First, a brief introduction to BIND: it is the most widely used DNS server software on the Linux platform.
Installation plan:
1. Install the main BIND package with yum
2. Install bind-chroot, which runs BIND inside a chroot jail for added security
3. Create the files the bind-chroot jail needs
4. Change the ownership of the BIND files to the user the named-chroot service runs as; Linux system services are managed by their corresponding user
5. Stop the original bind service and enable the chroot service
6. Allow the service through the firewall
7. Enable start on boot
Detailed steps:
1. Install the packages
yum install bind bind-chroot -y
2. Create the files the bind-chroot jail directory needs
touch /var/named/chroot/var/named/data/cache_dump.db
touch /var/named/chroot/var/named/data/named_stats.txt
touch /var/named/chroot/var/named/data/named_mem_stats.txt
touch /var/named/chroot/var/named/data/named.run
mkdir /var/named/chroot/var/named/dynamic
touch /var/named/chroot/var/named/dynamic/managed-keys.bind
3. Change the owner of the BIND files
# named-chroot.service runs named as the "named" user (there is no separate named-chroot account)
chown -R named:named /var/named
4. Copy the configuration files into the chroot directory
With the chroot directory in place, the configuration that would normally live under /var/named is kept under /var/named/chroot instead
cp -R /usr/share/doc/bind-*/sample/var/named/* /var/named/chroot/var/named/
cp -p /etc/named.conf /var/named/chroot/etc/named.conf
5. Allow access through the firewall
firewall-cmd --permanent --zone=public --add-port=53/tcp
firewall-cmd --permanent --zone=public --add-port=53/udp
firewall-cmd --reload
6. Enable the chroot setup at boot and disable the original bind service's start-up method
/usr/libexec/setup-named-chroot.sh /var/named/chroot on
systemctl stop named
systemctl disable named
--------------------------------------------------------------------------------------------
The steps above are identical for the master and slave DNS servers
--------------------------------------------------------------------------------------------
/------------------------------ Master DNS configuration starts here -------------------------/
7. Configure the master DNS main configuration file as follows
vim /var/named/chroot/etc/named.conf
options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file "/var/named/data/named.recursing";
    secroots-file "/var/named/data/named.secroots";
    allow-query { any; };
    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "csnae.com" IN {
    type master;
    file "csnae.com.zone";
    allow-transfer { 192.168.25.2; };
};
zone "25.168.192.in-addr.arpa" IN {
    type master;
    file "192.168.25.zone";
    allow-transfer { 192.168.25.2; };
};
zone "." IN {
    type hint;
    file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
8. Configure the master DNS zone files; the zone files you create must have exactly the names referenced in the main configuration file
cd /var/named/chroot/var/named
cp named.empty csnae.com.zone
cp named.empty 192.168.25.zone
vim csnae.com.zone
$TTL 3H
@       IN SOA  @ rname.invalid. (
                                0       ; serial
                                1D      ; refresh
                                1H      ; retry
                                1W      ; expire
                                3H )    ; minimum
        NS      ns.csnae.com.
ns      IN A    192.168.25.24
www     IN A    192.168.25.25
ftp     IN A    192.168.25.26
vim 192.168.25.zone
$TTL 3H
@       IN SOA  @ rname.invalid. (
                                0       ; serial
                                1D      ; refresh
                                1H      ; retry
                                1W      ; expire
                                3H )    ; minimum
        NS      ns.csnae.com.
24      IN PTR  ns.csnae.com.
25      IN PTR  www.csnae.com.
26      IN PTR  ftp.csnae.com.
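A forward zone and its reverse zone drift apart easily (an A record added without its PTR, or a PTR left behind after a host is removed). The following script is an added example, not part of the original post: it cross-checks the two zone files above, using constructed in-line copies of their records as sample input; the function names and the "prefix" argument (the network part of the reverse zone, 192.168.25) are assumptions of this example.

```shell
# Added example: cross-check a forward zone against its reverse zone so that
# every A record has a matching PTR and every PTR points at an existing A record.
# The two sample zone files below are constructed copies of the records above.
ZONEDIR=$(mktemp -d)
cat > "$ZONEDIR/csnae.com.zone" <<'EOF'
@       IN SOA  @ rname.invalid. ( 0 1D 1H 1W 3H )
ns      IN A    192.168.25.24
www     IN A    192.168.25.25
ftp     IN A    192.168.25.26
EOF
cat > "$ZONEDIR/192.168.25.zone" <<'EOF'
@       IN SOA  @ rname.invalid. ( 0 1D 1H 1W 3H )
24      IN PTR  ns.csnae.com.
25      IN PTR  www.csnae.com.
26      IN PTR  ftp.csnae.com.
EOF

# a_records ZONEFILE ORIGIN -> "fqdn ip" per A record; relative names are made absolute
a_records() {
    awk -v origin="$2" '$2 == "IN" && $3 == "A" {
        name = $1
        if (name == "@") name = origin
        else if (name !~ /\.$/) name = name "." origin
        print name, $4
    }' "$1"
}

# ptr_records ZONEFILE PREFIX -> "fqdn ip" per PTR record (prefix = network part of the IP)
ptr_records() {
    awk -v prefix="$2" '$2 == "IN" && $3 == "PTR" { print $4, prefix "." $1 }' "$1"
}

# check_consistency FWDZONE ORIGIN REVZONE PREFIX: lists records lacking a counterpart; 0 when both agree
check_consistency() {
    tmp=$(mktemp -d); status=0
    a_records "$1" "$2" | sort > "$tmp/fwd"
    ptr_records "$3" "$4" | sort > "$tmp/rev"
    only_fwd=$(comm -23 "$tmp/fwd" "$tmp/rev")
    only_rev=$(comm -13 "$tmp/fwd" "$tmp/rev")
    [ -z "$only_fwd" ] || { status=1; printf 'A without PTR: %s\n' "$only_fwd"; }
    [ -z "$only_rev" ] || { status=1; printf 'PTR without A: %s\n' "$only_rev"; }
    rm -rf "$tmp"
    return $status
}

check_consistency "$ZONEDIR/csnae.com.zone" csnae.com. \
    "$ZONEDIR/192.168.25.zone" 192.168.25 && echo "forward and reverse zones agree"
```

Run it against the real files on the master (/var/named/chroot/var/named/csnae.com.zone and 192.168.25.zone) after every zone edit, before bumping the serial.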
9. Start the service
systemctl start named-chroot
systemctl enable named-chroot
/----------------------------------- The master DNS configuration is complete -------------------/
/----------------------------------- Slave DNS configuration ------------------------------------------/
10. Configure the slave DNS main configuration file
options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file "/var/named/data/named.recursing";
    secroots-file "/var/named/data/named.secroots";
    allow-query { any; };
    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "csnae.com" IN {
    type slave;
    file "slaves/csnae.com.zone";
    masters { 192.168.25.24; };
};
zone "25.168.192.in-addr.arpa" IN {
    type slave;
    file "192.168.25.zone";
    masters { 192.168.25.24; };
};
zone "." IN {
    type hint;
    file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
11. Start the slave server
systemctl start named-chroot
systemctl enable named-chroot
Checking commands
Check that the main configuration file is valid; because a chroot directory is used, a message saying the zone files cannot be found is normal
named-checkconf -z /var/named/chroot/etc/named.conf
Check that the zone file is valid
named-checkzone csnae.com /var/named/chroot/var/named/csnae.com.zone
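The "zone file not found" message above goes away when named-checkconf is told about the jail: its -t option resolves /etc/named.conf and the zone files inside the chroot, exactly as the chrooted named does. The following script is an added example, not part of the original post: it runs the checks that way for every master zone declared in named.conf, and also flags the "recursion yes" setting that the comment in the configuration file itself warns against for an authoritative server. The function names are assumptions of this example; check_chroot needs root and the bind utilities, while the stand-alone run uses a constructed sample configuration.

```shell
# Added example: validate named.conf and the master zone files as the chrooted
# named sees them, and flag the recursion setting that the comment in named.conf
# warns about. A constructed sample config is used for the stand-alone run.

# master_zones NAMED_CONF -> "zone file" for every zone declared "type master"
master_zones() {
    awk '/^[[:space:]]*zone[[:space:]]+"/ { gsub(/"/, "", $2); zone = $2; type = "" }
         /^[[:space:]]*type[[:space:]]/   { type = $2; sub(/;$/, "", type) }
         /^[[:space:]]*file[[:space:]]/   { file = $2; gsub(/[";]/, "", file) }
         /^[[:space:]]*};/ && type == "master" { print zone, file; type = "" }' "$1"
}

# audit_recursion NAMED_CONF -> returns 1 when "recursion yes;" is set without any
# allow-recursion ACL (a textual check; an ACL of { any; } would still pass it)
audit_recursion() {
    if grep -Eq '^[[:space:]]*recursion[[:space:]]+yes;' "$1" &&
       ! grep -Eq '^[[:space:]]*allow-recursion[[:space:]]' "$1"; then
        echo "WARNING: recursion yes without allow-recursion; an authoritative-only server should set recursion no;"
        return 1
    fi
}

# check_chroot CHROOT (run as root): -t makes named-checkconf resolve paths inside
# the jail, so -z really loads the zones; each master zone is then checked too
check_chroot() {
    named-checkconf -t "$1" -z /etc/named.conf || return 1
    master_zones "$1/etc/named.conf" | while read -r zone file; do
        named-checkzone "$zone" "$1/var/named/$file" || exit 1
    done
}

SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
options {
    directory "/var/named";
    recursion yes;
};
zone "csnae.com" IN {
    type master;
    file "csnae.com.zone";
};
zone "25.168.192.in-addr.arpa" IN {
    type master;
    file "192.168.25.zone";
};
zone "." IN { type hint; file "named.ca"; };
EOF
master_zones "$SAMPLE"
audit_recursion "$SAMPLE" || true
```

On the master, `check_chroot /var/named/chroot` replaces the two manual commands above; on the slave it only validates named.conf, since slave zones are fetched from the master rather than kept locally.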
12. Client test