[安装]
:yum install bind bind-utils bind-chroot -y
[配置]
:/etc/named.conf # 主配置文件
:/etc/named/zone # 文件
[bind-chroot - /var/named/chroot/etc/named.conf]
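# Populate the bind-chroot tree: sample data files plus the state files named writes
# while running (cache dumps, statistics, managed DNSSEC keys).
# Adjust the doc path to the installed version (ls -d /usr/share/doc/bind-*).
cp -R /usr/share/doc/bind-9.9.4/sample/var/named/* /var/named/chroot/var/named/
touch /var/named/chroot/var/named/data/cache_dump.db
touch /var/named/chroot/var/named/data/named_stats.txt
touch /var/named/chroot/var/named/data/named_mem_stats.txt
touch /var/named/chroot/var/named/data/named.run
mkdir -p /var/named/chroot/var/named/dynamic
touch /var/named/chroot/var/named/dynamic/managed-keys.bind
cp -R /etc/named* /var/named/chroot/etc/
# Configuration stays owned by root, readable by the named group (root:named, not the
# deprecated root.named spelling).
chown -R root:named /var/named/chroot/
# Only data/ and dynamic/ have to be writable by the named user. The original used
# chmod -R 777 here, which makes the managed trust anchors (managed-keys.bind) and
# the dump/stat files writable by every local account; 770 owned by named:named is
# sufficient for named and keeps other users out.
chown -R named:named /var/named/chroot/var/named/data /var/named/chroot/var/named/dynamic
chmod -R 770 /var/named/chroot/var/named/data /var/named/chroot/var/named/dynamic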
[DNS服务配置 - vim /var/named/chroot/etc/named.conf]
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
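options {
	listen-on port 53 { any; };           # changed from 127.0.0.1 to any: accept queries on every IPv4 address
	listen-on-v6 port 53 { ::1; };
	directory "/var/named";
	dump-file "/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	recursing-file "/var/named/data/named.recursing";
	secroots-file "/var/named/data/named.secroots";
	allow-query { any; };                 # changed to any: anyone may query the zones this server is authoritative for
	/*
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable
	   recursion.
	 - If your recursive DNS server has a public IP address, you MUST enable access
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface
	*/
	recursion yes;                        # unchanged: this server also acts as a recursive resolver
	# listen-on any + allow-query any + recursion yes with no access control is an
	# open resolver, exactly the situation the comment above warns about.
	# Restrict recursion (and the cache it fills) to this host and the networks
	# directly attached to it; authoritative answers for the zones below stay
	# available to everyone via allow-query. Replace "localnets" with an explicit
	# acl { ... }; if legitimate clients sit on other subnets.
	allow-recursion { localhost; localnets; };
	allow-query-cache { localhost; localnets; };
	dnssec-enable yes;                    # unchanged
	dnssec-validation yes;                # unchanged
	/* Path to ISC DLV key - only consulted when dnssec-lookaside is enabled, which
	   it is not here; ISC has since retired the DLV registry, so leave lookaside off. */
	bindkeys-file "/etc/named.iscdlv.key";
	managed-keys-directory "/var/named/dynamic";
	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";
};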
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
[域空间配置文件 vim /var/named/chroot/etc/named.rfc1912.zones]
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Stock RFC 1912 local zones shipped with the package. They answer localhost and the
// loopback reverse lookups locally instead of forwarding them upstream; leave them as
// shipped. "type master" = this server holds the zone data, "allow-update { none; }"
// = no dynamic updates accepted.
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
// Reverse zone for the IPv6 loopback address ::1.
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
// Reverse zone for the IPv4 loopback address 127.0.0.1.
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
// Empty zone for 0.0.0.0/8 so those lookups never leave this server.
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
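// Newly added entry: the internal zone served by this server.
zone "jiyuan.com" IN {                 // jiyuan.com is the custom domain name
	type master;                        // this is the first (and so far only) DNS server for the zone, hence the primary
	// Zone data file, resolved relative to the "directory" option, i.e. it is looked up
	// in /var/named/chroot/var/named/. The name must match the file created in the next
	// step; the original referenced "creatson.com.zone" while the file actually created
	// is jiyuan.com.zone, so the zone would fail to load.
	file "jiyuan.com.zone";
	allow-update { none; };             // no dynamic updates, consistent with the zones above
	// No secondary servers exist for this zone, so refuse zone transfers: BIND's default is
	// allow-transfer { any; }, which would hand the full host list to anyone who can query.
	// Add the secondaries' addresses here when one is introduced.
	allow-transfer { none; };
};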
[为新增配置项目, 创建这个域的配置文件]
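# Use the packaged named.localhost as the template and name the copy exactly as the
# "file" entry of the zone in named.rfc1912.zones. ("//" is not a shell comment
# character; the original line would have been executed as a command.)
cp /var/named/chroot/var/named/named.localhost /var/named/chroot/var/named/jiyuan.com.zone
vim /var/named/chroot/var/named/jiyuan.com.zone   # edit the records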
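; Zone data for jiyuan.com. Comments in BIND master files start with ";" -
; "#" is NOT a comment character here and the "##" annotations in the original
; would make the zone fail to load.
$TTL 1D
@	IN SOA	@ rname.invalid. (
					0	; serial - bump on every edit so secondaries notice the change
					1D	; refresh
					1H	; retry
					1W	; expire
					3H )	; minimum (negative-caching TTL)
	NS	@
	A	127.0.0.1
	AAAA	::1
; NOTE(review): "NS @" with "A 127.0.0.1" is inherited from the named.localhost
; template; it makes jiyuan.com itself and its nameserver resolve to loopback for
; every client. Point the NS at this server's reachable address (e.g. an "ns1" A
; record plus "NS ns1") before other hosts rely on this zone.
; Host records: name -> IPv4 address. "IN" is the Internet class, "A" an IPv4 record.
sinoxx	IN A	192.168.9.89
jenkins	IN A	192.168.9.90
gitlab	IN A	192.168.9.55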
## TTL 就是修改配置的生效时间,本质上就是这个域的DNS信息在别的DNS服务器的缓存中存在多久,默认为一天
serial ## 这个是配置的编号,每次修改完配置后这个编号变化一下,通常是直接+1,这样从服务器就能知道有修改并更新配置
refresh ## 从服务器刷新时间,默认一天刷新一次
retry ## 如果刷新失败,默认1小时重试一次
expire ## 从服务器与主服务器失联后, 继续对外应答该区域数据的最长时间, 超过一周仍联系不上主服务器则停止应答; 最后的 minimum(3H) 是否定应答(NXDOMAIN)在其他DNS缓存中保留的时间
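# Validate the configuration and the new zone before (re)starting named; a syntax
# error here takes the resolver down for every client. -t points named-checkconf at
# the chroot so paths in named.conf are resolved the same way named-chroot resolves them.
named-checkconf -t /var/named/chroot /etc/named.conf
named-checkzone jiyuan.com /var/named/chroot/var/named/jiyuan.com.zone
# With bind-chroot installed start named-chroot; without it start named instead.
# (The original wrote "// systemctl start named" - "//" is not a shell comment.)
# systemctl start named
systemctl start named-chroot          # start the service
systemctl enable named-chroot         # start at boot
# Open TCP/UDP 53 in firewalld persistently, then apply the rule set.
firewall-cmd --add-service=dns --permanent
firewall-cmd --reload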