Note: this document uses two VirtualBox virtual machines as an example to build a simple DNS environment consisting of one DNS server and one client host. The details are as follows:
| Host | Role | Private FQDN | Private IP Address | NAT IP Address (Internet access) |
|---|---|---|---|---|
| dns | DNS Server | dns.example.com | 192.168.56.10 | 10.0.2.2 |
| host | DNS Client Host | host.example.com | 192.168.56.100 | 10.0.2.3 |
Preparation: on the DNS server, configure a static IP address and routes using netplan.
Configure the DNS Server
- Install bind9

```shell
sudo apt update
sudo apt install bind9 bind9utils
```

- Set bind9 to IPv4-only mode

```shell
sudo vi /etc/default/bind9
```

Change `OPTIONS="-u bind"` to `OPTIONS="-u bind -4"`, then restart the service:

```shell
sudo systemctl restart bind9
```
- Edit the options file

```shell
sudo vi /etc/bind/named.conf.options
```

The edited named.conf.options is shown below; the specific changes are explained afterwards. (Note: the semicolons and the spaces inside the braces must not be omitted, otherwise a syntax error is reported.)
```
acl "trusted" {
    192.168.56.10;
    192.168.56.100;
};

options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    recursion yes;
    allow-recursion { trusted; };
    listen-on { 192.168.56.10; };
    forwarders {
        10.0.13.201;
    };
    allow-transfer { none; };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;

    listen-on-v6 { any; };
};
```
Notes on the options file. The following configuration was added: an ACL naming the two trusted hosts, recursion enabled only for that ACL, the server bound to its private address, a forwarder for queries it is not authoritative for, and zone transfers disabled.

```
acl "trusted" {
    192.168.56.10;
    192.168.56.100;
};

recursion yes;
allow-recursion { trusted; };
listen-on { 192.168.56.10; };
forwarders {
    10.0.13.201;
};
allow-transfer { none; };
```
- Edit the local file

```shell
sudo vi /etc/bind/named.conf.local
```

The edited named.conf.local is shown below; the specific changes are explained afterwards. (Note: the semicolons and the spaces inside the braces must not be omitted, otherwise a syntax error is reported.)
```
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
};

zone "56.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192.168.56";
};
```
Notes on the local file. The following configuration was added.

Forward zone: "example.com" is the domain scope to be resolved. The `file` parameter "db.example.com" follows the fixed naming pattern: replace the part after "db." with the domain scope of the forward zone.

```
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
};
```

Reverse zone: "56.168.192.in-addr.arpa" is the IP subnet to be reverse-resolved, where "56.168.192" is the subnet written in reverse order. The `file` parameter "db.192.168.56" follows the fixed naming pattern: replace the part after "db." with the subnet to be reverse-resolved.

```
zone "56.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192.168.56";
};
```
- Create the forward/reverse zone files (the files named by `file` in the forward and reverse zones added in step 4)

Every zone added to the local file needs a matching forward or reverse zone file, that is, the file named by the zone's `file` parameter. Start from the templates shipped with bind9:

```shell
sudo cp /etc/bind/db.local /etc/bind/db.example.com
sudo cp /etc/bind/db.127 /etc/bind/db.192.168.56
```
db.example.com after configuration is shown below. Notes: do not use the Space key in the file; separate fields with Tab. Do not omit the trailing "." after domain names. After every modification, the number on the "Serial" line must be changed to a value larger than the current one (usually +1; do not exceed 10 digits). The SRV records added map each service to the address of the server providing it (Active Directory clients and domain controllers use SRV resource records to determine the domain controller's IP address).
```
;
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     example.com. root.example.com. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      dns.example.com.
example.com.            IN      A       192.168.56.10
dns.example.com.        IN      A       192.168.56.10
host.example.com.       IN      A       192.168.56.100
_ldap._tcp.example.com.                 IN      SRV     0 0 389 host.example.com.
_kerberos._tcp.example.com.             IN      SRV     0 0 88  host.example.com.
_ldap._tcp.dc._msdcs.example.com.       IN      SRV     0 0 389 host.example.com.
_kerberos._tcp.dc._msdcs.example.com.   IN      SRV     0 0 88  host.example.com.
```
db.192.168.56 after configuration is shown below. Notes: do not use the Space key in the file; separate fields with Tab. Do not omit the trailing "." after domain names. After every modification, the number on the "Serial" line must be changed to a value larger than the current one (usually +1; do not exceed 10 digits).
```
;
; BIND reverse data file for local loopback interface
;
$TTL    604800
@       IN      SOA     example.com. root.example.com. (
                              6         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      dns.example.com.
10      IN      PTR     example.com.
10      IN      PTR     dns.example.com.
100     IN      PTR     host.example.com.
```
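As an added example (not part of the original document), a small Python pre-flight lint for these zone files. It catches the mistakes the notes above warn about but which `named-checkzone` accepts silently: a serial that was not increased, a record whose owner name was lost, a host name without its trailing dot (BIND appends the origin without complaint), and an owner such as `_msdcsexample.com.` that falls outside the zone. The sample zone and the published serial are constructed for the demonstration.

```python
import re

# Constructed sample: this page's forward zone with the mistakes the notes above warn about
# planted in it (serial not bumped, owner name lost, missing trailing dot, "_msdcsexample").
PUBLISHED_SERIAL = 2  # assumed: the serial the running server currently serves
SAMPLE_ZONE = """\
@ IN SOA example.com. root.example.com. (
    2 ; Serial
    604800 ; Refresh
    86400 ; Retry
    2419200 ; Expire
    604800 ) ; Negative Cache TTL
IN NS dns.example.com.
host.example.com. IN A 192.168.56.100
_ldap._tcp.example.com. SRV 0 0 389 host.example.com
_kerberos._tcp.dc._msdcsexample.com. SRV 0 0 88 host.example.com.
"""
NAME_RDATA = {"NS", "CNAME", "PTR", "SRV", "MX"}  # types whose rdata ends in a host name
TYPES = NAME_RDATA | {"A", "AAAA", "TXT"}

def lint_zone(text, origin, published_serial):
    """Return the problems that named-checkzone accepts silently (empty list = clean)."""
    problems = []
    m = re.search(r"\bSOA\b[^(]*\(\s*(\d+)", text)  # serial is the first number after '('
    if m is None:
        return ["no SOA record found"]
    if int(m.group(1)) <= published_serial or len(m.group(1)) > 10:
        problems.append(f"serial {m.group(1)} must exceed {published_serial} and have at most 10 digits")
    in_paren = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()  # drop the comment and surrounding blanks
        if in_paren:  # still inside the parenthesised SOA fields
            in_paren = ")" not in line
            continue
        tokens = line.split()
        in_paren = "(" in line and ")" not in line
        if "SOA" in tokens:
            continue
        rtype = next((t for t in tokens if t in TYPES), None)
        if rtype is None:
            continue  # blank line, $TTL directive, or a type this lint does not know
        owner = "@" if raw[:1].isspace() else tokens[0]  # leading blank = owner inherited
        if owner == "IN" or owner in TYPES:
            problems.append(f"line {lineno}: no owner name (leading '@' or whitespace lost)")
        elif "." in owner and not owner.endswith("."):
            problems.append(f"line {lineno}: owner {owner!r} lacks trailing dot, read as {owner}.{origin}")
        elif owner.endswith(".") and owner != origin and not owner.endswith("." + origin):
            problems.append(f"line {lineno}: owner {owner!r} is outside zone {origin}")
        if rtype in NAME_RDATA and not tokens[-1].endswith("."):
            problems.append(f"line {lineno}: {rtype} target {tokens[-1]!r} lacks trailing dot, read as {tokens[-1]}.{origin}")
    return problems
```

To check the real file, call `lint_zone(open("/etc/bind/db.example.com").read(), "example.com.", <serial currently served>)` before running `named-checkzone`; an empty list means all checks passed.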
- Check the configuration files for correctness

```shell
sudo named-checkconf
named-checkzone example.com /etc/bind/db.example.com
named-checkzone 56.168.192.in-addr.arpa /etc/bind/db.192.168.56
```

Once the above commands run without errors, restart the bind9 service:

```shell
sudo systemctl restart bind9
```
Configure the DNS Client Host

Configure a static IP address with netplan (choose which network interface to configure yourself):

```shell
sudo vi /etc/netplan/****.yaml   # the netplan file name is not fixed; use ls to find it
```

After configuration the file looks as follows.
```yaml
network:
  version: 2
  renderer: NetworkManager
  ethernets:
    enp0s8:   # interface name
      dhcp4: false
      addresses: [192.168.56.100/24]
      nameservers:
        addresses: [192.168.56.10]   # the DNS server from the table above
```
After configuring, run:

```shell
sudo netplan try
sudo netplan apply
```
Test DNS

On the DNS server, run:

```shell
nslookup host.example.com
nslookup 192.168.56.100
ping host.example.com
```

On the DNS client host, run:

```shell
nslookup dns.example.com
nslookup 192.168.56.100
ping dns.example.com
```