虚拟机centos7 DNS服务器搭建

服务器端：

前期工作：

切换到NAT模式

（1）关闭防火墙以及SeLinux.

防火墙相关设置：

systemctl stop firewalld  //临时关闭防火墙

systemctl disable firewalld  //禁止开机启动防火墙

 

selinux相关设置：

SeLinux配置文件，/etc/selinux/config

设置 SELINUX=disabled

 

（2）安装相应的软件包

yum -y install bind

yum -y install bind-utils  //bind-utils提供DNS查询工具，如dig、host、nslookup

 

安装完后，检测有没有安装

[root@localhost ~]# rpm -qa | grep bind

rpcbind-0.2.0-42.el7.x86_64

bind-libs-9.9.4-61.el7.x86_64

bind-libs-lite-9.9.4-61.el7.x86_64

bind-license-9.9.4-61.el7.noarch

bind-9.9.4-61.el7.x86_64

bind-utils-9.9.4-61.el7.x86_64

 

切换到OnlyHost模式

 

（3）修改配置文件

配置文件路径： /etc/named.conf

示例配置文件：

See /usr/share/doc/bind*/sample/  for example named configuration files.

拷贝示例配置文件到tmp文件夹下

cp /usr/share/doc/bind-9.9.4/sample/etc/named.conf  /tmp

 

（4）重启服务

systemctl restart named

systemctl enable named  //开机启动DNS服务

 

 

 

 

 

客户端：

切换到NAT模式下：

yum -y install bind-utils

切换到OnlyHost模式下：

配置文件 ：/etc/resolv.conf

添加如下：

nameserver 192.168.59.128(DNS IP地址)

 

 

注意问题：

（1）格式问题 （紧靠左边，'.'）

（2）权限问题（copy named.empty（默认权限640） 来编写正反向解析文件，记得chmod 644 正向解析文件，chmod 644 反向解析文件，如果自己新建正反向解析文件，那么不存在解析问题）

 

出错处理：

 

1.服务启动后报错信息

2.如果服务没有报错信息，但是没有出现指定效果，tail -30 /var/log/messages

3.google/baidu  相关错误信息

 

 

课堂案例项目：

搭建fqnu.org网站域名系统

域名	IP地址
dns.fqnu.org	192.168.59.128
dxxy.fqnu.org	192.168.59.120
jgxy.fqnu.org	192.168.59.121
wfxy.fqnu.org	192.168.59.123

 

 

运行效果图：

客户端运行效果：

[root@localhost ~]# host wfxy.fqnu.org

wfxy.fqnu.org has address 192.168.59.123

[root@localhost ~]# host 192.168.59.123

123.59.168.192.in-addr.arpa domain name pointer wfxy.fqnu.org.

[root@localhost ~]# host 192.168.59.120

120.59.168.192.in-addr.arpa domain name pointer dxxy.fqnu.org.

[root@localhost ~]# host 192.168.59.121

121.59.168.192.in-addr.arpa domain name pointer jgxy.fqnu.org.

[root@localhost ~]# host jgxy.fqnu.org

jgxy.fqnu.org has address 192.168.59.121

[root@localhost ~]# host 192.168.59.128

128.59.168.192.in-addr.arpa domain name pointer dns.fqnu.org.

[root@localhost ~]# host 192.168.59.129

Host 129.59.168.192.in-addr.arpa. not found: 3(NXDOMAIN)

[root@localhost ~]# host tyxy.fqnu.org

Host tyxy.fqnu.org.localdomain not found: 2(SERVFAIL)

[root@localhost ~]#

 

 

 

 

 

 

课堂案例项目 DNS配置文件如下：

路径： /etc/named.conf

//

// named.conf

//

// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS

// server as a caching only nameserver (as a localhost DNS resolver only).

//

// See /usr/share/doc/bind*/sample/ for example named configuration files.

//

// See the BIND Administrator's Reference Manual (ARM) for details about the

// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

 

options {

directory "/var/named";

dump-file "/var/named/data/cache_dump.db";

statistics-file "/var/named/data/named_stats.txt";

 

};

 

zone "fqnu.org" {

type master;

file "fqnu.org";

};

 

zone "59.168.192.in-addr.arpa" {

type master;

file "59.168.192";

};

 

正向解析文件如下：

/var/named/fqnu.org

$TTL 86400

fqnu.org. IN SOA dns.fqnu.org. root.fqnu.org (

20180511 ; serial

1H ; refresh

15M ; retry

1W ; expire

1D ) ; minimum

fqnu.org. IN NS dns.fqnu.org.

dns         IN A 192.168.59.128

dxxy IN A 192.168.59.120

jgxy IN A 192.168.59.121

wfxy IN A 192.168.59.123

 

反向解析文件：

$TTL 86400

@ IN SOA 59.168.192.in-addr.arpa. root.fqnu.org (

20180511 ; serial

1H ; refresh

15M ; retry

1W ; expire

1D ) ; minimum

@ IN NS dns.fqnu.org.

128 IN PTR dns.fqnu.org.

120 IN PTR dxxy.fqnu.org.

121 IN PTR jgxy.fqnu.org.

123 IN PTR wfxy.fqnu.org.

 

 

 

 

 

 

 

 

 

 

 

DNS示例配置文件如下：

/*

 Sample named.conf BIND DNS server 'named' configuration file

 for the Red Hat BIND distribution.

