分类: LINUX
2006-08-22 00:49:27
DNS服务器配置过程
作者:
修改日期:2006年2月23日
基础知识介绍
域名系统(Domain Name System)是一个世界级的分布式数据库,期主要任务是将“主机名称”对应到“IP地址”上。
最常用的软件是BIND(Berkeley Internet Name Domain)。
DNS有四种资源:
A
A记录代表“主机名称”与“IP地址”的对应关系,期作用是将名称转换成IP地址。
CNAME
某些名称并没有对应的IP地址,而是对应一个主机名称的别名。CNAME记录代表“别名”与“规范主机名称”(Canoical Hostname)之间的对应关系。
MX
MX记录提供邮件路由信息。这些记录提供Domain的“邮件交换器”(Mail Exchange)的主机名称以及相对应的优先级。
PTR
PTR记录代表“IP地址”与“主机名称”的对应关系,期作用与A记录刚好相反。
SOA
域权威开始
NS
权威域名服务器
安装环境:
Fedora 4
bind-9.2.6.tar.gz
卸载原来系统自带的bind服务
# rpm -qa|grep bind
bind-libs-
bind-utils-
# rpm -e --nodeps bind*
一、安装BIND
1、准备工作
下载稳定的BIND服务器进行安装,下载地址:
wget
安装gcc
2 、编译安装BIND
#tar zxvf bind-9.2.6.tar.gz #cd bind-9.2.6 #./configure -sysconfdir=/etc/bind #make #makeinstall |
配置BIND
二、配置根服务器
1、修改配置文件
# vi /etc/bind/named.conf options { directory "/var/bind"; }; zone "." { type hint; file "named.ca"; }; |
2、建立工作目录
#mkdir /var/bind
3、查询根DNS服务器
# dig -t NS . ; <<>> DiG 9.2.6 <<>> -t NS . ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28940 ;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1 ;; QUESTION SECTION: ;. IN NS ;; ANSWER SECTION: . 139616 IN NS G.ROOT-SERVERS.NET. . 139616 IN NS H.ROOT-SERVERS.NET. . 139616 IN NS I.ROOT-SERVERS.NET. . 139616 IN NS J.ROOT-SERVERS.NET. . 139616 IN NS K.ROOT-SERVERS.NET. . 139616 IN NS L.ROOT-SERVERS.NET. . 139616 IN NS M.ROOT-SERVERS.NET. . 139616 IN NS A.ROOT-SERVERS.NET. . 139616 IN NS B.ROOT-SERVERS.NET. . 139616 IN NS C.ROOT-SERVERS.NET. . 139616 IN NS D.ROOT-SERVERS.NET. . 139616 IN NS E.ROOT-SERVERS.NET. . 139616 IN NS F.ROOT-SERVERS.NET. ;; ADDITIONAL SECTION: J.ROOT-SERVERS.NET. 485712 IN A 192.58.128.30 ;; Query time: 51 msec ;; SERVER: 172.xx.xx.11#53(172.xx.xx.11) ;; WHEN: Tue Feb 14 ;; MSG SIZE rcvd: 244 # #echo "nameserver 192.58.128.30" >/etc/resolv.conf # |
4、将跟记录加入到/etc/resolv.conf文件中
#echo "nameserver 192.58.128.30" >/etc/resolv.conf |
5、将跟服务器的信息导入到/var/bind/named.ca文件中
#dig -t NS . >/var/bind/named.ca #cat /var/bind/named.ca ; <<>> DiG 9.2.6 <<>> -t NS . ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16471 ;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13 ;; QUESTION SECTION: ;. IN NS ;; ANSWER SECTION: . 517472 IN NS M.ROOT-SERVERS.NET. . 517472 IN NS A.ROOT-SERVERS.NET. . 517472 IN NS B.ROOT-SERVERS.NET. . 517472 IN NS C.ROOT-SERVERS.NET. . 517472 IN NS D.ROOT-SERVERS.NET. . 517472 IN NS E.ROOT-SERVERS.NET. . 517472 IN NS F.ROOT-SERVERS.NET. . 517472 IN NS G.ROOT-SERVERS.NET. . 517472 IN NS H.ROOT-SERVERS.NET. . 517472 IN NS I.ROOT-SERVERS.NET. . 517472 IN NS J.ROOT-SERVERS.NET. . 517472 IN NS K.ROOT-SERVERS.NET. . 517472 IN NS L.ROOT-SERVERS.NET. ;; ADDITIONAL SECTION: A.ROOT-SERVERS.NET. 603872 IN A 198.41.0.4 B.ROOT-SERVERS.NET. 603872 IN A 192.228.79.201 C.ROOT-SERVERS.NET. 603872 IN A 192.33.4.12 D.ROOT-SERVERS.NET. 603872 IN A 128.8.10.90 E.ROOT-SERVERS.NET. 603872 IN A 192.203.230.10 F.ROOT-SERVERS.NET. 603872 IN A 192.5.5.241 G.ROOT-SERVERS.NET. 603872 IN A 192.112.36.4 H.ROOT-SERVERS.NET. 603872 IN A 128.63.2.53 I.ROOT-SERVERS.NET. 603872 IN A 192.36.148.17 J.ROOT-SERVERS.NET. 603872 IN A 192.58.128.30 K.ROOT-SERVERS.NET. 603872 IN A 193.0.14.129 L.ROOT-SERVERS.NET. 603872 IN A 198.32.64.12 M.ROOT-SERVERS.NET. 603872 IN A 202.12.27.33 ;; Query time: 478 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Tue Feb 14 ;; MSG SIZE rcvd: 436 |
