客服微信
作者:泡杯长岛冰茶
虚拟机
操作系统版本
角色
ip 地址
域名
unbound
Redhat 8.4
缓存DNS服务器
172.16.50.194
-
unbound-dns1
Redhat 8.4
权威主DNS主服务器
172.16.50.195
yunbee.net50.16.172.in-addr.arpa
unbound-dns2
Redhat 8.4
权威主DNS备服务器
172.16.50.196
yunbee.net与50.16.172.in-addr.arpa
unbound-dns3
Redhat 8.4
权威主DNS服务器
172.16.50.177
ql.com与zj.yunbee.net
listen-on port 53 { 172.16.50.195; }; 监听在那个IP地址上
allow-query { any; }; 允许客户端访问查询的地址清单
也可以定义访问例表
acl group1 { 172.16.50.0/24; }; office1 假设这个是内外地址
acl group2 { 172.16.20.0/24; group1; }; office2 假设这个是内外地址
acl group3 { 221.0.0.0/8;; }; 假设这个是外地址
你可以定义传输控制 , 下面是语法 (如果你将你的dns服务器放置在公网IP上,一般用slave节点 ,配合acl访问控制)
view "office" {
默认是缩写
补全写法
简写
补全写法
dig
查看www.baidu.com 解析的过程
host
rndc
rndc-confgen
named-checkconf
named-checkzone
dig axfr @classroom.example.com example.com 下载example.com域里的信息 (allow-transfer 放开)
在企业里面一般采用多套bind做权威DNS,客户端采用unbound服务器,笔者环境当前客户端连接也是unbound DNS服务器。
zj.yunbee.net -->172.16.50.177
本篇完
RedHat 搭建BIND DNS服务器
1. 环境 概述
2. 配置网络关掉防火墙
[root@bind-dns1 ~]# ip a s |grep ens192|grep inet
inet 172.16.50.195/24 brd 172.16.50.255 scope global noprefixroute ens192
[root@localhost ~]# hostnamectl set-hostname bind-dns1
[root@bind-dns1 ~]# systemctl disable firewalld --now
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
[root@bind-dns1 ~]# setenforce 0
setenforce: SELinux is disabled
3. 安装BIND软降包
[root@bind-dns1 ~]# mount /dev/sr0 /mnt/
mount: /mnt: WARNING: device write-protected, mounted read-only.
[root@localhost ~]# cat /etc/yum.repos.d/local_baseos.repo
[local_BaseOS]
name=local_baseOS
baseurl=file:///mnt/BaseOS
gpgcheck=0
[local_AppStream]
name=local_AppStream
baseurl=file:///mnt/AppStream
gpgcheck=0
[root@localhost ~]# yum install bind -y
[root@bind-dns1 ~]# rpm -qc bind
/etc/logrotate.d/named
/etc/named.conf
/etc/named.rfc1912.zones
/etc/named.root.key
/etc/rndc.conf
/etc/rndc.key
/etc/sysconfig/named
/var/named/named.ca
/var/named/named.empty
/var/named/named.localhost
/var/named/named.loopback
4. 配置主配置文件
options {
listen-on port 53 { 172.16.50.195; };
listen-on-v6 port 53 { ::1; };
directory "/var/named"; ##
定义主目录
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { any; };
include "/etc/named.rfc1912.zones"; //see /etc/named.rfc1912.zones
include "/etc/named.root.key";
zone "yunbee.net" IN {
type master; ## 声明为主dns
file "yunbee.net.zone"; ##/var/named/yunbee.net.zone 定义一个正向查询 yunbee.net.zone文件
};
zone "50.16.172.in-addr.arpa" IN {
type master; ## 声明为主dns
file "yunbee.arpa.zone"; ##/var/named/yunbee.arpa.zone 定义一个反向查询 yunbee.net.zone文件
};
match-clients { "group2"; };
zone "." IN {
type hint;
file "named.ca";
};
zone "yunbee.net" IN {
type master;
file "yunbee.net.zone";
allow-transfer { group2; };
};
zone "50.16.172.in-addr.arpa" IN {
type master;
file "yunbee.arpa.zone.";
allow-transfer { group2; };
};
};
view "other-office" {
match-clients { "group3"; };
zone "." IN {
type hint;
file "named.ca";
};
zone "yunbee.net" IN {
