Reposted from: http://blog.163.com/am_hk/blog/static/103375926201310125158117/
Server environment: CentOS 5.8 i686
IP: 192.168.50.117
Clients (used to verify the service): two machines, one in 192.168.5.x and one in 192.168.9.x; any address in those subnets will do
The write-up is in four parts: I. Basic DNS; II. Multi-domain DNS; III. Views; IV. Master/slave DNS
I. Basic DNS
1. Download BIND
wget http://down1.chinaunix.net/distfiles/bind-9.5.1-P3.tar.gz
2. Install
tar zxvf bind-9.5.1-P3.tar.gz
cd bind-9.5.1-P3
./configure --prefix=/usr/local/named --disable-openssl-version-check
## --disable-openssl-version-check skips the check of the system OpenSSL version; alternatively, upgrade the system OpenSSL
make && make install
After installation the following directories are created under /usr/local/named:
# ls /usr/local/named/
bin etc include lib sbin share var
3. Configuration
3.1 rndc configuration
rndc is the tool for controlling BIND's behaviour remotely. For example, after editing a zone file you can reload just that zone with rndc reload <zone>; you could instead stop the named process and start it again, but that is nowhere near as convenient or flexible.
The rndc configuration file rndc.conf is not written by hand in vim; generate it with rndc-confgen:
/usr/local/named/sbin/rndc-confgen > /usr/local/named/etc/rndc.conf
cat /usr/local/named/etc/rndc.conf
# Start of rndc.conf
key "rndc-key" {
algorithm hmac-md5;
secret "SAUGgJgyaOPSAF0eeuSrpQ==";
};
options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};
# End of rndc.conf
# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# algorithm hmac-md5;
# secret "SAUGgJgyaOPSAF0eeuSrpQ==";
# };
#
# controls {
# inet 127.0.0.1 port 953
# allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
### Notes:
key: used for authentication
options: the defaults applied when rndc is run by hand without options
3.2 Main configuration file named.conf
For basic DNS functionality, named.conf can be thought of as four blocks: options, authentication (controls), query logging and zones.
(1) Options block
options {
directory "/data/named";
allow-query-cache {any;};
pid-file "named.pid";
};
This block defines where the zone files and other data live, such as the query log and the PID file. Note: the data files are kept in a different path from the installation directory to make inspection and maintenance easier.
(2) Authentication block
key "rndc-key" {
algorithm hmac-md5;
secret "SAUGgJgyaOPSAF0eeuSrpQ==";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
This content is copied from rndc.conf. If you go on to set up master/slave DNS, a further key block is needed; this is revisited when views are configured.
(3) Query logging block
logging {
channel query_log {
file "query.log" versions 5 size 20m;
severity info;
print-time yes;
print-category yes;
};
category queries {
query_log;
};
};
file "query.log" versions 5 size 20m; names the query log query.log, lets each file grow to 20 MB and rolls over to a new file when that size is reached, keeping five old versions.
(4) Zone blocks
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};
zone "hh.com" IN {
type master;
file "hh.com.zone";
allow-update { none; };
};
3.3 Writing the zone data files
(1) Root hints file named.ca
vim /data/named/named.ca
; <<>> DiG 9.5.0b2 <<>> +bufsize=1200 +norec NS . @a.root-servers.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7033
;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 20
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
. 518400 IN NS D.ROOT-SERVERS.NET.
. 518400 IN NS E.ROOT-SERVERS.NET.
. 518400 IN NS F.ROOT-SERVERS.NET.
. 518400 IN NS G.ROOT-SERVERS.NET.
. 518400 IN NS H.ROOT-SERVERS.NET.
. 518400 IN NS I.ROOT-SERVERS.NET.
. 518400 IN NS J.ROOT-SERVERS.NET.
. 518400 IN NS K.ROOT-SERVERS.NET.
. 518400 IN NS L.ROOT-SERVERS.NET.
. 518400 IN NS M.ROOT-SERVERS.NET.
. 518400 IN NS A.ROOT-SERVERS.NET.
. 518400 IN NS B.ROOT-SERVERS.NET.
. 518400 IN NS C.ROOT-SERVERS.NET.
;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET. 3600000 IN A 198.41.0.4
A.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:503:ba3e::2:30
B.ROOT-SERVERS.NET. 3600000 IN A 192.228.79.201
C.ROOT-SERVERS.NET. 3600000 IN A 192.33.4.12
D.ROOT-SERVERS.NET. 3600000 IN A 128.8.10.90
E.ROOT-SERVERS.NET. 3600000 IN A 192.203.230.10
F.ROOT-SERVERS.NET. 3600000 IN A 192.5.5.241
F.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:500:2f::f
G.ROOT-SERVERS.NET. 3600000 IN A 192.112.36.4
H.ROOT-SERVERS.NET. 3600000 IN A 128.63.2.53
H.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:500:1::803f:235
I.ROOT-SERVERS.NET. 3600000 IN A 192.36.148.17
J.ROOT-SERVERS.NET. 3600000 IN A 192.58.128.30
J.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:503:c27::2:30
K.ROOT-SERVERS.NET. 3600000 IN A 193.0.14.129
K.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:7fd::1
L.ROOT-SERVERS.NET. 3600000 IN A 199.7.83.42
M.ROOT-SERVERS.NET. 3600000 IN A 202.12.27.33
M.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:dc3::35
;; Query time: 110 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Tue Feb 26 15:05:57 2008
;; MSG SIZE rcvd: 615
This file can be generated with the command /usr/local/named/bin/dig > /data/named/named.ca, but I found the data incomplete, so I copied the file installed by the system's caching-nameserver rpm package instead.
The latest version of the file can also be downloaded from the ISC site, www.isc.org.
(2) Zone data file localhost.zone
vim /var/named/chroot/var/named/localhost.zone
$TTL    86400
$ORIGIN localhost.
@                       IN SOA  @ root (
                                42      ; serial (d. adams)
                                3H      ; refresh
                                15M     ; retry
                                1W      ; expiry
                                1D )    ; minimum
                        IN NS   @
                        IN A    127.0.0.1
                        IN AAAA ::1
(3) Zone data file named.local
$TTL    86400
@       IN SOA  localhost. root.localhost. (
                1997022700  ; Serial
                28800       ; Refresh
                14400       ; Retry
                3600000     ; Expire
                86400 )     ; Minimum
        IN NS   localhost.
1       IN PTR  localhost.
(4) Zone data file hh.com.zone
$TTL 1D
@       IN SOA  ns1.hh.com. root.ns.hh.com. (
                2013111101  ; serial
                3H          ; refresh
                15M         ; retry
                1W          ; expire
                1D )        ; minimum
        IN NS   ns.hh.com.
;       IN NS   ns2.hh.com.
        IN MX   10 mail.hh.com.
; A records
@       IN A    1.1.1.1
ns      IN A    192.168.50.171   ; address of the NS target above
;ns2    IN A    192.168.50.239
www     IN A    1.1.1.2
bbs     IN A    1.1.1.3
mail    IN A    1.1.1.4
; CNAME records
hh.com. IN CNAME www.hh.com.
bbx     IN CNAME bbs
;
; end
Notes on the zone file
Line 1 is the cache time (TTL). The default unit is seconds; here it is one day. The unit can be weeks (W), days (D), hours (H) or minutes (M). A value of 0 means do not cache.
Lines 2-7 define the authoritative server (the SOA record), where @ stands for the domain hh.com.
IN SOA means Internet class, resource type SOA. In a zone file the type can also be NS, MX, A, PTR, CNAME, TXT and so on.
ns.hh.com. is my DNS host, named ns.hh.com. For use on the public Internet this name must match the name server registered with the domain registrar.
Line 3 is the serial number, which decides whether slave servers synchronise their data. Every time the data file is updated, change this value and the slaves will pick up the change.
Line 4 (refresh): the slave compares its copy against the master's serial number every 3 hours.
Line 5 (retry): if the slave's request to the master fails, it retries after 15 minutes.
Line 6 (expire): if the master stays unreachable, the slave keeps serving the zone for 1 week.
Line 7 (minimum): the minimum TTL field, 1 day.
With this, the basic DNS configuration is complete; start it and test.
3.4 Checking the configuration files
/usr/local/named/sbin/named-checkzone hh.com /data/named/hh.com.zone
zone hh.com/IN: loading from master file /data/named/hh.com.zone failed: CNAME and other data
It errors out. A quick Baidu search turned up the explanation below. Since I am only testing, I commented out the empty-hostname (apex) line for now and did not recompile.
(When running named, a BIND built from source does not support CNAME resolution for the empty host name. Comment out the following in lib/dns/rbtdb.c:
        if (rbtversion != NULL &&
            cname_and_other_data(rbtnode, rbtversion->serial))
                return (DNS_R_CNAMEANDOTHER);
then recompile, and the cname record for the empty host name takes effect.)
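named-checkzone rejects that zone because RFC 1034 section 3.6.2 forbids a CNAME owner from holding any other record, and the apex necessarily holds SOA and NS. The following is an added example, not code from the original post: a small Python checker run over a constructed sample zone modelled on hh.com.zone, reproducing the "CNAME and other data" test so the conflict is caught before a reload.

```python
import re
from collections import defaultdict
# Constructed sample modelled on the hh.com.zone above (not the page's own file):
# the apex holds SOA, NS, MX and A records and also a CNAME.
ZONE_TEXT = """\
$TTL 1D
@       IN SOA ns1.hh.com. root.ns.hh.com. (
                2013111101 ; serial
                3H 15M 1W 1D )
        IN NS  ns.hh.com.
        IN MX  10 mail.hh.com.
@       IN A   1.1.1.1
www     IN A   1.1.1.2
hh.com. IN CNAME www.hh.com.
bbx     IN CNAME bbs
"""
TTL_RE = re.compile(r"^\d+[WDHMS]?$", re.I)
CLASSES = {"IN", "CH", "HS"}
def parse_records(text, origin):
    """Return (owner_fqdn, rrtype) pairs; handles ';' comments, '( )' continuation, $ directives, '@' and inherited owners."""
    records, buf, depth, owner = [], [], 0, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not buf and not line.strip():
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth > 0:                     # still inside parentheses
            continue
        explicit_owner = not buf[0][:1].isspace()
        tokens = " ".join(buf).replace("(", " ").replace(")", " ").split()
        buf = []
        if tokens[0].startswith("$"):     # $TTL etc.: directive, not a record
            continue
        if explicit_owner:
            owner = tokens.pop(0)
        while tokens[0].upper() in CLASSES or TTL_RE.match(tokens[0]):
            tokens.pop(0)                 # skip optional TTL and class fields
        name = origin if owner == "@" else owner
        if not name.endswith("."):
            name = f"{name}.{origin}"
        records.append((name.lower(), tokens[0].upper()))
    return records

def cname_conflicts(records):
    """Owners with a CNAME plus other types: named-checkzone's 'CNAME and other data'."""
    types = defaultdict(set)
    for owner, rrtype in records:
        types[owner].add(rrtype)
    return sorted(o for o, t in types.items() if "CNAME" in t and len(t) > 1)
```

Commenting out the apex CNAME line, as done above, makes cname_conflicts return an empty list.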
Check again: no problems. Start it and test: no problems.
/usr/local/named/sbin/named
Check /data/named/query.log; the query records are there.
3.5 Client verification: edit the client's resolver file, comment out the existing DNS server and add one line
vi /etc/resolv.conf
nameserver 192.168.50.117
Next, verify resolution:
# nslookup
> www.hh.com
Server: 192.168.50.117
Address: 192.168.50.117#53
Name: www.hh.com
Address: 1.1.1.2
> mail.hh.com
Server: 192.168.50.117
Address: 192.168.50.117#53
Name: bbs.hh.com
Address: 1.1.1.3
> bbx.hh.com
Server: 192.168.50.117
Address: 192.168.50.117#53
bbx.hh.com canonical name = bbs.hh.com.
Name: bbs.hh.com
Address: 1.1.1.3
>
OK, verification passed; no problems.
4. Verifying rndc
Edit the data file /data/named/hh.com.zone (bump the serial number or add a record),
run /usr/local/named/sbin/rndc reload,
then watch the command output and check the system log (messages).
II. Adding a multi-domain DNS: adding resolution for hh.net
1. Edit the main configuration file, appending the following to the existing configuration.
#vi /usr/local/named/etc/named.conf
zone "hh.net" IN {
type master;
file "hh.net.zone";
allow-update { none; };
};
2. Write the zone data file hh.net.zone
This file can be copied from the earlier hh.com.zone and edited in a few places.
$TTL 1D
@       IN SOA  ns1.hh.net. root.ns.hh.com. (
                2013111201  ; serial
                3H          ; refresh
                15M         ; retry
                1W          ; expire
                1D )        ; minimum
        IN NS   ns.hh.com.
;       IN NS   ns2.hh.com.
        IN MX   10 mail.hh.net.
; A records
@       IN A    3.3.3.1
ns      IN A    192.168.50.171
;ns2    IN A    192.168.50.239
www     IN A    3.3.3.1
bbs     IN A    3.3.3.2
mail    IN A    3.3.3.3
haha    IN A    3.3.3.4
; CNAME records
bbx     IN CNAME bbs
sports  IN CNAME haha.hh.net.
Note: because this is the same DNS system, the authoritative server in the SOA is the same name.
3. Check the zone file and reload
# /usr/local/named/sbin/named-checkzone hh.net /data/named/hh.net.zone
zone hh.net/IN: loaded serial 2013111201
OK
The output above shows the check passed.
# /usr/local/named/sbin/rndc reload
server reload successful
Client verification: omitted.
III. Views (implementing "smart" DNS)
The test environment uses two subnets plus everything else for the views: client subnets 192.168.5.0/24 (cnc), 192.168.9.0/24 (telecom) and the rest (other).
1. ACL files (the source-IP range files)
Because this is a test environment we did not collect public IP ranges; only two subnets are used to exercise the feature, so these files are very simple.
Simulating China Netcom (CNC)
#vi /data/named/cnc.acl.conf
acl CNC {
192.168.5.0/24;
};
Simulating China Telecom
#vi /data/named/telcom.acl.conf
acl TELCOM {
192.168.9.0/24;
};
2. Main configuration file named.conf and the zone files
Add the following on the line after the logging section, and move the original basic configuration into include files as well (easier to maintain).
Note: the files are matched in order. I originally put the include lines last, and as a result everything matched my other view first, because the IP range defined for other is any.
(1) Main configuration file
The modified main configuration file:
# cat /usr/local/named/etc/named.conf
options {
directory "/data/named";
allow-query-cache {any;};
pid-file "named.pid";
};
key "rndc-key" {
algorithm hmac-md5;
secret "SAUGgJgyaOPSAF0eeuSrpQ==";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
logging {
channel query_log {
file "query.log" versions 5 size 20m;
severity info;
print-time yes;
print-category yes;
};
category queries {
query_log;
};
};
include "/data/named/cnc.acl.conf";
include "/data/named/telcom.acl.conf";
include "/data/named/view_cnc.conf";
include "/data/named/view_telcom.conf";
view "other" {
match-clients { any; };
recursion yes;
allow-transfer { none; };
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};
zone "hh.com" IN {
type master;
file "hh.com.zone";
allow-update { none; };
};
zone "hh.net" IN {
type master;
file "hh.net.zone";
allow-update { none; };
};
};
(2) CNC view file
vi /data/named/view_cnc.conf
view "view_cnc" {
match-clients { CNC; };
recursion yes;
allow-transfer { none; };
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};
zone "hh.com" IN {
type master;
file "cnc_hh.com.zone";
allow-update { none; };
};
zone "hh.net" IN {
type master;
file "cnc_hh.net.zone";
allow-update { none; };
};
};
(3) Telecom view file
# vi /data/named/view_telcom.conf
view "view_telcom" {
match-clients { TELCOM; };
recursion yes;
allow-transfer { none; };
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};
zone "hh.com" IN {
type master;
file "telcom_hh.com.zone";
allow-update { none; };
};
zone "hh.net" IN {
type master;
file "telcom_hh.net.zone";
allow-update { none; };
};
};
(4) Create the corresponding zone files
The files differ only in the addresses the records resolve to, which is what gives us simple smart DNS.
# vi /data/named/cnc_hh.com.zone
$TTL 1D
@       IN SOA  ns1.hh.com. root.ns.hh.com. (
                2013111102  ; serial
                3H          ; refresh
                15M         ; retry
                1W          ; expire
                1D )        ; minimum
        IN NS   ns.hh.com.
;       IN NS   ns2.hh.com.
        IN MX   10 mail.hh.com.
; A records
@       IN A    6.6.6.1
ns      IN A    192.168.50.171
;ns2    IN A    192.168.50.239
www     IN A    6.6.6.2
bbs     IN A    6.6.6.3
mail    IN A    6.6.6.4
haha    IN A    6.6.6.5
; CNAME records
;hh.com. IN CNAME www.hh.com.
bbx     IN CNAME bbs
# vi /data/named/cnc_hh.net.zone
$TTL 1D
@       IN SOA  ns1.hh.net. root.ns.hh.com. (
                2013111201  ; serial
                3H          ; refresh
                15M         ; retry
                1W          ; expire
                1D )        ; minimum
        IN NS   ns.hh.com.
;       IN NS   ns2.hh.com.
        IN MX   10 mail.hh.net.
; A records
@       IN A    8.8.8.1
ns      IN A    192.168.50.171
;ns2    IN A    192.168.50.239
www     IN A    8.8.8.1
bbs     IN A    8.8.8.2
mail    IN A    8.8.8.3
haha    IN A    8.8.8.4
; CNAME records
bbx     IN CNAME bbs
sports  IN CNAME haha.hh.net.
# vi /data/named/telcom_hh.com.zone
$TTL 1D
@       IN SOA  ns1.hh.com. root.ns.hh.com. (
                2013111102  ; serial
                3H          ; refresh
                15M         ; retry
                1W          ; expire
                1D )        ; minimum
        IN NS   ns.hh.com.
;       IN NS   ns2.hh.com.
        IN MX   10 mail.hh.com.
; A records
@       IN A    5.5.5.1
ns      IN A    192.168.50.171
;ns2    IN A    192.168.50.239
www     IN A    5.5.5.2
bbs     IN A    5.5.5.3
mail    IN A    5.5.5.4
haha    IN A    5.5.5.5
; CNAME records
;hh.com. IN CNAME www.hh.com.
bbx     IN CNAME bbs
# vi /data/named/telcom_hh.net.zone
$TTL 1D
@       IN SOA  ns1.hh.net. root.ns.hh.com. (
                2013111201  ; serial
                3H          ; refresh
                15M         ; retry
                1W          ; expire
                1D )        ; minimum
        IN NS   ns.hh.com.
;       IN NS   ns2.hh.com.
        IN MX   10 mail.hh.net.
; A records
@       IN A    7.7.7.1
ns      IN A    192.168.50.171
;ns2    IN A    192.168.50.239
www     IN A    7.7.7.1
bbs     IN A    7.7.7.2
mail    IN A    7.7.7.3
haha    IN A    7.7.7.4
; CNAME records
bbx     IN CNAME bbs
sports  IN CNAME haha.hh.net.
(5) The original configuration stays in named.conf and becomes the other view (meaning any source IP that is in neither of the two ACLs above is answered from the records in this configuration)
view "other" {
match-clients { any; };
recursion yes;
allow-transfer { none; };
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};
zone "hh.com" IN {
type master;
file "hh.com.zone";
allow-update { none; };
};
zone "hh.net" IN {
type master;
file "hh.net.zone";
allow-update { none; };
};
};
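Added example, not code from the original post: a Python model of named's first-match view selection, using the CNC and TELCOM ACL names from the page and BIND's built-in any, showing why the include order noted above matters and which views a catch-all view placed ahead of them shadows. The client addresses are constructed.

```python
import ipaddress

# Constructed model of the ACLs and view order on this page; not BIND's own code.
ACLS = {
    "CNC": ["192.168.5.0/24"],
    "TELCOM": ["192.168.9.0/24"],
    "any": ["0.0.0.0/0", "::/0"],       # BIND's built-in 'any'
}

def select_view(client_ip, view_order):
    """Return the first view whose match-clients ACL contains client_ip.
    Like named, views are tried in configuration order; the first match wins."""
    ip = ipaddress.ip_address(client_ip)
    for view_name, acl_name in view_order:
        for net in map(ipaddress.ip_network, ACLS[acl_name]):
            if net.version == ip.version and ip in net:
                return view_name
    return None                          # no matching view: named refuses the query

def shadowed_views(view_order):
    """Views listed after an ACL that covers every address can never match."""
    shadowed, catch_all_seen = [], False
    for view_name, acl_name in view_order:
        if catch_all_seen:
            shadowed.append(view_name)
        if any(ipaddress.ip_network(n).prefixlen == 0 for n in ACLS[acl_name]):
            catch_all_seen = True
    return shadowed

# Order used in the final named.conf: the two include files first, "other" last.
CORRECT_ORDER = [("view_cnc", "CNC"), ("view_telcom", "TELCOM"), ("other", "any")]
# The order the author first tried: the catch-all view ahead of the includes.
WRONG_ORDER = [("other", "any"), ("view_cnc", "CNC"), ("view_telcom", "TELCOM")]

def views_for(clients, view_order):
    """Map each client address to the view that would answer it."""
    return {c: select_view(c, view_order) for c in clients}

if __name__ == "__main__":
    clients = ["192.168.5.10", "192.168.9.20", "10.0.0.5"]   # constructed
    print(views_for(clients, CORRECT_ORDER))
    print(views_for(clients, WRONG_ORDER), shadowed_views(WRONG_ORDER))
```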
3. Testing
(1) Check the zone files
/usr/local/named/sbin/named-checkzone hh.net /data/named/cnc_hh.net.zone
/usr/local/named/sbin/named-checkzone hh.net /data/named/telcom_hh.net.zone
/usr/local/named/sbin/named-checkzone hh.com /data/named/telcom_hh.com.zone
/usr/local/named/sbin/named-checkzone hh.com /data/named/cnc_hh.com.zone
(2) Reload
/usr/local/named/sbin/rndc reload
These two checks are very useful; work through the errors reported in messages one by one.
(3) Client testing
Test from the 192.168.5 and 192.168.9 subnets and from another subnet, with resolv.conf pointing at nameserver 192.168.50.117.
Test with nslookup; details omitted.