Setting up and configuring the bind service on CentOS 7.5

1 Basic environment

OS version   Hostname     IP address     bind package version
----------   ----------   ------------   ------------------------
CentOS7.5    jlks-mysql   192.168.1.11   bind-9.9.4-61.el7.x86_64

2 Install bind

yum -y install bind bind-utils

3 Back up and modify the configuration files

3.1 Modify the named.conf file

cp -p /etc/named.conf{,.ori}

vim /etc/named.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { any; };   // changed from 127.0.0.1 to any
        // listen-on-v6 port 53 { ::1; };   // this line is commented out
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        forwarders {119.29.29.29;182.254.116.116;};  // added: names the internal server cannot resolve are forwarded to these external resolvers
        allow-query     { any; };  // changed from localhost to any

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable no;    // changed from yes to no
        dnssec-validation no;   // changed from yes to no

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
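The options block above ends up with recursion yes, listen-on { any; } and allow-query { any; }, which is the open-resolver combination the Red Hat comment in the same file warns about: when allow-recursion is not set, BIND 9.9 derives it from allow-query-cache and then from allow-query, so this server will recurse for any address that can reach port 53, not just the internal network. The shell script below is an added example, not part of the original post: it strips named.conf comments so that a commented-out statement is not mistaken for an active one, flags that combination, and shows the corrected form, an acl that limits recursion to the LAN while still answering authoritative queries for the two zones from anywhere. The acl name lan, the 192.168.1.0/24 prefix and the temporary files are assumptions; the same options block also turns dnssec-validation off, which this check does not cover.

```shell
#!/bin/sh
# Added example (not from the original post): audit a named.conf for the
# open-resolver combination (recursion on + allow-query { any; } + no
# allow-recursion/allow-query-cache restriction) and show the hardened form.

# Remove // and # line comments and /* ... */ block comments so that a
# commented-out statement is not mistaken for an active one.
strip_comments() {
  awk '
    {
      line = $0; out = ""
      while (length(line) > 0) {
        if (inblock) {
          e = index(line, "*/")
          if (e == 0) { line = ""; break }
          line = substr(line, e + 2); inblock = 0
        } else {
          b = index(line, "/*"); l = index(line, "//"); h = index(line, "#")
          first = 0
          if (b > 0) first = b
          if (l > 0 && (first == 0 || l < first)) first = l
          if (h > 0 && (first == 0 || h < first)) first = h
          if (first == 0) { out = out line; line = ""; break }
          out = out substr(line, 1, first - 1)
          if (first == b) { inblock = 1; line = substr(line, b + 2) }
          else { line = ""; break }
        }
      }
      print out
    }' "$1"
}

# Returns 0 when FILE describes an open recursive resolver, 1 otherwise.
# BIND defaults to "recursion yes", so only an explicit "recursion no" turns it
# off; allow-recursion defaults to allow-query-cache, then to allow-query.
is_open_resolver() {
  stripped=$(strip_comments "$1" | tr '\n' ' ')
  printf '%s' "$stripped" | grep -Eq 'recursion[[:space:]]+no[[:space:]]*;' && return 1
  printf '%s' "$stripped" | grep -Eq 'allow-query[[:space:]]*\{[[:space:]]*any[[:space:]]*;[[:space:]]*\}' || return 1
  printf '%s' "$stripped" | grep -Eq 'allow-(recursion|query-cache)[[:space:]]*\{' && return 1
  return 0
}

# Constructed sample: the options block as modified in section 3.1.
write_sample_conf() {
  cat > "$1" <<'EOF'
options {
        listen-on port 53 { any; };
        directory       "/var/named";
        forwarders {119.29.29.29;182.254.116.116;};
        allow-query     { any; };  // changed from localhost to any
        /* - If your recursive DNS server has a public IP address, you MUST enable access
             control to limit queries to your legitimate users. */
        recursion yes;
};
EOF
}

# Constructed hardened variant (assumed LAN prefix): recursion only for the acl,
# authoritative answers for the two zones still available to anyone.
write_hardened_conf() {
  cat > "$1" <<'EOF'
acl "lan" { 192.168.1.0/24; 127.0.0.1; };
options {
        listen-on port 53 { any; };
        directory       "/var/named";
        forwarders {119.29.29.29;182.254.116.116;};
        allow-query     { any; };
        allow-recursion { lan; };
        recursion yes;
};
EOF
}

# Stand-alone run: report on a real file passed as $1, or on both constructed samples.
if [ -n "$1" ]; then
  is_open_resolver "$1" && echo "$1: open resolver" || echo "$1: recursion restricted"
else
  for w in write_sample_conf write_hardened_conf; do
    t=$(mktemp); "$w" "$t"
    is_open_resolver "$t" && echo "$w: open resolver" || echo "$w: recursion restricted"
    rm -f "$t"
  done
fi
```

Run it with /etc/named.conf as the argument to check the live file; with no argument it reports on the two constructed samples. It is a text check only, so keep running named-checkconf afterwards, and after changing the acl reload with rndc reload as in section 5.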

3.2 Modify named.rfc1912.zones

Back up the original file

cp -p /etc/named.rfc1912.zones{,.ori}

Edit named.rfc1912.zones and append the following two zones, one for each domain

vim /etc/named.rfc1912.zones

// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
};

zone "jt11.com.cn" IN {
        type master;
        file "jt11.com.cn.zone";
        allow-update { none; };
};

zone "zpkj.com" IN {
        type master;
        file "zpkj.com.zone";
        allow-update { none; };
};

3.3 Create the zone files for the two domains

3.3.1 Create the jt11.com.cn.zone file

cp -p /var/named/named.localhost /var/named/jt11.com.cn.zone

vim jt11.com.cn.zone

$TTL 1D
@   IN SOA  @ jt11.top. (
                    30  ; serial
                    1M  ; refresh
                    1M  ; retry
                    1M  ; expire
                    3M )    ; minimum
    IN    NS    ns.jt11.com.cn.
WWW IN A    192.168.1.90   ; IP address for the subdomain
ns  IN A    192.168.1.90   ; IP address for the subdomain
api IN A    192.168.1.90   ; IP address for the subdomain
@   IN A    192.168.1.90   ; IP address for the bare domain

3.3.2 Create the zpkj.com.zone file

cp -p /var/named/named.localhost /var/named/zpkj.com.zone

vim zpkj.com.zone

$TTL 1D
@   IN SOA  @ zpkj.top. (
                    30  ; serial
                    1M  ; refresh
                    1M  ; retry
                    1M  ; expire
                    3M )    ; minimum
    IN    NS    ns.zpkj.com.
WWW IN A    192.168.1.106  ; IP address for the subdomain
ns  IN A    192.168.1.106  ; IP address for the subdomain
wangning IN A   192.168.1.106  ; IP address for the subdomain
@   IN A    192.168.1.104  ; IP address for the bare domain
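Before handing a freshly written zone to named-checkzone, a few things are worth checking by script: zone file comments start with ';' (a '//' copied over from the named.conf comment style is not a comment in a zone file and makes named-checkzone reject the line), $TTL, SOA and NS are present, and every nameserver inside the zone (ns.<domain>.) has an A record in the same file, as ns does in both zones above. The shell script below is an added example, not part of the original post; the origin example.test, the 192.0.2.x addresses and the hostmaster mailbox in the constructed sample zones are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a zone file written
# in the style of section 3.3 before running named-checkzone / rndc reload.

# lint_zone FILE ORIGIN
# Returns 0 when the file passes, 1 otherwise; each problem is printed on stdout.
lint_zone() {
  f="$1"; origin="$2"; rc=0
  # "//" is not a comment in zone files (only ";" is); named-checkzone rejects it.
  if grep -q '//' "$f"; then
    echo "$f: '//' found, zone file comments start with ';'"; rc=1
  fi
  grep -q '^\$TTL' "$f" || { echo "$f: missing \$TTL"; rc=1; }
  grep -Eq '[[:space:]]SOA[[:space:]]' "$f" || { echo "$f: missing SOA record"; rc=1; }
  grep -Eq '[[:space:]]NS[[:space:]]' "$f" || { echo "$f: missing NS record"; rc=1; }
  # An in-zone nameserver (name.<origin>.) needs an A record in this file,
  # otherwise the NS points at a name nobody can resolve.
  for ns in $(awk '$0 ~ /[ \t]NS[ \t]/ { print $NF }' "$f"); do
    case "$ns" in
      *."$origin".) host="${ns%."$origin".}" ;;
      *) continue ;;   # nameserver outside this zone, nothing to check here
    esac
    awk -v h="$host" '$1 == h && $0 ~ /[ \t]A[ \t]/ { found = 1 } END { exit !found }' "$f" \
      || { echo "$f: NS $ns has no A record in the zone"; rc=1; }
  done
  return $rc
}

# Constructed sample zone files (not the ones from the post): a correct one and
# one with the two mistakes the lint catches ("//" comment, NS without an A record).
write_good_zone() {
  cat > "$1" <<'EOF'
$TTL 1D
@   IN SOA  @ hostmaster.example.test. (
                    30  ; serial
                    1M  ; refresh
                    1M  ; retry
                    1M  ; expire
                    3M )    ; minimum
    IN    NS    ns.example.test.
www IN A    192.0.2.10   ; subdomain
ns  IN A    192.0.2.10   ; nameserver glue
@   IN A    192.0.2.10   ; bare domain
EOF
}

write_bad_zone() {
  cat > "$1" <<'EOF'
$TTL 1D
@   IN SOA  @ hostmaster.example.test. (
                    30  ; serial
                    1M  ; refresh
                    1M  ; retry
                    1M  ; expire
                    3M )    ; minimum
    IN    NS    ns.example.test.
www IN A    192.0.2.10   // not a zone file comment
@   IN A    192.0.2.10
EOF
}

# Stand-alone run: lint a real zone (lint_zone FILE ORIGIN) or the two samples.
if [ $# -eq 2 ]; then
  lint_zone "$1" "$2" && echo "$1: ok"
else
  for w in write_good_zone write_bad_zone; do
    t=$(mktemp); "$w" "$t"
    lint_zone "$t" example.test && echo "$w: ok"
    rm -f "$t"
  done
fi
```

For the zones on this page the call would be lint_zone /var/named/jt11.com.cn.zone jt11.com.cn; it complements rather than replaces named-checkzone, which remains the authoritative check.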

3.3.3 Check that the configuration files are correct

named-checkconf

named-checkzone jt11.com.cn /var/named/jt11.com.cn.zone

named-checkzone zpkj.com /var/named/zpkj.com.zone

4 Start the bind service

systemctl start named

systemctl enable named

5 Reload the configuration

After editing a configuration file there is no need to restart the bind service; just reload it

rndc reload

6 Notes

When adding another domain later, watch the file permissions: the cp of named.localhost was done without the -p option, so the group of zpkj.com.zone ended up as root, and this problem held me up for more than two hours

[root@jlks-mysql named]# pwd
/var/named
[root@jlks-mysql named]# ll
total 24
drwxrwx--- 2 named named   75 Aug 19 03:08 data
drwxrwx--- 2 named named   31 Aug 22 18:42 dynamic
-rw-r----- 1 root  named  336 Aug 22 18:44 jt11.com.cn.zone
-rw-r----- 1 root  named 2281 May 22  2017 named.ca
-rw-r----- 1 root  named  152 Dec 15  2009 named.empty
-rw-r----- 1 root  named  152 Jun 21  2007 named.localhost
-rw-r----- 1 root  named  168 Dec 15  2009 named.loopback
drwxrwx--- 2 named named    6 Apr 13 02:48 slaves
-rw-r----- 1 root named  337 Aug 22 18:26 zpkj.com.zone
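The listing shows why the ownership matters: the zone files are mode rw-r----- (640) and owned by root, so named, which runs as user named, can only read them through the named group. A copy made without -p picks up the copying user's group and umask instead, and the zone then silently fails to load. The shell script below is an added example, not part of the original post: it evaluates the owner, group and mode bits of every *.zone file in a directory against a given service account and prints the files that account could not read. It assumes GNU stat as shipped with CentOS and ignores POSIX ACLs and SELinux labels, so a file that passes here can still be unreadable for named; the account names used in the stand-alone run are the page's own (named:named).

```shell
#!/bin/sh
# Added example (not from the original post): find zone files under a directory
# that the service account could not read by mode bits, the mistake described in
# section 6. Assumes GNU stat (CentOS); ACLs and SELinux labels are not considered.

# can_read_as FILE USER GROUP: 0 if USER (a member of GROUP) may read FILE.
can_read_as() {
  file="$1"; user="$2"; group="$3"
  set -- $(stat -c '%U %G %a' "$file")   # owner, group, octal mode such as "640"
  owner="$1"; grp="$2"; mode="$3"
  # Read the octal digits as decimal digits: hundreds = owner, tens = group, ones = other.
  o_r=$(( (mode / 100) % 10 & 4 )); g_r=$(( (mode / 10) % 10 & 4 )); w_r=$(( mode % 10 & 4 ))
  [ "$owner" = "$user" ] && [ "$o_r" -ne 0 ] && return 0
  [ "$grp" = "$group" ] && [ "$g_r" -ne 0 ] && return 0
  [ "$w_r" -ne 0 ] && return 0
  return 1
}

# check_zone_readable DIR [USER] [GROUP]: print every *.zone file in DIR that the
# service account cannot read; returns 1 if any were found, 0 otherwise.
check_zone_readable() {
  dir="$1"; user="${2:-named}"; group="${3:-named}"; rc=0
  for f in "$dir"/*.zone; do
    [ -e "$f" ] || continue
    can_read_as "$f" "$user" "$group" || { echo "$f"; rc=1; }
  done
  return $rc
}

# Stand-alone run against the real zone directory (only where bind is installed).
if [ -d /var/named ]; then
  check_zone_readable /var/named && echo "/var/named: all zone files readable by named"
fi
```

A file reported here is the case from the note above; chgrp named and chmod 640 (or a fresh cp -p from named.localhost) fix it, and named-checkzone followed by rndc reload confirms the zone loads.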



Reposted from blog.51cto.com/wn2100/2240274