Building a DNS Service with Bind

liveJQ
2022-07-06

Installation

Bind9 is currently the most widely used open-source software for deploying DNS services: it is feature-complete and 100% standards-compliant.

yum install bind bind-utils -y || apt install bind9 bind9utils bind9-utils bind9-dnsutils bind9-doc bind9-host bind9-libs -y

It is recommended to install it on CentOS 7, Ubuntu 18.04 LTS, Debian 10 or newer.

Configuration

By role or function, DNS servers are divided into authoritative DNS, recursive DNS (caching DNS) and forwarding DNS. In general, configuring zone files gives you an authoritative DNS; setting recursion to yes (the default is yes) gives you a recursive DNS; and setting forward only together with a non-empty forwarders list turns it into a forwarding DNS.

CentOS

Main configuration file

/etc/named.conf

# Only the key options are listed
options {
        listen-on port 53 { 127.0.0.1; 192.168.111.11; };
        recursion yes;
        allow-recursion { any; };   # "any" makes this an open resolver; limit it to your own networks if port 53 is reachable from outside
        allow-query     { any; };
        dnssec-enable yes;
        forwarders { 8.8.8.8; };
        forward first;
};

Adding the zone definitions

# append the include line (">>"); a single ">" would overwrite the whole named.conf
cat << EOF >> /etc/named.conf
include "/etc/named.local.zones";
EOF
vi /etc/named.local.zones

Define the zones in /etc/named.local.zones

zone "111.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.111.db";
};

zone "livejq.top" IN {
        type master;
        file "livejq.top.db";
};

Forward resolution

Create and edit /var/named/livejq.top.db

$ORIGIN livejq.top.
$TTL 3600       ; 1 hour
@               IN      SOA     ns.livejq.top. root.livejq.top. (
                                2022070704 ; serial
                                3600       ; refresh (1 hour)
                                300        ; retry (5 minutes)
                                3600       ; expire (1 hour)
                                3600       ; minimum (1 hour)
                                )
                IN      NS      ns.livejq.top.
                IN      MX  10  cloud.livejq.top.
                IN      MX  20  cloud.livejq.fun.
ns              IN      A       192.168.111.11
www             IN      A       192.168.111.11
                IN      A       192.168.111.12
blog            IN      CNAME   www.livejq.top.

Reverse resolution

Create and edit /var/named/192.168.111.db

$ORIGIN 111.168.192.in-addr.arpa.
$TTL 3600       ; 1 hour
@               IN      SOA     ns.livejq.top. root.livejq.top. (
                                2022070701 ; serial
                                3600       ; refresh (1 hour)
                                300        ; retry (5 minutes)
                                3600       ; expire (1 hour)
                                3600       ; minimum (1 hour)
                                )
                IN      NS      ns.livejq.top.
11              IN      PTR     www.livejq.top.

The times above are in seconds by default, but a unit suffix can also be given directly; for example 5M, 5H, 5W and 5D mean 5 minutes, 5 hours, 5 weeks and 5 days respectively.

Master/slave configuration

Plan

Master: 192.168.111.11
Slave: 192.168.111.12

In the configuration so far we have already set up the master DNS; now we only need to add the slave DNS information to it. Add allow-transfer to the zones in /etc/named.local.zones:

zone "111.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.111.db";
        allow-transfer { 192.168.111.12; };
};

zone "livejq.top" IN {
        type master;
        file "livejq.top.db";
        allow-transfer { 192.168.111.12; };
};

The slave DNS needs no forward or reverse zone data files; only its zone definitions need configuring. In the slave's zone definitions, the master's address must likewise be given, and the type changed to slave:

zone "111.168.192.in-addr.arpa" IN {
        type slave;
        masters { 192.168.111.11; };
        file "slaves/192.168.111.db";
        masterfile-format text;
};

zone "livejq.top" IN {
        type slave;
        masters { 192.168.111.11; };
        file "slaves/livejq.top.db";   # file name matches the zone, as for the reverse zone above
        masterfile-format text;
};

Checking syntax and consistency of the configuration

Check the main configuration file

named-checkconf

Check an individual zone file

# named-checkzone <zone name> <path to zone file>
named-checkzone livejq.top /var/named/livejq.top.db

Check file permissions

chgrp named /var/named/*.db && chgrp named /etc/named.local.zones

The default file mode of 640 is fine.

Restart the service

systemctl restart named

Check the service status; output like the following means the master/slave replication has been established.

[root@mail ~]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
   Active: active (running) since 三 2022-07-13 00:50:28 CST; 33s ago
  Process: 30581 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 30578 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 30583 (named)
   CGroup: /system.slice/named.service
           └─30583 /usr/sbin/named -u named -c /etc/named.conf

7月 13 00:50:28 mail.blackberrybrothers.com named[30583]: transfer of '11.48.144.in-addr.arpa/IN' from 41.24.124.45#53: Transfer status: success
7月 13 00:50:28 mail.blackberrybrothers.com named[30583]: transfer of '11.48.144.in-addr.arpa/IN' from 41.24.124.45#53: Transfer completed: 1 messages, 9 records, 326 bytes, 0.001 secs (326000 bytes/sec)
7月 13 00:50:28 mail.blackberrybrothers.com named[30583]: transfer of '209.126.103.in-addr.arpa/IN' from 41.24.124.45#53: connected using 241.25.124.45#48606
7月 13 00:50:28 mail.blackberrybrothers.com named[30583]: transfer of '26.124.45.in-addr.arpa/IN' from 41.24.124.45#53: connected using 241.25.124.45#55073
7月 13 00:50:28 mail.blackberrybrothers.com named[30583]: zone 209.126.103.in-addr.arpa/IN: transferred serial 2022070701
7月 13 00:50:28 mail.blackberrybrothers.com named[30583]: transfer of '209.126.103.in-addr.arpa/IN' from 41.24.124.45#53: Transfer status: success
7月 13 00:50:28 mail.blackberrybrothers.com named[30583]: transfer of '209.126.103.in-addr.arpa/IN' from 41.24.124.45#53: Transfer completed: 1 messages, 5 records, 212 bytes, 0.001 secs (212000 bytes/sec)
7月 13 00:50:28 mail.blackberrybrothers.com named[30583]: zone 26.124.45.in-addr.arpa/IN: transferred serial 2022070701
7月 13 00:50:28 mail.blackberrybrothers.com named[30583]: transfer of '26.124.45.in-addr.arpa/IN' from 41.24.124.45#53: Transfer status: success
7月 13 00:50:28 mail.blackberrybrothers.com named[30583]: transfer of '26.124.45.in-addr.arpa/IN' from 41.24.124.45#53: Transfer completed: 1 messages, 5 records, 212 bytes, 0.001 secs (212000 bytes/sec)

Garbled zone files

Looking at the db files under /var/named/slaves/ on the slave DNS, their contents appear garbled.

bͩГ 
  sundnscom1nsayidccomns2ayidccomxY°,- 
                                      sundnscomnsns2? 
                                                     edbj-hd-axy2sundnscom0
                                                                           -|¢g~ϒ5dsh-hk-axy168sundnscom-|¨5dsh-jp-axy242sundnscom¹׶𲿁dsh-jp-axy244sundnscom¹׶򰿁 

Bind9 can in fact dump zones to other formats with the named-compilezone command; the common ones are the raw binary format and the text format. Zones received through master/slave transfer are stored in raw format by default; to store them as text instead, specify it in the zone definition:

masterfile-format text;

Convert text to raw format:

named-compilezone -f text -F raw -o livejq.top.raw livejq.top livejq.top.db

Convert raw to text format:

named-compilezone -f raw -F text -o livejq.top.db livejq.top livejq.top.raw

Bind deployed on an internal network cannot resolve external domains

root@fqdn:~# nslookup google.com 127.0.0.1
Server:		127.0.0.1
Address:	127.0.0.1#53

Non-authoritative answer:
Name:	google.com
Address: 46.82.174.69
** server can't find google.com: SERVFAIL

Set the following in the named configuration file:

dnssec-validation no;
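As an added example (written for this page, not code from the original post or from BIND), the following POSIX shell script audits a named.conf for three of the settings this section leaves in their weak form: recursion open to any client, master zones that no allow-transfer ACL covers, and the dnssec-validation no workaround just above, which stops the SERVFAIL but also stops named from rejecting forged answers. It runs offline on a constructed sample config modelled on the files above and needs only sed, awk and grep; the sample content, the file paths and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a BIND named.conf for
# three weak settings that the configuration in this section leaves in place.
#   1. recursion yes + allow-recursion { any; }: an open resolver that any host
#      able to reach port 53 can use (and abuse for reflection).
#   2. a master zone covered by no allow-transfer ACL, neither in the zone nor
#      in options: BIND releases before 9.19 then serve AXFR to any client.
#   3. dnssec-validation no: silences the SERVFAIL above but also disables the
#      rejection of forged answers, so it should be a conscious, documented choice.
# Needs only sed, awk and grep; named itself is not required.

# Write a constructed sample config (modelled on the post's files) to the path in $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
options {
    listen-on port 53 { 127.0.0.1; 192.168.111.11; };
    recursion yes;
    allow-recursion { any; };   # open to everyone
    allow-query     { any; };
    dnssec-validation no;
    forwarders { 8.8.8.8; };
    forward first;
};
zone "livejq.top" IN {
    type master;
    file "livejq.top.db";
    allow-transfer { 192.168.111.12; };
};
zone "111.168.192.in-addr.arpa" IN {
    type master;
    file "192.168.111.db";
};
// zone "commented.example" IN { type master; file "x.db"; };
EOF
}

# Drop // and # comments so commented-out lines are not counted.
strip_comments() {
    sed -e 's|//.*$||' -e 's|#.*$||' "$1"
}

# Exit status 0 when recursion is on and allow-recursion permits "any".
is_open_resolver() {
    strip_comments "$1" | grep -Eq 'recursion[[:space:]]+yes[[:space:]]*;' || return 1
    strip_comments "$1" | grep -Eq 'allow-recursion[[:space:]]*[{][[:space:]]*any[[:space:]]*;' || return 1
    return 0
}

# Exit status 0 when DNSSEC validation is explicitly switched off.
dnssec_validation_disabled() {
    strip_comments "$1" | grep -Eq 'dnssec-validation[[:space:]]+no[[:space:]]*;'
}

# Print, one per line, every master zone that no allow-transfer ACL covers.
zones_without_transfer_acl() {
    strip_comments "$1" | awk '
        /^[ \t]*options[ \t]*[{]/ { inopt = 1 }
        inopt {                       # a global allow-transfer in options covers all zones
            if ($0 ~ /allow-transfer/) gacl = 1
            odepth += gsub(/[{]/, "{"); odepth -= gsub(/[}]/, "}")
            if (odepth == 0) inopt = 0
            next
        }
        /^[ \t]*zone[ \t]+"/ {
            match($0, /"[^"]+"/); name = substr($0, RSTART + 1, RLENGTH - 2)
            master = 0; acl = 0; depth = 0
        }
        name != "" {                  # inside a zone block: track braces until it closes
            if ($0 ~ /type[ \t]+(master|primary)/) master = 1
            if ($0 ~ /allow-transfer/) acl = 1
            depth += gsub(/[{]/, "{"); depth -= gsub(/[}]/, "}")
            if (depth == 0) { if (master && !acl) weak[++n] = name; name = "" }
        }
        END { if (!gacl) for (i = 1; i <= n; i++) print weak[i] }
    '
}

# Usage: sh audit_named_conf.sh /etc/named.conf
if [ -n "$1" ]; then
    is_open_resolver "$1" && echo "open resolver: recursion yes with allow-recursion { any; }"
    dnssec_validation_disabled "$1" && echo "dnssec-validation is switched off"
    zones_without_transfer_acl "$1" | sed 's/^/master zone without allow-transfer ACL: /'
fi
```

On the sample config the script reports the open resolver, the disabled validation, and the reverse zone 111.168.192.in-addr.arpa, which, unlike livejq.top, carries no allow-transfer. The fix for the first finding is an acl of your own networks in allow-recursion, and for the second an allow-transfer listing only the slave, exactly as the master/slave section above does for livejq.top.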

Ubuntu

This section mainly lists the points that differ from the CentOS configuration; overall the setup is much the same.

Main configuration file

/etc/bind/named.conf.options

forwarders {
        1.1.1.1;
        8.8.8.8;
};
dnssec-validation no;
allow-query { any; };
listen-on { 127.0.0.1;192.168.199.111; };
listen-on-v6 { any; };

Restart the service

systemctl restart bind9
# or
systemctl restart named

Allow the service through the firewall

ufw allow bind9

Master/slave configuration

Plan

Master: 192.168.199.110
Slave: 192.168.199.111

Master

Zone definition file /etc/bind/named.conf.local

zone "livejq.com" IN {
        type master;
        allow-transfer { 192.168.199.111; };
        also-notify { 192.168.199.111; };
        file "/etc/bind/db.livejq.com";
};

zone "199.168.192.in-addr.arpa" IN {
        type master;
        allow-transfer { 192.168.199.111; };
        also-notify { 192.168.199.111; };
        file "/etc/bind/db.192.168.199";
};

Add the forward zone /etc/bind/db.livejq.com

$TTL 3600
@       IN SOA  ns.livejq.com. root.livejq.com. (
                                        2022072406   ; serial
                                        3600         ; refresh
                                        300          ; retry
                                        3600         ; expire
                                        3600 )       ; minimum
                IN NS   ns.livejq.com.
                IN A    127.0.0.1
ns              IN A    192.168.199.111
openstack       IN A    192.168.199.113
controller      IN A    192.168.199.113
compute         IN A    192.168.199.112

Add the reverse zone /etc/bind/db.192.168.199

$TTL 3600
@       IN SOA  ns.livejq.com. root.livejq.com. (
                                        2022072406  ; serial
                                        3600        ; refresh
                                        300         ; retry
                                        3600        ; expire
                                        3600 )      ; minimum
        IN NS   ns.livejq.com.
111     IN PTR  ns.livejq.com.
113     IN PTR  controller.livejq.com.
112     IN PTR  compute.livejq.com.

Slave

The forward and reverse zone files are synchronised from the master DNS into the /var/cache/bind/ directory; the slave DNS only needs its zone definitions configured.

Zone definition file /etc/bind/named.conf.local

zone "livejq.com" IN {
        type slave;
        file "db.livejq.com";
        masters { 192.168.199.110; };
};

zone "199.168.192.in-addr.arpa" IN {
        type slave;
        file "db.192.168.199";
        masters { 192.168.199.110; };
};

When the master DNS changes its configuration and restarts the service, the changes are synchronised to the slave automatically. Every time the zone data is changed, the serial value must be updated, otherwise the change will not take effect.
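As an added example (written for this page, not the post's or BIND's own code), this POSIX shell function applies that serial rule: it rewrites the SOA serial of a zone file following the YYYYMMDDnn convention the post's own serials use (2022070704 and so on), counting up the two-digit suffix on the same day and starting a new day at 01. The date is passed in explicitly so the result is reproducible; in practice call it with "$(date +%Y%m%d)". The sample zone it writes is constructed, and it assumes the serial is the first integer after the SOA keyword, as in every zone file above.

```shell
#!/bin/sh
# Added example, not part of the original post: bump a zone file's SOA serial
# (YYYYMMDDnn convention) so that a change is actually transferred to the slave.

# Write a constructed zone file, modelled on the post's livejq.top.db, to $1.
write_sample_zone() {
    cat > "$1" <<'EOF'
$ORIGIN livejq.top.
$TTL 3600       ; 1 hour
@               IN      SOA     ns.livejq.top. root.livejq.top. (
                                2022070704 ; serial
                                3600       ; refresh (1 hour)
                                300        ; retry (5 minutes)
                                3600       ; expire (1 hour)
                                3600       ; minimum (1 hour)
                                )
                IN      NS      ns.livejq.top.
ns              IN      A       192.168.111.11
www             IN      A       192.168.111.11
EOF
}

# Usage: bump_serial ZONEFILE YYYYMMDD
# Rewrites the file in place, prints the new serial, and fails (exit 1, file
# untouched) when no serial can be found. The serial is taken to be the first
# integer after the SOA keyword; surrounding whitespace and comments are kept.
bump_serial() {
    zone="$1"; today="$2"; tmp="$zone.tmp.$$"
    awk -v today="$today" -v out="$tmp" '
        BEGIN { start = 1 }
        /[ \t]SOA[ \t]/ {
            seen_soa = 1
            for (k = 1; k <= NF; k++) if ($k == "SOA") start = k + 1
        }
        seen_soa && !done {
            for (i = start; i <= NF; i++) {
                if ($i !~ /^[0-9]+$/) continue
                old = $i
                # same day: count up; any other value: first serial of today
                if (length(old) == 10 && substr(old, 1, 8) == today) new = sprintf("%.0f", old + 1)
                else new = today "01"
                # replace only the serial token, not digits inside names or other fields
                if (match($0, "(^|[^A-Za-z0-9.-])" old "([^A-Za-z0-9.-]|$)")) {
                    prefix = (RSTART == 1 && substr($0, 1, 1) ~ /[0-9]/) ? "" : substr($0, 1, RSTART)
                    $0 = prefix new substr($0, length(prefix) + length(old) + 1)
                }
                print new          # the new serial goes to stdout for the caller
                done = 1
                break
            }
            start = 1
        }
        { print > out }
        END { if (!done) exit 1 }
    ' "$zone" && mv "$tmp" "$zone" || { rm -f "$tmp"; return 1; }
}

# Usage from the command line: sh bump_serial.sh /var/named/livejq.top.db "$(date +%Y%m%d)"
if [ $# -eq 2 ]; then
    bump_serial "$1" "$2"
fi
```

Run it before named-checkzone and the restart; the two-digit suffix allows 99 edits per day, which is the usual limit of this convention. A serial that does not follow the date pattern (for example a plain counter) is replaced by today's first serial, which is always larger for serials below 2022000000 and so still propagates.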

References

  1. DNS and BIND 9
  2. server can't find google.com: SERVFAIL