type master;
file "yunbee.net.zone.bak";
allow-transfer { group2; };
};
};
5. 配置zone文件
5.1. 配置正向解析zone文件
[root@bind-dns1 named]# cp -a named.localhost yunbee.net.zone
[root@bind-dns1 named]# ll
total 24
drwxrwx---. 2 named named 6 Feb 15 2021 data
drwxrwx---. 2 named named 6 Feb 15 2021 dynamic
-rw-r-----. 1 root named 2253 Feb 15 2021 named.ca
-rw-r-----. 1 root named 152 Feb 15 2021 named.empty
-rw-r-----. 1 root named 152 Feb 15 2021 named.localhost
-rw-r-----. 1 root named 168 Feb 15 2021 named.loopback
drwxrwx---. 2 named named 6 Feb 15 2021 slaves
-rw-r-----. 1 root named 168 Feb 15 2021 yunbee.arpa.zone
-rw-r-----. 1 root named 152 Feb 15 2021 yunbee.net.zone
cd /var/named;
[root@bind-dns1 named]# vim yunbee.net.zone
$TTL 1D ## 全局 (Time to live)缓存时间
@ IN SOA @ root.yunbee.net. (
0 ; serial ##序号,每次修改时必需更新,且只能加大
1D ; refresh ##刷新时间
1H ; retry ##主从DNS连接失败时,重新尝试建立连接刷新
1W ; expire ##过期时间,重新尝试建立连接刷新到达这个值将不再尝试连接
3H ) ; minimum ## 查询失败的dns缓存
NS @
A 127.0.0.1
www A 172.16.50.30
www0 A 172.16.50.31
ftp CNAME www0
[root@bind-dns1 named]# vim yunbee.net.zone
$TTL 1D
yunbee.net. IN SOA yunbee.net. root.yunbee.net. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
yunbee.net. IN NS yunbee.net.
yunbee.net. IN A 172.16.50.195
www.yunbee.net. IN A 172.16.50.30
www0.yunbee.net. IN A 172.16.50.31
ftp.yunbee.net. IN CNAME www0
5.2. 配置反向解析zone文件
[root@bind-dns1 named]# cp -a named.loopback yunbee.arpa.zone
[root@bind-dns1 named]# vim yunbee.arpa.zone
$TTL 1D
@ IN SOA @ root.yunbee.net. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS @
A 127.0.0.1
PTR localhost.
30 PTR www.yunbee.net.
31 PTR www0.yunbee.net.
30 PTR ftp.yunbee.net.
$TTL 1D
50.16.172.in-addr.arpa. IN SOA 50.16.172.in-addr.arpa. root.yunbee.net. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
50.16.172.in-addr.arpa. IN NS 50.16.172.in-addr.arpa.
50.16.172.in-addr.arpa. IN A 172.16.50.195
195.50.16.172.in-addr.arpa. IN PTR 50.16.172.in-addr.arpa.
30.50.16.172.in-addr.arpa. IN PTR www.yunbee.net.
31.50.16.172.in-addr.arpa. IN PTR www0.yunbee.net.
30.50.16.172.in-addr.arpa. IN PTR ftp.yunbee.net.
常用写法
$TTL 1D
50.16.172.in-addr.arpa. IN SOA yunbee.net. root.yunbee.net. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
50.16.172.in-addr.arpa. IN NS yunbee.net.
30.50.16.172.in-addr.arpa. IN PTR www.yunbee.net.
31.50.16.172.in-addr.arpa. IN PTR www0.yunbee.net.
30.50.16.172.in-addr.arpa. IN PTR ftp.yunbee.net.
6. 检查主配置文件与zone文件
[root@bind-dns1 named]# named-checkconf /etc/named.conf
[root@bind-dns1 named]# named-checkzone yunbee.net yunbee.net.zone
zone yunbee.net/IN: loaded serial 0 OK [root@bind-dns1 named]
# named-checkzone 50.16.172.in-addr.arpa
yunbee.arpa.zone zone 50.16.172.in-addr.arpa/IN: loaded serial 0 OK
[root@bind-dns1 named]# systemctl enable named --now
Created symlink /etc/systemd/system/multi-user.target.wants/named.service → /usr/lib/systemd/system/named.service.
