初探bind9
背景
升级升级,升级到9.18.48
[root@mail bind]# /usr/local/bind/sbin/named -V
BIND 9.18.48 (Extended Support Version) <id:b7f82d8>
running on Linux x86_64 3.10.0-1160.el7.x86_64 #1 SMP Mon Oct 19 16:18:59 UTC 2020
built by make with '--prefix=/usr/local/bind' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--with-openssl=/usr/local/bind' '--with-json-c' '--with-libxml2' '--with-jemalloc' '--enable-dnstap' '--disable-doh' 'LDFLAGS=-L/usr/local/bind/lib -Wl,-rpath,/usr/local/bind/lib' 'PKG_CONFIG_PATH=/usr/local/bind/lib/pkgconfig:/opt/rh/devtoolset-10/root/usr/lib64/pkgconfig:/usr/local/lib/pkgconfig'
compiled by GCC 10.2.1 20210130 (Red Hat 10.2.1-11)
compiled with OpenSSL version: OpenSSL 3.0.20 7 Apr 2026
linked to OpenSSL version: OpenSSL 3.0.20 7 Apr 2026
compiled with libuv version: 1.44.2
linked to libuv version: 1.44.2
compiled with libxml2 version: 2.9.1
linked to libxml2 version: 20901
compiled with json-c version: 0.11
linked to json-c version: 0.11
compiled with zlib version: 1.2.7
linked to zlib version: 1.3.1
compiled with protobuf-c version: 1.4.1
linked to protobuf-c version: 1.4.1
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): yes
TKEY mode 3 support (GSS-API): no
default paths:
named configuration: /etc/bind/named.conf
rndc configuration: /etc/bind/rndc.conf
DNSSEC root key: /etc/bind/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/named.pid
named lock file: /var/run/named/named.lock
目录结构
/usr/local/bind/ # BIND 安装根目录 (--prefix)
├── bin/ # 客户端工具
│ ├── arpaname # ARPA名称转换
│ ├── delv # DNS查找验证工具
│ ├── dig # DNS查询工具
│ ├── dnssec-cds # CDS记录管理
│ ├── dnssec-dsfromkey # DS记录生成
│ ├── dnssec-importkey # 密钥导入
│ ├── dnssec-keyfromlabel # 标签密钥生成
│ ├── dnssec-keygen # DNSSEC密钥生成
│ ├── dnssec-revoke # 密钥撤销
│ ├── dnssec-settime # 密钥时间设置
│ ├── dnssec-signzone # 区域签名
│ ├── dnssec-verify # 签名验证
│ ├── dnstap-read # dnstap读取
│ ├── host # 主机查询
│ ├── mdig # 多路DNS查询
│ ├── named-checkconf # 配置检查
│ ├── named-checkzone # 区域文件检查
│ ├── named-compilezone # 区域编译
│ ├── named-journalprint # 日志打印
│ ├── named-rrchecker # 资源记录检查
│ ├── nsec3hash # NSEC3哈希
│ ├── nslookup # DNS查询(交互式)
│ └── nsupdate # 动态更新
│
├── sbin/ # 服务端程序
│ ├── named # DNS主程序
│ ├── ddns-confgen # DDNS密钥生成
│ ├── rndc # 远程控制客户端
│ ├── rndc-confgen # rndc配置生成
│ └── tsig-keygen # TSIG密钥生成
│
├── include/ # 头文件
│ ├── bind9/ # BIND9接口
│ ├── dns/ # DNS库
│ ├── dst/ # DNSSEC库
│ ├── irs/ # 接口解析
│ ├── isc/ # ISC通用库
│ ├── isccc/ # ISC控制通道
│ ├── isccfg/ # 配置解析
│ └── ns/ # 名称服务器
│
├── lib/ # 库文件
│ ├── bind/ # BIND相关
│ ├── libbind9-9.18.48.so # 区域管理库
│ ├── libbind9.so -> libbind9-9.18.48.so
│ ├── libcap.so -> libcap.so.2
│ ├── libcap.so.2 -> libcap.so.2.22
│ ├── libcap.so.2.22
│ ├── libcrypto.so -> libcrypto.so.3
│ ├── libcrypto.so.3 # OpenSSL加密库
│ ├── libdns-9.18.48.so # DNS协议库
│ ├── libdns.so -> libdns-9.18.48.so
│ ├── libirs-9.18.48.so # 解析器库
│ ├── libirs.so -> libirs-9.18.48.so
│ ├── libisc-9.18.48.so # ISC通用库
│ ├── libisc.so -> libisc-9.18.48.so
│ ├── libisccc-9.18.48.so # 控制通道库
│ ├── libisccc.so -> libisccc-9.18.48.so
│ ├── libisccfg-9.18.48.so # 配置解析库
│ ├── libisccfg.so -> libisccfg-9.18.48.so
│ ├── libjemalloc.so -> libjemalloc.so.1
│ ├── libjemalloc.so.1 # 内存分配器
│ ├── libjson-c.so -> libjson-c.so.2.0.1
│ ├── libjson-c.so.2 -> libjson-c.so.2.0.1
│ ├── libjson-c.so.2.0.1 # JSON支持
│ ├── libns-9.18.48.so # 名称服务器库
│ ├── libns.so -> libns-9.18.48.so
│ ├── libssl.so -> libssl.so.3
│ ├── libssl.so.3 # SSL/TLS库
│ ├── libuv.so -> libuv.so.1.0.0
│ ├── libuv.so.1 -> libuv.so.1.0.0
│ ├── libuv.so.1.0.0 # 事件循环库
│ ├── libxml2.so -> libxml2.so.2.9.1
│ ├── libxml2.so.2 -> libxml2.so.2.9.1
│ └── libxml2.so.2.9.1 # XML解析库
│
└── share/ # 共享文件
└── man/ # 手册页
└── man* # 各章节手册
/etc/bind/ # 配置文件目录 (--sysconfdir)
├── named.conf # 主配置文件(需要创建)
├── named.conf.default-zones # 默认区域配置(可选)
├── rndc.conf # rndc配置(需要创建)
├── rndc.key # rndc密钥(需要生成)
└── bind.keys # DNSSEC根密钥(已存在)
/var/ # 运行时和状态目录 (--localstatedir)
├── run/
│ └── named/
│ ├── named.pid # 进程PID文件
│ ├── named.lock # 进程锁文件
│ └── session.key # nsupdate会话密钥
│
├── log/
│ └── named/
│ └── named.log # DNS日志文件
│
└── named/ # DNS数据目录
├── data/ # 数据文件目录
│ ├── cache_dump.db # 缓存转储
│ ├── named_stats.txt # 统计信息
│ ├── named_mem_stats.txt # 内存统计
│ └── named.recursing # 递归查询信息
│
├── dynamic/ # 动态更新区域
│ └── *.jnl # 区域日志文件
│
├── localhost.zone # 本地正向解析
├── 127.0.0.1.zone # 本地反向解析
└── named.ca # 根提示文件
创建必要的目录和用户
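# Create the unprivileged service account only if it is missing.  The comment
# on the original said "if it does not exist", but plain useradd errors out on
# a second run; the id(1) guard makes the step idempotent.
# -r: system account (no aging, low UID)   -s /sbin/nologin: no interactive login
id named >/dev/null 2>&1 || useradd -r -s /sbin/nologin named
# Configuration directory (--sysconfdir)
mkdir -p /etc/bind
# Runtime (pid/lock/session.key) and log directories
mkdir -p /var/run/named /var/log/named
# Zone-file directory (the "directory" option in named.conf) ...
mkdir -p /var/named
# ... plus the two subdirectories named itself writes into:
# dynamic/ (managed-keys state, journals) and data/ (dumps, statistics)
mkdir -p /var/named/dynamic /var/named/data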
设置目录权限
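# Least privilege: named only needs to WRITE the runtime, log, data/ and
# dynamic/ directories.  The static zone files (localhost, 127.0.0.1, named.ca)
# are read-only for it (allow-update { none; }), so keep the zone directory
# root-owned and merely group-readable: a compromised named process then
# cannot rewrite its own zone data.  Any zone that later gets allow-update or
# DDNS must have its file (and journal) in a named-writable directory.
chown -R root:named /var/named
chmod 0750 /var/named
chown -R named:named /var/named/data /var/named/dynamic /var/run/named /var/log/named
chmod 0755 /var/run/named
chmod 0750 /var/log/named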
创建配置文件named.conf
/etc/bind/named.conf
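options {
	# Listen on port 53 on every IPv4 address.  On a multi-homed host list
	# the addresses that should actually serve DNS instead of "any".
	listen-on port 53 { any; };
	# "any" already includes ::1, so listing both was redundant.
	listen-on-v6 port 53 { any; };
	# Alternative: do not listen on IPv6 at all.
	#listen-on-v6 port 53 { none; };
	# Optional hardening, unrelated to IPv6 (the original comment was wrong):
	# stop validating RSASHA1 signatures below "."; zones signed only with
	# that algorithm are then treated as insecure rather than validated.
	#disable-algorithms "." { RSASHA1; };

	# Working directory: relative "file" paths in zone statements resolve here.
	directory "/var/named";
	# Files named writes on request (rndc dumpdb / stats / recursing /
	# secroots).  data/ must be writable by the named user.  Note that
	# secroots-file is an OUTPUT dump of the trust anchors in use, not an input.
	dump-file "/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	recursing-file "/var/named/data/named.recursing";
	secroots-file "/var/named/data/named.secroots";

	# Anyone may send queries.  That is fine for the two authoritative
	# loopback zones, but NOT on its own for recursion: when allow-recursion
	# is unset BIND falls back to allow-query, so "allow-query { any; }" +
	# "recursion yes" + "listen-on { any; }" is an open resolver, usable for
	# DNS amplification and cache-poisoning probes from anywhere.
	allow-query { any; };
	recursion yes;
	# Restrict recursion (and, through its default, cache reads) to local
	# clients.  Extend with the client networks this resolver is meant for.
	allow-recursion { localhost; localnets; };
	# Zone transfers are not needed for the loopback zones.
	allow-transfer { none; };
	# Do not advertise the exact BIND version via version.bind CH TXT.
	version none;

	# Validate DNSSEC with the root trust anchor, maintained via RFC 5011.
	dnssec-validation auto;
	# Root key file shipped with BIND (overrides the built-in anchor if present).
	bindkeys-file "/etc/bind/bind.keys";
	# RFC 5011 managed-keys state lives here; must be writable by named.
	managed-keys-directory "/var/named/dynamic";

	pid-file "/var/run/named/named.pid";
	# Key auto-generated at startup for "nsupdate -l" (local dynamic
	# updates).  It is NOT the rndc key; rndc is configured in "controls".
	session-keyfile "/var/run/named/session.key";
};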
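/* Logging - must be a top-level statement, not inside options */
logging {
	# Channel "default_debug": write to a file.
	channel default_debug {
		# versions/size cap the file and rotate it; without them the log
		# grows without bound (nothing else rotates it here).
		file "/var/log/named/named.log" versions 10 size 20m;
		# "dynamic" follows the debug level set with -d or "rndc trace";
		# at debug level 0 this means info and above.
		severity dynamic;
		# Timestamp every line, and name the category/severity so the log
		# can be filtered (e.g. security, lame-servers, dnssec) when triaging.
		print-time yes;
		print-category yes;
		print-severity yes;
	};
	# Send every category that has no explicit channel to that file.
	category default {
		default_debug;
	};
};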
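# Root hint zone (class IN = Internet): the bootstrap list of root servers
# used to start recursion.  BIND 9.18 also carries compiled-in root hints, so
# the zone is optional, but an explicit, periodically refreshed named.ca is fine.
zone "." IN {
	type hint;
	file "named.ca";
};

# Forward zone for "localhost".  "primary" is the current spelling of
# "master"; 9.18 accepts both.
zone "localhost" IN {
	type primary;
	file "localhost.zone";
	# Read-only: no dynamic updates, hence no journal next to the zone file
	# and the file itself may stay root-owned.
	allow-update { none; };
};

# Reverse zone for the loopback network 127.0.0.0/8.
zone "0.0.127.in-addr.arpa" IN {
	type primary;
	file "127.0.0.1.zone";
	allow-update { none; };
};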
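# rndc control channel: loopback only, on the non-default port 1953 (rndc
# must be told with -p 1953 or default-port in rndc.conf), authenticated with
# the HMAC key named "rndckey".
controls {
	inet 127.0.0.1 port 1953 allow { 127.0.0.1; } keys { "rndckey"; };
};
# Pulls in the key "rndckey" { ... } definition written by rndc-confgen.
# When named runs with -u named (or User=named in the unit) it loads its
# configuration as that user, so this file must be readable by it, e.g.
# root:named 0640 -- and by nobody else: whoever can read the secret can
# issue any rndc command (stop, flush, reload, ...).
include "/etc/bind/rndc.key";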
创建 rndc 配置文件
# 生成 rndc 密钥(下面输出中的 secret 只是本机生成的示例;rndc-confgen 每次都会生成新的随机密钥,切勿复用任何已公开的 secret)
[root@mail bind]# ./rndc-confgen -a -k rndckey -c /etc/bind/rndc.key -t /etc/bind
wrote key file "/etc/bind/rndc.key"
[root@mail bind]# ls -la /etc/bind/rndc.key
-rw------- 1 root root 100 May 19 15:57 /etc/bind/rndc.key
[root@mail bind]# cat /etc/bind/rndc.key
key "rndckey" {
algorithm hmac-sha256;
secret "0N4/nlFFWvFskJySg2nuLO7ANSVm+BH535YJmnkXjVY=";
};
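# rndc.conf: client-side settings for rndc.  Do not paste the secret into a
# second file; include the key file rndc-confgen already wrote, so there is
# exactly one copy to protect and rotate.
cat > /etc/bind/rndc.conf << 'EOF'
include "/etc/bind/rndc.key";
options {
	default-server 127.0.0.1;
	default-key "rndckey";
	# the controls statement in named.conf uses 1953 instead of the default 953
	default-port 1953;
};
server 127.0.0.1 {
	key "rndckey";
};
EOF
# "cat >" creates the file with the default umask (0644, world-readable).
# named.conf also includes rndc.key, and named started with -u named (or
# User=named in the unit) reads it as that user, so it must be readable by
# the named group but by nobody else: the secret is a shared HMAC key and
# anyone who can read it can issue rndc commands.
chown root:named /etc/bind/rndc.key /etc/bind/rndc.conf
chmod 0640 /etc/bind/rndc.key /etc/bind/rndc.conf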
创建必要的 zone 文件
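# localhost forward zone.  An AAAA record is added because named also listens
# on IPv6 (listen-on-v6) and clients resolving "localhost" over v6 expect ::1.
# Bump the serial whenever this file is edited after deployment.
cat > /var/named/localhost.zone << 'EOF'
$ORIGIN localhost.
$TTL 86400
@	IN	SOA	localhost. root.localhost. (
			2024051901	; serial
			3600		; refresh
			1800		; retry
			604800		; expire
			86400 )		; minimum
@	IN	NS	localhost.
@	IN	A	127.0.0.1
@	IN	AAAA	::1
EOF
# Reverse zone for 127.0.0.0/8 (only 127.0.0.1 gets a PTR).
cat > /var/named/127.0.0.1.zone << 'EOF'
$ORIGIN 0.0.127.in-addr.arpa.
$TTL 86400
@	IN	SOA	localhost. root.localhost. (
			2024051901	; serial
			3600		; refresh
			1800		; retry
			604800		; expire
			86400 )		; minimum
@	IN	NS	localhost.
1	IN	PTR	localhost.
EOF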
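# Root hints (names/addresses of the root servers).
# -f: fail on HTTP errors instead of saving an error page as the hint file;
# -sS: quiet, but still print errors.  InterNIC publishes a detached PGP
# signature next to this file if you want to verify the download.
# BIND 9.18 also has compiled-in root hints, so a missing named.ca is not
# fatal, but keep the file refreshed.
curl -fsS -o /var/named/named.ca https://www.internic.net/domain/named.root
# Without curl:
# wget -q -O /var/named/named.ca https://www.internic.net/domain/named.root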
测试配置文件
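# Syntax check of named.conf.  -z additionally loads every zone it references,
# catching missing or unreadable zone files before named is (re)started.
/usr/local/bind/bin/named-checkconf -z /etc/bind/named.conf
# Individual zone-file checks (zone name, then file)
/usr/local/bind/bin/named-checkzone localhost /var/named/localhost.zone
/usr/local/bind/bin/named-checkzone 0.0.127.in-addr.arpa /var/named/127.0.0.1.zone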
启动 named 服务
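# Foreground, logging to stderr (for testing; Ctrl-C stops it)
/usr/local/bind/sbin/named -u named -g -c /etc/bind/named.conf
# Daemonised
/usr/local/bind/sbin/named -u named -c /etc/bind/named.conf
# Check the process (pgrep avoids the "grep named" self-match of ps | grep)
pgrep -a named
# Check listeners.  Match port 53 exactly: a bare "grep 53" also matches
# 5353, 1953 (the rndc port) and any PID containing "53".
ss -tulnp 'sport = :53'
# or, with net-tools
netstat -tulnp | grep -E ':53[[:space:]]'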
测试 DNS 解析
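# Resolve through the new server
/usr/local/bind/bin/nslookup www.baidu.com 127.0.0.1
/usr/local/bind/bin/dig @127.0.0.1 www.baidu.com
# dnssec-validation auto is on: a signed name should come back with the
# "ad" (authenticated data) flag, and a deliberately broken one with SERVFAIL
# (both need working upstream connectivity and a sane clock).
/usr/local/bind/bin/dig @127.0.0.1 +dnssec isc.org SOA | grep -w flags
/usr/local/bind/bin/dig @127.0.0.1 dnssec-failed.org A | grep -w status
# From a host OUTSIDE the networks allowed by allow-recursion, a recursive
# query must be REFUSED (no "ra" flag); if it is answered, this is an open
# resolver.  Run on the remote host:
# dig @<server-ip> www.baidu.com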
# 测试 rndc 管理
[root@mail bind]# /usr/local/bind/sbin/rndc -s 127.0.0.1 -p 1953 status
WARNING: key file (/etc/bind/rndc.key) exists, but using default configuration file (/etc/bind/rndc.conf)
version: BIND 9.18.48 (Extended Support Version) <id:b7f82d8>
running on localhost: Linux x86_64 3.10.0-1160.el7.x86_64 #1 SMP Mon Oct 19 16:18:59 UTC 2020
boot time: Tue, 19 May 2026 12:05:41 GMT
last configured: Tue, 19 May 2026 12:05:59 GMT
configuration file: /etc/bind/named.conf
CPUs found: 4
worker threads: 4
UDP listeners per interface: 4
number of zones: 103 (100 automatic)
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/900/1000
tcp clients: 0/150
TCP high-water: 0
server is up and running
创建 systemd 服务文件(可选)
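cat > /etc/systemd/system/named.service << 'EOF'
[Unit]
Description=BIND Domain Name Server
Documentation=man:named(8)
After=network.target

[Service]
Type=forking
User=named
Group=named
# /var/run is a tmpfs (symlink to /run) on EL7, so /var/run/named disappears
# at reboot and named would fail on its pid/lock/session files; let systemd
# recreate it, owned by User=/Group=, before each start.
RuntimeDirectory=named
RuntimeDirectoryMode=0755
EnvironmentFile=-/etc/sysconfig/named
# Refuse to start on a broken configuration instead of crash-looping.
# Runs as User=named, so rndc.key and the zone files must be readable by it.
ExecStartPre=/usr/local/bind/bin/named-checkconf -z /etc/bind/named.conf
# -u named is redundant under User=named but harmless; kept for parity with
# the manual start commands.
ExecStart=/usr/local/bind/sbin/named -c /etc/bind/named.conf -u named $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
PIDFile=/var/run/named/named.pid
Restart=on-failure
# Basic sandboxing available on EL7's systemd 219.  named writes only under
# /var (zone data dir, log, runtime dir), so a read-only /usr and /etc is fine.
PrivateTmp=true
ProtectSystem=full
ProtectHome=true
# Do NOT add NoNewPrivileges=yes: the service runs as User=named and relies
# on the file capability set with setcap on the named binary to bind port 53,
# and NoNewPrivileges blocks acquiring file capabilities.  AmbientCapabilities=
# would be the cleaner way but needs systemd >= 229 and kernel >= 4.3.

[Install]
WantedBy=multi-user.target
EOF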
# Register the new unit file, then enable it at boot and start it right away
# (enable --now is the same as enable followed by start)
systemctl daemon-reload
systemctl enable --now named
给 named 可执行文件添加能力
# 给 named 二进制文件添加 CAP_NET_BIND_SERVICE 文件能力:unit 里使用 User=named 启动,没有这项能力就无法绑定 53 端口。注意:文件能力保存在二进制的 xattr 中,文件被替换(例如下一次 make install 升级)后会丢失,升级后需重新执行 setcap;另外 unit 中不要加 NoNewPrivileges=yes,否则进程无法获得文件能力。
[root@mail ~]# sudo setcap 'cap_net_bind_service=+ep' /usr/local/bind/sbin/named
# 验证是否添加成功
[root@mail ~]# sudo getcap /usr/local/bind/sbin/named
/usr/local/bind/sbin/named = cap_net_bind_service+ep
防火墙配置(如果启用)
# Open the DNS service (tcp+udp/53) in firewalld's default zone.  For a
# recursive resolver this exposes port 53 to every network the host faces;
# pair it with allow-recursion in named.conf, or attach the rule to the
# firewalld zone/interface that carries your client networks instead.
firewall-cmd --permanent --add-service=dns
firewall-cmd --reload
# Or, with plain iptables (same caveat: restrict the source where possible)
# iptables -A INPUT -p udp --dport 53 -j ACCEPT
# iptables -A INPUT -p tcp --dport 53 -j ACCEPT
故障排查
# Follow named's own log file (the file channel defined in named.conf)
tail -f -- /var/log/named/named.log
# Or follow the unit's journal (named's stderr plus systemd messages)
journalctl -fu named
# Kernel ring buffer, e.g. for OOM kills or capability denials
dmesg | tail -n 20
