1.环境:
本地机器: win11
虚拟机: centos-release-7-9.2009.1.el7.centos.x86_64
DNS(named):BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.16 (Extended Support Version) <id:7107deb>
2.地址说明:
网关路由器: 192.168.3.1
本地机器: 192.168.3.9
本地虚拟机:192.168.3.101
本地虚拟机:192.168.3.102
本地虚拟机:192.168.3.103
3.规划:
192.168.3.101 dns.vm.com # DNS服务器,named
192.168.3.101 vm101.vm.com
192.168.3.102 vm102.vm.com
192.168.3.103 vm103.vm.com
4. 101 虚拟机 (192.168.3.101) 的 DNS 配置:
注: 修改处,以 $$$标注,使用时可以删除
配置1、 /etc/named.conf
# vim /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
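options {
    // Listen on every IPv4 address so the other VMs and the Win11 host can reach
    // this server; IPv6 stays loopback-only.
    listen-on port 53 { $$$any;$$$ };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file "/var/named/data/named.recursing";
    secroots-file "/var/named/data/named.secroots";
    // Anyone may query the zones this server is authoritative for (vm.com and
    // 3.168.192.in-addr.arpa); who may use it recursively is limited separately
    // by allow-recursion below.
    allow-query { $$$any;$$$ };
    /*
    - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
    - If you are building a RECURSIVE (caching) DNS server, you need to enable
    recursion.
    - If your recursive DNS server has a public IP address, you MUST enable access
    control to limit queries to your legitimate users. Failing to do so will
    cause your server to become part of large scale DNS amplification
    attacks. Implementing BCP38 within your network would greatly
    reduce such attack surface
    */
    // Recursion is required here: names outside vm.com (www.baidu.com etc.) are
    // answered through the forwarders.
    recursion yes;
    // Only the lab network (192.168.3.0/24, see the address plan) and the server
    // itself may recurse. With listen-on { any; } and allow-query { any; } and no
    // allow-recursion, every reachable host could use this as an open resolver,
    // which is exactly what the comment above warns against.
    $$$allow-recursion { localhost; 192.168.3.0/24; };$$$
    // No secondary server exists in this setup, so refuse AXFR/IXFR outright
    // instead of relying on BIND 9.11's default of allowing transfers to any host.
    $$$allow-transfer { none; };$$$
    dnssec-enable yes;
    dnssec-validation yes;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.root.key";
    // forward first;
    // Queries for names this server is not authoritative for are sent to the
    // public resolvers.
    $$$forwarders { 8.8.8.8; 8.8.4.4; };$$$
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};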
logging {
// Debug/trace output goes to data/named.run; the path is relative to the
// "directory" option in the options block, i.e. /var/named/data/named.run.
channel default_debug {
file "data/named.run";
// "dynamic": the channel logs at whatever debug level named is currently
// running with (changed at run time, e.g. via rndc trace).
severity dynamic;
};
};
// Root hints: named.ca lists the root name servers. Because forwarders are set
// in options (BIND's default mode is "forward first"), these hints are only
// used for iterative resolution if the forwarders do not answer.
zone "." IN {
type hint;
file "named.ca";
};
// RFC 1912 local zones (localhost, 127.0.0.1, ::1, 0.in-addr.arpa) plus, in
// this setup, the vm.com forward zone and the 3.168.192.in-addr.arpa reverse
// zone (配置2).
include "/etc/named.rfc1912.zones";
// Root DNSSEC trust anchor, used by dnssec-validation and also named in
// bindkeys-file above.
include "/etc/named.root.key";
配置2、 /etc/named.rfc1912.zones
# vim /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Distro default: serve "localhost.localdomain" from named.localhost
// (loopback addresses). Static zone, dynamic updates rejected.
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
// Distro default: serve "localhost" from the same named.localhost file.
// Static zone, dynamic updates rejected.
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
$$$
// 正向解析
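zone "vm.com" IN {
    // Primary (authoritative) copy of the forward zone; the records are in
    // /var/named/named.vm.com.zone (配置3), relative to the options "directory".
    type master;
    file "named.vm.com.zone";
    // Static zone maintained by hand: reject dynamic updates.
    allow-update { none; };
    // No secondary server is configured, so refuse zone transfers; without this
    // BIND 9.11 would hand the whole zone to any host that asks for an AXFR.
    allow-transfer { none; };
};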
// 反向解析
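zone "3.168.192.in-addr.arpa" IN {
    // Primary copy of the reverse zone for 192.168.3.0/24; records are in
    // /var/named/named.3.168.192.zone (配置4).
    type master;
    file "named.3.168.192.zone";
    // Static zone maintained by hand: reject dynamic updates.
    allow-update { none; };
    // No secondary server is configured, so refuse zone transfers; without this
    // BIND 9.11 would hand the whole zone to any host that asks for an AXFR.
    allow-transfer { none; };
};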
$$$
// Distro default: reverse zone for the IPv6 loopback address ::1.
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
// Distro default: reverse zone for the IPv4 loopback address 127.0.0.1.
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
// Distro default: empty zone for 0.0.0.0/8 so such reverse lookups are answered
// locally instead of being forwarded.
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
配置3、 /var/named/named.vm.com.zone
注: 全新文档,可复制 /var/named/named.localhost然后修改
# vim /var/named/named.vm.com.zone
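$TTL 1D
; Zone apex. MNAME names the primary server (dns.vm.com., which has an A record
; below; the bare "vm.com." has none). RNAME is the responsible mailbox with the
; '@' written as '.', i.e. root@vm.com.
@       IN SOA  dns.vm.com. root.vm.com. (
                1       ; serial  - increase it on every edit, or caches keep the old data
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum (negative-caching TTL)
; Owner name written explicitly so the NS record does not depend on leading
; whitespace: a line starting with "NS" in column 0 is read as owner "NS".
@       IN NS   dns.vm.com.
dns     IN A    192.168.3.101
vm101   IN A    192.168.3.101
vm102   IN A    192.168.3.102
vm103   IN A    192.168.3.103
vm104   IN A    192.168.3.104
vm105   IN A    192.168.3.105
; alias: vmc resolves to vm103's address
vmc     IN CNAME vm103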
配置4、 /var/named/named.3.168.192.zone
注: 全新文档,可复制 /var/named/named.empty 然后修改
vim /var/named/named.3.168.192.zone
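$TTL 3H
; Reverse zone for 192.168.3.0/24. Owner names are the last octet of the address.
; MNAME names the primary server (dns.vm.com.), RNAME is root@vm.com written
; with '.' in place of '@'.
@       IN SOA  dns.vm.com. root.vm.com. (
                1       ; serial  - increase it on every edit, or caches keep the old data
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum (negative-caching TTL)
; Owner name written explicitly so the NS record does not depend on leading
; whitespace: a line starting with "NS" in column 0 is read as owner "NS".
@       IN NS   dns.vm.com.
; 192.168.3.101 carries two names; a reverse lookup returns both PTRs.
101     IN PTR  dns.vm.com.
101     IN PTR  vm101.vm.com.
102     IN PTR  vm102.vm.com.
103     IN PTR  vm103.vm.com.
104     IN PTR  vm104.vm.com.
105     IN PTR  vm105.vm.com.
; vmc is a CNAME (alias) in the forward zone, not an address record; reverse
; entries conventionally name only the canonical host, so this PTR is optional.
103     IN PTR  vmc.vm.com.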
5.启动dns服务
1)启动named
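# Check the syntax before (re)starting: a broken file otherwise only shows up
# as a failed unit in journalctl.
named-checkconf /etc/named.conf
named-checkzone vm.com /var/named/named.vm.com.zone
named-checkzone 3.168.192.in-addr.arpa /var/named/named.3.168.192.zone
systemctl enable named   # start automatically at boot; the other VMs point DNS1 at this host
systemctl start named    # start the DNS service
systemctl stop named     # stop the DNS service
systemctl restart named  # restart the DNS service (needed after editing named.conf or a zone file)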
可能问题1: 加载 named.vm.com.zone 失败, 原因通常是 named 进程没有读取该文件的权限。
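# Give the named service account read access via group ownership instead of
# making the zone files world-readable (chmod o+r).
chown root:named /var/named/named.vm.com.zone /var/named/named.3.168.192.zone
chmod 640 /var/named/named.vm.com.zone /var/named/named.3.168.192.zone
# If named still cannot read them on an SELinux-enforcing CentOS 7 host, the
# files may carry the wrong label; restore it with:
#   restorecon -v /var/named/named.vm.com.zone /var/named/named.3.168.192.zone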
可能问题2: 防火墙拦截。可以关闭防火墙, 或者在防火墙上只开放 DNS 使用的 53 端口 (TCP 和 UDP)。
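# Open 53/tcp and 53/udp in the public zone. Each command goes on its own line:
# written after a "#" on the same line, the second command is only a comment.
firewall-cmd --permanent --add-port=53/tcp --zone=public
firewall-cmd --permanent --add-port=53/udp --zone=public
# --permanent rules are written to disk but not applied until a reload.
firewall-cmd --reload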
6、 本地机器配置
设置DNS
# vim /etc/sysconfig/network-scripts/ifcfg-eth0
TYPE="Ethernet"
PROXY_METHOD="none"
BROWSER_ONLY="no"
# Static addressing (no DHCP), so the DNS1 value below is what the resolver uses.
BOOTPROTO="static"
# This example is the 192.168.3.101 VM itself (the named host, see the address
# plan). On the other VMs use their own address and keep DNS1 the same.
IPADDR="192.168.3.101"
NETMASK="255.255.255.0"
GATEWAY="192.168.3.1"
# Resolver: the BIND server configured above.
DNS1="192.168.3.101"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
IPV6_ADDR_GEN_MODE="stable-privacy"
NAME="eth0"
# The trailing XXXX is a placeholder in this write-up; keep the UUID the system
# generated for the interface.
UUID="0dc95cee-525a-48a7-a2c8-XXXX"
DEVICE="eth0"
ONBOOT="yes"
IPV6_PRIVACY="no"
7、 测试验证:
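# Forward lookups through the new server; the expected first output line is
# shown after each command.
ping dns.vm.com # PING dns.vm.com (192.168.3.101) 56(84) bytes of data.
ping vm101.vm.com # PING vm101.vm.com (192.168.3.101) 56(84) bytes of data.
ping vm103.vm.com # PING vm103.vm.com (192.168.3.103) 56(84) bytes of data.
# Public names, answered via the forwarders.
ping www.baidu.com # PING www.a.shifen.com (153.3.238.110) 56(84) bytes of data.
ping www.made-in-chian.com # PING www.made-in-chian.com (95.211.189.152) 56(84) bytes of data.
# Query the server directly: this checks DNS on its own, whereas ping also
# depends on ICMP being allowed. Expected answers follow the zone files above.
dig @192.168.3.101 vm101.vm.com A +short      # expected: 192.168.3.101
dig @192.168.3.101 vmc.vm.com A +short        # expected: vm103.vm.com. then 192.168.3.103
dig @192.168.3.101 -x 192.168.3.103 +short    # expected: vm103.vm.com. (and vmc.vm.com. if that PTR is kept)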