[root@bind-dns1 named]# netstat -tupnl |grep 53
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 3527/named
tcp 0 0 172.16.50.195:53 0.0.0.0:* LISTEN 3527/named
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1892/dnsmasq
tcp6 0 0 ::1:953 :::* LISTEN 3527/named
tcp6 0 0 ::1:53 :::* LISTEN 3527/named
7. 检测dns主机资源是否生效
dig查询DNS服务器。
dig -t A www.baidu.com +trace
host是一个DNS查找工具。
rndc控制BIND的操作。
rndc-confgen生成rndc.conf文件
named-checkconf检查named.conf文件的语法。
named-checkzone检查区域文件的合法性。
host -l example.com 下载example.com域里的信息 (allow-transfer 放开)
[root@bind-dns1 named]# dig www.yunbee.net @172.16.50.195
; <<>> DiG 9.11.26-RedHat-9.11.26-3.el8 <<>> www.yunbee.net @172.16.50.195
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14301
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 90796274012a6bfe8721ebd5613db035692b46030af15e94 (good)
;; QUESTION SECTION:
;www.yunbee.net. IN A
;; ANSWER SECTION:
www.yunbee.net. 86400 IN A 172.16.50.30
;; AUTHORITY SECTION:
yunbee.net. 86400 IN NS yunbee.net.
;; ADDITIONAL SECTION:
yunbee.net. 86400 IN A 172.16.50.195
;; Query time: 0 msec
;; SERVER: 172.16.50.195#53(172.16.50.195)
;; WHEN: Sun Sep 12 15:45:57 CST 2021
;; MSG SIZE rcvd: 117
[root@bind-dns1 named]# dig -x 172.16.50.30
; <<>> DiG 9.11.26-RedHat-9.11.26-3.el8 <<>> -x 172.16.50.30
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14845
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 62f62f6fe747fd806770e97a613db08a5c92c7680172ae74 (good)
;; QUESTION SECTION:
;30.50.16.172.in-addr.arpa. IN PTR
;; ANSWER SECTION:
30.50.16.172.in-addr.arpa. 86400 IN PTR www.yunbee.net.
30.50.16.172.in-addr.arpa. 86400 IN PTR ftp.yunbee.net.
;; AUTHORITY SECTION:
50.16.172.in-addr.arpa. 86400 IN NS yunbee.net.
;; ADDITIONAL SECTION:
yunbee.net. 86400 IN A 172.16.50.195
;; Query time: 0 msec
;; SERVER: 172.16.50.195#53(172.16.50.195)
;; WHEN: Sun Sep 12 15:47:22 CST 2021
;; MSG SIZE rcvd: 158
[root@bind-dns1 named]# host -l yunbee.net
yunbee.net name server yunbee.net.
yunbee.net has address 172.16.50.195
www.yunbee.net has address 172.16.50.30
www0.yunbee.net has address 172.16.50.31
[root@bind-dns1 named]# dig axfr @172.16.50.195 yunbee.net
; <<>> DiG 9.11.26-RedHat-9.11.26-3.el8 <<>> axfr @172.16.50.195 yunbee.net
; (1 server found) ;; global options: +cmd yunbee.net.
86400 IN SOA yunbee.net. root.yunbee.net.
0 86400 3600 604800 10800 yunbee.net.
86400 IN NS yunbee.net. yunbee.net. 86400 IN A 172.16.50.195 ftp.yunbee.net. 86400 IN CNAME www0.yunbee.net. www.yunbee.net. 86400 IN A 172.16.50.30 www0.yunbee.net. 86400 IN A 172.16.50.31 yunbee.net. 86400 IN SOA yunbee.net. root.yunbee.net. 0 86400 3600 604800 10800 ;; Query time: 0 msec ;; SERVER: 172.16.50.195#53(172.16.50.195) ;; WHEN: Sun Sep 12 15:52:36 CST 2021 ;; XFR size: 7 records (messages 1, bytes 233)
8. 搭建一个从DNS服务器
8.1. 安装BIND软件
[root@localhost ~]# mount /dev/sr0 /mnt/
mount: /mnt: WARNING: device write-protected, mounted read-only.
