BIND9私有DNS服務器小環境搭建實驗
1. 服務器基本配置
1) 主根服務器 192.168.56.101
2) 從根服務器 192.168.56.102
3) COM服務器 192.168.56.103
4) 解析服務器 192.168.56.104
2. 編譯及安裝BIND9
1) # tar xvf bind-9.6.1.tar.gz
# cd bind-9.6.1
# ./configure --prefix=/usr/local/named --enable-threads
//開啟多線程處理能力
# make && make install
2) 從rndc.conf文件中提取named.conf用的key
# cd /usr/local/named
# sbin/rndc-confgen > etc/rndc.conf
#cd etc/
# tail -10 rndc.conf | head -9 | sed s/#\//g > named.conf
# cat named.conf
[plain]
key "rndc-key" {
algorithm hmac-md5;
secret "wk7NzsvLaCobiCFxHB2LXQ==";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
以上安裝與設置步驟在每台服務器上都是一樣的; 但 rndc-confgen 在每台機器上生成的 key 各不相同, 應使用本機生成的值, 不要把同一個 secret 複製到多台服務器上。
3. 配置主根服務器 在IP為192.168.56.101的服務器上
1) 打開named.conf, 添加如下內容
# vi named.conf
[plain]
key "rndc-key" {
algorithm hmac-md5;
secret "wk7NzsvLaCobiCFxHB2LXQ==";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
options {
directory "/var/named/";
pid-file "/var/named/named.pid";
recursion no;
};
zone "." IN {
type master;
file "db.root";
allow-transfer {192.168.56.102;};
};
其中: recursion no; 關閉遞歸查詢。
allow-transfer {192.168.56.102;}; 允許區域傳送, 且僅對列出的IP地址的服務器有效 (這裡192.168.56.102是我們的從根服務器); 若不加此限制, 任何主機都可以通過區域傳送取得整個區文件。
2) 創建區配置文件
# cd /var
# mkdir named
# cd named
# touch db.root
# vi db.root
[plain]
$TTL 86400
@ IN SOA @ root (
12169
1m
1m
1m
1m )
. IN NS root.ns.
root.ns. IN A 192.168.56.101
com. IN NS ns.com.
ns.com. IN A 192.168.56.103
其中: com. IN NS ns.com. 這裡必須把 com. 授權(委派)出去, 否則遞歸解析時將找不到類似 my.com 所對應的地址
3) 啟動BIND 並測試
# cd /usr/local/named
# sbin/named -g &
# dig @192.168.56.101 . NS
[plain]
root@simba-1:/var/named# dig @192.168.56.101 . NS
; <<>> DiG 9.9.2-P1 <<>> @192.168.56.101 . NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10193
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
. 86400 IN NS root.ns.
;; ADDITIONAL SECTION:
root.ns. 86400 IN A 192.168.56.101
;; Query time: 19 msec
;; SERVER: 192.168.56.101#53(192.168.56.101)
;; WHEN: Wed Aug 21 07:15:38 2013
;; MSG SIZE rcvd: 64
# dig @192.168.56.101 com. NS
[plain]
root@simba-1:/var/named# dig @192.168.56.101 com. NS
; <<>> DiG 9.9.2-P1 <<>> @192.168.56.101 com. NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20443
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;com. IN NS
;; AUTHORITY SECTION:
com. 86400 IN NS ns.com.
