BIND9 Installation and Deployment

Hands-on enterprise web and DNS build series

Installing BIND9

Operating system and kernel version

    # cat /etc/redhat-release
    CentOS Linux release 7.6.1810 (Core)
    # uname -a
    Linux node 3.10.0-862.el7.x86_64 #1 SMP Fri Apr 20 16:44:24 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Install BIND9 with yum

    # yum install bind
    =============================================================================================================================================================
     Package                                       Arch                          Version                                    Repository                      Size
    =============================================================================================================================================================
    Installing:
     bind                                          x86_64                        32:9.9.4-73.el7_6                          updates                        1.8 M

The installed version is 9.9.4.

The BIND9 main configuration file: /etc/named.conf

  1. Structure of the main configuration file

    options {
            // global options
    }
    zone "zone name" {
            // zone definition
    }
    logging {
            // logging configuration
    }
    include: loads another configuration file
    
  2. Notes on editing the main configuration file

    • The syntax is strict: every statement ends with a semicolon, and whitespace matters
    • File permissions: owner root, group named, mode 640
  3. Sample main configuration file

    
    options {
    	listen-on port 53 { 10.4.7.11; };
    	directory 	"/var/named";
    	dump-file 	"/var/named/data/cache_dump.db";
    	statistics-file "/var/named/data/named_stats.txt";
    	memstatistics-file "/var/named/data/named_mem_stats.txt";
    	allow-query     { any; };
    
    	/* 
    	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
    	 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
    	   recursion. 
    	 - If your recursive DNS server has a public IP address, you MUST enable access 
    	   control to limit queries to your legitimate users. Failing to do so will
    	   cause your server to become part of large scale DNS amplification 
    	   attacks. Implementing BCP38 within your network would greatly
    	   reduce such attack surface 
    	*/
    	recursion yes;
    	
    	dnssec-enable no;
    	dnssec-validation no;
    
    	/* Path to ISC DLV key */
    	bindkeys-file "/etc/named.iscdlv.key";
    
    	managed-keys-directory "/var/named/dynamic";
    
    	pid-file "/run/named/named.pid";
    	session-keyfile "/run/named/session.key";
    };
    
    
    logging {
            channel default_debug {
                    file "data/named.run";
                    severity dynamic;
            };
    };
    
    zone "." IN {
    	type hint;
    	file "named.ca";
    };
    
    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";
    

Starting the BIND9 service

Check the configuration file

    # named-checkconf

If it reports no errors, the configuration is fine.
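As an added check that is not part of the original post: a small POSIX shell audit that runs named-checkconf when it is available and then flags the open-resolver pattern the sample named.conf's own comment block warns about (recursion enabled, allow-query { any; }, and no allow-recursion ACL). The embedded sample reproduces the relevant lines of the post's configuration; the mktemp path and the exit-code convention are this script's own assumptions.

```shell
#!/bin/sh
# Added audit script (not from the original post): flag the open-resolver
# pattern the sample named.conf's own comment warns about, namely
# "recursion yes" together with "allow-query { any; }" and no allow-recursion
# ACL. Exit status: 0 = not open, 1 = open resolver, 2 = syntax check failed.

audit_named_conf() {
    conf="$1"
    # Use BIND's own syntax check when it is installed (part of the bind
    # package on CentOS 7); skip silently on hosts without it.
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$conf" || return 2
    fi
    # Strip single-line /* */, whole-line /* ... */ blocks, and // or # comments
    # so a directive mentioned inside a comment is not read as a setting.
    body=$(sed -e 's|/\*.*\*/||g' -e '/\/\*/,/\*\//d' -e 's|//.*||' -e 's|#.*||' "$conf")
    recursion=no; query_any=no; acl=no
    printf '%s\n' "$body" | grep -Eq 'recursion[[:space:]]+yes[[:space:]]*;' && recursion=yes
    printf '%s\n' "$body" | grep -Eq 'allow-query[[:space:]]*[{][[:space:]]*any[[:space:]]*;' && query_any=yes
    printf '%s\n' "$body" | grep -Eq 'allow-recursion[[:space:]]*[{]' && acl=yes
    if [ "$recursion" = yes ] && [ "$query_any" = yes ] && [ "$acl" = no ]; then
        echo "$conf: recursion on, queries allowed from any, no allow-recursion ACL: open resolver"
        return 1
    fi
    echo "$conf: recursion=$recursion allow-query-any=$query_any allow-recursion=$acl"
    return 0
}

# Constructed sample reproducing the relevant lines of the post's named.conf
# (the mktemp path is an assumption).
sample=$(mktemp)
cat > "$sample" <<'EOF'
options {
	listen-on port 53 { 10.4.7.11; };
	allow-query     { any; };
	/*
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	*/
	recursion yes;
};
EOF
if audit_named_conf "$sample"; then status=0; else status=$?; fi
echo "audit exit status: $status"
rm -f "$sample"
```

On the post's configuration the audit exits 1, because listen-on alone does not restrict who may recurse through the server once it is reachable; adding an allow-recursion ACL for the internal subnet makes it exit 0.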

Start the BIND9 service

    # systemctl start named

Check the BIND9 service status

    # systemctl status named

This completes a minimal forwarding DNS deployment that can serve recursive DNS queries for our intranet clients, for example resolving www.baidu.com.

Verify resolution

Point clients at the DNS server

Set the nameserver in /etc/resolv.conf to the IP address of the host we just deployed:

    # cat /etc/resolv.conf
    # Generated by NetworkManager
    nameserver 10.4.7.11

Verify resolution

    # ping baidu.com
    PING baidu.com (220.181.57.216) 56(84) bytes of data.

posted @ 2020-12-02 17:59 爱可耐