Introduction to the DNS service and a detailed configuration walkthrough
https://blog.51cto.com/longlei/2053983
A simple DNS server setup on CentOS
DNS (Domain Name System) is a core Internet service that translates between domain names and IP addresses, so that we can reach hosts on the Internet by name instead of remembering strings of digits. This document explains how to turn a CentOS host into a DNS server that provides name resolution.
Lab environment:
OS: CentOS 7.6
IP address: 192.168.164.137
DNS software: BIND 9.8
Test domain: 123.com
Purpose: serve the 123.com domain, both forward and reverse lookups
Ports the bind service needs open, and what they are for
UDP 53: ordinary name resolution;
TCP 53: synchronising data between bind servers and similar tasks;
TCP 953: IPv6 resolution;
1. Install bind
# yum install bind
2. Edit its configuration file /etc/named.conf to suit our environment
[root@xiaoping centos]# vi /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {  // options is the global configuration section
        listen-on port 53 { any; };        // listen on port 53; set the host IP addresses to listen on here, any means every address
        listen-on-v6 port 53 { ::1; };     // IPv6 support
        directory       "/var/named";      // all forward and reverse zone files are created under this directory
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };          // which hosts may use this machine as their DNS server

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable no;                  // to keep testing simple, we turn these two security options off
        dnssec-validation no;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {  // logging section
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {  // zone section
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";  // this is where the zones live; the file in which we define our domain
include "/etc/named.root.key";
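The comment block inside the options section already states the risk: a server that recurses for arbitrary hosts becomes a DNS amplification reflector. The settings as shown (recursion yes, allow-query { any; }, and no allow-recursion) are exactly that case, because BIND derives the effective allow-recursion from allow-query-cache, then allow-query, and only then from its built-in default of localhost and localnets. The Python script below is an added example, not part of the original post or of BIND itself: it lints an options block for that combination, and contrasts the post's settings with a constructed hardened variant that stays authoritative for 123.com towards everyone but only recurses for an assumed 192.168.164.0/24 lab network through an acl named "trusted".

```python
import re

# Constructed excerpt mirroring the options shown above (the post's file, trimmed to the settings that matter).
OPEN_RESOLVER_CONF = """
options {
        listen-on port 53 { any; };
        allow-query     { any; };
        recursion yes;
        dnssec-enable no;
        dnssec-validation no;
};
"""

# Constructed hardened variant (assumed lab network 192.168.164.0/24): still authoritative
# for 123.com to everyone, but recursion only for the trusted ACL.
HARDENED_CONF = """
acl "trusted" { 127.0.0.1; 192.168.164.0/24; };
options {
        listen-on port 53 { 192.168.164.137; };
        allow-query     { any; };
        allow-recursion { trusted; };
        recursion yes;
        dnssec-validation auto;
};
"""


def _strip_comments(text):
    """Drop the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def _block(text, name):
    """Body of the top-level `name { ... };` block, or '' when absent."""
    m = re.search(r"(?<![\w-])%s\s*\{(.*?)\n\};" % re.escape(name), text, flags=re.S)
    return m.group(1) if m else ""


def _setting(body, key):
    """Values of `key { a; b; };` or `key value;` as a set, or None when the key is not set.
    The optional `port N` handles listen-on; the lookbehind keeps `recursion` from
    matching inside `allow-recursion`."""
    pattern = r"(?<![\w-])%s(?:\s+port\s+\d+)?\s*(?:\{([^}]*)\}|([^;{]+))\s*;" % re.escape(key)
    m = re.search(pattern, body)
    if not m:
        return None
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    return {tok.strip() for tok in raw.split(";") if tok.strip()}


def open_resolver_findings(conf_text):
    """Return human-readable findings; an empty list means no open-resolver risk was spotted."""
    opts = _block(_strip_comments(conf_text), "options")
    findings = []
    if "yes" in (_setting(opts, "recursion") or {"yes"}):  # BIND's default is recursion yes
        # BIND derives the effective allow-recursion from allow-query-cache, then allow-query,
        # then its built-in default of localhost and localnets.
        effective = (_setting(opts, "allow-recursion")
                     or _setting(opts, "allow-query-cache")
                     or _setting(opts, "allow-query")
                     or {"localhost", "localnets"})
        if "any" in effective:
            findings.append("open resolver: recursion yes and effective allow-recursion is { any; }")
    if "any" in (_setting(opts, "listen-on") or set()):
        findings.append("listen-on { any; }: binds every interface; prefer the server's own address")
    if "no" in (_setting(opts, "dnssec-validation") or set()):
        findings.append("dnssec-validation no: answers from upstream servers are accepted unverified")
    return findings


def is_open_resolver(conf_text):
    return any(f.startswith("open resolver") for f in open_resolver_findings(conf_text))


if __name__ == "__main__":
    import sys
    samples = {"page config": OPEN_RESOLVER_CONF, "hardened": HARDENED_CONF}
    if len(sys.argv) > 1:  # e.g. python3 lint_named.py /etc/named.conf
        samples = {sys.argv[1]: open(sys.argv[1]).read()}
    for label, conf in samples.items():
        print(f"{label}: {open_resolver_findings(conf) or ['no findings']}")
```

Run it with no arguments to compare the two embedded snippets, or pass the path of a named.conf to lint a real file. The hardened variant keeps allow-query { any; } on purpose: an authoritative server for 123.com must still answer non-recursive queries from anywhere, and it is allow-recursion that decides who may use the cache.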
3. Edit /etc/named.rfc1912.zones and define the forward and reverse zones for 123.com
Add the following:
zone "123.com" IN {                       // forward zone
        type master;                      // this server is the master for the zone
        file "123.com.zone";              // the zone file it uses, created below
        allow-update { none; };
};
zone "164.168.192.in-addr.arpa" IN {      // reverse zone
        type master;
        file "192.168.164.zone";
        allow-update { none; };
};
4. Create the forward and reverse zone files under /var/named (watch the tabs and spaces)
Forward zone file 123.com.zone:
$TTL 3600
$ORIGIN 123.com.
@       IN SOA  ns1.123.com. admin.123.com. (
                202032701
                1H
                10M
                3D
                1D )
        IN NS   ns1
ns1     IN A    192.168.164.137
WWW     IN A    192.168.164.137
Reverse zone file 192.168.164.zone:
$TTL 3600
$ORIGIN 164.168.192.in-addr.arpa.
@       IN SOA  ns1.123.com. nsadmin.com. (
                202032801
                1H
                10M
                3D
                12H )
        IN NS   ns1.123.com.
137     IN PTR  ns1.123.com.
137     IN PTR  WWW.123.com.
Note in particular that the reverse zone's name is written backwards: the network address with its octets reversed, followed by .in-addr.arpa
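As an added example (not from the original post), here is a small Python check for the two zone files above. It parses them with a minimal reader that understands $ORIGIN, @, owner inheritance from the previous record and the parenthesised SOA, derives the reversed in-addr.arpa name from a network the way the note above describes, and verifies that every A record has a PTR naming it and every PTR points back at a name whose A record is that address, so a forward/reverse mismatch is caught before the zones are reloaded. The embedded zone text is a copy of the two files above; the extra mail record used in the test is constructed to show what a mismatch looks like.

```python
import ipaddress
import re

# Copies of the two zone files shown above (same records, same serials).
FORWARD_ZONE = """\
$TTL 3600
$ORIGIN 123.com.
@   IN SOA ns1.123.com. admin.123.com. (
        202032701
        1H
        10M
        3D
        1D )
    IN NS ns1
ns1 IN A 192.168.164.137
WWW IN A 192.168.164.137
"""

REVERSE_ZONE = """\
$TTL 3600
$ORIGIN 164.168.192.in-addr.arpa.
@   IN SOA ns1.123.com. nsadmin.com. (
        202032801
        1H
        10M
        3D
        12H )
    IN NS ns1.123.com.
137 IN PTR ns1.123.com.
137 IN PTR WWW.123.com.
"""


def _absolute(name, origin):
    """Turn a relative owner name into a fully qualified one using $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return (origin, [(fqdn, type, rdata)]); a parenthesised SOA is collapsed to one line."""
    logical = re.sub(r"\([^)]*\)", lambda m: " ".join(m.group(0).split()), text)
    origin, records, last_owner = None, [], "@"
    for line in logical.splitlines():
        line = line.split(";")[0]          # ';' starts a zone-file comment
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            continue
        tokens = line.split()
        # A line that starts with blank space inherits the owner of the previous record.
        owner = last_owner if line[0].isspace() else tokens.pop(0)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() == "IN"):
            tokens.pop(0)                  # optional TTL and class come before the type
        records.append((_absolute(owner, origin), tokens[0].upper(), " ".join(tokens[1:])))
        last_owner = owner
    return origin, records


def soa_serial(zone_text):
    """The serial is the first number inside the SOA's parentheses."""
    _, records = parse_zone(zone_text)
    soa = next(rdata for _, rtype, rdata in records if rtype == "SOA")
    return int(soa.split("(")[1].split()[0])


def reverse_zone_name(network):
    """192.168.164.0/24 -> 164.168.192.in-addr.arpa (octet-aligned prefixes only)."""
    net = ipaddress.ip_network(network, strict=False)
    if net.prefixlen % 8:
        raise ValueError("only /8, /16 and /24 map onto a single in-addr.arpa zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_owner(address):
    """Owner name of the PTR record for an IPv4 address, with the trailing dot."""
    return ipaddress.ip_address(address).reverse_pointer + "."


def forward_confirmed_mismatches(forward_text, reverse_text):
    """Report A records without a matching PTR and PTRs without a matching A record."""
    _, fwd = parse_zone(forward_text)
    _, rev = parse_zone(reverse_text)
    a_records = {(owner.lower(), rdata) for owner, rtype, rdata in fwd if rtype == "A"}
    ptr_records = {(owner.lower(), rdata.lower()) for owner, rtype, rdata in rev if rtype == "PTR"}
    problems = []
    for name, addr in sorted(a_records):
        if (ptr_owner(addr), name) not in ptr_records:
            problems.append(f"{name} A {addr} has no matching PTR")
    for owner, target in sorted(ptr_records):
        addr = ".".join(reversed(owner.rstrip(".").replace(".in-addr.arpa", "").split(".")))
        if (target, addr) not in a_records:
            problems.append(f"{owner} PTR {target} has no matching A {addr}")
    return problems


if __name__ == "__main__":
    print("reverse zone for 192.168.164.0/24:", reverse_zone_name("192.168.164.0/24"))
    print("serials:", soa_serial(FORWARD_ZONE), soa_serial(REVERSE_ZONE))
    print("mismatches:", forward_confirmed_mismatches(FORWARD_ZONE, REVERSE_ZONE) or "none")
```

With the two files as written the check reports nothing, because both ns1 and WWW have PTRs at 137 and both PTRs point back at names whose A record is 192.168.164.137. Add an A record without a PTR (the constructed mail example in the test) and it is reported by name and address.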
5. Fix the file permissions
# chgrp named /var/named/123.com.zone     // the file's group must be named
# chmod o= /var/named/192.168.164.zone    // so that other users cannot do anything with the zone file
6. Check the configuration files for syntax errors, restart the named service and reload the zone files with the rndc command
[root@xiaoping named]# named-checkconf
[root@xiaoping named]# named-checkzone 123.com /var/named/123.com.zone
zone 123.com/IN: loaded serial 202032701
OK
[root@xiaoping named]# named-checkzone 164.168.192.in-addr.arpa /var/named/192.168.164.zone
zone 164.168.192.in-addr.arpa/IN: loaded serial 202032801
OK
[root@xiaoping named]# systemctl restart named.service
[root@xiaoping named]# rndc reload
[root@xiaoping named]# rndc status      // show rndc status information
7. Once the above checks pass we can test, using the dig command
First, check which DNS server address is configured on this host
[root@xiaoping named]# vi /etc/resolv.conf
# Generated by NetworkManager
search localdomain
nameserver 192.168.164.137    // I set the local address here as the DNS server IP
(1) Forward lookup of www.123.com
[root@xiaoping named]# dig -t A www.123.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -t A www.123.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7738
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.123.com. IN A
;; ANSWER SECTION:
WWW.123.com. 3600 IN A 192.168.164.137 // resolves to the IP address we configured
;; AUTHORITY SECTION:
123.com. 3600 IN NS ns1.123.com. // the name server used is ns1.123.com.
;; ADDITIONAL SECTION:
ns1.123.com. 3600 IN A 192.168.164.137
;; Query time: 1 msec
;; SERVER: 192.168.164.137#53(192.168.164.137) // server address and port
;; WHEN: Sat Mar 28 17:52:56 CST 2020
;; MSG SIZE rcvd: 94
(2) Reverse lookup of 192.168.164.137
[root@xiaoping named]# dig -x 192.168.164.137
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -x 192.168.164.137
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20518
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;137.164.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
137.164.168.192.in-addr.arpa. 3600 IN PTR WWW.123.com. // this address maps to two names
137.164.168.192.in-addr.arpa. 3600 IN PTR ns1.123.com.
;; AUTHORITY SECTION:
164.168.192.in-addr.arpa. 3600 IN NS ns1.123.com.
;; ADDITIONAL SECTION:
ns1.123.com. 3600 IN A 192.168.164.137
;; Query time: 0 msec
;; SERVER: 192.168.164.137#53(192.168.164.137)
;; WHEN: Sat Mar 28 17:53:20 CST 2020
;; MSG SIZE rcvd: 130
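To turn the two dig runs above into a repeatable check, here is an added Python example (not from the original post) that parses dig's text output and confirms the reply came back NOERROR with the aa (authoritative answer) flag and exactly the expected records. The embedded outputs are copies of the two runs above with the inline comments removed. The ra flag present in both runs means the server offered recursion to this client, which is the condition the options comment warns about for a server reachable from untrusted networks, so the script reports it separately.

```python
import re

# Copy of the forward test output above, without the inline comments.
DIG_FORWARD = """\
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -t A www.123.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7738
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.123.com.                   IN      A

;; ANSWER SECTION:
WWW.123.com.            3600    IN      A       192.168.164.137

;; AUTHORITY SECTION:
123.com.                3600    IN      NS      ns1.123.com.

;; ADDITIONAL SECTION:
ns1.123.com.            3600    IN      A       192.168.164.137

;; Query time: 1 msec
;; SERVER: 192.168.164.137#53(192.168.164.137)
;; WHEN: Sat Mar 28 17:52:56 CST 2020
;; MSG SIZE  rcvd: 94
"""

# Copy of the reverse test output above, without the inline comments.
DIG_REVERSE = """\
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -x 192.168.164.137
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20518
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;137.164.168.192.in-addr.arpa.  IN      PTR

;; ANSWER SECTION:
137.164.168.192.in-addr.arpa. 3600 IN   PTR     WWW.123.com.
137.164.168.192.in-addr.arpa. 3600 IN   PTR     ns1.123.com.

;; AUTHORITY SECTION:
164.168.192.in-addr.arpa. 3600  IN      NS      ns1.123.com.

;; SERVER: 192.168.164.137#53(192.168.164.137)
"""


def parse_dig(output):
    """Extract status, header flags and the answer/authority/additional sections from dig output."""
    result = {"status": None, "flags": set(), "answer": [], "authority": [], "additional": []}
    section = None
    for line in output.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            result["status"] = re.search(r"status: (\w+)", line).group(1)
        elif line.startswith(";; flags:"):
            result["flags"] = set(re.search(r";; flags: ([^;]*);", line).group(1).split())
        elif line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:].split()[0].lower()   # "answer", "authority", "additional", ...
        elif line.startswith(";") or not line.strip():
            continue                                 # comments, question line, blank separators
        elif section in result:
            name, ttl, rclass, rtype, rdata = line.split(None, 4)
            result[section].append((name, int(ttl), rclass, rtype, rdata))
    return result


def verify_authoritative_answer(output, qname, qtype, expected_rdata):
    """True only if the reply is NOERROR, carries aa, and the answer set is exactly expected_rdata."""
    reply = parse_dig(output)
    want_name = qname.lower().rstrip(".") + "."
    got = {rdata.lower() for name, _, _, rtype, rdata in reply["answer"]
           if name.lower() == want_name and rtype == qtype}
    return (reply["status"] == "NOERROR" and "aa" in reply["flags"]
            and got == {r.lower() for r in expected_rdata})


def offers_recursion(output):
    """The ra flag means the server is willing to recurse for the querying client."""
    return "ra" in parse_dig(output)["flags"]


if __name__ == "__main__":
    print("forward ok:", verify_authoritative_answer(DIG_FORWARD, "www.123.com", "A", ["192.168.164.137"]))
    print("reverse ok:", verify_authoritative_answer(
        DIG_REVERSE, "137.164.168.192.in-addr.arpa", "PTR", ["www.123.com.", "ns1.123.com."]))
    print("recursion offered to this client:", offers_recursion(DIG_FORWARD))
```

Pipe a live run into the same function (for example read sys.stdin in place of the embedded strings) after each zone change; a missing aa flag means the answer came from cache or a forwarder rather than from the zone files you just edited.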
————————————————
Copyright notice: this is an original article by CSDN blogger "qq_44828506", published under the CC 4.0 BY-SA licence; when reposting, include the original source link and this notice.
Original link: https://blog.csdn.net/qq_44828506/article/details/105163813