
主DNS配置

2016-02-11 20:11 169 查看
一,安装BIND

[root@localhost ~]# yum install bind bind-chroot bind-utils
Loaded plugins: product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
cdrom                                                                      | 4.1 kB  00:00:00
Resolving Dependencies
--> Running transaction check
---> Package bind.x86_64 32:9.9.4-14.el7 will be installed
--> Processing Dependency: bind-libs = 32:9.9.4-14.el7 for package: 32:bind-9.9.4-14.el7.x86_64
--> Processing Dependency: libbind9.so.90()(64bit) for package: 32:bind-9.9.4-14.el7.x86_64
--> Processing Dependency: libdns.so.100()(64bit) for package: 32:bind-9.9.4-14.el7.x86_64
--> Processing Dependency: libisc.so.95()(64bit) for package: 32:bind-9.9.4-14.el7.x86_64
--> Processing Dependency: libisccc.so.90()(64bit) for package: 32:bind-9.9.4-14.el7.x86_64
--> Processing Dependency: libisccfg.so.90()(64bit) for package: 32:bind-9.9.4-14.el7.x86_64
--> Processing Dependency: liblwres.so.90()(64bit) for package: 32:bind-9.9.4-14.el7.x86_64
---> Package bind-chroot.x86_64 32:9.9.4-14.el7 will be installed
---> Package bind-utils.x86_64 32:9.9.4-14.el7 will be installed
--> Running transaction check
---> Package bind-libs.x86_64 32:9.9.4-14.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==================================================================================================
Package                 Arch               Version                       Repository         Size
==================================================================================================
Installing:
bind                    x86_64             32:9.9.4-14.el7               cdrom             1.8 M
bind-chroot             x86_64             32:9.9.4-14.el7               cdrom              81 k
bind-utils              x86_64             32:9.9.4-14.el7               cdrom             198 k
Installing for dependencies:
bind-libs               x86_64             32:9.9.4-14.el7               cdrom             1.0 M

Transaction Summary
==================================================================================================
Install  3 Packages (+1 Dependent package)

Total download size: 3.0 M
Installed size: 7.2 M
Is this ok [y/d/N]: y
Downloading packages:
--------------------------------------------------------------------------------------------------
Total                                                              45 MB/s | 3.0 MB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : 32:bind-libs-9.9.4-14.el7.x86_64                                               1/4
Installing : 32:bind-9.9.4-14.el7.x86_64                                                    2/4
Installing : 32:bind-chroot-9.9.4-14.el7.x86_64                                             3/4
Installing : 32:bind-utils-9.9.4-14.el7.x86_64                                              4/4
Verifying  : 32:bind-9.9.4-14.el7.x86_64                                                    1/4
Verifying  : 32:bind-libs-9.9.4-14.el7.x86_64                                               2/4
Verifying  : 32:bind-chroot-9.9.4-14.el7.x86_64                                             3/4
Verifying  : 32:bind-utils-9.9.4-14.el7.x86_64                                              4/4

Installed:
bind.x86_64 32:9.9.4-14.el7                     bind-chroot.x86_64 32:9.9.4-14.el7
bind-utils.x86_64 32:9.9.4-14.el7

Dependency Installed:
bind-libs.x86_64 32:9.9.4-14.el7

Complete!


二,BIND配置

/etc/named.conf 主配置文件

/etc/named.rfc1912.zones 区域配置文件

/var/named/named.localhost 资源记录配置文件

1,编辑主配置文件

[root@localhost ~]# vim /etc/named.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
listen-on port 53 { any; };  //将“127.0.0.1”改为any,可监听任何IP地址(域名服务器的IP)
listen-on-v6 port 53 { ::1; };
directory       "/var/named";
dump-file       "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query     { any; };  //将“localhost”改为any,代表允许任何主机查询。注意:下方的 recursion yes 未改,此时任何能访问本机的主机都可用它做递归解析(即开放递归解析器,正是下面注释中警告的情况);只做权威服务器请改为 recursion no,否则应加 allow-recursion { 内网网段; } 限制递归范围

