Configuring a local DNS with BIND on CentOS 6
The previous post, centos6下BIND配置DNS缓存服务 (BIND as a caching DNS on CentOS 6), covered building a local caching resolver: with that configuration, DNS queries from the local network are either forwarded to an upstream resolver or resolved recursively starting from the 13 root name servers. In a domain-controlled or otherwise closed environment, however, we often also want a name that exists only inside the LAN (a private zone, or a name made up purely for internal use) and want it to resolve to hosts on the local network. This post summarises how to do that. The configuration here does not conflict with the caching setup: the same server answers authoritatively for the local forward and reverse zones, and forwards or recurses to external DNS servers for every name that is not in them, returning the result to the client. The last section shows how to verify the setup with dig, host and nslookup.
I. Service configuration
This post uses the same environment as the previous one, so it is not listed again. The packages are the same four: bind-libs, bind-utils, bind and bind-chroot; install them with yum. The configuration files involved are /etc/named.conf (the main configuration file) and /etc/named.rfc1912.zones (where the forward and reverse zones are declared).
1. The main configuration file, named.conf
The main configuration file is unchanged from the previous post. Note that listen-on { any; } together with allow-query { any; } and recursion yes turns this host into an open resolver for anyone who can reach port 53, so it is only acceptable on a machine that is not reachable from outside the LAN.
# cat /etc/named.conf
options {
        listen-on port 53 { any; };
        //listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { any; };
        recursion yes;
        dnssec-enable no;
        dnssec-validation no;
        dnssec-lookaside no;
        /* Path to ISC DLV key */
        /*bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
        */
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN { //root hints: where to find the root name servers
        type hint;
        file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
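With the options above, named listens on every interface, answers queries from anywhere and recurses for anyone who asks. On a machine that also has an interface outside the LAN that is an open resolver: it can be used as a reflector for DNS amplification attacks and makes cache-poisoning attempts against your clients easier, because an attacker can make the server issue queries on demand. The following is an added example, not part of the original post: the same options block with access limited to the LAN. It assumes the server's LAN address is 192.168.0.103 and the LAN is 192.168.0.0/24 (the addresses used elsewhere on this page); the logging and root-hint sections stay exactly as they are.

```conf
// Added example, not from the original page: named.conf options restricted to the LAN.
// Assumes the server's LAN address is 192.168.0.103 and the LAN is 192.168.0.0/24.
acl "lan" { 127.0.0.1; 192.168.0.0/24; };

options {
        listen-on port 53 { 127.0.0.1; 192.168.0.103; };  // not "any": only loopback and the LAN-facing address
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { lan; };        // who may ask at all (authoritative answers included)
        recursion yes;
        allow-recursion { lan; };    // who may use this server as a full resolver
        allow-transfer { none; };    // no zone transfers of 361way.com; list secondaries here if you add any
        version "not disclosed";     // answer to "dig @server CH TXT version.bind" no longer reveals the BIND version
};
```

BIND's built-in ACLs localhost and localnets could replace the explicit acl, but an explicit list is easier to audit. If the zone is ever delegated to a secondary server, that server's address must be added to allow-transfer (globally or inside the zone statement), otherwise it can never load the zone.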
2. Zone declarations: named.rfc1912.zones
Domain plan
Domain: 361way.com
Forward zone: 361way.com
Reverse zone: 0.168.192.in-addr.arpa
Forward zone file: 361way.com.zone
Reverse zone file: 192.168.0.zone
Note: for a /24 network the reverse zone name is the first three octets of the address written in reverse order, followed by in-addr.arpa, so 192.168.0.x becomes 0.168.192.in-addr.arpa.
Append the following to named.rfc1912.zones:
zone "361way.com" IN {
        type master;
        file "361way.com.zone"; //zone files live under /var/named, the "directory" set in named.conf
};
zone "0.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.0.zone";
};
II. Forward and reverse zone files
1. Zone file format
Common resource records (RRs) in a forward zone file:
[domain] IN [RR type] [RR data]
hostname. IN A IPv4 address
hostname. IN AAAA IPv6 address
zone name. IN NS hostname of a name server authoritative for this zone
zone name. IN SOA the seven start-of-authority parameters of this zone (explained below)
zone name. IN MX preference hostname of a mail server that accepts mail for this zone (lower preference is tried first)
alias. IN CNAME the canonical hostname this alias stands for
Time units: W = weeks, D = days, H = hours, M = minutes; a bare number is seconds.
$TTL 86400 ; default TTL for every record in the file that does not carry its own
@ IN SOA ns.oracle.com. root ( ; ns.oracle.com. is the primary name server; root is the responsible mailbox, written with the @ replaced by a dot (root has no trailing dot, so it expands to root.<zone>., i.e. root@<zone>)
        0 ; serial: version number of the zone; secondaries only transfer the zone when it increases
        1D ; refresh: how often secondaries ask the primary whether the serial has changed
        15M ; retry: how long a secondary waits before retrying a failed refresh
        1W ; expiry: how long a secondary keeps serving the zone when it cannot reach the primary
        1H ) ; minimum: the negative-caching TTL, i.e. how long resolvers may cache a "no such record" answer (RFC 2308)
2. Forward zone file
# cat 361way.com.zone
$TTL 600
$ORIGIN 361way.com.
@ IN SOA ns.361way.com. root.361way.com. (
        2014121001 ;serial
        1D ;refresh
        5M ;retry
        1W ;expiry
        1H ) ;minimum
@ IN NS ns.361way.com.
  IN MX 5 mail.361way.com.
ns IN A 192.168.0.103
@ IN A 192.168.0.102
www IN A 192.168.0.103
mail IN A 192.168.0.109
pop3 IN A 192.168.0.103
iamp4 IN A 192.168.0.103
Names without a trailing dot are relative to $ORIGIN (ns means ns.361way.com.) and @ stands for the origin itself; a line whose owner field is blank reuses the owner of the previous line, which is how the MX record ends up attached to 361way.com. The serial follows the YYYYMMDDnn convention and must be increased on every edit, otherwise secondaries and caches will keep the old data.
3. Reverse zone file
# cat 192.168.0.zone
$TTL 600
$ORIGIN 0.168.192.in-addr.arpa.
@ IN SOA ns.361way.com. root.361way.com. (
        2014121001 ;serial
        1D ;refresh
        5M ;retry
        1W ;expiry
        1H ) ;minimum
@ IN NS ns.361way.com.
  IN MX 5 mail.361way.com.
103 IN PTR ns.361way.com.
103 IN PTR www.361way.com.
102 IN PTR 361way.com.
109 IN PTR mail.361way.com.
103 IN PTR pop3.361way.com.
103 IN PTR iamp4.361way.com.
Note that the owner names 103, 102 and 109 are the last octet of each address: relative to $ORIGIN they expand to 103.0.168.192.in-addr.arpa. and so on. Two things are worth knowing about this file. The MX record is meaningless in a reverse zone (it is what named-checkzone complains about below) and can simply be deleted. And giving 192.168.0.103 four PTR records is legal but unusual: software that does reverse lookups generally expects one canonical name per address, so in practice keep a single PTR per IP (here ns.361way.com.) and let the other names be plain A records in the forward zone.
4. Checking the configuration files
The system provides two commands, named-checkconf and named-checkzone, for checking the syntax of the main configuration file and of the zone files.
Main configuration file check (-z also loads every zone declared in it)
# named-checkconf -z
zone localhost.localdomain/IN: loaded serial 0
zone localhost/IN: loaded serial 0
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone 0.in-addr.arpa/IN: loaded serial 0
zone 361way.com/IN: loaded serial 2014121001
zone 0.168.192.in-addr.arpa/IN: loaded serial 2014121001
Forward zone file check
# named-checkzone '361way.com' 361way.com.zone
zone 361way.com/IN: loaded serial 2014121001
OK
Reverse zone file check
# named-checkzone "0.168.192.in-addr.arpa" 192.168.0.zone
zone 0.168.192.in-addr.arpa/IN: 0.168.192.in-addr.arpa/MX 'mail.361way.com' (out of zone) has no addresses records (A or AAAA)
zone 0.168.192.in-addr.arpa/IN: loaded serial 2014121001
OK
The warning on the reverse zone comes from the MX record placed in it: mail.361way.com lies outside that zone, so named-checkzone cannot find an address for it. The check still ends with OK, but the record serves no purpose in a reverse zone and should be removed. Run named-checkzone from /var/named, or pass the full path, because the file argument is resolved relative to the current directory.
Finally, make sure both zone files under /var/named are readable by the named user; named-checkzone runs as root and will not catch a permission problem that named itself hits at startup. chown named filename is the simplest fix.
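named-checkzone checks one file at a time, so it cannot tell you that a PTR in the reverse zone points at a name that has no matching A record, that a host in 192.168.0.0/24 has no PTR at all, or that the reverse zone contains records that do not belong there. The script below is an added example, not part of the original post or of BIND: it parses the two zone files from the sections above (the zone text is copied from this page and embedded as constructed input, MX record in the reverse zone included, so the checker has something to flag) and cross-checks them. reverse_zone_name() is the same octet-reversal rule described in the domain plan. The parser covers the master-file features used by hand-written zones like these ($TTL, $ORIGIN, @, relative names, a parenthesised multi-line SOA, ; comments); it is not a complete RFC 1035 parser.

```python
"""Cross-check a BIND forward zone against its reverse zone. named-checkzone checks one
file at a time, so it cannot see a PTR whose target has no A record, a host with no PTR,
or a record type that makes no sense in a reverse zone; this script reports all three."""
import ipaddress

# Zone data copied from the two files on this page (constructed input; the MX record is
# left in the reverse zone exactly as the page has it, so the checker has something to flag).
FORWARD_ZONE = """\
$TTL 600
$ORIGIN 361way.com.
@ IN SOA ns.361way.com. root.361way.com. (
        2014121001 1D 5M 1W 1H ) ;serial refresh retry expiry minimum
@ IN NS ns.361way.com.
  IN MX 5 mail.361way.com.
ns IN A 192.168.0.103
@ IN A 192.168.0.102
www IN A 192.168.0.103
mail IN A 192.168.0.109
pop3 IN A 192.168.0.103
iamp4 IN A 192.168.0.103
"""
REVERSE_ZONE = """\
$TTL 600
$ORIGIN 0.168.192.in-addr.arpa.
@ IN SOA ns.361way.com. root.361way.com. (
        2014121001 1D 5M 1W 1H ) ;serial refresh retry expiry minimum
@ IN NS ns.361way.com.
  IN MX 5 mail.361way.com.
103 IN PTR ns.361way.com.
103 IN PTR www.361way.com.
102 IN PTR 361way.com.
109 IN PTR mail.361way.com.
103 IN PTR pop3.361way.com.
103 IN PTR iamp4.361way.com.
"""
# rdata positions that hold domain names and therefore need $ORIGIN applied
NAME_FIELDS = {"NS": (0,), "CNAME": (0,), "PTR": (0,), "MX": (1,), "SOA": (0, 1)}


def reverse_zone_name(network):  # '192.168.0.0/24' -> '0.168.192.in-addr.arpa.'
    net = ipaddress.ip_network(network)
    if net.version != 4 or net.prefixlen % 8:  # only /8, /16 and /24 map onto one in-addr.arpa zone
        raise ValueError(f"{network}: not an octet-aligned IPv4 prefix")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def ptr_owner_to_ip(owner):  # '103.0.168.192.in-addr.arpa.' -> '192.168.0.103'
    return ".".join(reversed(owner.rstrip(".").split(".")[:-2]))


def _qualify(name, origin):  # zone-file name -> absolute name with trailing dot
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, default_origin):
    """Return [(owner, RTYPE, [rdata tokens])] for every record in a master-format zone."""
    origin = default_origin if default_origin.endswith(".") else default_origin + "."
    records, buf, depth, last_owner, reuse_owner = [], [], 0, origin, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()           # drop comments
        if depth == 0:                                 # first line of a new entry
            buf, reuse_owner = [], line[:1].isspace()  # blank owner field = previous owner
        for tok in line.replace("(", " ( ").replace(")", " ) ").split():
            depth += (tok == "(") - (tok == ")")
            if tok not in ("(", ")"):
                buf.append(tok)
        if depth > 0 or not buf:                       # still inside ( ... ), or an empty line
            continue
        if buf[0].startswith("$"):                     # $TTL / $ORIGIN directives
            if buf[0].upper() == "$ORIGIN":
                origin = _qualify(buf[1], origin)
            continue
        owner = last_owner = last_owner if reuse_owner else _qualify(buf.pop(0), origin)
        while buf and (buf[0][:1].isdigit() or buf[0].upper() in ("IN", "CH", "HS")):
            buf.pop(0)                                 # optional TTL and class, in either order
        rtype, rdata = buf[0].upper(), buf[1:]
        for i in NAME_FIELDS.get(rtype, ()):
            rdata[i] = _qualify(rdata[i], origin)
        records.append((owner, rtype, rdata))
    return records


def check_consistency(forward, reverse, network):
    """Return (errors, warnings) describing A/PTR mismatches between the two zones."""
    net, errors, warnings, a_by_name, ptr_by_ip = ipaddress.ip_network(network), [], [], {}, {}
    for owner, rtype, rdata in forward:
        if rtype == "A":
            a_by_name.setdefault(owner, set()).add(rdata[0])
    for owner, rtype, rdata in reverse:
        if rtype == "PTR":
            ptr_by_ip.setdefault(ptr_owner_to_ip(owner), set()).add(rdata[0])
        elif rtype in ("A", "AAAA", "MX"):             # named-checkzone only warns about these
            warnings.append(f"{rtype} record for {owner} does not belong in a reverse zone")
    for ip, names in sorted(ptr_by_ip.items()):
        if len(names) > 1:
            warnings.append(f"{ip} has {len(names)} PTR records; reverse lookups expect one name")
        for name in sorted(names):
            if ip not in a_by_name.get(name, ()):
                errors.append(f"PTR {ip} -> {name} has no matching A record")
    for name, ips in sorted(a_by_name.items()):
        for ip in sorted(ips):
            if ipaddress.ip_address(ip) in net and name not in ptr_by_ip.get(ip, ()):
                errors.append(f"A {name} -> {ip} has no PTR in the reverse zone")
    return errors, warnings
```

To run it against the page's data, call check_consistency(parse_zone(FORWARD_ZONE, "361way.com"), parse_zone(REVERSE_ZONE, reverse_zone_name("192.168.0.0/24")), "192.168.0.0/24"): the two zones on this page are consistent (no errors), and the checker returns two warnings, one for the stray MX record and one because 192.168.0.103 carries four PTR records. Adding an A record to the forward zone without a PTR, or a PTR whose target has no A record, shows up as an error.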
III. Starting the service
1. The original setup disables SELinux. On a production server it is better to leave it enforcing: the stock targeted policy lets named read zone files in /var/named as long as they carry the right file context, and restorecon on /var/named fixes the context of files that were copied in from elsewhere.
2. Open port 53 for both UDP and TCP in iptables (TCP is needed for zone transfers and for answers too large for a single UDP packet).
3. Start the service (and enable it at boot with chkconfig):
# service named restart
4. On the other hosts, point the resolver at this server, either in the interface configuration file ifcfg-ethX or in /etc/resolv.conf:
# in ifcfg-ethX (the key is DNS1, not DNS; a second server goes in DNS2)
DNS1=192.168.0.103
# in resolv.conf
nameserver 192.168.0.103
IV. Testing with dig, host and nslookup
1. dig
Forward query
# dig -t SOA 361way.com @192.168.0.103
; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> -t SOA 361way.com @192.168.0.103
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15082
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;361way.com. IN SOA
;; ANSWER SECTION:
361way.com. 600 IN SOA ns.361way.com. root.361way.com. 2014121001 86400 300 604800 3600
;; AUTHORITY SECTION:
361way.com. 600 IN NS ns.361way.com.
;; ADDITIONAL SECTION:
ns.361way.com. 600 IN A 192.168.0.103
;; Query time: 1 msec
;; SERVER: 192.168.0.103#53(192.168.0.103)
;; WHEN: Wed Nov 11 23:29:47 CST 2015
;; MSG SIZE rcvd: 113
The aa flag in the header shows that the answer came from the server's own zone data (authoritative), not from its cache or a forwarder. The SOA timers are printed in seconds: 1D = 86400, 5M = 300, 1W = 604800, 1H = 3600.
Reverse query
# dig -x 192.168.0.103 @192.168.0.103 //the address after @ is the DNS server to ask; the one before it is the IP to look up
; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> -x 192.168.0.103 @192.168.0.103
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49453
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;103.0.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
103.0.168.192.in-addr.arpa. 600 IN PTR iamp4.361way.com.
103.0.168.192.in-addr.arpa. 600 IN PTR ns.361way.com.
103.0.168.192.in-addr.arpa. 600 IN PTR www.361way.com.
103.0.168.192.in-addr.arpa. 600 IN PTR pop3.361way.com.
;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 600 IN NS ns.361way.com.
;; ADDITIONAL SECTION:
ns.361way.com. 600 IN A 192.168.0.103
;; Query time: 0 msec
;; SERVER: 192.168.0.103#53(192.168.0.103)
;; WHEN: Wed Nov 11 23:08:19 CST 2015
;; MSG SIZE rcvd: 169
2. host
Forward query
# host -t A www.361way.com 192.168.0.103
Using domain server:
Name: 192.168.0.103
Address: 192.168.0.103#53
Aliases:
www.361way.com has address 192.168.0.103
or, letting host use the name server from /etc/resolv.conf:
# host -i www.361way.com
www.361way.com has address 192.168.0.103
(The -i option only affects IPv6 reverse lookups, making host use the obsolete ip6.int tree, so it changes nothing here; a plain host www.361way.com gives the same answer.)
Reverse query
# host -t ptr 192.168.0.103 192.168.0.103
Using domain server:
Name: 192.168.0.103
Address: 192.168.0.103#53
Aliases:
103.0.168.192.in-addr.arpa domain name pointer pop3.361way.com.
103.0.168.192.in-addr.arpa domain name pointer iamp4.361way.com.
103.0.168.192.in-addr.arpa domain name pointer ns.361way.com.
103.0.168.192.in-addr.arpa domain name pointer www.361way.com.
# host -t ptr 192.168.0.102 192.168.0.103
Using domain server:
Name: 192.168.0.103
Address: 192.168.0.103#53
Aliases:
102.0.168.192.in-addr.arpa domain name pointer 361way.com.
3. nslookup
Forward query
# nslookup www.361way.com
Server: 192.168.0.103
Address: 192.168.0.103#53
Name: www.361way.com
Address: 192.168.0.103
Reverse query, in interactive mode
# nslookup
> set q=ptr
> 192.168.0.102
Server: 192.168.0.103
Address: 192.168.0.103#53
102.0.168.192.in-addr.arpa name = 361way.com.
> 192.168.0.103
Server: 192.168.0.103
Address: 192.168.0.103#53
103.0.168.192.in-addr.arpa name = ns.361way.com.
103.0.168.192.in-addr.arpa name = www.361way.com.
103.0.168.192.in-addr.arpa name = pop3.361way.com.
103.0.168.192.in-addr.arpa name = iamp4.361way.com.
>
or directly from the command line:
# nslookup -q=ptr 192.168.0.102 //on Windows use nslookup -qt=ptr 192.168.0.102
Server: 192.168.0.103
Address: 192.168.0.103#53
102.0.168.192.in-addr.arpa name = 361way.com.
Both -q on Linux and -qt on Windows are abbreviations of -querytype.
- Author: shisekong
- Link: https://blog.361way.com/bind-dns/4807.html
- License: This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License (CC BY-NC-ND 4.0). Kindly fulfill the requirements of the aforementioned License when adapting or creating a derivative of this work.