DNS Server Configuration Walkthrough
Author:
Last modified: 23 February 2006
Background
The Domain Name System is a worldwide distributed database whose main job is to map "host names" to "IP addresses".
The most widely used DNS software is BIND (Berkeley Internet Name Domain).
DNS has four main kinds of resource record (SOA and NS are listed after them):
A
An A record maps a "host name" to an "IP address"; its job is to turn a name into an IP address.
CNAME
Some names have no IP address of their own but are aliases for another host name. A CNAME record maps an "alias" to a "canonical host name" (Canonical Hostname).
MX
MX records carry mail routing information: they give the host names of the domain's "mail exchangers" (Mail Exchange) together with their preference values.
PTR
A PTR record maps an "IP address" to a "host name"; it does the reverse of an A record.
SOA
Start of authority for the zone
NS
Authoritative name server
Installation environment:
Fedora 4
bind-9.2.6.tar.gz
Remove the bind packages that ship with the system
# rpm -qa|grep bind
bind-libs-9.3.1-4
bind-utils-9.3.1-4
# rpm -e --nodeps bind-libs-9.3.1-4 bind-utils-9.3.1-4
一、Install BIND
1、Preparation
Download a stable BIND release to install; download address:
wget
Install gcc
2、Build and install BIND
#tar zxvf bind-9.2.6.tar.gz
#cd bind-9.2.6
#./configure --sysconfdir=/etc/bind
#make
#make install
Configure BIND
二、Configure the root zone
1、Edit the configuration file
# vi /etc/bind/named.conf
options {
        directory "/var/bind";
};
zone "." {
        type hint;
        file "named.ca";
};
2、Create the working directory
#mkdir /var/bind
3、Query the root DNS servers
# dig -t NS .
; <<>> DiG 9.2.6 <<>> -t NS .
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<-
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;.                              IN      NS
;; ANSWER SECTION:
.                       139616  IN      NS      G.ROOT-SERVERS.NET.
.                       139616  IN      NS      H.ROOT-SERVERS.NET.
.                       139616  IN      NS      I.ROOT-SERVERS.NET.
.                       139616  IN      NS      J.ROOT-SERVERS.NET.
.                       139616  IN      NS      K.ROOT-SERVERS.NET.
.                       139616  IN      NS      L.ROOT-SERVERS.NET.
.                       139616  IN      NS      M.ROOT-SERVERS.NET.
.                       139616  IN      NS      A.ROOT-SERVERS.NET.
.                       139616  IN      NS      B.ROOT-SERVERS.NET.
.                       139616  IN      NS      C.ROOT-SERVERS.NET.
.                       139616  IN      NS      D.ROOT-SERVERS.NET.
.                       139616  IN      NS      E.ROOT-SERVERS.NET.
.                       139616  IN      NS      F.ROOT-SERVERS.NET.
;; ADDITIONAL SECTION:
J.ROOT-SERVERS.NET.     485712  IN      A       192.58.128.30
;; Query time: 51 msec
;; SERVER: 172.xx.xx.11#53(172.xx.xx.11)
;; WHEN: Tue Feb 14 01:55:39 2006
;; MSG SIZE  rcvd: 244
4、Point /etc/resolv.conf at the root server just found
#echo "nameserver 192.58.128.30" >/etc/resolv.conf
5、Save the root server information into /var/bind/named.ca (lines beginning with ";" are comments in zone-file syntax, so the dig output can be used directly as the hints file)
#dig -t NS . >/var/bind/named.ca
#cat /var/bind/named.ca
; <<>> DiG 9.2.6 <<>> -t NS .
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<-
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13
;; QUESTION SECTION:
;.                              IN      NS
;; ANSWER SECTION:
.                       517472  IN      NS      M.ROOT-SERVERS.NET.
.                       517472  IN      NS      A.ROOT-SERVERS.NET.
.                       517472  IN      NS      B.ROOT-SERVERS.NET.
.                       517472  IN      NS      C.ROOT-SERVERS.NET.
.                       517472  IN      NS      D.ROOT-SERVERS.NET.
.                       517472  IN      NS      E.ROOT-SERVERS.NET.
.                       517472  IN      NS      F.ROOT-SERVERS.NET.
.                       517472  IN      NS      G.ROOT-SERVERS.NET.
.                       517472  IN      NS      H.ROOT-SERVERS.NET.
.                       517472  IN      NS      I.ROOT-SERVERS.NET.
.                       517472  IN      NS      J.ROOT-SERVERS.NET.
.                       517472  IN      NS      K.ROOT-SERVERS.NET.
.                       517472  IN      NS      L.ROOT-SERVERS.NET.
;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET.     603872  IN      A       198.41.0.4
B.ROOT-SERVERS.NET.     603872  IN      A       192.228.79.201
C.ROOT-SERVERS.NET.     603872  IN      A       192.33.4.12
D.ROOT-SERVERS.NET.     603872  IN      A       128.8.10.90
E.ROOT-SERVERS.NET.     603872  IN      A       192.203.230.10
F.ROOT-SERVERS.NET.     603872  IN      A       192.5.5.241
G.ROOT-SERVERS.NET.     603872  IN      A       192.112.36.4
H.ROOT-SERVERS.NET.     603872  IN      A       128.63.2.53
I.ROOT-SERVERS.NET.     603872  IN      A       192.36.148.17
J.ROOT-SERVERS.NET.     603872  IN      A       192.58.128.30
K.ROOT-SERVERS.NET.     603872  IN      A       193.0.14.129
L.ROOT-SERVERS.NET.     603872  IN      A       198.32.64.12
M.ROOT-SERVERS.NET.     603872  IN      A       202.12.27.33
;; Query time: 478 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 14 12:21:35 2006
;; MSG SIZE  rcvd: 436
6、Configure rndc
#rndc-confgen >/etc/bind/rndc.conf
# cat -n /etc/bind/rndc.conf
     1	# Start of rndc.conf
     2	key "rndc-key" {
     3	      algorithm hmac-md5;
     4	      secret "OJuPxS0u/5tJ71W8ypj4fA==";
     5	};
     6	
     7	options {
     8	      default-key "rndc-key";
     9	      default-server 127.0.0.1;
    10	      default-port 953;
    11	};
    12	# End of rndc.conf
    13	
    14	# Use with the following in named.conf, adjusting the allow list as needed:
    15	# key "rndc-key" {
    16	#       algorithm hmac-md5;
    17	#       secret "OJuPxS0u/5tJ71W8ypj4fA==";
    18	# };
    19	# 
    20	# controls {
    21	#       inet 127.0.0.1 port 953
    22	#               allow { 127.0.0.1; } keys { "rndc-key"; };
    23	# };
    24	# End of named.conf
#
7、Append the named.conf part of rndc.conf (line 13 onwards) to /etc/bind/named.conf, then edit /etc/bind/named.conf and remove the leading "#" from the appended key and controls statements.
#tail -n +13 /etc/bind/rndc.conf >>/etc/bind/named.conf
8、Check and restart the named service, then look at the log file and check rndc access
#ps -axu|grep named
#killall named
#ps -axu|grep named
#named
#ps -axu|grep named
#tail /var/log/messages
#rndc status
number of zones: 2
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
server is up and running
#
9、Point /etc/resolv.conf at the local server and test with the host command
#echo "nameserver 127.0.0.1" >/etc/resolv.conf
# host
has address 198.133.219.25
三、Configure the localhost zones
(一)、Configure the forward zone for localhost
1、Edit /etc/bind/named.conf and insert the following
zone "localhost" {
        type master;
        file "db.local";
};
2、Configure /var/bind/db.local
$TTL 900
@       IN      SOA     localhost. root (
                        2006021401      ; serial number
                        1H              ; refresh
                        15M             ; retry
                        1W              ; expire
                        1D )            ; minimum TTL
        IN      NS      @
        IN      A       127.0.0.1
3、Test
# rndc reload
# host localhost
# dig localhost
# dig -t NS localhost
# dig -t A localhost
# rndc reload
# host localhost
localhost has address 127.0.0.1
# dig localhost
; <<>> DiG 9.2.6 <<>> localhost
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<-
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;localhost.                     IN      A
;; ANSWER SECTION:
localhost.              86400   IN      A       127.0.0.1
;; AUTHORITY SECTION:
localhost.              86400   IN      NS      localhost.
;; Query time: 52 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 14 13:06:21 2006
;; MSG SIZE  rcvd: 57
# dig -t NS localhost
; <<>> DiG 9.2.6 <<>> -t NS localhost
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<-
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;localhost.                     IN      NS
;; ANSWER SECTION:
localhost.              86400   IN      NS      localhost.
;; ADDITIONAL SECTION:
localhost.              86400   IN      A       127.0.0.1
;; Query time: 44 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 14 13:07:54 2006
;; MSG SIZE  rcvd: 57
# dig -t A localhost
; <<>> DiG 9.2.6 <<>> -t A localhost
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<-
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;localhost.                     IN      A
;; ANSWER SECTION:
localhost.              86400   IN      A       127.0.0.1
;; AUTHORITY SECTION:
localhost.              86400   IN      NS      localhost.
;; Query time: 42 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 14 13:08:00 2006
;; MSG SIZE  rcvd: 57
#
(二)、Configure the reverse zone for 127.0.0
1、Edit /etc/bind/named.conf and add the following
zone "0.0.127.in-addr.arpa" {
        type master;
        file "127.0.0.zone";
};
2、Create /var/bind/127.0.0.zone with the following content
$TTL 900
@       IN      SOA     @ root.localhost. (
                        20060214        ; serial number
                        1H              ; refresh
                        15M             ; retry
                        1W              ; expire
                        1D )            ; minimum TTL
        IN      NS      localhost.
1       IN      PTR     localhost.
3、Reload named through rndc and test
# rndc reload
#host 127.0.0.1
1.0.0.127.in-addr.arpa domain name pointer localhost.
# dig -x 127.0.0.1
; <<>> DiG 9.2.6 <<>> -x 127.0.0.1
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<-
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;1.0.0.127.in-addr.arpa.        IN      PTR
;; ANSWER SECTION:
1.0.0.127.in-addr.arpa. 86400   IN      PTR     localhost.
;; AUTHORITY SECTION:
0.0.127.in-addr.arpa.   86400   IN      NS      localhost.
;; ADDITIONAL SECTION:
localhost.              86400   IN      A       127.0.0.1
;; Query time: 73 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 14 15:47:31 2006
;; MSG SIZE  rcvd: 93
#
四、Configure the zhoulj.com zone
(一)、Configure the forward zone for zhoulj.com
1、Edit /etc/bind/named.conf and add the following
zone "zhoulj.com" {
        type master;
        file "db.zhoulj.com";
};
2、Configure /var/bind/db.zhoulj.com
$TTL 900
@       IN      SOA     zhoulj.com. root (
                        2006021401      ; serial number
                        1H              ; refresh
                        15M             ; retry
                        1W              ; expire
                        1D )            ; minimum TTL
        IN      NS      @
; host names in MX, NS and CNAME data must end in "." or the origin (zhoulj.com.) is appended
zhoulj.com.     IN      MX      10 mx1.zhoulj.com.
zhoulj.com.     IN      MX      20 mx2.zhoulj.com.
        IN      A       172.17.1.172
ns      IN      A       172.17.1.172
www     IN      A       172.17.1.201
mx1     IN      A       172.17.1.1
mx2     IN      A       172.17.1.2
ftp     IN      A       172.17.1.201
news    IN      CNAME   www
3、Reload named with rndc and test
# rndc reload
# host -t A zhoulj.com
zhoulj.com has address 172.17.1.172
# host -t NS zhoulj.com
zhoulj.com name server zhoulj.com.
(二)、Add the reverse zone for 172.17.1
1、Edit /etc/bind/named.conf and add the following
zone "1.17.172.in-addr.arpa" {
        type master;
        file "db.172.17.1";
};
2、Create /var/bind/db.172.17.1 with the following content
$TTL 900
@       IN      SOA     zhoulj.com. root.zhoulj.com. (
                        2006022301      ; serial number
                        1H              ; refresh
                        15M             ; retry
                        1W              ; expire
                        1D )            ; minimum TTL
        IN      NS      zhoulj.com.
201     IN      PTR
1       IN      PTR     mail.zhoulj.com.
201     IN      PTR     ftp.zhoulj.com.
3、Reload named through rndc and test
# rndc reload
[root@localhost named]# host 172.17.1.201
201.1.17.172.in-addr.arpa domain name pointer
201.1.17.172.in-addr.arpa domain name pointer ftp.zhoulj.com.
[root@localhost named]# host 172.17.1.1
1.1.17.172.in-addr.arpa domain name pointer mail.zhoulj.com.
[root@localhost named]# dig -x 172.17.1.201
; <<>> DiG 9.2.6 <<>> -x 172.17.1.201
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<-
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;201.1.17.172.in-addr.arpa.     IN      PTR
;; ANSWER SECTION:
201.1.17.172.in-addr.arpa. 86400 IN     PTR
201.1.17.172.in-addr.arpa. 86400 IN     PTR     ftp.zhoulj.com.
;; AUTHORITY SECTION:
1.17.172.in-addr.arpa.  86400   IN      NS      zhoulj.com.
;; ADDITIONAL SECTION:
zhoulj.com.             86400   IN      A       172.17.1.172
;; Query time: 67 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 14 18:15:20 2006
;; MSG SIZE  rcvd: 119
五、Delegate a subdomain
1、Edit /var/bind/db.zhoulj.com on the primary domain server and add the delegation plus its glue record
domain          IN      NS      ns.domain
ns.domain       IN      A       172.17.1.171
Reload named with rndc
#rndc reload
2、Set up a second server for the subdomain: install BIND and configure the root zone and so on (essentially the same as on the primary domain server), then edit /etc/bind/named.conf on the subdomain server and add a zone for the subdomain:
zone "domain.zhoulj.com" {
        type master;
        file "domain.zhoulj.com.db";
};
3、On the subdomain server edit /var/bind/domain.zhoulj.com.db
$TTL 900
@       IN      SOA     zhoulj.com. root (
                        2006021502      ; serial
                        36000           ; refresh
                        7500            ; retry
                        3600000         ; expire
                        86400 )         ; minimum TTL
        IN      NS      ns
ns      IN      A       172.17.1.171
www     IN      A       172.16.17.2
4、Reload the service and test, on the primary domain server and on the subdomain server respectively
#rndc reload
# host
has address 172.16.17.2
六、Securing DNS access
1、Edit /etc/bind/named.conf and add the pid file location to options
options {
        directory "/var/bind";
        pid-file "/var/run/bind/named.pid";
};
2、Create the named user, create the directory for bind's pid file, and make it owned by the named user
# useradd -s /bin/false -d /dev/null named
# id named
uid=501(named) gid=501(named) groups=501(named)
# mkdir -p /var/run/bind
# chown named:named /var/run/bind
# chmod 700 /var/run/bind
3、Restart the named service as the unprivileged user
# killall -9 named
# named -u named
# tail /var/log/messages
# ps -axu|grep named
4、Add it to the system startup so that it starts together with the server
# which named
/usr/local/sbin/named
# echo "/usr/local/sbin/named -u named" >> /etc/rc.local
七、Advanced DNS controls
1、Create an access control list
Edit /etc/bind/named.conf and add an acl statement before options; the syntax is:
acl our-nets {
        10.140.0.0/16;
};
2、Allow recursive queries only from the addresses in the acl
Edit /etc/bind/named.conf and add the following rule inside options { };:
allow-recursion {
        our-nets;
};
Test with host and nslookup
3、Allow queries only from the addresses in the acl
Edit /etc/bind/named.conf and add the following rule inside options { };:
allow-query {
        our-nets;
};
Test with host and nslookup
八、DNS and the mail system
Suppose the mail server for the foo.com domain is mail.foo.com and the mail server for the bar.com domain is mail.bar.com. foo.com has a user named Jack who wants to send mail to the user Rose at bar.com. First his mail server looks up the MX record for bar.com in DNS; having found it, mail.foo.com, the foo.com mail server, hands the message to mail.bar.com, the bar.com mail server. mail.bar.com sees that the message is for a user in its own domain, accepts it and delivers it to Rose's mailbox, where it waits for Rose to collect it.
This example has two MX records:
zhoulj.com.     IN      MX      10 mx1.zhoulj.com.
zhoulj.com.     IN      MX      20 mx2.zhoulj.com.
The first column is the domain name, the second (IN) says these records belong to the Internet class, the third (MX) says they are "mail exchanger" (Mail eXchange) resource records, the fourth is the preference, and the last is the host name.
Note the preference value: it is a number between 0 and 65535, and the lower the value, the higher the priority.
# dig -t MX zhoulj.com
; <<>> DiG 9.2.6 <<>> -t MX zhoulj.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<-
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 3
;; QUESTION SECTION:
;zhoulj.com.                    IN      MX
;; ANSWER SECTION:
zhoulj.com.             900     IN      MX      20 mx2.zhoulj.com.
zhoulj.com.             900     IN      MX      10 mx1.zhoulj.com.
;; AUTHORITY SECTION:
zhoulj.com.             900     IN      NS      zhoulj.com.
;; ADDITIONAL SECTION:
mx1.zhoulj.com.         900     IN      A       172.17.1.1
mx2.zhoulj.com.         900     IN      A       172.17.1.2
zhoulj.com.             900     IN      A       172.17.1.172
;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 14 18:40:25 2006
;; MSG SIZE  rcvd: 130
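The following Python, added here and not part of the original tutorial, reads a zone file the way BIND does (the $TTL default, "@" for the origin, absolute names ending in ".", relative names getting the origin appended, parenthesised SOA fields, blank owner fields) and then lists a domain's mail exchangers in the order an MTA tries them; it serves both the db.zhoulj.com zone file of section 4 and the MX discussion in this section. The sample zone is constructed, and its last MX line copies the page's original missing-dot form so that the result shows why a relative host name in MX data becomes mx2.zhoulj.com.zhoulj.com.

```python
ORIGIN = "zhoulj.com."
# Constructed sample modelled on db.zhoulj.com above; the last MX line is
# written the way the page first wrote it (no trailing dots) to show the effect.
SAMPLE_ZONE = """\
$TTL 900
@    IN SOA zhoulj.com. root (
         2006021401 ; serial
         1H 15M 1W 1D )
     IN A     172.17.1.172
     IN NS    @
news IN CNAME www
@          IN MX 10 mx1.zhoulj.com.
zhoulj.com IN MX 20 mx2.zhoulj.com
"""
# rdata positions that hold domain names and are therefore origin-qualified
NAME_SLOTS = {"NS": [0], "CNAME": [0], "PTR": [0], "MX": [1], "SOA": [0, 1]}

def qualify(name, origin):
    """'@' is the origin, a name ending in '.' is absolute, anything else
    gets the origin appended (which is how a missing dot bites)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return (owner, ttl, class, type, rdata) tuples with absolute names.
    Handles $TTL, ';' comments, '( )' continuations and a blank owner field."""
    default_ttl, owner, records, buf = None, None, [], ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # strip comments
        if not line.strip():
            continue
        buf = line if not buf else buf + " " + line.strip()
        if buf.count("(") > buf.count(")"):            # still inside ( ... )
            continue
        stmt, buf = buf.replace("(", " ").replace(")", " "), ""
        if stmt.startswith("$TTL"):
            default_ttl = int(stmt.split()[1])
            continue
        if not stmt[0].isspace():                      # else reuse last owner
            owner, stmt = stmt.split(None, 1)
        fields = stmt.split()
        ttl = int(fields.pop(0)) if fields[0].isdigit() else default_ttl
        rtype, rdata = fields[1], fields[2:]           # fields[0] is the class
        for i in NAME_SLOTS.get(rtype, []):
            rdata[i] = qualify(rdata[i], origin)
        records.append((qualify(owner, origin), ttl, fields[0], rtype, " ".join(rdata)))
    return records

def mx_delivery_order(records, domain):
    """Mail exchangers for domain in the order an MTA tries them: lowest preference first."""
    mx = [r[4].split() for r in records if r[0] == domain and r[3] == "MX"]
    return [host for _, host in sorted(mx, key=lambda m: int(m[0]))]
```

Because the second MX line is owned by zhoulj.com.zhoulj.com., mail for zhoulj.com never sees mx2; that is the defect the trailing dots in the zone file above avoid.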
九、Configure a secondary (slave) name server
1、Configure /etc/bind/named.conf on the secondary server; the earlier part is the same as on the primary name server, then add the following:
zone "zhoulj.com" {
        type slave;
        file "zhoulj.com.db.slave";
        masters { 172.17.1.172; };
};
2、Change the permissions on /var/bind so that the named group can write to it. This matters: if the directory is not writable, the slave zone file cannot be created.
# chgrp -R named /var/bind/
# chmod g+w /var/bind/
3、Test
Stop the primary DNS server and check whether the secondary keeps answering;
/var/log/messages on the secondary shows its status.
4、Allow only specific secondary servers to transfer the zone by adding the following to /etc/bind/named.conf:
//allow slave DNS server to back up.
allow-transfer {
        any;
};
The any argument lets every host transfer the zone; replace any with the IP address of the specific secondary server.
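To check what these lists actually permit before reloading named, here is an added Python example (not from the page and not BIND's own code) that evaluates acl, allow-recursion, allow-query and allow-transfer for a given client address with BIND's first-match semantics; it covers the acl of section 7 and the allow-transfer setting of this section together. Both named.conf fragments are constructed, and treating an absent option as { any; } is an assumption made here.

```python
import ipaddress
import re
# Constructed named.conf fragments: the open allow-transfer shown above next to
# a restricted configuration built on the our-nets acl from section 7.
WEAK_CONF = """
options { directory "/var/bind"; allow-transfer { any; }; };
"""
HARDENED_CONF = """
acl our-nets { !10.140.99.0/24; 10.140.0.0/16; };
options {
        directory "/var/bind";
        allow-recursion { our-nets; };
        allow-query { our-nets; 172.17.1.0/24; };
        allow-transfer { 172.17.1.173; };
};
"""
def parse_named_conf(text):
    """Collect 'acl NAME { ... };' lists and the allow-* options from a
    simplified named.conf; each becomes name -> list of elements."""
    lists = lambda body: [e.strip() for e in body.split(";") if e.strip()]
    acls = {m[1]: lists(m[2]) for m in re.finditer(r"acl\s+(\S+)\s*\{([^}]*)\}", text)}
    opts = {m[1]: lists(m[2]) for m in
            re.finditer(r"(allow-(?:query|recursion|transfer))\s*\{([^}]*)\}", text)}
    return acls, opts

def matches(elements, acls, client):
    """BIND address-match-list semantics: the first element that matches
    decides, a leading '!' turns that match into a deny, 'any'/'none' are
    built in, a bare word names an acl, and no match at all means deny."""
    ip = ipaddress.ip_address(client)
    for elem in elements:
        negate, elem = elem.startswith("!"), elem.lstrip("! ")
        if elem == "any":
            hit = True
        elif elem == "none":
            hit = False
        elif elem in acls:
            hit = matches(acls[elem], acls, client)
        else:
            hit = ip in ipaddress.ip_network(elem, strict=False)
        if hit:
            return not negate
    return False

def allowed(conf, option, client):
    """True if client passes the option's list. An absent option is treated as
    { any; } here (an assumption matching BIND 9.2's permissive defaults)."""
    acls, opts = parse_named_conf(conf)
    return matches(opts.get(option, ["any"]), acls, client)
```

With WEAK_CONF any address on the Internet can pull the whole zone; with HARDENED_CONF only 172.17.1.173 can, and recursion is refused to the excluded 10.140.99.0/24 even though it lies inside 10.140.0.0/16.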