Software: bind-9.3,4 (the session transcript below was captured with bind-9.1.2; the steps are the same)
Operating system: Linux/FreeBSD
Download the release, verify ISC's PGP signature on the tarball before unpacking it, and unpack:
[root@srv-3 src]# tar -xzf bind*.gz
Change to the source tree and run configure:
[root@srv-3 src]# cd bind*
[root@srv-3 bind-9.1.2]# ./configure
creating cache ./config.cache
checking host system type... i586-pc-linux-gnu
checking whether make sets ${MAKE}... yes
checking for ranlib... ranlib
checking for a BSD compatible install... /usr/bin/install -c
checking for ar... /usr/bin/ar
.
.
.
creating doc/Makefile
creating doc/arm/catalog
creating doc/arm/nominum-docbook-html.dsl
creating doc/arm/validate.sh
creating doc/arm/genhtml.sh
creating isc-config.sh
creating config.h
Run make and make install. While it is compiling, read the BIND 9 Administrator Reference Manual that ships in the source tree, /usr/local/src/bind-9.1.2/doc/arm/Bv9ARM.html.
[root@srv-3 bind-9.1.2]# make
making all in /usr/local/src/bind-9.1.2/make
make[1]: Entering directory `/usr/local/src/bind-9.1.2/make'
.
.
.
gcc -g -O2 -o named-checkzone named-checkzone.o check-tool.o ../../lib/dns/libdns.a ../../lib/isc/libisc.a -lnsl -lpthread
make[2]: Leaving directory `/usr/local/src/bind-9.1.2/bin/check'
make[1]: Leaving directory `/usr/local/src/bind-9.1.2/bin'
making all in /usr/local/src/bind-9.1.2/doc
make[1]: Entering directory `/usr/local/src/bind-9.1.2/doc'
make[1]: Leaving directory `/usr/local/src/bind-9.1.2/doc'
[root@srv-3 bind-9.1.2]#
[root@srv-3 bind-9.1.2]# make install
making install in /usr/local/src/bind-9.1.2/make
make[1]: Entering directory `/usr/local/src/bind-9.1.2/make'
make[1]: Leaving directory `/usr/local/src/bind-9.1.2/make'
.
.
.
/bin/sh ./mkinstalldirs /usr/local/bin
/usr/bin/install -c isc-config.sh /usr/local/bin
[root@srv-3 bind-9.1.2]#
Let's see if all is good and the version checks out:
[root@srv-3 bind-9.1.2]# named -v
BIND 9.1.2
Here is our /etc/named.conf file:
[root@srv-3 /etc]# cat /etc/named.conf
options {
        directory "/var/named";
        pid-file "/var/named/named.pid";
};
zone "." {
        type hint;
        file "named.ca";
};
zone "100.50.10.in-addr.arpa" {
        type master;
        file "db.100.50.10.in-addr.arpa";
};
zone "signalq.com" {
        type master;
        file "db.signalq.com";
};
The directory option sets named's working directory; the file names in the zone statements are relative to it. The pid-file option matters because we are going to run named as a nonprivileged user that must be able to create and later remove named.pid, and we don't want to make /var writable for that. The zone "." statement names the hint file, which lists the root servers BIND starts from when resolving names outside its own zones. The zone "100.50.10.in-addr.arpa" statement loads the reverse zone (lookup by IP address; the network 10.50.100 written with its octets reversed) and the zone "signalq.com" statement loads the forward zone. Note what this minimal options block does not say: BIND 9.1 defaults to recursion yes with allow-recursion { any; }, so as written the server answers recursive queries for anyone who can reach port 53. On a host reachable from the Internet add allow-recursion { 127.0.0.1; 10.50.100.0/24; }; (use your own network here), or recursion no; on a purely authoritative server, and an allow-transfer list on the zones.
Make a /var/named directory:
[root@srv-3 /etc]# cd /var
[root@srv-3 /var]# ls
arpwatch  db   lib    lock  lost+found  nis  preserve  spool  tmp  www
cache     ftp  local  log   mail        opt  run       state  tux  yp
[root@srv-3 /var]# mkdir named
[root@srv-3 /var]#
Here are our forward and reverse zone files:
[root@srv-3 /var]# cd named
[root@srv-3 named]# cat db.signalq.com
$TTL 86400
@       IN      SOA     srv-3.signalq.com. dnsadmin.signalq.com. (
                        2001050801      ; Serial
                        21600           ; Refresh, 6 hours
                        1800            ; Retry, 30 minutes
                        1209600         ; Expire, 2 weeks
                        432000 )        ; Negative caching TTL, 5 days ($TTL above sets the default record TTL)
        IN      NS      srv-3.signalq.com.
        IN      MX      10 srv-3.signalq.com.
localhost       IN      A       127.0.0.1
srv-33          IN      A       10.50.100.51
srv-3           IN      A       10.50.100.52
srv-34          IN      A       10.50.100.53
www             IN      CNAME   srv-34
[root@srv-3 named]#
[root@srv-3 named]# cat db.100.50.10.in-addr.arpa
$TTL 86400
; The SOA RNAME is a mailbox written as user.domain. with a dot in place of the @
; and a trailing dot; dnsadmin@signalq.com would load, but as a relative name
; with the zone origin appended.
@       IN      SOA     srv-3.signalq.com. dnsadmin.signalq.com. (
                        2001050801      ; Serial
                        21600           ; Refresh, 6 hours
                        1800            ; Retry, 30 minutes
                        1209600         ; Expire, 2 weeks
                        432000 )        ; Negative caching TTL, 5 days
        IN      NS      srv-3.signalq.com.
51      IN      PTR     srv-33.signalq.com.
52      IN      PTR     srv-3.signalq.com.
53      IN      PTR     srv-34.signalq.com.
[root@srv-3 named]#
We can make our own named.ca file by asking a root server for the root NS set. The addresses captured below date from 2001 and several root servers have moved since, so regenerate the file rather than copying this one (ISC's dig output and the list published at https://www.internic.net/domain/named.root are both accepted as hint files):
$dig @a.root-servers.net . ns > named.ca
Here is what it looks like (the lines beginning with ; are dig's own output and are read as comments when named loads the file):
$cat named.ca
; <<>> DiG 9.1.0 <<>> @a.root-servers.net . ns
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37920
;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13

;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       518400  IN      NS      A.ROOT-SERVERS.NET.
.                       518400  IN      NS      H.ROOT-SERVERS.NET.
.                       518400  IN      NS      C.ROOT-SERVERS.NET.
.                       518400  IN      NS      G.ROOT-SERVERS.NET.
.                       518400  IN      NS      F.ROOT-SERVERS.NET.
.                       518400  IN      NS      B.ROOT-SERVERS.NET.
.                       518400  IN      NS      J.ROOT-SERVERS.NET.
.                       518400  IN      NS      K.ROOT-SERVERS.NET.
.                       518400  IN      NS      L.ROOT-SERVERS.NET.
.                       518400  IN      NS      M.ROOT-SERVERS.NET.
.                       518400  IN      NS      I.ROOT-SERVERS.NET.
.                       518400  IN      NS      E.ROOT-SERVERS.NET.
.                       518400  IN      NS      D.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET.     3600000 IN      A       198.41.0.4
H.ROOT-SERVERS.NET.     3600000 IN      A       128.63.2.53
C.ROOT-SERVERS.NET.     3600000 IN      A       192.33.4.12
G.ROOT-SERVERS.NET.     3600000 IN      A       192.112.36.4
F.ROOT-SERVERS.NET.     3600000 IN      A       192.5.5.241
B.ROOT-SERVERS.NET.     3600000 IN      A       128.9.0.107
J.ROOT-SERVERS.NET.     3600000 IN      A       198.41.0.10
K.ROOT-SERVERS.NET.     3600000 IN      A       193.0.14.129
L.ROOT-SERVERS.NET.     3600000 IN      A       198.32.64.12
M.ROOT-SERVERS.NET.     3600000 IN      A       202.12.27.33
I.ROOT-SERVERS.NET.     3600000 IN      A       192.36.148.17
E.ROOT-SERVERS.NET.     3600000 IN      A       192.203.230.10
D.ROOT-SERVERS.NET.     3600000 IN      A       128.8.10.90

;; Query time: 86 msec
;; SERVER: 198.41.0.4#53(a.root-servers.net)
;; WHEN: Tue May 8 14:52:03 2001
;; MSG SIZE  rcvd: 436
Let's check our forward and reverse zones. named-checkzone takes the zone name first and the file name second; it needs the origin to qualify relative names such as www and 51:
[root@srv-3 named]# named-checkzone signalq.com db.signalq.com
OK
[root@srv-3 named]# named-checkzone 100.50.10.in-addr.arpa db.100.50.10.in-addr.arpa
OK
[root@srv-3 named]#
All OK!!
Let's test with a live named and do some dig queries. Look closely at the SOA in the second answer: the reverse zone used when this transcript was captured had its RNAME written as a mail address, dnsadmin@signalq.com, instead of dnsadmin.signalq.com. named-checkzone still reports OK, because @ is a legal character in a label, but the name is relative and gets the zone origin appended, which is exactly the dnsadmin@signalq.com.100.50.10.in-addr.arpa. shown below.
[root@srv-3 named]# named
[root@srv-3 named]# dig @srv-3 signalq.com any

; <<>> DiG 9.1.2 <<>> @srv-3 signalq.com any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15967
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;signalq.com.                   IN      ANY

;; ANSWER SECTION:
signalq.com.            86400   IN      SOA     srv-3.signalq.com. dnsadmin.signalq.com. 2001050801 21600 1800 1209600 432000
signalq.com.            86400   IN      NS      srv-3.signalq.com.
signalq.com.            86400   IN      MX      10 srv-3.signalq.com.

;; AUTHORITY SECTION:
signalq.com.            86400   IN      NS      srv-3.signalq.com.

;; ADDITIONAL SECTION:
srv-3.signalq.com.      86400   IN      A       10.50.100.52

;; Query time: 14 msec
;; SERVER: 10.50.100.52#53(srv-3)
;; WHEN: Tue May 8 16:02:43 2001
;; MSG SIZE  rcvd: 140

[root@srv-3 named]# dig @srv-3 100.50.10.in-addr.arpa any

; <<>> DiG 9.1.2 <<>> @srv-3 100.50.10.in-addr.arpa any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21245
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;100.50.10.in-addr.arpa.        IN      ANY

;; ANSWER SECTION:
100.50.10.in-addr.arpa. 86400   IN      SOA     srv-3.signalq.com. dnsadmin@signalq.com.100.50.10.in-addr.arpa. 2001050801 21600 1800 1209600 432000
100.50.10.in-addr.arpa. 86400   IN      NS      srv-3.signalq.com.

;; AUTHORITY SECTION:
100.50.10.in-addr.arpa. 86400   IN      NS      srv-3.signalq.com.

;; ADDITIONAL SECTION:
srv-3.signalq.com.      86400   IN      A       10.50.100.52

;; Query time: 13 msec
;; SERVER: 10.50.100.52#53(srv-3)
;; WHEN: Tue May 8 16:06:22 2001
;; MSG SIZE  rcvd: 158
Now a reverse query:
[root@srv-3 named]# dig -x 10.50.100.53

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25145
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;53.100.50.10.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
53.100.50.10.in-addr.arpa. 86400 IN     PTR     srv-34.signalq.com.

;; AUTHORITY SECTION:
100.50.10.in-addr.arpa. 86400   IN      NS      srv-3.signalq.com.

;; ADDITIONAL SECTION:
srv-3.signalq.com.      86400   IN      A       10.50.100.52

;; Query time: 10 msec
;; SERVER: 10.50.100.52#53(10.50.100.52)
;; WHEN: Tue May 8 16:13:28 2001
;; MSG SIZE  rcvd: 113
Now, it would be nice to run as a nonprivileged user, so we will use the -u flag and create a user called bindrun with a uid of 53 (adduser is useradd on Red Hat-style Linux; FreeBSD's adduser is interactive, so use pw useradd -n bindrun -u 53 there):
[root@srv-3 /etc]# adduser -u 53 bindrun
named will have to create named.pid, so we give bindrun ownership of /var/named. Be aware that this also lets the named user rewrite the zone files it serves; if you would rather not, keep /var/named root-owned (mode 755) and point pid-file at a separate directory, such as /var/run/named, that bindrun owns.
[root@srv-3 /etc]# cd /var
[root@srv-3 /var]# chown bindrun named
Lastly, we put
/usr/local/sbin/named -u 53
at the bottom of /etc/rc.local so that named will start when the server starts (-u accepts the user name bindrun as well as the uid).
Note that there is also an option, -t directory, to start BIND in a chroot jail, which you can use to make BIND more secure: if a security hole in named is exploited, the only part of the filesystem the intruder can see is the jail. named chroots after parsing its command line but before reading its configuration, so /etc/named.conf, the directory named in the directory option, the pid file and the zone files must all exist inside the jail (a tree such as /var/named-jail/etc and /var/named-jail/var/named), with every path in named.conf written as seen from inside it. Depending on the operating system named also needs device nodes such as /dev/null and /dev/random (its default random-device) in the jail. Combine -t with -u: a chroot alone buys little if named still runs as root.
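The -u and -t setup above as one script. This is an added example, not code from the original page: it lays out a jail under a prefix with the zone directory left root-owned and only a separate run directory writable by the bindrun user the tutorial created, writes a named.conf whose paths are relative to the jail and which restricts recursion to the local network and refuses zone transfers, checks it with named-checkconf (shipped in bin/check next to named-checkzone), and starts named with both flags. The jail prefix /var/named-jail, the local network 10.50.100.0/24 and the function names are assumptions; the device numbers are Linux's, and the ownership and device steps run only as root.

```shell
#!/bin/sh
# Added example (not from the original page): build a chroot jail for named,
# run it as the unprivileged bindrun user from the tutorial, and keep the
# zone files read-only for that user.  Assumed values: jail prefix
# /var/named-jail, local network 10.50.100.0/24, zones from the tutorial.

# Directory tree.  Only var/run/named is meant to be writable by bindrun;
# var/named stays root-owned so a compromised named cannot rewrite its zones.
bind_jail_layout() {
    jail=$1
    mkdir -p "$jail/etc" "$jail/var/named" "$jail/var/run/named" "$jail/dev" || return 1
    chmod 755 "$jail/etc" "$jail/var/named"
    chmod 770 "$jail/var/run/named"
}

# Ownership and device nodes: needs root.  named opens /dev/null and its
# default random-device /dev/random after chrooting (Linux major/minor 1,3 and 1,8).
bind_jail_privs() {
    jail=$1
    [ "$(id -u)" -eq 0 ] || { echo "bind_jail_privs: run as root" >&2; return 1; }
    chown root "$jail/var/named"
    chown bindrun "$jail/var/run/named" ||
        { echo "create the user first: adduser -u 53 bindrun" >&2; return 1; }
    [ -c "$jail/dev/null" ]   || mknod -m 666 "$jail/dev/null"   c 1 3 || return 1
    [ -c "$jail/dev/random" ] || mknod -m 666 "$jail/dev/random" c 1 8 || return 1
}

# named.conf inside the jail.  named chroots before reading it, so every
# path below is as seen from inside the jail.  Recursion is limited to the
# local network (the BIND 9.1 default is anyone) and transfers are refused.
write_named_conf() {
    jail=$1; fwd=$2; rev=$3; localnet=$4
    cat > "$jail/etc/named.conf" <<EOF
options {
        directory "/var/named";
        pid-file "/var/run/named/named.pid";
        allow-recursion { 127.0.0.1; $localnet; };
        allow-transfer { none; };
        version "not disclosed";
};
zone "." {
        type hint;
        file "named.ca";
};
zone "$rev" {
        type master;
        file "db.$rev";
};
zone "$fwd" {
        type master;
        file "db.$fwd";
};
EOF
}

# Syntax-check the configuration, then start named unprivileged and chrooted.
# -t is applied first, so -c names the file as seen inside the jail.
named_start() {
    jail=$1
    named-checkconf "$jail/etc/named.conf" || return 1
    /usr/local/sbin/named -u bindrun -t "$jail" -c /etc/named.conf
}

# Stand-alone use (zone files and named.ca go in $jail/var/named first):
#   sh bind-jail.sh /var/named-jail signalq.com 100.50.10.in-addr.arpa 10.50.100.0/24
if [ $# -eq 4 ]; then
    bind_jail_layout "$1" && bind_jail_privs "$1" && write_named_conf "$@" && named_start "$1"
fi
```

The run directory is the only place named can write, so a compromised process can neither alter the zones it serves nor plant files elsewhere; put the pid file there, as the config does, and nowhere else.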
Let's reboot to make sure all starts up, and then look at /var/log/messages:
[root@srv-3 /root]# tail /var/log/messages
... /usr/local/sbin/named[618]: starting BIND 9.1.2 -u 53
... /usr/local/sbin/named[618]: using 1 CPU
... /usr/local/sbin/named[624]: loading configuration from '/etc/named.conf'
... /usr/local/sbin/named[624]: the default for the 'auth-nxdomain' option is now 'no'
... /usr/local/sbin/named[624]: no IPv6 interfaces found
... /usr/local/sbin/named[624]: listening on IPv4 interface lo, 127.0.0.1#53
... /usr/local/sbin/named[624]: listening on IPv4 interface eth0, 10.50.100.52#53
... /usr/local/sbin/named[624]: running
Supplement:
The simplest possible example. There are two servers:
DNS: 192.168.100.200/25, hostname gw
mail: 192.168.100.201/25, hostname:
Point the mail server's resolver at 192.168.100.200:
vi /etc/resolv.conf
nameserver 192.168.100.200
:wq
[root@gw ~]# cat /etc/named.conf
options {
directory "/var/named";
pid-file "/var/named/named.pid";
};
zone "." {
type hint;
file "named.ca";
};
zone "100.168.192.in-addr.arpa" {
type master;
file "db.100.168.192.in-addr.arpa";
};
zone "pppope.com" {
type master;
file "db.pppope.com";
};
[root@gw ~]#
[root@gw ~]# cat /var/named/db.100.168.192.in-addr.arpa
$TTL 2d ; 172800 secs
$ORIGIN 100.168.192.in-addr.arpa. ; must match the zone name in named.conf: with $ORIGIN pppope.com. the @ SOA record is not at the zone apex and named refuses to load the zone
@ IN SOA gw.pppope.com. hostmaster.pppope.com. (
2003080800 ; serial number
12h ; refresh
15m ; update retry
3w ; expiry
3h ; minimum
)
IN NS gw.pppope.com.
200 IN PTR gw.pppope.com.
201 IN PTR mail.pppope.com.
;;160 IN PTR
[root@gw ~]#
[root@gw ~]# cat /var/named/db.pppope.com
$TTL 2d ; default TTL is 2 days
$ORIGIN pppope.com.
@ IN SOA gw.pppope.com. hostmaster.pppope.com. (
2003080800 ; serial number
2h ; refresh = 2 hours
15M ; update retry = 15 minutes
3W12h ; expiry = 3 weeks + 12 hours
2h20M ; minimum = 2 hours + 20 minutes
)
IN NS gw.pppope.com.
IN MX 10 gw.pppope.com.
gw IN A 192.168.100.200
mail IN A 192.168.100.201
;;www IN A 10.5.4.160
[root@gw ~]#
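Both reverse zone files on this page passed or would pass named-checkzone while carrying a mistake: the tutorial's db.100.50.10.in-addr.arpa had its SOA RNAME written as dnsadmin@signalq.com (a relative name that gets the origin appended), and the supplement's db.100.168.192.in-addr.arpa carried a $ORIGIN that does not match the zone. The lint pass below is an added example, not part of the original page or of BIND: it takes the same arguments as named-checkzone and flags an @ or a missing trailing dot in the SOA MNAME/RNAME, a serial outside 32 bits, a $ORIGIN that differs from the zone name, and PTR targets without a trailing dot. The sample zone files it writes are constructed copies of the two zones on this page; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): a lint pass for BIND master
# zone files that catches mistakes named-checkzone accepts as "OK".
# Usage: zone_lint ZONENAME FILE   (same argument order as named-checkzone)
# Exit status 0 = clean, 1 = findings, printed one per line.
zone_lint() {
    awk -v zone="$1" '
    { sub(/;.*/, ""); text = text " " $0 }            # drop comments, join lines
    END {
        n = split(text, f, /[ \t]+/); bad = 0
        sub(/\.$/, "", zone); zone = tolower(zone)      # normalise for comparison
        for (i = 1; i <= n; i++) {
            if (f[i] == "$ORIGIN") {                    # must be the zone apex
                o = tolower(f[i+1]); sub(/\.$/, "", o)
                if (o != zone) { print "$ORIGIN " f[i+1] " is not the zone " zone; bad++ }
            } else if (f[i] == "SOA") {
                mname = f[i+1]; rname = f[i+2]; serial = f[i+3]
                if (serial == "(") serial = f[i+4]      # multi-line SOA
                if (index(rname, "@")) { print "SOA RNAME contains @: " rname; bad++ }
                if (mname !~ /\.$/)   { print "SOA MNAME is relative: " mname; bad++ }
                if (rname !~ /\.$/)   { print "SOA RNAME is relative: " rname; bad++ }
                if (serial !~ /^[0-9]+$/ || serial + 0 > 4294967295) {
                    print "SOA serial is not a 32-bit unsigned integer: " serial; bad++
                }
            } else if (f[i] == "PTR" && f[i+1] !~ /\.$/) {
                print "PTR target is relative, origin will be appended: " f[i+1]; bad++
            }
        }
        exit (bad > 0)
    }' "$2"
}

# Constructed samples: the tutorial's reverse zone as it was originally
# written (RNAME with an @, plus one relative PTR added here), a corrected
# copy, and the supplement's reverse zone with its mismatched $ORIGIN.
write_samples() {
    dir=$1
    cat > "$dir/bad.zone" <<'EOF'
$TTL 86400
@       IN SOA srv-3.signalq.com. dnsadmin@signalq.com (
                2001050801 ; Serial
                21600      ; Refresh
                1800       ; Retry
                1209600    ; Expire
                432000 )   ; Negative caching TTL
        IN NS  srv-3.signalq.com.
52      IN PTR srv-3.signalq.com.
53      IN PTR srv-34
EOF
    sed -e 's/dnsadmin@signalq.com/dnsadmin.signalq.com./' \
        -e 's/PTR srv-34$/PTR srv-34.signalq.com./' "$dir/bad.zone" > "$dir/good.zone"
    cat > "$dir/origin.zone" <<'EOF'
$TTL 2d
$ORIGIN pppope.com.
@       IN SOA gw.pppope.com. hostmaster.pppope.com. ( 2003080800 12h 15m 3w 3h )
        IN NS  gw.pppope.com.
200     IN PTR gw.pppope.com.
EOF
}

# Stand-alone demo over the constructed samples
demo=${TMPDIR:-/tmp}/zone_lint.$$
mkdir -p "$demo" && write_samples "$demo"
zone_lint 100.50.10.in-addr.arpa   "$demo/bad.zone"    || echo "bad.zone: findings above"
zone_lint 100.50.10.in-addr.arpa   "$demo/good.zone"   && echo "good.zone: clean"
zone_lint 100.168.192.in-addr.arpa "$demo/origin.zone" || echo "origin.zone: findings above"
rm -rf "$demo"
```

Run it before named-checkzone, with the same zone name argument; a relative PTR target or RNAME does not fail the load, so only a check of this kind, or a dig against the running server as in the transcript above, makes the appended origin visible.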