
Setting up a DNS server on CentOS 7

Setup steps

  1. Install the bind packages (the DNS server)
    yum -y install bind*
    (the glob also pulls in bind-utils, which provides dig and nslookup for the test step)
  2. List the unit files and enable named at boot
  • List all services
    systemctl list-unit-files
  • Enable the named service at boot
    systemctl enable named.service
  3. Edit the main configuration file
    vim /etc/named.conf

options {
    listen-on port 53 { any; };             // every IPv4 address on the host
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";                 // zone files are looked up relative to this directory
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file "/var/named/data/named.recursing";
    secroots-file "/var/named/data/named.secroots";
    allow-query { any; };                   // any client may query; with "recursion yes" below and no
                                            // allow-recursion ACL, any client may also recurse through
                                            // this server, so the firewall is the only thing keeping it
                                            // from being an open resolver

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;

    dnssec-enable no;
    dnssec-validation no;                   // answers fetched from upstream are not validated

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.root.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
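The following is an added example, not part of this tutorial or of BIND itself: a small Python lint that reads an options block and flags the combinations the comment inside named.conf warns about. Its two inputs are constructed strings. TUTORIAL repeats the settings from the file above; HARDENED is one way to rewrite them for a server that only serves 192.168.92.0/24 (the network the tutorial's addresses sit in; the addresses and prefix are assumptions, adjust them to your own). The fallback chain it applies (allow-recursion, then allow-query-cache, then allow-query, then localnets/localhost) is how BIND decides who may recurse when allow-recursion is not set, which is why allow-query { any; } alone is enough to open recursion to everyone.

```python
"""Lint the options block of a named.conf for open-resolver settings.
Added example; TUTORIAL and HARDENED are constructed strings, not files
read from a system."""
import re

TUTORIAL = """
options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    allow-query { any; };
    recursion yes;
    dnssec-enable no;
    dnssec-validation no;
};
"""

# Assumed LAN 192.168.92.0/24 and server address 192.168.92.82 (from the tutorial).
HARDENED = """
options {
    listen-on port 53 { 127.0.0.1; 192.168.92.82; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    allow-query { localhost; 192.168.92.0/24; };     // who may ask at all
    allow-recursion { localhost; 192.168.92.0/24; }; // who may use the cache
    allow-transfer { none; };                        // no AXFR of test.com to strangers
    recursion yes;
    dnssec-validation auto;                          // validate upstream answers
    version "not disclosed";
};
"""

def strip_comments(conf):
    """Drop /* */, // and # comments so commented-out directives are ignored."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)

def options_body(conf):
    """Return the text between the braces of `options { ... }`, brace-balanced."""
    m = re.search(r"\boptions\s*\{", conf)
    if not m:
        raise ValueError("no options block found")
    depth, i = 1, m.end()
    while depth:
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        i += 1
    return conf[m.end():i - 1]

def directive(body, name):
    """Value of a directive, e.g. '{ any; }' for allow-query, or None if unset."""
    m = re.search(r"^\s*" + re.escape(name) + r"\s+(\{[^}]*\}|[^;]*);", body, re.M)
    return m.group(1).strip() if m else None

def acl_tokens(value):
    """Address-list elements of an ACL value, e.g. {'localhost', '192.168.92.0/24'}."""
    return set(re.findall(r"[\w./:-]+", value or ""))

def audit(conf):
    """Return (code, message) findings; an empty list means nothing was flagged."""
    body = options_body(strip_comments(conf))
    findings = []
    recursion = (directive(body, "recursion") or "yes").lower()   # BIND default: yes
    # BIND's fallback chain for who may recurse when allow-recursion is unset
    rec_acl = (directive(body, "allow-recursion")
               or directive(body, "allow-query-cache")
               or directive(body, "allow-query")
               or "{ localnets; localhost; }")
    if recursion == "yes" and "any" in acl_tokens(rec_acl):
        findings.append(("open-resolver",
                         "recursion yes with effective recursion ACL %s: anyone who can "
                         "reach port 53 can use this server for amplification" % rec_acl))
    if "any" in acl_tokens(directive(body, "listen-on")):
        findings.append(("listen-any",
                         "listens on every IPv4 address; only the firewall limits exposure"))
    transfer = directive(body, "allow-transfer")
    if transfer is None or "any" in acl_tokens(transfer):
        findings.append(("transfer-unrestricted",
                         "allow-transfer unset or any: the whole zone is readable via AXFR "
                         "(BIND 9.11 on CentOS 7 defaults to any)"))
    if (directive(body, "dnssec-validation") or "").lower() == "no":
        findings.append(("no-dnssec-validation",
                         "forged upstream answers would be cached and served to clients"))
    return findings

if __name__ == "__main__":
    for label, conf in (("tutorial", TUTORIAL), ("hardened", HARDENED)):
        print(label + ":")
        for code, msg in audit(conf) or [("ok", "nothing flagged")]:
            print("  %-22s %s" % (code, msg))
```

named-checkconf /etc/named.conf only checks syntax and will happily accept recursion yes next to allow-query { any; }; to run the audit against the real file, call audit(open("/etc/named.conf").read()). In the hardened block, dnssec-validation auto uses BIND's built-in root trust anchor, which is what the managed-keys-directory option above is for.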

  4. Restart the named service
    systemctl restart named.service

  5. Configure the firewall rules to open port 53

>systemctl stop firewalld.service      # stop firewalld; this guide manages the rules with iptables-services instead
>systemctl disable firewalld.service   # otherwise firewalld comes back at boot and conflicts with iptables

>yum install iptables-services         # install the iptables service

>systemctl enable iptables             # start iptables at boot
>systemctl start iptables              # start it now, before adding rules: starting it later reloads /etc/sysconfig/iptables and drops unsaved rules

>iptables -I INPUT -p tcp --dport 53 -j ACCEPT   # allow TCP port 53 (zone transfers and answers too large for UDP)
>iptables -I INPUT -p udp --dport 53 -j ACCEPT   # allow UDP port 53 (ordinary queries)
# add "-s 192.168.92.0/24" to both rules unless hosts outside the LAN are meant to reach this server

# check that the rules took effect
>iptables -L INPUT -n

Once they are listed, save them so they are restored at boot:

>/sbin/service iptables save

  6. Locate the DNS configuration files
    rpm -lq bind
  • /etc/named.conf: server-wide settings (the options block above)
  • /etc/named.rfc1912.zones: zone declarations
  • /var/named: the directory holding the zone files that map names to internal IPs (the "directory" option in named.conf; /var/named/data only holds named.run and the statistics dumps)
  7. Declare the zone
    vi /etc/named.rfc1912.zones
    Append a zone for test.com at the end of the file:

zone "test.com" IN {
    type master;
    file "test.com.zone";        // relative to /var/named (the "directory" option)
    allow-update { none; };      // no dynamic updates: the file is edited by hand only
};


  8. Add the zone file with the records
    vi /var/named/test.com.zone
    File contents (named runs as the named user and must be able to read the file; the stock zone files are root:named, mode 0640):
$TTL 1D
@       IN SOA  test.com. rname.invalid. (
                                0       ; serial: increase it on every edit so secondaries notice the change
                                1D      ; refresh
                                1H      ; retry
                                1W      ; expire
                                3H )    ; minimum
; the next three records come from the named.localhost template: the apex itself answers 127.0.0.1 / ::1
        NS      @
        A       127.0.0.1
        AAAA    ::1
        NS      ns.test.com.
ns      IN A    192.168.92.82
www     IN A    192.168.92.82
email   IN A    192.168.92.82   ; server address (zone files use ";" for comments; "#" is a syntax error)

Check the zone file for errors (the first argument is the zone origin, so it must be test.com, the name declared in named.rfc1912.zones):
named-checkzone test.com /var/named/test.com.zone

If it prints OK, restart the DNS server:
systemctl restart named.service

  9. Test
    From a client on the LAN, query the server for www.test.com and confirm it returns 192.168.92.82. Then, from a host that is not meant to get recursion, query a name outside test.com: if the server answers it, recursion is open to that host and allow-recursion needs restricting. The bind-utils package pulled in by bind* provides dig and nslookup for this.
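The probe below, as an added example that is not part of the original tutorial, performs the test step with nothing but Python's standard library: it sends a raw DNS query (RFC 1035 wire format) for www.test.com and another for example.org (assumed to be a name the server is not authoritative for), then reads the AA, RA and RCODE flags out of the replies. The server address 192.168.92.82 is taken from the zone file above. The make_response helper fabricates replies so the parsing can be checked offline; it is constructed data, not captured traffic.

```python
"""Probe a BIND server like a stub resolver and report whether it serves
recursion to this client. Added example; 192.168.92.82 and the test names
are assumptions taken from or added to the tutorial."""
import socket
import struct
import sys

SERVER = "192.168.92.82"        # assumed: the tutorial's server address
OWN_NAME = "www.test.com"       # a name inside the zone the server hosts
EXTERNAL_NAME = "example.org"   # assumed: a name it must recurse to resolve

OPEN = "open resolver: recursion served to this client"
CLOSED = "recursion refused for this client"
REFUSED_ALL = "all queries refused for this client (allow-query)"
NOT_AUTH = "server is not authoritative for test.com (check the zone stanza and zone file)"
UNCLEAR = "inconclusive: inspect rcode and flags by hand"

def encode_name(qname):
    """Encode www.test.com as 03 'www' 04 'test' 03 'com' 00."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname, txid=0x1234):
    """Minimal A/IN query with only the RD bit set, as a stub resolver sends it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN

def skip_name(data, pos):
    """Advance past a domain name, which may end in a 2-byte compression pointer."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + length

def parse_response(data):
    """Extract the header flags and any A records from the answer section."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    info = {
        "id": txid,
        "aa": bool(flags & 0x0400),   # authoritative answer
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,      # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "answers": [],
    }
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(data, pos) + 4              # QNAME, QTYPE, QCLASS
    for _ in range(ancount):
        pos = skip_name(data, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            info["answers"].append(socket.inet_ntoa(data[pos:pos + 4]))
        pos += rdlen
    return info

def assess(own, external):
    """own: reply for a name in test.com; external: reply for a name outside it."""
    if own["rcode"] == 5:
        return REFUSED_ALL
    if not own["aa"]:
        return NOT_AUTH
    if external["ra"] and external["rcode"] == 0 and external["answers"]:
        return OPEN
    if external["rcode"] == 5 or not external["ra"]:
        return CLOSED
    return UNCLEAR

def make_response(qname, flags, addrs, txid=0x1234):
    """Constructed reply for offline checks (not captured traffic)."""
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addrs), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 86400, 4) + socket.inet_aton(a)
                   for a in addrs)                  # c0 0c points back at the question name
    return header + question + rrs

def query(server, qname, timeout=2.0):
    """Send one UDP query to the server and parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_response(data)

if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else SERVER
    own = query(server, OWN_NAME)
    ext = query(server, EXTERNAL_NAME)
    print(OWN_NAME, "->", own["answers"], "aa=%s rcode=%d" % (own["aa"], own["rcode"]))
    print(EXTERNAL_NAME, "->", ext["answers"], "ra=%s rcode=%d" % (ext["ra"], ext["rcode"]))
    print(assess(own, ext))
```

Run it from a host that should not get recursion (python3 dns_probe.py 192.168.92.82). If it reports the open-resolver line from there, the options block needs an allow-recursion ACL naming only your LAN. dig from bind-utils shows the same thing: dig @192.168.92.82 example.org prints "ra" in the flags line of its header whenever the server offers recursion to the querying host.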
