一、安装BIND
[root@server ~]# yum clean all [root@server ~]# yum repolist [root@server ~]# yum list | grep '^bind\.' [root@server ~]# yum -y install bind*
二、配置主配置文件
- 先备份要修改的文件,配置出错时可以用备份回退。
[root@server ~]# cp /etc/named.conf /etc/named.conf.backup
- 配置named.conf主配置文件
主要修改这两处信息,其余信息根据实际情况自行调整。注意:allow-query { any; } 与 recursion yes 同时开启意味着任何来源都可以通过本机做递归解析(即“开放递归解析器”),named.conf 自带的注释也提醒这会被利用于 DNS 放大攻击。实验环境可以这样配置;若服务器面向非受控网络,应把 allow-query / allow-recursion 限制为自己的网段。
listen-on port 53 { any; };
allow-query { any; };
按
:wq
保存退出
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
	listen-on port 53 { any; };    #在本机所有地址的53端口上监听
	#listen-on-v6 port 53 { ::1; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	recursing-file  "/var/named/data/named.recursing";
	secroots-file   "/var/named/data/named.secroots";
	allow-query     { any; };    #允许所有网段使用本解析服务

	/*
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable
	   recursion.
	 - If your recursive DNS server has a public IP address, you MUST enable access
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface
	*/
	recursion yes;

	dnssec-enable yes;
	dnssec-validation yes;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.root.key";

	managed-keys-directory "/var/named/dynamic";

	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
	type hint;
	file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
三、配置区域配置文件。添加正向解析配置。
在末尾添加如下配置。
vim /etc/named.rfc1912.zones
zone "xybdns.com" IN {
type master;
file "xybdns.com.zone";
allow-update { none; };
};
按:wq保存退出
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "localhost.localdomain" IN {
	type master;
	file "named.localhost";
	allow-update { none; };
};

zone "localhost" IN {
	type master;
	file "named.localhost";
	allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
	type master;
	file "named.loopback";
	allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
	type master;
	file "named.loopback";
	allow-update { none; };
};

zone "0.in-addr.arpa" IN {
	type master;
	file "named.empty";
	allow-update { none; };
};

