1. Notice
- Version information:
The latest version of this document is posted in the Debian distribution forum at LinuxSir.Org.
- Feedback:
Send all comments, bug reports, other information and criticism to etony@tom.com, or post them in the Debian distribution forum at LinuxSir.Org.
- Copyright:
This document is copyright (c) 2006-2007 etony C.F.AN. When reproducing it, please credit the source as http://debian.linuxsir.org/.
2. DNS basics
2.1 What DNS is
2.2 The structure of DNS
Category   Meaning
edu        educational and academic institutions
org        organizations
net        network and communication providers
com        commercial enterprises
gov        government agencies
mil        military units
2.3 How a DNS query works
* the DNS domain name being asked about, given as a fully qualified domain name (FQDN);
* the query type, which selects a resource record type or a special query operation;
* the class of the DNS domain name.
* A name query starts on the client computer and is handed to the resolver, the DNS client service, for resolution.
* When the query cannot be resolved locally, the resolver queries a DNS server as needed to resolve the name.
2.4 General rules for Internet domain names
A domain name may only contain the following characters:
1. the 26 letters of the English alphabet
2. the ten digits 0 through 9
3. the hyphen "-"
Rules for combining characters in a domain name:
1. letters in a domain name are not case sensitive
2. the length of a domain name is limited
2.5 Common standard resource records
- SOA (Start Of Authority): marks the beginning of a zone of authority.
- A (Address): maps a host name to an address. The field holds an IPv4 address in dotted-decimal form. Any given host should have only one A record, because this record is treated as authoritative; any additional names or address mappings for the host must be given as CNAME records.
- CNAME (Canonical NAME): gives an alias for a host; the alias refers to the host named in its A record.
- MX (Mail eXchanger): creates a mail exchanger record. An MX record tells the mail transfer process to hand the mail to another system that knows how to deliver it to its final destination.
- NS (Name Server): identifies the name server for a domain. The data field of an NS record holds the DNS name of that name server, and an A record matching that name must also exist.
- PTR (domain name PoinTeR): maps an address back to a host name. The host name must be the canonical host name.
3. Installing and configuring BIND9
3.1 About bind
BIND consists of:
- the name server (named)
- the DNS resolver library
- tools for running and debugging a DNS server
Version history:
- v4: In 1998 most UNIX systems bundled BIND4. It has since been dropped by most vendors, except OpenBSD, which still uses it: the OpenBSD core team considered BIND8 too complex and insecure and kept BIND4, so many of the improvements in BIND8/9 are absent from v4.
- v8: the most widely used version today; for details see "BIND 8+ name server security enhancements".
- v9: the newest version of BIND, completely rewritten, free (but funded by commercial companies), with many new features (and possibly more security problems). BIND9 was released in October 2000; the current stable version is 9.3.2.
3.2 Related software resources
3.3 Test environment
Environment: GNU/Linux Debian/testing, Linux 2.6.8-2-386
Version: bind9 9.3.2-2
Test domain: mydebian.org
Test IPs: 192.168.102.47  primary (master) name server
          192.168.102.48  caching-only name server
          192.168.102.49  secondary (slave) name server
          192.168.102.49  test client
3.4 Configuration files
~# aptitude update
~# aptitude install bind9 bind9-host dnsutils
# ls /etc/bind/ -l
total 44
-rw-r--r-- 1 root root 237 Jan 16 2006 db.0
-rw-r--r-- 1 root root 271 Jan 16 2006 db.127
-rw-r--r-- 1 root root 237 Jan 16 2006 db.255
-rw-r--r-- 1 root root 353 Jan 16 2006 db.empty
-rw-r--r-- 1 root root 256 Jan 16 2006 db.local
-rw-r--r-- 1 root root 1507 Jan 16 2006 db.root
-rw-r--r-- 1 root bind 1611 Jan 16 2006 named.conf
-rw-r--r-- 1 root bind 165 Jan 16 2006 named.conf.local
-rw-r--r-- 1 root bind 672 Jan 16 2006 named.conf.options
-rw-r----- 1 bind bind 77 Aug 4 08:41 rndc.key
-rw-r--r-- 1 root root 1317 Jan 16 2006 zones.rfc1918
- named.conf: sets the general named parameters and points to the sources of the zone data this server uses
- named.conf.options: global options
- db.root: the root hints file, created and maintained by the Internet NIC; it needs no editing but should be refreshed periodically
- db.local: forward zone file for localhost, mapping the name localhost to the loopback address (127.0.0.1)
- db.127: reverse zone file for localhost, mapping the loopback address (127.0.0.1) back to the name localhost
Statement      Purpose
acl            defines an access control list of IP addresses
controls       defines the control channel used by ndc
include        includes another file in the configuration
key            defines an authentication key
logging        defines what is logged and where it is written
options        defines global configuration options and defaults
server         defines the characteristics of a remote server
trusted-keys   defines DNSSEC trust keys for the server
zone           defines a zone
include "/etc/bind/named.conf.options";
zone "." {
type hint;
file "/etc/bind/db.root";
};
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
include "/etc/bind/named.conf.local";
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you might need to uncomment the query-source
// directive below. Previous versions of BIND always asked
// questions using port 53, but BIND 8.1 and later use an unprivileged
// port by default.
// query-source address * port 53;
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
auth-nxdomain no; # conform to RFC1035
};
3.5 Creating the primary (master) name server
zone "mydebian.org" {
type master; // this server is the master for the zone
file "/etc/bind/db.mydebian"; // location of the zone data file
};
zone "102.168.192.in-addr.arpa" {
type master; // this server is the master for the zone
file "/etc/bind/db.192"; // location of the zone data file
};
;
; BIND zone data file for mydebian.org (/etc/bind/db.mydebian)
;
$TTL 604800
$ORIGIN mydebian.org.
@ IN SOA mydebian.org. root.mydebian.org. (
2006080401 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
IN NS ns
IN MX 0 mail.mydebian.org.
@ IN A 192.168.102.47
ns IN A 192.168.102.47
www IN A 192.168.102.47
webserver IN CNAME www
mail IN A 192.168.102.47
ftp IN A 192.168.102.48
ns2 IN A 192.168.102.48
ns3 IN A 192.168.102.49
;
; BIND reverse zone data file for 192.168.102.0/24 (/etc/bind/db.192)
;
$TTL 604800
@ IN SOA mydebian.org. root.mydebian.org. (
2006080401 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS mydebian.org.
47 IN PTR mail.mydebian.org.
47 IN PTR www.mydebian.org.
47 IN PTR ns.mydebian.org.
48 IN PTR ftp.mydebian.org.
48 IN PTR ns2.mydebian.org.
49 IN PTR ns3.mydebian.org.
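The following Python script is an added example, not part of the original article: it parses the forward zone from section 3.5 (a constructed copy of the records above, SOA omitted), derives the in-addr.arpa PTR records that db.192 has to carry, and checks the rule from section 2.5 that every NS and MX target has a matching A record.

```python
# Constructed copy of the section 3.5 forward zone (SOA omitted), used as input.
FORWARD_ZONE = """\
$ORIGIN mydebian.org.
@         IN NS    ns
          IN MX 0  mail.mydebian.org.
@         IN A     192.168.102.47
ns        IN A     192.168.102.47
www       IN A     192.168.102.47
mail      IN A     192.168.102.47
ftp       IN A     192.168.102.48
ns2       IN A     192.168.102.48
ns3       IN A     192.168.102.49
"""

def absolute(name, origin):
    """Make a zone-file name fully qualified, as BIND does with $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text):
    """Return (owner, type, rdata) tuples with names absolute; an indented line inherits the previous owner."""
    origin, owner, records = ".", "@", []
    for raw in text.splitlines():
        fields = raw.split(";")[0].split()     # drop comments, tokenize
        if not fields:
            continue
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if not raw[0].isspace():               # explicit owner on this line
            owner, fields = fields[0], fields[1:]
        if fields[0] == "IN":                  # the class is optional
            fields = fields[1:]
        rtype, rdata = fields[0], fields[1:]
        if rtype in ("NS", "MX", "CNAME"):     # last field is a domain name
            rdata[-1] = absolute(rdata[-1], origin)
        records.append((absolute(owner, origin), rtype, " ".join(rdata)))
    return records

def reverse_records(records):
    """The in-addr.arpa PTR record for every A record (what db.192 holds)."""
    return [(".".join(reversed(ip.split("."))) + ".in-addr.arpa.", "PTR", owner)
            for owner, rtype, ip in records if rtype == "A"]

def dangling_targets(records):
    """NS/MX targets that have no A record in the zone (the rule in section 2.5)."""
    have_a = {owner for owner, rtype, _ in records if rtype == "A"}
    return [(owner, rtype, rdata.split()[-1]) for owner, rtype, rdata in records
            if rtype in ("NS", "MX") and rdata.split()[-1] not in have_a]
```

Running it against the zone above yields one PTR per A record (several for 192.168.102.47, as in the dig -x output further down) and an empty list of dangling targets.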
/etc/init.d/bind9 restart
tonybox:~# tail /var/log/syslog
Aug 14 08:36:45 localhost named[2792]: zone 127.in-addr.arpa/IN: loaded serial 1
Aug 14 08:36:45 localhost named[2792]: zone 102.168.192.in-addr.arpa/IN: loaded serial 2006080801
Aug 14 08:36:45 localhost named[2792]: zone 255.in-addr.arpa/IN: loaded serial 1
Aug 14 08:36:45 localhost named[2792]: zone localhost/IN: loaded serial 1
Aug 14 08:36:45 localhost named[2792]: zone mydebian.org/IN: loaded serial 2006080801
Aug 14 08:36:45 localhost named[2792]: running
Aug 14 08:36:45 localhost named[2792]: zone mydebian.org/IN: sending notifies (serial 2006080801)
Aug 14 08:36:45 localhost named[2792]: zone 102.168.192.in-addr.arpa/IN: sending notifies (serial 2006080801)
Aug 14 08:36:45 localhost named[2792]: client 192.168.102.47#1030: received notify for zone 'mydebian.org'
Aug 14 08:36:45 localhost named[2792]: client 192.168.102.47#1030: received notify for zone '102.168.192.in-addr.arpa'
# cat /etc/resolv.conf
search mydebian.org
nameserver 192.168.102.47
tonybox2:~# nslookup
> set type=any
> mydebian.org
Server: 192.168.102.47
Address: 192.168.102.47#53
mydebian.org
origin = mydebian.org
mail addr = root.mydebian.org
serial = 2006080801
refresh = 604800
retry = 86400
expire = 2419200
minimum = 604800
mydebian.org nameserver = ns.mydebian.org.
mydebian.org mail exchanger = 0 mail.mydebian.org.
Name: mydebian.org
Address: 192.168.102.47
tonybox2:~# dig @192.168.102.47 mydebian.org
; <<>> DiG 9.3.2 <<>> @192.168.102.47 mydebian.org
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41793
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;mydebian.org. IN A
;; ANSWER SECTION:
mydebian.org. 604800 IN A 192.168.102.47
;; AUTHORITY SECTION:
mydebian.org. 604800 IN NS ns.mydebian.org.
;; ADDITIONAL SECTION:
ns.mydebian.org. 604800 IN A 192.168.102.47
;; Query time: 31 msec
;; SERVER: 192.168.102.47#53(192.168.102.47)
;; WHEN: Mon Aug 14 09:16:27 2006
;; MSG SIZE rcvd: 79
tonybox2:~# dig @192.168.102.47 ftp.mydebian.org
; <<>> DiG 9.3.2 <<>> @192.168.102.47 ftp.mydebian.org
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63890
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;ftp.mydebian.org. IN A
;; ANSWER SECTION:
ftp.mydebian.org. 604800 IN A 192.168.102.48
;; AUTHORITY SECTION:
mydebian.org. 604800 IN NS ns.mydebian.org.
;; ADDITIONAL SECTION:
ns.mydebian.org. 604800 IN A 192.168.102.47
;; Query time: 22 msec
;; SERVER: 192.168.102.47#53(192.168.102.47)
;; WHEN: Mon Aug 14 09:16:41 2006
;; MSG SIZE rcvd: 83
tonybox2:~# dig @192.168.102.47 -x 192.168.102.47
; <<>> DiG 9.3.2 <<>> @192.168.102.47 -x 192.168.102.47
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21885
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;47.102.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
47.102.168.192.in-addr.arpa. 604800 IN PTR www.mydebian.org.
47.102.168.192.in-addr.arpa. 604800 IN PTR mail.mydebian.org.
47.102.168.192.in-addr.arpa. 604800 IN PTR mydebian.org.
;; AUTHORITY SECTION:
102.168.192.in-addr.arpa. 604800 IN NS mydebian.org.
;; ADDITIONAL SECTION:
mydebian.org. 604800 IN A 192.168.102.47
;; Query time: 33 msec
;; SERVER: 192.168.102.47#53(192.168.102.47)
;; WHEN: Mon Aug 14 09:17:00 2006
;; MSG SIZE rcvd: 138
3.6 Caching-only name server
tonybox2:/etc/bind# dig @192.168.102.48 www.mydebian.org
; <<>> DiG 9.3.2 <<>> @192.168.102.48 www.mydebian.org
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34137
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.mydebian.org. IN A
;; Query time: 1844 msec
;; SERVER: 192.168.102.48#53(192.168.102.48)
;; WHEN: Tue Aug 8 12:05:17 2006
;; MSG SIZE rcvd: 34
tonybox2:/etc/bind# cat named.conf.options
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you might need to uncomment the query-source
// directive below. Previous versions of BIND always asked
// questions using port 53, but BIND 8.1 and later use an unprivileged
// port by default.
// query-source address * port 53;
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders {
192.168.102.47; // IP address of the primary name server
};
auth-nxdomain no; # conform to RFC1035
};
tonybox2:/etc/bind# dig @192.168.102.48 www.mydebian.org
; <<>> DiG 9.3.2 <<>> @192.168.102.48 www.mydebian.org
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54332
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.mydebian.org. IN A
;; ANSWER SECTION:
www.mydebian.org. 604800 IN A 192.168.102.47
;; AUTHORITY SECTION:
mydebian.org. 604800 IN NS mydebian.org.
;; ADDITIONAL SECTION:
mydebian.org. 604800 IN A 192.168.102.47
;; Query time: 44 msec
;; SERVER: 192.168.102.48#53(192.168.102.48)
;; WHEN: Tue Aug 8 12:05:47 2006
;; MSG SIZE rcvd: 80
/var/named/named.ca
dig @a.root-servers.net . ns > /var/named/named.ca
3.7 Secondary (slave) name server
zone "mydebian.org" {
type slave;
file "/etc/bind/slaves/db.mydebian";
masters {192.168.102.47;};
};
zone "102.168.192.in-addr.arpa" {
type slave;
file "/etc/bind/slaves/db.192";
masters {192.168.102.47;};
};
masters {ip1;ip2;ip3;};
tonybox2:/etc/bind# mkdir slaves
tonybox2:/etc/bind# chown bind.bind slaves
tonybox2:/etc/bind/slaves# /etc/init.d/bind9 restart
tonybox2:/etc/bind/slaves# ls -l
total 8
-rw-r--r-- 1 bind bind 410 2006-08-08 12:23 db.192
-rw-r--r-- 1 bind bind 430 2006-08-08 12:23 db.mydebian
tonybox:~# tail /var/log/syslog
Aug 8 12:30:09 tonybox2 named[3849]: zone mydebian.org/IN: Transfer started.
Aug 8 12:30:09 tonybox2 named[3849]: transfer of 'mydebian.org/IN' from 192.168.102.47#53: connected using 192.168.102.15#1075
Aug 8 12:30:09 tonybox2 named[3849]: dumping master file: /etc/bind/tmp-VHTxU6CT5n: open: permission denied
Aug 8 12:30:09 tonybox2 named[3849]: transfer of 'mydebian.org/IN' from 192.168.102.47#53: failed while receiving responses: permission denied
Aug 8 12:30:09 tonybox2 named[3849]: transfer of 'mydebian.org/IN' from 192.168.102.47#53: end of transfer
Aug 8 12:30:10 tonybox2 named[3849]: zone 102.168.192.in-addr.arpa/IN: Transfer started.
Aug 8 12:30:10 tonybox2 named[3849]: transfer of '102.168.192.in-addr.arpa/IN' from 192.168.102.47#53: connected using 192.168.102.15#1076
Aug 8 12:30:10 tonybox2 named[3849]: dumping master file: /etc/bind/tmp-dxbiD1JtTK: open: permission denied
Aug 8 12:30:10 tonybox2 named[3849]: transfer of '102.168.192.in-addr.arpa/IN' from 192.168.102.47#53: failed while receiving responses: permission denied
Aug 8 12:30:10 tonybox2 named[3849]: transfer of '102.168.192.in-addr.arpa/IN' from 192.168.102.47#53: end of transfer
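The following Python script is an added example, not part of the original article: it reads named syslog lines like the ones above and reports, per zone, whether the last zone transfer succeeded or failed and why, which is what a monitor on the secondary should alert on. The input is a constructed copy of the lines above plus one constructed "transferred serial" line so that a successful transfer is also represented.

```python
import re
from collections import defaultdict

# Constructed sample: the secondary's syslog lines from section 3.7, plus a
# constructed successful transfer ("transferred serial") for the reverse zone.
LOG = """\
Aug  8 12:30:09 tonybox2 named[3849]: zone mydebian.org/IN: Transfer started.
Aug  8 12:30:09 tonybox2 named[3849]: transfer of 'mydebian.org/IN' from 192.168.102.47#53: connected using 192.168.102.15#1075
Aug  8 12:30:09 tonybox2 named[3849]: dumping master file: /etc/bind/tmp-VHTxU6CT5n: open: permission denied
Aug  8 12:30:09 tonybox2 named[3849]: transfer of 'mydebian.org/IN' from 192.168.102.47#53: failed while receiving responses: permission denied
Aug  8 12:30:09 tonybox2 named[3849]: transfer of 'mydebian.org/IN' from 192.168.102.47#53: end of transfer
Aug  8 12:31:00 tonybox2 named[3849]: zone 102.168.192.in-addr.arpa/IN: Transfer started.
Aug  8 12:31:00 tonybox2 named[3849]: transfer of '102.168.192.in-addr.arpa/IN' from 192.168.102.47#53: connected using 192.168.102.15#1076
Aug  8 12:31:00 tonybox2 named[3849]: zone 102.168.192.in-addr.arpa/IN: transferred serial 2006080801
Aug  8 12:31:00 tonybox2 named[3849]: transfer of '102.168.192.in-addr.arpa/IN' from 192.168.102.47#53: end of transfer
"""

MSG = re.compile(r"named\[\d+\]: (?P<msg>.*)$")
STARTED = re.compile(r"zone (?P<zone>\S+): Transfer started\.")
DONE = re.compile(r"zone (?P<zone>\S+): transferred serial (?P<serial>\d+)")
TRANSFER = re.compile(r"transfer of '(?P<zone>\S+)' from (?P<master>\S+): (?P<rest>.*)")

def transfer_report(log_text):
    """Outcome of the most recent zone transfer per zone: started, ok,
    failed (with the reason named gave) or incomplete."""
    zones = defaultdict(dict)
    for line in log_text.splitlines():
        m = MSG.search(line)
        if not m:
            continue                           # not a named message
        msg = m.group("msg")
        started, done, xfer = STARTED.match(msg), DONE.match(msg), TRANSFER.match(msg)
        if started:
            zones[started["zone"]] = {"status": "started"}
        elif done:
            zones[done["zone"]].update(status="ok", serial=int(done["serial"]))
        elif xfer:
            z = zones[xfer["zone"]]
            z["master"] = xfer["master"]
            if xfer["rest"].startswith("failed"):
                z["status"] = "failed"
                z["reason"] = xfer["rest"].split(": ", 1)[-1]
            elif xfer["rest"] == "end of transfer" and z.get("status") == "started":
                z["status"] = "incomplete"     # ended with neither a serial nor an error
    return dict(zones)

def failed_zones(log_text):
    """Zones whose last transfer did not succeed; what a monitor should alert on."""
    return sorted(zone for zone, info in transfer_report(log_text).items()
                  if info.get("status") != "ok")
```

For the sample above it flags mydebian.org/IN with the reason "permission denied": named could not write its temporary file under /etc/bind, which is the problem the slaves directory owned by bind fixes.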
4. Security settings
4.1 Version information
Add to named.conf.options: version "None of your business";
When someone probes the version of our DNS server, what they get back is "None of your business" :)
4.2 Listening addresses
Add to named.conf.options: listen-on { 192.168.102.47; };
If the DNS service runs on a server with several network interfaces, by default it listens on all of them; this option tells it to listen only on the specified interface.
4.3 Access control lists
First define the access control lists. Add the following at the very top of /etc/bind/named.conf: include "/etc/bind/named.conf.acls";
Create /etc/bind/named.conf.acls with the following content:
acl denied {
192.168.0.0/24;
};
acl intra-net {
192.168.102.0/24;
};
acl slave {
192.168.102.49;
};
To stop the 192.168.0.0/24 network from using the DNS server, add inside the options block of named.conf.options: blackhole { denied; };
To allow only the 192.168.102.0/24 network to use the DNS server, add inside the options block of named.conf.options: allow-query { intra-net; };
To restrict only a particular zone, the blackhole/allow-query directives can instead be placed in the corresponding zone in named.conf, for example:
zone "mydebian.org" {
type master;
file "/etc/bind/db.mydebian";
allow-query { intra-net; };
};
4.4 Transfer control
Use the allow-transfer directive to set the IP addresses of the secondary name servers that are allowed to pull zone data from the primary, for example: allow-transfer { slave; };
Depending on your needs it can be added to the corresponding zone in /etc/bind/named.conf to restrict a single zone, or to /etc/bind/named.conf.options to restrict all zones.
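The following Python script is an added example, not part of the original article: it audits a named.conf fragment for the four settings of section 4 (version hidden, listen-on bound, allow-query in options, allow-transfer on every master zone). The input is a constructed configuration built from the ACLs and zones of this document, with allow-transfer deliberately left out of the reverse zone so that the check has something to report.

```python
import re

# Constructed input: the ACLs of section 4.3 together with an options block and
# two master zones; the reverse zone deliberately leaves allow-transfer unset.
NAMED_CONF = """\
acl denied { 192.168.0.0/24; };
acl intra-net { 192.168.102.0/24; };
acl slave { 192.168.102.49; };
options {
    version "None of your business";
    listen-on { 192.168.102.47; };
    blackhole { denied; };
    allow-query { intra-net; };
};
zone "mydebian.org" {
    type master;
    allow-transfer { slave; };
};
zone "102.168.192.in-addr.arpa" {
    type master;
};
"""

def blocks(text, keyword):
    """Yield (name, body) for every `keyword [name] { ... }` statement."""
    for m in re.finditer(r'\b' + keyword + r'\s*("?)([\w.\-]*)\1\s*\{', text):
        depth, i = 1, m.end()
        while depth:                           # walk to the matching brace
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(2), text[m.end():i - 1]

def has_setting(body, name):
    return re.search(r'\b' + name + r'\s*[{"]', body) is not None

def audit(text):
    """Section 4 checks: version hidden, listen-on bound, queries restricted in options, transfers restricted per master zone."""
    findings = []
    options = next((body for _, body in blocks(text, "options")), "")
    for setting, why in (("version", "server version is disclosed"),
                         ("listen-on", "named listens on every interface"),
                         ("allow-query", "any client may query")):
        if not has_setting(options, setting):
            findings.append(f"options: {setting} unset, {why}")
    for zone, body in blocks(text, "zone"):
        if "type master" in body and not (has_setting(body, "allow-transfer")
                                           or has_setting(options, "allow-transfer")):
            findings.append(f"zone {zone}: allow-transfer unset, any host may fetch the whole zone")
    return findings
```

Run the checks against the real /etc/bind/named.conf, named.conf.options and named.conf.local concatenated; a zone-level allow-transfer or one in options both satisfy the transfer check.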