[root@spiderman ~]# uname -a
linux spiderman.com 2.6.18-238.el5 #1 SMP Thu Jan 13 15:51:15 EST 2011 x86_64 x86_64 x86_64 GNU/Linux
[root@spiderman ~]# more /etc/redhat-release
CentOS release 5.6 (Final)
[root@spiderman ~]#
二、所需要的软件包
bind-9.9.0.tar.gz http://www.isc.org/downloads/all
三、安装bind
1.yum 或rpm方式安装
[root@spiderman ~]# yum -y install bind bind-utils bind-libs bind-chroot
2.源码安装
[root@spiderman ~]# tar zxvf bind-9.9.0.tar.gz -C /usr/local/src/
[root@spiderman ~]# cd /usr/local/src/bind-9.9.0/
[root@spiderman bind-9.9.0]# ./configure --prefix=/usr/local/bind-9.9.0 --enable-threads --disable-openssl-version-check --sysconfdir=/etc --with-libtool
.configure参数说明:
--prefix=/usr/local/bind 指定bind9的安装目录,默认是/usr/local
--enable-threads 开启多线程的支持;如果你的系统有多个CPU,那么可以使用这个选项
--disable-openssl-version-check 跳过对 OpenSSL 头文件与运行库版本是否一致的检查。这是一个与安全相关的开关:DNSSEC 的签名/验证依赖 OpenSSL,头文件与库不匹配时可能在运行期出问题,而 CentOS 5 自带的 OpenSSL 本身也比较老;只有在清楚该检查为何失败时才加这个参数,更稳妥的做法是用下面的 --with-openssl 指向一套版本一致、能持续更新的 OpenSSL。
--with-openssl=/usr/local/openssl 指定openssl的安装路径
--sysconfdir=/etc/bind 设置named.conf配置文件放置的目录,默认是--prefix选项指定的目录下的/etc下
--localstatdir=/var 设置 run/named.pid 放置的目录,默认是--prefix选项指定的目录下的/var下
--with-libtool 将BIND的库文件编译为动态共享库文件,这个选项默认是未选择的。
如果不选这个选项,那么编译后的named命令会比较大,lib目录中的库文件都是.a后缀的。
如果选上这个选项,那么编译后的named命令会很小,lib目录中的库文件则是.so后缀。
[root@spiderman bind-9.9.0]# make && make install 这个是编译和安装,&&是指在 make执行成功后才会执行make instal
[root@spiderman bind-9.9.0]# ln -sv /usr/local/bind-9.9.0 /usr/local/bind
[root@spiderman bind-9.9.0]# useradd -r -s /sbin/nologin named 专用的系统账号,不给登录 shell;named 启动后通过 -u 切换到这个用户运行
[root@spiderman bind-9.9.0]# /usr/local/bind/sbin/rndc-confgen > /etc/rndc.conf 生成/etc/rndc.conf(文件里含有 rndc 控制通道的密钥,拿到它就能远程控制 named)
[root@spiderman bind-9.9.0]# chown root:named /etc/rndc.conf && chmod 640 /etc/rndc.conf 密钥文件不能让其他用户读
[root@spiderman bind-9.9.0]# tail -10 /etc/rndc.conf | head -9 | sed 's/^# //' >>/etc/named.conf 生成/etc/named.conf(sed 表达式必须加引号:不加引号时 shell 会在空格处把 s/# //g 拆成两个参数,sed 会报错而不会生成任何内容)
四、配置
1.编辑named.conf文件
[root@spiderman bind-9.9.0]# vi /etc/named.conf 编辑named.conf文件
文件内容:
key "rndc-key" { // rndc 控制通道密钥
algorithm hmac-md5; // 9.9 的 rndc-confgen 默认生成 hmac-md5;如果你的版本支持 rndc-confgen -A hmac-sha256,优先用更强的算法
secret "9T7II+imYuy9VTB8VNVlzg=="; // 这只是作者机器上生成的示例值,切勿照抄,必须使用自己 rndc-confgen 的输出;含此密钥的 named.conf、rndc.conf 都不能被普通用户读取
};
options {
directory "/usr/local/bind/var"; zone文件存放位置
pid-file "/usr/local/bind/var/run/named.pid";
version "I am bind 9.9.0"; // 替换 version.bind 查询返回的内容,目的是不泄露真实版本,所以不要像示例这样把 9.9.0 写进去,换成与版本无关的字符串或 version none;
allow-query {any;}; // 全局允许任何地址查询:权威数据本来就是公开的,但这样写安全的前提是下面的 internet 视图设置了 recursion no;另外 BIND 默认允许区域传送,建议在这里或各 zone 中加上 allow-transfer { none; }; 或只允许从服务器的地址
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
acl "my lan"{ 定义my lan的范围
127.0.0.0/8;172.16.200.0/24;
};
view "local" { // 定义本地视图,视图名称可以自定义;视图按书写顺序匹配、先匹配者生效,所以这个只给内网用的视图必须放在 match-clients any 的 internet 视图之前
match-clients { "my lan"; }; 仅允许my lan中定义的地址使用本视图
recursion yes;
zone "." IN { 根区域文件
type hint;
file "named.ca";
};
zone "spiderman.com" IN { spiderman.com的区域文件
type master;
file "named.spiderman.com";
};
zone "200.16.172.in-addr.arpa" IN { spiderman.com的反向解析文件 反向解析可不做
type master;
file "named.172.16.200";
};
// 注意:一旦使用了 view,所有 zone 都必须位于某个 view 之内,下面的 localhost 正反向区域同样属于本视图,视图要等它们写完后再用 }; 关闭,这里不能提前关闭
zone "localhost" IN { localhost的区域文件
type master;
file "localhost.zone";
allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN { localhost的反向解析文件
type master;
file "named.local";
allow-update { none; };
};
};
view "internet" { 定义internet视图 视图名称可以自定义 目的在于让internet访问时解析成公网ip
match-clients { any; };
recursion no;
zone "." IN {
type hint;
file "named.ca";
};
zone "spiderman.com" IN { spiderman.com解析成公网ip
type master;
file "named.spiderman.com.internet";
};
zone "10.199.10.in-addr.arpa" IN { spiderman.com解析成公网ip的反向解析文件 反向解析可不做
type master;
file "named.10.199.10";
};
};
2. named.root 需要到根域上去下载。如下:(注意 named.conf 里 hint 区域写的文件名是 named.ca,下载后要改成这个名字;另外 FTP 是明文传输,根提示文件若在传输中被篡改,所有递归查询都会被引向假的根服务器,建议改用 https://www.internic.net/domain/named.root 下载,并用 InterNIC 同时发布的 named.root.sig 校验 PGP 签名)
[root@spiderman bind-9.9.0]# ftp rs.internic.net
Connected to rs.internic.net.
220-**********************************************************
220-***** *****
220-***** InterNIC Public FTP Server *****
220-***** *****
220-***** Login with username "anonymous" *****
220-***** You may change directories to the following: *****
220-***** *****
220-***** domain - Root Domain Zone Files *****
220-***** *****
220-***** Unauthorized access to this system may *****
220-***** result in criminal prosecution. *****
220-***** *****
220-***** All sessions established with this server are *****
220-***** monitored and logged. Disconnect now if you do *****
220-***** not consent to having your actions monitored *****
220-***** and logged. *****
220-***** *****
220-**********************************************************
220
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (rs.internic.net:root): anonymous
331 Please specify the password.
Password:anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd domain
250 Directory successfully changed.
ftp> get named.root
local: named.root remote: named.root
227 Entering Passive Mode (199,7,52,73,189,56)
150 Opening BINARY mode data connection for named.root (3048 bytes).
226 File send OK.
3048 bytes received in 7.9e-05 seconds (3.8e+04 Kbytes/s)
ftp> bye
[root@spiderman bind-9.9.0]# mv named.root /usr/local/bind/var/named.ca 文件名必须与 named.conf 中 zone "." 的 file "named.ca" 一致,否则 hint 区域加载失败
[root@spiderman bind-9.9.0]# cd /usr/local/bind/var
3.新建各区域文件
[root@spiderman var]# vim localhost.zone
内容如下:
$TTL 86400
@ IN SOA @ root (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
IN NS @
IN A 127.0.0.1
IN AAAA ::1 ; ipv6 回环地址(说明文字要放在 ; 之后作为注释,否则是区域文件语法错误)
[root@spiderman var]# vim named.local
内容如下:
$TTL 86400
@ IN SOA localhost. root.localhost. (
1997022700 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS localhost.
1 IN PTR localhost.
[root@spiderman var]# vim named.spiderman.com
内容如下:
[root@spiderman var]# vim named.172.16.200
内容如下:
[root@spiderman var]# vim named.spiderman.com.internet
内容如下:
[root@spiderman var]# vim named.10.199.10
内容如下:
4.测试配置文件是否正确
检查主配置文件是否正确,如果没有提示说明你的配置文件没有配置的语法错误
[root@spiderman var]# /usr/local/bind/sbin/named-checkconf /etc/named.conf
[root@spiderman var]# /usr/local/bind/sbin/named-checkconf -z /etc/named.conf 加 -z 会顺带试加载配置里的所有主区域,能一次查出区域文件内容或文件名(如 named.ca)不对的问题
检查区域文件是否正确返回下列内容正确,中间的localhost是你在nmaed.conf文件指定的区域
[root@spiderman var]# /usr/local/bind/sbin/named-checkzone localhost /usr/local/bind/var/localhost.zone
zone localhost/IN: loaded serial 2012051502
OK
[root@spiderman var]#
检查自定义的域是否配置正确,中间的spiderman.com也是你在named.conf文件中指定的区域
[root@spiderman var]# /usr/local/bind/sbin/named-checkzone spiderman.com /usr/local/bind/var/named.spiderman.com
zone spiderman.com/IN: loaded serial 2012051502
OK
[root@spiderman var]# mkdir /usr/local/bind/var/run
[root@spiderman var]# chown named /usr/local/bind/var/run
[root@spiderman var]# /usr/local/bind/sbin/named -c /etc/named.conf -u named & // 启动 dns服务器:-c(小写)指定配置文件;必须用 -u named 以非特权用户运行,不能写成 -u root,否则前面创建 named 用户、chown 目录的工作全都失去意义,named 一旦被攻破攻击者直接拿到 root
[root@spiderman var]# netstat -tlnp | grep 53
完成bind的安装与配置。
五、测试连接
#使用nslookup、host 或dig。
[root@spiderman var]# /usr/local/bind/bin/dig @127.0.0.1 spiderman.com A
; <<>> DiG 9.9.0 <<>> @127.0.0.1 spiderman.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36479
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;spiderman.com. IN A
;; ANSWER SECTION:
spiderman.com. 86400 IN A 172.16.200.225
;; AUTHORITY SECTION:
spiderman.com. 86400 IN NS spiderman.com.
;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue May 15 15:40:59 2012
;; MSG SIZE rcvd: 67
[root@spiderman var]#
六、使用服务器进程启动dns
1.新建named 服务器进程
[root@spiderman var]# cd
[root@spiderman ~]# vim /etc/init.d/named
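#!/bin/bash
# named        BIND 9 name server built from source under /usr/local/bind.
# chkconfig: 345 35 75
# description: a name server
#
# Usage: /etc/init.d/named {start|stop|restart|reload|status}
#
# Runs as root only: start binds port 53 and then drops to the unprivileged
# "named" user (-u), stop signals that process, and the rndc-based actions
# read the control key from /etc/rndc.conf.

named_bin=/usr/local/bind/sbin/named
rndc_bin=/usr/local/bind/sbin/rndc
checkconf_bin=/usr/local/bind/sbin/named-checkconf
conf_file=/etc/named.conf
pid_file=/usr/local/bind/var/run/named.pid
# Optional chroot directory (e.g. /var/named/chroot). When non-empty, named is
# started with -t and conf_file / pid_file are resolved inside that tree.
# Empty keeps the original non-chroot behaviour.
chroot_dir=""

if [ "$(id -u)" -ne 0 ]; then
  echo "ERROR:For bind to port 53,must run as root." >&2
  exit 1
fi

# Host-side path of the pid file (inside the chroot when one is configured).
pid_path() {
  printf '%s\n' "${chroot_dir}${pid_file}"
}

# Start named as the unprivileged "named" user. Silently does nothing (status
# 0) when the binary is missing, as before; refuses to start on a config that
# named-checkconf rejects so a typo cannot take the resolver down.
start() {
  [ -x "$named_bin" ] || return 0
  local -a opts=(-c "$conf_file" -u named)
  local -a check=("$checkconf_bin")
  if [ -n "$chroot_dir" ]; then
    opts+=(-t "$chroot_dir")
    check+=(-t "$chroot_dir")
  fi
  if [ -x "$checkconf_bin" ] && ! "${check[@]}" "$conf_file"; then
    echo "ERROR: $conf_file rejected by named-checkconf, not starting" >&2
    return 1
  fi
  "$named_bin" "${opts[@]}" && echo . && echo 'BIND9 server started'
}

# Stop the running instance via the pid it wrote. Fails with a clear message
# instead of calling kill with an empty or non-numeric argument when the pid
# file is missing or damaged.
stop() {
  local pidfile pid
  pidfile=$(pid_path)
  if [ ! -r "$pidfile" ]; then
    echo "ERROR: pid file $pidfile not found, is named running?" >&2
    return 1
  fi
  pid=$(cat "$pidfile")
  case "$pid" in
    ''|*[!0-9]*)
      echo "ERROR: $pidfile does not contain a pid" >&2
      return 1
      ;;
  esac
  kill "$pid" && echo . && echo 'BIND9 server stopped'
}

# Stop, wait for the old process to go away (bounded at 10 seconds, the
# original fixed sleep), then start again.
restart() {
  local i pidfile
  echo .
  echo "Restart BIND9 server"
  stop
  pidfile=$(pid_path)
  for i in 1 2 3 4 5 6 7 8 9 10; do
    [ -e "$pidfile" ] || break
    sleep 1
  done
  start
}

case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    restart
    ;;
  reload)
    "$rndc_bin" reload
    ;;
  status)
    "$rndc_bin" status
    ;;
  *)
    echo "$0 start | stop | restart |reload |status"
    exit 2
    ;;
esac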
2.启动 dns
[root@spiderman ~]#chmod +x /etc/init.d/named
[root@spiderman ~]#service named start
3. 加入开机自动启动
[root@spiderman ~]#chkconfig --add named
4. 查看服务端口状态
[root@spiderman ~]#netstat -tlnp | grep named 如果有53 说明服务启动成功
七、使用chroot提高DNS的安全性
前面我们在配置文件里也增加了对DNS的保护,如 view 的设置 和acl的设置,本此节中 我们使用chroot 功能更一步加强DNS的安全性
要开启chroot功能,在rpm安装DNS时 要安装bind-chroot包;源码安装的 named 是在运行时通过 -t <chroot目录> 参数进入 chroot 的(见下文),不需要在编译时单独开启。(原文提到的 --disable-chroot 编译选项请以你所用版本 ./configure --help 的实际输出为准,不要依赖它)
1.新建chroot的各个文件
[root@spiderman ~]# mkdir -pv /var/named/chroot/etc /var/named/chroot/dev /var/named/chroot/var/ 建立chroot相关的文件夹
[root@spiderman ~]# cd /var/named/chroot/
[root@spiderman chroot]# chown -R named:named /var/named
[root@spiderman chroot]# cp /usr/local/bind/var/* /var/named/chroot/var/
[root@spiderman chroot]# cp /etc/named.conf /var/named/chroot/etc
[root@spiderman chroot]# chown root:named /var/named/chroot/etc/named.conf; chmod 640 /var/named/chroot/etc/named.conf 不要让 named 用户对整个 chroot 都有写权限:配置文件(含 rndc 密钥)应只读给 named,它真正需要写的只有 var/run 这类目录,这样 named 进程被攻破后也改不了自己的配置和区域文件
[root@spiderman chroot]# cd /var/named/chroot/dev
[root@spiderman dev]# mknod random c 1 8
[root@spiderman dev]# mknod zero c 1 5
[root@spiderman dev]# mknod null c 1 3
[root@spiderman dev]# cd ..
2.修改主配置文件 chroot 之后 named 看到的所有路径都以 /var/named/chroot 为根,所以要把 options 里的 directory "/usr/local/bind/var" 改为 "/var",pid-file 改为 "/var/run/named.pid",并保证 chroot 内存在 named 可写的 var/run 目录(上面的 cp 没带 -r,不会把 run 目录复制过来)
[root@spiderman chroot]# mkdir -p /var/named/chroot/var/run && chown named:named /var/named/chroot/var/run
[root@spiderman chroot]# vi /var/named/chroot/etc/named.conf
[root@spiderman chroot]#
3.测试chroot功能
[root@spiderman chroot]# /usr/local/bind/sbin/named -t /var/named/chroot -u named 测试named能不能起来,如果可以起来 说明成功 再确认一下端口(这里没有给 -c,named 读取的是 chroot 内的 /etc/named.conf,也就是 /var/named/chroot/etc/named.conf;可以先用 named-checkconf -t /var/named/chroot /etc/named.conf 检查)
[root@spiderman chroot]# netstat -tlnp | grep named
tcp 0 0 192.168.19.64:53 0.0.0.0:* LISTEN 22928/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 22928/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 22928/named
[root@spiderman chroot]#
4.使用服务器进程启动服务
[root@spiderman chroot]#
[root@spiderman chroot]# more /etc/init.d/named 把脚本 start 分支里的 named 命令改成 named -t /var/named/chroot -c /etc/named.conf -u named,stop 分支读取的 pid 文件路径也要改成 chroot 内的实际位置(/var/named/chroot/var/run/named.pid),否则 service 启动的仍然是未 chroot 的实例
[root@spiderman chroot]# chkconfig --del named
[root@spiderman chroot]# chkconfig --add named
[root@spiderman chroot]# service named start
[root@spiderman chroot]# netstat -ntlp | grep named
完成dns的安装配置。