安装bind-chroot
1. bind软件安装后,会产生几个固有文件,分为两类:一类是配置文件,位于/etc目录下;另一类是DNS记录文件,位于/var/named目录下。
yum install -y bind bind-chroot bind-utils
bind:bind的主程序软件包,进程名为named
bind-chroot:为bind提供chroot功能,将named进程限制在chroot目录(/var/named/chroot)下,防止错误的权限设置影响到整个系统。
bind-utils:提供一些工具,如dig。
2. bind配置
[root@VM-0-9-centos etc]#
[root@VM-0-9-centos etc]# pwd
/var/named/chroot/etc
[root@VM-0-9-centos etc]# ln /etc/named.* .
[root@VM-0-9-centos etc]# ll
total 24
drwxr-x--- 2 root named 4096 Jul 19 20:47 named
-rw-r----- 2 root named 1806 Jul 19 20:48 named.conf
-rw-r--r-- 2 root named 3923 Jul 19 20:48 named.iscdlv.key
-rw-r----- 2 root named 931 Jun 21 2007 named.rfc1912.zones
-rw-r--r-- 2 root named 1886 Apr 13 2017 named.root.key
drwxr-x--- 3 root named 4096 Sep 30 21:52 pki
[root@VM-0-9-centos etc]#
[root@VM-0-9-centos named]# pwd
/var/named/chroot/var/named
[root@VM-0-9-centos named]# ln /var/named/named.* .
[root@VM-0-9-centos named]# ll
total 16
-rw-r----- 2 root named 2253 Apr 5 2018 named.ca
-rw-r----- 2 root named 152 Dec 15 2009 named.empty
-rw-r----- 2 root named 152 Jun 21 2007 named.localhost
-rw-r----- 2 root named 168 Dec 15 2009 named.loopback
[root@VM-0-9-centos named]#
[root@VM-0-9-centos named]#
[root@VM-0-9-centos named]# mkdir data dynamic slaves
[root@VM-0-9-centos named]#
[root@VM-0-9-centos named]# chown -R named.named data/ dynamic/ slaves/
[root@VM-0-9-centos named]# systemctl start named-chroot
[root@VM-0-9-centos named]# pwd
/var/named/chroot/var/named
[root@VM-0-9-centos named]# systemctl enable named-chroot
主DNS 引入view
view 按 named.conf 中的书写顺序匹配 match-clients,客户端命中第一个 view 后不再继续匹配;下面示例里 beijingnet 和 nanjingnet 两个 acl 都是 10.206.0.16/32,所以 nanjingview 实际不会被命中,实际部署时要改成各自站点的网段。另外示例 options 中 listen-on/allow-query 均为 any 且 recursion yes,权威服务器若对外可达应关闭递归或用 allow-recursion 限制来源,避免成为开放解析器。
[root@VM-0-16-centos etc]#
[root@VM-0-16-centos etc]# cp named.rfc1912.zones named.rfc1912.zones.bj named.rfc1912.zones.nj named.rfc1912.zones.other
[root@VM-0-16-centos etc]# pwd
/var/named/chroot/etc
[root@VM-0-16-centos etc]# ll
total 704
-rw-r--r-- 5 root root 556 Oct 27 2021 localtime
drwxr-x--- 2 root named 4096 Oct 16 21:26 named
-rw-r----- 2 root named 2132 Jan 22 22:28 named.conf
-rw-r--r-- 2 root named 3923 Oct 16 21:26 named.iscdlv.key
-rw-r----- 1 root named 0 Jan 22 22:27 named.rfc1912.zones
-rw-r----- 1 root named 1060 Jan 22 22:32 named.rfc1912.zones.bj
-rw-r----- 1 root named 1060 Jan 22 22:32 named.rfc1912.zones.nj
-rw-r----- 1 root named 1063 Jan 22 22:32 named.rfc1912.zones.other
-rw-r--r-- 2 root named 1886 Apr 13 2017 named.root.key
drwxr-x--- 3 root named 4096 Jan 22 21:09 pki
-rw-r--r-- 1 root root 6545 Apr 1 2020 protocols
-rw-r----- 1 root named 100 Jan 22 21:11 rndc.key
-rw-r--r-- 1 root root 670293 Jun 7 2013 services
[root@VM-0-16-centos etc]#
[root@VM-0-16-centos etc]#
[root@VM-0-16-centos etc]# cat named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
//test
acl beijingnet {
10.206.0.16/32;
};
acl nanjingnet {
10.206.0.16/32;
};
acl othernet {
any;
};
view beijingview {
match-clients { beijingnet; };
include "/etc/named.rfc1912.zones.bj";
};
view nanjingview {
match-clients { nanjingnet; };
include "/etc/named.rfc1912.zones.nj";
};
view otherview {
match-clients { othernet; };
include "/etc/named.rfc1912.zones.other";
};
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
include "/etc/named.root.key";
[root@VM-0-16-centos etc]#
[root@VM-0-16-centos etc]#
[root@VM-0-16-centos etc]# >named.rfc1912.zones
[root@VM-0-16-centos etc]#
[root@VM-0-16-centos etc]# cat named.rfc1912.zones.bj
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "magedu.org" {
type master;
file "magedu.org.zone.bj";
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
[root@VM-0-16-centos etc]#
[root@VM-0-16-centos etc]# cat named.rfc1912.zones.nj
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "magedu.org" {
type master;
file "magedu.org.zone.nj";
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
[root@VM-0-16-centos etc]#
[root@VM-0-16-centos etc]# cat named.rfc1912.zones.other
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "magedu.org" {
type master;
file "magedu.org.zone.other";
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
[root@VM-0-16-centos etc]#
[root@VM-0-16-centos etc]# pwd
/var/named/chroot/etc
[root@VM-0-16-centos etc]#
[root@VM-0-16-centos named]#
[root@VM-0-16-centos named]# pwd
/var/named/chroot/var/named
[root@VM-0-16-centos named]# cat magedu.org.zone.bj
$TTL 1D
@ IN SOA ns1 admin (
1
1D
1H
1W
2H
)
NS ns1
ns1 A 172.2.2.2
www A 192.2.2.2
[root@VM-0-16-centos named]#
[root@VM-0-16-centos named]#
[root@VM-0-16-centos named]# cat magedu.org.zone.nj
$TTL 1D
@ IN SOA ns1 admin (
1
1D
1H
1W
2H
)
NS ns1
ns1 A 10.10.10.10
www A 11.11.11.11
[root@VM-0-16-centos named]#
[root@VM-0-16-centos named]#
[root@VM-0-16-centos named]# cat magedu.org.zone.other
$TTL 1D
@ IN SOA ns1 admin (
1
1D
1H
1W
2H
)
NS ns1
ns1 A 172.3.3.3
www A 192.3.3.3
[root@VM-0-16-centos named]#
[root@VM-0-16-centos named]# pwd
/var/named/chroot/var/named
[root@VM-0-16-centos named]#
[root@VM-0-16-centos named]# systemctl restart named-chroot