Oracle RAC DNS服务器安装与配置

DNS服务器安装与配置

一、配置YUM（本地ISO源；下面的 gpgcheck=0 关闭了软件包签名校验，仅适用于来自可信安装介质的本地源）

[root@dns ~]# mkdir /opt/yum
[root@dns ~]# cp -r /run/media/admin/CentOS\ 7\ x86_64/* /opt/yum/

[root@dns ~]# cat > /etc/yum.repos.d/CentOS-Base.repo <<EOF
[base]
name=CentOS-Base
baseurl=file:///opt/yum
gpgcheck=0
enabled=1

EOF

二、关闭防火墙和SELinux（实验环境的简化做法；生产环境应保留防火墙，仅放行 53/tcp 与 53/udp）

[root@dns ~]# systemctl stop firewalld
[root@dns ~]# systemctl disable firewalld.service

[root@dns ~]# setenforce 0
[root@dns ~]# sed -i "s/SELINUX=enforcing/SELINUX=disabled/" /etc/selinux/config
[root@dns ~]# getenforce 

三、安装

[root@dns ~]# yum install -y bind bind-utils bind-chroot  

四、验证Bind Packages

[root@dns ~]# rpm -qa| grep bind
rpcbind-0.2.0-47.el7.x86_64
bind-9.9.4-72.el7.x86_64
bind-libs-lite-9.9.4-72.el7.x86_64
bind-license-9.9.4-72.el7.noarch
bind-chroot-9.9.4-72.el7.x86_64
keybinder3-0.3.0-1.el7.x86_64
bind-libs-9.9.4-72.el7.x86_64
bind-utils-9.9.4-72.el7.x86_64

[root@dns ~]# ll /var/named/chroot/
total 0
drwxr-x---. 2 root named 44 Nov  4 16:38 dev
drwxr-x---. 2 root named  6 Nov  5 11:10 etc
drwxr-x---. 3 root named 19 Nov  4 16:38 run
drwxr-xr-x. 3 root root  19 Nov  4 16:38 usr
drwxr-x---. 2 root named  6 Nov  5 11:10 var

If you have installed the bind chroot package, the BIND service will run in the chroot environment. In that case, the initialization script will mount all of the BIND configuration files into the chroot location using the mount --bind command, so that you can manage the configuration outside this environment. There is no need to copy anything into the /var/named/chroot/ directory because it is mounted automatically.

五、mount bind

[root@centos-8 ~]# /usr/libexec/setup-named-chroot.sh /var/named/chroot on

[root@dns ~]# mount | grep chroot
/dev/mapper/centos-root on /var/named/chroot/etc/localtime type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/centos-root on /var/named/chroot/etc/named type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/centos-root on /var/named/chroot/etc/named.root.key type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/centos-root on /var/named/chroot/etc/named.conf type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/centos-root on /var/named/chroot/etc/named.rfc1912.zones type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/centos-root on /var/named/chroot/etc/named.iscdlv.key type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/centos-root on /var/named/chroot/etc/protocols type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/centos-root on /var/named/chroot/etc/services type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/centos-root on /var/named/chroot/usr/lib64/bind type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
tmpfs on /var/named/chroot/run/named type tmpfs (rw,nosuid,nodev,seclabel,mode=755)
/dev/mapper/centos-root on /var/named/chroot/var/named type xfs (rw,relatime,seclabel,attr2,inode64,noquota)

六、确认当前IP地址

[root@dns ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.220  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::e68b:b423:5e16:f5d3  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:c1:c3:bf  txqueuelen 1000  (Ethernet)
        RX packets 811  bytes 75519 (73.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 816  bytes 967457 (944.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 272  bytes 25180 (24.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 272  bytes 25180 (24.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether 52:54:00:d4:54:87  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

