DNS服务器安装与配置
一、配置YUM
[root@dns ~]# mkdir /opt/yum
[root@dns ~]# cp -r /run/media/admin/CentOS\ 7\ x86_64/* /opt/yum/
[root@dns ~]# cat > /etc/yum.repos.d/CentOS-Base.repo <<EOF
[base]
name=CentOS-Base
baseurl=file:///opt/yum
# Keep RPM signature verification on. The install media ships its signing key at
# the media root, so the copy above placed it in /opt/yum next to the packages.
gpgcheck=1
gpgkey=file:///opt/yum/RPM-GPG-KEY-CentOS-7
enabled=1
EOF
二、关闭防火墙和SeLinux
Note: neither step is required to run BIND. firewalld only needs the DNS service opened, and CentOS 7 ships an SELinux policy for named that is intended to cover the bind-chroot layout (the bind-mounted configuration files keep their labels), so leave SELinux enforcing and run:
[root@dns ~]# firewall-cmd --permanent --add-service=dns
[root@dns ~]# firewall-cmd --reload
Only on an isolated lab host should you fall back to the original steps below, which remove both the host firewall and mandatory access control:
[root@dns ~]# systemctl stop firewalld
[root@dns ~]# systemctl disable firewalld.service
[root@dns ~]# setenforce 0
[root@dns ~]# sed -i "s/SELINUX=enforcing/SELINUX=disabled/" /etc/selinux/config
[root@dns ~]# getenforce
(getenforce reports Permissive at this point; SELINUX=disabled in /etc/selinux/config only takes effect after a reboot.)
三、安装
[root@dns ~]# yum install -y bind bind-utils bind-chroot
四、验证Bind Packages
[root@dns ~]# rpm -qa| grep bind
rpcbind-0.2.0-47.el7.x86_64
bind-9.9.4-72.el7.x86_64
bind-libs-lite-9.9.4-72.el7.x86_64
bind-license-9.9.4-72.el7.noarch
bind-chroot-9.9.4-72.el7.x86_64
keybinder3-0.3.0-1.el7.x86_64
bind-libs-9.9.4-72.el7.x86_64
bind-utils-9.9.4-72.el7.x86_64
[root@dns ~]# ll /var/named/chroot/
total 0
drwxr-x---. 2 root named 44 Nov 4 16:38 dev
drwxr-x---. 2 root named 6 Nov 5 11:10 etc
drwxr-x---. 3 root named 19 Nov 4 16:38 run
drwxr-xr-x. 3 root root 19 Nov 4 16:38 usr
drwxr-x---. 2 root named 6 Nov 5 11:10 var
If you have installed the bind-chroot package, the BIND service (named-chroot.service) runs inside the chroot. Its startup helper, /usr/libexec/setup-named-chroot.sh, bind-mounts (mount --bind) the BIND configuration files and directories into the chroot location, so you keep managing the configuration at /etc/named.conf and /var/named outside the chroot. There is no need to copy anything into /var/named/chroot/ because it is mounted automatically when the service starts (and the helper removes the mounts again when the service stops).
五、mount bind
named-chroot.service runs this helper itself (with "on" at start and "off" at stop), so calling it by hand is only needed if you want to inspect the chroot layout before the first start:
[root@dns ~]# /usr/libexec/setup-named-chroot.sh /var/named/chroot on
[root@dns ~]# mount | grep chroot
/dev/mapper/centos-root on /var/named/chroot/etc/localtime type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/centos-root on /var/named/chroot/etc/named type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/centos-root on /var/named/chroot/etc/named.root.key type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/centos-root on /var/named/chroot/etc/named.conf type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/centos-root on /var/named/chroot/etc/named.rfc1912.zones type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/centos-root on /var/named/chroot/etc/named.iscdlv.key type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/centos-root on /var/named/chroot/etc/protocols type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/centos-root on /var/named/chroot/etc/services type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/centos-root on /var/named/chroot/usr/lib64/bind type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
tmpfs on /var/named/chroot/run/named type tmpfs (rw,nosuid,nodev,seclabel,mode=755)
/dev/mapper/centos-root on /var/named/chroot/var/named type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
六、确认当前IP地址
[root@dns ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.220 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::e68b:b423:5e16:f5d3 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:c1:c3:bf txqueuelen 1000 (Ethernet)
RX packets 811 bytes 75519 (73.7 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 816 bytes 967457 (944.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 272 bytes 25180 (24.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 272 bytes 25180 (24.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
virbr0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 192.168.122.1 netmask 255.255.255.0 broadcast 192.168.122.255
ether 52:54:00:d4:54:87 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
七、配置/etc/named.conf
[root@dns ~]# vi /etc/named.conf
// Clients allowed to use this resolver: loopback plus the LAN the RAC nodes live on.
// Everything else is refused, so the server cannot be abused as an open resolver.
acl "trusted" { 127.0.0.1; ::1; 192.168.1.0/24; };
options {
// "any" bound every interface, including libvirt's virbr0 (192.168.122.1); bind only where clients are.
listen-on port 53 { 127.0.0.1; 192.168.1.220; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
// "any" on all of these, combined with "recursion yes" below, made this an open recursive
// resolver (amplification target) and let any address snoop the cache. Limit them to the acl.
allow-query { trusted; };
allow-query-cache { trusted; };
allow-recursion { trusted; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
八、增加zone records
在named.rfc1912.zones结尾增加如下记录
[root@dns ~]# vi /etc/named.rfc1912.zones
// NOTE: it.com is a registered public domain. Serving it as a master zone on the same host
// that does recursion means clients of this resolver can never reach the real it.com; for an
// internal zone prefer a subdomain you control or a reserved name such as home.arpa.
