linux下安装bind

linux下安装bind

                                      

.Bind 简介。

Bind
是一款开放源码的DNS服务器软件,Bind由美国加州大学Berkeley分校开发和维护的,全名为Berkeley Internet Name Domain它是目前世界上使用最为广泛的DNS服务器软件,支持各种unix平台和windows平台。本文将介绍它在Red hat Linux 9中最基本的安装和配置。

.、软件的相关资源。

官方网站:http://www.bind.com/
源码软件包:Bind 是开源的软件,可以去其官方网站下载。http://www.isc.org/index.pl,目前最新版本为bind-9.3.1

帮助文档:http://www.isc.org/index.pl有该软件比较全面的帮助文档。

FAQ
http://www.isc.org/index.pl回答了该软件的常见问题。

配置文件样例:http://www.bind.com/bind.html 一些比较标准的配置文件样例。

.、软件的安装。

1.
安装

由其官方网站中下载其源码软件包bind-9.3.1. tar.gz。接下来我将对安装过程的一些重要步骤,给出其解释:

[root@localhost root]#tar –zvxf bind-9.3.1. tar.gz

[root@localhost root]#cd bind-9.3.1

[root@localhost bind-9.3.1]# ./configure--prefix=/usr/local/bind    

[root@localhost bind-9.3.1]#make

[root@localhost bind-9.3.1]#make install


tar –zvxf bind-9.3.1.tar.gz
解压缩软件包。

./configure
针对机器作安装的检查和设置,大部分的工作是由机器自动完成的,但是用户可以通过一些参数来完成一定的设置,其常用选项有:

./configure --help
察看参数设置帮助。

--prefix=
指定软件安装目录(默认/usr/local/)。

--enable-ipv6
支持ipv6

可以设置的参数很多,可以通过 -help察看需要的,一般情况下,默认设置就可以了。

默认情况下,安装过程是不会建立配置文件和一些默认的域名解析的,不过并不妨碍,可以从下载一些标准的配置文件(http://www.bind.com/bind.html),也可以使用本文所提供的样例文件。

默认情况下,安装在/usr/local/bind/sbin/named

默认的主配置文件,/usr/local/bind/etc/named.conf(须手动建立)。

 

四、建立BIND用户:

# groupadd bind
# useradd -g bind -d /usr/local/named -s /sbin/nologin bind

五、创建配置文件目录:

# mkdir  /usr/local/named/etc 
# chown bind:bind /usr/local/bind/etc 
# chmod 700 /usr/local/bind/etc

六、创建主要的配置文件:

# vi /usr/local/bind/etc/named.conf
===========================named.conf=======================

acl "trust-lan" { 127.0.0.1/16; 192.168.0.0/24;};
options {
         directory "/usr/local/bind/etc/";
pid-file "/var/run/named/named.pid";
version "0.0.0";
datasize 40M;
allow-transfer {
"trust-lan";};
recursion yes;
allow-notify {
"trust-lan";
};
allow-recursion {
"trust-lan";
};
auth-nxdomain no;
forwarders {
202.106.124.90;
202.106.0.20;};
};
logging {
        channel warning
        { file "/var/log/named/dns_warnings" versions 3 size 1240k;
        severity warning;
        print-category yes;
        print-severity yes;
        print-time yes;
        };
        channel general_dns
        { file "/var/log/named/dns_logs" versions 3 size 1240k;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
        };
        category default { warning; };
        category queries { general_dns; };
};
zone "." {
        type hint;
        file "named.root";
};

zone "0.0.127.IN-ADDR.ARPA" {
        type master;
        file "localhost";
};

zone "wang.st.com" {
        type slave;
        file "wang.st.com";
        masters {
                192.168.0.1;
        };
};

zone "0.168.192.in-addr.arpa" {
        type slave;
        file "0.168.192.in-addr";
        masters {
                192.168.0.1;
        };
};
=========================named.conf==========================

# vi /usr/local/bind/etc/home.com

============================ wang.st.com ==========================
$TTL 86400
$ORIGIN home.com.
@       IN      SOA     wang.st.com. root.wang.st.com (
        2001111601 ; serial
        28800 ; refresh
        14400 ; retry
        3600000 ; expire
        86400 ; default_ttl
        )
        IN      NS      wang.st.com.

