centos 7.6的域名服务搭建

在公司内部访问域名时，希望直接解析为局域网地址，通过搭建DNS服务器完成。

yum -y install bind bind-utils bind-chroot
cp -R /usr/share/doc/bind-9.11.4/sample/var/named/* /var/named/chroot/var/named/
touch /var/named/chroot/var/named/data/cache_dump.db
touch /var/named/chroot/var/named/data/named_stats.txt
touch /var/named/chroot/var/named/data/named_mem_stats.txt
touch /var/named/chroot/var/named/data/named.run
mkdir /var/named/chroot/var/named/dynamic
touch /var/named/chroot/var/named/dynamic/managed-keys.bind
chmod -R 777 /var/named/chroot/var/named/data
chmod -R 777 /var/named/chroot/var/named/dynamic
cp -R /etc/named* /var/named/chroot/etc/
chown -R root.named /var/named/chroot/
vim /var/named/chroot/etc/named.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
	listen-on port 53 { any; };                              #修改为any，正式文件不要此注释
	listen-on-v6 port 53 { ::1; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	recursing-file  "/var/named/data/named.recursing";
	secroots-file   "/var/named/data/named.secroots";
	allow-query     { any; };                                #修改为any，正式文件不要此注释

	/* 
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
	   recursion. 
	 - If your recursive DNS server has a public IP address, you MUST enable access 
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification 
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface 
	*/
	recursion yes;

	dnssec-enable yes;
	dnssec-validation yes;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.root.key";

	managed-keys-directory "/var/named/dynamic";

	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
	type hint;
	file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

vim /var/named/chroot/etc/named.rfc1912.zones

zone "your-domain-name.net" IN { 
        type master; 
        file "your-domain-name.net.zone";
};

cp /var/named/chroot/var/named/named.localhost /var/named/chroot/var/named/your-domain-name.net.zone
vim /var/named/chroot/var/named/your-domain-name.net.zone

$TTL 1D
@	IN SOA	@ rname.invalid. (
					0	; serial
					1D	; refresh
					1H	; retry
					1W	; expire
					3H )	; minimum
	NS	@
	A	127.0.0.1
	AAAA	::1
in      IN A    192.168.0.222
svn     IN A    192.168.0.29

iptables -t filter -I INPUT 3 -p tcp --dport 53 -j ACCEPT
iptables -t filter -i INPUT 3 -p udp --dport 53 -j ACCEPT
 
systemctl start named-chroot
systemctl status named-chroot.service
systemctl enable named-chroot