ISC BIND: https://www.linuxfromscratch.org/blfs/view/svn/server/bind.html
Blog: https://www.root101.net/how-to-build-bind
rndc tool: https://tecadmin.net/configure-rndc-for-bind9/
Configuration reference: https://www.cyberpunk.rs/bind-compile-and-setup-with-dnstap-v9-1x
User manual: https://bind9.readthedocs.io/en/latest/reference.html?highlight=secondary#options
Preface:
These notes cover compiling and installing BIND on a CentOS 7 minimal install.
1. Resolve dependencies
mkdir /bind_source
yum install --downloadonly --downloaddir=/bind_source/ wget gcc gcc-c++ automake pcre pcre-devel zlib zlib-devel openssl openssl-devel libuv
yum install --downloadonly --downloaddir=/bind_source/ audit-libs-python bind-libs checkpolicy libcgroup libsemanage-python policycoreutils-python python-IPy python-ply setools-libs
yum install -y epel-release
yum install --downloadonly --downloaddir=/bind_source/ libuv libuv-devel libcap-devel
cd /bind_source/
rpm -ivh *.rpm --force
2. Compile and install, everything under a single directory
./configure --prefix=/opt/dns \
    --disable-static \
    --with-openssl
# optional paths, not used in this build:
#   --sysconfdir=/etc \
#   --localstatedir=/var \
#   --mandir=/usr/share/man \
#   --with-libtool \
make && make install

[root@localhost ]# cat /etc/profile.d/bind9.sh
BIND_BIN=/opt/dns/bin
BIND_SBIN=/opt/dns/sbin
PATH=$PATH:$BIND_BIN:$BIND_SBIN
export PATH
[root@localhost ]# source /etc/profile.d/bind9.sh
3. Create the user. Under /opt/dns/etc there is a named directory that should hold the zone files; slave holds secondary zone files and pz holds reverse zone files.
groupadd -g 20 named &&
useradd -c "BIND Owner" -g named -s /bin/false -u 20 named &&
install -d -m770 -o named -g named /opt/dns
cd /opt/dns/
mkdir -p dev etc/named/{slave,pz}
4. Configure rndc
[root@localhost /]# cd /opt/dns
[root@localhost /]# rndc-confgen >> rndc.conf
[root@localhost /]# ls
[root@localhost /]# cat rndc.conf
# Start of rndc.conf
key "rndc-key" {
    algorithm hmac-sha256;
    secret "ifgn0ZDNI8FN1NVqgGIx8+UFza/DoIQLvPds0vELH4E=";
};

options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#     algorithm hmac-sha256;
#     secret "ifgn0ZDNI8FN1NVqgGIx8+UFza/DoIQLvPds0vELH4E=";
# };
#
# controls {
#     inet 127.0.0.1 port 953
#         allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
[root@localhost /]#
5. There is no named.conf by default. Note that the directories here are the post-chroot ones, i.e. directories under /opt/dns/.
cat >> /opt/dns/etc/named.conf << "EOF"
options {
    directory "/etc/named";
    pid-file "/var/run/named.pid";
    statistics-file "/var/run/named.stats";
};

zone "." {
    type hint;
    file "root.hints";
};

zone "0.0.127.in-addr.arpa" {
    type master;
    file "pz/127.0.0";
};

// Bind 9 now logs by default through syslog (except debug).
// These are the default logging rules.

logging {
    category default { default_syslog; default_debug; };
    category unmatched { null; };

    channel default_syslog {
        syslog daemon;      // send to syslog's daemon facility
        severity info;      // only send priority info and higher
    };

    channel default_debug {
        file "named.run";   // write to named.run in the working directory
                            // Note: stderr is used instead of "named.run"
                            // if the server is started with the '-f' option.
        severity dynamic;   // log at the server's current debug level
    };

    channel default_stderr {
        stderr;             // writes to stderr
        severity info;      // only send priority info and higher
    };

    channel null {
        null;               // toss anything sent to this channel
    };
};
EOF
6. Create the localhost reverse zone
cat > /opt/dns/etc/named/pz/127.0.0 << "EOF"
$TTL 3D
@       IN      SOA     ns.local.domain. hostmaster.local.domain. (
                        1       ; Serial
                        8H      ; Refresh
                        2H      ; Retry
                        4W      ; Expire
                        1D)     ; Minimum TTL
                NS      ns.local.domain.
1               PTR     localhost.
EOF
7. Create the root.hints file. Every DNS server needs this file: when no forwarder is configured, the server recurses to these root servers by default.
cat > /opt/dns/etc/named/root.hints << "EOF"
.                       6D  IN  NS    A.ROOT-SERVERS.NET.
.                       6D  IN  NS    B.ROOT-SERVERS.NET.
.                       6D  IN  NS    C.ROOT-SERVERS.NET.
.                       6D  IN  NS    D.ROOT-SERVERS.NET.
.                       6D  IN  NS    E.ROOT-SERVERS.NET.
.                       6D  IN  NS    F.ROOT-SERVERS.NET.
.                       6D  IN  NS    G.ROOT-SERVERS.NET.
.                       6D  IN  NS    H.ROOT-SERVERS.NET.
.                       6D  IN  NS    I.ROOT-SERVERS.NET.
.                       6D  IN  NS    J.ROOT-SERVERS.NET.
.                       6D  IN  NS    K.ROOT-SERVERS.NET.
.                       6D  IN  NS    L.ROOT-SERVERS.NET.
.                       6D  IN  NS    M.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.     6D  IN  A     198.41.0.4
A.ROOT-SERVERS.NET.     6D  IN  AAAA  2001:503:ba3e::2:30
B.ROOT-SERVERS.NET.     6D  IN  A     192.228.79.201
B.ROOT-SERVERS.NET.     6D  IN  AAAA  2001:500:200::b
C.ROOT-SERVERS.NET.     6D  IN  A     192.33.4.12
C.ROOT-SERVERS.NET.     6D  IN  AAAA  2001:500:2::c
D.ROOT-SERVERS.NET.     6D  IN  A     199.7.91.13
D.ROOT-SERVERS.NET.     6D  IN  AAAA  2001:500:2d::d
E.ROOT-SERVERS.NET.     6D  IN  A     192.203.230.10
E.ROOT-SERVERS.NET.     6D  IN  AAAA  2001:500:a8::e
F.ROOT-SERVERS.NET.     6D  IN  A     192.5.5.241
F.ROOT-SERVERS.NET.     6D  IN  AAAA  2001:500:2f::f
G.ROOT-SERVERS.NET.     6D  IN  A     192.112.36.4
G.ROOT-SERVERS.NET.     6D  IN  AAAA  2001:500:12::d0d
H.ROOT-SERVERS.NET.     6D  IN  A     198.97.190.53
H.ROOT-SERVERS.NET.     6D  IN  AAAA  2001:500:1::53
I.ROOT-SERVERS.NET.     6D  IN  A     192.36.148.17
I.ROOT-SERVERS.NET.     6D  IN  AAAA  2001:7fe::53
J.ROOT-SERVERS.NET.     6D  IN  A     192.58.128.30
J.ROOT-SERVERS.NET.     6D  IN  AAAA  2001:503:c27::2:30
K.ROOT-SERVERS.NET.     6D  IN  A     193.0.14.129
K.ROOT-SERVERS.NET.     6D  IN  AAAA  2001:7fd::1
L.ROOT-SERVERS.NET.     6D  IN  A     199.7.83.42
L.ROOT-SERVERS.NET.     6D  IN  AAAA  2001:500:9f::42
M.ROOT-SERVERS.NET.     6D  IN  A     202.12.27.33
M.ROOT-SERVERS.NET.     6D  IN  AAAA  2001:dc3::35
EOF
8. Add the key block from rndc.conf to named.conf, making sure the key is identical in both files.
The key in rndc.conf:
key "rndc-key" {
    algorithm hmac-sha256;
    secret "nk3U0+86Joa8SCty/AWQp1Oy0HF+odOmNyhFSKkmcTg=";
};

The matching block in named.conf:
# Start of rndc.conf
key "rndc-key" {
    algorithm hmac-sha256;
    secret "nk3U0+86Joa8SCty/AWQp1Oy0HF+odOmNyhFSKkmcTg=";
};

controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};
# End of named.conf
9. Add a systemd service
[root@localhost etc]# cat /usr/lib/systemd/system/named.service
[Unit]
Description=Berkeley Internet Name Domain (DNS)
After=network.target

[Service]
Type=forking
ExecStart=/opt/dns/sbin/named -4 -u named -c /opt/dns/etc/named.conf
#ExecStart=/opt/dns/sbin/named -4 -u named -t /opt/dns -c /etc/named.conf
# Not used here: when I pointed -t at the chroot directory there was some problem
# (I forget what), so the directory in named.conf should also be given as a full
# path; the line above is just a copy.
ExecReload=/opt/dns/sbin/rndc reload
ExecStop=/opt/dns/sbin/rndc stop

[Install]
WantedBy=multi-user.target
[root@localhost etc]#
10. Start
[root@localhost etc]# systemctl start named
[root@localhost etc]# rndc status
version: BIND 9.16.24 (Extended Support Version) <id:93e3098>
running on localhost.localdomain: Linux x86_64 3.10.0-957.el7.x86_64 #1 SMP Thu Nov 8 23:39:32 UTC 2018
boot time: Tue, 11 Jan 2022 22:16:35 GMT
last configured: Tue, 11 Jan 2022 22:37:13 GMT
configuration file: /opt/dns/etc/named.conf
CPUs found: 1
worker threads: 1
UDP listeners per interface: 1
number of zones: 103 (99 automatic)
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON
recursive clients: 0/900/1000
tcp clients: 0/150
TCP high-water: 0
server is up and running
[root@localhost etc]#
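Before starting named it is worth confirming that step 8 left rndc.conf and named.conf with the same key, since a mismatch means rndc cannot authenticate to named. The bash script below is an added example, not from the original notes: it builds two constructed config files with placeholder secrets in a temporary directory and checks the key name, algorithm, secret and the file mode of rndc.conf.

```shell
#!/bin/bash
# Added example, not part of the original notes: confirm that the rndc key in
# rndc.conf and the key block in named.conf agree before starting named.
# The two config files built below are constructed samples with placeholder secrets.

# Print FIELD (secret or algorithm) of the key block named KEYNAME in FILE.
key_field() {                      # usage: key_field FILE KEYNAME FIELD
    awk -v k="\"$2\"" -v f="$3" '
        $1 == "key" && $2 == k { inkey = 1 }
        inkey && $1 == f       { gsub(/[";]/, "", $2); print $2; exit }
        inkey && $1 == "};"    { inkey = 0 }' "$1"
}

# Succeed only when KEYNAME has the same algorithm and secret in both files.
rndc_keys_match() {                # usage: rndc_keys_match RNDC_CONF NAMED_CONF KEYNAME
    local a1 a2 s1 s2
    a1=$(key_field "$1" "$3" algorithm); a2=$(key_field "$2" "$3" algorithm)
    s1=$(key_field "$1" "$3" secret);    s2=$(key_field "$2" "$3" secret)
    [ -n "$s1" ] && [ "$a1" = "$a2" ] && [ "$s1" = "$s2" ]
}

# Succeed only when FILE has no group/other permission bits (the secret must not leak).
is_private() {                     # usage: is_private FILE
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# --- constructed sample configs (placeholder secrets, not the ones from the notes) ---
DIR=$(mktemp -d)
cat > "$DIR/rndc.conf" <<'EOF'
key "rndc-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_SECRET_A=";
};
options { default-key "rndc-key"; default-server 127.0.0.1; default-port 953; };
EOF
cat > "$DIR/named.conf" <<'EOF'
key "rndc-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_SECRET_A=";
};
controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; };
EOF
# Simulate re-running rndc-confgen without updating named.conf: the secrets drift apart.
sed 's/SECRET_A/SECRET_B/' "$DIR/named.conf" > "$DIR/named-stale.conf"
chmod 600 "$DIR/rndc.conf"

rndc_keys_match "$DIR/rndc.conf" "$DIR/named.conf" rndc-key && echo "named.conf: key matches rndc.conf"
rndc_keys_match "$DIR/rndc.conf" "$DIR/named-stale.conf" rndc-key || echo "named-stale.conf: secret differs, rndc could not authenticate"
is_private "$DIR/rndc.conf" && echo "rndc.conf: owner-only permissions"
```

To check the real installation, call rndc_keys_match and is_private with the rndc.conf and named.conf written in steps 4 and 5 instead of the samples.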
11. Notes
In version 9.16.24 the dnssec-enable option no longer exists, and dnssec-validation yes is on by default.
// dnssec-enable yes;      // this option is gone; adding it causes an error
// dnssec-validation yes;  // on by default, so it is active even if you do not set it; resolution will then also query DS records (see the trace below)
dnssec-validation no;      # so when DNSSEC is not in use, set this to no

DS | 43 | RFC 4034 | Delegation Signer | This record identifies the DNSSEC signing key of a delegated zone.

With validation enabled, resolution looks like this (it queries the DS record for the domain's delegation):
06:32:37.423733 IP gateway.55369 > localhost.localdomain.domain: 34830+ [1au] A? www.baidu.com. (54)
06:32:37.424363 IP localhost.localdomain.60092 > public1.114dns.com.domain: 2004+% [1au] A? www.baidu.com. (54)
06:32:37.458952 IP public1.114dns.com.domain > localhost.localdomain.60092: 2004 3/0/1 CNAME www.a.shifen.com., A 110.242.68.3, A 110.242.68.4 (101)
06:32:37.459336 IP localhost.localdomain.51420 > public1.114dns.com.domain: 23319+% [1au] DS? com. (44)