;; -- default address -

@       IN      A       192.168.0.1

;; -- wang SerVer --

wang    IN      A               192.168.0.1
           IN      MX      0       wang.st.com.
          IN       MX      10      wang.st.com 
IN      HINFO           "Fedora 3".
           IN      TXT             "The internet gateway".

dns     IN      CNAME   wang
www     IN      CNAME   wang
mail    IN      CNAME   wang
ftp     IN      CNAME   wang
============================ wang.st.com ==========================

# vi /usr/local/bind/etc/0.168.192.in-addr

======================== 0.168.192.in-addr =====================
$TTL 86400
@       IN      SOA     wang.st.com. root.wang.st.com. (
                2001111601      ; Serial
                28800           ; refresh
                14400           ; retry
                3600000         ; expire
                86400 )         ; minimum

@       IN      NS      wang.st.com.
1       IN      PTR     wang.st..com..
1       IN      PTR     www.wang.com.
1       IN      PTR     mail.wang.com.
1       IN      PTR     ftp.wang.com.
======================== 0.168.192.in-addr ======================

# vi /usr/local/bind/etc/localhost
=========================== localhost ===========================
$TTL    3600
@       IN      SOA     wang.st.com. root.wang.st.com.  (
                                20040526  ; Serial
                                3600       ; Refresh
                                900        ; Retry
                                3600000   ; Expire
                                3600 )    ; Minimum
        IN      NS      wang.st.com.
1       IN      PTR    wang.st.com.
=========================== localhost ===========================

更新根区文件:

# cd /usr/local/bind/etc/
# wget ftp://ftp.internic.org/domain/named.root

或者
# cd /usr/local/bind/etc/
# vi named.root

=========================== name.root ===========================
;       This file holds the information on root name servers needed to

;       initialize cache of Internet domain name servers

;       (e.g. reference this file in the "cache  .  <file>"

;       configuration file of BIND domain name servers).

;

;       This file is made available by InterNIC

;       under anonymous FTP as

;           file                /domain/named.root

;           on server           FTP.INTERNIC.NET

;       -OR-                    RS.INTERNIC.NET

;

;       last update:    Jan 29, 2004

;       related version of root zone:   2004012900

;

;

; formerly NS.INTERNIC.NET

;

.                        3600000  IN  NS    A.ROOT-SERVERS.NET.

A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4

;

; formerly NS1.ISI.EDU

;

.                        3600000      NS    B.ROOT-SERVERS.NET.

B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201

;

; formerly C.PSI.NET

;

.                        3600000      NS    C.ROOT-SERVERS.NET.

C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12

;

; formerly TERP.UMD.EDU

;

.                        3600000      NS    D.ROOT-SERVERS.NET.

D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90

;

; formerly NS.NASA.GOV

;

.                        3600000      NS    E.ROOT-SERVERS.NET.

E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10

;

; formerly NS.ISC.ORG

;

.                        3600000      NS    F.ROOT-SERVERS.NET.

F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241

;

; formerly NS.NIC.DDN.MIL

;

.                        3600000      NS    G.ROOT-SERVERS.NET.

G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4

;

; formerly AOS.ARL.ARMY.MIL

;

.                        3600000      NS    H.ROOT-SERVERS.NET.

H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53

;

; formerly NIC.NORDU.NET

;

.                        3600000      NS    I.ROOT-SERVERS.NET.

I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17

;

; operated by VeriSign, Inc.

;

.                        3600000      NS    J.ROOT-SERVERS.NET.

J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30

;

; operated by RIPE NCC

;

.                        3600000      NS    K.ROOT-SERVERS.NET.

K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129

;

; operated by ICANN

;

.                        3600000      NS    L.ROOT-SERVERS.NET.

L.ROOT-SERVERS.NET.      3600000      A     198.32.64.12

;

; operated by WIDE

;

.                        3600000      NS    M.ROOT-SERVERS.NET.

