Building a private DNS server for an internal network with CentOS 7.6 + BIND9

Scenario:

The LAN needs a server that provides name resolution for the internal network, so that internal users can reach services by domain name, just as they do on the Internet, instead of by IP address and port number.

There are many ways to solve this:

(1) For example, edit the hosts file on each user's machine; but adding entries to every machine is time-consuming and laborious.

(2) A more convenient approach, in my view, is to run a private DNS service on the internal network.

Below I solve it by building a private DNS locally, and I record the steps one by one for my own reference and for anyone else who finds them useful.

1. Environment: CentOS 7.6 + BIND9

# Check the Linux release
[root@hdss7-11 ~]# cat /etc/redhat-release 
CentOS Linux release 7.6.1810 (Core) 

# Check the Linux kernel version
[root@hdss7-11 ~]# uname -a
Linux hdss7-11.host.com 3.10.0-957.el7.x86_64 #1 SMP Thu Nov 8 23:39:32 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux


2. Install BIND with yum

[root@hdss7-11 ~]# yum install bind
Loaded plugins: fastestmirror, langpacks
Existing lock /var/run/yum.pid: another copy is running as pid 20365.
Another app is currently holding the yum lock; waiting for it to exit...
  The other application is: PackageKit
    Memory : 157 M RSS (576 MB VSZ)
    Started: Sat Jan 13 21:40:49 2024 - 02:07 ago
    State  : Sleeping, pid: 20365
Another app is currently holding the yum lock; waiting for it to exit...
  The other application is: PackageKit
    Memory : 157 M RSS (576 MB VSZ)
    Started: Sat Jan 13 21:40:49 2024 - 02:09 ago
    State  : Sleeping, pid: 20365
Another app is currently holding the yum lock; waiting for it to exit...
  The other application is: PackageKit
    Memory : 157 M RSS (576 MB VSZ)
    Started: Sat Jan 13 21:40:49 2024 - 02:11 ago
    State  : Sleeping, pid: 20365
Another app is currently holding the yum lock; waiting for it to exit...
  The other application is: PackageKit
    Memory : 157 M RSS (576 MB VSZ)
    Started: Sat Jan 13 21:40:49 2024 - 02:13 ago
    State  : Sleeping, pid: 20365
Another app is currently holding the yum lock; waiting for it to exit...

When the install was first attempted, another yum process was already running and the bind installation never started. I resolved this by terminating that process:

kill -9 20365            # 20365 is the PID of the process holding the yum lock

[root@hdss7-11 ~]# yum install bind
===================================================================================
 Package              Arch       Version                         Repository   Size
===================================================================================
Installing:
 bind                 x86_64     32:9.11.4-26.P2.el7_9.15        updates     2.3 M

3. Configure a caching DNS

Edit the main configuration file /etc/named.conf:

options {
	listen-on port 53 { 192.168.2.111; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	recursing-file  "/var/named/data/named.recursing";
	secroots-file   "/var/named/data/named.secroots";
	allow-query     { any; };

	/* 
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
	   recursion. 
	 - If your recursive DNS server has a public IP address, you MUST enable access 
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification 
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface 
	*/
	recursion yes;

	dnssec-enable yes;
	dnssec-validation yes;

	// (remaining stock options of the CentOS named.conf left unchanged)
};
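As an added example (not code from the original post), a small POSIX shell audit that flags the open-resolver combination the stock comment in named.conf warns about: recursion yes together with allow-query { any; } and no allow-recursion, which is exactly what the options block above contains. The 192.168.2.0/24 ACL in the hardened sample is an assumed LAN range.

```shell
#!/bin/sh
# Added example, not from the original post: audit a named.conf options{} block for the
# open-resolver condition the stock comment warns about. Returns 0 when recursion is off
# or limited to an explicit client list, 1 for "recursion yes" + allow-query { any; }
# with no allow-recursion, i.e. the post's own config if port 53 were ever reachable.
audit_named_options() {
    # Flatten and strip //, # and /* */ comments so commented-out directives are ignored.
    stripped=$(sed -e 's://.*$::' -e 's:#.*$::' "$1" | tr '\n' ' ' | sed -e 's:/\*.*\*/::g')
    recursion=$(printf '%s\n' "$stripped" | grep -oE 'recursion[[:space:]]+(yes|no)' | awk '{print $2}')
    allow_query=$(printf '%s\n' "$stripped" | grep -oE 'allow-query[[:space:]]*[{][^}]*[}]' | head -n 1)
    allow_recursion=$(printf '%s\n' "$stripped" | grep -oE 'allow-recursion[[:space:]]*[{][^}]*[}]' | head -n 1)
    if [ "$recursion" != "yes" ]; then
        echo "OK: recursion is off or unset"
        return 0
    fi
    # An ACL that still lists the bare "any" element restricts nothing.
    if [ -n "$allow_recursion" ] && ! printf '%s\n' "$allow_recursion" | grep -qE '[{; ]any[[:space:]]*;'; then
        echo "OK: recursion limited by $allow_recursion"
        return 0
    fi
    if [ -n "$allow_query" ] && ! printf '%s\n' "$allow_query" | grep -qE '[{; ]any[[:space:]]*;'; then
        echo "OK: all queries limited by $allow_query"
        return 0
    fi
    echo "RISK: recursion yes with no client restriction; open resolver wherever port 53 is reachable"
    return 1
}
# Constructed samples: the first mirrors the post's options{}, the second adds an
# allow-recursion ACL (192.168.2.0/24 is an assumed LAN range, not from the post).
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
options {
    listen-on port 53 { 192.168.2.111; };
    allow-query     { any; };
    /* If you are building a RECURSIVE (caching) DNS server, enable recursion. */
    recursion yes;
};
EOF
HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
options {
    listen-on port 53 { 192.168.2.111; };
    allow-query     { any; };
    recursion yes;
    allow-recursion { 127.0.0.1; 192.168.2.0/24; };  // internal clients only
};
EOF
audit_named_options "$WEAK_CONF" || true
audit_named_options "$HARDENED_CONF"
```

Run it against /etc/named.conf on the server: the listen-on line above keeps named on the internal interface, but an allow-recursion ACL is what still protects it if the host is later multi-homed or exposed.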

4. Check the configuration file

Run named-checkconf; if it reports nothing, the configuration is syntactically correct.

[root@hdss7-11 ~]# named-checkconf 

5. Start the bind9 service

[root@hdss7-11 ~]# systemctl start named.service

6. Check the bind9 service status

[root@hdss7-11 ~]# systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2024-01-13 21:52:44 CST; 5s ago
  Process: 21602 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 21599 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 21604 (named)
    Tasks: 7
   CGroup: /system.slice/named.service
           └─21604 /usr/sbin/named -u named -c /etc/named.conf

Jan 13 21:52:45 hdss7-11.host.com named[21604]: FORMERR resolving './NS/IN': 19...3
Jan 13 21:52:45 hdss7-11.host.com named[21604]: FORMERR resolving './NS/IN': 19...3
Jan 13 21:52:45 hdss7-11.host.com named[21604]: FORMERR resolving './NS/IN': 19...3
Jan 13 21:52:45 hdss7-11.host.com named[21604]: FORMERR resolving './NS/IN': 19...3
Jan 13 21:52:45 hdss7-11.host.com named[21604]: FORMERR resolving './NS/IN': 19...3
Jan 13 21:52:45 hdss7-11.host.com named[21604]: FORMERR resolving './NS/IN': 19...3
Jan 13 21:52:45 hdss7-11.host.com named[21604]: FORMERR resolving './NS/IN': 19...3
Jan 13 21:52:45 hdss7-11.host.com named[21604]: FORMERR resolving './NS/IN': 19...3
Jan 13 21:52:45 hdss7-11.host.com named[21604]: FORMERR resolving './NS/IN': 20...3
Jan 13 21:52:45 hdss7-11.host.com named[21604]: resolver priming query complete
Hint: Some lines were ellipsized, use -l to show in full.
[root@hdss7-11 ~]# netstat -luntp|grep 53
tcp        0      0 192.168.2.111:53        0.0.0.0:*               LISTEN      21604/named         
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      10156/dnsmasq       
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      21604/named         
tcp6       0      0 ::1:953                 :::*                    LISTEN      21604/named         
udp        0      0 192.168.2.111:53        0.0.0.0:*                           21604/named         
udp        0      0 192.168.122.1:53        0.0.0.0:*                           10156/dnsmasq       
udp        0      0 0.0.0.0:33162           0.0.0.0:*                           8853/avahi-daemon:  
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           8853/avahi-daemon:  

This completes a most basic caching/forwarding DNS deployment, which can serve recursive queries for our internal users, for example looking up www.baidu.com and returning the result.

7. Point clients at the DNS server

Set the DNS server address to the IP of the host we just deployed (192.168.2.111, the address named listens on above):

[root@hdss7-11 ~]# vim /etc/resolv.conf

8. Verify resolution

Investigation showed that port 53 was not open in the firewall. Note that firewall-cmd --add-port without --permanent only changes the running ruleset and is lost on the next firewall reload.

[root@hdss7-11 ~]# firewall-cmd --query-port=53/udp
no
[root@hdss7-11 ~]# firewall-cmd --add-port=53/udp
success
[root@hdss7-11 ~]# ping baidu.com
ping: baidu.com: Name or service not known
[root@hdss7-11 ~]# systemctl restart named
[root@hdss7-11 ~]# ping baidu.com
PING baidu.com (110.242.68.66) 56(84) bytes of data.
64 bytes from 110.242.68.66 (110.242.68.66): icmp_seq=1 ttl=50 time=52.6 ms
64 bytes from 110.242.68.66 (110.242.68.66): icmp_seq=2 ttl=50 time=64.2 ms
64 bytes from 110.242.68.66 (110.242.68.66): icmp_seq=3 ttl=50 time=53.8 ms
64 bytes from 110.242.68.66 (110.242.68.66): icmp_seq=4 ttl=50 time=90.3 ms
