一、编译安装bind
1、编译安装
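# useradd -r -u 53 -s /sbin/nologin named          # system account named will run as; no login shell, fixed UID 53
# gpg --verify bind-9.9.5.tar.gz.asc bind-9.9.5.tar.gz   # verify ISC's signature on the tarball before building from it
# tar xf bind-9.9.5.tar.gz
# cd bind-9.9.5
# ./configure --prefix=/usr/local/bind9 --sysconfdir=/etc/named --disable-ipv6 --disable-chroot --enable-threads --with-openssl
#   --with-openssl: the configure summary later on this page lists "OpenSSL cryptography/DNSSEC" as disabled, so the
#   build has no DNSSEC validation. Requesting it explicitly makes configure fail loudly instead of silently dropping the
#   feature; install the OpenSSL development headers (openssl-devel) first.
#   --disable-chroot removes a defense-in-depth option; it is kept here only because the rest of the page assumes it.
#   9.9.x is an old branch; outside a lab, build a currently supported BIND release instead.
# make && make install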
后续操作:
(1)修改PATH环境变量
vim /etc/profile.d/bind.sh
(2)导出帮助手册
vim /etc/man.config
(3)库文件和头文件的导出(本次编译在 /usr/local/bind9/lib 下只生成静态库 .a,没有共享库,因此无需向 ld.so.conf 导出库路径;头文件只有二次开发时才需要,可按需加入 include 搜索路径)
[[email protected] ~]# useradd -r -u 53 -s /sbin/nologin named [[email protected] ~]# id named uid=53(named) gid=53(named) groups=53(named) [[email protected] ~]# tar xf bind-9.9.5.tar.gz [[email protected] ~]# ls anaconda-ks.cfg bind-9.9.5.tar.gz Documents install.log Music Public test vmware-tools-distrib bind-9.9.5 Desktop Downloads install.log.syslog Pictures Templates Videos [[email protected] ~]# cd bind-9.9.5 [[email protected] bind-9.9.5]# ls acconfig.h bind.keys config.h.win32 configure.in docutil install-sh isc-config.sh.in make srcid win32utils aclocal.m4 CHANGES config.sub contrib FAQ isc-config.sh.1 lib Makefile.in unit Atffile config.guess config.threads.in COPYRIGHT FAQ.xml isc-config.sh.docbook libtool.m4 mkinstalldirs util bin config.h.in configure doc HISTORY isc-config.sh.html ltmain.sh README version [[email protected] bind-9.9.5]# ./configure --help #查看可配置哪些功能 ... Installation directories: --prefix=PREFIX install architecture-independent files in PREFIX [/usr/local] --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX [PREFIX] ... Optional Features: --disable-option-checking ignore unrecognized --enable/--with options --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) --enable-FEATURE[=ARG] include FEATURE [ARG=yes] ... [[email protected] bind-9.9.5]# ./configure --prefix=/usr/local/bind9 --sysconfdir=/etc/named --disable-ipv6 --disable-chroot --enable-threads ... 
Configuration summary: ------------------------------------------------------------------------ Optional features enabled: Multiprocessing support (--enable-threads) Print backtrace on crash (--enable-backtrace) Use symbol table for backtrace, named only (--enable-symtable) Dynamically loadable zone (DLZ) drivers: None Features disabled or unavailable on this platform: IPv6 support (--enable-ipv6) Response Rate Limiting (--enable-rrl) GSS-API (--with-gssapi) PKCS#11/Cryptoki support (--with-pkcs11) New statistics (--enable-newstats) Allow ‘fixed‘ rrset-order (--enable-fixed-rrset) Automated Testing Framework (--with-atf) OpenSSL cryptography/DNSSEC (--with-openssl) Python tools (--with-python) XML statistics (--with-libxml2) [[email protected] bind-9.9.5]# make && make install ... [[email protected] bind-9.9.5]# cd /usr/local/bind9 [[email protected] bind9]# ls bin include lib sbin share var [[email protected] bind9]# ls bin bind9-config dig host isc-config.sh nslookup nsupdate [[email protected] bind9]# ls sbin arpaname dnssec-dsfromkey dnssec-keyfromlabel dnssec-revoke dnssec-signzone genrandom lwresd named-checkconf named-compilezone nsec3hash rndc-confgen ddns-confgen dnssec-importkey dnssec-keygen dnssec-settime dnssec-verify isc-hmac-fixup named named-checkzone named-journalprint rndc [[email protected] bind9]# ls share man [[email protected] bind9]# ls lib #这里都是静态库,无共享库,不用导出 libbind9.a libdns.a libisc.a libisccc.a libisccfg.a liblwres.a [[email protected] bind9]# vim /etc/profile.d/bind.sh #修改PATH环境变量 export PATH=/usr/local/bind9/bin:/usr/local/bind9/sbin:$PATH [[email protected] bind9]# vim /etc/man.config #导出帮助手册 ... # Every automatically generated MANPATH includes these fields # MANPATH /usr/man MANPATH /usr/share/man MANPATH /usr/local/man MANPATH /usr/local/share/man MANPATH /usr/X11R6/man MANPATH /usr/local/bind9/share/man #加入这一条 ...
2、提供主配置文件/etc/named/named.conf
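// Minimal named.conf for this build. The rndc "key"/"controls" statements are added in step 5.
options {
	directory "/var/named";       // working directory; the file names below are relative to it
	recursion yes;
	// "recursion yes" on its own turns every address named listens on (it binds 192.168.30.20:53
	// in step 4) into an open resolver that can be abused for reflection/amplification.
	// Restrict recursion to the clients this server is meant to serve; adjust the ACL as needed.
	allow-recursion { localhost; localnets; };
};
zone "." IN {
	type hint;
	file "named.ca";              // root hints, generated in step 3
};
zone "localhost" IN {
	type master;
	file "localhost.zone";
	allow-update { none; };       // no dynamic updates for the built-in zones
};
// Reverse zone for 127.0.0.1. The origin is 1.0.0.127.in-addr.arpa and the file is loopback.zone
// so that this matches the zone file and the named-checkzone invocation used later on this page:
// "@ IN PTR localhost." only maps 127.0.0.1 under this origin.
zone "1.0.0.127.in-addr.arpa" IN {
	type master;
	file "loopback.zone";
	allow-update { none; };
};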
[[email protected] ~]# ls /etc/named bind.keys [[email protected] ~]# vim /etc/named/named.conf options { directory "/var/named"; #定义工作目录 recursion yes; }; zone "." IN { #定义根区域 type hint; file "named.ca"; }; zone "localhost" IN { type master; file "localhost.zone"; allow-update { none; }; }; zone "1.0.0.127.in-addr.arpa" IN { type master; file "loopback.zone"; allow-update { none; }; }; zone "inception.com" IN { type master; file "inception.com.zone"; }; [[email protected] ~]# named-checkconf [[email protected] ~]# chgrp named /etc/named/named.conf #将配置文件属主改为named [[email protected] ~]# chmod 640 /etc/named/named.conf #不允许其它用户访问该文件 [[email protected] ~]# ll /etc/named/named.conf -rw-r----- 1 root named 656 Nov 15 22:42 /etc/named/named.conf
3、为根及localhost提供区域解析库
(1)named.ca
# dig -t NS . @a.root-servers.net > /var/named/named.ca
# Bootstraps the root hints from a live query. Caveats: the answer is an unauthenticated UDP response, and
# the redirect creates/overwrites named.ca even when the query fails (timeout, SERVFAIL), leaving an unusable
# hint file. Check that the ANSWER SECTION lists the root servers and compare the result with the hints file
# published by InterNIC/ISC (named.root) before relying on it.
(2)localhost.zone
$TTL 86400
; Forward zone for "localhost": one SOA, one NS and a single A record pointing at the loopback address.
@       IN  SOA  localhost. admin.localhost. (
                 2015121101  ; serial
                 3H          ; refresh
                 15M         ; retry
                 7D          ; expire
                 1D )        ; negative-caching TTL
@       IN  NS   localhost.
@       IN  A    127.0.0.1
(3)loopback.zone
$TTL 86400
; Reverse zone for 127.0.0.1 (origin 1.0.0.127.in-addr.arpa): the apex itself carries the PTR record.
@       IN  SOA  localhost. admin.localhost. (
                 2015121101  ; serial
                 3H          ; refresh
                 15M         ; retry
                 7D          ; expire
                 1D )        ; negative-caching TTL
@       IN  NS   localhost.
@       IN  PTR  localhost.
注意:创建解析文件后要修改其属组和权限:区域文件属组改为 named、权限 640(named 只需读取,其它用户不可读);slaves 目录由 named 进程写入从区域数据,因此属主和属组都改为 named、权限 770。
[[email protected] ~]# mkdir -pv /var/named/slaves #创建工作目录和slaves目录 mkdir: created directory `/var/named‘ mkdir: created directory `/var/named/slaves‘ [[email protected] ~]# chgrp named /var/named #将工作目录属组改为named [[email protected] ~]# chmod 750 /var/named #修改工作目录权限 [[email protected] ~]# ls -ld /var/named drwxr-x--- 3 root named 4096 Nov 16 02:15 /var/named [[email protected] ~]# cd /var/named [[email protected] named]# ls slaves [[email protected] named]# dig -t NS . @a.root-servers.net > named.ca #生成根区域解析库 [[email protected] named]# cat named.ca ; <<>> DiG 9.9.5 <<>> -t NS . @a.root-servers.net ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12835 ;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 25 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;. IN NS ;; ANSWER SECTION: . 518400 IN NS f.root-servers.net. . 518400 IN NS a.root-servers.net. . 518400 IN NS b.root-servers.net. . 518400 IN NS e.root-servers.net. ... ... [[email protected] named]# vim localhost.zone $TTL 86400 @ IN SOA localhost. admin.localhost. ( 2015121101 3H 15M 7D 1D ) IN NS localhost. IN A 127.0.0.1 #localhost被解析为127.0.0.1 [[email protected] named]# vim loopback.zone $TTL 86400 @ IN SOA localhost. admin.localhost. ( 2015121101 3H 15M 7D 1D ) IN NS localhost. IN PTR localhost. #127.0.0.1被反解为localhost [[email protected] named]# vim inception.com.zone ... 
[[email protected] named]# named-checkzone localhost localhost.zone zone localhost/IN: loaded serial 2015121101 OK [[email protected] named]# named-checkzone 1.0.0.127.in-addr.arpa loopback.zone zone 1.0.0.127.in-addr.arpa/IN: loaded serial 2015121101 OK [[email protected] named]# named-checkzone inception.com inception.com.zone zone inception.com/IN: loaded serial 2015121101 OK [[email protected] named]# ll total 20 -rw-r--r-- 1 root root 487 Nov 16 02:36 inception.com.zone -rw-r--r-- 1 root root 312 Nov 16 02:02 localhost.zone -rw-r--r-- 1 root root 264 Nov 16 02:50 loopback.zone -rw-r--r-- 1 root root 2173 Nov 16 01:45 named.ca drwxr-xr-x 2 root root 4096 Nov 15 22:43 slaves [[email protected] named]# chgrp named inception.com.zone localhost.zone loopback.zone named.ca [[email protected] named]# chmod 640 inception.com.zone localhost.zone loopback.zone named.ca [[email protected] named]# chown named:named slaves [[email protected] named]# chmod 770 slaves [[email protected] named]# ll total 20 -rw-r----- 1 root named 487 Nov 16 02:36 inception.com.zone -rw-r----- 1 root named 312 Nov 16 02:02 localhost.zone -rw-r----- 1 root named 264 Nov 16 02:50 loopback.zone -rw-r----- 1 root named 2173 Nov 16 01:45 named.ca drwxrwx--- 2 named named 4096 Nov 15 22:43 slaves
4、尝试启动缓存名称服务器
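# named-checkconf -z                           # -z also loads every zone the config references, not just the syntax
# named [-g] -u named -c /etc/named/named.conf
#   named starts as root to bind port 53 and then switches to the -u user; do not omit -u, or it keeps running as root.
#   Without -g it daemonizes and logs via syslog; use -g while debugging so errors appear on the terminal.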
-u:指定以哪个用户的身份运行(named 以 root 启动并绑定 53 端口后切换为该用户,切勿省略,否则进程会一直以 root 身份运行)
-c:指定配置文件
-g:让named进程在前台运行
[[email protected] named]# named -u named -c /etc/named/named.conf [[email protected] named]# netstat -tuanp | grep 'named' tcp 0 0 192.168.30.20:53 0.0.0.0:* LISTEN 26012/named tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 26012/named udp 0 0 192.168.30.20:53 0.0.0.0:* 26012/named udp 0 0 127.0.0.1:53 0.0.0.0:* 26012/named #named 默认在本机所有地址的 53 端口监听;options 中 recursion yes 而未限制 allow-recursion 时,192.168.30.20 上就是一台对外开放的递归服务器,请按需用 listen-on / allow-recursion 收紧
5、提供rndc
# rndc-confgen -r /dev/urandom > /etc/named/rndc.conf   # generate a fresh HMAC key; -r /dev/urandom avoids blocking on /dev/random
#   The secret this prints is the credential for controlling named (reload, stop, querylog, ...): generate your own,
#   never reuse the example value shown on this page, and treat the file like a password.
#   This release emits "algorithm hmac-md5"; newer BIND releases prefer hmac-sha256 — presumably worth using where available.
# chown root:named /etc/named/rndc.conf
# chmod 440 /etc/named/rndc.conf
#   The transcript below uses 640; 440 is the tighter setting (nobody needs write access). rndc.conf is the client-side
#   config for rndc; named itself reads the key from the copy placed in named.conf, so if only root runs rndc this file
#   can be 400 root:root.
把 rndc.conf 输出中被 # 注释掉的后半段(key 与 controls 两个语句)去掉注释后复制到 named.conf 中,并让 named 重读配置。注意:controls 中的 allow 列表只保留确需管理的地址(通常仅 127.0.0.1);key 的 secret 是该服务器的管理凭据,持有者可通过 rndc 控制 named,务必使用自己生成的值,不要复制本文示例。
[[email protected] named]# rndc-confgen -r /dev/urandom > /etc/named/rndc.conf [[email protected] named]# cat /etc/named/rndc.conf #将rndc.conf文件的后半段复制到主配置文件中 # Start of rndc.conf key "rndc-key" { algorithm hmac-md5; secret "eEXSM8DqS/OBa32LYZB0WA=="; }; options { default-key "rndc-key"; default-server 127.0.0.1; default-port 953; }; # End of rndc.conf # Use with the following in named.conf, adjusting the allow list as needed: # key "rndc-key" { # algorithm hmac-md5; # secret "eEXSM8DqS/OBa32LYZB0WA=="; # }; # # controls { # inet 127.0.0.1 port 953 # allow { 127.0.0.1; } keys { "rndc-key"; }; # }; # End of named.conf [[email protected] named]# chgrp named /etc/named/rndc.conf [[email protected] named]# chmod 640 /etc/named/rndc.conf [[email protected] named]# vim /etc/named/named.conf options { directory "/var/named"; recursion yes; }; key "rndc-key" { algorithm hmac-md5; secret "eEXSM8DqS/OBa32LYZB0WA=="; }; controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; }; ... [[email protected] named]# killall -HUP named #重读配置文件而无需重启进程 [[email protected] named]# rndc status #rndc已经可以使用 version: 9.9.5 <id:f9b8a50e> CPUs found: 2 worker threads: 2 UDP listeners per interface: 2 number of zones: 101 debug level: 0 xfers running: 0 xfers deferred: 0 soa queries in progress: 0 query logging is OFF recursive clients: 0/0/1000 tcp clients: 0/100 server is up and running
6、提供服务脚本(略)
二、性能测试
queryperf:bind源码包自带的一款性能测试工具
# cd bind-9.9.5/contrib/queryperf     # queryperf ships with the BIND source tree but is not built by the top-level make
# ./configure
# make
# cp queryperf /usr/bin
#   /usr/bin is owned by the package manager; /usr/local/bin is the conventional home for a locally built tool.
#   Kept as /usr/bin here only because the transcript and the scp step below assume that path.
#   queryperf sends queries as fast as it can: point it only at test servers you operate, never at production or third-party DNS.
queryperf工具的用法:
queryperf -d input_file -s server
queryperf -h:查看帮助
说明:最好不要直接在服务器上测试,实际环境中客户端和服务器之间会有网络延迟,在其它客户端上测试结果会更准确。另外,queryperf 会以尽可能快的速度发送查询,只应针对自己管理的测试服务器使用,不要对生产或他人的 DNS 服务器运行。
[[email protected] ~]# cd bind-9.9.5/contrib/queryperf/ [[email protected] queryperf]# ls config.h.in configure configure.in input Makefile.in missing queryperf.c README utils [[email protected] queryperf]# ./configure [[email protected] queryperf]# make gcc -DHAVE_CONFIG_H -c queryperf.c gcc -DHAVE_CONFIG_H queryperf.o -lnsl -lresolv -lm -o queryperf [[email protected] queryperf]# ls #编译后会生成一个名为queryperf的二进制可执行文件 config.h config.h.in config.log config.status configure configure.in input Makefile Makefile.in missing queryperf queryperf.c queryperf.o README utils [[email protected] queryperf]# cp queryperf /usr/bin #将这个可执行文件复制到常见的二进制程序目录下 [[email protected] queryperf]# cd [[email protected] ~]# vim testdns.txt #创建一个可供queryperf读取的数据文件,格式如下: www.inception.com A ns.inception.com A web.inception.com A inception.com NS inception.com MX ... ... [[email protected] ~]# wc -l testdns.txt 725760 testdns.txt [[email protected] ~]# queryperf -d testdns.txt -s 192.168.30.20 #压力测试 DNS Query Performance Testing Tool Version: $Id: queryperf.c,v 1.12 2007/09/05 07:36:04 marka Exp $ [Status] Processing input data [Status] Sending queries (beginning with 192.168.30.20) [Status] Testing complete Statistics: Parse input file: once Ended due to: reaching end of file Queries sent: 725760 queries #发出的查询数 Queries completed: 725760 queries #处理的查询数 Queries lost: 0 queries Queries delayed(?): 0 queries RTT max: 0.011384 sec #处理一个查询的最长时间 RTT min: 0.000028 sec RTT average: 0.000356 sec RTT std deviation: 0.000101 sec RTT out of range: 0 queries Percentage completed: 100.00% Percentage lost: 0.00% Started at: Mon Nov 16 06:37:21 2015 Finished at: Mon Nov 16 06:37:34 2015 Ran for: 13.171889 seconds #处理完所有请求的总时长 Queries per second: 55099.158519 qps #每秒处理的请求数 [[email protected] ~]# rndc querylog on #开启查询日志 [[email protected] ~]# queryperf -d testdns.txt -s 192.168.30.20 DNS Query Performance Testing Tool Version: $Id: queryperf.c,v 1.12 2007/09/05 07:36:04 marka Exp $ [Status] Processing input data 
[Status] Sending queries (beginning with 192.168.30.20) [Status] Testing complete Statistics: Parse input file: once Ended due to: reaching end of file Queries sent: 725760 queries Queries completed: 725760 queries Queries lost: 0 queries Queries delayed(?): 0 queries RTT max: 0.006453 sec RTT min: 0.000070 sec RTT average: 0.000742 sec RTT std deviation: 0.000147 sec RTT out of range: 0 queries Percentage completed: 100.00% Percentage lost: 0.00% Started at: Mon Nov 16 06:38:40 2015 Finished at: Mon Nov 16 06:39:07 2015 Ran for: 27.172071 seconds Queries per second: 26709.778581 qps #可以看到,开启查询日志功能后,DNS响应性能明显降低 [[email protected] ~]# scp /usr/bin/queryperf 192.168.30.10:/usr/bin #复制该工具到其它节点上测试 The authenticity of host ‘192.168.30.10 (192.168.30.10)‘ can‘t be established. RSA key fingerprint is a3:d3:a0:9d:f0:3b:3e:53:4e:ee:61:87:b9:3a:1c:8c. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added ‘192.168.30.10‘ (RSA) to the list of known hosts. [email protected]‘s password: queryperf 100% 45KB 45.0KB/s 00:00 [[email protected] ~]# scp testdns.txt 192.168.30.10:/root/ [email protected]‘s password: testdns.txt 100% 13MB 12.9MB/s 00:01
[[email protected] ~]# queryperf -d testdns.txt -s 192.168.30.20 DNS Query Performance Testing Tool Version: $Id: queryperf.c,v 1.12 2007/09/05 07:36:04 marka Exp $ [Status] Processing input data [Status] Sending queries (beginning with 192.168.30.20) [Status] Testing complete Statistics: Parse input file: once Ended due to: reaching end of file Queries sent: 725760 queries Queries completed: 725760 queries Queries lost: 0 queries Queries delayed(?): 0 queries RTT max: 0.378395 sec RTT min: 0.000026 sec RTT average: 0.001469 sec RTT std deviation: 0.001698 sec RTT out of range: 0 queries Percentage completed: 100.00% Percentage lost: 0.00% Started at: Tue Dec 8 11:52:19 2015 Finished at: Tue Dec 8 11:53:21 2015 Ran for: 62.030005 seconds Queries per second: 11700.144148 qps #由于客户端与服务器端之间的网络延迟,在其它客户端上测得的性能当然要低于直接在服务器上测得的性能