It has been more than three years since I last used BIND on Linux, but recently work required it, so I started setting up a BIND server again. BIND on CentOS 7 is generally fine, but if you want to add chroot there are a few changes to make, and those changes took me several days to work out. Heh.
Environment: CentOS 7.2, local IP 172.31.21.245
Straight to the commands:
1. Install bind, bind-utils and bind-chroot with yum
```shell
# yum -y install bind bind-utils bind-chroot
```
- bind: the BIND server itself (named)
- bind-utils: BIND's client tools, such as nslookup
- bind-chroot: the package that runs named inside a chroot for added isolation
2. Copy named.conf into /var/named/chroot/etc
```shell
# cp -p /etc/named.conf /var/named/chroot/etc/
```
3. Edit named.conf
```shell
# vi /var/named/chroot/etc/named.conf
```

```
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { any; };      // listening port
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };        // who may query

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

// add the forward zone
zone "zy.com" IN {
        type master;
        file "zy.com.zone";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
```
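The options block above keeps `recursion yes` while opening `listen-on` and `allow-query` to `any`, which is exactly the open-resolver combination the comment inside the file warns about. The following checker is an added example, not part of the original post or of BIND: it pulls the relevant statements out of a named.conf and reports whether recursive service is reachable from anywhere, using BIND 9's fallback order (`allow-recursion`, then `allow-query-cache`, then `allow-query`, then localhost/localnets). The two excerpts it runs on are constructed here: one mirrors the post's settings, the other is a hardened variant that restricts recursion to an assumed `trusted` ACL (the 172.31.21.0/24 subnet is an assumption based on the post's server address).

```python
"""Report open-resolver settings in a BIND named.conf options block.

Added example (not from the original post). Understands only the subset of
named.conf syntax the post uses: comments, an options { } block, and
address-list statements such as allow-query { any; }.
"""
import re

# Constructed excerpt matching the post's named.conf options.
POST_OPTIONS = """
options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    allow-query { any; };      // who may query
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
};
"""

# Constructed hardened variant: anyone may ask for the zone the server is
# authoritative for, but only the assumed local subnet may recurse.
HARDENED_OPTIONS = """
acl trusted { 127.0.0.1; 172.31.21.0/24; };   # assumed local network
options {
    listen-on port 53 { 172.31.21.245; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    allow-query { any; };
    allow-recursion { trusted; };
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
};
"""


def strip_comments(text):
    """Drop /* */, // and # comments so they cannot fool the matcher."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def options_block(text):
    """Return the body of 'options { ... }', honouring nested braces."""
    m = re.search(r"\boptions\s*{", text)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    raise ValueError("unbalanced braces in options block")


def address_list(body, name):
    """Return the { ... } list of a statement like 'allow-query { any; };' or None if absent."""
    pattern = r"(?<![\w-])" + re.escape(name) + r"(?![\w-])[^{;]*{([^}]*)}"
    m = re.search(pattern, body)
    if not m:
        return None
    return [t.strip() for t in m.group(1).split(";") if t.strip()]


def recursion_enabled(body):
    """BIND defaults to recursion yes when the statement is missing."""
    m = re.search(r"\brecursion\s+(yes|no)\s*;", body)
    return m is None or m.group(1) == "yes"


def audit(conf_text):
    """Return a list of findings; an empty list means no open-resolver issue was found."""
    body = options_block(strip_comments(conf_text))
    findings = []
    if not recursion_enabled(body):
        return findings                      # authoritative-only: nothing to recurse
    # Who may recurse, following BIND 9's fallback chain for a missing statement.
    effective = None
    for stmt in ("allow-recursion", "allow-query-cache", "allow-query"):
        effective = address_list(body, stmt)
        if effective is not None:
            break
    if effective is None:
        effective = ["localhost", "localnets"]
    if "any" in effective:
        findings.append("open recursion: recursion yes and recursive queries allowed from { any; }")
        listen = address_list(body, "listen-on") or ["any"]
        if "any" in listen:
            findings.append("listen-on { any; }: open recursion is exposed on every interface")
    return findings


if __name__ == "__main__":
    for label, conf in (("post", POST_OPTIONS), ("hardened", HARDENED_OPTIONS)):
        print(label, audit(conf) or ["ok"])
```

Run it as a script to see the post's configuration flagged twice and the hardened variant pass; the same `audit()` can be pointed at `/var/named/chroot/etc/named.conf` after `named-checkconf` has accepted the syntax.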
4. Copy the sample zone files into the chroot, then copy one of them as the basis for the new zone
```shell
# cp -R /usr/share/doc/bind-9.9.4/sample/var/named/* /var/named/chroot/var/named/
# cd /var/named/chroot/var/named/
# cp -p named.localhost zy.com.zone
```
5. Edit the forward zone file
```shell
# vi zy.com.zone
```

```
$TTL 1D
@       IN SOA  ns1.zy.com. admin.zy.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      ns1.zy.com.
ns1     A       172.31.21.245
@       A       172.31.21.245
www     A       172.31.21.245
```
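A zone file with a typo (most often a missing trailing dot, which silently turns `ns1.zy.com` into `ns1.zy.com.zy.com.`) makes named refuse to load the zone, so it is worth validating before the restart in the next step. The checker below is an added example, not part of the post or of BIND (bind-utils ships `named-checkzone`, which does this properly): it parses the subset of master-file syntax the post uses and checks the things that most often go wrong in a hand-edited zone. The zone text is a constructed copy of the post's zy.com.zone, and the broken variant is constructed from it.

```python
"""Minimal sanity checks for a hand-written BIND master file.

Added example, not from the original post. Supports only what the post's
zone uses: $TTL, '@', owner-less continuation lines, a parenthesised SOA,
and one-line NS/A records.
"""
import re

ORIGIN = "zy.com"

# Constructed copy of the post's zy.com.zone.
ZONE_TEXT = """\
$TTL 1D
@   IN SOA  ns1.zy.com. admin.zy.com. (
            0   ; serial
            1D  ; refresh
            1H  ; retry
            1W  ; expire
            3H ) ; minimum
    NS  ns1.zy.com.
ns1 A   172.31.21.245
@   A   172.31.21.245
www A   172.31.21.245
"""

# Constructed mistake: the NS target has lost its trailing dot.
BROKEN_ZONE_TEXT = ZONE_TEXT.replace("NS  ns1.zy.com.", "NS  ns1.zy.com")


def fqdn(name, origin):
    """Expand a master-file name to an absolute name ending in '.'."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return ($TTL value, [(owner, TYPE, [rdata tokens]), ...])."""
    origin = origin if origin.endswith(".") else origin + "."
    records, owner, ttl, buf, depth = [], None, None, "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop ';' comments
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf = buf + " " + line.strip() if buf else line  # keep leading blank of first line
        if depth > 0:
            continue                                  # still inside ( ... )
        logical, buf = buf.replace("(", " ").replace(")", " "), ""
        if logical.startswith("$"):
            directive, value = logical.split()[:2]
            if directive == "$TTL":
                ttl = value
            continue
        tokens = logical.split()
        if not logical[0].isspace():                  # an explicit owner name
            owner = tokens.pop(0)
        if tokens and re.fullmatch(r"\d+[smhdw]?", tokens[0], re.I):
            tokens.pop(0)                             # optional per-record TTL
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)                             # optional class
        records.append((fqdn(owner, origin), tokens[0].upper(), tokens[1:]))
    return ttl, records


def check_zone(text, origin):
    """Return a list of findings; empty means the zone passed these checks."""
    origin = origin if origin.endswith(".") else origin + "."
    ttl, records = parse_zone(text, origin)
    findings = []
    if ttl is None:
        findings.append("no $TTL directive")
    soa = [r for r in records if r[0] == origin and r[1] == "SOA"]
    if len(soa) != 1:
        findings.append("zone needs exactly one SOA record at the apex")
    elif not soa[0][2][2].isdigit():
        findings.append(f"SOA serial {soa[0][2][2]!r} is not an integer")
    ns = [r for r in records if r[0] == origin and r[1] == "NS"]
    if not ns:
        findings.append("no NS record at the apex")
    a_owners = {r[0] for r in records if r[1] == "A"}
    for _, _, rdata in ns:
        target = fqdn(rdata[0], origin)
        if target.endswith("." + origin) and target not in a_owners:
            findings.append(f"NS {target} is inside the zone but has no A record")
    return findings


if __name__ == "__main__":
    print("post zone:", check_zone(ZONE_TEXT, ORIGIN) or ["ok"])
    print("broken zone:", check_zone(BROKEN_ZONE_TEXT, ORIGIN))
```

The broken variant is reported as `NS ns1.zy.com.zy.com. is inside the zone but has no A record`, which is the same class of error named would log when it refuses the zone.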
6. Start the service and point the system resolver at it
```shell
# service named restart
Redirecting to /bin/systemctl restart named.service
# vi /etc/resolv.conf
```

```
# Generated by NetworkManager
nameserver 172.31.21.245
```
7. Test resolution
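The usual test is `dig @172.31.21.245 www.zy.com` or `nslookup www.zy.com` from bind-utils. The script below is an added example, not part of the original post: it builds the same A query by hand with the standard library, sends it to the new server over UDP, and parses the answer, so you can see what a correct reply looks like (the AA bit set, RCODE 0, one A record for 172.31.21.245) and so the check can be scripted without bind-utils. The sample reply embedded for offline use is constructed here, not captured from the post's server.

```python
"""Query a BIND server for an A record and parse the reply (RFC 1035 wire format).

Added example, not from the original post. Standard library only; the
server address and zone name are the post's, SAMPLE_REPLY is constructed.
"""
import socket
import struct

TXID = 0x1234  # fixed for the sample; a real client should randomise it


def encode_name(name):
    """'www.zy.com' -> b'\\x03www\\x02zy\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=TXID):
    """Header (RD=1, one question) + QNAME + QTYPE=A + QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                          # resume after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def parse_a_answers(msg, expected_id=None):
    """Return (authoritative_flag, [IPv4 addresses]) from a DNS reply."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if expected_id is not None and txid != expected_id:
        raise ValueError("transaction id mismatch")
    if flags & 0xF:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qdcount):                           # skip the question section
        _, off = read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return (flags >> 10) & 1, addrs                    # AA bit, addresses


def resolve_a(name, server, port=53, timeout=3.0):
    """Send the query to `server` and return (authoritative, [addresses])."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, port))
        reply, _ = s.recvfrom(512)
    return parse_a_answers(reply, expected_id=TXID)


# Constructed reply the post's server should give: QR=1 AA=1 RD=1 RA=1, RCODE 0,
# one answer whose name is a pointer (0xc00c) back to the question name.
SAMPLE_REPLY = (
    struct.pack("!HHHHHH", TXID, 0x8580, 1, 1, 0, 0)
    + encode_name("www.zy.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 86400, 4)
    + socket.inet_aton("172.31.21.245")
)

if __name__ == "__main__":
    print("sample reply:", parse_a_answers(SAMPLE_REPLY, expected_id=TXID))
    print("live server:", resolve_a("www.zy.com", "172.31.21.245"))
```

An authoritative flag of 1 with `["172.31.21.245"]` means the zone loaded and the server is answering from it; a reply with AA clear would mean the answer came from recursion rather than from zy.com.zone.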