DNS 是互联网的基石之一,是信息互联网不可或缺的基础设施;DNS 的稳定性和可靠性直接决定业务系统的可用性,因此很多企业会自建 DNS 来满足自身业务需要。
bind9是常见的开源DNS软件,功能强大。是目前使用最广泛的DNS软件之一。
本文讲述bind9源码方式安装。
准备工作
以各大云主机厂商常用的镜像 centos-8.5 为例。需要注意:CentOS Linux 8 已于 2021 年 12 月 31 日停止维护,不再发布安全更新,官方软件源也已迁移到 vault.centos.org;下面的步骤一般也适用于仍在维护的同源发行版(如 Rocky Linux 8 / AlmaLinux 8),生产环境建议选用后者。
# cat /etc/redhat-release
CentOS Linux release 8.5.2111
# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:6a:c8:d2 brd ff:ff:ff:ff:ff:ff
inet 192.168.3.7/24 brd 192.168.3.255 scope global dynamic noprefixroute ens32
valid_lft 603011sec preferred_lft 603011sec
仅在测试期间可以先关闭 SELinux 和 firewalld,以便排除环境因素;正式对外提供服务前务必恢复二者,并只放行 53/tcp 与 53/udp(本文生成的 rndc 配置只监听 127.0.0.1:953,该端口不应对外开放)。
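# Testing only: relax SELinux and stop firewalld so a failing lookup can be
# attributed to BIND itself rather than to the host. Re-enable both before the
# server is reachable from anything but the lab network: an open port 53 with
# no host firewall is what turns a misconfigured resolver into an
# amplification source.
setenforce 0
# "permissive", not "disabled": denials are still written to the audit log
# (so you learn what a later "enforcing" would block), and switching back does
# not require the full filesystem relabel that "disabled" -> "enforcing" does.
sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config
systemctl disable --now firewalld
# To restore afterwards:
#   sed -i 's/^SELINUX=permissive$/SELINUX=enforcing/' /etc/selinux/config
#   setenforce 1
#   systemctl enable --now firewalld
#   firewall-cmd --permanent --add-service=dns && firewall-cmd --reload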
基础依赖包安装
基本依赖包
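# Build toolchain plus the development headers BIND's ./configure probes for.
# One transaction instead of thirteen: yum resolves the whole set at once and
# a missing package aborts with a non-zero status instead of being silently
# skipped by the next line.
# Several *-devel packages (protobuf-c-devel, fstrm-devel, json-c-devel, ...)
# live in the PowerTools/CRB repository on CentOS 8, which is disabled by
# default; if yum reports "No match for argument", enable it first:
#   dnf config-manager --set-enabled powertools
# fstrm/protobuf-c are only needed for --enable-dnstap; mysql-devel is not
# used by BIND's own build and is kept only for an external DLZ backend.
yum -y install \
  pkg-config pkgconfig pkgconf \
  perl \
  gcc make gcc-c++ cmake \
  autoconf automake libtool \
  protobuf-c-compiler protobuf-c protobuf-c-devel \
  libcap libcap-devel \
  fstrm fstrm-devel \
  libxml2 libxml2-devel \
  zlib zlib-devel \
  json-c json-c-devel \
  systemd-devel \
  mysql-devel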
liburcu包
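# liburcu (userspace RCU): a hard build dependency of BIND 9.19.x, built from
# source because the distro package is too old.
# The build below runs as root and the result is linked into named, so verify
# the tarball against the checksum/signature the project publishes next to
# the release before unpacking it, e.g.
#   echo "<sha256 from the release page>  userspace-rcu-0.14.0.tar.bz2" | sha256sum -c -
wget https://lttng.org/files/urcu/userspace-rcu-0.14.0.tar.bz2
tar xvfj userspace-rcu-0.14.0.tar.bz2 \
  && cd userspace-rcu-0.14.0 \
  && ./configure --prefix=/usr/local/rcu \
  && make \
  && make install \
  && cd ..
# Make the library visible to pkg-config (BIND's configure looks in the
# system directory; an alternative that leaves /usr/lib64 alone is
#   export PKG_CONFIG_PATH=/usr/local/rcu/lib/pkgconfig:$PKG_CONFIG_PATH )
cp -fr /usr/local/rcu/lib/pkgconfig/* /usr/lib64/pkgconfig/
# ...and to the run-time loader, whether or not the build embeds an rpath:
# otherwise named may fail at start-up with "cannot open shared object file".
echo /usr/local/rcu/lib > /etc/ld.so.conf.d/urcu.conf && ldconfig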
libuv包
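# libuv: BIND's event loop. Removing the distro copy (presumably so the loader
# cannot pick the older /usr/lib64 library over the one built below) also
# removes every package that depends on it, and `-y` hides that list - on
# CentOS 8 cmake is typically one such dependent. Look first:
dnf repoquery --installed --whatrequires libuv
yum -y remove libuv
# Verify the release against the checksum/signature published with it:
#   echo "<sha256 from the release page>  libuv-v1.47.0.tar.gz" | sha256sum -c -
wget https://dist.libuv.org/dist/v1.47.0/libuv-v1.47.0.tar.gz
tar zxvf libuv-v1.47.0.tar.gz \
  && cd libuv-v1.47.0 \
  && sh autogen.sh \
  && ./configure --prefix=/usr/local/libuv \
  && make \
  && make install \
  && cd ..
# pkg-config metadata for BIND's configure, and loader path for run time.
cp /usr/local/libuv/lib/pkgconfig/libuv.pc /usr/lib64/pkgconfig/
echo /usr/local/libuv/lib > /etc/ld.so.conf.d/libuv.conf && ldconfig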
libnghttp2包
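# libnghttp2: needed for DNS-over-HTTPS support in named. As with the other
# tarballs, verify before building as root:
#   echo "<sha256 from the release page>  nghttp2-1.58.0.tar.bz2" | sha256sum -c -
wget https://github.com/nghttp2/nghttp2/releases/download/v1.58.0/nghttp2-1.58.0.tar.bz2
tar jxvf nghttp2-1.58.0.tar.bz2 \
  && cd nghttp2-1.58.0 \
  && ./configure --prefix=/usr/local/libnghttp2 \
  && make \
  && make install \
  && cd ..
cp /usr/local/libnghttp2/lib/pkgconfig/libnghttp2.pc /usr/lib64/pkgconfig/
# The distro already ships an older libnghttp2 in /usr/lib64 (curl uses it).
# Directories from ld.so.conf.d are searched before the trusted system
# directories, so this makes named - and curl - load the newer copy.
echo /usr/local/libnghttp2/lib > /etc/ld.so.conf.d/libnghttp2.conf && ldconfig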
bind9源码安装
安装
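# BIND itself. Mind the branch: 9.19.x is ISC's *development* series (the
# `rndc status` output later in this page says "Development Release"). For a
# server that answers real clients use the current stable, even-numbered
# branch and repeat the same steps with its tarball.
wget https://ftp.isc.org/isc/bind9/9.19.23/bind-9.19.23.tar.xz
# ISC publishes a detached OpenPGP signature for every release. Import ISC's
# current release-signing key (https://www.isc.org/pgpkey/) first; nothing is
# unpacked unless the signature checks out.
wget https://ftp.isc.org/isc/bind9/9.19.23/bind-9.19.23.tar.xz.asc
gpg --verify bind-9.19.23.tar.xz.asc bind-9.19.23.tar.xz \
  && tar xfv bind-9.19.23.tar.xz \
  && cd bind-9.19.23
more README.md      # build notes for this release
./configure --help  # list the available options before choosing
# --enable-leak-detection, --enable-singletrace, --enable-querytrace and
# --enable-tracing are debugging aids: extra overhead and extra log output,
# fine for a lab build, not for one that serves production queries.
# --with-dnsrps-libname and --with-dnsrps-dir are passed here without a value;
# they normally take =NAME / =DIR - check `./configure --help` and either set
# them or drop them (they only matter with the external DNSRPS/RPZ library).
./configure \
  --prefix=/usr/local/bind \
  --enable-fixed-rrset \
  --enable-dnstap \
  --enable-leak-detection \
  --enable-singletrace \
  --enable-querytrace \
  --enable-auto-validation \
  --enable-dnsrps-dl \
  --enable-dnsrps \
  --enable-tracing \
  --with-libxml2 \
  --with-zlib \
  --with-dnsrps-libname \
  --with-dnsrps-dir \
  --with-libsystemd
make
make install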
创建软链接
# Put the BIND binaries on the default PATH without editing PATH itself.
# `ln -s` refuses to overwrite: if the distro's bind-utils is installed,
# the dig/nslookup/host links will report "File exists" and keep the
# distro binaries - remove bind-utils or the old files first if you want
# the freshly built tools.
ln -s /usr/local/bind/sbin/rndc /usr/sbin/rndc
for tool in named named-checkconf; do
  ln -s "/usr/local/bind/sbin/${tool}" "/usr/bin/${tool}"
done
for tool in dig nslookup host; do
  ln -s "/usr/local/bind/bin/${tool}" "/usr/bin/${tool}"
done
配置
创建配置目录及bind9启动用户bind
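# Configuration tree and the unprivileged account named drops to (-u bind in
# the service unit). -r makes it a system account: no password aging, UID from
# the system range, no skeleton files.
mkdir -p /usr/local/bind/{etc,var}
useradd -r -s /sbin/nologin -d /usr/local/bind/var/named bind
# Every directory named.conf writes into must exist and be writable by bind:
#   data/     dump-file, statistics-file, memstatistics-file, secroots-file,
#             recursing-file  (missing in the original list -> rndc dumpdb /
#             rndc stats fail with "permission denied"/"no such directory")
#   dynamic/  managed-keys-directory (DNSSEC trust-anchor state)
#   run/      pid-file and session-keyfile
#   logs/     logging channel files
#   slaves/   secondary-zone copies, if any are added later
mkdir -p /usr/local/bind/var/named/{data,logs,dynamic,slaves,run}
chown -R bind:bind /usr/local/bind/var/named
# Keep the tree out of reach of other local users: the TSIG session key in
# run/ and the cache dump in data/ are not for every account on the box.
chmod 750 /usr/local/bind/var/named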
rndc配置
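# rndc control channel. rndc-confgen prints a ready-made rndc.conf followed by
# a commented-out copy of the same key plus a "controls" statement intended
# for named.conf. The helper uncomments that trailer by its delimiter lines
# instead of counting lines from the end of the output, so it keeps working if
# a future rndc-confgen adds or removes a line.
extract_named_controls() {
  # stdin: full rndc-confgen output; stdout: uncommented key + controls block
  sed -n '/^# Use with the following/,/^# End of named.conf/p' \
    | sed -e '1d' -e '$d' -e 's/^# \{0,1\}//'
}
# Both files carry the shared secret: create them unreadable to other local
# users from the first byte (a plain redirect inherits umask 022 -> 0644).
(umask 077 && /usr/local/bind/sbin/rndc-confgen > /usr/local/bind/etc/rndc.conf)
(umask 077 && extract_named_controls < /usr/local/bind/etc/rndc.conf \
                 > /usr/local/bind/etc/rndc.key)
# rndc.conf is read by rndc (run as root). rndc.key is included from
# named.conf and re-read by named *as user bind* on reload, so group bind
# needs read access; nobody else does.
chown root:root /usr/local/bind/etc/rndc.conf && chmod 600 /usr/local/bind/etc/rndc.conf
chown root:bind /usr/local/bind/etc/rndc.key  && chmod 640 /usr/local/bind/etc/rndc.key
# The extracted block must parse as named.conf syntax.
/usr/local/bind/sbin/named-checkconf /usr/local/bind/etc/rndc.key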
named.ca文件
named.ca 是根提示(root hints)文件:保存根区 "." 的 NS 记录以及根服务器的地址。根服务器地址偶有变动,建议定期重新生成,并可与 InterNIC 发布的 https://www.internic.net/domain/named.root 核对。
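# Root hints: the NS set for "." plus the glue addresses the root server
# returns in the additional section. Write to a temp file and install it only
# when dig succeeded *and* the answer actually contains root NS records -
# a plain redirect would leave an empty hint zone on any failure, and a
# resolver that cannot prime. (named also has compiled-in hints as a fallback
# when no hint zone is configured at all.)
hints_tmp=$(mktemp)
if [ -n "$hints_tmp" ] \
   && /usr/local/bind/bin/dig @a.root-servers.net . -t ns > "$hints_tmp" \
   && grep -Eq '^\.[[:space:]]+[0-9]+[[:space:]]+IN[[:space:]]+NS[[:space:]]' "$hints_tmp"; then
  chmod 644 "$hints_tmp"     # mktemp creates 0600; named reads this as user bind
  mv "$hints_tmp" /usr/local/bind/etc/named.ca
else
  rm -f "$hints_tmp"
  echo "root hints not updated; fetch https://www.internic.net/domain/named.root by hand" >&2
fi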
本地localhost解析
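# Zone templates for localhost / loopback / empty reverse zones. They come
# from a third-party site, and named.rfc1912.zones is *included* into
# named.conf below - whatever that host serves becomes server configuration.
# Read all four files before using them. The same templates ship in the
# CentOS `bind` package (/etc/named.rfc1912.zones, /var/named/named.*) if
# you prefer to copy them from a signed RPM.
for f in named.empty named.localhost named.loopback named.rfc1912.zones; do
  wget "https://data.mm-dns.com/dw/${f}" -O "/usr/local/bind/etc/${f}" || break
done
# The zone files were saved under etc/, but `file` paths inside the .zones
# file resolve relative to named.conf's `directory` option unless they are
# absolute - list them and make sure they point where the files actually are
# (named-checkconf -z on the final config will also catch a mismatch).
grep -n 'file ' /usr/local/bind/etc/named.rfc1912.zones
/usr/local/bind/sbin/named-checkconf /usr/local/bind/etc/named.rfc1912.zones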
named.conf配置
/usr/local/bind/etc/named.conf
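// Clients allowed to use this server as a resolver. Never append "any;" here:
// it nullifies the private ranges and - with recursion on and
// listen-on { any; } - makes this an open recursive resolver, i.e. a DNS
// amplification/reflection source and an easy target for cache-poisoning
// attempts from the whole Internet.
acl LAN-user {
	10.0.0.0/8;
	172.16.0.0/12;
	192.168.0.0/16;
};

options {
	// Narrow to the server's own address(es) if the host has interfaces
	// that should not answer DNS.
	listen-on port 53 { any; };
	//listen-on-v6 port 53 { ::1; };

	// Base directory for every relative path below: logging channel files,
	// zone files in the included rfc1912 zones, managed-keys-directory, ...
	directory "/usr/local/bind/var/named";
	dump-file "/usr/local/bind/var/named/data/cache_dump.db";
	statistics-file "/usr/local/bind/var/named/data/named_stats.txt";
	memstatistics-file "/usr/local/bind/var/named/data/named_mem_stats.txt";
	secroots-file "/usr/local/bind/var/named/data/named.secroots";
	recursing-file "/usr/local/bind/var/named/data/named.recursing";

	// Who may ask at all, who may read the cache, and who may trigger
	// recursion: all restricted to the LAN. Authoritative answers for the
	// zones defined below are still served to these clients.
	allow-query { localhost; LAN-user; };
	allow-query-cache { localhost; LAN-user; };
	allow-recursion { localhost; LAN-user; };
	recursion yes;

	// No AXFR/IXFR to anyone by default; a per-zone allow-transfer can
	// reopen it for real secondaries.
	allow-transfer { none; };

	// Validate DNSSEC with the built-in root trust anchor.
	dnssec-validation auto;
	managed-keys-directory "/usr/local/bind/var/named/dynamic";

	// Names not served locally are sent to these resolvers; answers are
	// still DNSSEC-validated here. Without "forward only" named falls back
	// to iterative resolution from the root hints if the forwarders fail.
	forwarders {
		8.8.8.8;
		223.6.6.6;
	};

	// Created by named at start-up; run/ must be writable by user bind.
	pid-file "/usr/local/bind/var/named/run/named.pid";
	session-keyfile "/usr/local/bind/var/named/run/session.key";

	// Optional: hide the exact build from `dig version.bind chaos txt`.
	//version "not disclosed";

	/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
	// System-wide crypto policy; the file comes from the crypto-policies
	// package (yum -y install crypto-policies).
	include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
	channel default_debug {
		file "logs/named.run";
		severity dynamic;
	};
	// Denied queries, refused transfers and updates, key problems: cheap
	// to keep and the first place to look after an incident.
	channel security_log {
		file "logs/security.log" versions 3 size 10m;
		severity info;
		print-time yes;
	};
	category security { security_log; };
};

// rndc key plus the controls statement (generated by rndc-confgen; the
// controls block only listens on 127.0.0.1:953).
include "/usr/local/bind/etc/rndc.key";

// Root hints, refreshed with dig above.
zone "." IN {
	type hint;
	file "/usr/local/bind/etc/named.ca";
};

include "/usr/local/bind/etc/named.rfc1912.zones";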
自启配置
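# Service unit. Locally written units belong in /etc/systemd/system;
# /usr/lib/systemd/system is for package-managed units.
# named's stdout/stderr go to the journal, so nothing is redirected to
# /dev/null: the original `sh -c '... >/dev/null 2>&1'` wrappers left only
# "failed to start" and no reason when the config was broken.
# named-checkconf runs first so a bad edit is rejected before the running
# server is touched; reloads still go through rndc.
cat > /etc/systemd/system/named.service << 'EOF'
[Unit]
Description=Berkeley Internet Name Domain (DNS)
Wants=nss-lookup.target
Before=nss-lookup.target
After=network.target network-online.target
After=syslog.target
# Only relevant if zones are served from MySQL (DLZ); harmless otherwise.
After=mysqld.service

[Service]
Type=forking
PIDFile=/usr/local/bind/var/named/run/named.pid
ExecStartPre=/usr/local/bind/sbin/named-checkconf /usr/local/bind/etc/named.conf
# -u bind: named binds port 53 as root, then drops to the unprivileged user.
ExecStart=/usr/local/bind/sbin/named -c /usr/local/bind/etc/named.conf -u bind
ExecReload=/usr/local/bind/sbin/rndc -c /usr/local/bind/etc/rndc.conf reload
ExecStop=/usr/local/bind/sbin/rndc -c /usr/local/bind/etc/rndc.conf stop
Restart=on-failure
# Least privilege: /usr, /etc and /boot are read-only to the service except
# the var/ subtree named writes to (pid, stats, managed keys, logs). Extend
# ReadWritePaths if a later feature (e.g. a dnstap socket) needs another path.
PrivateTmp=true
PrivateDevices=true
ProtectHome=true
ProtectSystem=full
ReadWritePaths=/usr/local/bind/var

[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable --now named.service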
测试
# rndc status
WARNING: key file (/usr/local/bind/etc/rndc.key) exists, but using default configuration file (/usr/local/bind/etc/rndc.conf)
version: BIND 9.19.23 (Development Release) <id:3c0eaff>
running on localhost: Linux x86_64 4.18.0-348.el8.x86_64 #1 SMP Tue Oct 19 15:14:17 UTC 2021
boot time: Sun, 28 Jul 2024 05:35:11 GMT
last configured: Sun, 28 Jul 2024 05:35:12 GMT
configuration file: /usr/local/bind/etc/named.conf
CPUs found: 2
worker threads: 2
number of zones: 107 (98 automatic)
debug level: 0
xfers running: 0
xfers deferred: 0
xfers first refresh: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/900/1000
tcp clients: 0/150
TCP high-water: 0
server is up and running
# nslookup -type=soa baidu.com 192.168.3.7
Server: 192.168.3.7
Address: 192.168.3.7#53
Non-authoritative answer:
baidu.com
origin = dns.baidu.com
mail addr = sa.baidu.com
serial = 2012148480
refresh = 300
retry = 300
expire = 2592000
minimum = 7200
Authoritative answers can be found from:
# nslookup -type=a www.baidu.com 192.168.3.7
Server: 192.168.3.7
Address: 192.168.3.7#53
Non-authoritative answer:
www.baidu.com canonical name = www.a.shifen.com.
Name: www.a.shifen.com
Address: 183.2.172.42
Name: www.a.shifen.com
Address: 183.2.172.185
添加zone及测试
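# A test zone. The zone file and the zone statement must agree on the path:
# in the original the file was written to etc/test.com.zone while named.conf
# pointed at etc/data/test.com.zone, so named would log "file not found" for
# test.com and answer SERVFAIL. One path, used in both places.
cat > /usr/local/bind/etc/test.com.zone << 'EOF'
$TTL 86400
$ORIGIN test.com.
@   IN SOA ns.test.com. root.mail.test.com. (
        2004010101 ; Serial - bump on every edit or secondaries never refresh
        28800      ; Refresh
        14400      ; Retry
        3600000    ; Expire
        86400 )    ; Minimum (negative-caching TTL)
@   IN NS ns.test.com.
ns  IN A  192.168.3.52
www IN A  192.168.3.110
EOF
# NB: the NS record points at 192.168.3.52, not at this server (192.168.3.7);
# fine for a lab lookup, but delegation to this host needs an NS that
# resolves to it.
cat >> /usr/local/bind/etc/named.conf << 'EOF'
zone "test.com." IN {
	type master;
	file "/usr/local/bind/etc/test.com.zone";
	allow-update { none; };
	// Be explicit rather than relying on the build's default for zone
	// transfers; reopen for real secondaries only.
	allow-transfer { none; };
};
EOF
# Validate the zone and the config, then tell the running server to load the
# new zone; queries before this step are answered from the old configuration.
/usr/local/bind/sbin/named-checkzone test.com /usr/local/bind/etc/test.com.zone \
  && /usr/local/bind/sbin/named-checkconf /usr/local/bind/etc/named.conf \
  && /usr/local/bind/sbin/rndc -c /usr/local/bind/etc/rndc.conf reload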
# nslookup -type=ns test.com 192.168.3.7
Server: 192.168.3.7
Address: 192.168.3.7#53
test.com nameserver = ns.test.com.
# nslookup -type=soa test.com 192.168.3.7
Server: 192.168.3.7
Address: 192.168.3.7#53
test.com
origin = ns.test.com
mail addr = root.mail.test.com
serial = 2004010101
refresh = 28800
retry = 14400
expire = 3600000
minimum = 86400
# nslookup -type=a www.test.com 192.168.3.7
Server: 192.168.3.7
Address: 192.168.3.7#53
Name: www.test.com
Address: 192.168.3.110
从上面测试来看,bind9源码安装是正常的。
bind webadmin
配置 bind 的 zone 时,bind9 既支持直接从文本文件读取,也支持从数据库(如常见的 MySQL)读取。无论哪种方式,手工维护 zone 都略显繁琐;最近推出的 bind webadmin 免费软件可以较好地解决这一问题,感兴趣的同学可以体验一下。需要注意,Web 管理界面意味着多了一个能改写 DNS 配置的入口,建议只在内网开放并启用认证。
github: https://github.com/guofusheng007/bindwebadmin.git
website: https://bind-webadmin.com
demo: https://mm-dns.com