CentOS 7 DNS服务器架设

CentOS 7 DNS服务器部署

项目背景和要求

要保证即能够解析内网域名linuxidc.local的解析，又能解析互联网的域名。

主DNS服务器：ZZYH1.LINUXIDC.LOCAL

辅助DNS服务器：ZZYH2.LINUXIDC.LOCAL

包含以下域的信息：

1、linuxidc.local域的信息：

2、192.168.188.0/24、192.168.189.0/24反向解析域

要求实现chroot功能，以提高安全性

实现到202.102.224.68、202.102.227.68的DNS转发。

防止非授权用户的DNS记录的枚举(防止出现类似上海烟草公司的安全隐患)。仅允许管理员在192.168.188.10上进行操作。

DNS网络配置

除了传统的修改/etc/resolv.conf之外，还有通过在ifcfg文件中添加配置的方式。

Tip: 与Windows在某个网卡中设置DNS服务器的IP地址类似

# vi/etc/sysconfig/network-scripts/ifcfg-eno16777728

# Generated by parse-kickstartIPV6INIT=no

BOOTPROTO=static

DEVICE=eno16777728

ONBOOT=yes

TYPE=Ethernet

DEFROUTE=yes

PEERDNS=yes

PEERROUTES=yes

IPV4_FAILURE_FATAL=no

NAME="System eno16777728"

IPADDR=192.168.188.15

NETMASK=255.255.255.0

GATEWAY=192.168.188.2

DNS1=192.168.188.15DNS2=192.168.188.16

这样，当重新启动network服务时，会生成/etc/resolv.conf中的配置

# servicenetwork restart

Restarting network (via systemctl):                        [  OK  ]

# cat/etc/resolv.conf

# Generated by NetworkManager

search linuxidc.local

nameserver 192.168.188.15nameserver192.168.188.16

配置Yum库

[[email protected] ~]# cd /etc/yum.repos.d/

[[email protected] yum.repos.d]# ls

CentOS-Base.repo  CentOS-Debuginfo.repo  CentOS-Sources.repo  CentOS-Vault.repo

[[email protected] yum.repos.d]#

[[email protected] yum.repos.d]# cpCentOS-Base.repo CentOS-Base.repo.origin

[[email protected] yum.repos.d]# viCentOS-Base.repo

配置内容

[base]

name=CentOS-$releasever - Base

baseurl=file:///media

gpgcheck=1

gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

安装DNS支持包

#yum -y installbind bind-util bind-chroot    //

[[email protected] ~]# cd /media/Packages/

[[email protected] Packages]# yum -y install bindbind-util bind-chroot

Warning: RPMDB altered outside of yum.

Installing : 32:bind-libs-9.9.4-14.el7.x86_64                            1/3

Installing : 32:bind-9.9.4-14.el7.x86_64                                  2/3

Installing : 32:bind-chroot-9.9.4-14.el7.x86_64                          3/3

Verifying  :32:bind-9.9.4-14.el7.x86_64                                  1/3

Verifying  : 32:bind-libs-9.9.4-14.el7.x86_64                            2/3

Verifying  :32:bind-chroot-9.9.4-14.el7.x86_64                          3/3

Installed:

bind.x86_64 32:9.9.4-14.el7        bind-chroot.x86_64 32:9.9.4-14.el7

Dependency Installed:

bind-libs.x86_6432:9.9.4-14.el7

Complete!

查看bind的生成包

[[email protected] ~]# rpm -qc bind

/etc/logrotate.d/named

/etc/named.conf

/etc/named.iscdlv.key

/etc/named.rfc1912.zones

/etc/named.root.key

/etc/rndc.conf

/etc/rndc.key

/etc/sysconfig/named

/var/named/named.ca

/var/named/named.empty

/var/named/named.localhost

/var/named/named.loopback

配置文件

[[email protected] ~]# cd /etc

[[email protected] etc]# cp named.confnamed.conf.origin

[[email protected] etc]# vi /etc/named.conf

[[email protected] etc]# cat /etc/named.conf、

//listen-on port 53 { 127.0.0.1; };

listen-on port 53 { any; };

//dnssec-enable yes;

//dnssec-validation yes;

dnssec-enable no;

dnssec-validation no;

配置转发地址：

forwarders {202.102.224.68; 202.102.227.68;};

allow-transfer {192.168.188.15; 192.168.188.12;};

查看状态

[[email protected] etc]# rndc status

version: 9.9.4-RedHat-9.9.4-14.el7<id:8f9657aa>

CPUs found: 1

worker threads: 1

UDP listeners per interface: 1

number of zones: 101

debug level: 0

xfers running: 0

xfers deferred: 0

soa queries in progress: 0

query logging is OFF

recursive clients: 0/0/1000

tcp clients: 0/100

server is up and running

测试一下解析

补充一下

#find / -name nslookup

/usr/bin/nslookup

#rpm -qf/usr/bin/nslookup  //查询这个命令依附于那个包bind-utils-9.9.4-14.el7.x86_64.rpm

#nslookup              //如果找不到nslookup那是因为没有安装bind-utils-9.9.4-14.el7.x86_64.rpm

> server 192.168.188.15

Default server: 192.168.188.15

Address: 192.168.188.15#53

> g.cn                                //尝试解析g.cn

Server:        192.168.188.15

Address:        192.168.188.15#53

Non-authoritative answer:

