For BIND9, following recommendations found online, I downloaded version 9.11.18.
Download address: https://www.isc.org/bind/
First, install the development environment, including the openssl development packages (preferably from a local yum mirror). openssl itself is usually already installed, since you are logging in over ssh anyway.
yum groupinstall "Development Tools" "Server Platform Development"
1. Installation
# tar -zxvf bind-9.11.18.tar.gz
# groupadd -g 53 -r named
# useradd -u 53 -s /sbin/nologin -r named -g named
Use 53 (the DNS port number) as the ID of both the named group and the named user.
# mkdir /var/named
# chgrp named /var/named/    change the owning group to named
If you did not pass -s /sbin/nologin up front, you can fix it afterwards: usermod -s /sbin/nologin named
cd into the extracted directory
./configure --prefix=/usr/local/bind9 --sysconfdir=/etc/named --disable-ipv6 --disable-chroot --enable-threads --without-python
    --prefix=/usr/local/bind9    install into the specified directory
    --sysconfdir=/etc/named      directory for the configuration files
    --disable-ipv6               disable IPv6 (optional)
    --disable-chroot             disable chroot
    --enable-threads             build with thread support
    --without-python             add this option when the error below appears
make
make install
Error that may occur:
configure: error: Python >= 2.7 or >= 3.2 and the PLY package are required for dnssec-keymgr and other Python-based tools. PLY may be available from your OS package manager as python-ply or python3-ply; it can also be installed via pip. To build without Python/PLY, use --without-python.
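Before a source tarball is unpacked and compiled into a network-facing daemon, a practitioner checks it against the SHA-256 value ISC publishes next to the download. The script below is an added example, not part of the original post: the expected hash is a placeholder (the page does not list it), and the source directory is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): check the bind-9.11.18 tarball
# against the SHA-256 value published by ISC before it is unpacked and built.
# The hash in the usage line is a placeholder; copy the real value from the
# download page.

# verify_tarball FILE EXPECTED_SHA256
# Prints "ok" (status 0) on a match, "MISMATCH" (status 1) otherwise, and
# status 2 with nothing on stdout when the file does not exist.
verify_tarball() {
    file="$1"
    expected="$2"
    if [ ! -f "$file" ]; then
        echo "missing: $file" >&2
        return 2
    fi
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "ok"
        return 0
    fi
    echo "expected $expected" >&2
    echo "got      $actual" >&2
    echo "MISMATCH"
    return 1
}

# unpack_if_verified TARBALL EXPECTED_SHA256 DESTDIR
# Extracts only when the checksum matches, so a corrupted or tampered
# download never reaches ./configure and make.
unpack_if_verified() {
    verify_tarball "$1" "$2" > /dev/null || return 1
    mkdir -p "$3" && tar -zxf "$1" -C "$3"
}

# Usage (placeholder hash, assumed source directory):
# unpack_if_verified bind-9.11.18.tar.gz "<sha256 from isc.org>" /usr/local/src
```

Run it in the directory holding the tarball; a mismatch leaves nothing extracted and exits non-zero, so it can gate the rest of an install script.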
2. Environment variable configuration
The installation completes, but building BIND from the source package yourself leaves the following problems:
(1) no configuration file
(2) no zone files (including the hints file for the 13 root servers)
(3) no rndc configuration files
Fixing the above:
Create a file that adds the PATH entries: vim /etc/profile.d/named.sh
export PATH=/usr/local/bind9/bin:/usr/local/bind9/sbin:$PATH
Re-read the profile: . /etc/profile.d/named.sh
Create the library export file: vim /etc/ld.so.conf.d/named.conf, containing
/usr/local/bind9/lib
then regenerate the library search cache: ldconfig -v
Link the header files:
[root@test_iptables ~]# ln -sv /usr/local/bind9/include /usr/include/named
`/usr/include/named' -> `/usr/local/bind9/include'
Export the man page search path: vim /etc/man.config (vim /etc/man_db.conf on CentOS 7) and add
MANPATH /usr/local/bind9/share/man
Edit the configuration file
[root@test_iptables ~]# cd /etc/named
[root@test_iptables named]# vi named.conf
options {
        …
        directory "/var/named";
};
zone "." IN {
        type hint;
        file "named.ca";
};
zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
};
Change the owner and permissions (this step can wait until the zone files are all done):
[root@test_iptables named]# chown root:named -R /etc/named
[root@test_iptables named]# chmod 640 /etc/named/*
cd /var/named
dig -t NS . @server > named.ca
(server: the address of a DNS server on the Internet; this needs network access. You can also copy the file in or add the entries one by one.) If you do not know a DNS server address, you can also fetch the default root addresses by leaving out @server.
# With network access, pipe the result of the root NS query straight into the root hints file
[root@test_iptables named]# dig -t NS . > /var/named/named.ca
[root@test_iptables named]# ll
total 4
-rw-r--r--. 1 root root 797 May 12 10:10 named.ca
[root@test_iptables named]# cat named.ca
; <<>> DiG 9.11.18 <<>> -t NS .
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52815
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       5       IN      NS      i.root-servers.net.
.                       5       IN      NS      c.root-servers.net.
.                       5       IN      NS      l.root-servers.net.
.                       5       IN      NS      a.root-servers.net.
.                       5       IN      NS      h.root-servers.net.
.                       5       IN      NS      m.root-servers.net.
.                       5       IN      NS      j.root-servers.net.
.                       5       IN      NS      k.root-servers.net.
.                       5       IN      NS      e.root-servers.net.
.                       5       IN      NS      d.root-servers.net.
.                       5       IN      NS      f.root-servers.net.
.                       5       IN      NS      b.root-servers.net.
.                       5       IN      NS      g.root-servers.net.

;; Query time: 20 msec
;; SERVER: 192.168.56.2#53(192.168.56.2)
;; WHEN: Tue May 12 10:10:01 CST 2020
;; MSG SIZE  rcvd: 228
# Now create the zone files for the remaining zones; the root zone was configured above
# Forward zone
[root@test_iptables named]# vi localhost.zone
$TTL 1d
@          IN SOA  localhost. admin.localhost. (
                   2020051210
                   1H
                   5M
                   7D
                   1D )
           IN NS   localhost.
localhost. IN A    127.0.0.1
# Reverse zone
[root@test_iptables named]# vi named.local
$TTL 1d
@          IN SOA  localhost. admin.localhost. (
                   2020051210
                   1H
                   5M
                   7D
                   1D )
           IN NS   localhost.
1          IN PTR  localhost.
Change the owning group and permissions of the zone files:
chown root:named -R /var/named/
chmod 640 /var/named/*
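Both zone files above use the YYYYMMDDnn serial convention (2020051210). named only reloads a changed zone, and secondaries only transfer it, when the serial goes up, so a forgotten bump is the classic "my edit is invisible" failure. The script below is an added example, not from the original post: it computes the next serial for a given date (same day increments the two-digit revision, a later day restarts at 00, a serial already in the future is only incremented) and rewrites it in a zone file. The sample zone is a constructed copy of localhost.zone written to a temporary file, so nothing under /var/named is touched.

```shell
#!/bin/sh
# Added example, not from the original post: maintain a YYYYMMDDnn SOA serial
# when a zone file is edited. The sample zone and file paths are constructed
# for the example.

# next_serial CURRENT TODAY -> prints the next serial for date TODAY (YYYYMMDD)
next_serial() {
    cur="$1"
    today="$2"
    curdate=$(printf '%s' "$cur" | cut -c1-8)
    if [ "$curdate" = "$today" ]; then
        # Same day: increment the two-digit revision, refusing to wrap past 99
        n=$(printf '%s' "$cur" | cut -c9-10 | sed 's/^0*//')
        n=$(( ${n:-0} + 1 ))
        if [ "$n" -gt 99 ]; then
            echo "serial revisions exhausted for $today" >&2
            return 1
        fi
        printf '%s%02d\n' "$today" "$n"
    elif [ "$cur" -lt "${today}00" ]; then
        # Older date: start today's sequence at 00
        printf '%s00\n' "$today"
    else
        # Serial already ahead of today (clock skew or hand-edited):
        # never go backwards, just add one
        printf '%s\n' $(( cur + 1 ))
    fi
}

# bump_zone_serial FILE TODAY -> replaces the first 10-digit serial in FILE
# and prints the new value
bump_zone_serial() {
    file="$1"
    today="$2"
    cur=$(grep -oE '[0-9]{10}' "$file" | head -n 1)
    if [ -z "$cur" ]; then
        echo "no YYYYMMDDnn serial found in $file" >&2
        return 1
    fi
    new=$(next_serial "$cur" "$today") || return 1
    tmp="$file.tmp.$$"
    sed "s/$cur/$new/" "$file" > "$tmp" && mv "$tmp" "$file"
    printf '%s\n' "$new"
}

# Constructed sample zone (same content as localhost.zone above) written to
# the given path so the example runs without touching /var/named
write_sample_zone() {
    cat > "$1" <<'EOF'
$TTL 1d
@          IN SOA  localhost. admin.localhost. (
                   2020051210
                   1H
                   5M
                   7D
                   1D )
           IN NS   localhost.
localhost. IN A    127.0.0.1
EOF
}

# Usage on the real file:
#   bump_zone_serial /var/named/localhost.zone "$(date +%Y%m%d)"
#   named-checkzone localhost /var/named/localhost.zone && rndc reload localhost
```

After bumping, run named-checkzone on the file (and named-checkconf on named.conf) before reloading; both tools are installed with BIND and catch the syntax slips that otherwise only show up in the named log.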
Generate the rndc configuration file
[root@test_iptables named]# rndc-confgen -r /dev/urandom > /etc/named/rndc.conf
[root@test_iptables named]# ll
total 12
-rw-r-----. 1 root named 1859 May 12 09:08 bind.keys
-rw-r-----. 1 root named  335 May 12 10:29 named.conf
-rw-r--r--. 1 root root   479 May 12 10:37 rndc.conf
[root@test_iptables named]# cat rndc.conf
# Start of rndc.conf
key "rndc-key" {
        algorithm hmac-md5;
        secret "gVaS8XiuZQncnBMiQINYIQ==";
};

options {
        default-key "rndc-key";
        default-server 127.0.0.1;
        default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#         algorithm hmac-md5;
#         secret "gVaS8XiuZQncnBMiQINYIQ==";
# };
#
# controls {
#         inet 127.0.0.1 port 953
#                 allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
Once generated, the commented-out section at the end still has to be added to /etc/named/named.conf with the comment markers removed.
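The copy-and-uncomment step above can be scripted, which also gives a chance to fix two things visible in the listing: rndc.conf came out 644 root:root, so any local account could read the control-channel secret, and the key uses hmac-md5 where rndc-confgen accepts -A hmac-sha256. The script below is an added example, not from the original post: it pulls the key and controls stanza out of an rndc.conf, writes it to a separate file with 640 permissions, and prints the include line for named.conf. The sample rndc.conf and its secret are constructed placeholders, not the key from the listing (a secret that has been published should be regenerated, not reused).

```shell
#!/bin/sh
# Added example, not from the original post: turn the commented-out block at
# the end of rndc.conf into a real key/controls stanza in its own file, kept
# readable by root and the named group only. The sample rndc.conf, its secret
# and all paths are constructed for the example.

# extract_control_stanza < rndc.conf
# Prints the lines between "# Use with the following in named.conf" and
# "# End of named.conf" with the leading "# " stripped.
extract_control_stanza() {
    awk '
        /^# Use with the following in named.conf/ { on = 1; next }
        /^# End of named.conf/                      { on = 0 }
        on { sub(/^# ?/, ""); print }
    '
}

# install_control_stanza SRC DEST
# Writes the stanza found in SRC (an rndc.conf) to DEST and prints the
# include line to append to named.conf.
install_control_stanza() {
    src="$1"
    dest="$2"
    umask 077
    extract_control_stanza < "$src" > "$dest" || return 1
    if ! grep -q '^key "' "$dest"; then
        echo "no key stanza found in $src" >&2
        return 1
    fi
    chmod 640 "$dest"
    # Owner change needs root; skipped when run unprivileged
    if [ "$(id -u)" -eq 0 ]; then
        chown root:named "$dest"
    fi
    printf 'include "%s";\n' "$dest"
}

# Constructed rndc.conf in the shape rndc-confgen produces (placeholder secret)
write_sample_rndc_conf() {
    cat > "$1" <<'EOF'
# Start of rndc.conf
key "rndc-key" {
        algorithm hmac-sha256;
        secret "PLACEHOLDER-SECRET-NOT-REAL=";
};

options {
        default-key "rndc-key";
        default-server 127.0.0.1;
        default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#         algorithm hmac-sha256;
#         secret "PLACEHOLDER-SECRET-NOT-REAL=";
# };
#
# controls {
#         inet 127.0.0.1 port 953
#                 allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
EOF
}

# Real run, as root (paths assumed):
#   rndc-confgen -A hmac-sha256 > /etc/named/rndc.conf
#   chmod 640 /etc/named/rndc.conf && chown root:named /etc/named/rndc.conf
#   install_control_stanza /etc/named/rndc.conf /etc/named/rndc.key >> /etc/named/named.conf
#   named-checkconf /etc/named/named.conf
```

Keeping the stanza in its own file means named.conf itself can stay free of secrets, and named-checkconf validates the include just as it would inline text.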
[root@test_iptables named]# cat /etc/named/named.conf
options {
directory "/var/named";
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};
key "rndc-key" {
algorithm hmac-md5;
secret "gVaS8XiuZQncnBMiQINYIQ==";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
Test
[root@centfils named]# named -u named -f -g -d 3
# -u  run as the named user
# -f  run in the foreground
# -g  show standard error output
# -d  set the debug level
[root@test_iptables ~]# ss -tunl | grep 53
udp    UNCONN     0      0      192.168.56.147:53     *:*
udp    UNCONN     0      0      127.0.0.1:53          *:*
udp    UNCONN     0      0      :::53                 :::*
tcp    LISTEN     0      10     192.168.56.147:53     *:*
tcp    LISTEN     0      10     127.0.0.1:53          *:*
tcp    LISTEN     0      10     :::53                 :::*
tcp    LISTEN     0      128    127.0.0.1:953         *:*
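The ss listing shows named answering on 192.168.56.147 and on the IPv6 wildcard as well as on loopback, because the options {} block so far only sets directory; with the default allow-query and recursion settings that makes the server a resolver for whoever can reach that interface. The script below is an added example, not from the original post: it parses ss -tunl output and flags every port 53 or 953 socket not bound to loopback, and it prints an options stanza that narrows listening, querying and recursion to intended addresses. The sample listing is constructed from the output above; the client range 192.168.56.0/24 in the stanza is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: audit which addresses named is
# listening on, and show an options {} block that restricts them. The sample
# ss output is constructed from the listing above; the client network in the
# stanza is assumed.

# audit_listeners < "ss -tunl output"
# Prints "<proto> <local-address:port>" for each DNS (53) or rndc control (953)
# socket bound to anything other than loopback. Handles both the old ":::53"
# and the newer "[::]:53" rendering of the IPv6 wildcard, and "*:53"/"0.0.0.0:53".
audit_listeners() {
    awk '
        $5 ~ /:(53|953)$/ {
            addr = $5
            sub(/:[0-9]+$/, "", addr)
            if (addr != "127.0.0.1" && addr != "[::1]" && addr != "::1")
                print $1, $5
        }
    '
}

# count_exposed < "ss -tunl output" -> number of flagged sockets
count_exposed() {
    audit_listeners | awk 'END { print NR }'
}

# Constructed sample: the listing from the test step above, one socket per line
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0      192.168.56.147:53   *:*
udp   UNCONN 0      0      127.0.0.1:53        *:*
udp   UNCONN 0      0      :::53               :::*
tcp   LISTEN 0      10     192.168.56.147:53   *:*
tcp   LISTEN 0      10     127.0.0.1:53        *:*
tcp   LISTEN 0      10     :::53               :::*
tcp   LISTEN 0      128    127.0.0.1:953       *:*'

# restricted_options_stanza -> an options {} block that binds only the
# addresses meant to serve clients, answers and recurses only for those
# clients, refuses zone transfers and hides the version string.
# 192.168.56.0/24 is an assumed client range.
restricted_options_stanza() {
    cat <<'EOF'
options {
        directory "/var/named";
        listen-on { 127.0.0.1; 192.168.56.147; };
        listen-on-v6 { none; };
        allow-query { localhost; 192.168.56.0/24; };
        allow-recursion { localhost; 192.168.56.0/24; };
        allow-transfer { none; };
        version "none";
};
EOF
}

# Live check on the running host:
#   ss -tunl | audit_listeners
#   ss -tunl | count_exposed
```

Run ss -tunl | audit_listeners after each named.conf change: the expected result for a resolver meant only for the local subnet is a short list containing just the addresses you put in listen-on, and nothing on 953 other than 127.0.0.1.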