6、配置rndc
#rndc-confgen >/etc/bind/rndc.conf # cat -n /etc/bind/rndc.conf 1 # Start of rndc.conf 2 key "rndc-key" { 3 algorithm hmac-md5; 4 secret "OJuPxS0u/5tJ71W8ypj4fA=="; 5 }; 6 7 options { 8 default-key "rndc-key"; 9 default-server 127.0.0.1; 10 default-port 953; 11 }; 12 # End of rndc.conf 13 14 # Use with the following in named.conf, adjusting the allow list as needed: 15 # key "rndc-key" { 16 # algorithm hmac-md5; 17 # secret "OJuPxS0u/5tJ71W8ypj4fA=="; 18 # }; 19 # 20 # controls { 21 # inet 127.0.0.1 port 953 22 # allow { 127.0.0.1; } keys { "rndc-key"; }; 23 # }; 24 # End of named.conf # |
7、将rndc中的部分记录导入到/etc/bind/named.conf文件中,并修改/etc/bind/named.conf,将导入的配置前面的注释去掉。
#tail +13 /etc/bind/rndc.conf>>/etc/bind/named.conf |
8、检查并重新启动named服务,查看日志文件并检查rndc访问状态
#ps -axu|grep named #killall named #ps -axu|grep named #named #ps -axu|grep named #tail /var/log/messages #rndc status number of zones: 2 debug level: 0 xfers running: 0 xfers deferred: 0 soa queries in progress: 0 query logging is OFF server is up and running # |
9、修改/etc/resolv.conf,并使用host命令测试
#echo “nameserver 127.0.0.1”>/etc/resolv.conf # host has address 198.133.219.25 |
三、配置localhost区域
(一)、配置localhost的正向区域
1、修改/etc/bind/named.conf,插入如下内容
zone "localhost" { type master; file "db.local"; }; |
2、配置/var/bind/db.local;
$TTL 900 @ IN SOA localhost. root ( 2006021401 ;serial number 1H ;refresh 15M ;retry 1W ;expire 1D ) ;TTL IN NS @ IN A 127.0.0.1 |
3、测试
# rndc reload
# host localhost
# host localhost
# dig localhost
# dig -t NS localhost
# dig -t A localhost
# rndc reload # host localhost localhost has address 127.0.0.1 # dig localhost ; <<>> DiG 9.2.6 <<>> localhost ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27414 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;localhost. IN A ;; ANSWER SECTION: localhost. 86400 IN A 127.0.0.1 ;; AUTHORITY SECTION: localhost. 86400 IN NS localhost. ;; Query time: 52 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Tue Feb 14 ;; MSG SIZE rcvd: 57 # dig -t NS localhost ; <<>> DiG 9.2.6 <<>> -t NS localhost ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13067 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; QUESTION SECTION: ;localhost. IN NS ;; ANSWER SECTION: localhost. 86400 IN NS localhost. ;; ADDITIONAL SECTION: localhost. 86400 IN A 127.0.0.1 ;; Query time: 44 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Tue Feb 14 ;; MSG SIZE rcvd: 57 # dig -t A localhost ; <<>> DiG 9.2.6 <<>> -t A localhost ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31098 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;localhost. IN A ;; ANSWER SECTION: localhost. 86400 IN A 127.0.0.1 ;; AUTHORITY SECTION: localhost. 86400 IN NS localhost. ;; Query time: 42 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Tue Feb 14 ;; MSG SIZE rcvd: 57 # |
(二)、配置127.0.0的反向区域
