已经有3年多没有用linux的bind了,最近因为工作需要,又开始搭建一个bind来工作。Centos7的bind一般是没有问题的,但是,如果要加入chroot就会有一些改动。这个改动也让我研究了几天。呵呵。

环境CentOS7.2 本机IP:172.31.21.245

直接上代码:

  1. yum安装bind bind-utils bind-chroot

[root@localhost ~]# yum -y install bind bind-utils bind-chroot

    bind   bind主程序

    bind-utils  bind的一些工具,如:nslookup

    bind-chroot    bind的安全性软件

2.将named.conf复制到/var/named/chroot/etc里面

[root@localhost ~]# cp -p /etc/named.conf /var/named/chroot/etc/

3.修改named.conf

[root@localhost ~]# vi /var/named/chroot/etc/named.conf 

//

// named.conf

//

// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS

// server as a caching only nameserver (as a localhost DNS resolver only).

//

// See /usr/share/doc/bind*/sample/ for example named configuration files.

//


options {

        // Stock Red Hat named.conf, opened up from a localhost-only resolver to
        // serve the network. NOTE(review): this copy lives under /var/named/chroot,
        // so once named runs chrooted every absolute path below is resolved inside
        // that directory (e.g. "/var/named" is /var/named/chroot/var/named on the host).
        listen-on port 53 { any; }; // listen on every IPv4 address, not only loopback

        listen-on-v6 port 53 { ::1; }; // IPv6 stays loopback-only

        directory       "/var/named"; // base for the relative file names used in logging/zone blocks

        dump-file       "/var/named/data/cache_dump.db";

        statistics-file "/var/named/data/named_stats.txt";

        memstatistics-file "/var/named/data/named_mem_stats.txt";

        allow-query     { any; }; // answer queries from any client (needed if zy.com is to be served to other hosts)


        /*

         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.

         - If you are building a RECURSIVE (caching) DNS server, you need to enable

           recursion.

         - If your recursive DNS server has a public IP address, you MUST enable access

           control to limit queries to your legitimate users. Failing to do so will

           cause your server to become part of large scale DNS amplification

           attacks. Implementing BCP38 within your network would greatly

           reduce such attack surface

        */

        recursion yes;
        // NOTE(review): recursion is enabled while listen-on and allow-query are both
        // "any" and no allow-recursion is set, so every host that can reach port 53 gets
        // recursive service -- the open-resolver situation the comment above warns about.
        // Limit recursion to the clients that should use this box as a resolver, e.g.
        //   allow-recursion { localhost; localnets; };
        // (authoritative answers for zy.com are not affected by that restriction).


        dnssec-enable yes;

        dnssec-validation yes; // validation depends on the trust anchor pulled in by "/etc/named.root.key"


        /* Path to ISC DLV key */

        bindkeys-file "/etc/named.iscdlv.key";


        // RFC 5011 managed keys are kept here; presumably must be writable by named inside the chroot
        managed-keys-directory "/var/named/dynamic";


        // Also chroot-relative: /var/named/chroot/run/named on the host
        pid-file "/run/named/named.pid";

        session-keyfile "/run/named/session.key";

};


logging {

        // Debug channel: the file is relative to "directory", i.e.
        // /var/named/data/named.run inside the chroot. "severity dynamic" lets the
        // debug level follow what is set at runtime (rndc trace / the -d flag).
        channel default_debug {

                file "data/named.run";

                severity dynamic;

        };

};


// Root hints, read from named.ca (copied from the bind sample tree in step 4);
// needed for recursion to find the root servers.
zone "." IN {

        type hint;

        file "named.ca";

};

// Forward zone for zy.com (added to the stock file)
zone "zy.com" IN {

        type master; // this server is the primary (authoritative) for zy.com

        file "zy.com.zone"; // relative to "directory": /var/named/chroot/var/named/zy.com.zone on the host
        // NOTE(review): no allow-transfer is set; on this BIND release the default
        // permits zone transfers (AXFR) to any host, which hands out the whole zone.
        // Add `allow-transfer { none; };` (or list the secondaries) unless transfers
        // are actually required.

};


// Red Hat's RFC 1912 zones (localhost, loopback reverse, etc.) and the DNSSEC root
// trust anchor. NOTE(review): these paths are resolved inside the chroot as well, so
// both files must exist under /var/named/chroot/etc/ -- step 2 only copies
// named.conf; confirm they are present (or bind-mounted by the chroot service)
// before starting named, otherwise the config will fail to load.
include "/etc/named.rfc1912.zones";

include "/etc/named.root.key";

4.复制解析配置文件,并复制一个修改

[root@localhost ~]# cp -R /usr/share/doc/bind-9.9.4/sample/var/named/* /var/named/chroot/var/named/

[root@localhost ~]# cd /var/named/chroot/var/named/

[root@localhost named]# cp -p named.localhost zy.com.zone

5.修改正向解析文件

[root@localhost named]# vi zy.com.zone 

$TTL 1D ; default TTL for every record that has no explicit one

; SOA for zy.com: ns1.zy.com. is the primary name server, admin.zy.com. is the
; contact mailbox (admin@zy.com with the "@" written as ".").
@       IN SOA  ns1.zy.com. admin.zy.com. (

                                        0       ; serial  -- NOTE(review): bump this on every edit (e.g. YYYYMMDDnn), or secondaries never pick up changes

                                        1D      ; refresh -- how often secondaries poll for a new serial

                                        1H      ; retry   -- wait after a failed refresh

                                        1W      ; expire  -- secondaries stop answering after this long without contact

                                        3H )    ; minimum -- negative-caching TTL

; NS record: the owner name is inherited from the preceding "@" (zone apex)
        NS      ns1.zy.com.

; address of the name server itself
ns1     A       172.31.21.245

; the apex and www both resolve to this host
@       A       172.31.21.245

www     A       172.31.21.245

6.启动服务并修改DNS服务器

[root@localhost named]# service named restart

Redirecting to /bin/systemctl restart  named.service

[root@localhost named]# vi /etc/resolv.conf 

# Generated by NetworkManager

nameserver 172.31.21.245

7.测试解析