BIND (Berkeley Internet Name Domain) is the world's most widely used, most secure and most efficient domain name resolution service program.
1. Install the bind domain name resolution service:
[root@PC1 ~]# yum install bind-chroot   ## use chroot (commonly called the "jail" mechanism) for better isolation
Loaded plugins: langpacks, product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Resolving Dependencies
--> Running transaction check
---> Package bind-chroot.x86_64 32:9.9.4-14.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package            Arch         Version                 Repository     Size
================================================================================
Installing:
 bind-chroot        x86_64       32:9.9.4-14.el7         rhel7          81 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 81 k
Installed size: 3.1 k
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : 32:bind-chroot-9.9.4-14.el7.x86_64                           1/1
  Verifying  : 32:bind-chroot-9.9.4-14.el7.x86_64                           1/1

Installed:
  bind-chroot.x86_64 32:9.9.4-14.el7

Complete!
2. Three important configuration files:
Main configuration file: /etc/named.conf, defines how the bind service runs
Zone configuration file: /etc/named.rfc1912.zones, works like a library's catalogue: it records where the files holding the domain-name-to-IP mappings are located
Data configuration file directory: /var/named/, the directory that holds the files mapping domain names to IP addresses
3. Edit the main configuration file so that basic service works
vim /etc/named.conf   ## edit line 11 and line 17
 1 //
 2 // named.conf
 3 //
 4 // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
 5 // server as a caching only nameserver (as a localhost DNS resolver only).
 6 //
 7 // See /usr/share/doc/bind*/sample/ for example named configuration files.
 8 //
 9
10 options {
11         listen-on port 53 { any; };   ## changed to any: every IP address on the server provides DNS resolution
12         listen-on-v6 port 53 { ::1; };
13         directory       "/var/named";
14         dump-file       "/var/named/data/cache_dump.db";
15         statistics-file "/var/named/data/named_stats.txt";
16         memstatistics-file "/var/named/data/named_mem_stats.txt";
17         allow-query     { any; };   ## also changed to any: anyone is allowed to send DNS queries to this server
18
19         /*
20          - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
21          - If you are building a RECURSIVE (caching) DNS server, you need to enable
22            recursion.
23          - If your recursive DNS server has a public IP address, you MUST enable access
24            control to limit queries to your legitimate users. Failing to do so will
25            cause your server to become part of large scale DNS amplification
26            attacks. Implementing BCP38 within your network would greatly
27            reduce such attack surface
28         */
29         recursion yes;
………………
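Taken together, line 17 (allow-query { any; }) and line 29 (recursion yes;) with no allow-recursion statement leave this server answering recursive queries for anyone, which is exactly the open-resolver case the comment block in the file warns about. The script below is an added example, not code from the original page or from the BIND project: it reads an options block, applies BIND 9's documented fallback chain (allow-recursion, then allow-query-cache, then allow-query, then the built-in localnets/localhost default) and reports whether recursion is open. Both sample configs are constructed; the "trusted" ACL name and the 192.168.10.0/24 network in the second one are assumed values.

```python
import re

# Constructed sample 1: the options block from the page after the edits to
# line 11 (listen-on any) and line 17 (allow-query any); recursion stays yes.
OPEN_RESOLVER_CONF = """
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        allow-query     { any; };   ## anyone may query
        recursion yes;
};
"""

# Constructed sample 2 (assumed values, not from the page): the same options
# plus an ACL that limits recursion to an internal network.
HARDENED_CONF = """
acl "trusted" { 192.168.10.0/24; localhost; localnets; };  // assumed LAN
options {
        listen-on port 53 { any; };
        directory       "/var/named";
        allow-query     { any; };       // authoritative answers for everyone
        allow-recursion { trusted; };   // recursive lookups only for the LAN
        recursion yes;
};
"""


def strip_comments(text):
    """Remove the three named.conf comment styles: /* */, //, and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def options_block(text):
    """Return the body of the top-level options { ... } block, or '' if absent."""
    m = re.search(r"(?<![\w-])options\s*\{", text)
    if not m:
        return ""
    start, depth = m.end(), 1
    for j in range(start, len(text)):
        if text[j] == "{":
            depth += 1
        elif text[j] == "}":
            depth -= 1
            if depth == 0:
                return text[start:j]
    return text[start:]


def acl_of(block, name):
    """Return the address-match list of `name { ...; };` as a list, or None if unset."""
    m = re.search(r"(?<![\w-])%s\s*\{([^}]*)\}" % re.escape(name), block)
    if not m:
        return None
    return [t.strip() for t in m.group(1).split(";") if t.strip()]


def is_open_resolver(conf):
    """True when the config answers recursive queries from any address."""
    opts = options_block(strip_comments(conf))
    m = re.search(r"(?<![\w-])recursion\s+(yes|no)\s*;", opts)
    if m and m.group(1) == "no":
        return False            # authoritative-only server: no recursion at all
    # BIND 9 fallback chain: allow-recursion -> allow-query-cache -> allow-query
    # -> built-in default { localnets; localhost; } (never "any").
    for name in ("allow-recursion", "allow-query-cache", "allow-query"):
        acl = acl_of(opts, name)
        if acl is not None:
            return "any" in acl
    return False


if __name__ == "__main__":
    for label, conf in (("page config", OPEN_RESOLVER_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: open resolver = {is_open_resolver(conf)}")
```

Run it against a copy of /etc/named.conf to see which of the three allow-* statements actually governs recursion on a given server; the point of the hardened sample is that allow-query can stay at any for authoritative data while allow-recursion limits who may use the cache.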
