DNS服务器搭建

注意正式运行的dns服务器主dns设置 中没有启用转发器，所以部分网页如taobao解析时可能很慢。开启转发器即可转发器地址指向电信dns。

[root@master ~]# lsb_release -a
LSB Version:    :core-4.0-ia32:core-4.0-noarch:graphics-4.0-ia32:graphics-4.0-noarch:printing-4.0-ia32:printing-4.0-noarch
Distributor ID: CentOS
Description:    CentOS release 5.11 (Final)
Release:        5.11
Codename:       Final

yum install –y bind bind-chroot bind-utils caching-nameserver

cd /var/named/chroot/etc/
cp -p named.caching-nameserver.conf named.conf  #加-p 保持属组不变
cp -p named.rfc1912.zones named.rfc1912.zones.bak  备份反向解析文件

[root@master etc]# vim named.conf
//
// named.caching-nameserver.conf
//
// Provided by Red Hat caching-nameserver package to configure the
// ISC BIND named(8) DNS server as a caching only nameserver
// (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// DO NOT EDIT THIS FILE - use system-config-bind or an editor
// to create named.conf - edits to this file will be lost on
// caching-nameserver package upgrade.
//
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";

        // Those options should be used carefully because they disable port
        // randomization
        // query-source    port 53;
        // query-source-v6 port 53;

        allow-query     { any; };
        allow-query-cache { any; };
    forwarders{ 219.149.6.99; 219.148.204.66; };  #转发器配置：当你设置了转发器后，所有非本域的和在缓存中无法找到的域名查询都将转发到设置的 DNS 转发器上，由这台 DNS 来完成解析工作并做缓存。
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
view localhost_resolver {
        match-clients      { any; };
        match-destinations { any; };
        recursion yes;
        include "/etc/named.rfc1912.zones";
};
"named.conf" 41L, 1200C written

# vim named.rfc1912.zones
### 配置内容如下：
[root@master etc]# cat named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "." IN {
        type hint;
        file "named.ca";
};

zone "ddit.com" IN {
        type master;
        file "ddit.com.zone";
        allow-update { none; };
};

zone "0.168.192.in-addr.arpa" IN {
        type master;
        file "ddit.com.local";
        allow-update { none; };
};

区域文件配置：
[root@master etc]# cd /var/named/chroot/var/named/
[root@master named]# ls
data  localdomain.zone  localhost.zone  named.broadcast  named.ca  named.ip6.local  named.local  named.zero  slaves
[root@master named]# cp -p localhost.zone ddit.com.zone  拷贝正向解析文件
[root@master named]# cp -p named.local ddit.com.local    拷贝反向解析文件

正向解析配置
[root@master named]# vim ddit.com.zone
                IN NS           @
                IN A            127.0.0.1
                IN AAAA         ::1
$TTL    86400
@               IN SOA  @       root (
                                        42              ; serial (d. adams)
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum

                IN NS           dns.ddit.com.
                IN MX   10      mail.ddit.com.
360             IN A            192.168.0.252
oa              IN A            192.168.0.100
www             IN CNAME        360.ddit.com.

反向解析配置
[root@master named]# cat ddit.com.local
$TTL    86400
@       IN      SOA     localhost. root.localhost.  (
                                      1997022700 ; Serial
                                      28800      ; Refresh
                                      14400      ; Retry
                                      3600000    ; Expire
                                      86400 )    ; Minimum
        IN      NS      dns.ddit.com.
252       IN      PTR     360.ddit.com.
100       IN      PTR     oa.ddit.com.

测试
应该新增DNS服务地址，及自己dns服务器
[root@master named]# cat /etc/resolv.conf
search dnsserver
nameserver 192.168.0.1
nameserver 219.149.6.99
nameserver 219.148.204.66

> [root@master named]# nslookup
> server 127.0.0.1
Default server: 127.0.0.1
Address: 127.0.0.1#53
> 360.ddit.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   360.ddit.com
Address: 192.168.0.252
> oa.ddit.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   oa.ddit.com
Address: 192.168.0.100
> 192.168.0.252
Server:         127.0.0.1
Address:        127.0.0.1#53

252.0.168.192.in-addr.arpa      name = 360.ddit.com.
> 192.168.0.100
Server:         127.0.0.1
Address:        127.0.0.1#53

100.0.168.192.in-addr.arpa      name = oa.ddit.com.

