二、DNS 部署
环境介绍
服务器3台、系统centos
安装软件
yum install -y bind bind-utils bind-chrootbind 主包bind-utils 客户端测试工具(host 、dig 、nslookup)bind-chroot chroot环境 禁锢dns服务器的工作目录caching-nameserver(rhel5提供模板文本,缓存服务) rhel6不需要
关闭防火墙
systemctl stop firewalld && setenforce 0
启动服务
# systemctl start named如果启动服务没有工作目录的文件夹
工作目录
/var/named/chroot/etc 存放主配置文件/var/named/chroot/var/named
配置文件
备份配置文件
cp /etc/named.conf /etc/named.conf.backup修改配置文件:
[root@wing etc]# vim /etc/named.conf
options {# 监听在主机的53端口上。any代表监听所有的主机listen-on port 53 { any; };listen-on-v6 port 53 { ::1; };# 如果此档案底下有规范到正反解的zone file 档名时,该档名预设应该放置在哪个目录底下directory "/var/named";# 下面三项是服务的相关统计信息dump-file "/var/named/data/cache_dump.db";statistics-file "/var/named/data/named_stats.txt";memstatistics-file "/var/named/data/named_mem_stats.txt";# 谁可以对我的DNS服务器提出查询请求。any代表任何人allow-query { any; };/* - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.- If you are building a RECURSIVE (caching) DNS server, you need to enable recursion. - If your recursive DNS server has a public IP address, you MUST enable access control to limit queries to your legitimate users. Failing to do so willcause your server to become part of large scale DNS amplification attacks. Implementing BCP38 within your network would greatlyreduce such attack surface */recursion yes;dnssec-enable yes;dnssec-validation yes;dnssec-lookaside auto;forwarders { # 指定上层DNS服务器(网关)192.168.1.1;};/* Path to ISC DLV key */bindkeys-file "/etc/named.iscdlv.key";managed-keys-directory "/var/named/dynamic";pid-file "/run/named/named.pid";session-keyfile "/run/named/session.key";
};logging {channel default_debug {file "data/named.run";severity dynamic;};
};zone "." IN {type hint;file "named.ca";
};include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
增加zone信息
vim /etc/named.rfc1912.zones
zone "baidu.com" IN { # 定义要解析主域名type master;file "baidu.com.zone"; # 具体相关解析的配置文件保存在 /var/named/baidu.com.zone 文件中
};编辑区域配置文件
vim /var/named/baidu.com.zone$TTL 1D
@ IN SOA baidu.com. root (1 ; serial1D ; refresh1H ; retry1W ; expire0 ) ; minimumIN NS baidu.com.IN A 192.168.101.1
www IN A 192.168.101.244
test IN A 192.168.101.129
增加权限 并启动服务
chown root:named /var/named/baidu.com.zone
systemctl restart named
systemctl enable named
journalctl -xe 查看DNS的运行状态