;; ADDITIONAL SECTION:
ns.com. 86400 IN A 192.168.56.103
;; Query time: 17 msec
;; SERVER: 192.168.56.101#53(192.168.56.101)
;; WHEN: Wed Aug 21 07:18:16 2013
;; MSG SIZE rcvd: 65
4. 配置從根服務器 在IP為192.168.56.102上
1) 打開named.conf, 添加如下內容
# vi named.conf
[plain]
key "rndc-key" {
algorithm hmac-md5;
secret "JaHjteR5sZxVrMWWcOne9g==";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
options {
directory "/var/named";
pid-file "/var/run/named/named.pid";
transfer-format many-answers;
recursion no;
};
zone "." IN {
type slave;
file "db.root";
masters { 192.168.56.101; };
};
其中: recursion no; 關閉遞歸查詢。
masters {192.168.56.101;}; 指明主服務器地址,這樣就可以根據SOA中指定
的刷新時間去與主根同步
2) 創建區配置文件
# cd /var
# mkdir named
從服務器不需要手動建立區域文件, 因為它會按 SOA 中的刷新時間自動從主服務器同步(區域傳送)。
3) 啟動BIND 並測試
# cd /usr/local/named
# sbin/named -g &
等待一段時間, 確認已經從主服務器獲取到了區文件
# ls /var/named/
db.root
# dig @192.168.56.102 . NS
[plain]
; <<>> DiG 9.9.2-P1 <<>> @192.168.56.102 . NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18918
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
. 86400 IN NS root.ns.
;; ADDITIONAL SECTION:
root.ns. 86400 IN A 192.168.56.101
;; Query time: 12 msec
;; SERVER: 192.168.56.102#53(192.168.56.102)
;; WHEN: Wed Aug 21 07:27:18 2013
;; MSG SIZE rcvd: 64
# dig @192.168.56.102 com. NS
[plain]
root@simba-2:/usr/local/named/etc# dig @192.168.56.102 com. NS
; <<>> DiG 9.9.2-P1 <<>> @192.168.56.102 com. NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17412
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;com. IN NS
;; AUTHORITY SECTION:
com. 86400 IN NS ns.com.
;; ADDITIONAL SECTION:
ns.com. 86400 IN A 192.168.56.103
;; Query time: 19 msec
;; SERVER: 192.168.56.102#53(192.168.56.102)
;; WHEN: Wed Aug 21 07:35:10 2013
;; MSG SIZE rcvd: 65
5. 配置COM服務器 在服務器192.168.56.103上
1) 打開named.conf, 添加如下內容
# vi named.conf
[plain]
key "rndc-key" {
algorithm hmac-md5;
secret "kMOStrdGYC5WmE1obk7LJg==";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
options {
directory "/var/named";
pid-file "/var/run/named/named.pid";
allow-query {any;};
recursion no;
};
zone "." IN {
type hint;
file "db.root";
};
zone "com." IN {
type master;
file "db.com";
};
其中: recursion no; 關閉遞歸查詢。
2) 創建區配置文件
# cd /var
# mkdir named
# cd named
# touch db.root
# vi db.root
[plain]
$TTL 86000
@ IN SOA @ root (
1
1m
1m
1m
1m
)
. IN NS root.ns.
root.ns. IN A 192.168.56.101
com. IN NS ns.com.
ns.com. IN A 192.168.56.103
其中: com. IN NS ns.com. 這裡必須把 com. 授權(委派)出去, 否則遞歸解析時將找不到類似 my.com 所對應的地址
該文件與主服務器上的db.root內容基本相同(僅 $TTL 與 SOA 序列號不同), 在這裡作為 hint 區使用
# vi db.com
[plain]
$TTL 86400
@ IN SOA @ root (
2
1m
1m
1m
1m
)
com. IN NS ns.com.
ns.com. IN A 192.168.56.103
my.com. IN A 192.168.56.201
3) 啟動BIND 並測試
# cd /usr/local/named
# sbin/named -g &
# dig @192.168.56.103 com. NS
[plain]
root@simba-2:/usr/local/named/etc# dig @192.168.56.103 com. NS
; <<>> DiG 9.9.2-P1 <<>> @192.168.56.103 com. NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19097
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;com. IN NS
;; ANSWER SECTION:
com. 86400 IN NS ns.com.