[root@localhost ~]# yum install bind -y
8.2. 配置网络与防火墙
[root@bind-dns1 ~]# ip a s |grep ens192|grep inet
inet 172.16.50.196/24 brd 172.16.50.255 scope global noprefixroute ens192
[root@localhost ~]# hostnamectl set-hostname bind-dns2
[root@bind-dns1 ~]# systemctl disable firewalld --now
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
[root@bind-dns1 ~]# setenforce 0
setenforce: SELinux is disabled
8.3. 主DNS配置[root@localhost ~]# vim /etc/named.conf
[root@localhost ~]# vim /etc/named.conf
zone "yunbee.net" IN {
type master;
file "yunbee.net.zone";
allow-transfer { 172.16.50.196; }; ### 添加一行
also-notify { 172.16.50.196; }; ### 添加一行
};
zone "50.16.172.in-addr.arpa" IN {
type master;
file "yunbee.arpa.zone";
allow-transfer { 172.16.50.196; }; ### 添加一行
also-notify { 172.16.50.196; }; ### 添加一行
};
8.4. 从DNS配置
[root@localhost ~]# sed -i 's/127.0.0.1;/172.16.50.196;/' /etc/named.conf
[root@localhost ~]# sed -i 's/localhost;/any;/' /etc/named.conf
[root@localhost ~]# vim /etc/named.conf
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
zone "yunbee.net" IN {
type slave;
file "yunbee.net.zone";
masters { 172.16.50.195; };
also-notify { 172.16.50.195; };
};
zone "50.16.172.in-addr.arpa" IN {
type slave;
file "yunbee.arpa.zone";
masters { 172.16.50.195; };
also-notify { 172.16.50.195; };
};
systemctl enable named --now
[root@localhost ~]# netstat -tunpl |grep :53
tcp 0 0 172.16.50.196:53 0.0.0.0:* LISTEN 32966/named
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1897/dnsmasq
udp 0 0 172.16.50.196:53 0.0.0.0:* 32966/named
udp 0 0 192.168.122.1:53 0.0.0.0:* 1897/dnsmasq
udp 0 0 0.0.0.0:5353 0.0.0.0:* 1009/avahi-daemon:
[root@bind-dns2 ~]# cd /var/named/
[root@bind-dns2 named]# ll
total 24
drwxrwx--- 2 named named 23 Sep 12 16:11 data
drwxrwx--- 2 named named 60 Sep 12 16:11 dynamic
-rw-r----- 1 root named 2253 Feb 15 2021 named.ca
-rw-r----- 1 root named 152 Feb 15 2021 named.empty
-rw-r----- 1 root named 152 Feb 15 2021 named.localhost
-rw-r----- 1 root named 168 Feb 15 2021 named.loopback
drwxrwx--- 2 named named 6 Feb 15 2021 slaves
-rw-r--r-- 1 named named 326 Sep 12 16:11 yunbee.arpa.zone
-rw-r--r-- 1 named named 331 Sep 12 16:11 yunbee.net.zone
[root@bind-dns2 named]# nslookup www.yunbee.net
Server: 172.16.50.196
Address: 172.16.50.196#53
Name: www.yunbee.net
Address: 172.16.50.30
10. 配置unbound服务转发到bind服务器
[root@cache-dns ~]# cat /etc/unbound/conf.d/yunbee.com.conf
server:
interface: 172.16.50.194
access-control: 0.0.0.0/0 allow
domain-insecure: "com."
domain-insecure: "cn."
domain-insecure: "net."
forward-zone:
name: "."
forward-addr: 172.16.50.196
11. 客户测试
C:\Users\Administrator>ping www.baidu.com
正在 Ping www.a.shifen.com [14.215.177.39] 具有 32 字节的数据:
来自 14.215.177.39 的回复: 字节=32 时间=26ms TTL=51
来自 14.215.177.39 的回复: 字节=32 时间=26ms TTL=51
来自 14.215.177.39 的回复: 字节=32 时间=26ms TTL=51
14.215.177.39 的 Ping 统计信息:
数据包: 已发送 = 3,已接收 = 3,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
最短 = 26ms,最长 = 26ms,平均 = 26ms
C:\Users\Administrator>nslookup www0.yunbee.net
服务器: UnKnown
Address: 172.16.50.194
非权威应答:
名称: www0.yunbee.net
Address: 172.16.50.31172
12. 指定转发ql.com域
vim /etc/named.conf
zone "yunbee.net" IN {
type master;
file "yunbee.net.zone";
allow-transfer { 172.16.50.196; };
also-notify { 172.16.50.196; };
};
zone "50.16.172.in-addr.arpa" IN {
type master;
file "yunbee.arpa.zone";
allow-transfer { 172.16.50.196; };
also-notify { 172.16.50.196; };
};
/////////////////////// 可以将ql.com 这个域的查询转发到 172.16.50.177
