DNS Setup

Preface: some of the guides online may fail when you follow them step by step, so I put together my own.

Two virtual machines
| IP | OS | Notes |
|---|---|---|
| 172.29.156.212 | release V10 (SP1) /(Tercel)-x86_64-Build20/20210518 | DNS server, hostname: demo-node1 |
| 172.29.156.213 | Kylin | Client, hostname: demo-node2 |
Server installation

- Install the bind service on the DNS server:

```bash
yum -y install bind-utils bind bind-devel bind-libs
```

- Stop the firewall:

```bash
systemctl stop firewalld.service
```
- Configure the main configuration file, /etc/named.conf:

```conf
options {
	listen-on port 53 { any; };    // changed
	listen-on-v6 port 53 { ::1; };
	directory "/var/named";
	dump-file "/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	secroots-file "/var/named/data/named.secroots";
	recursing-file "/var/named/data/named.recursing";
	allow-query { any; };          // changed

	/*
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable
	   recursion.
	 - If your recursive DNS server has a public IP address, you MUST enable access
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface
	*/
	recursion yes;

	dnssec-enable yes;
	dnssec-validation yes;

	managed-keys-directory "/var/named/dynamic";

	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";

	/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
	include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
	channel default_debug {
		file "data/named.run";
		severity dynamic;
	};
};

zone "." IN {
	type hint;
	file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
```
- Append a zone entry to /etc/named.rfc1912.zones:

```conf
zone "kylin.com" IN {      # the test domain is kylin.com
	type master;
	file "kylin.com.zone";   # zone file is kylin.com.zone, located under /var/named/
};
```
- Create the kylin.com.zone file referenced above:

```bash
cd /var/named/
cp named.localhost kylin.com.zone
chown named:named kylin.com.zone
```
- Edit kylin.com.zone (zone files use `;` for comments):

```zone
; append at the end: this host now answers www.kylin.com with the address below
www IN A 172.29.156.213
```
- Start the service and test it:

```bash
systemctl start named
systemctl enable named
```

Check that port 53 is listening:

```bash
netstat -tlunp | grep 53
```

Test resolution locally:

```bash
dig @127.0.0.1 www.kylin.com
```

Check the result:
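Before moving on to the client, a check on the options block above, added here as example code (not part of the original post or of BIND): the stock comment in named.conf warns that a recursive server that accepts queries from anyone becomes an open resolver, and the configuration above sets both `recursion yes` and `allow-query { any; }`. The script below parses the options block and reports that combination; `POST_CONF` is constructed from the block above, and the fallback chain for the effective allow-recursion ACL follows the BIND ARM defaults.

```python
import re

# Constructed from the options block in this post (only the relevant lines).
POST_CONF = """
options {
    listen-on port 53 { any; }; // changed
    allow-query { any; }; // changed
    /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
    recursion yes;
};
"""

def strip_comments(text):
    """named.conf accepts /* */, // and # comments; drop all three."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def parse_options(conf):
    """Map each statement inside options {} to its value: a list for
    { a; b; } address lists (the 'port 53' prefix is dropped), else a string."""
    m = re.search(r"\boptions\s*\{", strip_comments(conf))
    body = m.string[m.end():] if m else ""
    opts, depth, stmt = {}, 1, ""
    for ch in body:
        depth += {"{": 1, "}": -1}.get(ch, 0)
        if depth == 0:                     # closing brace of options {}
            break
        if ch == ";" and depth == 1:       # end of a top-level statement
            key, rest = (stmt.split(None, 1) + ["", ""])[:2]
            if "{" in rest:
                inner = rest[rest.index("{") + 1:rest.rindex("}")]
                opts[key] = [x.strip() for x in inner.split(";") if x.strip()]
            elif key:
                opts[key] = rest.strip()
            stmt = ""
        else:
            stmt += ch
    return opts

def check_open_resolver(opts):
    """Flag what the stock named.conf comment warns about: recursion enabled while
    the effective allow-recursion ACL (BIND default chain: allow-recursion ->
    allow-query-cache -> allow-query -> localhost/localnets) admits 'any'."""
    if opts.get("recursion", "yes") != "yes":   # BIND defaults to recursion yes
        return []
    acl = (opts.get("allow-recursion") or opts.get("allow-query-cache")
           or opts.get("allow-query") or ["localhost", "localnets"])
    if "any" in acl:
        return ["open resolver: recursion yes and allowed from { any; }; restrict allow-recursion"]
    return []
```

Adding an `allow-recursion { <your client subnet>; };` line to the options block makes the check pass while the server still answers the client's queries.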
Client configuration

On the client, set the DNS entry (the `DNS1=` line) in /etc/sysconfig/network-scripts/ifcfg-ens32 to the server's IP, 172.29.156.212, and restart the network interface.

Test as shown in the figure:
How to check for errors

Check the syntax of the main configuration file:

```bash
named-checkconf /etc/named.conf
```

Check the syntax of the zone file (the zone name must match the zone statement, the path is the file created above):

```bash
named-checkzone kylin.com /var/named/kylin.com.zone
```

or, in one step:

```bash
named-checkconf -z /etc/named.conf   # -z also loads and checks every zone file referenced by the config
```