CentOS搭建DNS服务器

DNS服务器踩坑路

说明

  • DNS服务器是…(此处省略1万字)

  • 趁着热乎劲,先写明几点坑 :

    • FQDN术语是:完全合格的域名
    • 正向解析是:从FQDN解析成IP地址
    • 反向解析是:从IP地址获得FQDN
    • 配置文件中域名后面都有个".",表示的是FQDN,如果没有"."结尾,表示域名前缀
    • 自定义 zone 文件必须能被 named 进程读取:所属组一定是"named"(所属用户保持 root 即可,默认也可以),权限 640 就够,不要给其他用户读权限;如果 SELinux 处于 enforcing,文件还需要 named_zone_t 标签(放到 /var/named 下后执行 restorecon 即可)
    • 反向解析命名规则:如果地址是"192.168.120.10"(/24 网段),则反向区域要定义成"120.168.192.in-addr.arpa"(注意是 in-addr 而不是 ip-addr):把网络部分的三个字节倒序,再加上 in-addr.arpa 后缀
    • 反向解析头几行和正向解析是一致,下面的主体内容第一列是"IP的第四位",第二列"IN",第三列"PTR",第四列"你的FQDN"
    • 配置文件中,区分都是tab 或者空格,多注意下排版,增加阅读性

实操

环境准备

在阿里云上搭建验证, 弄了Centos Stream 8.0两台机器。
分配的IP是 10.255.255.23 ,用于搭建dns服务
分配的IP是10.255.255.21 ,用于client客户端

安装

注:原文此处直接关闭服务器和客户机上的防火墙和 SELinux。做临时实验可以这样省事,但云主机上不建议:更稳妥的做法是只放行 DNS 端口并保持 SELinux enforcing——`firewall-cmd --permanent --add-service=dns && firewall-cmd --reload`(53/udp 和 53/tcp 都要放行,TCP 用于大应答和区域传送);bind 包自带 SELinux 策略,自定义 zone 文件放在 /var/named 下再执行 `restorecon -Rv /var/named` 即可正常工作。

一行命令搞定安装

# Install the BIND server (bind) and the query tools dig/nslookup (bind-utils).
dnf -y install bind bind-utils

bind是主程序

bind-utils 是工具包,有nslookup 、dig等

bind-chroot 是一个安全增强工具,深入玩可以加上

安装之后,有涉及到几个主要配置文件的修改

/etc/named.conf 主配置文件 服务器运行参数

/etc/named.rfc1912.zones 区域文件 服务器解析的区域配置

/var/named/xx.xx 数据文件 主机名和IP地址的对应关系

配置 named.conf

改动地方有做注释 , 编辑文件 vim /etc/named.conf

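//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Review note: the page's original edits were listen-on { any; } plus
// allow-query { any; } with recursion left on. On an Internet-facing host
// that is an open resolver (see the Red Hat warning inside options). The
// ACL below limits service to this host and the lab network 10.255.255.0/24
// (server 10.255.255.23, client 10.255.255.21); change it to your subnet.
//

acl "trusted" {
        localhost;
        10.255.255.0/24;
};

options {
        // Listen on loopback and the server's own address only; "any" would
        // also bind a public interface if the VM has one.
        listen-on port 53 { 127.0.0.1; 10.255.255.23; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
        // Who may send queries at all (the original had "any").
        allow-query     { trusted; };
        // BIND 9.11 allows zone transfers (AXFR) from anywhere unless told
        // otherwise; there are no secondaries here, so refuse them.
        allow-transfer  { none; };

        /* 
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable 
           recursion. 
         - If your recursive DNS server has a public IP address, you MUST enable access 
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification 
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface 
        */
        // Recursion stays enabled so the lab client can resolve Internet
        // names through this server, but only trusted clients may use it.
        recursion yes;
        allow-recursion { trusted; };

        dnssec-enable yes;
        dnssec-validation yes;

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};


include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";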

配置named.rfc1912.zones

vim /etc/named.rfc1912.zones

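// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package 
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and https://tools.ietf.org/html/rfc6303
// (c)2007 R W Franks
// 
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Note: empty-zones-enable yes; option is default.
// If private ranges should be forwarded, add 
// disable-empty-zone "."; into options
// 

zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
};

// The two zones below were added for this setup.
// zone "bdqn.com" is the forward zone chosen for the lab; use your own name.
// zone "255.255.10.in-addr.arpa" is the reverse zone for 10.255.255.0/24:
// the network octets in reverse order followed by "in-addr.arpa" (see the
// notes at the top of the article).

zone "bdqn.com" IN {                    // forward zone for bdqn.com
        type master;
        file "bdqn.com.zone";           // records live in /var/named/bdqn.com.zone
        allow-update { none; };         // no dynamic updates
        allow-transfer { none; };       // no secondaries, so refuse AXFR
};

zone "255.255.10.in-addr.arpa" IN {     // reverse zone for 10.255.255.0/24
        type master;
        file "255.255.10.arpa";         // records live in /var/named/255.255.10.arpa
        allow-update { none; };         // no dynamic updates
        allow-transfer { none; };       // no secondaries, so refuse AXFR
};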

配置bdqn.com.zone

vim /var/named/bdqn.com.zone

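$TTL 1D
; Forward zone for bdqn.com. The serial must be increased every time this
; file is edited (YYYYMMDDnn is the usual convention); secondaries only
; transfer the zone when the serial grows. Check the file with
; `named-checkzone bdqn.com /var/named/bdqn.com.zone` before reloading.
@       IN SOA  bdqn.com. admin.bdqn.com. (
                                        2022030701 ; serial (YYYYMMDDnn)
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum (negative-cache TTL)
; "@" is the zone origin (bdqn.com.): the apex itself is the name server,
; and the following A record gives the address that NS name resolves to.
        IN NS   @
        IN A    10.255.255.23
; ftp.bdqn.com -> the client machine
ftp     IN A    10.255.255.21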

释义:

​ NS @ 这行声明本区域的权威名称服务器。@ 代表区域原点(bdqn.com.),所以名称服务器就是 bdqn.com 本身,它的地址由紧接着的 A 记录给出

​ A 10.255.255.23 表示 bdqn.com的A记录指向10.255.255.23

ftp A 10.255.255.21 表示ftp.bdqn.com的A记录指向10.255.255.21

配置255.255.10.arpa

vim /var/named/255.255.10.arpa

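$TTL 1D
; Reverse zone for 10.255.255.0/24 (255.255.10.in-addr.arpa). Each PTR
; record's owner name is the host part (last octet) of the address. Bump the
; serial on every edit; check the file with
; `named-checkzone 255.255.10.in-addr.arpa /var/named/255.255.10.arpa`.
@       IN SOA  bdqn.com. admin.bdqn.com. (
                                        2022030701 ; serial (YYYYMMDDnn)
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum (negative-cache TTL)
; The authoritative server for this reverse zone (trailing "." = FQDN).
        IN NS   bdqn.com.
; 10.255.255.23 -> bdqn.com, 10.255.255.21 -> ftp.bdqn.com
23      IN PTR  bdqn.com.
21      IN PTR  ftp.bdqn.com.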

释义:

​ NS bdqn.com. 这行声明本反向区域的权威名称服务器是 bdqn.com.(末尾的 "." 表示这是 FQDN)

23 IN PTR bdqn.com. 这行 [ 23]是IP地址的第四位 ,[bdqn.com]是完整的FQDN

21 IN PTR ftp.bdqn.com. 同上

启动验证

修改自定义的两个文件权限

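# Zone files only need to be readable by the named daemon: root as owner,
# group "named", mode 640 (the same layout the package uses for named.ca and
# named.localhost) keeps them away from other local users.
chown root:named /var/named/bdqn.com.zone /var/named/255.255.10.arpa
chmod 640 /var/named/bdqn.com.zone /var/named/255.255.10.arpa
# With SELinux enforcing the files also need the named_zone_t label; a file
# created by vim may not have it, so restore the default contexts.
restorecon -Rv /var/named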

启动并添加到服务

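# Validate the configuration and both zone files before (re)starting, so a
# typo is reported here instead of leaving the resolver down.
named-checkconf /etc/named.conf
named-checkzone bdqn.com /var/named/bdqn.com.zone
named-checkzone 255.255.10.in-addr.arpa /var/named/255.255.10.arpa
# Start now and on every boot.
systemctl enable --now named
systemctl status named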

验证,主要用 nslookup 和 dig。注意:dig 的反向查询要写成 `dig -x 10.255.255.23`;直接 `dig 10.255.255.23` 会把这串数字当成主机名去查 A 记录,所以下面第三次查询返回 NXDOMAIN 并附带根区的 SOA 是正常现象,并不代表反向解析失败。另外,该应答带有 `ra` 标志,说明服务器在向外递归查询;配合 named.conf 里的 allow-query { any; } 和 recursion yes;,云主机上这就是一台开放解析器,务必用 allow-query / allow-recursion 把服务限制在内网网段。

[root@iZj6chbiu4zjrnce992ua1Z named]# nslookup bdqn.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   bdqn.com
Address: 10.255.255.23

[root@iZj6chbiu4zjrnce992ua1Z named]# nslookup 10.255.255.23
23.255.255.10.in-addr.arpa      name = bdqn.com.

[root@iZj6chbiu4zjrnce992ua1Z named]# dig 10.255.255.23

; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8 <<>> 10.255.255.23
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 17837
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 65f8a5b0a9643fe9073dbb836225c71445f51dd16dae50cf (good)
;; QUESTION SECTION:
;10.255.255.23.                 IN      A

;; AUTHORITY SECTION:
.                       10800   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2022030700 1800 900 604800 86400

;; Query time: 10 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Mar 07 16:49:24 CST 2022
;; MSG SIZE  rcvd: 145

[root@iZj6chbiu4zjrnce992ua1Z named]# dig ftp.bdqn.com

; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8 <<>> ftp.bdqn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28436
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: bb82a9330d94890e18e1e03d6225c72ac64d3a110f4aef98 (good)
;; QUESTION SECTION:
;ftp.bdqn.com.                  IN      A

;; ANSWER SECTION:
ftp.bdqn.com.           86400   IN      A       10.255.255.21

;; AUTHORITY SECTION:
bdqn.com.               86400   IN      NS      bdqn.com.

;; ADDITIONAL SECTION:
bdqn.com.               86400   IN      A       10.255.255.23

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Mar 07 16:49:46 CST 2022
;; MSG SIZE  rcvd: 115