1、修改/etc/bind/named.conf,添加如下内容
zone "0.0.127.in-addr.arpa" { type master; file "127.0.0.zone"; }; |
2、创建/var/bind/127.0.0.zone,添加如下内容
$TTL 900 @ IN SOA @ root.localhost. ( 20060214 1H 15M 1W 1D ) IN NS localhost. 1 IN PTR localhost. |
3、重新启动rndc访问,并测试
# rndc reload #host 127.0.0.1 1.0.0.127.in-addr.arpa domain name pointer localhost. # dig -x 127.0.0.1 ; <<>> DiG 9.2.6 <<>> -x 127.0.0.1 ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5834 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 ;; QUESTION SECTION: ;1.0.0.127.in-addr.arpa. IN PTR ;; ANSWER SECTION: 1.0.0.127.in-addr.arpa. 86400 IN PTR localhost. ;; AUTHORITY SECTION: 0.0.127.in-addr.arpa. 86400 IN NS localhost. ;; ADDITIONAL SECTION: localhost. 86400 IN A 127.0.0.1 ;; Query time: 73 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Tue Feb 14 ;; MSG SIZE rcvd: 93 # |
×××××××××××××××××××××××××××××××××××××××
四、配置zhoullj.com区域
(一)、配置zhoullj.com区域
1、配置/etc/bind/named.conf文件,加入如下内容
zone "zhoulj.com" { type master; file " db.zhoulj.com "; }; |
2、配置/var/bind/ db.zhoulj.com
$TTL 900 @ IN SOA zhoulj.com. root ( 2006021401 ;serial number 1H ;refresh 15M ;retry 1W ;expire 1D ) ;TTL IN NS @ zhoulj.com IN MX 10 mx1.zhoulj.com zhoulj.com IN MX 20 mx2.zhoulj.com IN A 172.17.1.172 ns IN A 172.17.1.172 www IN A 172.17.1.201 mx1 IN A 172.17.1.1 mx2 IN A 172.17.1.2 ftp IN A 172.17.1.201 news IN CNAME www |
3、重新启动rndc服务进行测试
# rndc reload # host -t A zhoulj.com zhoulj.com has address 172.17.1.172 # host -t A zhoulj.com zhoulj.com has address 172.17.1.172 # host -t NS zhoulj.com zhoulj.com name server zhoulj.com. |
(二)、增加的反向区域
1、修改/etc/bind/named.conf,添加如下内容
zone "1.17.172.in-addr.arpa" { type master; file "db.172.17.1 "; }; |
2、创建/var/bind/db.172.17.1,添加如下内容
$TTL 900 @ IN SOA zhoulj.com root.zhoulj.com. ( 2006022301 1H 15M 1W 1D ) IN NS zhoulj.com. 201 IN PTR 1 IN PTR mail.zhoulj.com. 202 IN PTR ftp.zhoulj.com. |
3、重新启动rndc访问,并测试
# rndc reload [root@localhost named]# host 172.17.1.201 201.1.17.172.in-addr.arpa domain name pointer 201.1.17.172.in-addr.arpa domain name pointer ftp.zhoulj.com. [root@localhost named]# host 172.17.1.1 1.1.17.172.in-addr.arpa domain name pointer mail.zhoulj.com. [root@localhost named]# dig -x 172.17.1.201 ; <<>> DiG 9.2.6 <<>> -x 172.17.1.201 ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25538 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1 ;; QUESTION SECTION: ;201.1.17.172.in-addr.arpa. IN PTR ;; ANSWER SECTION: 201.1.17.172.in-addr.arpa. 86400 IN PTR 201.1.17.172.in-addr.arpa. 86400 IN PTR ftp.zhoulj.com. ;; AUTHORITY SECTION: 1.17.172.in-addr.arpa. 86400 IN NS zhoulj.com. ;; ADDITIONAL SECTION: zhoulj.com. 86400 IN A 172.17.1.172 ;; Query time: 67 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Tue Feb 14 ;; MSG SIZE rcvd: 119 |
五、建立授权子域
1、修改/var/bind/zhoulj.com.db,添加如下内容
domain IN NS ns.domain ns.domain IN A 172.17.1.171 |
