BIND Service Installation and Configuration
Introduction
BIND is DNS server software. In this article two machines, bind1 (the primary) and bind2 (the secondary), are used to complete the installation.
Primary server setup

```sh
hostnamectl set-hostname <bind1_host>.<domain>
```

```sh
yum -y install bind bind-utils
```

```sh
mv /etc/named.conf /etc/named.conf.bk
vim /etc/named.conf
```

Fill in the following configuration:
```
options {
    listen-on port 53 { any; };
    listen-on-v6 { any; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file "/var/named/data/named.recursing";
    secroots-file "/var/named/data/named.secroots";
    allow-query { any; };
    allow-transfer { localhost; <bind2_ip>; };

    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;

    bindkeys-file "/etc/named.root.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

zone "<domain>" IN {
    type master;
    file "<domain>.lan";
    allow-update { none; };
};

zone "<reverse_ip_area>.in-addr.arpa" IN {
    type master;
    file "<reverse_ip_area>.db";
    allow-update { none; };
};
```

Note: reverse_ip_area is the network part of the IP address written in reverse order with the last octet dropped, e.g. 1.168.192 for 192.168.1.x.

Note: with `allow-query { any; };` and `recursion yes;` this server is an open recursive resolver for everyone who can reach port 53, which makes it usable for DNS amplification and exposes its cache to poisoning attempts. If it has to recurse for internal clients, restrict that with `allow-recursion { localhost; <internal_network>; };` (and the same list in `allow-query-cache`); if it only serves the two zones above, set `recursion no;`. `dnssec-enable` is deprecated in BIND 9.16 and later and can be dropped there; `dnssec-validation` on its own is enough.
```sh
vim /var/named/<domain>.lan
```

```
$TTL 86400
@               IN  SOA dlp.<domain>. root.<domain>. (
                    2019100301  ;Serial
                    3600        ;Refresh
                    1800        ;Retry
                    604800      ;Expire
                    86400 )     ;Minimum TTL
                IN  NS  dlp.<domain>.
                IN  NS  <bind2_host>.<domain>.
                IN  A   <bind1_ip>
                IN  MX  10 dlp.<domain>.
dlp             IN  A   <bind1_ip>
<bind1_host>    IN  A   <bind1_ip>
<bind2_host>    IN  A   <bind2_ip>
```

Note: the second field of the SOA is the administrator's mailbox in DNS form (root.<domain>. means root@<domain>), not a host name. The secondary is listed as an NS record as well; without that, resolvers never use bind2 even though it holds a copy of the zone. Every time you edit the file, increase the serial, otherwise the secondary will not pick up the change.
```sh
vim /var/named/<reverse_ip_area>.db
```

```
$TTL 86400
@               IN  SOA dlp.<domain>. root.<domain>. (
                    2019100301  ;Serial
                    3600        ;Refresh
                    1800        ;Retry
                    604800      ;Expire
                    86400 )     ;Minimum TTL
                IN  NS  dlp.<domain>.
                IN  NS  <bind2_host>.<domain>.
<bind1_ip>      IN  PTR dlp.<domain>.
<bind1_ip>      IN  PTR <bind1_host>.<domain>.
<bind2_ip>      IN  PTR <bind2_host>.<domain>.
```

Note: here only the last octet of each IP is written (10 for 192.168.1.10). Two PTR records for one address are legal, but most reverse-lookup code only uses the first answer it gets, so keep a single canonical name per address if reverse lookups matter to you.
```sh
systemctl enable --now named
firewall-cmd --add-service=dns --permanent
firewall-cmd --reload
```
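As an added example (not code from the original article), the following script builds both zone files above from one host list, bumps the SOA serial in the YYYYMMDDNN form used here, and validates the result with named-checkzone when it is installed. The zone example.lan, the 192.168.1.0/24 network, bind1 = 192.168.1.10, bind2 = 192.168.1.11 and the dlp alias are assumed placeholders. It writes the admin mailbox into the SOA and lists the secondary as an NS, the two details most hand-written zone files get wrong.

```sh
#!/bin/sh
# Added example, not code from the original article: build the forward and
# reverse zone files for the primary from one host list, bumping the SOA serial
# in the YYYYMMDDNN form used above and validating with named-checkzone.
# Assumed placeholders (not real infrastructure): zone example.lan on
# 192.168.1.0/24, bind1 = 192.168.1.10, bind2 = 192.168.1.11, alias dlp.

DOMAIN="example.lan"
NET="192.168.1"                    # first three octets of the /24

# Constructed host list, "name ip" per line; dlp is an alias for bind1.
HOSTS="dlp 192.168.1.10
bind1 192.168.1.10
bind2 192.168.1.11"

# reverse_area 192.168.1 -> 1.168.192 : the article's <reverse_ip_area>
reverse_area() {
    printf '%s\n' "$1" | awk -F. '{ print $3 "." $2 "." $1 }'
}

# last_octet 192.168.1.10 -> 10 : reverse-zone owner names use only this part
last_octet() {
    printf '%s\n' "${1##*.}"
}

# next_serial OLD TODAY(YYYYMMDD) -> new serial. Secondaries only transfer when
# the serial is strictly larger, so: new day -> TODAY00, same day -> OLD+1.
next_serial() {
    old=$1
    today=$2
    old_day=$(printf '%s' "$old" | cut -c1-8)
    if [ "$old_day" -lt "$today" ]; then
        printf '%s00\n' "$today"
    else
        printf '%d\n' $((old + 1))
    fi
}

# soa_header SERIAL: SOA and NS records shared by both zones. The second SOA
# field is the admin mailbox (root.example.lan. = root@example.lan), and both
# servers are listed as NS so resolvers actually use the secondary.
soa_header() {
    cat <<EOF
\$TTL 86400
@       IN  SOA dlp.$DOMAIN. root.$DOMAIN. (
            $1      ;Serial
            3600    ;Refresh
            1800    ;Retry
            604800  ;Expire
            86400 ) ;Minimum TTL
        IN  NS  dlp.$DOMAIN.
        IN  NS  bind2.$DOMAIN.
EOF
}

# forward_zone SERIAL -> contents of <domain>.lan
forward_zone() {
    soa_header "$1"
    printf '%s\n' "$HOSTS" | while read -r name ip; do
        printf '%-8s IN  A   %s\n' "$name" "$ip"
    done
}

# reverse_zone_file SERIAL -> contents of <reverse_ip_area>.db
reverse_zone_file() {
    soa_header "$1"
    printf '%s\n' "$HOSTS" | while read -r name ip; do
        printf '%-8s IN  PTR %s.%s.\n' "$(last_octet "$ip")" "$name" "$DOMAIN"
    done
}

# write_zones DIR [OLD_SERIAL]: write both files and check them before reload.
write_zones() {
    dir=$1
    serial=$(next_serial "${2:-2019100301}" "$(date +%Y%m%d)")
    rev=$(reverse_area "$NET")
    forward_zone "$serial"      > "$dir/$DOMAIN.lan"
    reverse_zone_file "$serial" > "$dir/$rev.db"
    # named-checkzone comes with the bind package; skip if it is not installed.
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$DOMAIN" "$dir/$DOMAIN.lan" &&
        named-checkzone "$rev.in-addr.arpa" "$dir/$rev.db"
    fi
}

# Usage: sh gen-zones.sh /var/named [current_serial]; then reload named.
if [ $# -ge 1 ]; then
    write_zones "$@"
fi
```

After writing the files into /var/named, reload with `rndc reload` (or `systemctl reload named`). A serial that did not increase is by far the most common reason a secondary keeps serving stale data, which is why the script derives the new serial from the old one instead of trusting whoever edited the file last.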
Secondary server setup
The secondary is set up the same way as the primary, but only /etc/named.conf needs to be written; the zone files are transferred from the primary.

```sh
hostnamectl set-hostname <bind2_host>.<domain>
```

```sh
yum -y install bind bind-utils
```

```sh
mv /etc/named.conf /etc/named.conf.bk
vim /etc/named.conf
```
```
options {
    listen-on port 53 { any; };
    listen-on-v6 { any; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file "/var/named/data/named.recursing";
    secroots-file "/var/named/data/named.secroots";
    allow-query { any; };
    allow-transfer { localhost; <bind2_ip>; };
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    bindkeys-file "/etc/named.root.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

zone "<domain>" IN {
    type slave;
    masters { <bind1_ip>; };
    masterfile-format text;
    file "slaves/<domain>.lan";
    notify no;
};

zone "<reverse_ip_area>.in-addr.arpa" IN {
    type slave;
    masters { <bind1_ip>; };
    masterfile-format text;
    file "slaves/<reverse_ip_area>.db";
    notify no;
};
```

Note: the `allow-transfer` line is copied from the primary; the secondary has no further server to feed, so `allow-transfer { none; };` (or just `localhost;`) is the tighter choice here. `masterfile-format text;` keeps the transferred copy human-readable under /var/named/slaves/ (the default is the binary raw format). The same open-resolver caveat as on the primary applies to `recursion yes;` with `allow-query { any; };`.

```sh
systemctl enable --now named
firewall-cmd --add-service=dns --permanent
firewall-cmd --reload
```

If the zone files show up under /var/named/slaves/ after named starts, the transfer worked and the secondary is resolving normally.
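The "files appear" check only shows that the first transfer worked. As an added example (not part of the original article), this script checks the two things that matter afterwards: that both servers serve the same SOA serial, and that an AXFR is refused from any host not listed in `allow-transfer`, which is what stops outsiders from dumping the whole zone. The addresses bind1 = 192.168.1.10, bind2 = 192.168.1.11 and the zone example.lan are assumed placeholders; dig comes from bind-utils.

```sh
#!/bin/sh
# Added example, not code from the original article: check that the secondary
# really carries the zone and that zone transfers are restricted the way
# allow-transfer intends. Assumed placeholders: bind1 = 192.168.1.10,
# bind2 = 192.168.1.11, zone example.lan; dig is from bind-utils.

PRIMARY=192.168.1.10
SECONDARY=192.168.1.11
ZONE=example.lan

# serial_of "SOA rdata" -> serial, the third field of `dig +short ... SOA`
serial_of() {
    printf '%s\n' "$1" | awk '{ print $3 }'
}

# soa_serial SERVER -> the serial this server itself holds (+norecurse so we
# never get a cached answer fetched from somewhere else).
soa_serial() {
    serial_of "$(dig +short +norecurse @"$1" "$ZONE" SOA)"
}

# in_sync: true when both servers answer with the same serial, i.e. the last
# transfer landed on the secondary. Bump the serial on the primary and re-run
# to confirm the refresh works end to end.
in_sync() {
    p=$(soa_serial "$PRIMARY")
    s=$(soa_serial "$SECONDARY")
    [ -n "$p" ] && [ "$p" = "$s" ]
}

# classify_axfr "dig AXFR output" -> open | refused. A completed transfer prints
# the zone's records (starting and ending with the SOA); a refused one prints
# only ';' comment lines such as "; Transfer failed.".
classify_axfr() {
    if printf '%s\n' "$1" | grep -v '^;' | grep -q '[[:space:]]SOA[[:space:]]'; then
        echo open
    else
        echo refused
    fi
}

# axfr_status SERVER -> open | refused, as seen from the host running this.
# From bind2 (listed in allow-transfer) it must be "open"; from any other
# machine it must be "refused", otherwise anyone can enumerate the whole zone.
axfr_status() {
    classify_axfr "$(dig @"$1" "$ZONE" AXFR +time=3 +tries=1 2>/dev/null)"
}

check_secondary() {
    # named.conf puts the slave copy under directory + file: /var/named/slaves/
    if [ -f "/var/named/slaves/$ZONE.lan" ]; then
        echo "slave zone file present"
    else
        echo "no slave zone file yet (see 'journalctl -u named' for transfer errors)"
    fi
    if in_sync; then
        echo "serials match: $(soa_serial "$PRIMARY")"
    else
        echo "serials differ: primary=$(soa_serial "$PRIMARY") secondary=$(soa_serial "$SECONDARY")"
    fi
    echo "AXFR of $ZONE from $PRIMARY as seen from this host: $(axfr_status "$PRIMARY")"
}

# Usage: sh check-secondary.sh run   (on bind2, then again on an unrelated host)
if [ $# -ge 1 ]; then
    check_secondary
fi
```

Run it on bind2, where the AXFR must report open because bind2 is in `allow-transfer`, and then from an unrelated machine, where it must report refused; if it reports open there, `allow-transfer` is not doing its job.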
Using the configured BIND server

```sh
nmcli connection modify <name> ipv4.dns <dns_server_ip>
nmcli connection down <name>; nmcli connection up <name>
```

Give both servers, space-separated, as `ipv4.dns "<bind1_ip> <bind2_ip>"` so clients fall back to the secondary; on connections that get their address from DHCP also set `ipv4.ignore-auto-dns yes`, otherwise the lease's DNS servers are added alongside.
Dynamic updates
BIND implements RFC 2136 dynamic updates; enabling the options below in /etc/named.conf is all that is needed.
First, generate a TSIG key on the DNS server with the following command:

```sh
tsig-keygen -a hmac-sha256 externaldns-key
```

You should get output like the following. Put it in /etc/named.conf and also save a copy as the key file key.txt for the client that will send the updates. The secret signs every update, so the key file must be readable only by root (mode 0600); the key name must match the one referenced in `update-policy` below.

```
key "externaldns-key" {
    algorithm hmac-sha256;
    secret "<secret>";
};
```

Then configure the zone that should accept updates as follows:

```
zone "xxxx" {
    type master;
    file "xxxx";
    allow-transfer { key "externaldns-key"; };
    update-policy {
        grant externaldns-key zonesub ANY;
    };
};
```

Note: `zonesub ANY` lets the key holder change every name and record type in the zone, including the NS and SOA records. If the client only needs to manage A records under one subtree, narrow the grant, e.g. `grant externaldns-key subdomain <sub>.<domain>. A;`. `allow-update` and `update-policy` are mutually exclusive in a zone, so drop the `allow-update { none; };` line from the zone you make updatable. named also needs write access to the zone file and its journal, which is where the SELinux problem below comes in.
Test it with nsupdate, signing with the key file saved above:

```sh
nsupdate -k key.txt
```

Then type the following at the nsupdate prompt:

```
> server <server_ip>
> zone <domain>
> update add <host> 86400 A <ip>
> send
> quit
```

Note: if nsupdate prints no error, the update was accepted.
Then verify with a query against the server:

```sh
dig @<server_ip> <host> A +short
```

Note: if the configured IP is returned, the dynamic update succeeded.
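The interactive nsupdate session above is fine for a one-off test; automation needs the same thing from a script. As an added example (not code from the original article), this wrapper feeds nsupdate the same commands on stdin, refuses to use a key file that other users can read, and verifies the answer on the server itself. The server 192.168.1.10, the zone example.lan and the key path /etc/named/key.txt are assumed placeholders; it needs GNU or BSD stat, nsupdate and dig.

```sh
#!/bin/sh
# Added example, not code from the original article: send the RFC 2136 update
# above with nsupdate non-interactively, refusing to use a TSIG key file that
# other users can read, and verify the result with dig. Assumed placeholders:
# server 192.168.1.10, zone example.lan, key file /etc/named/key.txt holding
# the tsig-keygen output; requires GNU or BSD stat, nsupdate and dig.

SERVER=192.168.1.10
ZONE=example.lan
KEYFILE=${KEYFILE:-/etc/named/key.txt}

# key_is_private FILE: true when the file exists and has no group/other
# permission bits. The secret in it signs every update, so a world-readable
# key file lets any local user rewrite the zone.
key_is_private() {
    [ -f "$1" ] || return 1
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null) || return 1
    case "$mode" in
        ?00|??00) return 0 ;;   # e.g. 600, 400, 4600: owner only
        *)        return 1 ;;
    esac
}

# update_script NAME TTL IP -> the commands the article types at the nsupdate
# prompt, as a script on stdin. Deleting the old A records first makes the
# update replace the address instead of adding a second one; both statements
# are sent in one transaction, which the server applies atomically.
update_script() {
    cat <<EOF
server $SERVER
zone $ZONE
update delete $1.$ZONE A
update add $1.$ZONE $2 A $3
send
EOF
}

# push_update NAME IP [TTL]: sign with the key and send. nsupdate is silent on
# success and prints e.g. "update failed: REFUSED" when the policy denies it.
push_update() {
    if ! key_is_private "$KEYFILE"; then
        echo "refusing to use $KEYFILE: missing or readable by other users" >&2
        return 1
    fi
    update_script "$1" "${3:-86400}" "$2" | nsupdate -k "$KEYFILE"
}

# verify NAME IP: ask the primary itself (+norecurse) for the new record.
verify() {
    [ "$(dig +short +norecurse @"$SERVER" "$1.$ZONE" A)" = "$2" ]
}

# Usage: sh dyn-update.sh <host> <ip>   e.g. sh dyn-update.sh web 192.168.1.50
if [ $# -eq 2 ]; then
    push_update "$1" "$2" && verify "$1" "$2" && echo "dynamic update of $1.$ZONE OK"
fi
```

The delete-then-add pair is the usual way to "set" an address over RFC 2136: a bare `update add` on a name that already has an A record leaves you with two addresses, and a `REFUSED` answer from nsupdate means the key is not covered by the zone's `update-policy`, not that the key is wrong (a bad key shows up as `BADKEY`/`NOTAUTH`).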
Common problems
Permission Denied
This is almost always SELinux blocking named. For a quick test you can switch SELinux to permissive mode with `setenforce 0`.
Note: that command only lasts until the next reboot; to disable SELinux permanently you also have to edit /etc/selinux/config and set SELINUX=disabled.
A better fix than disabling SELinux is to keep it enforcing and repair the labels instead: `restorecon -Rv /var/named` relabels zone files you copied in by hand, and `setsebool -P named_write_master_zones 1` lets named write zone files and journals, which it needs for the dynamic updates above. `ausearch -m avc -c named` shows the exact denial so you can tell which of the two it is.
Some names cannot be resolved
This usually means BIND runs into network problems while recursing on its own (the root servers or the DNSSEC lookups are unreachable from your network). Forwarding to a reachable resolver fixes it:

```
options {
    ....
    dnssec-enable no;
    dnssec-validation no;
    forward only;
    forwarders { 114.114.114.114; };
    ....
};
```

Note: 114.114.114.114 (China Telecom's public DNS) is only an example; pick a forwarder that suits your network. Turning `dnssec-validation` off means BIND no longer checks signatures and will accept forged or tampered answers from the forwarder or anyone on the path, so try `forward only` with `dnssec-validation yes` (or `auto`) first and only disable validation if the forwarder itself cannot return DNSSEC data.
References
Official documentation
RFC 2136