Author: Zhou Lijun
Last modified: 23 February 2006
Environment: Fedora 4, bind-9.2.6.tar.gz
Remove the BIND packages that ship with the system
[code]# rpm -qa | grep bind
bind-libs-9.3.1-4
bind-utils-9.3.1-4
# rpm -e --nodeps bind-libs-9.3.1-4 bind-utils-9.3.1-4[/code]
I. Installing BIND
1. Preparation
Download a stable BIND release from www.isc.org:
[code]# wget http://ftp.isc.org/isc/bind9/9.2.6/bind-9.2.6.tar.gz[/code]
Install gcc, which is needed to build from source.
2. Build and install BIND
[code]# tar zxvf bind-9.2.6.tar.gz
# cd bind-9.2.6
# ./configure --sysconfdir=/etc/bind
# make
# make install[/code]
Configuring BIND
II. Configuring the root hints
1. Edit the configuration file
[code]# vi /etc/bind/named.conf
options {
        directory "/var/bind";
};
zone "." {
        type hint;
        file "named.ca";
};[/code]
2. Create the working directory
[code]# mkdir /var/bind[/code]
3. Query the root DNS servers
[code]# dig -t NS .
; <<>> DiG 9.2.6 <<>> -t NS .
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28940
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1
 
;; QUESTION SECTION:
;.                              IN      NS
 
;; ANSWER SECTION:
.                       139616  IN      NS      G.ROOT-SERVERS.NET.
.                       139616  IN      NS      H.ROOT-SERVERS.NET.
.                       139616  IN      NS      I.ROOT-SERVERS.NET.
.                       139616  IN      NS      J.ROOT-SERVERS.NET.
.                       139616  IN      NS      K.ROOT-SERVERS.NET.
.                       139616  IN      NS      L.ROOT-SERVERS.NET.
.                       139616  IN      NS      M.ROOT-SERVERS.NET.
.                       139616  IN      NS      A.ROOT-SERVERS.NET.
.                       139616  IN      NS      B.ROOT-SERVERS.NET.
.                       139616  IN      NS      C.ROOT-SERVERS.NET.
.                       139616  IN      NS      D.ROOT-SERVERS.NET.
.                       139616  IN      NS      E.ROOT-SERVERS.NET.
.                       139616  IN      NS      F.ROOT-SERVERS.NET.
 
;; ADDITIONAL SECTION:
J.ROOT-SERVERS.NET.     485712  IN      A       192.58.128.30
 
;; Query time: 51 msec
;; SERVER: 172.xx.xx.11#53(172.xx.xx.11)
;; WHEN: Tue Feb 14 01:55:39 2006
;; MSG SIZE  rcvd: 244
#[/code]
4. Put the address of a root server into /etc/resolv.conf, so that the next query goes directly to a root server (which returns the addresses of all thirteen in its additional section)
[code]# echo "nameserver 192.58.128.30" > /etc/resolv.conf[/code]
5. Save the root server information into /var/bind/named.ca
[code]#dig -t NS . >/var/bind/named.ca
#cat /var/bind/named.ca
; <<>> DiG 9.2.6 <<>> -t NS .
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16471
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13
 
;; QUESTION SECTION:
;.                              IN      NS
 
;; ANSWER SECTION:
.                       517472  IN      NS      M.ROOT-SERVERS.NET.
.                       517472  IN      NS      A.ROOT-SERVERS.NET.
.                       517472  IN      NS      B.ROOT-SERVERS.NET.
.                       517472  IN      NS      C.ROOT-SERVERS.NET.
.                       517472  IN      NS      D.ROOT-SERVERS.NET.
.                       517472  IN      NS      E.ROOT-SERVERS.NET.
.                       517472  IN      NS      F.ROOT-SERVERS.NET.
.                       517472  IN      NS      G.ROOT-SERVERS.NET.
.                       517472  IN      NS      H.ROOT-SERVERS.NET.
.                       517472  IN      NS      I.ROOT-SERVERS.NET.
.                       517472  IN      NS      J.ROOT-SERVERS.NET.
.                       517472  IN      NS      K.ROOT-SERVERS.NET.
.                       517472  IN      NS      L.ROOT-SERVERS.NET.
 
;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET.     603872  IN      A       198.41.0.4
B.ROOT-SERVERS.NET.     603872  IN      A       192.228.79.201
C.ROOT-SERVERS.NET.     603872  IN      A       192.33.4.12
D.ROOT-SERVERS.NET.     603872  IN      A       128.8.10.90
E.ROOT-SERVERS.NET.     603872  IN      A       192.203.230.10
F.ROOT-SERVERS.NET.     603872  IN      A       192.5.5.241
G.ROOT-SERVERS.NET.     603872  IN      A       192.112.36.4
H.ROOT-SERVERS.NET.     603872  IN      A       128.63.2.53
I.ROOT-SERVERS.NET.     603872  IN      A       192.36.148.17
J.ROOT-SERVERS.NET.     603872  IN      A       192.58.128.30
K.ROOT-SERVERS.NET.     603872  IN      A       193.0.14.129
L.ROOT-SERVERS.NET.     603872  IN      A       198.32.64.12
M.ROOT-SERVERS.NET.     603872  IN      A       202.12.27.33
 
;; Query time: 478 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 14 12:21:35 2006
;; MSG SIZE  rcvd: 436[/code]
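The raw dig output works as a hints file only because named treats every line beginning with `;` as a comment. The Python script below is an added example, not part of the original post: it pulls the NS and glue records out of such output, reports any root server that arrived without a glue address, and renders a clean named.ca. The sample dig output is constructed and shortened to three servers.

```python
"""Turn `dig -t NS .` output into a clean root-hints file (named.ca)."""
import re

# Constructed sample of `dig -t NS .` output, shortened to three root servers
# (the real answer lists thirteen); J is deliberately given no glue record.
SAMPLE_DIG = """\
; <<>> DiG 9.2.6 <<>> -t NS .
;.                              IN      NS

;; ANSWER SECTION:
.                       517472  IN      NS      A.ROOT-SERVERS.NET.
.                       517472  IN      NS      B.ROOT-SERVERS.NET.
.                       517472  IN      NS      J.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET.     603872  IN      A       198.41.0.4
B.ROOT-SERVERS.NET.     603872  IN      A       192.228.79.201

;; Query time: 478 msec
"""

RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(NS|A|AAAA)\s+(\S+)$")

def parse_dig_hints(text):
    """Return (set of root NS names, {server: [(type, address)]}).
    Lines starting with ';' are dig's commentary; named ignores them too."""
    ns, glue = set(), {}
    for line in text.splitlines():
        line = line.strip()
        m = RR.match(line)
        if line.startswith(";") or not m:
            continue
        owner, _ttl, rtype, rdata = m.groups()
        if rtype == "NS" and owner == ".":
            ns.add(rdata.upper())
        elif rtype in ("A", "AAAA"):
            glue.setdefault(owner.upper(), []).append((rtype, rdata))
    return ns, glue

def missing_glue(ns, glue):
    """Root servers named in the answer but given no address; named cannot reach them."""
    return sorted(n for n in ns if n not in glue)

def render_hints(ns, glue, ttl=3600000):
    """Hint-file lines in zone syntax, listing only servers that have glue."""
    lines = [f".\t{ttl}\tIN\tNS\t{n}" for n in sorted(ns) if n in glue]
    for n in sorted(ns):
        lines += [f"{n}\t{ttl}\tIN\t{rt}\t{addr}" for rt, addr in glue.get(n, [])]
    return "\n".join(lines) + "\n"
```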
6. Configure rndc
[code]#rndc-confgen >/etc/bind/rndc.conf
# cat -n /etc/bind/rndc.conf           
     1  # Start of rndc.conf
     2  key "rndc-key" {
     3          algorithm hmac-md5;
     4          secret "OJuPxS0u/5tJ71W8ypj4fA==";
     5  };
     6
     7  options {
     8          default-key "rndc-key";
     9          default-server 127.0.0.1;
    10          default-port 953;
    11  };
    12  # End of rndc.conf
    13
    14  # Use with the following in named.conf, adjusting the allow list as needed:
    15  # key "rndc-key" {
    16  #       algorithm hmac-md5;
    17  #       secret "OJuPxS0u/5tJ71W8ypj4fA==";
    18  # };
    19  # 
    20  # controls {
    21  #       inet 127.0.0.1 port 953
    22  #               allow { 127.0.0.1; } keys { "rndc-key"; };
    23  # };
    24  # End of named.conf
#[/code]
7. Append the named.conf part of rndc.conf to /etc/bind/named.conf, then edit /etc/bind/named.conf and remove the leading comment markers from the appended lines.
[code]# tail -n +13 /etc/bind/rndc.conf >> /etc/bind/named.conf[/code]
8. Check and restart the named service, look at the log file, and check that rndc can reach the server
[code]# ps aux | grep named
# killall named
# ps aux | grep named
# named
# ps aux | grep named
# tail /var/log/messages
# rndc status
number of zones: 2
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
server is up and running
#[/code]
9. Point /etc/resolv.conf at the local server and test with the host command
[code]# echo "nameserver 127.0.0.1" > /etc/resolv.conf
# host www.cisco.com
www.cisco.com has address 198.133.219.25[/code]
III. Configuring the localhost zones
(1) The forward zone for localhost
1. Edit /etc/bind/named.conf and insert the following
[code]zone "localhost" {
        type master;
        file "db.local";
};[/code]
2. Create /var/bind/db.local
[code]$TTL 900
@       IN      SOA     localhost.      root (
                        2006021401      ;serial number
                        1H              ;refresh
                        15M             ;retry
                        1W              ;expire
                        1D )            ;TTL
        IN      NS      @
        IN      A       127.0.0.1[/code]
3. Test
[code]# rndc reload
# host localhost 
localhost has address 127.0.0.1
# dig localhost
 
; <<>> DiG 9.2.6 <<>> localhost
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27414
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
 
;; QUESTION SECTION:
;localhost.                     IN      A
 
;; ANSWER SECTION:
localhost.              86400   IN      A       127.0.0.1
 
;; AUTHORITY SECTION:
localhost.              86400   IN      NS      localhost.
 
;; Query time: 52 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 14 13:06:21 2006
;; MSG SIZE  rcvd: 57
# dig -t NS localhost
 
; <<>> DiG 9.2.6 <<>> -t NS localhost
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13067
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
 
;; QUESTION SECTION:
;localhost.                     IN      NS
 
;; ANSWER SECTION:
localhost.              86400   IN      NS      localhost.
 
;; ADDITIONAL SECTION:
localhost.              86400   IN      A       127.0.0.1
 
;; Query time: 44 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 14 13:07:54 2006
;; MSG SIZE  rcvd: 57
 
# dig -t A localhost 
 
; <<>> DiG 9.2.6 <<>> -t A localhost
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31098
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
 
;; QUESTION SECTION:
;localhost.                     IN      A
 
;; ANSWER SECTION:
localhost.              86400   IN      A       127.0.0.1
 
;; AUTHORITY SECTION:
localhost.              86400   IN      NS      localhost.
 
;; Query time: 42 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 14 13:08:00 2006
;; MSG SIZE  rcvd: 57
#[/code]
(2) The reverse zone for 127.0.0
1. Edit /etc/bind/named.conf and add the following
[code]zone "0.0.127.in-addr.arpa" {
        type master;
        file "127.0.0.zone";
};[/code]
2. Create /var/bind/127.0.0.zone with the following content
[code]$TTL 900
@       IN      SOA     @       root.localhost. (
                                20060214
                                1H
                                15M
                                1W
                                1D )
        IN      NS      localhost.
1       IN      PTR     localhost.[/code]
3. Reload with rndc and test
[code]# rndc reload
#host 127.0.0.1
1.0.0.127.in-addr.arpa domain name pointer localhost.
# dig -x 127.0.0.1
 
; <<>> DiG 9.2.6 <<>> -x 127.0.0.1
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5834
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
 
;; QUESTION SECTION:
;1.0.0.127.in-addr.arpa.                IN      PTR
 
;; ANSWER SECTION:
1.0.0.127.in-addr.arpa. 86400   IN      PTR     localhost.
 
;; AUTHORITY SECTION:
0.0.127.in-addr.arpa.   86400   IN      NS      localhost.
 
;; ADDITIONAL SECTION:
localhost.              86400   IN      A       127.0.0.1
 
;; Query time: 73 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 14 15:47:31 2006
;; MSG SIZE  rcvd: 93
#[/code]
IV. Configuring the zhoulj.com zone
(1) The forward zone for zhoulj.com
1. Edit /etc/bind/named.conf and add the following
[code]zone "zhoulj.com" {
        type master;
        file "db.zhoulj.com";
};[/code]
2. Create /var/bind/db.zhoulj.com
[code]$TTL 900
@       IN      SOA     zhoulj.com.     root (
                        2006021401      ;serial number
                        1H              ;refresh
                        15M             ;retry
                        1W              ;expire
                        1D )            ;TTL
        IN      NS      @
        IN      MX 10   mail
        IN      A       172.17.1.172
ns      IN      A       172.17.1.172
www     IN      A       172.17.1.201
mail    IN      A       172.17.1.1
ftp     IN      A       172.17.1.201
news    IN      CNAME   www[/code]
3. Reload with rndc and test
[code]# rndc reload
# host -t A zhoulj.com
zhoulj.com has address 172.17.1.172
# host -t NS zhoulj.com
zhoulj.com name server zhoulj.com.[/code]
(2) Adding the reverse zone
1. Edit /etc/bind/named.conf and add the following
[code]zone "1.17.172.in-addr.arpa" {
        type master;
        file "db.172.17.1";
};[/code]
2. Create /var/bind/db.172.17.1 with the following content
[code]$TTL 900
@       IN      SOA     zhoulj.com.     root.zhoulj.com. (
                                2006022301      ;serial
                                1H              ;refresh
                                15M             ;retry
                                1W              ;expire
                                1D )            ;negative caching TTL
        IN      NS      zhoulj.com.
201     IN      PTR     www.zhoulj.com.
1       IN      PTR     mail.zhoulj.com.
201     IN      PTR     ftp.zhoulj.com.         ;ftp shares 172.17.1.201 with www[/code]
3. Reload with rndc and test
[code]# rndc reload
[root@localhost named]# host 172.17.1.201
201.1.17.172.in-addr.arpa domain name pointer www.zhoulj.com.
201.1.17.172.in-addr.arpa domain name pointer ftp.zhoulj.com.
[root@localhost named]# host 172.17.1.1
1.1.17.172.in-addr.arpa domain name pointer mail.zhoulj.com.
[root@localhost named]# dig -x 172.17.1.201
 
; <<>> DiG 9.2.6 <<>> -x 172.17.1.201
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25538
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
 
;; QUESTION SECTION:
;201.1.17.172.in-addr.arpa.     IN      PTR
 
;; ANSWER SECTION:
201.1.17.172.in-addr.arpa. 86400 IN     PTR     www.zhoulj.com.
201.1.17.172.in-addr.arpa. 86400 IN     PTR     ftp.zhoulj.com.
 
;; AUTHORITY SECTION:
1.17.172.in-addr.arpa.  86400   IN      NS      zhoulj.com.
 
;; ADDITIONAL SECTION:
zhoulj.com.             86400   IN      A       172.17.1.172
;; Query time: 67 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 14 18:15:20 2006
;; MSG SIZE  rcvd: 119[/code]
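The PTR records have to mirror the A records by hand, which is where mistakes creep in. The Python script below is an added example, not from the original post: it parses constructed copies of the forward and reverse zone records above and reports every A record that has no PTR and every PTR that has no A record. It assumes the /24 in-addr.arpa layout used on this page; the reverse copy deliberately carries a PTR for .202 with no matching A record.

```python
"""Cross-check a forward zone's A records against the reverse zone's PTR records."""
# Constructed copies of the db.zhoulj.com and db.172.17.1 records above
# (SOA lines omitted; only A and PTR records are examined). The PTR for
# .202 has no matching A record, so the checker is expected to report it.
FORWARD = """\
$TTL 900
        IN      NS      @
        IN      MX 10   mail
        IN      A       172.17.1.172
ns      IN      A       172.17.1.172
www     IN      A       172.17.1.201
mail    IN      A       172.17.1.1
ftp     IN      A       172.17.1.201
news    IN      CNAME   www
"""
REVERSE = """\
$TTL 900
        IN      NS      zhoulj.com.
201     IN      PTR     www.zhoulj.com.
1       IN      PTR     mail.zhoulj.com.
202     IN      PTR     ftp.zhoulj.com.
"""

def fqdn(name, origin):
    """Expand a zone-file name relative to the zone origin; '@' is the origin."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def records(zone, origin, rtype):
    """Yield (owner, rdata) for one record type; a line starting with whitespace repeats the owner."""
    owner = "@"
    for line in zone.splitlines():
        if not line.strip() or line[0] in "$;":
            continue
        fields = line.split()
        if not line[0].isspace():
            owner, fields = fields[0], fields[1:]
        if rtype in fields:
            yield fqdn(owner, origin), fields[fields.index(rtype) + 1]

def reverse_ip(ptr_owner):
    """'201.1.17.172.in-addr.arpa.' -> '172.17.1.201'."""
    labels = ptr_owner.rstrip(".").split(".")[:-2]   # drop in-addr, arpa
    return ".".join(reversed(labels))

def check(forward, fwd_origin, reverse, rev_origin):
    """Return (A records with no PTR, PTR records with no A), as (ip, name) pairs."""
    a = {(ip, name) for name, ip in records(forward, fwd_origin, "A")}
    ptr = {(reverse_ip(o), fqdn(t, fwd_origin)) for o, t in records(reverse, rev_origin, "PTR")}
    return sorted(a - ptr), sorted(ptr - a)
```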
V. Delegating a subdomain
1. Edit /var/bind/db.zhoulj.com and add the following delegation (NS record plus glue)
[code]domain  IN      NS      ns.domain
ns.domain IN    A       172.17.1.171[/code]
Reload with rndc
[code]# rndc reload[/code]
2. Set up a second server for the subdomain: install BIND and configure the root hints and the rest as for the parent domain server, then edit /etc/bind/named.conf on the subdomain server and add the subdomain zone:
[code]zone "domain.zhoulj.com" {
        type master;
        file "domain.zhoulj.com.db";
};[/code]
3. On the subdomain server, edit /var/bind/domain.zhoulj.com.db
[code]$TTL 900
@       IN      SOA     zhoulj.com.     root (
                        2006021502      ;serial
                        36000           ;refresh (10 hours)
                        7500            ;retry (125 minutes)
                        3600000         ;expire
                        86400 )         ;negative caching TTL
        IN      NS      ns
ns      IN      A       172.17.1.171
www     IN      A       172.16.17.2[/code]
4. Reload the service and test from both the parent domain server and the subdomain server
[code]# rndc reload
# host www.domain.zhoulj.com
www.domain.zhoulj.com has address 172.16.17.2[/code]
VI. Access security for the DNS server
1. Edit /etc/bind/named.conf and add the pid-file location to the options block
[code]options {
        directory "/var/bind";
        pid-file "/var/run/bind/named.pid";
};[/code]
2. Create the named user, create the directory for the pid file, and make it owned by the named user
[code]# useradd -s /bin/false -d /dev/null named
# id named
uid=501(named) gid=501(named) groups=501(named)
# mkdir -p /var/run/bind
# chown named:named /var/run/bind
# chmod 700 /var/run/bind[/code]
3. Restart named, this time as the unprivileged named user
[code]# killall -9 named
# named -u named
# tail /var/log/messages
# ps aux | grep named[/code]
4. Add it to the system startup so that it starts with the server
[code]# which named
/usr/local/sbin/named
# echo "/usr/local/sbin/named -u named" >> /etc/rc.local[/code]
VII. Advanced controls
1. Create an access control list
Edit /etc/bind/named.conf and add an acl before the options block; the syntax is:
[code]acl our-nets {
        10.140.0.0/16;
};[/code]
2. Allow recursive queries only from the addresses in the acl
Edit /etc/bind/named.conf and add the rule inside options { }; the syntax is:
[code]allow-recursion {
        our-nets;
};[/code]

Test with host and nslookup.
3. Allow queries only from the addresses in the acl
Edit /etc/bind/named.conf and add the rule inside options { }; the syntax is:
[code]allow-query {
        our-nets;
};[/code]

Test with host and nslookup.
VIII. Configuring a secondary (slave) name server
1. The configuration file /etc/bind/named.conf on the secondary is the same as on the primary up to this point; add the following:
[code]zone "zhoulj.com" {
        type slave;
        file "zhoulj.com.db.slave";
        masters { 172.17.1.172; };
};[/code]
2. Make /var/bind writable by the named group. This is important: if the directory is not writable, the secondary cannot create its copy of the zone file.
[code]# chgrp -R named /var/bind/
# chmod g+w /var/bind/[/code]
3. Test
Stop the primary DNS server and check that the secondary still answers queries.
/var/log/messages on the secondary shows the state of the zone transfer.
4. Allow specific secondary servers to transfer the zone by adding the following to /etc/bind/named.conf:
[code]//allow slave DNS server to back up.
        allow-transfer
        {
                any;
        };[/code]
The any argument lets every host transfer the zone, which hands a complete listing of your records to anyone who asks; replace any with the specific addresses of your secondaries.
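As an added example (not from the original post), the Python script below audits the three access-control statements from sections VII and VIII in a named.conf: it resolves acl names, treats a missing statement as the BIND default of any, and flags anything that is open to any. Both configurations are constructed, one with the settings as written on this page and one tightened; the secondary's address 172.17.1.173 is an assumed value.

```python
"""Audit the access-control statements of a named.conf."""
import re

# Constructed named.conf fragments. Assumption: recursion is on (the BIND
# default), so a missing allow-recursion means anyone can use this resolver.
AS_ON_PAGE = """\
acl our-nets { 10.140.0.0/16; };
options {
        allow-recursion { our-nets; };
        //allow slave DNS server to back up.
        allow-transfer { any; };
};
"""
HARDENED = """\
acl our-nets { 10.140.0.0/16; };
acl slaves { 172.17.1.173; };   // assumed address of the secondary
options {
        allow-recursion { our-nets; };
        allow-query { our-nets; };
        allow-transfer { slaves; };
};
"""

STATEMENT = re.compile(r"\b(allow-(?:recursion|query|transfer))\s*\{([^}]*)\}")
ACL = re.compile(r"\bacl\s+(\S+)\s*\{([^}]*)\}")

def strip_comments(text):
    """Remove /* */, // and # comments so commented-out statements are ignored."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def expand(block, acls):
    """Turn 'a; b;' into a set of addresses, following acl names recursively."""
    out = set()
    for m in (x.strip() for x in block.split(";") if x.strip()):
        out |= expand(acls[m], acls) if m in acls else {m}
    return out

def audit(conf):
    """Return findings for allow-recursion, allow-query and allow-transfer."""
    conf = strip_comments(conf)
    acls = dict(ACL.findall(conf))
    found = {k: expand(v, acls) for k, v in STATEMENT.findall(conf)}  # last wins
    findings = []
    for key in ("allow-recursion", "allow-query", "allow-transfer"):
        if key not in found:
            findings.append(f"{key} not set: BIND default is any")
        elif "any" in found[key]:
            findings.append(f"{key} is open to any")
    return findings
```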