重启动rndc服务
#rndc reload
2、安装一台子域服务器,安装BIND服务器后,配置根域等(前面和主域服务器的内容基本一致),配置子域服务器上的/etc/bind/named.conf配置文件,添加一个子域,内容如下内容
zone "domain.zhoulj.com" { type master; file "domain.zhoulj.com.db"; }; |
3、编辑子域里面的/var/bind/ domain.zhoulj.com.db
$TTL 900 @ IN SOA zhoulj.com. root ( 2006021502 ;serial 36000 ;1hour 7500 ;15M 3600000 ; 86400 ) ;TTL IN NS ns ns IN A 172.17.1.171 www IN A 172.16.17.2 |
4、重启动服务,测试分别在主域的服务器和子域服务器上测试,分别在子域控制
#rndc reload # host has address 172.16.17.2 |
六、DNS访问的安全控制
1、修改配置文件/etc/bind/named.conf,在options 中加入pid文件的目录
options { directory "/var/bind"; pid-file "/var/run/bind/named.pid"; }; |
2、建立named用户,建立bind的pid文件的目,并更改权限为named用户所有
# useradd -s /bin/false -d /dev/null named # id named uid=501(named) gid=501(named) groups=501(named) # chown named.named /var/run/bind # chmod 700 /var/run/bind |
3、重启named服务
# killall -9 named # named -u named # tail /var/log/messages # ps -axu|grep named |
4、添加到系统服务中,使其跟服务器同时启动
# which named /usr/local/sbin/named # echo "/usr/local/sbin/named -u named" >> /etc/ rc.local |
七、DNS高级控制
1、建立访问控制列表
修改配置文件/etc/bind/named.conf,在options 前面加入acl规则,语法如下:
acl our-nets { 10.140.0.0/16; }; |
2、允许acl中的IP地址进行递归查询
修改配置文件/etc/bind/named.conf,在options{ };中加入允许查询的规则,语法如下:
allow-recursion { our-nets; }; |
用host和nslookup进行测试
3、允许acl中的IP地址进行查询
修改配置文件/etc/bind/named.conf,在options{ };中加入允许查询的规则,语法如下:
allow-recursion { our-nets; }; |
用host和nslookup进行测试
假设foo.com域的邮件服务器为mail.foo.com;bar.com该域的域的邮件服务器为mail.bar.com。foo.com域有一个名为Jack的用户。他要给bar.com的Rose用户发信。首先他的邮件服务器通过DNS查询bar.com的MX记录,找到他的MX记录,然后foo.com的邮件服务器mail.foo.com把新发给bar.com域的邮件服务器mail.bar.com,mail.bar.com察看是给自己域的用户的信,收下该信,投递到Rose用户的邮箱里面,等待Rose来收取。
在本例中有2条MX记录
zhoulj.com IN MX 10 mx1.zhoulj.com
zhoulj.com IN MX 20 mx2.zhoulj.com
第一列是域名,第二列(IN)表示这些资源都在Intenet上,第三列(MX)表示他们是“邮件交换器”(Mail eXchange)的资源记录,第四列是优先级,最后一列是主机名。
这里需要说明的是优先级的值,是0~65535之间的数字,数值越小优先级高。
# dig -t MX
zhoulj.com ; <<>> DiG
9.2.6 <<>> -t MX zhoulj.com ;; global
options: printcmd ;; Got answer: ;;
->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16927 ;; flags: qr aa rd
ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 3 ;; QUESTION SECTION: ;zhoulj.com. IN MX ;; ANSWER SECTION: zhoulj.com. 900 IN
MX 20 mx2.zhoulj.com. zhoulj.com. 900 IN
MX 10 mx1.zhoulj.com. ;; AUTHORITY
SECTION: zhoulj.com. 900 IN
NS zhoulj.com. ;; ADDITIONAL
SECTION: mx1.zhoulj.com. 900 IN
A 172.17.1.1 mx2.zhoulj.com. 900 IN
A 172.17.1.2 zhoulj.com. 900 IN
A 172.17.1.172 ;; Query time: 3
msec ;; SERVER:
127.0.0.1#53(127.0.0.1) ;; WHEN: Tue Feb 14 ;; MSG SIZE rcvd: 130 |
九、配置辅助域名服务器
1、配置辅助域名服务器的配置文件/etc/bind/named.conf,前面和主域名服务器是相同的,加入如下内容:
zone "zhoulj.com" { type slave; file "zhoulj.com.db.slave"; masters { 172.17.1.172; }; }; |
2、更改/var/bind目录的权限,让named组可以写,这一点很重要,如果不可以写,辅助域的文件不能建立。
# chgrp -R named named/ # chmod g+w /var/bind/ |
3、进行测试
停掉主dns服务器,查看备份dns是否能够正常工作,
可以查看/var/log/messages文件,检查备份服务器的状态。
4、允许特定的备份服务器进行dns备份工作,在/etc/bind/named.conf里面添加下面内容:
//allow slave DNS server to back up. allow-transfer { any; }; |
any参数允许所有的机器进行备份,把any可以换成特定的IP地址。