Published 6 December 2023 (author: )

Step 1: Install bind-chroot

[root@localhost named]# yum install -y bind bind-chroot bind-utils

The output looks like this:

[root@localhost ~]# yum install -y bind bind-chroot bind-utils

Loaded plugins: fastestmirror, langpacks

Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast

base | 3.6 kB 00:00:00

extras | 3.4 kB 00:00:00

updates | 3.4 kB 00:00:00

(1/2): extras/7/x86_64/primary_db | 117 kB 00:00:00

(2/2): updates/7/x86_64/primary_db | 4.7 MB 00:00:01

Determining fastest mirrors

* base:

* extras:

* updates:

Resolving Dependencies --> Running transaction check

---> Package bind.x86_64 32:7_1.5 will be installed

--> Processing Dependency: bind-libs = 32:7_1.5 for package: 32:7_1.5.x86_64

---> Package bind-chroot.x86_64 32:7_1.5 will be installed

---> Package bind-utils.x86_64 32:7 will be updated

---> Package bind-utils.x86_64 32:7_1.5 will be an update

--> Running transaction check

---> Package bind-libs.x86_64 32:7 will be updated

---> Package bind-libs.x86_64 32:7_1.5 will be an update

--> Processing Dependency: bind-license = 32:7_1.5 for package: 32:7_1.5.x86_64

--> Running transaction check

---> Package 32:7 will be updated

--> Processing Dependency: bind-license = 32:7 for package: 32:7.x86_64

---> Package 32:7_1.5 will be an update

--> Running transaction check

---> Package bind-libs-lite.x86_64 32:7 will be updated

---> Package bind-libs-lite.x86_64 32:7_1.5 will be an update

--> Finished Dependency Resolution

Dependencies Resolved

=================================================================================================

Package Arch Version Repository Size

=================================================================================================

Installing: bind x86_64 32:7_1.5 updates 1.8 M

bind-chroot x86_64 32:7_1.5 updates 82 k

Updating:

bind-utils x86_64 32:7_1.5 updates 199 k

Updating for dependencies:

bind-libs x86_64 32:7_1.5 updates 1.0 M

bind-libs-lite x86_64 32:7_1.5 updates 713 k

bind-license noarch 32:7_1.5 updates 80 k

Transaction Summary

=================================================================================================

Install 2 Packages

Upgrade 1 Package (+3 Dependent packages)

Total download size: 3.8 M

Is this ok [y/d/N]: y

Downloading packages:

updates/7/x86_64/prestodelta | 297 kB

00:00:05

Delta RPMs reduced 1.7 M of updates to 307 k (82% saved)

(1/6): 7_7_1.5.x86_ | 139 kB 00:00:00

(2/6): 7_7_1.5.x86_ | 168 kB 00:00:00

warning: /var/cache/yum/x86_64/7/updates/packages/7_1.5.x86_: Header V3 RSA/SHA256

Signature, key ID f4a80eb5: NOKEY

Public key for 7_1.5.x86_ is not installed (3/6): 7_1.5.x86_ | 82 kB

00:00:00

(4/6): 7_ | 80 kB

00:00:00

(5/6): 7_1.5.x86_ | 199 kB

00:00:00

(6/6): 7_1.5.x86_ | 1.8 MB

00:00:00

Finishing delta rebuilds of 2 package(s) (1.7 M)

---------------------------------------------------------------------------------------------------------------------

Total 1.6 MB/s | 2.4 MB

00:00:01

Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

Importing GPG key 0xF4A80EB5:

Userid : "CentOS-7 Key (CentOS 7 Official Signing Key) "

Fingerprint: 6341 ab27 53d7 8a78 a7c2 7bb1 24c6 a8a7 f4a8 0eb5

Package : .2.8.x86_64 (@anaconda)

From : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

Is this ok [y/N]: y

Running transaction check

Running transaction test

Transaction test succeeded

Running transaction

Updating : 32:7_

1/10 Updating : 32:7_1.5.x86_64

2/10

Installing : 32:7_1.5.x86_64

3/10

Installing : 32:7_1.5.x86_64

4/10

Updating : 32:7_1.5.x86_64

5/10

Updating : 32:7_1.5.x86_64

6/10

Cleanup : 32:7.x86_64

7/10

Cleanup : 32:7.x86_64

8/10

Cleanup : 32:7.x86_64

9/10

Cleanup : 32:

10/10

Verifying : 32:7_1.5.x86_64

1/10

Verifying : 32:7_1.5.x86_64

2/10

Verifying : 32:7_1.5.x86_64

3/10

Verifying : 32:7_1.5.x86_64 4/10

Verifying : 32:7_1.5.x86_64

5/10

Verifying : 32:7_

6/10

Verifying : 32:

7/10

Verifying : 32:7.x86_64

8/10

Verifying : 32:7.x86_64

9/10

Verifying : 32:7.x86_64

10/10

Installed:

bind.x86_64 32:7_1.5 bind-chroot.x86_64 32:7_1.5

Updated:

bind-utils.x86_64 32:7_1.5

Dependency Updated:

bind-libs.x86_64 32:7_1.5 bind-libs-lite.x86_64 32:7_1.5

32:7_1.5

Complete!

Step 2: Edit the configuration file

The configuration file is the one under /etc/.

[Not the file under /var/named/chroot/var/named/.]

//
//
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { any; };
    directory "/var/named";
    dump-file "/var/named/data/cache_";
    statistics-file "/var/named/data/named_";
    memstatistics-file "/var/named/data/named_mem_";
    allow-query { any; };

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/";
    session-keyfile "/run/named/";
};

logging {
    channel default_debug {
        file "data/";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "";
};

zone "" IN {
    type master;
    file "";
};

zone "" IN {
    type master;
    file "ck";
};

This part is what I added during my experiment.

Note that two files are involved here:

ck

--- Both files are located in the /var/named directory.

include "/etc/";

include "/etc/";
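The options block above is worth reading with the comment inside it in mind: it combines `listen-on { any; }`, `allow-query { any; }` and `recursion yes;` with no `allow-recursion`, which is exactly the open-resolver shape the comment warns about (in BIND 9, an absent `allow-recursion` inherits `allow-query-cache`, which inherits `allow-query`). The following audit script is an added example, not part of the original post or of BIND; it parses the options block, reports that combination, and shows a hardened variant. The lab network 192.168.5.0/24 in the hardened block is taken from Step 3; the sample configuration text is constructed from the directives shown above.

```python
import re

# Constructed sample: the directives from the options { } block shown above that
# decide whether the server answers recursive queries for anyone.
SAMPLE_NAMED_CONF = """
options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { any; };
    directory "/var/named";
    allow-query { any; };
    recursion yes;
    dnssec-validation yes;
};
"""

# Hardened variant (assumption: the box is authoritative for its own zones and
# should recurse only for the lab network 192.168.5.0/24 named in Step 3).
HARDENED_NAMED_CONF = """
options {
    listen-on port 53 { any; };
    allow-query { any; };
    recursion yes;
    allow-recursion { 127.0.0.1; 192.168.5.0/24; };
    allow-transfer { none; };
    dnssec-validation yes;
};
"""


def strip_comments(text):
    """Drop the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def options_block(text):
    """Return the body of options { ... }, matching braces by depth so the nested
    { any; } lists inside it do not end the block early."""
    text = strip_comments(text)
    start = re.search(r"(?<![\w-])options\s*\{", text)
    if not start:
        return ""
    depth, i = 1, start.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[start.end():i - 1]


def directive(body, name):
    """Value of a directive ('yes', '{ any; }', 'port 53 { any; }') or None if absent.
    The look-behind keeps 'recursion' from matching inside 'allow-recursion'."""
    pattern = r"(?<![\w-])" + re.escape(name) + r"\s+([^;{}]*(?:\{[^}]*\})?)\s*;"
    m = re.search(pattern, body)
    return m.group(1).strip() if m else None


def acl_tokens(value):
    """Split an ACL like '{ 127.0.0.1; 192.168.5.0/24; }' into its entries."""
    return re.findall(r"[\w./:]+", value or "")


def audit(text):
    """Return findings for open-resolver and zone-transfer exposure in the options block."""
    body = options_block(text)
    findings = []
    # BIND 9 defaults: recursion is yes; an absent allow-recursion inherits
    # allow-query-cache, which inherits allow-query, which defaults to localnets/localhost.
    recursion = (directive(body, "recursion") or "yes").lower() == "yes"
    effective_recursion_acl = (directive(body, "allow-recursion")
                               or directive(body, "allow-query-cache")
                               or directive(body, "allow-query")
                               or "{ localnets; localhost; }")
    if recursion and "any" in acl_tokens(effective_recursion_acl):
        findings.append("open resolver: recursion yes and recursion is allowed for { any; } "
                        "(set allow-recursion to your own networks, or recursion no)")
    if directive(body, "allow-transfer") is None:
        findings.append("allow-transfer not set: BIND 9.9 on CentOS 7 allows AXFR to any client "
                        "by default (set allow-transfer { none; } or list your secondaries)")
    return findings


if __name__ == "__main__":
    for label, conf in (("page config", SAMPLE_NAMED_CONF), ("hardened", HARDENED_NAMED_CONF)):
        print(label, audit(conf) or ["no findings"])
```

Run it against a copy of the real file with `audit(open("/etc/named.conf").read())`; the brace-depth parser is deliberately simple and only inspects the top-level options block, so zone-level `allow-transfer` overrides are not considered.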

Step 3: Add the zone files and set their ownership.

ck

Test domain:

Network address: 192.168.5.0/24

In the /var/named directory there are two files that can be used as templates: ost and ost

[root@localhost named]# ll

total 16

drwxr-x---. 7 root named 56 Nov 15 15:36 chroot

drwxrwx---. 2 named named 6 Sep 3 18:35 data

drwxrwx---. 2 named named 6 Sep 3 18:35 dynamic

-rw-r-----. 1 root named 2076 Jan 28 2013

-rw-r-----. 1 root named 152 Dec 15 2009

-rw-r-----. 1 root named 152 Jun 21 2007 ost

-rw-r-----. 1 root named 168 Dec 15 2009 ost

drwxrwx---. 2 named named 6 Sep 3 18:35 slaves

[root@localhost named]#

[root@localhost named]#

[root@localhost named]# ck

[Actually, the file name can be anything; there is no strict requirement.]

$TTL 1D
@       IN SOA  @ d. (
                        0       ; serial
                        1D      ; refresh
                        1H      ; retry
                        1W      ; expire
                        3H )    ; minimum
        NS      @
        A       127.0.0.1
        AAAA    ::1
oa      IN A    192.168.63.5
fs      IN A    192.168.63.4

ck

$TTL 1D
@       IN SOA  @ d. (
                        0       ; serial
                        1D      ; refresh
                        1H      ; retry
                        1W      ; expire
                        3H )    ; minimum
        NS      @
        A       127.0.0.1
        AAAA    ::1
        PTR     localhost.
5       IN PTR  .
4       IN PTR  .
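A forward zone and its reverse zone drift apart easily (the A records above use 192.168.63.x while the stated network is 192.168.5.0/24, for instance), and a PTR that points at the wrong name is a common cause of confusing lookups. The script below is an added example, not from the original post: a small zone-file parser in the layout of the two files above, plus a check that every A record has a PTR pointing back at it and vice versa. The domain example.test, the rname hostmaster.example.test. and the PTR targets are assumptions, since the page elides them; the reverse origin 63.168.192.in-addr.arpa. follows the addresses in the A records.

```python
import ipaddress
import re

# Assumed names: the page elides the domain and the PTR targets, so these are placeholders.
FORWARD_ORIGIN = "example.test."
REVERSE_ORIGIN = "63.168.192.in-addr.arpa."   # the A records above use 192.168.63.x

# Constructed forward zone, following the layout of the page's first zone file.
FORWARD_ZONE = """\
$TTL 1D
@       IN SOA  @ hostmaster.example.test. (
                        0       ; serial
                        1D      ; refresh
                        1H      ; retry
                        1W      ; expire
                        3H )    ; minimum
        NS      @
        A       127.0.0.1
        AAAA    ::1
oa      IN A    192.168.63.5
fs      IN A    192.168.63.4
"""

# Constructed reverse zone matching the page's second zone file.
REVERSE_ZONE = """\
$TTL 1D
@       IN SOA  @ hostmaster.example.test. (
                        0 1D 1H 1W 3H )
        NS      @
5       IN PTR  oa.example.test.
4       IN PTR  fs.example.test.
"""


def absolute(name, origin):
    """Make an owner or target name fully qualified relative to the zone origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Parse a zone file into (owner, type, rdata-tokens). Handles $TTL/$ORIGIN,
    ';' comments, '( ... )' continuation lines and blank-owner inheritance."""
    records, prev_owner, buf = [], origin, ""
    for raw in text.splitlines():
        line = raw.split(";")[0].rstrip()
        if not line.strip():
            continue
        buf = f"{buf} {line}" if buf else line
        if buf.count("(") > buf.count(")"):
            continue                      # record continues on the next line
        line, buf = buf, ""
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):
            continue                      # $TTL: not needed for this check
        tokens = line.replace("(", " ").replace(")", " ").split()
        owner = prev_owner if line[0].isspace() else absolute(tokens.pop(0), origin)
        # an optional TTL and class may precede the type, in either order
        while tokens and (tokens[0].upper() == "IN" or re.fullmatch(r"\d+[smhdw]?", tokens[0], re.I)):
            tokens.pop(0)
        records.append((owner, tokens[0].upper(), tokens[1:]))
        prev_owner = owner
    return records


def ptr_owner_to_ip(owner):
    """'5.63.168.192.in-addr.arpa.' -> '192.168.63.5'."""
    name = owner.rstrip(".")
    if name.endswith(".in-addr.arpa"):
        name = name[:-len(".in-addr.arpa")]
    return str(ipaddress.ip_address(".".join(reversed(name.split(".")))))


def check_consistency(forward, reverse):
    """Every non-loopback A record needs a PTR pointing back at the same name, and vice versa."""
    a_by_ip = {rdata[0]: owner for owner, rtype, rdata in forward
               if rtype == "A" and not ipaddress.ip_address(rdata[0]).is_loopback}
    ptr_by_ip = {ptr_owner_to_ip(owner): rdata[0] for owner, rtype, rdata in reverse if rtype == "PTR"}
    problems = []
    for ip, name in a_by_ip.items():
        if ip not in ptr_by_ip:
            problems.append(f"{name} A {ip}: no PTR record")
        elif ptr_by_ip[ip] != name:
            problems.append(f"PTR for {ip} is {ptr_by_ip[ip]}, expected {name}")
    for ip, name in ptr_by_ip.items():
        if ip not in a_by_ip:
            problems.append(f"PTR {ip} -> {name}: no matching A record")
    return problems


if __name__ == "__main__":
    fwd = parse_zone(FORWARD_ZONE, FORWARD_ORIGIN)
    rev = parse_zone(REVERSE_ZONE, REVERSE_ORIGIN)
    print(check_consistency(fwd, rev) or ["forward and reverse zones agree"])
```

This complements, rather than replaces, `named-checkzone`, which validates syntax for one zone at a time but does not compare a forward zone against its reverse.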

About changing the owner of the two files: during the experiment I forgot to change the owner of these two files, which nearly drove me to despair, because the system kept reporting that the file could not be found.

In a graphical interface this is simple.

On the command line it is also easy: chown named:named zone_file

[root@localhost named]# chown named:named *

[root@localhost named]# ls .*

[root@localhost named]# ll -all

total 32

drwxr-x---. 6 root named 4096 Nov 15 16:33 .

drwxr-xr-x. 23 root root 4096 Nov 15 15:36 ..

-rw-r-----. 1 named named 220 Nov 15 16:33 ck

-rw-r-----. 1 named named 194 Nov 15 16:33

drwxr-x---. 7 root named 56 Nov 15 15:36 chroot

drwxrwx---. 2 named named 6 Sep 3 18:35 data

drwxrwx---. 2 named named 6 Sep 3 18:35 dynamic

-rw-r-----. 1 root named 2076 Jan 28 2013

-rw-r-----. 1 root named 152 Dec 15 2009

-rw-r-----. 1 root named 152 Jun 21 2007 ost

-rw-r-----. 1 root named 168 Dec 15 2009 ck

drwxrwx---. 2 named named 6 Sep 3 18:35 slaves

chown usage

chown [-cfhvR] [--help] [--version] user[:group] file...

Parameter   Description
user        user ID of the new owner of the file
group       group of the new owner of the file
-c          report only when the owner was actually changed
-f          do not print an error message if the owner cannot be changed
-h          change the symbolic link itself, not the file it points to
-v          show details of every ownership change
-R          apply the same ownership change to all files and subdirectories under the directory (i.e. recursively)

Examples

// Change the owner and group of the rootfs directory and its subdirectories to root
chown -R root:root rootfs

// Change the owner and group of the rootfs directory and its subdirectories to user liufan and group liufan-desktop
chown -R liufan:liufan-desktop rootfs

Step 4: Configure the firewall

Using firewalld on CentOS 7 as an example:

# firewall-cmd --add-port=53/tcp
# firewall-cmd --add-port=53/udp

To keep the firewall rules from being lost after a reboot, add the --permanent option. A rule added with --permanent alone is only written to the saved configuration and becomes active after firewall-cmd --reload or a restart; because both the runtime and the --permanent forms are run here, port 53 is open immediately and also survives a reboot.

[root@localhost named]# firewall-cmd --add-port=53/udp --permanent

success

[root@localhost named]# firewall-cmd --add-port=53/tcp --permanent

success

You can verify with # firewall-cmd --list-all:

[root@localhost ~]# firewall-cmd --list-all

public (default, active)

interfaces: eno16777736

sources:

services: dhcpv6-client ssh

ports: 53/udp 53/tcp

masquerade: no

forward-ports:

icmp-blocks:

rich rules:

[root@localhost ~]#

Step 4: Starting, restarting and stopping named (the DNS service), and simple diagnostics

Start: # systemctl start named

[root@localhost named]# systemctl start named

[root@localhost named]# systemctl status named

e - Berkeley Internet Name Domain (DNS)

Loaded: loaded (/usr/lib/systemd/system/e; disabled)

Active: active (running) since Sun 2015-11-15 16:39:56 CST; 9s ago

Process: 31689 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS)

Process: 31687 ExecStartPre=/usr/sbin/named-checkconf -z /etc/ (code=exited, status=0/SUCCESS)

Main PID: 31691 (named)

CGroup: //e

└─31691 /usr/sbin/named -u named

Nov 15 16:39:57 omain named[31691]: error (network unreachable) resolving 'n...53

Nov 15 16:39:57 omain named[31691]: error (network unreachable) resolving 'p...53

Nov 15 16:39:57 omain named[31691]: error (network unreachable) resolving 'n...53

Nov 15 16:39:57 omain named[31691]: error (network unreachable) resolving 'n...53

Nov 15 16:39:57 omain named[31691]: error (network unreachable) resolving 'n...53

Nov 15 16:39:57 omain named[31691]: error (network unreachable) resolving 'p...53

Nov 15 16:39:57 omain named[31691]: error (network unreachable) resolving 'p...53

Nov 15 16:39:57 omain named[31691]: error (network unreachable) resolving 'p...53

Nov 15 16:39:57 omain named[31691]: error (network unreachable) resolving 'p...53

Nov 15 16:39:57 omain named[31691]: error (network unreachable) resolving 'p...53

Hint: Some lines were ellipsized, use -l to show in full.

[root@localhost named]#

Stop: # systemctl stop named

Restart: # systemctl restart named

Simple diagnostics:

1. # systemctl status named

If named cannot start, the start command reports a failure; this command shows the reason for the failure.

[root@localhost ~]# systemctl status named

e - Berkeley Internet Name Domain (DNS)

Loaded: loaded (/usr/lib/systemd/system/e; enabled)

Active: active (running) since Sun 2015-11-15 14:10:07 CST; 2h 4min ago

Process: 14597 ExecReload=/bin/sh -c /usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)

Process: 1828 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS)

Process: 1374 ExecStartPre=/usr/sbin/named-checkconf -z /etc/ (code=exited, status=0/SUCCESS)

Main PID: 1844 (named)

CGroup: //e

└─1844 /usr/sbin/named -u named

Nov 15 16:10:07 omain named[1844]: error (

Nov 15 16:10:07 omain named[1844]: error (

Nov 15 16:10:07 omain named[1844]: error (

Nov 15 16:10:07 omain named[1844]: error (

Nov 15 16:10:07 omain named[1844]: error (

Nov 15 16:10:07 omain named[1844]: error (

Nov 15 16:10:08 omain named[1844]: error (

Nov 15 16:10:08 omain named[1844]: error (

Nov 15 16:10:09 omain named[1844]: error (

Nov 15 16:10:09 omain named[1844]: error (

Hint: Some lines were ellipsized, use -l to show in full.

2. # netstat -atulpn

Check whether the port is open; DNS uses port 53.

[root@localhost ~]# netstat -atulpn

Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name

tcp 0 0 192.168.1.113:53 0.0.0.0:* LISTEN 1844/named

tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 1844/named

tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1369/sshd

tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 13631/cupsd

tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2461/master

tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 1844/named

tcp6 0 0 :::53 :::* LISTEN 1844/named

tcp6 0 0 :::22 :::* LISTEN 1369/sshd

tcp6 0 0 ::1:631 :::* LISTEN 13631/cupsd

tcp6 0 0 ::1:25 :::* LISTEN 2461/master

tcp6 0 0 ::1:953 :::* LISTEN 1844/named

udp 0 0 192.168.1.113:53 0.0.0.0:* 1844/named

udp 0 0 127.0.0.1:53 0.0.0.0:* 1844/named

udp 0 0 0.0.0.0:68 0.0.0.0:* 14556/dhclient

udp 0 0 0.0.0.0:123 0.0.0.0:* 764/chronyd

udp 0 0 0.0.0.0:55425 0.0.0.0:* 14556/dhclient

udp 0 0 0.0.0.0:5353 0.0.0.0:* 760/avahi-daemon: r

udp 0 0 127.0.0.1:323 0.0.0.0:* 764/chronyd

udp 0 0 0.0.0.0:41330 0.0.0.0:* 760/avahi-daemon: r

udp6 0 0 :::53 :::* 1844/named

udp6 0 0 :::123 :::* 764/chronyd

udp6 0 0 ::1:323 :::* 764/chronyd

udp6 0 0 :::62031 :::* 14556/dhclient

Step 5: Testing (use dig on Linux; use nslookup on Windows clients)

dig usage

# The most basic use of dig
dig @server

# Use dig to view a zone transfer
dig @server AXFR

# Use dig to view an incremental zone transfer
dig @server IXFR=N

# Use dig for a reverse lookup
dig -x 124.42.102.203 @server

# Find the authoritative DNS servers for a domain
dig +nssearch

# Trace the resolution of a name starting from the root servers
dig +trace

# See which F root DNS server you are using
dig +norec @ CHAOS TXT

# Check the BIND version
dig @bind_dns_server CHAOS TXT

Actual result:

[root@localhost named]# dig @192.168.63.5

; <<>>DiG 7_1.5 <<>> @192.168.63.5

; (1 server found)

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29362

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:

;. IN A

;; ANSWER SECTION:

. 86400 IN A 192.168.63.4

;; AUTHORITY SECTION:

. 86400 IN NS .

;; ADDITIONAL SECTION:

. 86400 IN A 127.0.0.1

. 86400 IN AAAA ::1

;; Query time: 1 msec

;; SERVER: 192.168.63.5#53(192.168.63.5)

;; WHEN: Sun Nov 15 16:58:41 CST 2015

;; MSG SIZE rcvd: 118

[root@localhost named]#
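The header line of that dig output (`status: NOERROR`, `flags: qr aa rd ra`) is where the test tells you most: `aa` confirms the answer came from the server's own zone, and `ra` means the server offers recursion to the querying client, which ties back to the `recursion yes;` / `allow-query { any; }` combination in Step 2. The following is an added example, not code from the original post or from dig: it builds a DNS query in wire format, parses a constructed reply that mirrors the output above (echoed id 29362, flags qr aa rd ra, one A record with TTL 86400 for 192.168.63.4), and explains the flags. The query name fs.example.test is an assumption, since the page elides it; `query_server` sends the same query to a real server but is not exercised offline.

```python
import socket
import struct

QTYPE_A = 1

# (name, bit position in the 16-bit flags field), RFC 1035 section 4.1.1
FLAG_BITS = (("qr", 15), ("aa", 10), ("tc", 9), ("rd", 8), ("ra", 7))


def encode_name(name):
    """'fs.example.test' -> b'\\x02fs\\x07example\\x04test\\x00'."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"


def build_query(name, qtype=QTYPE_A, txid=0x1234, rd=True):
    """DNS query in wire format: 12-byte header followed by one question."""
    flags = 0x0100 if rd else 0x0000          # RD = recursion desired, as dig sends by default
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:             # compression pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def parse_response(msg):
    """Return id, flag names, rcode and the answer section, like dig's header lines."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": txid, "rcode": flags & 0xF, "answers": [],
            "flags": [n for n, bit in FLAG_BITS if flags >> bit & 1]}
    off = 12
    for _ in range(qd):
        _, off = parse_name(msg, off)
        off += 4                               # qtype + qclass
    for _ in range(an):
        name, off = parse_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        info["answers"].append((name, rtype, ttl, rdata))
    return info


def diagnose(info):
    """What the flags mean operationally, including the one security-relevant bit."""
    notes = []
    if "aa" in info["flags"]:
        notes.append("aa: the answer came from this server's own zone data")
    if "ra" in info["flags"]:
        notes.append("ra: the server offers recursion to this client; if an authoritative-only "
                     "server shows this to clients outside its own networks, restrict recursion")
    if "tc" in info["flags"]:
        notes.append("tc: the answer was truncated, retry the query over TCP")
    if info["rcode"] != 0:
        notes.append(f"rcode {info['rcode']}: the query failed (3 = NXDOMAIN, 5 = REFUSED)")
    return notes


def sample_response(query):
    """Constructed reply mirroring the dig output above: echoed id, flags qr aa rd ra,
    one A record with TTL 86400 (assumed name fs.example.test, address from the page)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 0, 0)   # qr|aa|rd|ra
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 86400, 4) + bytes([192, 168, 63, 4])
    return header + query[12:] + answer


def query_server(server, name, timeout=2.0):
    """Send the query over UDP to a real server (not exercised offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


if __name__ == "__main__":
    q = build_query("fs.example.test", txid=29362)
    r = parse_response(sample_response(q))
    print(r)
    print(*diagnose(r), sep="\n")
```

Running `query_server("192.168.63.5", "fs.example.test")` from a client outside the server's own networks and seeing `ra` in the flags is the quickest confirmation that the Step 2 configuration still recurses for everyone.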

When testing on Linux, if the machine gets its address via DHCP, editing the resolver configuration file has no effect, so the simplest approach is to use a Windows XP/7 machine.

Add the DNS server address.

Test with nslookup:

Step 6: Start named automatically at boot

# systemctl enable named