一、环境准备

1、CentOS7最小化安装后使用yum完成以下软件安装。

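# Build and runtime prerequisites for compiling BIND 9 from source on a
# minimal CentOS 7 install. Every call is non-interactive (-y). The package
# globs (gcc*, libxml*, libcap*) are single-quoted so the shell cannot expand
# them against files in the current directory before yum sees them.
yum -y install net-tools
yum -y install iptables-services
yum -y install vim
yum -y install 'gcc*'
yum -y install tcpdump
yum -y install cmake
yum -y install bind-utils   # provides dig, used later to build named.ca
yum -y install zlib-devel bzip2-devel openssl-devel ncurses-devel sqlite-devel readline-devel tk-devel gdbm-devel db4-devel libpcap-devel xz-devel
yum -y install libffi-devel # (duplicate trailing -y removed)
yum -y install 'libxml*'
yum -y install git
yum -y install wget
yum -y install libtool
# Needed for Linux capabilities support; without it configure fails with
# "sys/capability.h header is required ...".
yum -y install 'libcap*'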

2、在 https://www.isc.org/download/ 下载最新 stable 版本的 bind,本文以 bind-9.17.22.tar.xz 为例(注意:9.17 属于开发分支,生产环境应选择 ISC 标记为 stable/ESV 的版本)。下载后先核对 ISC 发布的校验和或 PGP 签名,再将软件传到 /usr/src 目录下。

3、执行 pip install ply 安装 ply,安装前要确保 setuptools 和 pip 已经安装,如果未安装则需要单独安装。如果不安装 ply 模块,bind 在 configure 阶段会报错如下:

configure: error: Python >= 2.7 or >= 3.2 and the PLY package are required for dnssec-keymgr and other Python-based tools. 
PLY may be available from your OS package manager as python-ply or python3-ply; it can also be installed via

4、执行以下命令安装 libuv。新版本的 bind 要求 libuv >= 1.x.x。

yum install -y epel-release

yum install libuv*

如果不安装libuv则在bind编译时会报错如下:

checking for libuv... checking for libuv >= 1.0.0... no
configure: error: libuv not found

5、执行以下命令安装 libnghttp2(DoH 支持需要它):

yum install libnghttp2*

如果不安装libnghttp2,则编译bind时会报错如下:

checking for libnghttp2 >= 1.6.0... no
configure: error: DoH requested, but libnghttp2 not found

6、如果 bind 编译过程中出现以下报错,说明 libcap(含 sys/capability.h 头文件)没有安装,请用 yum 安装 libcap:

yum install libcap*

configure: error: sys/capability.h header is required for Linux capabilities support. Either install libcap or use --disable-linux-caps.
二、bind安装

1、解压

[root@DNS-XUEXI-xuexiji ~]# cd /usr/src/
[root@dns-xuexi-xuexiji src]# tar -xvf bind-9.17.22.tar.xz

2、安装

[root@dns-xuexi-xuexiji src]# cd bind-9.17.22/
[root@dns-xuexi-xuexiji bind-9.17.22]# ./configure --prefix=/usr/local/bind9
[root@dns-xuexi-xuexiji bind-9.17.22]# make -j5 && make install
--prefix=/opt/data/bind9:指定编译后安装文件的存放路径(本文实际使用的是 --prefix=/usr/local/bind9)
--sysconfdir=/etc/named:指定配置文件存放路径(本文未指定该参数,配置文件默认放在 /usr/local/bind9/etc 下)
注:--enable-threads(enable multithreading)参数在 9.14 及后续版本中已不再单独设置,9.11 之前需要指定。9.14 版本开始默认使用了 SO_REUSEPORT 特性(后期文档详细介绍)


三、bind初始化配置

编译安装的 named 不会自动创建运行用户,所以需要先手动创建一个系统用户(加 -r 参数,系统用户不会创建家目录):

1、先创建用户组:

[root@DNS-XUEXI-xuexiji ~]# groupadd -g 53 -r named
[root@DNS-XUEXI-xuexiji ~]# useradd -g named -r named

2、先创建 named 的工作目录,然后生成 named.ca 这个文件:

[root@DNS-XUEXI-xuexiji ~]# mkdir /usr/local/bind9/var/named

3、这里 @ 后面的 IP 是能访问互联网的 DNS 服务器,生成的数据保存到 /usr/local/bind9/var/named/named.ca 中(dig 命令由"yum -y install bind-utils"安装)。注意这个目录要与后面 named.conf 中 options 的 directory 参数一致,否则 named 找不到 named.ca;另外 named.ca 的权威来源是 https://www.internic.net/domain/named.root,从公共递归服务器 dig 得到的结果应与之核对并定期更新。

[root@DNS-XUEXI-xuexiji ~]# dig -t NS . @8.8.8.8 > /usr/local/bind9/var/named/named.ca   ////这一步很关键,一定要保证能解析,否则无法forward转发那些NS(223.5.5.5或者8.8.8.8等)的解析,比如最后无法ping通www.baidu.com
[root@DNS-XUEXI-xuexiji ~]# cat /var/named/named.ca ////确保named.ca文件里有"...IN NS"解析记录
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.8 <<>> -t NS . @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12348
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;. IN NS

;; ANSWER SECTION:
. 49439 IN NS m.root-servers.net.
. 49439 IN NS b.root-servers.net.
. 49439 IN NS c.root-servers.net.
. 49439 IN NS d.root-servers.net.
. 49439 IN NS e.root-servers.net.
. 49439 IN NS f.root-servers.net.
. 49439 IN NS g.root-servers.net.
. 49439 IN NS h.root-servers.net.
. 49439 IN NS a.root-servers.net.
. 49439 IN NS i.root-servers.net.
. 49439 IN NS j.root-servers.net.
. 49439 IN NS k.root-servers.net.
. 49439 IN NS l.root-servers.net.

;; Query time: 66 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: 二 2月 22 15:18:24 CST 2022
;; MSG SIZE rcvd: 239

4、rndc 是一个远程管理 bind 的工具,通过它可以在本地或远程了解当前服务器的运行状况,也可以对服务器进行关闭、重载、刷新缓存、增加/删除 zone 等操作(后期文档详细介绍)。rndc.conf 中包含控制通道的密钥,生成后应只允许 root/named 读取(例如 chmod 640)。

[root@DNS-XUEXI-xuexiji ~]# /usr/local/bind9/sbin/rndc-confgen >  /usr/local/bind9/etc/rndc.conf
[root@DNS-XUEXI-xuexiji ~]# more /usr/local/bind9/etc/rndc.conf
# Start of rndc.conf
key "rndc-key" {
algorithm hmac-sha256;
secret "cXFW/OVHdGXhA/88/hdyjXgR4Yu8mVCzt5d591dp91c=";
};

options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# algorithm hmac-sha256;
# secret "cXFW/OVHdGXhA/88/hdyjXgR4Yu8mVCzt5d591dp91c=";
# };
#
# controls {
# inet 127.0.0.1 port 953
# allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
--------------------------------------------------------------------
[root@DNS-XUEXI-xuexiji etc]# cd /usr/local/bind9/etc/
[root@DNS-XUEXI-xuexiji etc]# tail -10 rndc.conf | head -9 | sed s/#\ //g > named.conf
[root@DNS-XUEXI-xuexiji etc]# more named.conf
key "rndc-key" {
algorithm hmac-sha256;
secret "cXFW/OVHdGXhA/88/hdyjXgR4Yu8mVCzt5d591dp91c=";
};

controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};

4、然后再去编辑 /usr/local/bind9/etc/named.conf(即上一步由 rndc.conf 生成、后面 named 启动时用 -c 指定的文件),在当前文件的最后增加全局 options 配置如下:

[root@DNS-XUEXI-xuexiji ~]# vim /etc/named/named.conf
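// named.conf for a caching/forwarding resolver that is also authoritative for
// the internal zones below. Validate with named-checkconf before starting
// named: a single syntax error (such as a missing "};") makes named refuse the
// whole file.

// Key used by rndc to authenticate to the control channel. The secret is the
// one emitted by rndc-confgen on this host and must be identical to the
// "secret" in rndc.conf; keep this file unreadable to other users.
key "rndc-key" {
    algorithm hmac-sha256;
    secret "DQoZGxai0+VCE9RKnFnAekSBCEDhXb11NVZef0tDOTM=";
};

// Control channel: loopback only, and only clients presenting rndc-key.
controls {
    inet 127.0.0.1 port 953
    allow { 127.0.0.1; } keys { "rndc-key"; };
};

options {
    // Default is "any" (every interface). Narrow this to the internal
    // address(es) if the host also has an Internet-facing interface.
    listen-on port 53 { any; };
    listen-on-v6 port 53 { ::1; };
    // Working directory. Relative "file" paths below (named.ca, zone files,
    // data/named.run) are resolved against it, so named.ca must be placed
    // here and the directory must be readable by the named user.
    directory "/var/named";
    // The "data" subdirectory must exist and be writable by the named user.
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    // Accept queries from every source. Together with "recursion yes" and
    // listen-on { any; } this is an open recursive resolver if the host is
    // reachable from the Internet. Restrict recursion to the networks this
    // server is meant to serve, e.g. (example only, adjust to your subnets):
    // allow-recursion { localhost; 192.168.0.0/16; };
    allow-query { any; };
    recursion yes;
    // Forward first: names this server is not authoritative for are sent to
    // the forwarders below; only if they fail does named resolve them itself
    // via the root hints. This is what lets clients pointing at this server
    // still reach external names.
    forward first;
    forwarders {
        223.5.5.5; // Alibaba Cloud public DNS
        223.6.6.6;
        8.8.8.8;   // Google public DNS
        8.8.4.4;
    };
};

logging {
    channel default_debug {
        file "data/named.run"; // relative to "directory"
        severity dynamic;
    };
};

// Root hints (the file generated with dig earlier); used when named has to
// resolve iteratively instead of forwarding.
zone "." {
    type hint;
    file "named.ca";
};

// Forward zone for the internal domain suffix. Class IN may be written after
// the zone name or omitted.
zone "wangshibo.cn" {
    type master; // this server holds the primary copy
    file "wangshibo.cn_zone"; // forward (name -> address) zone file
    allow-transfer { 192.168.1.28; }; // only the secondary DNS server may AXFR/IXFR
};

// Reverse zones, one per /24 that needs PTR records. Note the reversed-octet
// naming convention in the zone name.
zone "1.168.192.in-addr.arpa" {
    type master;
    file "192.168.1.zone"; // reverse (address -> name) zone file
    allow-transfer { 192.168.1.28; };
}; // this closing brace was missing in the original listing
zone "33.168.192.in-addr.arpa" {
    type master;
    file "192.168.33.zone";
    allow-transfer { 192.168.1.28; };
};
zone "34.168.192.in-addr.arpa" {
    type master;
    file "192.168.34.zone";
    allow-transfer { 192.168.1.28; };
};
zone "64.168.192.in-addr.arpa" {
    type master;
    file "192.168.64.zone";
    allow-transfer { 192.168.1.28; };
};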


这里注意一下:
如果有多个网段需要反向解析,就定义多个反向解析区域(每个网段一个 zone)。

5、把安装目录的属主属组改为 named:named,让 named 能读取 named.conf、rndc.conf 并写入工作目录。注意:下面的 chown -R 作用于整个安装目录,会把 sbin 下的可执行文件也交给 named 用户;更稳妥的做法是只修改 etc 和 var/named 的属主,可执行文件保留 root 所有:

[root@DNS-XUEXI-xuexiji etc]# chown -R named:named /usr/local/bind9/
四、运行bind

1、执行如下命令以 named 用户身份启动 bind(-u 指定运行用户,-c 指定配置文件;启动前可先用 /usr/local/bind9/sbin/named-checkconf 检查配置语法):

[root@DNS-XUEXI-xuexiji etc]# /usr/local/bind9/sbin/named -u named -c /usr/local/bind9/etc/named.conf

2、测试能否正常解析:

[root@DNS-XUEXI-xuexiji etc]# ps -ef|grep named
named 32292 1 0 17:53 ? 00:00:00 /usr/local/bind9/sbin/named -u named -c /usr/local/bind9/etc/named.conf
root 32296 7543 0 17:53 pts/0 00:00:00 grep --color=auto named
[root@DNS-XUEXI-xuexiji etc]# netstat -anp|grep 53
tcp 0 0 10.0.0.101:53 0.0.0.0:* LISTEN 32292/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 32292/named
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 7405/dnsmasq
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 32292/named
tcp6 0 0 ::1:53 :::* LISTEN 32292/named
tcp6 0 0 fe80::3a60:77cc:54ff:53 :::* LISTEN 32292/named
udp 0 0 192.168.122.1:53 0.0.0.0:* 32292/named
udp 0 0 10.0.0.101:53 0.0.0.0:* 32292/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 32292/named
udp 0 0 192.168.122.1:53 0.0.0.0:* 7405/dnsmasq
udp 0 0 0.0.0.0:5353 0.0.0.0:* 6684/avahi-daemon:
udp6 0 0 ::1:53 :::* 32292/named
udp6 0 0 fe80::3a60:77cc:54ff:53 :::* 32292/named
unix 2 [ ] DGRAM 45380 7405/dnsmasq
unix 3 [ ] STREAM CONNECTED 45153 7350/master
unix 3 [ ] DGRAM 22753 2948/systemd-udevd
[root@DNS-XUEXI-xuexiji etc]# dig @127.0.0.1 www.baidu.com

; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> @127.0.0.1 www.baidu.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22009
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.baidu.com. IN A

;; ANSWER SECTION:
www.baidu.com. 1200 IN CNAME www.a.shifen.com.
www.a.shifen.com. 300 IN A 39.156.66.14
www.a.shifen.com. 300 IN A 39.156.66.18

;; Query time: 1758 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: 二 2月 22 17:56:45 CST 2022
;; MSG SIZE rcvd: 104