Terminology:
FQDN (Fully Qualified Domain Name): the complete host name, including every label up to the root
Forward resolution: the process of looking up an IP address from a host name
Reverse resolution: the process of resolving an IP address back to a host name
Zone: the set of records for one domain
SOA (Start of Authority): the record that opens a zone's authoritative data
NS (NameServer): name server record
A (Address): address record (host name to IPv4 address)
The whole path of a domain-name lookup, from the root servers down, can be viewed with the dig +trace command.
A DNS query is first sent over UDP port 53; if that first attempt fails, the query is repeated over TCP port 53, so the firewall must open port 53 for both protocols.
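The forward and reverse lookups and the UDP-then-TCP behaviour described above, as an added worked example in Python that is not part of the original post: it builds a wire-format query, derives the in-addr.arpa owner name for a reverse lookup, parses a constructed reply for www.eye.com (the bytes are constructed here, not captured traffic) and, in resolve(), retries over TCP only when a UDP reply carries the TC (truncated) bit. The server address handed to resolve() and the transaction id are assumptions.

```python
import socket
import struct

QTYPE_A, QTYPE_PTR = 1, 12
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def reverse_name(ipv4):
    """Owner name queried for a reverse lookup: octets reversed under in-addr.arpa."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa."


def build_query(qname, qtype, txid=0x1234):
    """12-byte header with RD set (ask the server to recurse) plus one question."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def decode_name(msg, offset):
    """Decode a name that may use compression pointers; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)


def parse_answers(msg):
    """Return (owner, type, rdata as text) for every answer RR; A and PTR are decoded."""
    hdr, offset = parse_header(msg), 12
    for _ in range(hdr["qdcount"]):                    # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(hdr["ancount"]):
        owner, offset = decode_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_A:
            text = ".".join(str(b) for b in msg[offset:offset + 4])
        elif rtype == QTYPE_PTR:
            text, _ = decode_name(msg, offset)
        else:
            text = msg[offset:offset + rdlen].hex()
        answers.append((owner, rtype, text))
        offset += rdlen
    return answers


def needs_tcp_retry(response):
    """A UDP reply the server had to cut short comes back with TC=1; that is the signal to retry over TCP."""
    return parse_header(response)["tc"]


def tcp_frame(msg):
    """Over TCP every DNS message is prefixed with its 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


def constructed_a_response(truncated=False):
    """Constructed sample reply (not captured): www.eye.com. A 192.168.111.111 from an authoritative server."""
    flags = FLAG_QR | FLAG_AA | FLAG_RD | FLAG_RA | (FLAG_TC if truncated else 0)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)
    question = encode_name("www.eye.com.") + struct.pack("!HH", QTYPE_A, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, 1, 86400, 4) + bytes([192, 168, 111, 111])
    return header + question + answer


def resolve(server, qname, qtype=QTYPE_A, timeout=2.0):
    """Live lookup against a server (assumed reachable): UDP first, TCP only if the reply is truncated."""
    query = build_query(qname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        reply, _ = udp.recvfrom(4096)
    if needs_tcp_retry(reply):
        with socket.create_connection((server, 53), timeout=timeout) as tcp:
            tcp.sendall(tcp_frame(query))
            length = struct.unpack("!H", tcp.recv(2))[0]
            reply = b""
            while len(reply) < length:
                reply += tcp.recv(length - len(reply))
    return parse_answers(reply)


if __name__ == "__main__":
    print(reverse_name("192.168.111.111"))
    print(parse_answers(constructed_a_response()))
    # print(resolve("192.168.111.111", "www.eye.com."))  # against the server built on this page
```

resolve() shows why the firewall step at the end of the page opens both protocols: the retry path is only taken when the UDP answer was truncated, but when it is taken, TCP 53 has to be reachable or the client never gets the full answer.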
Step 1: download the latest BIND
wget https://www.isc.org/downloads/file/bind-9-11-0/?version=tar-gz --no-check-certificate -O bind-9.11.0.tar.gz   # -O gives the download the file name the next step expects
Step 2: install the build environment: gcc, perl, openssl, openssl-devel
yum install -y gcc perl openssl openssl-devel
Step 3: extract into the /opt/tmp directory
mkdir -p /opt/tmp
tar -zxvf bind-9.11.0.tar.gz -C /opt/tmp
Step 4: build and install
cd /opt/tmp/bind-9.11.0
./configure --prefix=/opt/soft/named --enable-threads --enable-largefile --disable-ipv6 && make && make install
(1) Add the bind user and group (named will drop to this unprivileged account after binding port 53)
groupadd bind
useradd -g bind -d /opt/soft/named -s /sbin/nologin bind
Step 5: create the configuration files
cd /opt/soft/named/
sbin/rndc-confgen > etc/rndc.conf   # generate the key file used by the rndc control command
# If the key cannot be generated, the workaround is to create a random file by hand and point rndc-confgen at it
vi /opt/soft/random
asdkfjalsjdflajsldfjlasjdflajsldfjalsjdflajslfjalsjflasjfl
sbin/rndc-confgen -r /opt/soft/random > etc/rndc.conf
# Extract the key block that named.conf needs from rndc.conf
tail -10 etc/rndc.conf | head -9 | sed 's/# //g' > etc/named.conf
Step 6: add the following configuration to named.conf
vi /opt/soft/named/etc/named.conf

options {
    listen-on port 53 { any; };
    directory "/opt/soft/named/var";
    pid-file "named.pid";
    allow-query { any; };
    // keep the dump and statistics files under the install prefix so named can actually write them
    dump-file "/opt/soft/named/var/cache_dump.db";
    statistics-file "/opt/soft/named/var/named_stats.txt";
    forwarders { 202.96.209.5; 114.114.114.114; };
    recursion yes;
    // allow-query { any; } together with recursion yes makes this an open resolver for every
    // network that can reach port 53; limit recursion to your own ranges with allow-recursion
};

zone "." IN {
    type hint;
    file "named.root";
};

zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "localhost.rev";
    allow-update { none; };
};

zone "eye.com" IN {
    type master;
    file "eye.com.zone";
    allow-update { none; };
};

// the reverse zone must sit under in-addr.arpa (not in-add.arpa), otherwise PTR queries never reach it
zone "111.168.192.in-addr.arpa" IN {
    type master;
    file "111.168.192.in-addr.arpa";
    allow-update { none; };
};
Step 7: create the zone files in the zone directory
cd /opt/soft/named/var
(1) Create the named.root file
wget ftp://ftp.rs.internic.net/domain/named.root
# or generate it yourself:
dig @a.root-servers.net . ns > named.root
(2) Create the localhost.zone file
$TTL 86400
$ORIGIN localhost.
@  1D  IN  SOA  @ root (
        42      ; serial (d. adams)
        3H      ; refresh
        15M     ; retry
        1W      ; expiry
        1D )    ; minimum
   1D  IN  NS   @
   1D  IN  A    127.0.0.1
(3) Create the localhost.rev file
$TTL 86400
@  IN  SOA  localhost. root.localhost. (
        1         ; serial
        3600      ; refresh every hour
        900       ; retry every 15 minutes
        3600000   ; expire 1000 hours
        3600 )    ; minimum 1 hour
   IN  NS   localhost.
1  IN  PTR  localhost.
(4) Create the eye.com.zone file
$TTL 86400
@  IN  SOA  dns.eye.com. root.eye.com. (   ; root.eye.com. = mailbox of the zone admin; the trailing dot keeps it absolute
        2        ; serial
        28800    ; refresh
        7200     ; retry
        604800   ; expire
        86400 )  ; ttl
            IN  NS  dns.eye.com.
            IN  A   192.168.111.111
www         IN  A   192.168.111.111
ntp         IN  A   192.168.132.191
waffle      IN  A   192.168.132.199
nfs         IN  A   192.168.111.206
ftp.nas     IN  A   192.168.111.207
mongotest   IN  A   192.168.111.113
mongo1      IN  A   192.168.132.190
mongo2      IN  A   192.168.132.189
mongo3      IN  A   192.168.132.188
openldap-a  IN  A   192.168.132.191
dns         IN  A   192.168.111.111
(5) Create the 111.168.192.in-addr.arpa file
$TTL 86400
@  IN  SOA  dns.eye.com. root.eye.com. (
        1997022700  ; Serial
        28800       ; Refresh
        14400       ; Retry
        3600000     ; Expire
        86400 )     ; Minimum
@    IN  NS   dns.eye.com.
; owner names here are the last octet of a 192.168.111.x address; the hosts on
; 192.168.132.0/24 (ntp, waffle, mongo1-3, openldap-a) need their PTRs in a
; 132.168.192.in-addr.arpa zone, the entries below answer for 192.168.111.x
111  IN  PTR  www.eye.com.
191  IN  PTR  ntp.eye.com.
199  IN  PTR  waffle.eye.com.
206  IN  PTR  nfs.eye.com.
207  IN  PTR  ftp.nas.eye.com.
113  IN  PTR  mongotest.eye.com.
190  IN  PTR  mongo1.eye.com.
189  IN  PTR  mongo2.eye.com.
188  IN  PTR  mongo3.eye.com.
191  IN  PTR  openldap-a.eye.com.
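A consistency check over forward and reverse zone files like the ones in (4) and (5), as an added example in Python that is not part of the original post and not a BIND tool: it parses the master-file syntax used above ($TTL, $ORIGIN, parenthesised SOA, blank-owner continuation), pairs every A record with the PTR that should answer for it, and reports addresses that fall outside the network the reverse zone covers. The two zone texts embedded below are constructed subsets of the page's files; the host on 192.168.132.0/24 whose PTR was placed under 111.168.192.in-addr.arpa shows up as two findings.

```python
import ipaddress
import re

# Constructed subsets of the zone files from steps (4) and (5); not the files themselves.
FORWARD_ZONE = """\
$TTL 86400
@ IN SOA dns.eye.com. root.eye.com. (
        2        ; serial
        28800    ; refresh
        7200     ; retry
        604800   ; expire
        86400 )  ; ttl
   IN NS dns.eye.com.
   IN A  192.168.111.111
www  IN A 192.168.111.111
ntp  IN A 192.168.132.191
nfs  IN A 192.168.111.206
dns  IN A 192.168.111.111
"""

REVERSE_ZONE = """\
$TTL 86400
@ IN SOA dns.eye.com. root.eye.com. (
        1997022700 ; Serial
        28800      ; Refresh
        14400      ; Retry
        3600000    ; Expire
        86400 )    ; Minimum
@   IN NS  dns.eye.com.
111 IN PTR www.eye.com.
191 IN PTR ntp.eye.com.
206 IN PTR nfs.eye.com.
"""

TTL_RE = re.compile(r"\d+[smhdw]?", re.IGNORECASE)


def qualify(name, origin):
    """Turn a zone-file owner or target into a fully qualified name using $ORIGIN rules."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Minimal master-file parser: strips ';' comments, joins '( ... )' continuations,
    honours $ORIGIN, blank-owner continuation and the optional TTL/class fields."""
    origin = origin if origin.endswith(".") else origin + "."
    records, last_owner, pending, depth = [], origin, [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        pending.append(line)
        depth += line.count("(") - line.count(")")
        if depth > 0:                         # still inside parentheses
            continue
        joined, pending = " ".join(pending), []
        tokens = joined.replace("(", " ").replace(")", " ").split()
        if tokens[0] == "$TTL":
            continue
        if tokens[0] == "$ORIGIN":
            origin = qualify(tokens[1], origin)
            continue
        owner = last_owner if joined[0] in " \t" else qualify(tokens.pop(0), origin)
        while tokens and (TTL_RE.fullmatch(tokens[0]) or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)                     # optional TTL and class
        records.append((owner, tokens[0].upper(), tokens[1:]))
        last_owner = owner
    return records


def arpa_to_ip(name):
    """111.111.168.192.in-addr.arpa. -> 192.168.111.111"""
    octets = re.sub(r"\.in-addr\.arpa\.?$", "", name).split(".")
    return ".".join(reversed(octets))


def arpa_to_network(origin):
    """111.168.192.in-addr.arpa. -> 192.168.111.0/24 (eight prefix bits per octet given)."""
    octets = re.sub(r"\.in-addr\.arpa\.?$", "", origin).split(".")
    base = list(reversed(octets)) + ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(base) + f"/{8 * len(octets)}")


def check_zones(forward_text, forward_origin, reverse_text, reverse_origin):
    """Report A records without a PTR, PTRs without an A, and A records whose address
    lies outside the network the reverse zone covers (no PTR in it can ever match)."""
    a_records = {(o, rd[0]) for o, t, rd in parse_zone(forward_text, forward_origin) if t == "A"}
    ptr_records = {(arpa_to_ip(o), rd[0]) for o, t, rd in parse_zone(reverse_text, reverse_origin) if t == "PTR"}
    network = arpa_to_network(reverse_origin)
    findings = []
    for name, ip in sorted(a_records):
        if ipaddress.ip_address(ip) not in network:
            findings.append(f"{name} A {ip}: outside {network}, PTR must live in another reverse zone")
        elif (ip, name) not in ptr_records:
            findings.append(f"{name} A {ip}: no PTR for this name")
    for ip, name in sorted(ptr_records):
        if (name, ip) not in a_records:
            findings.append(f"{ip} PTR {name}: no matching A record")
    return findings


if __name__ == "__main__":
    for finding in check_zones(FORWARD_ZONE, "eye.com.", REVERSE_ZONE, "111.168.192.in-addr.arpa."):
        print(finding)
```

Run it against the real files by reading them from /opt/soft/named/var instead of the embedded strings; named-checkzone (installed with BIND) validates each file's syntax, but it does not cross-check forward against reverse, which is what this script adds.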
Step 8: start the program with debug output (-g logs to the terminal); if it reports running, the start succeeded
/opt/soft/named/sbin/named -gc /opt/soft/named/etc/named.conf -u bind &
Step 9: check the status
/opt/soft/named/sbin/rndc status
# After changing the configuration, the following command reloads it
/opt/soft/named/sbin/rndc reload
Step 10: point the host's network interface at the new server
vi /etc/sysconfig/network-scripts/ifcfg-eth0
DNS1=192.168.111.111
DNS2=202.96.209.5
Step 11: configure start on boot with a startup script
vi /etc/rc.d/init.d/named

#!/bin/bash
# named - a network name service.
# chkconfig: 345 35 75
# description: a name server

if [ `id -u` -ne 0 ]; then
    echo "ERROR: to bind to port 53, named must be started as root."
    exit 1
fi

case "$1" in
start)
    if [ -x /opt/soft/named/sbin/named ]; then
        /opt/soft/named/sbin/named -c /opt/soft/named/etc/named.conf -u bind && echo . && echo 'BIND9 server started'
    fi
    ;;
stop)
    kill `cat /opt/soft/named/var/named.pid` && echo . && echo 'BIND9 server stopped'
    ;;
restart)
    echo .
    echo "Restart BIND9 server"
    $0 stop
    sleep 10
    $0 start
    ;;
reload)
    /opt/soft/named/sbin/rndc reload
    ;;
status)
    /opt/soft/named/sbin/rndc status
    ;;
*)
    echo "$0 start | stop | restart | reload | status"
    ;;
esac

(2) Set the permissions and add the script as a service
chmod 755 /etc/rc.d/init.d/named
chkconfig --add named
service named start
Step 12: test
dig @127.0.0.1 dns.eye.com
Step 13: configure the firewall (both UDP and TCP, see the note on the query path above)
iptables -A INPUT -p udp -s 0/0 --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 53 -j ACCEPT