七、配置/etc/named.conf

[root@dns ~]# vi /etc/named.conf

// Top-level BIND (named) configuration for the RAC DNS server. With the
// named-chroot service (section 十二) this file is bind-mounted into
// /var/named/chroot/etc, as the mount listing in section 五 shows.
options {
        // NOTE(review): "any" already includes 127.0.0.1, so named listens on
        // every IPv4 address of the host, i.e. 192.168.1.220 and the virbr0
        // address shown in section 六, not only the loopback.
        listen-on port 53 { 127.0.0.1; any; };
        listen-on-v6 port 53 { ::1; };
        // All relative file names below (zone files, data/named.run) resolve
        // against this directory.
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        // NOTE(review): combined with "recursion yes" below, allow-query-cache
        // { any; } turns this host into a recursive resolver for every network
        // that can reach port 53 -- precisely the situation the stock comment
        // below warns about. Keeping authoritative answers for it.com open while
        // limiting recursion to the cluster subnet used by the zone files, e.g.
        //   allow-recursion { localhost; 192.168.1.0/24; };
        // is the usual mitigation.
        allow-query     { localhost; any; };
        allow-query-cache { localhost; any; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        // Needed here because the RAC nodes use this server for all lookups
        // (their resolv.conf in section 十四 lists only 192.168.1.220).
        recursion yes;

        // Stock CentOS 7 defaults: validate DNSSEC on recursive answers.
        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        // NOTE(review): ISC retired the DLV registry; this stock line is
        // harmless but no longer contributes to validation.
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        // Debug output goes to /var/named/data/named.run (relative to "directory").
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

// Root hints; named.ca is the file listed in /var/named in section 九.
zone "." IN {
        type hint;
        file "named.ca";
};

// The it.com forward and reverse zones added in section 八 are loaded
// through this include.
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

八、增加zone records

在named.rfc1912.zones结尾增加如下记录
[root@dns ~]# vi  /etc/named.rfc1912.zones

// Appended to /etc/named.rfc1912.zones, which /etc/named.conf already includes.
// Forward zone for the cluster names (dns, rac-scan, server01, server02).
zone "it.com" IN {
        type master;
        // Relative to "directory" in named.conf, i.e. /var/named/it.com.zone (section 九).
        file "it.com.zone";
        // No dynamic (nsupdate) changes accepted; the file is edited by hand.
        allow-update { none; };
};

// Reverse zone for 192.168.1.0/24; PTR records live in it.com.rzone (section 十).
zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "it.com.rzone";
        allow-update { none; };
};

九、创建正向解析文件

[root@dns ~]# cd /var/named/
[root@dns named]# ll
total 16
drwxr-x---. 7 root  named   61 Nov  5 11:55 chroot
drwxrwx---. 2 named named    6 Oct 31  2018 data
drwxrwx---. 2 named named    6 Oct 31  2018 dynamic
-rw-r-----. 1 root  named 2281 May 22  2017 named.ca
-rw-r-----. 1 root  named  152 Dec 15  2009 named.empty
-rw-r-----. 1 root  named  152 Jun 21  2007 named.localhost
-rw-r-----. 1 root  named  168 Dec 15  2009 named.loopback
drwxrwx---. 2 named named    6 Oct 31  2018 slaves

[root@dns named]# cp named.loopback it.com.zone

[root@dns named]# chmod 644 it.com.zone
[root@dns named]# chown root:named it.com.zone
[root@dns named]# ll it.com.zone
-rw-r--r--. 1 root named 168 Nov  5 12:18 it.com.zone

[root@dns named]# vi it.com.zone

$TTL 1D                 ; default TTL for every record without an explicit one
; SOA: primary server dns.it.com., contact root@it.com (the first "." in the
; RNAME stands for "@"). "@" is the zone origin, it.com.
@       IN SOA  dns.it.com. root.it.com. (
                                        0       ; serial - bump on every edit if secondaries are ever added
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum (negative-caching TTL)
; blank owner field = same owner as the previous record (@)
                IN   NS         dns.it.com.
dns             IN   A       192.168.1.220
; Oracle SCAN name: three A records, so clients round-robin across the three
; addresses (the nslookup output in section 十五 shows the rotating order).
rac-scan        IN   A       192.168.1.118
rac-scan        IN   A       192.168.1.119
rac-scan        IN   A       192.168.1.120
server01        IN   A       192.168.1.221
server02        IN   A       192.168.1.222
; validate after editing: named-checkzone it.com /var/named/it.com.zone

