DNS Setup

言午栩 2022-03-16 · 90 reads

Foreword: some of the guides online fail when you follow them step by step, so I put together my own.

Two virtual machines:

| IP | System | Role |
|---|---|---|
| 172.29.156.212 | release V10 (SP1) /(Tercel)-x86_64-Build20/20210518 | DNS server, hostname: demo-node1 |
| 172.29.156.213 | Kylin | Client, hostname: demo-node2 |

Server installation

1. Install the bind packages on the DNS server:

```shell
yum -y install bind-utils bind bind-devel bind-libs
```
2. Stop the firewall:

```shell
systemctl stop firewalld.service
```
3. Configure the main configuration file /etc/named.conf (the two lines marked `// changed` differ from the stock file):

```
options {
        listen-on port 53 { any; };    // changed
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
        allow-query     { any; }; // changed

        /* 
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable 
           recursion. 
         - If your recursive DNS server has a public IP address, you MUST enable access 
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification 
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface 
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
```
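The options block above turns the server into an open recursive resolver: `allow-query { any; }` together with `recursion yes;` lets every host that can reach port 53 recurse through it, which is the amplification risk the comment inside the file warns about. The shell example below is added here and is not part of the original post: it prints the post's options beside a version that uses `allow-recursion` to limit recursion to the lab subnet, and includes a small check function that flags the open case. The subnet 172.29.156.0/24 and the ACL name `lab` are assumptions for this lab.

```shell
#!/bin/sh
# Added example (not from the original post): the post's options block
# beside a version that restricts recursion to the lab subnet.
# Assumptions: lab subnet 172.29.156.0/24, ACL name "lab".

# Emit the options block as the post has it: open recursive resolver.
open_resolver_options() {
    cat <<'EOF'
options {
        listen-on port 53 { any; };
        allow-query     { any; };
        recursion yes;
};
EOF
}

# Emit a hardened block: authoritative answers (kylin.com) for anyone who
# can reach the box, but recursion and cache reads only for lab hosts.
restricted_resolver_options() {
    cat <<'EOF'
acl "lab" { 127.0.0.1; 172.29.156.0/24; };
options {
        listen-on port 53 { any; };
        allow-query     { any; };
        recursion yes;
        allow-recursion   { lab; };
        allow-query-cache { lab; };
};
EOF
}

# Return 0 when the config text restricts recursion, 1 when it is an open
# recursive resolver ("recursion yes;" without any allow-recursion).
recursion_is_restricted() {
    conf="$1"
    if printf '%s\n' "$conf" | grep -q '^[[:space:]]*recursion[[:space:]]*yes;' \
       && ! printf '%s\n' "$conf" | grep -q 'allow-recursion'; then
        return 1
    fi
    return 0
}
```

Run `restricted_resolver_options` to see the hardened block; swap it in for the post's options, re-run `named-checkconf /etc/named.conf` and restart named. Answers for `kylin.com` still work from any client, but a recursive query for a foreign name from outside the subnet is refused instead of being answered. If you would rather keep firewalld running than stop it as step 2 does, `firewall-cmd --permanent --add-service=dns && firewall-cmd --reload` opens port 53 only.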

4. Append the zone entry to /etc/named.rfc1912.zones:

```
zone "kylin.com" IN {           # the test domain is kylin.com
        type master;
        file "kylin.com.zone";  # zone file kylin.com.zone, located under /var/named/
};
```
5. Create the kylin.com.zone file referenced above:

```shell
cd /var/named/
cp named.localhost kylin.com.zone
chown named:named kylin.com.zone
```
6. Edit kylin.com.zone (zone-file comments start with `;`, not `#`):

```
; append at the end; this is equivalent to configuring the mapping www.kylin.com -> 172.29.156.213 on this server
www     IN A       172.29.156.213
```
7. Start the service and test:

```shell
systemctl start named
systemctl enable named
```

Check that the port is listening:

```shell
netstat -tlunp | grep 53
```

Test resolution on the server itself:

```shell
dig @127.0.0.1 www.kylin.com
```

Result:

[Screenshot: dig output for www.kylin.com, not reproduced here]
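The post copies `named.localhost` and appends a single A record, so the SOA and NS records the zone inherits are the stock localhost ones. The shell example below is added here and is not the post's own code: it writes a complete `kylin.com` zone file with its own SOA, an NS record and the two A records, validates it with `named-checkzone` when that tool is installed, and installs it with the ownership step 5 uses. Assumed values: `ns1.kylin.com` is the DNS server 172.29.156.212, `admin@kylin.com` is the contact, and the serial is passed in as `YYYYMMDDnn`.

```shell
#!/bin/sh
# Added example (not from the original post): generate, validate and
# install a complete kylin.com zone file.
# Assumptions: ns1 = 172.29.156.212 (the DNS server), www = 172.29.156.213,
# contact admin.kylin.com, serial supplied by the caller as YYYYMMDDnn.

# Print a complete zone file for kylin.com. $1 = serial, e.g. 2022031601.
kylin_zone_file() {
    serial="$1"
    cat <<EOF
\$TTL 1D
@       IN SOA  ns1.kylin.com. admin.kylin.com. (
                                        ${serial}  ; serial
                                        1D         ; refresh
                                        1H         ; retry
                                        1W         ; expire
                                        3H )       ; minimum
        IN NS   ns1.kylin.com.
ns1     IN A    172.29.156.212
www     IN A    172.29.156.213
EOF
}

# Count the A records in zone text read from stdin (quick sanity check).
count_a_records() {
    grep -c '[[:space:]]IN[[:space:]]*A[[:space:]]'
}

# Validate with named-checkzone if it is installed; return 0 when the tool
# is missing so the script still works on a box without bind-utils.
# $1 = zone name, $2 = zone file path.
check_zone_file() {
    zone="$1"; file="$2"
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$zone" "$file"
    else
        echo "named-checkzone not installed, skipping syntax check" >&2
        return 0
    fi
}

# Write the zone to /var/named with the ownership used in step 5.
# Needs root. $1 = serial.
install_zone() {
    serial="$1"
    tmp=$(mktemp)
    kylin_zone_file "$serial" > "$tmp"
    check_zone_file kylin.com "$tmp" || { rm -f "$tmp"; return 1; }
    install -o named -g named -m 0640 "$tmp" /var/named/kylin.com.zone
    rm -f "$tmp"
}
```

Run `install_zone 2022031601` as root on the DNS server, then `rndc reload kylin.com` (or `systemctl restart named`) and repeat the `dig` above. Bump the serial every time the zone changes; a stale serial is the usual reason a secondary, if you later add one, never picks up an edit.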

Client configuration

On the client, set the DNS entry in /etc/sysconfig/network-scripts/ifcfg-ens32 to the server's IP, then restart the network interface.
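For the client step, here is an added shell example (not from the post) that edits the `DNS1=` entry in an ifcfg file idempotently, rejects values that are not dotted-decimal addresses, and shows the commands used to confirm the change. It assumes the post's server 172.29.156.212, the interface `ens32` with a NetworkManager connection of the same name, and that `dig` is installed on the client; the file path is a parameter so the edit can be exercised on a scratch file.

```shell
#!/bin/sh
# Added example (not from the original post): point a client at the DNS
# server by editing DNS1= in its ifcfg file, then verify.
# Assumptions: server 172.29.156.212, interface/connection name ens32.

# Set or replace DNS1 in an ifcfg file. $1 = file, $2 = DNS server IP.
set_dns1() {
    file="$1"; dns="$2"
    case "$dns" in
        ''|*[!0-9.]*) echo "not a dotted-decimal IPv4 address: '$dns'" >&2; return 1 ;;
    esac
    if grep -q '^DNS1=' "$file"; then
        sed -i "s/^DNS1=.*/DNS1=${dns}/" "$file"   # replace the existing entry
    else
        printf 'DNS1=%s\n' "$dns" >> "$file"      # no entry yet, append one
    fi
}

# Print the DNS1 value currently set in an ifcfg file. $1 = file.
get_dns1() {
    sed -n 's/^DNS1=//p' "$1" | tail -n 1
}

# On the real client: apply the setting, bring the interface up again,
# then confirm resolv.conf was regenerated and the test name resolves.
apply_on_client() {
    set_dns1 /etc/sysconfig/network-scripts/ifcfg-ens32 172.29.156.212 || return 1
    if command -v nmcli >/dev/null 2>&1; then
        nmcli connection reload && nmcli connection up ens32
    else
        systemctl restart network
    fi
    grep nameserver /etc/resolv.conf
    dig +short www.kylin.com
}
```

After `apply_on_client`, `/etc/resolv.conf` should list `nameserver 172.29.156.212` and the last line printed should be `172.29.156.213`, the address from step 6.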

Test result:

[Screenshot: resolution test from the client, not reproduced here]

Troubleshooting

Check the syntax of the main configuration file:

```shell
named-checkconf /etc/named.conf
```

Check the syntax of the zone file (zone name first, then the file; the values below match the zone set up above):

```shell
named-checkzone kylin.com /var/named/kylin.com.zone
```

or check the main file and every zone it references in one go:

```shell
named-checkconf -z /etc/named.conf
```