域, 而无需提供解析库文件, 解析库文件应该放置于/var/named/slaves目录中
# 4. 主服务器得允许从服务器做区域传送
# 5. 主从无武器时间应该同步, 可同ntp进行
# 6. bind程序的版本应该保持一致, 否则应该从高主低

# 定义从区域:
[[email protected] ~]# ip add sh | grep ens33 | tail -1
    inet 192.168.123.101/24 brd 192.168.123.255 scope global ens33

[[email protected] slaves]# vim /etc/named.rfc1912.zones     
zone "leistudy.com" IN {
        type slave;
        masters { 192.168.123.100; };
        file "slaves/leistudy.com.zone";
};

zone "123.168.192.in-addr.arpa" IN {
        type slave;
        masters { 192.168.123.100; };
        file "slaves/123.168.192.in-addr.arpa.zone";
};

# 查看区域文件是否同步
[[email protected] slaves]# cd /var/named/slaves/
[[email protected] slaves]# ll
total 8
-rw-r--r--. 1 named named 416 Mar 30 10:44 123.168.192.in-addr.arpa.zone
-rw-r--r--. 1 named named 561 Mar 30 10:46 leistudy.com.zone

# 测试
[[email protected] slaves]# host -t A www.leistudy.com 192.168.123.101
Using domain server:
Name: 192.168.123.101
Address: 192.168.123.101#53
Aliases: 

www.leistudy.com has address 192.168.123.100

[[email protected] slaves]# host -t PTR 192.168.123.100 192.168.123.101  
Using domain server:
Name: 192.168.123.101
Address: 192.168.123.101#53
Aliases: 

100.123.168.192.in-addr.arpa domain name pointer ns1.leistudy.com.
100.123.168.192.in-addr.arpa domain name pointer mx1.leistudy.com.
100.123.168.192.in-addr.arpa domain name pointer www.leistudy.com.

二、rndc命令

rndc用于连接rndc服务端, rndc服务端随着named一起启动, 监听端口号为tcp的953号端口号.

[[email protected] slaves]# ss -tnl | grep ":953\b"
LISTEN     0      128    127.0.0.1:953                      *:*                  
LISTEN     0      128        ::1:953                     :::*     

# 用法: rndc COMMAND
# COMMAND:
    # reload: 重载主配置文件和区域解析库文件
    # relaod zone: 只重载区域解析库文件, 不重载主配置文件
    # retransfer zone: 手动启动区域传送过程, 而不管序列号是否增加
    # notify zone: 重新对区域传送发通知
    # reconfig: 重载主配置文件
    # querylog: 开启或关闭查询日志
    # trace: 递增debug级别
    # trace [LEVEL]: 指定使用的级别

以上是关于DNS服务器的安装配置的主要内容,如果未能解决你的问题,请参考以下文章

DNS服务器的安装配置

02-DNS的安装与简单配置

dns安装和配置

域名解析服务器DNS的安装配置

DNS 安装配置

Centos 安装DNS服务器并配置无查询结果转发功能