Linux中搭建DNS服务器
(1)、关于DNS
DNS(Domain Name Service) 域名解析服务,就是将域名和ip之间做相应的转换,利用TCP和UDP的53号端口
DNS系统作用
正向解析:根据域名查找对应的ip地址
反向解析:根据ip地址查找对应的域名
DNS服务器的分类
主要名称服务器:存放该区域中相关设置的DNS服务器,其存放的是区域文件的正本数据
辅助名称服务器:从其他服务器中复制数据,数据为副本无法修改
主控名称服务器:提供趋于数据复制的DNS服务器
缓存域名服务器:通过像根或其他服务器查询获得域名到ip的解析关系,将查询结果缓存到本地,提高重复查找速度
(2)、 DNS服务器的安装与部署
程序所需的包: bind (DNS服务器软件包) 、bind-utils(DNS测试工具,包含dig、host、nslookup等)、bind-chroot(使BIND运行在指定的目录中的安全增强工具)、caching-nameserver(高速缓存DNS服务器的基本配置文件,建议一定安装)
可执行文件所在目录: /usr/sbin/named (Rhel7) /etc/init.d/named (Rhel6)
配置文件所在目录: /etc/named.conf
区域配置文件所在目录:/var/named/xxx.zone
安装DNS程序: yum -y install bind*
修改主配置文件:/etc/named.conf
添加并修改区域配置文件 /var/named/xxx.zone
修改文件权限: chown named:named /var/named/xxx.zone
开启服务,并验证
(3)、 DNS服务器的配置样例
3.1 主配置文件 /etc/named.conf
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 | // // named.conf // // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS // server as a caching only nameserver (as a localhost DNS resolver only). // // See /usr/share/doc/bind*/sample/ for example named configuration files. // // See the BIND Administrator's Reference Manual (ARM) for details about the // configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html options { listen-on port 53 { any; }; listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; datasize 102400M; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; recursing-file "/var/named/data/named.recursing"; secroots-file "/var/named/data/named.secroots"; allow-query { any; }; forwarders { 8.8.8.8; }; /* - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion. - If you are building a RECURSIVE (caching) DNS server, you need to enable recursion. - If your recursive DNS server has a public IP address, you MUST enable access control to limit queries to your legitimate users. Failing to do so will cause your server to become part of large scale DNS amplification attacks. Implementing BCP38 within your network would greatly reduce such attack surface */ recursion yes; dnssec-enable no; dnssec-validation no; /* Path to ISC DLV key */ bindkeys-file "/etc/named.iscdlv.key"; managed-keys-directory "/var/named/dynamic"; pid-file "/run/named/named.pid"; session-keyfile "/run/named/session.key"; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; zone "." IN { type hint; file "named.ca"; }; zone "lichangyang.com." IN { type master; file "lichangyang.zone"; }; zone "220.97.180.in-addr.arpa" IN { type master; file "220.97.180.zone"; }; zone "30.186.222.in-addr.arpa" IN { type master; file "30.186.222.zone"; }; include "/etc/named.rfc1912.zones"; include "/etc/named.root.key"; |
3.2 正向解析区域配置文件
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | @ IN SOA master.lichangyang.com. root.lichangyang.com. ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum @ IN NS master.lichangyang.com. @ IN MX 10 mail.lichangyang.com. master IN A 180.97.220.155 www IN A 180.97.220.155 bbs IN A 180.97.220.103 blog IN A 180.97.220.33 mail IN A 180.97.220.155 mall IN A 222.186.30.100 |
3.3 反向解析区域配置文件
220.97.180.zone文件内容
1 2 3 4 5 6 7 8 9 10 11 12 |
30.186.222.zone 文件内容
1 2 3 4 5 6 7 8 9 | @ IN SOA master.lichangyang.com. root.lichangyang.com. ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum @ IN NS master.lichangyang.com. @ IN MX 10 mail.lichangyang.com. 100 IN PTR mall |