M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33

; End of File

=========================== name.root ===========================


创建PID和日志文件:

# mkdir /var/run/named/
# chmod 777 /var/run/named/
# chown bind:bind /var/run/named/

# mkdir /var/log/named/
# touch /var/log/named/dns_warnings
# touch /var/log/named/dns_logs
# chown bind:bind /var/log/named/* 

生成rndc-key

# cd /usr/local/bind/etc/
# ../sbin/rndc-confgen > rndc.conf

rndc.conf中:
# Use with the following in named.conf, adjusting the allow list as needed: 
后面以的部分加到/usr/local/bind/etc/named.conf中并去掉注释

 

七、启动:

[root@localhost root]# /usr/local/sbin/named -g


状态检查:

# /usr/local/bind/sbin/rndc status


/usr/local/bind/sbin/named
默认情况是一个后台deamon ,-g选项表示前台运行,并将调试信息打印到标准输出,这在我们安装调试阶段是非常有帮助的。

如果建立了配置文件和域名解析文件(关于怎样建立将在下面的部分讲到),ps aux 应该可以查到named 的进程,或netstat -an 也可以看到53端口的服务已经起来了。(DNS默认端口为53

如果要设置开机自启动DNS server,只需在/etc/rc.d/rc.local中加入一行

/usr/local/bind/sbin/named

#!/bin/sh

#

# This script will be executed *after* all the other init scripts.

# You can put your own initialization stuff in here if you don't

# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local

 

/usr/local/bind/sbin/named

 

八、安装使用的一些经验:

1.带调试信息的启动

named -g

/usr/local/sbin/named默认情况是一个后台deamon ,-g选项表示前台运行,并将调试信息打印到标准输出,这在我们安装调试阶段是非常有帮助的。

