Setting up a local DNS caching server on CentOS 6.10
System environment
    [root@test ~]# cat /etc/redhat-release
    CentOS release 6.10 (Final)
    [root@test ~]# uname -r
    2.6.32-754.el6.x86_64
    [root@test ~]# getenforce
    Disabled
    [root@test ~]# /etc/init.d/iptables stop
Install the DNS service packages
    [root@test ~]# yum -y install bind bind-libs bind-utils
Edit the configuration file
The main configuration file of the bind DNS service is /etc/named.conf. As shipped it already works as a caching resolver, but only for localhost (it listens on 127.0.0.1 and allows queries from localhost only). To serve other hosts, speed up lookups and get rid of some errors we usually make a few adjustments: listen on the server's addresses (listen-on), allow queries from other hosts (allow-query) and hand unresolved queries to upstream forwarders (forwarders).
    [root@test ~]# cat /etc/named.conf
    //
    // named.conf
    //
    // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
    // server as a caching only nameserver (as a localhost DNS resolver only).
    //
    // See /usr/share/doc/bind*/sample/ for example named configuration files.
    //

    options {
            listen-on port 53 { any; };
            //listen-on-v6 port 53 { ::1; };
            directory       "/var/named";
            dump-file       "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
            allow-query     { any; };
            recursion yes;
            forwarders { 114.114.114.114; 8.8.8.8; };
            dnssec-enable no;
            dnssec-validation yes;

            /* Path to ISC DLV key */
            bindkeys-file "/etc/named.iscdlv.key";

            managed-keys-directory "/var/named/dynamic";
    };

    logging {
            channel default_debug {
                    file "data/named.run";
                    severity dynamic;
            };
    };

    zone "." IN {
            type hint;
            file "named.ca";
    };

    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";

(The option is spelled forwarders; a misspelling such as "forworders" makes named refuse to start with an "unknown option" error, which named-checkconf reports before you restart.)
At this point the configuration of a local caching server is complete. Check the syntax with named-checkconf, start the service with /etc/init.d/named start, and enable it at boot with chkconfig named on.
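As configured above, the server listens on every interface, accepts queries from any client (allow-query { any; }) and answers them recursively, which is exactly what an open resolver looks like: anyone who can reach UDP port 53 can use it, including as a DNS amplification reflector. The following options block is an added example, not part of the original page, showing the same configuration restricted to the networks the server is meant to serve. The networks 10.0.0.0/24 and 192.168.1.0/24, the listen address 10.0.0.77 and the ACL name "trusted" are assumptions for this lab; the logging, zone "." and include sections stay as they are.

```conf
// Added example: an options block for /etc/named.conf that is not an open
// resolver. The ACL name and address ranges are assumptions for the lab setup.
acl "trusted" {
        127.0.0.1;
        10.0.0.0/24;
        192.168.1.0/24;
};

options {
        // Bind only the addresses that should serve DNS, not every interface.
        listen-on port 53 { 127.0.0.1; 10.0.0.77; };
        listen-on-v6 port 53 { none; };

        directory          "/var/named";
        dump-file          "/var/named/data/cache_dump.db";
        statistics-file    "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";

        // "any" for all three of these with recursion turned on makes an open
        // resolver. Restricting them to the ACL makes named answer REFUSED to
        // every other client, so it cannot be used for amplification.
        allow-query       { trusted; };
        allow-recursion   { trusted; };
        allow-query-cache { trusted; };
        recursion yes;

        // Unresolved queries go to the forwarders, which answer from their caches.
        forwarders { 114.114.114.114; 8.8.8.8; };

        // The settings this page arrives at in the DNSSEC section below;
        // see there for the trade-off.
        dnssec-enable no;
        dnssec-validation no;

        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";

        // Do not reveal the BIND version to "dig CH TXT version.bind" probes.
        version "not disclosed";
};
```

After saving, run named-checkconf /etc/named.conf and restart named. From a host inside the ACL, dig @10.0.0.77 www.baidu.com returns NOERROR as before; from an address outside it the status is REFUSED. Note that allow-query at the options level also applies to any authoritative zone you add later (such as the "test" zone below); if a zone must be visible to clients outside the ACL, give that zone its own allow-query.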
Test the local caching server
    [root@test ~]# ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
        link/ether 00:0c:29:18:98:2b brd ff:ff:ff:ff:ff:ff
        inet 10.0.0.77/24 brd 10.0.0.255 scope global eth0
        inet6 fe80::20c:29ff:fe18:982b/64 scope link
           valid_lft forever preferred_lft forever

    [root@test ~]# cat /etc/resolv.conf
    nameserver 10.0.0.77

    [root@test ~]# nslookup
    > www.baidu.com
    Server:         10.0.0.77
    Address:        10.0.0.77#53

    Non-authoritative answer:
    www.baidu.com   canonical name = www.a.shifen.com.
    Name:   www.a.shifen.com
    Address: 115.239.210.27
    Name:   www.a.shifen.com
    Address: 115.239.211.112

    [root@test ~]# ping baidu.com
    PING baidu.com (220.181.57.216) 56(84) bytes of data.
    64 bytes from 220.181.57.216: icmp_seq=1 ttl=128 time=30.5 ms
    64 bytes from 220.181.57.216: icmp_seq=2 ttl=128 time=30.9 ms

The "Server: 10.0.0.77" line confirms that the answer came from our own named rather than from an upstream resolver.
Disabling IPv6 resolution
1) Comment out the listen-on-v6 option in the main configuration file (already done in the listing above), so named opens no IPv6 listening socket.
2) Edit /etc/sysconfig/named
Change the commented placeholder line OPTIONS="whatever" to OPTIONS="-4"
# Note: "whatever" is only the placeholder in the shipped file; whatever you put in OPTIONS is passed to named on its command line. -4 makes named use IPv4 transport only and -6 IPv6 only (the two are mutually exclusive), so with -4 named stops trying to reach forwarders or upstream servers over IPv6. Restart named afterwards.
Disabling DNSSEC
Why disable it?
    Dec 20 14:52:22 test named[2159]: error (insecurity proof failed) resolving 'in-addr.arpa/DNSKEY/IN': 114.114.114.114#53
    Dec 20 14:52:22 test named[2159]: validating @0x7fc654456820: 123.in-addr.arpa SOA: got insecure response; parent indicates it should be secure
    Dec 20 14:52:22 test named[2159]: error (no valid RRSIG) resolving '125.123.in-addr.arpa/DS/IN': 114.114.114.114#53
    Dec 20 14:52:22 test named[2159]: validating @0x7fc6544574b0: 123.in-addr.arpa DNSKEY: got insecure response; parent indicates it should be secure
DNSSEC validation checks the signature chain (DS, DNSKEY and RRSIG records) from the root down to the answer; it does not check whether an answer is authoritative. In the log above the forwarder 114.114.114.114 returned data for 123.in-addr.arpa without the signature records even though the parent zone says it is signed, which is what you see with a forwarder that does not pass DNSSEC data through. named will not hand out data that fails validation, so reverse lookups under that zone return SERVFAIL and the log fills with these errors. Disabling validation silences the log and lets those lookups succeed, but it also means a forged reply, whether from the forwarder or from someone spoofing it, is accepted without any check. If that matters for this server, the alternative is to use forwarders that return DNSSEC records intact, or to drop the forwarders and let named resolve from the root hints.
How to disable it?
Edit the main configuration file
    # vim /etc/named.conf
    dnssec-enable no;
    dnssec-validation no;
Set both to no: dnssec-validation only takes effect when dnssec-enable is yes. Check with named-checkconf and restart named for the change to apply.
Creating a local DNS server to resolve local DNS records
All we need to do is add a zone to the caching server built above.
    # vim /etc/named.rfc1912.zones
    # append this zone at the end of the file
    zone "test" IN {
            type master;
            file "test.zone";
            allow-update { none; };
    };
Create the matching test.zone file, which will hold the records:
    [root@test ~]# cp -a /var/named/named.localhost /var/named/test.zone
(cp -a keeps the template's root:named ownership and 0640 mode, so named can read the new file.)
Write the records to be resolved into that file; the copied template still contains the localhost records and a serial of 0, so replace them.
Then restart the DNS service (or reload it with rndc reload) for the zone to be served.
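What the edited test.zone can look like, as an added example that is not part of the original page. Every hostname and address in it is an assumption for a lab on 10.0.0.0/24; the "test" top-level name is reserved for exactly this use by RFC 2606, so it cannot collide with a public domain. Because the zone is declared as "test" in named.rfc1912.zones, that is the origin: bare labels such as www expand to www.test., and absolute names must end with a dot.

```zone
; /var/named/test.zone (added example, not from the original page).
; Produced by editing the copy of named.localhost made above; all names and
; addresses are assumptions for the lab network.
$TTL 1D
@       IN SOA  ns1.test. hostmaster.test. (
                        2018122001      ; serial: YYYYMMDDnn, increase on every edit
                        1D              ; refresh
                        1H              ; retry
                        1W              ; expire
                        3H )            ; minimum (negative-cache TTL)

        IN NS   ns1.test.

ns1     IN A    10.0.0.77
www     IN A    10.0.0.80
db      IN A    10.0.0.81
mail    IN A    10.0.0.82

@       IN MX   10 mail.test.

; alias: intranet.test -> www.test
intranet IN CNAME www.test.
```

Before reloading, run named-checkzone test /var/named/test.zone; it prints "OK" and the serial it loaded, or the line number of any syntax error. After the reload, dig @10.0.0.77 www.test +short should return 10.0.0.80. Two things to check on the zone declaration itself: allow-update { none; } already rejects dynamic updates, but zone transfers are allowed to anyone by default, so add allow-transfer { none; }; to the zone block unless you run a secondary server, otherwise any client can pull the whole list of internal hostnames with an AXFR. And remember to increase the serial every time you edit the file, or secondaries (and named's own reload logic) will not pick up the change.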
For the listen-on and allow-query entries it is safer to replace any with your own ranges, e.g. 192.168.1.0/24 (listen-on takes the server's own addresses, allow-query an address match list): with any and recursion yes, anyone on the Internet can use this host as an open resolver, including as a reflector for DNS amplification attacks.
dump-file: by default the cache lives only in memory; it is written to disk only when you run rndc dumpdb -all (or rndc dumpdb -cache for the cache alone), to the path given by this option. To confirm that caching works, run the same dig query twice against 10.0.0.77: the second answer comes back with a smaller TTL and a query time of 0 msec.
Enabling forwarders saves local bandwidth and time: queries named cannot answer from its cache go straight to the forwarders, which answer from their own caches, instead of named walking down from the root servers. The cost is that you trust the forwarders' answers completely, which matters once DNSSEC validation is turned off.