Notes on using and configuring BIND

1. Installing bind

yum -y install bind* caching-nameserver

You can check whether bind is already installed with rpm -qa | grep bind.

2. Configuration

The configuration file /etc/named.conf:

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
#       listen-on port 53 { 127.0.0.1; };   // listen on port 53 of the local address only
        listen-on port 53 { any; };         // listen on port 53 of all addresses; set the IPs to listen on here as needed
#       listen-on-v6 port 53 { ::1; };      // for IPv6
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
#       forwarders {202.38.64.1;202.39.64.7;};   // forwarders (if this DNS server cannot resolve a name, forward the query to other DNS servers)
#       allow-query     { localhost; };    // allow queries from localhost only
        allow-query     { any; };        // allow all queries
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";     // list of the root DNS servers
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
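The combination above, listen-on any, allow-query any and recursion yes with no allow-recursion, makes named a recursive resolver for every address that can reach port 53. The following check is an added example, not part of the original post or of BIND: it reads the options block from a constructed excerpt of the file above and flags that combination, next to a copy with allow-recursion limited to the 192.168.2.0/24 LAN (an assumed trusted range).

```python
import re

# Constructed excerpt of the options block above, comments included.
NAMED_CONF = """options {
#       listen-on port 53 { 127.0.0.1; };   // commented out: must be ignored
        listen-on port 53 { any; };
        directory       "/var/named";
        allow-query     { any; };        // allow all queries
        recursion yes;
};
"""
# The same block with recursion restricted to the LAN: the hardened counterpart.
HARDENED = NAMED_CONF.replace(
    "recursion yes;",
    "allow-recursion { 192.168.2.0/24; localhost; };\n        recursion yes;")

def option_values(conf, name):
    """Elements of 'name { a; b; };' as a list, or the bare value of
    'name value;', taken from the options block; None when absent."""
    text = "\n".join(re.sub(r"(//|#).*", "", l) for l in conf.splitlines())
    block = re.search(r"options\s*\{(.*?)\n\};", text, re.S)
    if not block:
        return None
    pattern = (rf"(?<![\w-]){re.escape(name)}(?![\w-])(?:\s+port\s+\d+)?\s*"
               r"(?:\{([^}]*)\}|([^;{}]+));")
    m = re.search(pattern, block.group(1))
    if not m:
        return None
    if m.group(1) is not None:
        return [e.strip() for e in m.group(1).split(";") if e.strip()]
    return m.group(2).strip()

def audit_resolver(conf):
    """Report the open-recursive-resolver combination. allow-recursion falls
    back to allow-query-cache, then allow-query, then localnets;localhost
    (BIND 9 defaulting rule), so 'allow-query { any; }' alone opens recursion."""
    findings = []
    recursion = option_values(conf, "recursion") or "yes"   # named's default
    allow_rec = (option_values(conf, "allow-recursion")
                 or option_values(conf, "allow-query-cache")
                 or option_values(conf, "allow-query")
                 or ["localnets", "localhost"])
    if recursion == "yes" and "any" in allow_rec:
        findings.append("open recursive resolver: recursion is allowed from any")
    if "any" in (option_values(conf, "listen-on") or []):
        findings.append("listen-on any: named is bound on every interface")
    return findings
```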

 

The named.ca file is generated automatically when bind is installed; you can also download the named.root file from ftp://ftp.internic.net/domain and rename it to named.ca.

Querying the same domain name with the bundled named.ca and with named.root gives different results, but both seem to be correct.

Add your own domain in /etc/named.rfc1912.zones for testing:

// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

// for IPv6 , you can comment it if you want .
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
};

zone "test.com" IN {
        type master;
        file "test.com.zone";
        allow-update { none; };
};

zone "2.168.192.in-addr.arpa" IN {
        type master;
        file "2.168.192.in-addr.local";
        allow-update { none; };
};

Then create two files in /var/named, test.com.zone and 2.168.192.in-addr.local, for forward and reverse lookups respectively. Their owner and group must match the other files in that directory such as named.localhost (normally root:named), otherwise unexpected errors occur.

test.com.zone:

$TTL    86400
@               IN SOA  tom jerry (                     ; tom and jerry should be the primary nameserver and the admin mailbox; filling them in arbitrarily here causes no problem
                                        42              ; serial (d. adams)
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum
               IN NS            ns.test.com.            ; notice : don't forget the dot in the end
               IN MX 10         mail.test.com.
www             IN A            192.168.2.80
www             IN A            192.168.2.70
ns              IN A            192.168.2.90
mail            IN A            192.168.2.80
ftp             IN CNAME        www

 

1) Note the dot after the domain name: it marks an FQDN (Fully Qualified Domain Name), see TCP/IP Illustrated, Volume 1. Without it the system treats the name as incomplete and appends the origin automatically, giving the following error:

zone test.com/IN: NS 'ns.test.com.test.com' has no address records (A or AAAA)

 

2) ns.test.com. must not be written as test.com.; some blogs misleadingly leave it incomplete, which gives the following error:

zone test.com/IN: NS 'test.com' has no address records (A or AAAA)
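Both errors above come from how named absolutizes names in a zone file. The following parser and check are an added example, not code from the original post or from BIND; they run on a constructed copy of the test.com zone and reproduce the two error lines for the missing-dot and apex-NS variants.

```python
import re

def qualify(name, origin):
    # '@' is the origin; a name without a trailing dot gets the origin appended
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"
def parse_zone(text, origin):
    """(owner, type, rdata) tuples; handles ';' comments, $-directives, SOA
    parentheses spanning lines, and a blank owner column (= previous owner)."""
    records, owner, buf, inherit = [], origin, "", False
    for raw in text.splitlines():
        line = re.sub(r";.*", "", raw).strip()
        if not line:
            continue
        if not buf:
            inherit = raw[:1].isspace()
        buf += " " + line
        if buf.count("(") > buf.count(")"):
            continue  # still inside an open parenthesis (SOA)
        tokens, buf = buf.replace("(", " ").replace(")", " ").split(), ""
        if tokens[0].startswith("$"):
            continue  # $TTL carries no record
        if not inherit:
            owner = qualify(tokens.pop(0), origin)
        if tokens[0] == "IN":
            tokens.pop(0)
        records.append((owner, tokens[0], tokens[1:]))
    return records
def check_ns_glue(text, origin):
    """Errors named logs for in-zone NS targets without an A/AAAA record."""
    records, errors = parse_zone(text, origin), []
    with_addr = {o for o, t, _ in records if t in ("A", "AAAA")}
    for _, rtype, rdata in records:
        target = qualify(rdata[-1], origin)
        in_zone = target == origin or target.endswith("." + origin)
        if rtype == "NS" and in_zone and target not in with_addr:
            errors.append(f"zone {origin[:-1]}/IN: NS '{target[:-1]}' "
                          "has no address records (A or AAAA)")
    return errors

# Constructed sample: the page's zone, plus the two mistakes the text describes.
ZONE_OK = """$TTL 86400
@    IN SOA tom jerry ( 42 ; serial
        3H 15M 1W 1D )
     IN NS    ns.test.com.   ; trailing dot: a real FQDN
www  IN A     192.168.2.80
ns   IN A     192.168.2.90
"""
ZONE_NO_DOT = ZONE_OK.replace("ns.test.com.   ;", "ns.test.com    ;")
ZONE_APEX_NS = ZONE_OK.replace("NS    ns.test.com.", "NS    test.com.")
```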

 

The reverse zone file 2.168.192.in-addr.local is written in the same way as test.com.zone:

$TTL    86400
@       IN      SOA     ns.test.com. root (
                                      1997022700 ; Serial
                                      28800      ; Refresh
                                      14400      ; Retry
                                      3600000    ; Expire
                                      86400 )    ; Minimum
        IN      NS      ns.test.com.
80      IN      PTR     www.test.com.
70      IN      PTR     www.test.com.
80      IN      PTR     mail.test.com.
90      IN      PTR     ns.test.com.

After the configuration is done, change the nameserver address for the host in /etc/sysconfig/network-scripts/ifcfg-eth0:

DNS1=127.0.0.1    # if this is set to the LAN IP, the self-defined test.com and similar names cannot be resolved; reason unknown
DOMAIN=test.com   # default search domain: if the name being looked up is not a full domain name, the search domain is appended, e.g. ftp becomes ftp.test.com

Try running the following:

[root@Ivy-centos-32 ~]# /etc/init.d/named restart
Stopping named:                                            [  OK  ]
Starting named:                                            [  OK  ]
[root@Ivy-centos-32 ~]# nslookup www.test.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   www.test.com
Address: 192.168.2.80
Name:   www.test.com
Address: 192.168.2.70

[root@Ivy-centos-32 ~]# nslookup ftp.test.com
Server:         127.0.0.1
Address:        127.0.0.1#53

ftp.test.com    canonical name = www.test.com.
Name:   www.test.com
Address: 192.168.2.70
Name:   www.test.com
Address: 192.168.2.80

[root@Ivy-centos-32 ~]# nslookup 192.168.2.80
Server:         127.0.0.1
Address:        127.0.0.1#53

80.2.168.192.in-addr.arpa       name = www.test.com.
80.2.168.192.in-addr.arpa       name = mail.test.com.

[root@Ivy-centos-32 ~]# nslookup www.sina.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
www.sina.com    canonical name = us.sina.com.cn.
us.sina.com.cn  canonical name = news.sina.com.cn.
news.sina.com.cn        canonical name = jupiter.sina.com.cn.
jupiter.sina.com.cn     canonical name = auriga.sina.com.cn.
Name:   auriga.sina.com.cn
Address: 61.172.201.195
Name:   auriga.sina.com.cn
Address: 61.172.201.194

 

Change the nameserver address of the other machines in the subnet to this DNS server's subnet IP (for example 192.168.2.90), and Ivy-centos-32 will resolve names for them. If the DNS server cannot provide resolution for the subnet, the following error appears:

[root@lab-webserver ~]# nslookup www.baidu.com
;; connection timed out; trying next origin
;; connection timed out; no servers could be reached

Check that the listen-on and allow-query settings in /etc/named.conf are correct; if they are and it still does not work, the DNS server's firewall is probably the problem.

 

Files created or modified in /var/named are copied into /var/named/chroot/var/named; this is probably related to chroot and remains to be investigated.

[root@Ivy-centos-32 named]# pwd
/var/named
[root@Ivy-centos-32 named]# ls -p
2.168.192.in-addr.local  chroot/  data/  dynamic/  named.ca  named.ca.bk  named.empty  named.localhost  named.loopback  named.root  slaves/  test.com.zone

After running named, the contents of /var/named/chroot/var/named are as follows:

[root@Ivy-centos-32 named]# pwd
/var/named/chroot/var/named
[root@Ivy-centos-32 named]# ls -p
2.168.192.in-addr.local  chroot/  data/  dynamic/  named.ca  named.ca.bk  named.empty  named.localhost  named.loopback  named.root  slaves/  test.com.zone

 

3. bind view

Verifying BIND view-based "intelligent" DNS resolution, i.e. answering queries from different IP address ranges with different DNS records.

Here we assume 127.0.0.1 and 192.168.2.80 are Telecom IPs, 192.168.2.245 is a Unicom IP, and all other IPs belong to Others. In the three files Telecom.test.com.zone, Unicom.test.com.zone and Others.test.com.zone, www.test.com is resolved to a different address: Telecom 88.88.88.88, Unicom 99.99.99.99, Others 77.77.77.77. The configuration method is the same as above.

Modify /etc/named.conf; since all zones must be defined inside view statements once views are used, make the following additions and changes:

acl Telecomacl {
        127.0.0.1;
        192.168.2.80;
};

acl Unicomacl {
        192.168.2.245;
};

acl Othersacl {
        any;
};

view "Telecom" {
        match-clients {"Telecomacl";};
        zone "test.com" IN {
                type master;
                file "Telecom.test.com.zone";
        };
        zone "." IN {
                type hint;
                file "named.ca";
        };
include "/etc/named.rfc1912.zones";
};

view "Unicom" {
        match-clients {"Unicomacl";};
        zone "test.com" IN {
                type master;
                file "Unicom.test.com.zone";
        };
        zone "." IN {
                type hint;
                file "named.ca";
        };
include "/etc/named.rfc1912.zones";
};

view "Others" {
        match-clients {"Othersacl";};
        zone "test.com" IN {
                type master;
                file "Others.test.com.zone";
        };
        zone "." IN {
                type hint;
                file "named.ca";
        };
include "/etc/named.rfc1912.zones";
};
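How named picks a view for a client, as an added example rather than code from the original post: the acl and view statements above are mirrored in Python, views are tried in declaration order and the first match-clients hit wins, so declaring the catch-all Others view first would shadow the other two.

```python
import ipaddress

# Constructed mirror of the acl and view statements in the named.conf above.
ACLS = {
    "Telecomacl": ["127.0.0.1", "192.168.2.80"],
    "Unicomacl": ["192.168.2.245"],
    "Othersacl": ["any"],
}
# Views in declaration order with the www.test.com answer each zone file gives.
VIEWS = [
    ("Telecom", "Telecomacl", {"www.test.com.": "88.88.88.88"}),
    ("Unicom", "Unicomacl", {"www.test.com.": "99.99.99.99"}),
    ("Others", "Othersacl", {"www.test.com.": "77.77.77.77"}),
]

def acl_matches(acl_name, client_ip, acls=ACLS):
    """True if the query's source address matches an element of the ACL
    (a single address, a prefix such as 192.168.2.0/24, or 'any')."""
    ip = ipaddress.ip_address(client_ip)
    for element in acls[acl_name]:
        if element == "any" or ip in ipaddress.ip_network(element, strict=False):
            return True
    return False

def select_view(client_ip, views=VIEWS, acls=ACLS):
    """named tests views in configuration order and uses the first whose
    match-clients accepts the source address; with no match it refuses."""
    for name, acl_name, _ in views:
        if acl_matches(acl_name, client_ip, acls):
            return name
    return None

def resolve(client_ip, qname, views=VIEWS, acls=ACLS):
    """Answer qname from the zone data of the view selected for client_ip."""
    view = select_view(client_ip, views, acls)
    if view is None:
        return None, None
    zone = next(z for n, _, z in views if n == view)
    return view, zone.get(qname)

# Declaring the catch-all 'Others' view first would shadow the other two.
VIEWS_OTHERS_FIRST = [VIEWS[2], VIEWS[0], VIEWS[1]]
```

Matching is done on the source address of the query, so a client behind a shared recursive resolver is classified by that resolver's address, not its own.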

The test results are as follows:

server-80

[root@80-server ~]# nslookup www.test.com
Server:         192.168.2.90
Address:        192.168.2.90#53

Name:   www.test.com
Address: 88.88.88.88
Name:   www.test.com
Address: 192.168.2.70

server-245

[root@245-server ~]# nslookup www.test.com
Server:         192.168.2.90
Address:        192.168.2.90#53

Name:   www.test.com
Address: 99.99.99.99
Name:   www.test.com
Address: 192.168.2.70

server-70

[root@70-server ~]# nslookup www.test.com
Server:         192.168.2.90
Address:        192.168.2.90#53

Name:   www.test.com
Address: 77.77.77.77
Name:   www.test.com
Address: 192.168.2.70

4. Clearing the DNS cache

To clear the DNS cache on the BIND server, use the following command:

[root@Ivy-centos-32 ~]# rndc flush

 