十、创建反向解析文件

[root@dns named]# cp named.localhost it.com.rzone

[root@dns named]# chmod 644 it.com.rzone
[root@dns named]# chown root:named it.com.rzone
[root@dns named]# ls -l it.com.rzone
-rw-r--r--. 1 root named 152 Nov  5 12:55 it.com.rzone

[root@dns named]# vi it.com.rzone

$TTL 1D                 ; default TTL for every record without an explicit one
; SOA for 1.168.192.in-addr.arpa.; same primary server and contact as the forward zone
@       IN SOA  dns.it.com.    root.it.com. (
                                        0       ; serial - bump on every edit if secondaries are ever added
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum (negative-caching TTL)
; blank owner field = same owner as the previous record (@)
        IN NS   dns.it.com.
; owner names are the last octet, relative to @ (1.168.192.in-addr.arpa)
118     IN PTR  rac-scan.it.com.
119     IN PTR  rac-scan.it.com.
120     IN PTR  rac-scan.it.com.
221     IN PTR  server01.it.com.
222     IN PTR  server02.it.com.
; NOTE(review): there is no PTR for 220 (dns.it.com itself), so a reverse lookup
; of the server's own address answers NXDOMAIN; add "220     IN PTR  dns.it.com."
; if reverse resolution of the DNS host is wanted.
; NOTE(review): the dig -x example in section 十五 queries .117 (no record here)
; and reports an SOA with MNAME "it.com.", which does not match this file --
; presumably captured from a different build of the zone.
; validate after editing: named-checkzone 1.168.192.in-addr.arpa /var/named/it.com.rzone

十一、验证bind chroot配置

[root@dns named]# named-checkconf -t /var/named/chroot /etc/named.conf

十二、开启named-chroot服务

# Switch from the plain "named" unit to "named-chroot". Both read
# /etc/named.conf; the chroot unit relies on the bind mounts shown in section 五.
# Stop/disable the old unit first so the two never compete for port 53.
systemctl stop named
systemctl disable named
systemctl start named-chroot
systemctl enable named-chroot
# Confirm the unit is active before pointing clients at it (sections 十三/十四).
systemctl status named-chroot

十三、配置resolv.conf

[root@dns ~]# vim /etc/resolv.conf
nameserver 192.168.1.220

十四、rac节点配置resolv.conf

[root@rac1 ~]# vi /etc/resolv.conf
# Unqualified names (e.g. "rac-scan") are tried as rac-scan.it.com.
domain  it.com
# NOTE(review): a single nameserver -- the DNS host is a single point of
# failure for SCAN resolution on this node; consider a second entry if one exists.
nameserver 192.168.1.220
# rotate only matters with more than one nameserver; with one entry it is a no-op.
options rotate
# per-nameserver query timeout (seconds) and number of retries
options timeout:2
options attempts:5

[root@rac2 ~]# vi /etc/resolv.conf
domain  it.com
nameserver 192.168.1.220
options rotate
options timeout:2
options attempts:5

十五、验证DNS

[root@rac1 ~]# nslookup rac-scan.it.com
Server:         192.168.1.220
Address:        192.168.1.220#53

Name:   rac-scan.it.com
Address: 192.168.1.118
Name:   rac-scan.it.com
Address: 192.168.1.120
Name:   rac-scan.it.com
Address: 192.168.1.119

[root@rac2 ~]# nslookup rac-scan.it.com
Server:         192.168.1.220
Address:        192.168.1.220#53

Name:   rac-scan.it.com
Address: 192.168.1.119
Name:   rac-scan.it.com
Address: 192.168.1.118
Name:   rac-scan.it.com
Address: 192.168.1.120

[root@rac1 ~]# dig -x 192.168.1.220

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7 <<>> -x 192.168.1.220
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3185
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;117.1.168.192.in-addr.arpa.    IN      PTR

;; AUTHORITY SECTION:
1.168.192.in-addr.arpa. 10800   IN      SOA     it.com. root.it.com. 0 86400 3600 604800 10800

;; Query time: 0 msec
;; SERVER: 192.168.1.220#53(192.168.1.220)
;; WHEN: Fri Nov 05 15:34:24 CST 2021
;; MSG SIZE  rcvd: 102