Setting up a DNS server on CentOS 7

Posted by sunhuwh on 2020-09-25

1. Install the BIND server package and start it

yum -y install bind bind-utils
systemctl start named.service   # start the service
systemctl enable named          # start it at boot

1.1. Check that the named process started correctly

ps -eaf | grep named   # check the process
ss -nult | grep :53    # check the listening port

1.2. Open port 53 for TCP and UDP

firewall-cmd --permanent --add-port=53/tcp
firewall-cmd --permanent --add-port=53/udp
firewall-cmd --reload   # reload the firewall configuration so the change takes effect

2. Configuration files for the DNS service

2.1. Edit the main file /etc/named.conf

Back it up before editing: cp -p /etc/named.conf /etc/named.conf.bak   # -p keeps the backup's attributes identical to the original file's
Edit the configuration with vi /etc/named.conf; the contents are as follows:

options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

//zone "." IN {
//      type hint;
//      file "named.ca";
//};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Check it:

named-checkconf   # check named.conf for syntax errors

2.2. Configure forward and reverse resolution

2.2.1. Edit /etc/named.rfc1912.zones

Add the configuration with vi /etc/named.rfc1912.zones; the contents are as follows:

zone "reading.zt" IN {
        type master;
        file "named.reading.zt";
        allow-update { none; };
};

zone "0.168.192.in-addr.arpa" {
        type master;
        file "named.192.168.0";
        allow-update { none; };
};

2.2.2. Add the forward zone

Create the configuration file from the named.localhost template: cp -p /var/named/named.localhost /var/named/named.reading.zt
Configure the forward zone file named.reading.zt with vi /var/named/named.reading.zt; the contents are as follows:

$TTL 1D
@   IN SOA  @ rname.invalid. (
                    0   ; serial
                    1D  ; refresh
                    1H  ; retry
                    1W  ; expire
                    3H )    ; minimum
    NS  @
    A   127.0.0.1
    AAAA    ::1
mirror  A   192.168.0.233
test    A   192.168.0.232

Notes:
http://mirror.reading.zt/ will resolve to http://192.168.0.233/
Give the named group ownership of the file: chown :named /var/named/named.reading.zt
Check that the zone file is correct: named-checkzone "reading.zt" "/var/named/named.reading.zt"

2.2.3. Add the reverse zone

Create the configuration file from the named.localhost template: cp -p /var/named/named.localhost /var/named/named.192.168.0
Configure the reverse zone file named.192.168.0 with vi /var/named/named.192.168.0; the contents are as follows:

$TTL 1D
@   IN SOA  @ rname.invalid. (
                    0   ; serial
                    1D  ; refresh
                    1H  ; retry
                    1W  ; expire
                    3H )    ; minimum
    NS  @
    A   127.0.0.1
    AAAA    ::1
; PTR targets must end with a dot: without it the name is relative to this
; zone and would become mirror.reading.zt.0.168.192.in-addr.arpa.
233 PTR mirror.reading.zt.
232 PTR test.reading.zt.

Give the named group ownership of the file: chown :named /var/named/named.192.168.0
Check that the zone file is correct: named-checkzone "0.168.192.in-addr.arpa" "/var/named/named.192.168.0", as shown in the figure:

2.2.4. Restart the named service so the configuration takes effect

Restart the named service so the configuration takes effect: systemctl restart named

3. Test with nslookup

nslookup test.reading.zt
nslookup 192.168.0.232
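An added consistency check for the two zone files above (example code, not part of the original post), written in Python so it runs without BIND installed. It applies BIND's origin rule: a PTR target written without a trailing dot, such as 233 PTR mirror.reading.zt, is relative to the zone and becomes mirror.reading.zt.0.168.192.in-addr.arpa., which named-checkzone accepts and only the reverse nslookup reveals. The zone texts are constructed copies of the post's files with the SOA on one line, and the function and constant names are the example's own.

```python
import re

def qualify(name, origin):
    """BIND origin rule: '@' is the origin, a trailing dot is absolute, else relative."""
    return (origin if name == "@"
            else name if name.endswith(".") else f"{name}.{origin}")

def parse_zone(text, origin):
    """Return (owner, type, rdata) tuples with names fully qualified."""
    records, owner = [], origin
    for raw in re.sub(r"\([^)]*\)", " ", text).splitlines():  # fold SOA ( ... )
        line = raw.split(";")[0].rstrip()  # drop ; comments
        if not line or line.startswith("$"):  # blank line, $TTL, $ORIGIN
            continue
        fields = line.split()
        if not raw[0].isspace():  # new owner; otherwise the previous one is reused
            owner = qualify(fields.pop(0), origin)
        if fields[0] == "IN":  # optional class field
            fields.pop(0)
        rtype, rdata = fields[0], " ".join(fields[1:])
        if rtype in ("NS", "PTR", "CNAME"):  # rdata is a name, so the rule applies
            rdata = qualify(rdata, origin)
        records.append((owner, rtype, rdata))
    return records

def reverse_name(ip):
    """192.168.0.233 -> 233.0.168.192.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."

def check_reverse(forward, fwd_origin, reverse, rev_origin):
    """(fqdn, ip, ptr_target) for each covered A record whose PTR is missing or wrong."""
    ptrs = {o: r for o, t, r in parse_zone(reverse, rev_origin) if t == "PTR"}
    covered = [(o, ip) for o, t, ip in parse_zone(forward, fwd_origin)
               if t == "A" and reverse_name(ip).endswith("." + rev_origin)]
    return [(o, ip, ptrs.get(reverse_name(ip))) for o, ip in covered
            if ptrs.get(reverse_name(ip)) != o]

# Constructed copies of the post's zone files, SOA collapsed onto one line.
FORWARD = """$TTL 1D
@   IN SOA  @ rname.invalid. ( 0 1D 1H 1W 3H )
    NS  @
    A   127.0.0.1
mirror  A   192.168.0.233
test    A   192.168.0.232
"""
REVERSE_AS_POSTED = """@   IN SOA  @ rname.invalid. ( 0 1D 1H 1W 3H )
233 PTR mirror.reading.zt
232 PTR test.reading.zt
"""
REVERSE_FIXED = REVERSE_AS_POSTED.replace("reading.zt\n", "reading.zt.\n")
```

check_reverse(FORWARD, "reading.zt.", REVERSE_AS_POSTED, "0.168.192.in-addr.arpa.") lists both hosts with their mis-qualified PTR targets, while the same call with REVERSE_FIXED returns an empty list.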
