bind安装，rndc和bind升级

最新推荐文章于 2023-04-06 17:01:53 发布

ncgege

最新推荐文章于 2023-04-06 17:01:53 发布

阅读量2.4k

点赞数

分类专栏： Linux

Linux 专栏收录该内容

118 篇文章 0 订阅

订阅专栏

有用的东西，收藏

原文地址：bind安装，rndc和bind升级 作者：海阔天空

1.原系统自带rpm格式安装的bind9.2.4。使用rpm -q检查出来版本信息，为了测试二进制安装bind，首先使用rpm -e删除bind9.2.4.
[root@jww etc]# root@jww etc]# rpm -e bind-9.2.4-2 --nodeps
warning: /etc/sysconfig/named saved as /etc/sysconfig/named.rpmsave
warning: /etc/rndc.key saved as /etc/rndc.key.rpmsave
[root@jww etc]# rpm -q bind
package bind is not installed

2.安装二进制的bind-9.4.3：
[root@jww jww]# tar -zxvf bind-9.4.3-P3.tar.gz
bind-9.4.3-P3/
bind-9.4.3-P3/bin
...
...
...
...
[root@jww jww]# cd bind-9.4.3-P3
[root@jww bind-9.4.3-P3]# ./configure
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux
...
...
...
...
config.status: creating config.h
WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
WARNING WARNING
WARNING Your OpenSSL crypto library may be vulnerable to WARNING
WARNING one or more of the the following known security WARNING
WARNING flaws: WARNING
WARNING WARNING
WARNING CAN-2002-0659, CAN-2006-4339, CVE-2006-2937 and WARNING
WARNING CVE-2006-2940. WARNING
WARNING WARNING
WARNING It is recommended that you upgrade to OpenSSL WARNING
WARNING version 0.9.8d/0.9.7l (or greater). WARNING
WARNING WARNING
WARNING You can disable this warning by specifying: WARNING
WARNING WARNING
WARNING --disable-openssl-version-check WARNING
WARNING WARNING
WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
出错纠正。。。。
[root@jww bind-9.4.3-P3]# ./configure --disable-openssl-version-check
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
...
...
...
...
config.status: creating config.h
config.status: config.h is unchanged
[root@jww bind-9.4.3-P3]#
[root@jww bind-9.4.3-P3]#
[root@jww bind-9.4.3-P3]# make
...
...
...
...
[root@jww bind-9.4.3-P3]# make install
...
...
...
...
[root@jww bind-9.4.3-P3]# rpm -q bind
package bind is not installed
[root@jww bind-9.4.3-P3]#
[root@jww ~]# /usr/sbin/named -v *******二进制安装使用rpm检查不出来********
BIND 9.4.3-P3

备注：我使用二进制方式安装bind，在/etc下面没有产生named.conf文件，在/var也没有产生named文件夹及文件夹里面的7个文件和1个chroot文件夹。
因为之前我的系统中有bind-9.2.4，这些文件都有了。所以我不比去网上搜寻，直接使用。

3.生成rndc的key
# /usr/local/sbin/rndc-confgen >rndc.conf
# /usr/local/sbin/named -g
　　Jan 11 11:56:45.075 starting BIND 9.2.3 -g
　　Jan 11 11:56:45.076 using 1 CPU
　　Jan 11 11:56:45.079 loading configuration from '/etc/named.conf'
[root@jww ~]# more /etc/rndc.conf
# Start of rndc.conf
key "rndc-key" {
algorithm hmac-md5;
secret "DSqZHhpd8HuK9YtsQlZZIg==";
};

options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# algorithm hmac-md5;
# secret "DSqZHhpd8HuK9YtsQlZZIg==";
# };
#
# controls {
# inet 127.0.0.1 port 953
# allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
[root@jww ~]#
打开刚在/etc/rndc.conf 文件.打# Use with the following in named.conf, adjusting the allow list as needed: 这行下的所有复制到你的named.conf 文件里
[root@jww ~]# more /etc/named.conf
//
// named.conf for Red Hat caching-nameserver
//

options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";

