参考文章:https://www.jianshu.com/p/ceaa2cc5715c
1、安装 BIND 服务器软件并启动
yum -y install bind bind-utils
systemctl start named.service // 启动服务
systemctl enable named // 设为开机启动
2、查看named进程是否正常启动
# 检查进程
ps -eaf|grep named
# 检查监听端口
ss -nult|grep :53
[图片上传失败...(image-7569c8-1583830978989)]
3、开放 TCP 和 UDP 的 53 端口
firewall-cmd --permanent --add-port=53/tcp
firewall-cmd --permanent --add-port=53/udp
# 重新加载防火墙配置,让配置生效
firewall-cmd --reload
DNS 服务的相关配置文件
4、修改主要文件
参数-p表示备份文件与源文件的属性一致。
修改前先备份: cp -p /etc/named.conf /etc/named.conf.bak
修改配置:vi /etc/named.conf
配置内容如下:
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
删除这两行
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
listen-on port 53 { 127.0.0.1; }; 改为--> listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; }; 改为--> listen-on-v6 port 53 { any; };
allow-query { localhost; }; 改为--> allow-query { any; };
[图片上传失败...(image-228869-1583830978989)]
语法检查
#检查named.conf是否有语法问题
named-checkconf
5.修改/etc/named.rfc1912.zones
添加配置: vi /etc/named.rfc1912.zones , 配置内容如下:
添加自己的zone
//正向域名
zone "reading.zt" IN {
type master;
file "named.reading.zt";
allow-update { none; };
};
//反向域名
zone "0.168.192.in-addr.arpa" {
type master;
file "named.192.168.0";
allow-update { none; };
};
可以不删除现有文件
5、配置正向解析和反向解析
#基于 name.localhost 模板,创建配置文件:
cp -p /var/named/named.localhost /var/named/named.zp.com
配置正向域名解析文件 named.huanengleasing.com :
vi /var/named/named.zp.com ,配置内容如下:
$TTL 1D
@ IN SOA @ rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS @
A 127.0.0.1
AAAA ::1
test A 192.168.10.2
http://test.zp.com/ 将会解析为 http:192.168.10.2
授权 named 用户
chown :named /var/named/named.zp.com
检查区域文件是否正确
named-checkzone "zp.com" "/var/named/named.zp.com"
【注意】 named.zp.com 最后一行必须是空行
6、添加反向解析域
基于 name.localhost 模板,创建配置文件:
cp -p /var/named/named.localhost /var/named/named.192.168.10
配置反向域名解析文件/named.192.168.10:
vi /var/named/named.192.168.10
$TTL 1D
@ IN SOA @ rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS @
A 127.0.0.1
AAAA ::1
2 PTR test.zp.com
# 授权 named 用户
chown :named /var/named/named.192.168.10
#检查区域文件是否正确
named-checkzone "10.168.192.in-addr.arpa" "/var/named/named.192.168.10"
7、重启 named named-checkzone "10.168.192.in-addr.arpa" "/var/named/named.192.168.10"服务,让配置生效
systemctl restart named
注意:如果重启失败:Job for named.service failed because the control process exited with error code. See "systemctl status named.service" and "journalctl -xe" for details.
查看下提示什么问题,我的问题是53端口被占用了
使用kill -9 pid 杀掉然后就可以重启成功了。
8、在 Linux 下的 DNS 客户端的设置及测试
配置 ifcfg-xxxx ,看具体静态网卡名称
vi /etc/sysconfig/network-scripts/ifcfg-enp0s3 , 具体内容如下:
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens32
UUID=1bb02147-b6ee-4b6b-b509-5ab48091fb66
DEVICE=ens32
ONBOOT=yes
IPADDR=10.213.234.195
PREFIX=24
GATEWAY=10.213.234.195
DNS1=10.213.234.180
DNS2=202.106.0.20
DNS3=114.114.114.114
IPV6_PRIVACY=no
或者
vim /etc/resolv.conf
添加如下内容
nameserver 192.168.10.2
systemctl restart NetworkManager
测试试下:
nslookup testzp.com