linux dns缓存搭建,Linux下DNS缓存服务器的搭建

CentOS 6.10搭建本地DNS缓存服务器

系统环境

1 [root@test ~]# cat /etc/redhat-release2 CentOS release 6.10(Final)3 [root@test ~]# uname -r4 2.6.32-754.el6.x86_645 [root@test ~]# getenforce6 Disabled7 [root@test ~]# /etc/init.d/iptables stop

安装DNS服务包

1 [root@test ~]# yum -y install bind bind-libs bind-utils

修改配置文件

bind DNS服务的主配置文件是/etc/named.conf，默认情况下是已经启用了本地缓存功能。不过为了加快查询速度和解决一些报错，通常情况下我们还需要一些调整。

1 [root@test ~]# cat /etc/named.conf2 //

3 //named.conf4 //

5 //Provided by Red Hat bind package to configure the ISC BIND named(8) DNS6 //server as a caching only nameserver (as a localhost DNS resolver only).7 //

8 //See /usr/share/doc/bind*/sample/ for example named configuration files.9 //10

11 options {12 listen-on port 53{ any; };13 //listen-on-v6 port 53 { ::1; };

14 directory "/var/named";15 dump-file "/var/named/data/cache_dump.db";16 statistics-file "/var/named/data/named_stats.txt";17 memstatistics-file "/var/named/data/named_mem_stats.txt";18 allow-query { any; };19 recursion yes;20 forworders { 114.114.114.114; 8.8.8.8; };21 dnssec-enable no;22 dnssec-validation yes;23

24 /*Path to ISC DLV key*/

25 bindkeys-file "/etc/named.iscdlv.key";26

27 managed-keys-directory "/var/named/dynamic";28 };29

30 logging {31 channel default_debug {32 file "data/named.run";33 severity dynamic;34 };35 };36

37 zone "."IN {38 type hint;39 file "named.ca";40 };41

42 include "/etc/named.rfc1912.zones";43 include "/etc/named.root.key";

此时已完成了一个本地缓存服务器的配置。

测试本地缓存服务器

1 [root@test ~]# ip a2 1: lo: mtu 65536qdisc noqueue state UNKNOWN3 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

4 inet 127.0.0.1/8scope host lo5 inet6 ::1/128scope host6 valid_lft forever preferred_lft forever7 2: eth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000

8 link/ether 00:0c:29:18:98:2b brd ff:ff:ff:ff:ff:ff9 inet 10.0.0.77/24 brd 10.0.0.255scope global eth010 inet6 fe80::20c:29ff:fe18:982b/64scope link11 valid_lft forever preferred_lft forever12

13 [root@test ~]# cat /etc/resolv.conf14 nameserver 10.0.0.77

15

16 [root@test ~]# nslookup17 >www.baidu.com18 Server: 10.0.0.77

19 Address: 10.0.0.77#53

20

21 Non-authoritative answer:22 www.baidu.com canonical name =www.a.shifen.com.23 Name: www.a.shifen.com24 Address: 115.239.210.27

25 Name: www.a.shifen.com26 Address: 115.239.211.112

27 [root@test ~]# pingbaidu.com28 PING baidu.com (220.181.57.216) 56(84) bytes of data.29 64 bytes from 220.181.57.216: icmp_seq=1 ttl=128 time=30.5ms30 64 bytes from 220.181.57.216: icmp_seq=2 ttl=128 time=30.9 ms

禁用IPv6解析

1)注释主配置文件的IPv6选项

2)修改/etc/sysconfig/named文件

OPTIONS="whatever" 改为 OPTIONS="-4"

# 注意OPTIONS选项的值可以是：whatever、-4、-6中的一个

禁用dnssec功能

为什么禁用？

1 Dec 20 14:52:22 test named[2159]: error (insecurity proof failed) resolving 'in-addr.arpa/DNSKEY/IN': 114.114.114.114#53

2 Dec 20 14:52:22 test named[2159]: validating @0x7fc654456820: 123.in-addr.arpa SOA: got insecure response; parent indicates it should be secure3 Dec 20 14:52:22 test named[2159]: error (no valid RRSIG) resolving '125.123.in-addr.arpa/DS/IN': 114.114.114.114#53

4 Dec 20 14:52:22 test named[2159]: validating @0x7fc6544574b0: 123.in-addr.arpa DNSKEY: got insecure response; parent indicates it should be secure

dnssec功能会对解析结果进行验证，是否为权威解答，不是就会报错，虽然不影响使用，但是看着不爽。

怎么禁用？

修改主配置文件

1 # vim /etc/named.conf2 dnssec-enable no;3 dnssec-validation no;

创建本地DNS服务器，解析本地DNS记录

我们只需要在上面的DNS缓存服务器上增加个zone区域文件即可。

1 # vim /etc/named.rfc1912.zones2 # 最后面加上这个zone3 zone "test"IN {4 type master;5 file "test.zone";6 allow-update { none; };7 };

# 创建对应的test.zone文件(配置解析记录)

1 [root@test ~]# cp -a /var/named/named.localhost /var/named/test.zone

把要解析的记录写进该文件

重启DNS服务即可

listen与query项出于安全考虑，也可以将any设置为192.168.1.0/24这样的格式；

dump-file项需要注意的是默认情况下dns本地缓存数据都是存放在内存中，只有在使用rndc dumpdb -all 时才会将内存中的数据保存在本地盘中，保存的路径就是该项配置的名称；

启用forwarders查询会减少本地流量的浪费，直接从转发的服务器上查询的结果返回；