// query-source address * port 53;
};
key "rndc-key" {
algorithm hmac-md5;
secret "DSqZHhpd8HuK9YtsQlZZIg==";
};

controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};

//
// a caching only nameserver config
//
#controls {
# inet 127.0.0.1 allow { localhost; } keys { rndckey; };
#};

zone "." IN {
type hint;
file "named.ca";
};

4.创建链接
# ln -s /usr/local/sbin/rndc /usr/sbin/rndc
# ln -s /usr/local/sbin/named /usr/sbin/named

5.启动bind
[root@jww ~]# /usr/sbin/named -gc /etc/named.conf
11-Aug-2009 12:04:50.406 starting BIND 9.4.3-P3 -gc /etc/named.conf
11-Aug-2009 12:04:50.408 using up to 4096 sockets
11-Aug-2009 12:04:50.503 loading configuration from '/etc/named.conf'
11-Aug-2009 12:04:50.527 using default UDP/IPv4 port range: [1024, 65535]
11-Aug-2009 12:04:50.529 using default UDP/IPv6 port range: [1024, 65535]
11-Aug-2009 12:04:50.545 listening on IPv4 interface lo, 127.0.0.1#53
11-Aug-2009 12:04:50.552 listening on IPv4 interface eth0, 10.8.1.195#53
11-Aug-2009 12:04:50.679 automatic empty zone: 127.IN-ADDR.ARPA
11-Aug-2009 12:04:50.682 automatic empty zone: 254.169.IN-ADDR.ARPA
11-Aug-2009 12:04:50.683 automatic empty zone: 2.0.192.IN-ADDR.ARPA
11-Aug-2009 12:04:50.684 automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
11-Aug-2009 12:04:50.684 automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
11-Aug-2009 12:04:50.685 automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
11-Aug-2009 12:04:50.687 automatic empty zone: D.F.IP6.ARPA
11-Aug-2009 12:04:50.688 automatic empty zone: 8.E.F.IP6.ARPA
11-Aug-2009 12:04:50.688 automatic empty zone: 9.E.F.IP6.ARPA
11-Aug-2009 12:04:50.689 automatic empty zone: A.E.F.IP6.ARPA
11-Aug-2009 12:04:50.689 automatic empty zone: B.E.F.IP6.ARPA
11-Aug-2009 12:04:50.710 command channel listening on 127.0.0.1#953
11-Aug-2009 12:04:50.711 ignoring config file logging statement due to -g option
11-Aug-2009 12:04:50.765 zone 0.in-addr.arpa/IN: NS 'localhost.0.in-addr.arpa' has no address records (A or AAAA)
11-Aug-2009 12:04:50.767 zone 0.in-addr.arpa/IN: loaded serial 42
11-Aug-2009 12:04:50.778 zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
11-Aug-2009 12:04:50.830 zone 255.in-addr.arpa/IN: NS 'localhost.255.in-addr.arpa' has no address records (A or AAAA)
11-Aug-2009 12:04:50.831 zone 255.in-addr.arpa/IN: loaded serial 42
11-Aug-2009 12:04:50.835 zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 1997022700
11-Aug-2009 12:04:50.841 zone localdomain/IN: loaded serial 42
11-Aug-2009 12:04:50.844 zone localhost/IN: loaded serial 42
11-Aug-2009 12:04:50.845 running
只要有最后一行，那么你的配置就算是基本成功了。
第一次启动遇到如下问题：
[root@jww ~]# /usr/sbin/named -gc /etc/named.conf
11-Aug-2009 12:10:44.292 starting BIND 9.4.3-P3 -gc /etc/named.conf
11-Aug-2009 12:10:44.294 using up to 4096 sockets
11-Aug-2009 12:10:44.307 loading configuration from '/etc/named.conf'
11-Aug-2009 12:10:44.309 /etc/rndc.key:1: key 'rndc-key': already exists previous definition: /etc/named.conf:18
11-Aug-2009 12:10:44.311 loading configuration: failure
11-Aug-2009 12:10:44.312 exiting (due to fatal error)
[root@jww ~]#
解决方法：将/etc/rndc.key文件屏蔽
第二次启动出现如下错误：
[root@jww etc]# /usr/local/sbin/named -gc /etc/named.conf
10-Dec-2008 00:26:07.283 starting BIND 9.6.1-P1 -gc /etc/named.conf
10-Dec-2008 00:26:07.288 built with '--disable-openssl-version-check'
10-Dec-2008 00:26:07.289 using up to 4096 sockets
10-Dec-2008 00:26:07.305 loading configuration from '/etc/named.conf'
10-Dec-2008 00:26:07.308 /etc/named.conf:92: open: /etc/rndc.key: file not found
10-Dec-2008 00:26:07.311 loading configuration: file not found
10-Dec-2008 00:26:07.312 exiting (due to fatal error)
解决方法：将named.conf文件的第92行屏蔽