 

 See the BIND Administrator's Reference Manual (ARM) for details about the

 configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

*/

 

options

{

// Put files that named is allowed to write in the data/ directory:

directory "/var/named"; // "Working" directory

dump-file "data/cache_dump.db";

        statistics-file "data/named_stats.txt";

        memstatistics-file "data/named_mem_stats.txt";

 

 

/*

  Specify listenning interfaces. You can use list of addresses (';' is

  delimiter) or keywords "any"/"none"

*/

//listen-on port 53 { any; };

listen-on port 53 { 127.0.0.1; };

 

//listen-on-v6 port 53 { any; };

listen-on-v6 port 53 { ::1; };

 

/*

  Access restrictions

 

  There are two important options:

    allow-query { argument; };

      - allow queries for authoritative data

 

    allow-query-cache { argument; };

      - allow queries for non-authoritative data (mostly cached data)

 

  You can use address, network address or keywords "any"/"localhost"/"none" as argument

  Examples:

    allow-query { localhost; 10.0.0.1; 192.168.1.0/8; };

    allow-query-cache { ::1; fe80::5c63:a8ff:fe2f:4526; 10.0.0.1; };

*/

 

allow-query { localhost; };

allow-query-cache { localhost; };

 

/* Enable/disable recursion - recursion yes/no;

 

 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.

 - If you are building a RECURSIVE (caching) DNS server, you need to enable

   recursion.

 - If your recursive DNS server has a public IP address, you MUST enable access

   control to limit queries to your legitimate users. Failing to do so will

   cause your server to become part of large scale DNS amplification

   attacks. Implementing BCP38 within your network would greatly

   reduce such attack surface

 */

recursion yes;

 

/* DNSSEC related options. See information about keys ("Trusted keys", bellow) */

 

/* Enable serving of DNSSEC related data - enable on both authoritative

     and recursive servers DNSSEC aware servers */

dnssec-enable yes;

 

/* Enable DNSSEC validation on recursive servers */

dnssec-validation yes;

 

/* In RHEL-7 we use /run/named instead of default /var/run/named

   so we have to configure paths properly. */

pid-file "/run/named/named.pid";

session-keyfile "/run/named/session.key";

 

managed-keys-directory "/var/named/dynamic";

};

 

logging

{

/*      If you want to enable debugging, eg. using the 'rndc trace' command,

 *      named will try to write the 'named.run' file in the $directory (/var/named).

 *      By default, SELinux policy does not allow named to modify the /var/named directory,

 *      so put the default debug log file in data/ :

 */

        channel default_debug {

                file "data/named.run";

                severity dynamic;

        };

};

 

/*

 Views let a name server answer a DNS query differently depending on who is asking.

 

 By default, if named.conf contains no "view" clauses, all zones are in the

 "default" view, which matches all clients.

 

 Views are processed sequentially. The first match is used so the last view should

 match "any" - it's fallback and the most restricted view.

 

 If named.conf contains any "view" clause, then all zones MUST be in a view.

*/

 

view "localhost_resolver"

{

/* This view sets up named to be a localhost resolver ( caching only nameserver ).

 * If all you want is a caching-only nameserver, then you need only define this view:

 */

match-clients { localhost; };

recursion yes;

 

# all views must contain the root hints zone:

zone "." IN {

        type hint;

        file "/var/named/named.ca";

};

 

        /* these are zones that contain definitions for all the localhost

         * names and addresses, as recommended in RFC1912 - these names should

 * not leak to the other nameservers:

 */

include "/etc/named.rfc1912.zones";

};

view "internal"

{

/* This view will contain zones you want to serve only to "internal" clients

   that connect via your directly attached LAN interfaces - "localnets" .

 */

match-clients { localnets; };

recursion yes;

 

zone "." IN {

        type hint;

        file "/var/named/named.ca";

};

 

        /* these are zones that contain definitions for all the localhost

         * names and addresses, as recommended in RFC1912 - these names should

 * not leak to the other nameservers:

 */

include "/etc/named.rfc1912.zones";

 

// These are your "authoritative" internal zones, and would probably

// also be included in the "localhost_resolver" view above :

 

/*

  NOTE for dynamic DNS zones and secondary zones:

 

  DO NOT USE SAME FILES IN MULTIPLE VIEWS!

 

  If you are using views and DDNS/secondary zones it is strongly

  recommended to read FAQ on ISC site (www.isc.org), section

  "Configuration and Setup Questions", questions

  "How do I share a dynamic zone between multiple views?" and

  "How can I make a server a slave for both an internal and an external

   view at the same time?"

*/

 

zone "my.internal.zone" {

type master;

file "my.internal.zone.db";

};

zone "my.slave.internal.zone" {

type slave;

file "slaves/my.slave.internal.zone.db";

masters { /* put master nameserver IPs here */ 127.0.0.1; } ;

// put slave zones in the slaves/ directory so named can update them

};

zone "my.ddns.internal.zone" {

type master;

allow-update { key ddns_key; };

file "dynamic/my.ddns.internal.zone.db";

// put dynamically updateable zones in the slaves/ directory so named can update them

};

};

 

key ddns_key

{

algorithm hmac-md5;

secret "use /usr/sbin/dnssec-keygen to generate TSIG keys";

};

 

view "external"

{

/* This view will contain zones you want to serve only to "external" clients

 * that have addresses that are not match any above view:

 */

match-clients { any; };

 

zone "." IN {

        type hint;

        file "/var/named/named.ca";

};

 

recursion no;

// you'd probably want to deny recursion to external clients, so you don't

        // end up providing free DNS service to all takers

 

// These are your "authoritative" external zones, and would probably

        // contain entries for just your web and mail servers:

 

zone "my.external.zone" {

type master;

file "my.external.zone.db";

};

};