bind is the mainstream DNS server software on Linux. This article covers installing and configuring a DNS server on RHEL7 with yum.
Install bind online with yum; the version pulled down is 9.9.4
#yum -y install bind
Main file locations:
/etc/named.conf    main configuration file
/var/named    directory holding the zone files
/etc/rndc.conf, /etc/rndc.key    rndc configuration file and key
Forward zone: maps an FQDN to an IP address
Reverse zone: maps an IP address back to an FQDN
Record types:
A record: address; the IP address a domain name maps to
NS record: name server; designates which name server answers for the domain. This is normally the domain's own DNS server, and it must be paired with an A record for that server, so the two always appear together
CNAME: alias record; maps one domain name to another name
MX record: mail exchange; names the host that exchanges mail for the domain. It carries a priority value: the lower the number, the higher the priority, so with several mail servers the one with the highest priority receives mail first
SOA: Start of Authority, usually written as:
google.com. IN SOA ns1.google.com. adminmail.google.com.
Here google.com. can be replaced by @, the fourth field is the NS record (the primary name server), and the last field is the administrator's mailbox; because @ has a special meaning in a zone file, the @ in the address is written as a dot
serial: update serial; if it changes, the slave synchronises from the master when its refresh time comes
Refresh: refresh interval; how often the slave synchronises from the master
Retry: retry interval; how long the slave waits before trying again after a failed synchronisation with the master
expire: expiry time; if the slave keeps failing to reach the master and gets no response, once the expire period has passed the slave's copy expires and the zone file is deleted
negative TTL (na ttl): cache time for names that cannot be resolved
The default unit is seconds; M (minutes), H (hours), D (days) and W (weeks) can also be used
TTL value: how long DNS answers are cached, default unit seconds
Zone types:
hint: the root zone, usually written as .
master: primary zone
slave: secondary zone; when declaring a slave zone the master's address must be given with masters { Master_IP; };
forward: forwarding zone; it does not resolve names itself but hands the queries to the specified DNS server
1. Single-server configuration
The example below uses google.com, with the local network 10.1.0.0/16: ns1.google.com (10.1.17.221) is the NS server, www.google.com resolves to 10.1.17.221, mail.google.com to 10.1.17.222, and www2 is an alias of www. First edit /etc/named.conf with vim; the first three directives below belong inside the options { } block:
listen-on port 53 { 10.1.17.221; };    # port and address to listen on; a specific IP can be given, the default is 127.0.0.1
directory "/var/named";                # directory holding the zone files; file names below are relative to it
allow-query { 10.1.0.0/16; };          # networks allowed to query; opened to the intranet here, use any for a public server
zone "google.com" IN {                 # forward zone, zone file /var/named/google.zone
    type master;
    file "google.zone";
};
zone "17.1.10.in-addr.arpa" IN {       # reverse zone; .in-addr.arpa is fixed, 17.1.10 is 10.1.17 written backwards
    type master;
    file "zone.google";
};
Go to /var/named and create the file google.zone
$TTL 7200
google.com. IN SOA ns1.google.com. adminmail.google.com. (
        2015100301 2H 5M 1W 4H )
        IN NS ns1
        IN MX 10 mail
ns1     IN A 10.1.17.221
www     IN A 10.1.17.221
mail    IN A 10.1.17.222
www2    IN CNAME WWW
Set the attributes of google.zone
#chmod 640 google.zone
#chown root:named google.zone
Copy google.zone to zone.google and edit it
#cp -p google.zone zone.google
#vim zone.google
$TTL 7200
@   IN SOA ns1.google.com. adminmail.google.com. (
        2015100301 2H 5M 1W 4H )
@   IN NS ns1.google.com.
221 IN PTR ns1.google.com.
221 IN PTR www.google.com.
222 IN PTR mail.google.com.
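As an added example (not code from the original article), a small Python parser for zone files laid out like google.zone above, which then applies the pairing rule from the record-type notes: every NS, MX or CNAME target inside the zone needs an A record. The zone text is constructed from the article's google.zone; parse_zone and check_glue are names chosen here.

```python
import re
# Constructed sample: the article's /var/named/google.zone, reproduced as text
ZONE_TEXT = """\
$TTL 7200
google.com. IN SOA ns1.google.com. adminmail.google.com. (
        2015100301 2H 5M 1W 4H )
        IN NS ns1
        IN MX 10 mail
ns1     IN A 10.1.17.221
www     IN A 10.1.17.221
mail    IN A 10.1.17.222
www2    IN CNAME WWW
"""

def absolute(name, origin):
    if name == "@":                       # '@' stands for the origin
        return origin
    return name.lower() if name.endswith(".") else f"{name.lower()}.{origin}"

def parse_zone(text, origin):
    """Return (default_ttl, [(owner, type, rdata)]) with all owner names made absolute."""
    origin = origin.rstrip(".").lower() + "."
    # fold the "( ... )" continuation of the SOA onto one logical line
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)
    ttl, records, owner = None, [], origin
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue                      # blank line or ';' comment
        if line.startswith("$TTL"):
            ttl = int(line.split()[1])
            continue
        fields = line.split()
        if not line[0].isspace():         # explicit owner in column one
            owner = absolute(fields.pop(0), origin)
        if fields[0] == "IN":
            fields.pop(0)                 # class is optional, default IN
        records.append((owner, fields[0], fields[1:]))
    return ttl, records

def check_glue(records, origin):
    """Pairing rule from the notes: every in-zone NS, MX or CNAME target needs an A record."""
    origin = origin.rstrip(".").lower() + "."
    in_zone = lambda n: n == origin or n.endswith("." + origin)
    have_a = {o for o, t, _ in records if t == "A"}
    problems = []
    for owner, rtype, rdata in records:
        target = absolute(rdata[-1], origin) if rtype in ("NS", "MX", "CNAME") else None
        if target and in_zone(target) and target not in have_a:
            problems.append(f"{rtype} {owner} -> {target} has no A record")
    return problems
```

Running check_glue on a zone that adds an NS record for ns2 without its A record reports the missing glue, which named-checkzone would also warn about.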
Now check the configuration, open the firewall, and enable the service at boot
#named-checkconf
#systemctl enable named
ln -s '/usr/lib/systemd/system/named.service' '/etc/systemd/system/multi-user.target.wants/named.service'
#firewall-cmd --permanent --add-service=dns
success
#firewall-cmd --reload
success
#named-checkzone google.com /var/named/google.zone
zone google.com/IN: loaded serial 2015100301
OK
#named-checkzone 17.1.10.in-addr.arpa /var/named/zone.google
zone 17.1.10.in-addr.arpa/IN: loaded serial 2015100301
OK
# systemctl start named
Resolve with dig
dig -t A www.google.com @10.1.17.221
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> -t A www.google.com @10.1.17.221
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53996
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.com. IN A
;; ANSWER SECTION:
www.google.com. 7200 IN A 10.1.17.221
;; AUTHORITY SECTION:
google.com. 7200 IN NS ns1.google.com.
;; ADDITIONAL SECTION:
ns1.google.com. 7200 IN A 10.1.17.221
;; Query time: 0 msec
;; SERVER: 10.1.17.221#53(10.1.17.221)
;; WHEN: Sat Oct 03 18:16:06 CST 2015
;; MSG SIZE rcvd: 93
dig -t NS google.com @10.1.17.221
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> -t NS google.com @10.1.17.221
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35541
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com. IN NS
;; ANSWER SECTION:
google.com. 7200 IN NS ns1.google.com.
;; ADDITIONAL SECTION:
ns1.google.com. 7200 IN A 10.1.17.221
;; Query time: 0 msec
;; SERVER: 10.1.17.221#53(10.1.17.221)
;; WHEN: Sat Oct 03 18:16:49 CST 2015
;; MSG SIZE rcvd: 73
Reverse-resolve 10.1.17.222
dig -x 10.1.17.222 @10.1.17.221
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> -x 10.1.17.222 @10.1.17.221
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46954
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;222.17.1.10.in-addr.arpa. IN PTR
;; ANSWER SECTION:
222.17.1.10.in-addr.arpa. 7200 IN PTR mail.google.com.
;; AUTHORITY SECTION:
17.1.10.in-addr.arpa. 7200 IN NS ns1.google.com.
;; ADDITIONAL SECTION:
ns1.google.com. 7200 IN A 10.1.17.221
;; Query time: 0 msec
;; SERVER: 10.1.17.221#53(10.1.17.221)
;; WHEN: Sat Oct 03 18:17:37 CST 2015
;; MSG SIZE rcvd: 116
2. Master/slave configuration
Now add a second server with the IP address 10.1.17.249
#yum -y install bind
#systemctl enable named
#firewall-cmd --permanent --add-service=dns
success
# firewall-cmd --reload
success
On the master, edit the google.zone zone file: add the two lines below, which define the slave's NS record, and change the serial to 2015100302
google.com. IN NS ns2
ns2 IN A 10.1.17.249
Reload the configuration by restarting named:
#systemctl restart named
Configure /etc/named.conf on the slave
listen-on port 53 { 10.1.17.249; };
allow-query { 10.1.0.0/16; };
zone "google.com" IN {
    type slave;
    masters { 10.1.17.221; };
    file "slaves/google.zone";
};
zone "17.1.10.in-addr.arpa" IN {
    type slave;
    masters { 10.1.17.221; };
    file "slaves/zone.google";
};
No zone files need to be created on the slave; just start the named service
#systemctl start named
#tail -n 30 /var/log/messages
Oct 3 10:54:48 sunny named[70231]: zone google.com/IN: transferred serial 2015100301
Oct 3 10:54:48 sunny named[70231]: transfer of 'google.com/IN' from 10.1.17.221#53: Transfer completed: 1 messages, 8 records, 224 bytes, 0.002 secs (112000 bytes/sec)
Oct 3 10:54:48 sunny named[70231]: zone 17.1.10.in-addr.arpa/IN: Transfer started.
Oct 3 10:54:48 sunny named[70231]: transfer of '17.1.10.in-addr.arpa/IN' from 10.1.17.221#53: connected using 10.1.17.249#54080
Oct 3 10:54:48 sunny named[70231]: zone 17.1.10.in-addr.arpa/IN: transferred serial 2015100301
Oct 3 10:54:48 sunny named[70231]: transfer of '17.1.10.in-addr.arpa/IN' from 10.1.17.221#53: Transfer completed: 1 messages, 6 records, 207 bytes, 0.002 secs (103500 bytes/sec)
Look at the /var/named/slaves directory
# ll slaves/
total 8
-rw-r--r--. 1 named named 401 Oct 3 10:54 google.zone
-rw-r--r--. 1 named named 333 Oct 3 10:54 zone.google
The zone files have been transferred over
dig -t ns google.com @10.1.17.249
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> -t ns google.com @10.1.17.249
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33041
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com. IN NS
;; ANSWER SECTION:
google.com. 7200 IN NS ns2.google.com.
google.com. 7200 IN NS ns1.google.com.
;; ADDITIONAL SECTION:
ns1.google.com. 7200 IN A 10.1.17.221
ns2.google.com. 7200 IN A 10.1.17.249
;; Query time: 0 msec
;; SERVER: 10.1.17.249#53(10.1.17.249)
;; WHEN: Sat Oct 03 11:01:46 CST 2015
;; MSG SIZE rcvd: 107
Master/slave synchronisation succeeded. One thing to note: when adding NS records, increment the serial in the zone file (+1); the master then actively notifies the slave to synchronise. Otherwise the slave only synchronises when its refresh time comes
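As an added example (not from the original article), the serial check behind that note in Python: the slave compares serials with RFC 1982 arithmetic, so only a serial that has actually gone up triggers a transfer. bump_serial produces the next YYYYMMDDnn value in the article's scheme; the function names, the integer date prefix argument and the fallback to old + 1 are this example's own assumptions.

```python
from datetime import date

SERIAL_BITS = 2 ** 32

def serial_newer(new, old):
    """RFC 1982 serial-number arithmetic, which is what a slave applies to the master's SOA:
    'new' counts as newer only if it is 1..2**31-1 ahead of 'old' modulo 2**32. A serial
    that went down, or jumped too far, is not newer and the slave keeps its old copy."""
    return 0 < (new - old) % SERIAL_BITS < 2 ** 31

def slave_will_transfer(master_serial, slave_serial):
    """What the slave decides on a NOTIFY or at refresh time: transfer only if the master is newer."""
    return serial_newer(master_serial, slave_serial)

def today_prefix():
    """YYYYMMDD as an integer, e.g. 20151003 (assumed scheme, matching the article's serials)."""
    return int(date.today().strftime("%Y%m%d"))

def bump_serial(old, prefix):
    """Next YYYYMMDDnn serial (2015100301 -> 2015100302). Same day: nn + 1; new day: start at 01.
    If the date-based candidate would not count as newer (clock set back, nn already 99),
    fall back to old + 1 so the slave still sees an increase."""
    same_day = old // 100 == prefix
    candidate = old + 1 if same_day and old % 100 < 99 else prefix * 100 + 1
    if not serial_newer(candidate, old):
        candidate = (old + 1) % SERIAL_BITS
    return candidate
```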
3. Forwarding server setup
First change the dnssec-related settings in the main configuration file, mainly this line:
dnssec-lookaside auto;
Then define a zone:
zone "google.com" IN {
    type forward;
    forward first;
    forwarders { 10.1.17.221; };
};
forward first means the query is forwarded first and, if forwarding gives no result, is sent to the root servers instead; the other option is only, which means forward only
forwarders names the DNS server(s) to which the requests are forwarded
dig -t A mail.google.com
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> -t A mail.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51515
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mail.google.com. IN A
;; ANSWER SECTION:
mail.google.com. 7200 IN A 10.1.17.222
;; AUTHORITY SECTION:
google.com. 7200 IN NS ns2.google.com.
google.com. 7200 IN NS ns1.google.com.
;; ADDITIONAL SECTION:
ns2.google.com. 7200 IN A 10.1.17.249
ns1.google.com. 7200 IN A 10.1.17.221
;; Query time: 2 msec
;; SERVER: 10.1.17.224#53(10.1.17.224)
;; WHEN: Sat Oct 03 11:47:31 CST 2015
;; MSG SIZE rcvd: 128
Tested on the third machine (10.1.17.224); the name resolves normally
4. Defining a subdomain
There is a subdomain tech.google.com. to be delegated to the third server, 10.1.17.224. First edit the zone file on the master: vim /var/named/google.zone
$TTL 7200
google.com. IN SOA ns1.google.com. adminmail.google.com. (
        2015100303 2H 5M 1W 4H )
        IN NS ns1
        IN MX 10 mail
google.com. IN NS ns2
tech        IN NS ns1.tech
ns1.tech    IN A 10.1.17.224
ns2         IN A 10.1.17.249
ns1         IN A 10.1.17.221
www         IN A 10.1.17.221
mail        IN A 10.1.17.222
www2        IN CNAME WWW
Change the serial and add the NS and A records for tech. Note that on the master the two settings dnssec-enable and dnssec-validation must both be changed to no (dnssec-enable no; dnssec-validation no;)
Edit the main configuration file on the subdomain server
zone "tech.google.com" IN {
    type master;
    file "tech.google.zone";
};
Create a zone file tech.google.zone and set its permissions
$TTL 7200
@    IN SOA ns1.tech.google.com. admin.tech.google.com. (
        2015100301 2H 5M 1W 4H )
     IN NS ns1
ns1  IN A 10.1.17.224
info IN A 10.1.17.226
www  IN A 10.1.17.225
Test on the subdomain server
dig -t A www.tech.google.com
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> -t A www.tech.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62468
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.tech.google.com. IN A
;; ANSWER SECTION:
www.tech.google.com. 7200 IN A 10.1.17.225
;; AUTHORITY SECTION:
tech.google.com. 7200 IN NS ns1.tech.google.com.
;; ADDITIONAL SECTION:
ns1.tech.google.com. 7200 IN A 10.1.17.224
;; Query time: 0 msec
;; SERVER: 10.1.17.224#53(10.1.17.224)
;; WHEN: Sat Oct 03 14:39:37 CST 2015
;; MSG SIZE rcvd: 98
The flags show an authoritative answer (aa)
Now test against the parent domain
dig -t A www.tech.google.com @10.1.17.221
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> -t A www.tech.google.com @10.1.17.221
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23320
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.tech.google.com. IN A
;; ANSWER SECTION:
www.tech.google.com. 7183 IN A 10.1.17.225
;; AUTHORITY SECTION:
tech.google.com. 6832 IN NS ns1.tech.google.com.
;; ADDITIONAL SECTION:
ns1.tech.google.com. 6832 IN A 10.1.17.224
;; Query time: 0 msec
;; SERVER: 10.1.17.221#53(10.1.17.221)
;; WHEN: Sat Oct 03 22:38:38 CST 2015
;; MSG SIZE rcvd: 98
The test on the parent works too. The answer has no aa flag and its TTLs are counting down, so the parent obtained it through the delegation and is serving it from cache
5. The view feature
Names can resolve to different addresses depending on the source network of the query, which can be used for CDN acceleration. bind supports ACLs, and the different networks are defined with different ACLs
#vim /etc/named.conf
acl intranet { 10.1.0.0/16; };
acl internet { ! 10.1.0.0/16; any; };
view "lan" {
    match-clients { intranet; };
    zone "google.com" IN {
        type master;
        file "google.zone.lan";
    };
};
view "wan" {
    match-clients { internet; };
    zone "google.com" IN {
        type master;
        file "google.zone.wan";
    };
};
Now define the two zone files separately, with the corresponding A records resolving to different addresses; users then receive different addresses depending on which view their DNS query lands in
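As an added example (not from the original article), the view selection above modelled in Python: BIND evaluates an address match list in order and the first element that covers the client decides, so in acl internet the negated prefix has to come before any. ACLS and VIEWS are constructed from the named.conf above; BAD_INTERNET is a deliberately wrong variant added for contrast, and the function names are this example's own.

```python
import ipaddress

# Constructed from the article's named.conf: the two ACLs and the match-clients of the two views
ACLS = {
    "intranet": ["10.1.0.0/16"],
    "internet": ["! 10.1.0.0/16", "any"],
}
VIEWS = [("lan", ["intranet"]), ("wan", ["internet"])]
# A common mistake (constructed for contrast): with 'any' first the negation is never reached
BAD_INTERNET = ["any", "! 10.1.0.0/16"]

def match_list(addr, elements, acls):
    """BIND address-match-list semantics: elements are tried in order and the FIRST one that
    covers the address decides; a '!' element that covers it rejects, a plain one accepts.
    If nothing covers the address, the list does not match."""
    for element in elements:
        negate = element.startswith("!")
        target = element.lstrip("!").strip()
        if target == "any":
            covered = True
        elif target == "none":
            covered = False
        elif target in acls:                      # nested ACL name
            covered = match_list(addr, acls[target], acls)
        else:                                     # IP prefix
            covered = addr in ipaddress.ip_network(target, strict=False)
        if covered:
            return not negate
    return False

def acl_allows(client_ip, elements, acls=ACLS):
    """Convenience wrapper taking the client address as a string."""
    return match_list(ipaddress.ip_address(client_ip), elements, acls)

def select_view(client_ip, views=VIEWS, acls=ACLS):
    """Views are tried in configuration order; the first whose match-clients accepts the
    client answers the query, so that client never sees data from a later view."""
    for name, match_clients in views:
        if acl_allows(client_ip, match_clients, acls):
            return name
    return None                                   # no view matched: BIND answers REFUSED
```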