Introduction to bind-chroot
DNS is the service that resolves domain names to IP addresses.
BIND is the DNS server program used on Linux.
bind-chroot is a BIND feature that runs named inside a chroot: the / (root) directory the process sees is not the system's real root but a subdirectory of it (/var/named/chroot on CentOS 7). The purpose is damage limitation. Inside the chroot, named can only reach files under that subtree and cannot walk out into the rest of the filesystem. Two caveats a practitioner should keep in mind: chroot is a filesystem boundary only (it does nothing against network access or kernel bugs), and a process that keeps root privileges inside a chroot can usually break out of it. The protection therefore rests on named also dropping to the unprivileged named user (the CentOS 7 service starts it with -u named) and on the chroot tree containing nothing writable by that user beyond what the service needs.
Preparation
Environment: CentOS 7
Install bind-chroot
yum install bind-chroot bind -y
Set the hostname
CentOS 7 can set the static hostname directly, no reboot needed. Use the name the server is known by in DNS: this is the primary, WH-DNS-01.JP; the secondary is WH-DNS-02.JP, matching the NS records in the zone file below.
hostnamectl --static set-hostname WH-DNS-01.JP
Firewall
The simplest way is to turn firewalld off, as below. The better option is to leave it running and allow only DNS, that is 53/udp and 53/tcp (TCP is needed for zone transfers to the secondary and for answers too large for UDP); in firewalld that is the predefined dns service.
systemctl stop firewalld #stop the firewall
systemctl disable firewalld.service #do not start firewalld at boot
Configure named
Copy the sample files shipped with BIND to prepare the chroot tree (the path contains the installed BIND version; on CentOS 7 that is bind-9.9.4, adjust it if yours differs)
cp -R /usr/share/doc/bind-9.9.4/sample/var/named/* /var/named/chroot/var/named/
Create the runtime files named writes to inside the chroot
touch /var/named/chroot/var/named/data/cache_dump.db
touch /var/named/chroot/var/named/data/named_stats.txt
touch /var/named/chroot/var/named/data/named_mem_stats.txt
touch /var/named/chroot/var/named/data/named.run
mkdir -p /var/named/chroot/var/named/dynamic
touch /var/named/chroot/var/named/dynamic/managed-keys.bind
Make the data and dynamic directories writable by named
These are the only places named needs write access (statistics, cache dump, log, managed keys; slaves/ as well on a secondary). Give them to the named user instead of making them world-writable with 777: a world-writable directory inside the chroot lets any local user plant files that the service later reads back as its own.
chown -R named:named /var/named/chroot/var/named/data
chown -R named:named /var/named/chroot/var/named/dynamic
chmod -R 770 /var/named/chroot/var/named/data
chmod -R 770 /var/named/chroot/var/named/dynamic
Copy /etc/named.conf into the bind chroot directory
cp -p /etc/named.conf /var/named/chroot/etc/named.conf
named runs with its root at /var/named/chroot, so this copy is the configuration it actually loads. When the named-chroot service starts, its setup step bind-mounts the standard files that are missing or empty in the chroot (for example /etc/named.rfc1912.zones and /etc/named.root.key, which named.conf includes) from the host, so a file placed in the chroot takes precedence over the host copy and files not copied by hand are still found.
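The preparation steps above as one script, added here as an example and not taken from the page or from the BIND project: it creates the chroot layout, copies the sample files when they are present, gives the directories named writes to the service account with mode 770 (never 777), and ends with a check that nothing under the tree is world-writable, which also covers the ownership fix described under "Permission issues" at the end of this page. The chroot root is a parameter so it can be tried in a scratch directory; the service account name (named) and the sample path under /usr/share/doc are assumptions of the CentOS 7 layout, and ownership changes are skipped when not running as root.

```shell
#!/bin/sh
# Added example (not from the original page): build the bind-chroot tree with
# least-privilege permissions, instead of chmod -R 777. Assumes the CentOS 7
# layout: named runs as user "named" with its root at /var/named/chroot.
# Usage: prepare_bind_chroot /var/named/chroot [owner] [sample-dir]

prepare_bind_chroot() {
    root="$1"                                                 # chroot root
    owner="${2:-named}"                                       # service account (assumption)
    sample="${3:-/usr/share/doc/bind-9.9.4/sample/var/named}" # shipped samples, version-specific

    # What named reads (etc, var/named) and what it must write: data (stats, dump,
    # log), dynamic (managed keys), slaves (transferred zones), run/named (pid file).
    for d in etc var/named var/named/data var/named/dynamic var/named/slaves run/named; do
        mkdir -p "$root/$d"
    done

    # Sample zone files (named.ca, named.localhost, ...) when the doc package is present.
    if [ -d "$sample" ]; then cp -Rp "$sample"/. "$root/var/named/"; fi

    # Runtime files the options block points at; create them empty if missing.
    for f in data/cache_dump.db data/named_stats.txt data/named_mem_stats.txt \
             data/named.run dynamic/managed-keys.bind; do
        [ -e "$root/var/named/$f" ] || : > "$root/var/named/$f"
    done

    # Read-only parts: owned by root, readable by the named group, no write bits.
    chmod 755 "$root/etc"
    chmod 750 "$root/var/named"

    # Writable parts: owner and group only (770 directories, 660 files). Never 777:
    # a world-writable directory inside the chroot lets any local user plant files
    # that the service will later read back as its own.
    for d in data dynamic slaves; do
        chmod 770 "$root/var/named/$d"
        find "$root/var/named/$d" -type f -exec chmod 660 {} +
    done
    chmod 770 "$root/run/named"

    # Ownership needs root and an existing account; skipped otherwise so the
    # layout can be exercised in a scratch directory.
    if [ "$(id -u)" -eq 0 ] && id "$owner" >/dev/null 2>&1; then
        chgrp -R "$owner" "$root/var/named"
        for d in data dynamic slaves; do chown -R "$owner:$owner" "$root/var/named/$d"; done
        chown "$owner:$owner" "$root/run/named"
    fi
}

# world_writable_paths ROOT: print every path under ROOT with the other-write
# bit set. Empty output is the expected result after prepare_bind_chroot.
world_writable_paths() {
    find "$1" -perm -0002 -print
}
```

Run it as root with prepare_bind_chroot /var/named/chroot, then world_writable_paths /var/named/chroot should print nothing. named.conf itself is copied separately, as in the step above, and stays root-owned: the service only needs to read it.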
Configure bind in named.conf (the copy inside the chroot)
vim /var/named/chroot/etc/named.conf
The reference configurations follow. Three points about them before the listings:
With allow-query { any; }, allow-query-cache { any; } and recursion yes, both servers answer recursive queries for any client that can reach port 53. On a LAN behind a firewall that is the intended behaviour; on anything reachable from the internet it is an open resolver, usable for DNS amplification and a target for cache poisoning attempts. Restrict recursion to your own networks with an acl and allow-recursion (plus allow-query-cache), and keep allow-query { any; } only for the authoritative zones.
Commenting out listen-on-v6 port 53 { ::1; } only stops named from listening on the IPv6 loopback. The slow lookups seen on hosts without IPv6 connectivity come from named trying unreachable IPv6 addresses of upstream servers; the fix for that is to run named with -4 (OPTIONS="-4" in /etc/sysconfig/named, which the named-chroot service reads).
dnssec-enable no and dnssec-validation no switch DNSSEC off entirely, and the bindkeys-file for ISC DLV refers to a lookaside service that ISC has since shut down, so that line is inert.
Primary DNS
options {
    listen-on port 53 { any; };
    #listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; };
    allow-query-cache { any; };
    notify yes;
    also-notify { 192.168.16.144; };
    forwarders {
        202.103.24.68;
        114.114.114.114;
    };
    recursion yes;
    dnssec-enable no;
    dnssec-validation no;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
#xxxxx.org
zone "xxxxx.org" IN {
    type master;
    file "named.xxxxx.org";
    allow-transfer { 192.168.16.144; }; #zone transfers only to the secondary
    allow-query { any; };
};
#reverse zones
zone "0.0.127.in-addr.arpa" IN {
    type master; #master: this server holds the authoritative copy
    file "named.loopback"; #zone file, relative to directory
    allow-transfer { none; }; #no zone transfers to anyone
};
zone "168.192.in-addr.arpa" IN {
    type master; #master: this server holds the authoritative copy
    file "named.arpa"; #zone file, relative to directory
    allow-update { none; };
    allow-transfer { 192.168.16.144; }; #zone transfers only to the secondary
};
Secondary DNS
The secondary pulls the zones from the primary (masters { 192.168.16.68; }) and has to write the transferred copies to disk, so its slave zone files must live under slaves/, the directory the package makes writable by named (like data/ and dynamic/), not directly in /var/named, where named cannot write unless the whole tree is handed to it.
options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; };
    allow-query-cache { any; };
    forwarders {
        202.103.24.68;
        114.114.114.114;
    };
    recursion yes;
    dnssec-enable no;
    dnssec-validation no;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
#xxxxx.org
zone "xxxxx.org" IN {
    type slave;
    masters { 192.168.16.68; };
    file "slaves/named.xxxxx.org"; #transferred copy, in a directory writable by named
    allow-transfer { none; };
};
#reverse zones
zone "0.0.127.in-addr.arpa" IN {
    type master; #master: local copy of the loopback zone
    file "named.loopback"; #zone file, relative to directory
    allow-transfer { none; }; #no zone transfers to anyone
};
zone "168.192.in-addr.arpa" IN {
    type slave; #slave: transferred from the primary
    file "slaves/named.arpa"; #transferred copy, in a directory writable by named
    masters { 192.168.16.68; };
    allow-transfer { none; };
};
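A quick audit for the two exposures discussed above, an open recursive resolver and zone transfers allowed to anyone, written as an added example for this page rather than anything from the BIND project. It applies BIND's documented ACL fallbacks: for recursive queries allow-recursion is used if set, otherwise allow-query-cache, otherwise allow-query, otherwise only localhost and localnets; a master zone without its own allow-transfer inherits the options-level one, whose default is any. The two configurations it checks are constructed here: one mirrors the options of the listings above, the other is a hardened variant with an acl. It assumes one statement per line and single-line ACLs, as in the listings.

```shell
#!/bin/sh
# Added example (not from the original page): audit a named.conf for open
# recursion and open zone transfers. Assumes one statement per line and
# single-line ACLs such as "allow-query { any; };", as in the listings above.

# Drop #, // and single-line /* */ comments so commented-out lines do not count.
strip_comments() {
    sed -e 's://.*$::' -e 's:#.*$::' -e 's:/\*.*\*/::' "$1"
}

# Print the top-level "options { ... };" block; brace depth is tracked so a nested
# block such as forwarders { ... }; does not end it early.
options_block() {
    strip_comments "$1" | awk '
        /^[[:space:]]*options[[:space:]]*\{/ { inblk = 1 }
        inblk { print; depth += gsub(/\{/, "{") - gsub(/\}/, "}"); if (depth == 0) exit }'
}

# acl_value NAME: from stdin, print the body of "NAME { ... };" (e.g. "any;").
acl_value() {
    grep -E "^[[:space:]]*$1[[:space:]]*\{" | sed -e 's/^[^{]*{[[:space:]]*//' -e 's/[[:space:]]*}.*$//'
}

# The ACL BIND applies to recursive queries, following its documented fallbacks:
# allow-recursion, else allow-query-cache, else allow-query, else localhost/localnets.
effective_recursion_acl() {
    blk=$(options_block "$1")
    for key in allow-recursion allow-query-cache allow-query; do
        v=$(printf '%s\n' "$blk" | acl_value "$key")
        if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
    done
    printf 'localhost; localnets;\n'
}

# is_open_resolver FILE: exit 0 when the server recurses for any client.
# recursion defaults to yes, so only an explicit "recursion no;" turns it off.
is_open_resolver() {
    if options_block "$1" | grep -Eq '^[[:space:]]*recursion[[:space:]]+no[[:space:]]*;'; then
        return 1
    fi
    effective_recursion_acl "$1" | grep -Eq '(^|[[:space:]])any[[:space:]]*;'
}

# zones_with_open_transfer FILE: print each master zone whose effective
# allow-transfer is any (its own, else the options-level one, whose default is any).
zones_with_open_transfer() {
    global=$(options_block "$1" | acl_value allow-transfer)
    [ -n "$global" ] || global="any;"
    strip_comments "$1" | awk -v gdef="$global" '
        /^[[:space:]]*zone[[:space:]]+"/ {
            match($0, /"[^"]*"/); name = substr($0, RSTART + 1, RLENGTH - 2)
            inzone = 1; depth = 0; master = 0; xfer = ""
        }
        inzone {
            if ($0 ~ /^[[:space:]]*type[[:space:]]+master[[:space:]]*;/) master = 1
            if ($0 ~ /^[[:space:]]*allow-transfer[[:space:]]*\{/) {
                xfer = $0; sub(/^[^{]*\{[[:space:]]*/, "", xfer); sub(/[[:space:]]*\}.*$/, "", xfer)
            }
            depth += gsub(/\{/, "{") - gsub(/\}/, "}")
            if (depth == 0) {
                eff = (xfer == "") ? gdef : xfer
                if (master && eff ~ /(^|[[:space:]])any[[:space:]]*;/) print name
                inzone = 0
            }
        }'
}

# Constructed samples. The first mirrors the options of the listings above
# (recursion yes, allow-query/allow-query-cache any, no allow-transfer at all);
# the second restricts recursion and transfers with an acl.
write_weak_conf() {
    cat > "$1" <<'EOF'
options {
    allow-query { any; };
    allow-query-cache { any; };
    recursion yes;
};
zone "xxxxx.org" IN {
    type master;
    file "named.xxxxx.org";
};
EOF
}

write_hardened_conf() {
    cat > "$1" <<'EOF'
acl "trusted" { 127.0.0.1; 192.168.16.0/24; };   # clients allowed to recurse
options {
    allow-query { any; };                  # authoritative answers for everyone
    allow-recursion { trusted; };          # recursion only for our own networks
    allow-query-cache { trusted; };
    allow-transfer { 192.168.16.144; };    # default for every zone: the secondary only
    recursion yes;
};
zone "xxxxx.org" IN {
    type master;
    file "named.xxxxx.org";
};
EOF
}
```

Source the file and run is_open_resolver and zones_with_open_transfer against /var/named/chroot/etc/named.conf. The checks are string-based and only cover the patterns shown; named-checkconf -p prints the parsed configuration in canonical form and is the authoritative view when a file uses a different layout.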
Create the zone file
A zone file holds the records for one domain; for BIND one zone corresponds to one zone file, named by the file statement of its zone block and looked up relative to directory (so named.xxxxx.org above lives in /var/named inside the chroot).
vim /var/named/chroot/var/named/named.xxxxx.org
$TTL 86400 ; 1 day
xxxxx.org. IN SOA WH-DNS-01.JP. lanpang.xxxxx.org. (
        124 ; serial
        86400 ; refresh (1 day)
        3600 ; retry (1 hour)
        604800 ; expire (1 week)
        10800 ; minimum (3 hours)
)
        NS WH-DNS-01.JP.
        NS WH-DNS-02.JP.
WH-DNS-01.JP. A 192.168.16.68
WH-DNS-02.JP. A 192.168.16.144
$ORIGIN xxxxx.org.
* A 192.168.16.37
upload A 106.75.131.201
Points to check in this file. The owner name of the SOA must be the zone apex with a trailing dot (xxxxx.org.); a name such as xxxxx.com here does not match the zone the file is loaded for, and named rejects the zone because the SOA is not at the top of it. The NS lines must start with whitespace so they inherit the owner name from the SOA line. The two A records for WH-DNS-01.JP. and WH-DNS-02.JP. are outside this zone's origin, so named logs them as out-of-zone data and ignores them: the nameserver names must be resolvable through their own zone (JP), or be replaced by in-zone names such as ns1.xxxxx.org with their A records here. The serial must be increased on every edit, or the secondary never picks up the change; a date-based serial (YYYYMMDDnn) is the usual convention. The * record is a wildcard: any name under xxxxx.org that is not defined explicitly resolves to 192.168.16.37.
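Because the secondary above only re-transfers a zone when the primary's SOA serial is greater than the one it holds, the serial has to be bumped on every edit. The following is an added example, not part of the page: it reads the serial of a zone file written like the one above, replaces it with a date-based serial (YYYYMMDDnn), and increments instead when the current serial is already at or past today's base, so the result is always strictly greater. It assumes one SOA per file and that the serial is the first bare decimal token after the SOA keyword, on the same line or on the following lines of a parenthesised SOA; the edited line is re-joined with single spaces. The sample zone it works on is constructed inline from the listing above.

```shell
#!/bin/sh
# Added example (not from the original page): read and bump the SOA serial of a
# zone file. Assumptions: one SOA per file, and the serial is the first bare
# decimal token after the SOA keyword (same line, or the lines that follow in a
# parenthesised SOA as in the listing above).

# soa_serial FILE [NEW]: print the serial, or, with NEW, print the whole file
# with the serial replaced by NEW (used by bump_zone_serial).
soa_serial() {
    awk -v new="${2:-}" '
        !insoa && /[[:space:]]SOA[[:space:]]/ {
            insoa = 1
            for (i = 1; i <= NF; i++) if ($i == "SOA") { first = i + 1; break }
        }
        insoa && !done {
            for (i = (first ? first : 1); i <= NF; i++)
                if ($i ~ /^[0-9]+$/) { if (new == "") print $i; else $i = new; done = 1; break }
            first = 0
        }
        new != "" { print }
    ' "$1"
}

# next_serial CURRENT YYYYMMDD: date-based serial (YYYYMMDDnn, nn from 01).
# If CURRENT is already at or past today's base, just add one, so the result is
# always strictly greater than CURRENT (what the secondary compares against).
next_serial() {
    base=$(( $2 * 100 ))
    if [ "$1" -lt "$base" ]; then echo $(( base + 1 )); else echo $(( $1 + 1 )); fi
}

# bump_zone_serial FILE YYYYMMDD: rewrite FILE with an increased serial and print it.
# Refuses to touch a file without a recognisable serial or one past 32 bits.
bump_zone_serial() {
    cur=$(soa_serial "$1")
    if [ -z "$cur" ]; then echo "no SOA serial found in $1" >&2; return 1; fi
    new=$(next_serial "$cur" "$2")
    if [ "$new" -gt 4294967295 ]; then echo "serial would exceed 32 bits" >&2; return 1; fi
    soa_serial "$1" "$new" > "$1.tmp" && mv "$1.tmp" "$1" && echo "$new"
}

# Constructed sample: the zone file from this page (serial 124).
write_sample_zone() {
    cat > "$1" <<'EOF'
$TTL 86400 ; 1 day
xxxxx.org. IN SOA WH-DNS-01.JP. lanpang.xxxxx.org. (
        124 ; serial
        86400 ; refresh (1 day)
        3600 ; retry (1 hour)
        604800 ; expire (1 week)
        10800 ; minimum (3 hours)
)
        NS WH-DNS-01.JP.
        NS WH-DNS-02.JP.
$ORIGIN xxxxx.org.
* A 192.168.16.37
upload A 106.75.131.201
EOF
}
```

Typical use on the primary after editing the zone: bump_zone_serial /var/named/chroot/var/named/named.xxxxx.org "$(date +%Y%m%d)", then rndc reload, and check on the secondary that the serial in slaves/named.xxxxx.org has caught up.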
Glossary:
SOA record: start of authority; it carries the zone's serial and the timing parameters in parentheses (refresh, retry, expire, minimum) that secondaries use to decide when to re-transfer the zone and how long to keep serving it without contact with the primary.
A record: maps a name to an IPv4 address.
CNAME record: an alias; one name points at another name, so both resolve to the same address.
MX record: names the mail server that receives mail for addresses at a domain, e.g. XXX@ABC.COM.
TXT record: free-form text. For example 126.COM publishes the TXT record "v=spf1 include:spf.163.com -all"; this is SPF, which lists the hosts allowed to send mail for the domain so that receiving mail servers can reject forged senders instead of treating the domain as a spam source.
Finally
- Permission issues
If everything is configured and named still will not start or will not resolve, check permissions. The quickest fix is a blanket chown of the tree:
chown -R named:named /var/named/
Prefer to find the real error first: named-checkconf -t /var/named/chroot validates the configuration as named sees it inside the chroot (add -z to load the zones as well), and the service log (journalctl -u named-chroot) names the file it cannot read or write. The blanket chown works, but it also hands the service write access to every zone file; the least-privilege layout is named.conf readable by named, zone files readable, and write access only on data/, dynamic/ and slaves/.
- Start commands
systemctl enable named-chroot
systemctl start named-chroot
Enable named-chroot only, not the plain named service as well: both would try to bind port 53. After starting, test locally with dig @127.0.0.1 xxxxx.org SOA, and confirm the transfer by checking that slaves/named.xxxxx.org has appeared on the secondary.