rndc工具使用

使用rndc可以在不停止DNS服务器工作的情况下进行数据的更新，使配置生效。953提供给rndc工具用来管理DNS服务器。

# rndc-confgen > /etc/rndc.conf     //生产配置文件
### 配置内容如下：
# Start of rndc.conf
key "rndckey" {
         algorithm hmac-md5;
         secret "xO/qxwFJjYE41OrsbEAexQ==";
};

options {
         default-key "rndckey";
         default-server 127.0.0.1;
         default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndckey" {
#       algorithm hmac-md5;
#       secret "xO/qxwFJjYE41OrsbEAexQ==";
# };
#
# controls {
#       inet 127.0.0.1 port 953
#               allow { 127.0.0.1; } keys { "rndckey"; };
# };
# End of named.conf
### 结束 ###

# ln -s /var/named/chroot/etc/named.conf /etc/    //创建软连接

# vim /etc/named.conf   //拷贝有 # 号注释的内容到named.conf末尾
### 添加内容如下：
### rndc.conf 2011-08-26 ###
key "rndckey" {
       algorithm hmac-md5;
       secret "xO/qxwFJjYE41OrsbEAexQ==";
};

controls {
       inet 127.0.0.1 port 953
               allow { 127.0.0.1; } keys { "rndckey"; };
};
### configure end ###
### 结束 ###

# service named restart
# rndc reload          //修改完.zone文件，使用rndc工具加载即可，可以查考第四部分进行测试

辅助DNS

备注：安装内容同主DNS安装
# scp -p 22 root@192.168.113.100:/var/named/chroot/etc/* ./       //拷贝主DNS服务器配置文件到辅助DNS上
# chown root.named /var/named/chroot/etc/named.conf   //修改其权限
备注：以上操作在辅助DNS上操作

（1）修改主DNS服务器配置文件
# vim /etc/named.rfc1912.zones

### 配置内容如下：
zone "." IN {
         type hint;
         file "named.ca";
};

zone "laowafang.com" IN {
         type master;
         file "laowafang.com.zone";
         allow-update { none; };
         allow-transfer{ 192.168.0.2; };    //注意{空格192.168.0.2;空格}分号
        also-notify{ 192.168.0.2; };
};

zone "113.168.192.in-addr.arpa" IN {
         type master;
         file "laowafang.com.local";
         allow-update { none; };
         allow-transfer{ 192.168.0.2; };
         also-notify{ 192.168.0.2; };
};
### 结束 ###
（2）修改辅助DNS服务器配置文件

[root@slave ~]# cat /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "." IN {
        type hint;
        file "named.ca";
};

zone "ddit.com" IN {
        type slave;
        file "slaves/ddit.com.zone";
        masters { 192.168.0.1; };
};

zone "0.168.192.in-addr.arpa" IN {
        type slave;
        file "slaves/ddit.com.local";
        masters { 192.168.0.1; };
};

[root@slave ~]#
# ln -s /var/named/chroot/etc/named.conf /etc/    //创建软连接
# ll /etc/name*  //查看连接是否创建成功
# service named restart
# tail /var/log/messages    //查看日志存在 running 及成功启动
# ls /var/named/chroot/var/named/slaves/   //查看是否同步了区域文件

最后都测试dns好用后，做启动项加载 chkconfig named on

防火墙的设定;（一般都关了防火墙）
[root@master ~]# netstat -antup |grep named
tcp        0      0 192.168.0.1:53              0.0.0.0:*                   LISTEN      17831/named        
tcp        0      0 127.0.0.1:53                0.0.0.0:*                   LISTEN      17831/named        
tcp        0      0 127.0.0.1:953               0.0.0.0:*                   LISTEN      17831/named   #这个是rndc     
tcp        0      0 ::1:53                      :::*                        LISTEN      17831/named        
udp        0      0 192.168.0.1:53              0.0.0.0:*                               17831/named        
udp        0      0 127.0.0.1:53                0.0.0.0:*                               17831/named        
udp        0      0 ::1:53                      :::*                                    17831/named

 

[root@master ~]# vi /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 953 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@master ~]# service iptables restart
Applying iptables firewall rules: [  OK  ]
Loading additional iptables modules: ip_conntrack_netbios_ns [  OK  ]

 

注意事项：只有主DNS服务器中Serial number大于辅助DNS服务器中Serial number号的时候才开始传送同步