Name:  g.cn

Address: 203.208.36.17

Name:  g.cn

Address: 203.208.36.18

Name:  g.cn

Address: 203.208.36.16

Name:  g.cn

Address: 203.208.36.20

Name:  g.cn

Address: 203.208.36.19

//解析成功

添加自定义zone

自定义，修改配置文件

[[email protected]~]# vi /etc/named.conf

在最后添加

zone "linuxidc.local" IN {

type mester;

file "linuxidc.local.zone";

}

zone "188.168.192.in-addr.arpa"IN {

type master;

file "192.168.188.zone";

}

zone "189.168.192.in-addr.arpa"IN {

type master;

file "192.168.189.zone";

}

include"/etc/named.rfc1912.zones";

include "/etc/named.root.key";

[[email protected]]# cp named.empty linuxidc.local.zone  //修改前备份一下

[[email protected] named]# ls

linuxidc.local.zone  data    named.ca    named.localhost  slaves

chroot              dynamic  named.empty named.loopback

配置文件

[[email protected]]# vi  linuxidc.local.zone

$TTL 3H

@      IN SOA  zzyh1.linuxidc.local.  chenzhou312.blog.51cto.com (

0      ; serial

1D      ; refresh

1H      ; retry

1W      ; expire

3H)    ; minimum

IN      NS          zzyh1.linuxidc.local.

IN      NS          zzyh2.linuxidc.local.

zzyh1                IN      A            192.168.188.15

zzyh2                IN      A            192.168.188.16

ftp                  IN      A            192.168.188.15

mailyh1              IN      A            192.168.188.22

smtp                  IN      CNAME        mailyh1.linuxidc.local.

pop3                  IN      CNAME        mailyh1.linuxidc.local.

www                  IN      A            192.168.188.15

crm                  IN      A            192.168.188.15

#vi192.168.188.zone

$TTL 3H

@      IN SOA  zzyh1.linuxidc.local.  chenzhou312.blog.51cto.com (

0      ; serial

1D      ; refresh

1H      ; retry

1W      ; expiredgG

3H)    ; minimum

IN        NS          zzyh1.linuxidc.local.

IN        NS          zzyh2.linuxidc.local.

15      IN        PTR          zzyh1.linuxidc.local.

15      IN        PTR          ftp.linuxidc.local.

16      IN        PTR          zzyh2.linuxidc.local.

16      IN        PTR          mailyh1.linuxidc.local.

#vi192.168.189.zone

$TTL 3H

@      IN SOA zzyh1.linuxidc.local. chenzhou312.blog.51cto.com (

0      ; serial

1D      ; refresh

1H      ; retry

1W      ; expire

3H)    ; minimum

IN    NS                  zzyh1.linuxidc.local.

IN    NS                  zzyh2.linuxidc.local.

www    IN    NS                  192.168.188.15

重启服务

[[email protected] named]# systemctl restartnamed.service

[[email protected] named]# service named restart

Redirecting to /bin/systemctl restart  named.service

[[email protected] named]# rndc status

version: 9.9.4-RedHat-9.9.4-14.el7<id:8f9657aa>

CPUs found: 1

worker threads: 1

UDP listeners per interface: 1

number of zones: 104

debug level: 0

xfers running: 0

xfers deferred: 0

soa queries in progress: 0

query logging is OFF

recursive clients: 0/0/1000

tcp clients: 0/100

server is up and running

设置为自动启动

# systemctl enable named

[[email protected] named]# systemctl status named

named.service - Berkeley Internet NameDomain (DNS)

Loaded: loaded (/usr/lib/systemd/system/named.service; enabled)

Active: active (running) since Mon 2014-08-25 00:36:59 CST; 3min 47s ago

MainPID: 2807 (named)

CGroup: /system.slice/named.service

a””a”2807 /usr/sbin/named -u named

Aug 25 00:36:59 zzyh1.linuxidc.localnamed[2807]: zone 189.168.192.in-addr.ar...

Aug 25 00:36:59 zzyh1.linuxidc.localnamed[2807]: zone 189.168.192.in-addr.ar...

Aug 25 00:36:59 zzyh1.linuxidc.localnamed[2807]: zone 1.0.0.127.in-addr.arpa...

Aug 25 00:36:59 zzyh1.linuxidc.localnamed[2807]: zone 1.0.0.0.0.0.0.0.0.0.0....

Aug 25 00:36:59 zzyh1.linuxidc.localnamed[2807]: all zones loaded

Aug 25 00:36:59 zzyh1.linuxidc.localnamed[2807]: running

Aug 25 00:36:59 zzyh1.linuxidc.localnamed[2807]: zone 188.168.192.in-addr.ar...

Aug 25 00:36:59 zzyh1.linuxidc.localnamed[2807]: zone 189.168.192.in-addr.ar...