/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;

dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";

managed-keys-directory "/var/named/dynamic";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};

logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};

zone "." IN {
type hint;
file "named.ca";
};

include "/etc/named.rfc1912.zones";  //区域配置文件
include "/etc/named.root.key";


2,编辑区域配置文件

[root@localhost ~]# vim /etc/named.rfc1912.zones

// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt // (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};

zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};

zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
zone "kernel.org" IN {          //"kernel.org"为域名
type master;            //"master"代表主域名服务器
file "kernel.org.zone"; //"kernel.org.zone"为资源信息记录文件,在/var/named/目录下
allow-update { none; };
};


3,编辑资源信息文件

[root@localhost ~]# cp -a  /var/named/named.localhost  /var/named/kernel.org.zone
[root@localhost ~]# vim /var/named/kernel.org.zone

$TTL 1D
@       IN SOA  @ rname.invalid. (                        ; 区域文件中注释以";"开头(不能用"//",否则named-checkzone报错); "@"表示当前区域名,这里即"kernel.org",也可直接写成"kernel.org."; "SOA"表示权威区域的开始; "rname.invalid."表示域名管理员邮箱(模板占位符,邮箱中的"@"写作".")
0       ; serial  区域传送序列号,每次修改区域文件后应递增,从服务器据此判断是否需要同步
1D      ; refresh //从服务器更新主服务器资源的时间
1H      ; retry   //"refresh"失败,重试的时间间隔
1W      ; expire  //从服务器过期时长
3H )    ; minimum //无效解析记录过期时长

NS ns.kernel.org. ; 域名服务器记录(所有者省略,沿用上一条记录的所有者"@")
ns IN A 192.168.16.20 ; 域名服务器的地址记录

IN      MX   10      mail.kernel.org. ; 邮件交换记录。注意:此行省略了所有者名,会沿用上一条记录的所有者"ns",实际生成的是 ns.kernel.org 的 MX 记录,所以下文 dig -t mx kernel.org 返回 ANSWER: 0;应写成 "@ IN MX 10 mail.kernel.org." 或把本行移到 "ns" 记录之前
www     IN A    192.168.16.20  ; 加入一条资源信息,即"www.kernel.org"和"192.168.16.20"的对应关系
mail    IN A 192.168.16.21


将DNS指向域名服务器IP地址

[root@localhost ~]# vim /etc/resolv.conf

# Generated by NetworkManager
nameserver 192.168.16.20 //如果在其他客户端测试需要将其DNS地址更改为本域名服务器IP:"nameserver 192.168.16.20"


关闭SELinux、firewalld,清空防火墙(仅用于实验环境;setenforce 0 重启后失效,生产环境应保留防火墙并只放行53端口,例如 firewall-cmd --permanent --add-service=dns 后 firewall-cmd --reload)

[root@localhost ~]# setenforce 0
[root@localhost ~]# getenforce
Permissive
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# iptables -F


三,验证DNS

在另一台客户端查询“www.kernel.org”IP地址,需要将客户端DNS改为域名服务器IP地址

[root@localhost ~]# dig www.kernel.org

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> www.kernel.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28937
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.kernel.org.            IN    A

;; ANSWER SECTION:
www.kernel.org.        86400    IN    A    192.168.16.20

;; AUTHORITY SECTION:
kernel.org.        86400    IN    NS    ns.kernel.org.

;; ADDITIONAL SECTION:
ns.kernel.org.        86400    IN    A    192.168.16.20

;; Query time: 1 msec
;; SERVER: 192.168.16.20#53(192.168.16.20)
;; WHEN: Fri Feb 12 04:05:22 CST 2016
;; MSG SIZE  rcvd: 92


查询“kernel.org”域的邮件记录

[root@localhost ~]# dig -t mx kernel.org

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> -t mx kernel.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55363
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;kernel.org.            IN    MX

;; AUTHORITY SECTION:
kernel.org.        10800    IN    SOA    kernel.org. rname.invalid. 0 86400 3600 604800 10800

;; Query time: 1 msec
;; SERVER: 192.168.16.20#53(192.168.16.20)
;; WHEN: Fri Feb 12 04:07:53 CST 2016
;; MSG SIZE  rcvd: 88