zone "ql.com" IN {
type forward;
forwarders { 172.16.50.177; };
};
[root@bind-dns3 named]# vim /etc/named.conf
zone "ql.com" IN {
type master;
file "ql.com.zone";
};
zone "20.16.172.in-addr.arpa" IN {
type master;
file "ql.arpa.zone";
};
zone "50.16.172.in-addr.arpa" IN {
type master;
file "ql.arpa.50.zone";
};
[root@bind-dns3 named]# cat ql.com.zone
$TTL 1D
@ IN SOA @ root.ql.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS @
A 127.0.0.1
vcenter A 172.16.20.210
www A 172.16.20.200
www0 A 172.16.20.199
host1 A 172.16.50.50
host2 A 172.16.50.51
host3 A 172.16.50.52
[root@bind-dns1 ~]# hostname
bind-dns1
[root@bind-dns1 ~]# nslookup www.ql.com
Server: 172.16.50.195
Address: 172.16.50.195#53
Non-authoritative answer:
Name: www.ql.com
Address: 172.16.20.200
[root@bind-dns1 ~]# nslookup host1.ql.com
Server: 172.16.50.195
Address: 172.16.50.195#53
Non-authoritative answer:
Name: host1.ql.com
Address: 172.16.50.50
13. 受权子域
[root@bind-dns3 named]# hostname
bind-dns3
[root@bind-dns3 named]# ip a s |grep ens192|grep inet
inet 172.16.50.177/24 brd 172.16.50.255 scope global noprefixroute ens192
[root@bind-dns3 named]#
[root@bind-dns3 named]# tail -30 /etc/named.conf
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
zone "zj.yunbee.net" IN {
type master;
file "zj.yunbee.net.zone";
};
[root@bind-dns3 named]# cat zj.yunbee.net.zone
$TTL 1D
@ IN SOA @ root.zj.yunbee.net. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS @
A 172.16.50.177
qlhost1 A 172.16.20.10
qlhost2 A 172.16.20.11
qlhost3 A 172.16.20.99
[root@bind-dns1 named]# hostname
bind-dns1
[root@bind-dns1 named]# ip a s |grep ens192|grep inet
inet 172.16.50.195/24 brd 172.16.50.255 scope
[root@bind-dns1 named]# cat yunbee.net.zone
$TTL 1D
yunbee.net. IN SOA yunbee.net. root.yunbee.net. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
yunbee.net. IN NS yunbee.net.
yunbee.net. IN A 172.16.50.195
www.yunbee.net. IN A 172.16.50.30
www0.yunbee.net. IN A 172.16.50.31
ftp.yunbee.net. IN CNAME www0
zj.yunbee.net. IN NS zj.yunbee.net.
zj.yunbee.net. IN A 172.16.50.177
[root@bind-dns1 named]# hostname
bind-dns1
[root@bind-dns1 named]# ip a s |grep ens192|grep inet
inet 172.16.50.195/24 brd 172.16.50.255 scope global noprefixroute ens192
[root@bind-dns1 named]#
[root@bind-dns1 named]# cat yunbee.net.zone
$TTL 1D
yunbee.net. IN SOA yunbee.net. root.yunbee.net. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
yunbee.net. IN NS yunbee.net.
yunbee.net. IN A 172.16.50.195
www.yunbee.net. IN A 172.16.50.30
www0.yunbee.net. IN A 172.16.50.31
ftp.yunbee.net. IN CNAME www0
zj.yunbee.net. IN NS zj.yunbee.net.
zj.yunbee.net. IN A 172.16.50.177
[root@bind-dns1 named]# nslookup qlhost1.zj.yunbee.net
Server: 172.16.50.195
Address: 172.16.50.195#53
Non-authoritative answer:
Name: qlhost1.zj.yunbee.net
Address: 172.16.20.10
[root@bind-dns1 named]# dig -t A qlhost1.zj.yunbee.net @172.16.50.195
; <<>> DiG 9.11.26-RedHat-9.11.26-3.el8 <<>> -t A qlhost1.zj.yunbee.net @172.16.50.195
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9141
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: bb7387e025885a188f05e654613ec6dc7b348ab522ba7c99 (good)
;; QUESTION SECTION:
;qlhost1.zj.yunbee.net. IN A
;; ANSWER SECTION:
qlhost1.zj.yunbee.net. 85890 IN A 172.16.20.10
;; AUTHORITY SECTION:
zj.yunbee.net. 86400 IN NS zj.yunbee.net.
;; Query time: 0 msec
;; SERVER: 172.16.50.195#53(172.16.50.195)
;; WHEN: Mon Sep 13 11:34:52 CST 2021
;; MSG SIZE rcvd: 108