Aug 25 00:36:59 zzyh1.linuxidc.localsystemd[1]: Started Berkeley Internet N....

Aug 25 00:37:00 zzyh1.linuxidc.localnamed[2807]: managed-keys-zone: No DNSKE...

Hint: Some lines were ellipsized, use -l toshow in full.

# nslookup

> server192.168.188.15

Default server: 192.168.188.15

Address: 192.168.188.15#53

>www.linuxidc.local.

Server:        192.168.188.15

Address:      192.168.188.15#53

Name:  www.linuxidc.local

Address: 192.168.188.15

>smtp.linuxidc.local.

Server:        192.168.188.15

Address:      192.168.188.15#53

smtp.linuxidc.local    canonical name = mailyh1.linuxidc.local.

Name:  mailyh1.linuxidc.local

Address: 192.168.188.22

>192.168.188.15

Server:        192.168.188.15

Address:      192.168.188.15#53

15.188.168.192.in-addr.arpa    name = ftp.linuxidc.local.

15.188.168.192.in-addr.arpa    name = zzsrv1.linuxidc.local.

> exit

zzyh2上的DNS配置

安装BIND

与zzyh1上的主DNS配安装一样。

操作略。

配置

Cache Only Server

与zzyh1上的主DNS配安装一样。

操作略。

添加辅助Zone

# vi /etc/named.conf

添加如下zone信息

zone "linuxidc.local" IN {

type slave;

masters {192.168.188.15; };

file "linuxidc.local.zone";

};

zone "188.168.192.in-addr.arpa"IN {

type slave;

masters {192.168.188.15; };

file "192.168.188.zone";

};

zone "189.168.192.in-addr.arpa"IN {

type slave;

masters {192.168.188.15; };

file "192.168.189.zone";

};

修改目录权限

[[email protected] named]# ll /var/named/ -d

drwxr-x--- 6 root named 133 Aug 15 14:06/var/named/

[[email protected] named]# chmod g+w /var/named/

[[email protected] named]# ll /var/named/ -d

drwxrwx--- 6 root named 133 Aug 15 14:06/var/named/

启动服务

[[email protected] ~]# systemctl startnamed.service

Redirecting to /bin/systemctl restart  named.service

设置为自动启动

[[email protected] ~]# systemctl enable named

ln -s‘/usr/lib/systemd/system/named.service‘‘/etc/systemd/system/multi-user.target.wants/named.service‘

查看日志，检查是否有报错信息。（建议在启动时，就在另外一个会话时就打开）

# tail -f /var/log/messages

测试BIND

在zzyh1上生成了相应的zone文件

[[email protected] ~]# ll /var/named/

total 28

-rw-r--r-- 1 named named  451 Aug 15 14:58 192.168.188.zone

-rw-r--r-- 1 named named  254 Aug 15 15:05 192.168.189.zone

-rw-r--r-- 1 named named  647 Aug 15 15:16 linuxidc.local.zone

drwxr-x--- 7 root  named  56 Aug 15 14:06 chroot

drwxrwx--- 2 named named  22 Aug 15 14:19 data

drwxrwx--- 2 named named  58 Aug 15 16:20 dynamic

-rw-r----- 1 root  named 2076 Jan 28  2013 named.ca

-rw-r----- 1 root  named 152 Dec 15  2009 named.empty

-rw-r----- 1 root  named 152 Jun 21  2007 named.localhost

-rw-r----- 1 root  named 168 Dec 15  2009 named.loopback

drwxrwx--- 2 named named    6 Jun 10 16:13 slaves

[[email protected] ~]# vi /var/named/linuxidc.local.zone

添加一个A记录

test    IN A 10.0.0.1

并且将，zone的序列号增大

[[email protected] ~]# rndc reload

server reload successful

在zzyh1的日志中会看到

zone linuxidc.local/IN: sending notifiesrial 15)

client 192.168.188.16#41658 (linuxidc.loc:transfer of ‘linuxidc.local/IN‘: AXFR-style IXFR started

client 192.168.188.16#41658 (linuxidc.loc:transfer of ‘linuxidc.local/IN‘: AXFR-style IXFR ended

在zzyh2的日志中会看到

client 192.168.188.15#33856: received notifyfor zone ‘linuxidc.local‘

zone linuxidc.local/IN: Transfer started.

transfer of ‘linuxidc.local/IN‘ from192.168.188.15#53: connected using 192.168.188.16#41658

zone linuxidc.local/IN: transferred serial15

transfer of ‘linuxidc.local/IN‘ from192.168.188.15#53: Transfer completed: 1 messages, 13 records, 339 bytes, 0.005secs (67800 bytes/sec)

zone linuxidc.local/IN: sending notifies(serial 15)

测试

# nslookup

> server 192.168.188.16

Default server: 192.168.188.16

Address: 192.168.188.16#53

> test.linuxidc.local.

Server:        192.168.188.16

Address:        192.168.188.16#53

Name:  test.linuxidc.local

Address: 10.0.0.1

> exit

• 本文来自：爱好Linux技术网
• 本文链接：http://www.ahlinux.com/centos/8659.html