;; ADDITIONAL SECTION:
ns.com. 86400 IN A 192.168.56.103
;; Query time: 21 msec
;; SERVER: 192.168.56.103#53(192.168.56.103)
;; WHEN: Wed Aug 21 07:45:15 2013
;; MSG SIZE rcvd: 65
# dig @192.168.56.103 my.com. A
[plain]
root@simba-2:/usr/local/named/etc# dig @192.168.56.103 my.com. A
; <<>> DiG 9.9.2-P1 <<>> @192.168.56.103 my.com. A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23466
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;my.com. IN A
;; ANSWER SECTION:
my.com. 86400 IN A 192.168.56.201
;; AUTHORITY SECTION:
com. 86400 IN NS ns.com.
;; ADDITIONAL SECTION:
ns.com. 86400 IN A 192.168.56.103
;; Query time: 17 msec
;; SERVER: 192.168.56.103#53(192.168.56.103)
;; WHEN: Wed Aug 21 07:46:41 2013
;; MSG SIZE rcvd: 84
6. 配置解析服務器 在服務器 192.168.56.104上
1) 打開named.conf, 添加如下內容
# vi named.conf
[plain]
key "rndc-key" {
algorithm hmac-md5;
secret "kMOStrdGYC5WmE1obk7LJg==";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
options {
directory "/var/named";
pid-file "/var/run/named/named.pid";
allow-query {any;};
recursion yes;
allow-recursion {any;};
};
zone "." IN {
type hint;
file "db.root";
};
其中: recursion yes; 打開遞歸查詢。
allow-recursion {any;}; 指定允許使用遞歸查詢的客戶端範圍, 這裡為任意來源, 需與 recursion yes 配合使用; 在實驗環境以外應把它限制為可信的網段, 否則該服務器就成了對外開放的遞歸解析器。
2) 創建區配置文件
# cd /var
# mkdir named
# cd named
# touch db.root
# vi db.root
[plain]
$TTL 8600
@ IN SOA @ root (
1
1m
1m
1m
1m
)
. IN NS root.ns.
root.ns. IN A 192.168.56.101
其中: 這裡只需給出根 的NS 和A 記錄即可
3) 啟動BIND 並測試
# cd /usr/local/named
# sbin/named -g &
dig 默認會發送帶 rd 標誌的遞歸查詢
# dig @192.168.56.104 com. SOA
[plain]
root@simba-2:/usr/local/named/etc# dig @192.168.56.104 com. SOA
; <<>> DiG 9.9.2-P1 <<>> @192.168.56.104 com. SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44824
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;com. IN SOA
;; ANSWER SECTION:
com. 86358 IN SOA com. root.com. 2 60 60 60 60
;; AUTHORITY SECTION:
com. 86354 IN NS ns.com.
;; ADDITIONAL SECTION:
ns.com. 86354 IN A 192.168.56.103
;; Query time: 16 msec
;; SERVER: 192.168.56.104#53(192.168.56.104)
;; WHEN: Wed Aug 21 07:52:46 2013
;; MSG SIZE rcvd: 106
可以看出 ;; flags: qr rd ra; 此處沒有 aa 標誌, 表明這是非權威應答, 由解析服務器遞歸查詢後返回; ra 表示該服務器可提供遞歸
# dig @192.168.56.104 my.com. A
[plain]
root@simba-2:/usr/local/named/etc# dig @192.168.56.104 my.com. A
; <<>> DiG 9.9.2-P1 <<>> @192.168.56.104 my.com. A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21228
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;my.com. IN A
;; ANSWER SECTION:
my.com. 86286 IN A 192.168.56.201
;; AUTHORITY SECTION:
com. 86259 IN NS ns.com.
;; ADDITIONAL SECTION:
ns.com. 86259 IN A 192.168.56.103
;; Query time: 15 msec
;; SERVER: 192.168.56.104#53(192.168.56.104)
;; WHEN: Wed Aug 21 07:54:21 2013
;; MSG SIZE rcvd: 84