6.使用rndc控制named
[root@jww ~]# rndc status
number of zones: 17
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
[root@jww ~]#
[root@jww named]# /usr/sbin/rndc stop
10-Dec-2008 00:43:29.579 received control channel command 'stop'
10-Dec-2008 00:43:29.581 shutting down: flushing changes
10-Dec-2008 00:43:29.582 stopping command channel on 127.0.0.1#953
[root@jww named]# 10-Dec-2008 00:43:29.588 no longer listening on 127.0.0.1#53
10-Dec-2008 00:43:29.589 no longer listening on 10.8.1.195#53
10-Dec-2008 00:43:29.600 exiting

[1]+ Done /usr/local/sbin/named -gc /etc/named.conf (wd: /etc)
(wd now: /var/named)
[root@jww named]#

7.升级到bind-9.6.1
停止named服务
[root@jww jww]# tar -zxvf bind-9.6.1-P1.tar.gz
[root@jww jww]# cd bind-9.6.1-P1
[root@jww bind-9.6.1-P1]# ./configure --disable-openssl-version-check
[root@jww bind-9.6.1-P1]# make
[root@jww bind-9.6.1-P1]# make install
[root@jww bind-9.6.1-P1]# /usr/sbin/named -v
BIND 9.6.1-P1
[root@jww bind-9.6.1-P1]#/usr/local/sbin/rndc-confgen >rndc.conf
使用rndc.conf中的key和named.conf文件覆盖。
[root@jww etc]# /usr/local/sbin/named -gc /etc/named.conf & 后台启动named
[root@jww etc]# /usr/local/sbin/rndc status
version: 9.6.1-P1
number of zones: 17
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
[root@jww etc]

8.打开系统防火墙，打开53端口TCP和UDP应用。这个是为了别的机器使用本机的域名解析服务。

9.测试：
[root@jww named]# dig @10.8.1.195 www.sohu.com

; <<>> DiG 9.6.1-P1 <<>> @10.8.1.195 www.sohu.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10924
;; flags: qr rd ra; QUERY: 1, ANSWER: 10, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
; www.sohu.com. IN A

;; ANSWER SECTION:
www.sohu.com. 600 IN CNAME d7.a.sohu.com.
d7.a.sohu.com. 1200 IN CNAME pgcnctct07.a.sohu.com.
pgcnctct07.a.sohu.com. 300 IN A 61.135.179.160
pgcnctct07.a.sohu.com. 300 IN A 61.135.179.184
pgcnctct07.a.sohu.com. 300 IN A 61.135.179.190
pgcnctct07.a.sohu.com. 300 IN A 61.135.133.37
pgcnctct07.a.sohu.com. 300 IN A 61.135.133.38
pgcnctct07.a.sohu.com. 300 IN A 61.135.133.88
pgcnctct07.a.sohu.com. 300 IN A 61.135.133.89
pgcnctct07.a.sohu.com. 300 IN A 61.135.179.155

;; AUTHORITY SECTION:
a.sohu.com. 3600 IN NS z.a.sohu.com.
a.sohu.com. 3600 IN NS x.a.sohu.com.
a.sohu.com. 3600 IN NS y.a.sohu.com.

;; Query time: 926 msec
;; SERVER: 10.8.1.195#53(10.8.1.195)
;; WHEN: Wed Dec 10 00:37:35 2008
;; MSG SIZE rcvd: 250