2.客户端命令nslookup简介

windows ,linux 平台均支持此调试命令。

键入nslookup即进入与服务器交互状态,这时键入域名或ip地址就可以向服务器正向或逆向查询。

>www.test.com 正向域名解析

>192.168.0.1 逆向IP解析  

>exit 退出。

DNS解析BIND 9(适用于WINDOWS桌面系统) 完全改进: Security Fixes Treat an all zero netmask as invalid when generating the localnets acl to workaround bug on Windows platform. [CVE-2013-6230] [RT #34687] Fix crashes when serving some NSEC3 signed zones. memcpy was incorrectly called with overlapping ranges, resulting in malformed names being generated on some platforms. This could cause INSIST failures. (CVE 2014-0591) [RT #35120] Features Changes Add the ability to specify ndots to "nslookup". [RT #34711] Introduce a new tool "dnssec-importkey" to allow externally-generated DNSKEY to be imported into the DNSKEY management framework. [RT #34698] Check that EDNS subnet client options are well formed. [RT #34718] "named" now preserves the capitalization of names when responding to queries. [RT #34737] Include a comment in .nzf files (used for adding new zones via "rndc"), giving the name of the associated view. [RT #34765] Use separate rate limiting queues for refresh and notify requests. [RT #30589] Adjust when a master server is deemed unreachable to be less aggressive. [RT #27075] Create delegations for all "children" of empty zones except "forward first". [RT #34826] Changed the name of "isc-config.sh" developers script (for outputting compiler and linker flags) to "bind9-config". [RT #23825] Add "dig" option to keep the TCP socket open between successive queries (+[no]keepopen). [RT #34918] Add dns_client_createx2() function to DNS Client API to provide a way to specify the local address for use when sending update packets. [RT #34811] "named-checkconf -z" now checks zones of type hint as well as master. [RT #35046] Update config.guess and config.sub to add support for ppc64le (powerpc 64-bit Little Endian). [RT #35060] Update the Windows build system to support feature selection and WIN64 builds. This is a work in progress. [RT #34160] Add "dnssec-signzone -Q" switch to drop signatures from keys that are still published but no longer active. [RT #34990] Add a more detailed "not found" message to "rndc" commands which specify a zone name. [RT #35059] named will now warn when a zone's configured "key-directory" does not exist or is not a directory. [RT #35108] Added improvements to statistics channel XSL stylesheet: the stylesheet can now be cached by the browser; section headers are omitted from the stats display when there is no data in those sections to be displayed; counters are now right-justified for easier readability. (Only available with ./configure --enable-newstats.) [RT #35117] "named-checkconf" can now obscure shared secrets when printing by specifying '-x'. [RT #34465] "named" can now accept integer timestamps in RRSIG records. [RT #35185] The export-library API call for loading "resolv.conf", irs_resconf_load(), has been modified to return ISC_R_FILENOTFOUND when the file does not exist and initializes the resconf structure as if the file had existed and configured with nameservers at the localhost addresses (127.0.0.1 and ::1). [RT #35194] Bug Fixes Treat type 65533 (KEYDATA) as opaque except when used in a key zone. [RT #34238] Fix "host" and "nslookup" so don't need dot after the domain by checking ndots when searching. Only continue searching on NXDOMAIN responses. [RT #34711] Handle changes to sig-validity-interval settings better. [RT #34625] Fix bug where journal filename string could be set incorrectly, causing garbage in log messages. [RT #34738] Address a race condition when shutting down a zone. [RT #34750] Address race condition with manual notify requests. [RT #34806] Fix nslookup crash where some readline clones don't accept NULL pointers when calling add_history. [RT #34842] Fix Linux compilation issue when libcap-devel is installed. [RT #34838] Fix installation on Solaris -- don't add explicit make dependencies/rules for python programs as make won't use the implicit rules. [RT #34835] Fix hanging server with inline-signed zones by addressing lock order reversal deadlock with inline zones. [RT #34856] Fix "host" failure if a UDP query timed out. [RT #34870] Address bugs in dns_rdata_fromstruct and dns_rdata_tostruct for WKS and ISDN types. [RT #34910] Updated OpenSSL PKCS#11 patches to fix active list locking and other bugs. [RT #34855] Fix a potential hang with failure to release lock on error in receive_secure_db. #34944] Fix cast in lex.c which could see 0xff treated as EOF. This fixes issue with potential bad data in a database used by DLZ or SDB. [RT #34993] Fix build issue on newer FreeBSD needing -lhx509 for GSSAPI build. [RT #35001] Address read after free in server side of lwres_getrrsetbyname. [RT #29075] Fix "nsupdate" memory leak if "realm" was used multiple times. [RT #35073] Fix "dig" for cleaning up TCP sockets still waiting on connect(). [RT #35074] Fix "dnssec-importkey" so imported key won't overwrite an existing non-imported private key. Fix issue where queries covered by a disabled Response Policy Zone (query type was '*') are answered with TTL of 0. [RT #35026] Fix "nsupdate" memory leak if "realm" was used multiple times. [RT #35073] Fix "dig" for cleaning up TCP sockets still waiting on connect(). [RT #35074] Fix issue with "rndc retransfer" with inline-signing replacing NSEC3 with NSEC records. [RT #34745] Fix issue with "rndc refresh" failing to sign slave zones using inline-signing. [RT #35105] Fix potential hang (detected by our inline-signing system test) with null pointer dereference in libdns zone_xfrdone. [RT #35042] Address bug in libdns loadnode function that could return a freed node on out of memory. [RT #35106] Fixed a bug causing an insecure delegation from one "static-stub" zone to another to fail with a broken trust chain. [RT #35081] Fixed problem where iterative responses could be discarded when the "query-source" port for an upstream query was the same as the listener port (53). [RT #34925] Fix crashes in RBTDB implementation. Two calls to dns_db_getoriginnode were fatal if there was no data at the node. [RT #35080] Fix a possible race and crash in the socket_search() function in dispatch.c. [RT #35107] Fix "dig" so it can handle AXFR style IXFR responses which span multiple messages. [RT #35137] Fix a "host" tool problem with converting UTF-8 textname to IDN encoding by handling "." as a search list element when IDN support is enabled. [RT #35133] Fix "queryperf" to prevent a possible integer overflow when printing results. [RT #35182] Prevent a theoretically possible race and crash when obtaining a socket in dispatch.c [RT #35128] Use built-in versions of strptime() and timegm() on all platforms to avoid portability issues. [RT #35183] Fix a bug which could cause a crash when running "rndc reconfig" or "rndc reload" after configuration is changed from regular zones to automatic empty zones. [RT #35177]
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值