zone "xybdns.com" IN {            #正向解析区域 "xybdns.com"
	type master;                  #类型:主服务器(master)
	file "xybdns.com.zone";       #指定区域数据文件为xybdns.com.zone
	allow-update { none; };       #不允许动态更新
};
四、配置正向区域数据文件
- 以 named.localhost 为模板拷贝一份区域数据文件,cp -a 会保留源文件的权限和属主(named 组需要能读取该文件)。
cp -a named.localhost xybdns.com.zone
[root@server ~]# cd /var/named/ [root@server named]# cp -a named.localhost xybdns.com.zone [root@server named]# ll total 28 drwxr-x--- 7 root named 61 Jul 9 05:18 chroot drwxrwx--- 2 named named 49 Jul 20 03:11 data -rw-r----- 1 root named 259 Jul 14 03:42 dnsdiy.com.zone drwxrwx--- 2 named named 31 Jul 20 01:25 dynamic -rw-r----- 1 root named 2253 Apr 5 2018 named.ca -rw-r----- 1 root named 152 Dec 15 2009 named.empty -rw-r----- 1 root named 152 Jun 21 2007 named.localhost -rw-r----- 1 root named 168 Dec 15 2009 named.loopback drwxrwx--- 2 named named 6 Apr 29 10:05 slaves -rw-r----- 1 root named 515 Jul 20 04:26 xybdns.com.zone -rw-r----- 1 root named 538 Jul 14 03:53 xybdns.com.zone.bakup
- 配置正向区域数据文件
注意:SOA 记录中的邮箱 root.xybdns.com. 用“.”代替了邮箱里的“@”(因为 @ 在区域文件中有特殊含义),末尾的“.”也不能遗漏。另外,区域数据文件中的注释必须以“;”开头(如下文的 "; serial"),下面 # 之后的中文仅为说明文字,不要原样写进文件。
[root@server named]# vim xybdns.com.zone #进入配置文件 [root@server named]# cat xybdns.com.zone #查看配置文件 $TTL 1D #有效解析记录的生成周期 @ IN SOA xybdns.com. root.xybdns.com. ( #@表示当前的DNS区域名表示这个域名 SOA表示授权信息开启 后面表示邮件地址因为@有特殊含义 所以使用.代替 0 ; serial #更新序列号,可以是10以内的整数 1D ; refresh #刷新时间,重新下载地址数据的间隔 1H ; retry #重试延迟,下载失败后的重试延迟 1W ; expire #失效时间,超过该时间仍无法下载则放弃 3H ) ; minimum #无效解析记录的生存周期 IN NS server.xybdns.com. #记录当前区域DNS服务器的名称 IN MX 10 server.xybdns.com. #MX为邮件服务器 10表示优先级 数字越大优先级越低 server IN A 192.168.200.115 #记录正向解析域名对应的IP,即将域名与IP绑捆 web IN A 192.168.200.115 vsan7 IN A 192.168.200.118
- 修改主机名
[root@server ~]# hostnamectl set-hostname server.xybdns.com [root@server ~]# bash [root@server ~]# hostname server.xybdns.com
- 配置文件语法检查工具
named-checkconf -z /etc/named.conf
该命令只检查语法以及区域文件能否加载,不检查记录之间的逻辑关系。每个区域都输出 "loaded serial N" 即表示加载成功;这里的数字是 SOA 记录中的 serial 值(本例为 0),不是错误数。
[root@server ~]# named-checkconf -z /etc/named.conf zone localhost.localdomain/IN: loaded serial 0 zone localhost/IN: loaded serial 0 zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0 zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0 zone 0.in-addr.arpa/IN: loaded serial 0 zone xybdns.com/IN: loaded serial 0
五、启动DNS服务
- 启动前,确认防火墙和 SELinux 不会拦截 named:下文为了简化实验直接关闭了二者;在生产环境中更稳妥的做法是只在防火墙中放行 DNS 服务(53/tcp、53/udp),并保留防火墙和 SELinux 运行。
关闭防火墙并设置开机不自启动防火墙
[root@server ~]# systemctl stop firewalld && systemctl disable firewalld [root@server ~]# systemctl status firewalld ● firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled) Active: inactive (dead) Docs: man:firewalld(1)
关闭SELINUX安全模式
[root@server ~]# cat /etc/selinux/config # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=disabled #修改为disabled保存退出 # SELINUXTYPE= can take one of three values: # targeted - Targeted processes are protected, # minimum - Modification of targeted policy. Only selected processes are protected. # mls - Multi Level Security protection. SELINUXTYPE=targeted [root@server ~]# getenforce #重启生效 Disabled
- 启动dns服务
systemctl start named
systemctl enable named
[root@server ~]# systemctl start named [root@server ~]# systemctl enable named [root@server ~]# systemctl status named
- 查看53号监听端口是否开启
若执行不了netstat命令,请先输入
yum install -y net-tools
命令安装 net-tools 工具,然后执行 netstat -anpt | grep 53 查看监听端口(注意 -t 只显示 TCP;DNS 查询主要走 UDP 53,可用 netstat -anpu | grep 53 确认)。
[root@server ~]# netstat -anpt | grep 53 tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 2416/named tcp 0 0 192.168.200.115:53 0.0.0.0:* LISTEN 2416/named tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 2416/named tcp6 0 0 ::1:953 :::* LISTEN 2416/named
六、测试DNS服务器
- 在Windows 10环境下测试
设置所在网络配置,添加DNS服务器地址、默认网关等信息。如图所示。
- 在linux环境下测试
设置 DNS:编辑网卡配置文件(下文为 /etc/sysconfig/network-scripts/ifcfg-ens32),添加一行
DNS=192.168.200.115
按:wq保存退出
[root@test ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens32 TYPE=Ethernet PROXY_METHOD=none BROWSER_ONLY=no BOOTPROTO=static DEFROUTE=yes IPV4_FAILURE_FATAL=no NAME=ens32 UUID=db4e154b-6cc7-420c-a43c-e5a27af7749d DEVICE=ens32 ONBOOT=yes IPADDR=192.168.200.120 NETMASK=255.255.255.0 GATEWAY=192.168.200.1 DNS=192.168.200.115
安装nslookup
yum provides nslookup
yum install -y bind-utils
[root@test ~]# yum provides nslookup Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile 32:bind-utils-9.11.4-9.P2.el7.x86_64 : Utilities for querying DNS name servers Repo : centos Matched from: Filename : /usr/bin/nslookup 32:bind-utils-9.11.4-9.P2.el7.x86_64 : Utilities for querying DNS name servers Repo : @centos Matched from: Filename : /usr/bin/nslookup [root@test ~]# yum install -y bind-utils Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile Package 32:bind-utils-9.11.4-9.P2.el7.x86_64 already installed and latest version Nothing to do
[root@test ~]# ping baidu.com PING baidu.com (220.181.38.148) 56(84) bytes of data. 64 bytes from 220.181.38.148 (220.181.38.148): icmp_seq=1 ttl=128 time=45.0 ms ^C --- baidu.com ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 45.080/45.080/45.080/0.000 ms [root@test ~]# ping server.xybdns.com PING server.xybdns.com (192.168.200.115) 56(84) bytes of data. 64 bytes from 192.168.200.115 (192.168.200.115): icmp_seq=1 ttl=64 time=0.148 ms 64 bytes from 192.168.200.115 (192.168.200.115): icmp_seq=2 ttl=64 time=0.330 ms ^C --- server.xybdns.com ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1002ms rtt min/avg/max/mdev = 0.148/0.239/0.330/0.091 ms [root@test ~]# nslookup www.baidu.com Server: 192.168.200.115 Address: 192.168.200.115#53 Non-authoritative answer: www.baidu.com canonical name = www.a.shifen.com. Name: www.a.shifen.com Address: 180.101.49.11 Name: www.a.shifen.com Address: 180.101.49.12 [root@test ~]# nslookup server.xybdns.com Server: 192.168.200.115 Address: 192.168.200.115#53 Name: server.xybdns.com Address: 192.168.200.115