需求
内网需要的服务比较多了,不能都用IP地址来处理相关服务,得搭建个内网的DNS服务器来区分相关业务。
安装bind
这里选择yum直接安装,也可以编译安装使用。
yum install bind bind-utils配置bind主配置文件
vim /etc/named.conf
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
#listen-on port 53 { 127.0.0.1; };
listen-on port 53 { 127.0.0.1; 192.66.0.113; }; # 这里添加本机地址或者直接any也可以
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; }; # 这里需要注意一下修改成any,要不其他机器不能访问
forward only;
forwarders {223.5.5.5;8.8.8.8;}; # 添加上游DNS
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recurs ion.
- If you are building a RECURSIVE (caching) DNS server, you need to ena ble
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so w ill
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes; # 允许向上游查询为yes,反之为no
dnssec-enable no; # 安全检查,修改成no。要不会导致未配置的域名不向上游查询,导致查询错误
dnssec-validation no; # 安全检查,修改成no。要不会导致未配置的域名不向上游查询,导致查询错误
/* Path to ISC DLV key */
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";域名配置
vim /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
zone "code.ciomp" IN {
type master;
file "code.ciomp.zone";
allow-update { any; };
};
# 添加自己需要配置的域名
zone "ciomp-code.com" IN {
type master;
file "ciomp-code.com.zone"; #此为此域名对应配置文件名
allow-update { any; };
};域名详细配置
这里注意一下目录,由于主配置中配置了文件夹。相对的域名配置文件直接放在这即可。
vim /var/named/ciomp-code.com.zone
$ORIGIN ciomp-code.com.
$TTL 600 ; 10 minutes
@ IN SOA dns.ciomp-code.com. dnsadmin.ciomp-code.com. (
2023062101 ; serial
10800 ; refresh (3 hours)
900 ; retry (15 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NS dns.ciomp-code.com.
$TTL 60 ; 1 minute
* A 10.66.0.11- 注意:serial字段在每次修改配置文件时数值+1
启动dns服务
systemctl start named ## 启动dns
systemctl enable named ## 设置开机启动
- 注意:系统防火墙的53端口记得需要开放出来
检查
dns服务检查
[root@localhost named]# netstat -lntup | grep 53
tcp 0 0 192.66.0.113:53 0.0.0.0:* LISTEN 7473/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 7473/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 7473/named
tcp6 0 0 ::1:53 :::* LISTEN 7473/named
tcp6 0 0 ::1:953 :::* LISTEN 7473/named
udp 0 0 192.66.0.113:53 0.0.0.0:* 7473/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 7473/named
udp 0 0 0.0.0.0:5353 0.0.0.0:* 869/avahi-daemon: r
udp6 0 0 ::1:53 :::* 7473/named
[root@localhost named]#客户端检查(需要将DNS地址修改成DNS服务器的ip)
C:\Users\Administrator>nslookup www.ciomp-code.com
服务器: UnKnown
Address: 192.66.0.113
名称: www.ciomp-code.com
Address: 10.66.0.11