DNS Setup Notes
I have set up the organization's DNS many times, but with long gaps in between, and I never got around to writing it down, so every time I had to look up the material again. From now on I will record it each time for reference. Everything below was configured on CentOS 7.6.
DNS installation and startup
Installation
On Linux, BIND is what is used almost everywhere:
yum -y install bind bind-utils
Note: for additional hardening you can also install bind-chroot, which changes the paths of the configuration and zone data:
/etc => /var/named/chroot/etc
/var/named => /var/named/chroot/var/named/
Starting and stopping
Start: systemctl start named
Stop: systemctl stop named
Restart: systemctl restart named
Enable at boot: systemctl enable named
Disable at boot: systemctl disable named
If bind-chroot is installed, the original named service must be stopped and the named-chroot service used instead.
Master/slave DNS configuration
Master server IP address: 192.168.1.3/24, hostname: dns.test.org
Slave server IP address: 192.168.1.4/24, hostname: dns2.test.org
Note: this domain is for internal use only.
Master server configuration
Configure named.conf
# vim /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
    # change ( listen all )
    listen-on port 53 { any; };
    # change if not use IPv6
    listen-on-v6 { none; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    # query range ( set internal server and so on )
    # with recursion enabled, "any" is only appropriate on a server that is not reachable from the Internet,
    # otherwise it becomes an open resolver
    allow-query { any; };
    # transfer range ( set it if you have secondary DNS )
    allow-transfer { 192.168.1.0/24; };
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};
logging {
    channel default_debug {
        # keep 3 rotated versions and cap the log at 20 MiB (otherwise the log can fill the whole disk)
        file "data/named.run" versions 3 size 20m;
        severity dynamic;
    };
};
# change all from here
view "internal" {
    match-clients { any; };
    match-destinations { any; };
    recursion yes;
    # "." is the root zone; it can be dropped if no external lookups are needed
    /*
    zone "." IN {
        # 3 types: hint - root, master - primary, slave - secondary
        type hint;
        # the 13 default root servers
        file "named.ca";
    };
    */
    zone "test.org" IN {
        type master;
        file "name.test.org.zone";      // forward zone files conventionally end in .zone
        allow-update { none; };
    };
    zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "name.1.168.192.arpa";     // reverse zone files conventionally end in .arpa
        allow-update { none; };
    };
    include "/etc/named.rfc1912.zones"; // the forward and reverse zones above can also be placed in this file
    //include "/etc/named.root.key";
};
/* not used for now
view "external" {
    match-clients { any; };
    allow-query { any; };
    recursion no;
};
*/
# allow-query ⇒ query range you permit
# allow-transfer ⇒ the range you permit to transfer zone info
# recursion ⇒ allow or not to search recursively
# view "internal" { *** }; ⇒ write for internal definition
# view "external" { *** }; ⇒ write for external definition
Note: named-checkconf can be used to check the syntax of the configuration file.
Configure the forward zone
# vim /var/named/name.test.org.zone
$TTL 1D
@       IN SOA  test.org. root (
        ; test.org.: the name is arbitrary, usually the domain name
        ; root: the administrator mailbox, local here; an address such as admin@test.org is written as admin.test.org.
        20190130   ; Serial - update serial number, usually the date of the change; the master's must be larger than the slave's
        1D         ; Refresh
        1H         ; Retry
        1W         ; Expire
        3H         ; Minimum TTL
        )
; zone-file comments start with ';' ('#' is not a comment here and makes named-checkzone fail)
; define name server (master)
        IN NS   dns
; internal IP address of name server
        IN A    192.168.1.3
; define Mail
        IN MX   10 mail
; define name server (slave)
        IN NS   dns2
; define IP address and hostname
dns     IN A    192.168.1.3
; Note: if the line above is removed, 'named-checkzone' reports: zone test.org/IN NS 'dns.3rd.pla95929' has no address records (A or AAAA)
dns2    IN A    192.168.1.4
Note: the zone file can be checked with the following command:
named-checkzone test.org /var/named/name.test.org.zone
Configure the reverse zone
# vim /var/named/name.1.168.192.arpa
$TTL 1D
@       IN SOA  test.org. root (
        ; test.org.: the name is arbitrary, usually the domain name
        ; root: the administrator mailbox, local here; an address such as admin@test.org is written as admin.test.org.
        20190130   ; Serial - update serial number, usually the date of the change; the master's must be larger than the slave's
        1D         ; Refresh
        1H         ; Retry
        1W         ; Expire
        3H         ; Minimum TTL
        )
; define name servers, fully qualified (with a trailing dot) because they live in test.org, not in this zone;
; out-of-zone names need no address record here, so no A record belongs in a reverse zone
        IN NS   dns.test.org.
        IN NS   dns2.test.org.
; define hostname of an IP address
3       IN PTR  dns.test.org.
4       IN PTR  dns2.test.org.
Note: the zone file can be checked with the following command (the zone name is the reverse zone, not test.org):
named-checkzone 1.168.192.in-addr.arpa /var/named/name.1.168.192.arpa
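As an added example (not part of the original notes), a small Python checker that parses the zone-file layout used in the forward and reverse zones above (';' comments, a parenthesised SOA, owner inheritance) and reports the named-checkzone complaint quoted in the notes: an in-zone NS or MX target without an A/AAAA record. The embedded zone text is constructed from the forward zone above; the function names and the MX handling are this example's own.

```python
import re

def parse_zone(text, origin):
    """Parse the $TTL/SOA/NS/A/MX/PTR layout of these notes into (serial, [(owner_fqdn, rrtype, rdata)])."""
    body = re.sub(r";[^\n]*", "", text)                  # ';' starts a comment ('#' does not)
    body = re.sub(r"\(([^)]*)\)", lambda m: m.group(1).replace("\n", " "), body)  # fold SOA (...)
    records, owner, serial = [], origin, None
    for line in body.splitlines():
        fields = line.split()
        if not fields or line.startswith("$"):           # blank line or $TTL/$ORIGIN directive
            continue
        if not line[0].isspace():                        # explicit owner, else inherit the last one
            owner = fields.pop(0).replace("@", origin)
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                                # skip optional TTL and class
        if not fields:
            continue
        rrtype, rdata = fields[0].upper(), fields[1:]
        if rrtype == "SOA":
            serial = int(rdata[2])                       # MNAME RNAME SERIAL REFRESH RETRY EXPIRE MIN
        fqdn = owner if owner.endswith(".") else f"{owner}.{origin}"
        records.append((fqdn, rrtype, rdata))
    return serial, records

def check_zone(text, origin):
    """Mimic named-checkzone for the case in these notes: an in-zone NS (error) or MX (warning)
    target with no A/AAAA record; out-of-zone targets (dns.test.org. in a reverse zone) are fine."""
    serial, records = parse_zone(text, origin)
    have_addr = {o for o, t, _ in records if t in ("A", "AAAA")}
    problems = []
    for _, rrtype, rdata in records:
        if rrtype in ("NS", "MX"):
            target = rdata[-1] if rdata[-1].endswith(".") else f"{rdata[-1]}.{origin}"
            if (target == origin or target.endswith("." + origin)) and target not in have_addr:
                problems.append(f"{rrtype} '{target}' has no address records (A or AAAA)")
    return serial, problems

# Constructed sample: the forward zone above without its 'dns IN A' line; demo() shows the error it causes
FORWARD_ZONE = """$TTL 1D
@    IN SOA test.org. root (
         20190130 1D 1H 1W 3H ) ; serial refresh retry expire minimum
     IN NS dns
     IN A  192.168.1.3
     IN NS dns2
dns2 IN A  192.168.1.4
"""

def demo():
    serial, broken = check_zone(FORWARD_ZONE, "test.org.")
    return serial, broken, check_zone(FORWARD_ZONE + "dns  IN A 192.168.1.3\n", "test.org.")[1]
```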
Slave server configuration
Configuration to add on the master server
First, add the following to the master's named.conf:
options {
    ......
    # add an IP address of slave DNS server
    allow-transfer { localhost; 192.168.1.0/24; };
    ......
};
Then add the slave server's definition to the master's forward zone file:
......
; add Slave server
        IN NS   dns2
......
dns2    IN A    192.168.1.4
......
Configure named.conf on the slave server
view "internal" {
    ......
    # add lines like follows
    zone "test.org" IN {
        type slave;
        masters { 192.168.1.3; };       // the master's address (192.168.1.4 is the slave itself)
        file "slaves/name.test.org.zone";
        notify no;
    };
    include "/etc/named.rfc1912.zones";
    ......
};
Then restart the DNS service: systemctl restart named
DNS forwarding configuration
Forwarding can be global or conditional per zone: global forwarding is defined in options, conditional forwarding inside a zone definition. The following is per-zone forwarding. Requests that reach dns.test.org for names under simple.org are forwarded to dns.simple.org, whose IP address is 192.168.11.3/24. Add the following to named.conf (or named.rfc1912.zones) on dns.test.org:
zone "simple.org" IN {
    type forward;
    forwarders { 192.168.11.3; };   // IP address of dns.simple.org
    forward first;                  // first - try the forwarders first, resolve normally if they fail; only - forward only
};
DNS security-related configuration (open the DNS service in the firewall)
# firewall-cmd --add-service=dns --permanent
# firewall-cmd --reload