zone "it.com" IN {
type master;
file "it.com.zone";
allow-update { none; };
// No secondaries are configured; BIND 9.9's default allows zone transfers (AXFR) from any
// address, which hands the whole host list to anyone who can reach port 53.
allow-transfer { none; };
};
zone "1.168.192.in-addr.arpa" IN {
type master;
file "it.com.rzone";
allow-update { none; };
allow-transfer { none; };
};
九、创建正向解析文件
[root@dns ~]# cd /var/named/
[root@dns named]# ll
total 16
drwxr-x---. 7 root named 61 Nov 5 11:55 chroot
drwxrwx---. 2 named named 6 Oct 31 2018 data
drwxrwx---. 2 named named 6 Oct 31 2018 dynamic
-rw-r-----. 1 root named 2281 May 22 2017 named.ca
-rw-r-----. 1 root named 152 Dec 15 2009 named.empty
-rw-r-----. 1 root named 152 Jun 21 2007 named.localhost
-rw-r-----. 1 root named 168 Dec 15 2009 named.loopback
drwxrwx---. 2 named named 6 Oct 31 2018 slaves
[root@dns named]# cp named.loopback it.com.zone
[root@dns named]# chmod 644 it.com.zone
[root@dns named]# chown root:named it.com.zone
[root@dns named]# ll it.com.zone
-rw-r--r--. 1 root named 168 Nov 5 12:18 it.com.zone
[root@dns named]# vi it.com.zone
$TTL 1D
@ IN SOA dns.it.com. root.it.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
IN NS dns.it.com.
dns IN A 192.168.1.220
rac-scan IN A 192.168.1.118
rac-scan IN A 192.168.1.119
rac-scan IN A 192.168.1.120
server01 IN A 192.168.1.221
server02 IN A 192.168.1.222
十、创建反向解析文件
[root@dns named]# cp named.localhost it.com.rzone
[root@dns named]# chmod 644 it.com.rzone
[root@dns named]# chown root:named it.com.rzone
[root@dns named]# ls -l it.com.rzone
-rw-r--r--. 1 root named 152 Nov 5 12:55 it.com.rzone
[root@dns named]# vi it.com.rzone
$TTL 1D
@ IN SOA dns.it.com. root.it.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
IN NS dns.it.com.
118 IN PTR rac-scan.it.com.
119 IN PTR rac-scan.it.com.
120 IN PTR rac-scan.it.com.
221 IN PTR server01.it.com.
222 IN PTR server02.it.com.
十一、验证bind chroot配置
[root@dns named]# named-checkconf -t /var/named/chroot /etc/named.conf
Also validate the zone data itself: without -z, named-checkconf only parses named.conf, and a zone that fails to load would otherwise only show up in the journal after the service starts.
[root@dns named]# named-checkzone it.com /var/named/it.com.zone
[root@dns named]# named-checkzone 1.168.192.in-addr.arpa /var/named/it.com.rzone
十二、开启named-chroot服务
systemctl stop named
systemctl disable named
systemctl start named-chroot
systemctl enable named-chroot
systemctl status named-chroot
十三、配置resolv.conf
[root@dns ~]# vim /etc/resolv.conf
nameserver 192.168.1.220
If NetworkManager manages ens33 (the CentOS 7 default), a hand-edited resolv.conf is rewritten on the next connection change; persist the setting instead with `nmcli con mod ens33 ipv4.dns 192.168.1.220 && nmcli con up ens33` (use the connection name shown by `nmcli con show`). The same applies to the RAC nodes below. Note also that a single nameserver line makes this host a single point of failure for SCAN resolution, and `options rotate` on the nodes does nothing until a second nameserver is listed.
十四、rac节点配置resolv.conf
[root@rac1 ~]# vi /etc/resolv.conf
domain it.com
nameserver 192.168.1.220
options rotate
options timeout:2
options attempts:5
[root@rac2 ~]# vi /etc/resolv.conf
domain it.com
nameserver 192.168.1.220
options rotate
options timeout:2
options attempts:5
十五、验证DNS
[root@rac1 ~]# nslookup rac-scan.it.com
Server: 192.168.1.220
Address: 192.168.1.220#53
Name: rac-scan.it.com
Address: 192.168.1.118
Name: rac-scan.it.com
Address: 192.168.1.120
Name: rac-scan.it.com
Address: 192.168.1.119
[root@rac2 ~]# nslookup rac-scan.it.com
Server: 192.168.1.220
Address: 192.168.1.220#53
Name: rac-scan.it.com
Address: 192.168.1.119
Name: rac-scan.it.com
Address: 192.168.1.118
Name: rac-scan.it.com
Address: 192.168.1.120
[root@ra1 ~]# dig -x 192.168.1.220
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7 <<>> -x 192.168.1.220
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3185
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;117.1.168.192.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
1.168.192.in-addr.arpa. 10800 IN SOA it.com. root.it.com. 0 86400 3600 604800 10800
;; Query time: 0 msec
;; SERVER: 192.168.1.220#53(192.168.1.220)
;; WHEN: Fri Nov 05 15:34:24 CST 2021
;; MSG SIZE rcvd: 102
The NXDOMAIN is expected: the reverse zone from step 10 has no PTR for the queried address (the QUESTION section shows 117.1.168.192.in-addr.arpa, and .220 is not in the zone either). To make the server's own address resolve in reverse, add `220 IN PTR dns.it.com.` to it.com.rzone, bump the serial and reload. This capture also appears to come from a different run than the configuration shown above (host prompt `ra1`, SOA MNAME `it.com.` instead of `dns.it.com.`), so treat it as illustrative only.