本文详细描述了如何在Linux系统中配置BINDDNS服务器,包括设置主服务器和从服务器,管理区域文件(如jin.com域),以及使用named-checkconf和named-checkzone工具进行配置检查。
bind从192.168.126
[root@localhost yum.repos.d]# yum -y install bind bind-utils
[root@slavenamed slaves]# which named-checkconf
/usr/sbin/named-checkconf
[root@localhost yum.repos.d]# rpm -qf `which named-checkconf`
bind-9.16.23-14.el9.x86_64
bind从192.168.8.126
[root@slavenamed slaves]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { 127.0.0.1; 192.168.8.126; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { localhost; 192.168.8.0/24; }; #限制客户端的查询
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-validation yes;
managed-keys-directory "/var/named/dynamic";
geoip-directory "/usr/share/GeoIP";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
#zone "jin.com" IN {
# type master;
# file "jin.com.zone";
#};
zone "jin.com" IN { #配置bind高可用
type slave;
file "slaves/jin.com.zone";
masters { 192.168.8.118; };
masterfile-format text;
};
检查区域配置文件
[root@masternamed named]# named-checkzone jin.com jin.com.zone
检查配置文件
[root@masternamed named]# named-checkconf /etc/named.conf
(2)部署bind master
bind主192.168.8.118
[root@localhost yum.repos.d]# yum -y install bind bind-utils
[root@masternamed named]# pwd
/var/named
[root@masternamed named]# touch jin.com.zone
[root@masternamed named]# chown -R named. jin.com.zone
[root@masternamed named]# cat jin.com.zone
$TTL 7200
jin.com. IN SOA jin.com. admin.jin.com. (
2024012302
1H
10M
1W
1D )
jin.com. IN NS ns1.jin.com.
jin.com. IN NS ns2.jin.com.
ns1.jin.com. IN A 192.168.8.118
ns2.jin.com. IN A 192.168.8.126
www.jin.com. IN A 192.168.8.118
www.jin.com. IN A 192.168.8.126
ftp.jin.com. IN A 192.168.8.5
ftp.jin.com. IN A 192.168.8.6
[root@masternamed named]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { 127.0.0.1; 192.168.8.118;};
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { localhost; 192.168.8.0/24; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-validation yes;
managed-keys-directory "/var/named/dynamic";
geoip-directory "/usr/share/GeoIP";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
#zone "jin.com" IN {
# type master;
# file "jin.com.zone";
#};
zone "jin.com" IN {
type master;
file "jin.com.zone"; #配置bind主的配置
also-notify { 192.168.8.126;};
allow-transfer { 192.168.8.126;};
allow-update { none; };
notify yes;
};
修改bind主的区域配置文件
[root@masternamed named]# cat jin.com.zone
$TTL 7200
jin.com. IN SOA jin.com. admin.jin.com. (
2024012303
1H
10M
1W
1D )
jin.com. IN NS ns1.jin.com.
jin.com. IN NS ns2.jin.com.
ns1.jin.com. IN A 192.168.8.118
ns2.jin.com. IN A 192.168.8.126
www.jin.com. IN A 192.168.8.118
www.jin.com. IN A 192.168.8.126
ftp.jin.com. IN A 192.168.8.5
ftp.jin.com. IN A 192.168.8.6
ftp.jin.com. IN A 192.168.8.7
重启服务
[root@masternamed named]# systemctl restart named
查看bind从slaves
[root@slavenamed slaves]# cat jin.com.zone
$ORIGIN .
$TTL 7200 ; 2 hours
jin.com IN SOA jin.com. admin.jin.com. (
2024012303 ; serial
3600 ; refresh (1 hour)
600 ; retry (10 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NS ns1.jin.com.
NS ns2.jin.com.
$ORIGIN jin.com.
ftp A 192.168.8.5
A 192.168.8.6
A 192.168.8.7
ns1 A 192.168.8.118
ns2 A 192.168.8.126
www A 192.168.8.118
A 192.168.8.126
[root@slavenamed slaves]# pwd
/var/named/slaves
扫一扫
1507
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
