Terminology:
FQDN: Fully Qualified Domain Name
Forward lookup: resolving a hostname to an IP address
Reverse lookup: resolving an IP address back to a hostname
Zone: the set of records for one domain
SOA (Start of Authority): the record that marks the start of a zone's authoritative data
NS (NameServer): name server
A (Address): address record
The whole path of a domain-name lookup can be followed with dig +trace
A DNS query is first sent over UDP port 53; if that query fails, the resolver retries over TCP port 53, so the firewall must open port 53 for both UDP and TCP.
Step 1: download the latest BIND
wget -O bind-9.11.0.tar.gz https://www.isc.org/downloads/file/bind-9-11-0/?version=tar-gz --no-check-certificate
# -O gives the download the file name the later tar step expects; without it wget saves the page as "index.html?version=tar-gz"
Step 2: install the build environment: gcc, perl, openssl, openssl-devel
yum install -y gcc perl openssl openssl-devel
Step 3: unpack into /opt/tmp
tar -zxvf bind-9.11.0.tar.gz -C /opt/tmp
Step 4: configure, build and install
cd /opt/tmp/bind-9.11.0
./configure --prefix=/opt/soft/named --enable-threads --enable-largefile --disable-ipv6 && make && make install
(1) Add the bind user and group
groupadd bind
useradd -g bind -d /opt/soft/named -s /sbin/nologin bind
Step 5: create the configuration files
cd /opt/soft/named/
sbin/rndc-confgen > etc/rndc.conf        # generate the key file used by the rndc control command
# If rndc-confgen hangs (not enough entropy), create a random file by hand and point it at that file:
vi /opt/soft/random
asdkfjalsjdflajsldfjlasjdflajsldfjalsjdflajslfjalsjflasjfl
sbin/rndc-confgen -r /opt/soft/random > etc/rndc.conf   # same output file as above, so the extraction below still works
# extract the key and controls block that named.conf needs from rndc.conf
tail -10 etc/rndc.conf | head -9 | sed 's/# //g' > etc/named.conf
Step 6: add the following to named.conf
vi /opt/soft/named/etc/named.conf
options {
    listen-on port 53 { any; };
    directory "/opt/soft/named/var";
    pid-file "named.pid";
    // allow-query { any; } together with recursion yes makes this an open resolver;
    // on a host reachable from outside, restrict allow-query / allow-recursion to your own networks
    allow-query { any; };
    dump-file "/opt/soft/named/var/cache_dump.db";        // must be writable by the bind user
    statistics-file "/opt/soft/named/var/named_stats.txt";
    forwarders { 202.96.209.5; 114.114.114.114; };
    recursion yes;
};
zone "." IN {
    type hint;
    file "named.root";
};
zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "localhost.rev";
    allow-update { none; };
};
zone "eye.com" IN {
    type master;
    file "eye.com.zone";
    allow-update { none; };
};
// the reverse zone must be named in-addr.arpa (the original "in-add.arpa" would never be queried)
zone "111.168.192.in-addr.arpa" IN {
    type master;
    file "111.168.192.in-addr.arpa";
    allow-update { none; };
};
Step 7: create the zone files in the zone directory
cd /opt/soft/named/var
(1) Create named.root
wget ftp://ftp.rs.internic.net/domain/named.root
or generate it yourself:
dig @a.root-servers.net . ns > named.root
(2) Create localhost.zone
$TTL 86400
$ORIGIN localhost.
@  1D IN SOA @ root (
        42      ; serial (d. adams)
        3H      ; refresh
        15M     ; retry
        1W      ; expiry
        1D )    ; minimum
   1D IN NS @
   1D IN A  127.0.0.1
(3) Create localhost.rev
@ IN SOA localhost. root.localhost. (
        1        ; serial
        3600     ; refresh every hour
        900      ; retry every 15 minutes
        3600000  ; expire 1000 hours
        3600 )   ; minimum 1 hour
  IN NS  localhost.
1 IN PTR localhost.
(4) Create eye.com.zone
$TTL 86400
@           IN SOA dns.eye.com. root.localhost (
                    2       ; serial
                    28800   ; refresh
                    7200    ; retry
                    604800  ; expire
                    86400 ) ; ttl
            IN NS dns.eye.com.
            IN A  192.168.111.111
www         IN A  192.168.111.111
ntp         IN A  192.168.132.191
waffle      IN A  192.168.132.199
nfs         IN A  192.168.111.206
ftp.nas     IN A  192.168.111.207
mongotest   IN A  192.168.111.113
mongo1      IN A  192.168.132.190
mongo2      IN A  192.168.132.189
mongo3      IN A  192.168.132.188
openldap-a  IN A  192.168.132.191
dns         IN A  192.168.111.111
(5) Create 111.168.192.in-addr.arpa
$TTL 86400
@    IN SOA dns.eye.com. root.eye.com. (
            1997022700  ; Serial
            28800       ; Refresh
            14400       ; Retry
            3600000     ; Expire
            86400 )     ; Minimum
@    IN NS  dns.eye.com.
111  IN PTR www.eye.com.
; the hosts below sit in 192.168.132.0/24, so their PTRs belong in 132.168.192.in-addr.arpa, not here
191  IN PTR ntp.eye.com.
199  IN PTR waffle.eye.com.
206  IN PTR nfs.eye.com.
207  IN PTR ftp.nas.eye.com.
113  IN PTR mongotest.eye.com.
190  IN PTR mongo1.eye.com.
189  IN PTR mongo2.eye.com.
188  IN PTR mongo3.eye.com.
191  IN PTR openldap-a.eye.com.
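The forward and reverse zones above only work together if every A record's address has a PTR in the matching in-addr.arpa zone, and every PTR names a host that really has that address. The following Python check is an added example, not part of the original post: it parses constructed excerpts of the page's eye.com.zone and reverse zone (using the corrected origin 111.168.192.in-addr.arpa.) and reports the mismatches, including the 192.168.132.x hosts listed in the 192.168.111 reverse zone.

```python
import re
# "owner [ttl] IN A|PTR rdata": empty owner inherits the previous one, "@" is the origin.
RECORD = re.compile(r"^(\S*)\s+(?:\d+\s+)?IN\s+(A|PTR)\s+(\S+)\s*$")
# Constructed excerpts of the page's eye.com.zone and 111.168.192.in-addr.arpa files.
FORWARD_ZONE = """@ IN SOA dns.eye.com. root.eye.com. ( 2 ; serial
    86400 ) ; ttl
  IN A 192.168.111.111
www IN A 192.168.111.111
ntp IN A 192.168.132.191
"""
REVERSE_ZONE = """@ IN SOA dns.eye.com. root.eye.com. ( 1997022700 ; Serial
    86400 ) ; Minimum
111 IN PTR www.eye.com.
191 IN PTR ntp.eye.com.
"""

def parse_zone(text, origin):
    """[(owner_fqdn, type, rdata)] for A/PTR records; origin must end with a dot."""
    records, last_owner, depth = [], origin, 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # strip ; comments
        inside, depth = depth > 0, depth + line.count("(") - line.count(")")
        m = RECORD.match(line)
        if inside or not m:                           # SOA block or non-A/PTR line
            continue
        owner, rtype, rdata = m.groups()
        owner = origin if owner == "@" else last_owner if owner == "" else (
            owner if owner.endswith(".") else f"{owner}.{origin}")
        last_owner = owner
        records.append((owner, rtype, rdata))
    return records

def check_consistency(forward, fwd_origin, reverse, rev_origin):
    """Cross-check A records against PTR records in both directions."""
    a_by_ip = {}
    for owner, _, ip in parse_zone(forward, fwd_origin):   # forward zone: A records
        a_by_ip.setdefault(ip, set()).add(owner)
    ptr = {o: r for o, t, r in parse_zone(reverse, rev_origin) if t == "PTR"}
    problems = []
    for ip, owners in sorted(a_by_ip.items()):
        rev = ".".join(reversed(ip.split("."))) + ".in-addr.arpa."
        if not rev.endswith("." + rev_origin):
            problems.append(f"{ip}: PTR belongs in another reverse zone, not {rev_origin}")
        elif ptr.get(rev) not in owners:
            problems.append(f"{ip}: no PTR {rev} naming one of {sorted(owners)}")
    for rev, target in ptr.items():                        # reverse direction
        ip = ".".join(reversed(rev[:-len(".in-addr.arpa.")].split(".")))
        if target not in a_by_ip.get(ip, set()):
            problems.append(f"PTR {rev} -> {target}: no matching A record")
    return problems
```

named-checkzone, which ships with BIND, validates each file's syntax but does not perform this forward/reverse cross-check.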
Step 8: start the server with debug output (-g keeps it in the foreground and logs to stderr); if the log reports "running", the start succeeded
/opt/soft/named/sbin/named -gc /opt/soft/named/etc/named.conf -u bind &
Step 9: check the status
/opt/soft/named/sbin/rndc status
# after changing the configuration, reload it with:
/opt/soft/named/sbin/rndc reload
Step 10: point the host's network interface at the new server
vi /etc/sysconfig/network-scripts/ifcfg-eth0
DNS1=192.168.111.111
DNS2=202.96.209.5
Step 11: configure start on boot
(1) Create the init script
vi /etc/rc.d/init.d/named
#!/bin/bash
# named   a network name service.
# chkconfig: 345 35 75
# description: a name server

if [ `id -u` -ne 0 ]; then
    echo "ERROR: to bind to port 53, named must be started as root."
    exit 1
fi

case "$1" in
  start)
    if [ -x /opt/soft/named/sbin/named ]; then
        /opt/soft/named/sbin/named -c /opt/soft/named/etc/named.conf -u bind && echo . && echo 'BIND9 server started'
    fi
    ;;
  stop)
    kill `cat /opt/soft/named/var/named.pid` && echo . && echo 'BIND9 server stopped'
    ;;
  restart)
    echo .
    echo "Restart BIND9 server"
    $0 stop
    sleep 10
    $0 start
    ;;
  reload)
    /opt/soft/named/sbin/rndc reload
    ;;
  status)
    /opt/soft/named/sbin/rndc status
    ;;
  *)
    echo "$0 start | stop | restart | reload | status"
    ;;
esac
(2) Make the script executable and register it as a service
chmod 755 /etc/rc.d/init.d/named
chkconfig --add named
service named start
Step 12: test
dig @127.0.0.1 dns.eye.com
Step 13: configure the firewall (port 53 for both UDP and TCP, as noted above)
iptables -A INPUT -p udp -s 0/0 --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 53 -j ACCEPT