DNS Configuration Example

Revision history
Revision 1.0 2003/1/22 jiangxin
Converted to DocBook format
Revision 0.9 2000/8 jiangxin
DNS configuration essentials

Abstract

A worked BIND DNS configuration example.

(Built from revision 271718a, last updated 2007-06-14)


Table of Contents

1. Installing BIND
1.1. Download
1.2. Install
1.3. Configuring DNS
1.3.1. BIND configuration
1.3.2. DNS zone file configuration
1.4. Starting DNS
2. Testing
2.1. Checks
2.2. nslookup

1. Installing BIND

1.1. Download

The best-known DNS (Internet Domain Name System) server is BIND (the Berkeley Internet Name Domain), maintained by ISC.

Download ISC BIND ...

Download the BIND 9 Administrator Reference Manual ...

1.2. Install

Build and install (the install step needs write access to the prefix, normally root):

$ ./configure --prefix=/usr/local/bind
$ make depend
$ make
$ make install

Create the working directories and the links that put the files where the scripts below expect them:

$ mkdir -p /usr/local/bind/var/run
$ mkdir -p /usr/local/bind/var/named
$ mkdir -p /usr/local/bind/etc
$ touch    /usr/local/bind/etc/named.conf
$ touch    /usr/local/bind/etc/rndc.conf

$ ln -sf    /usr/local/bind/etc/named.conf  /etc/named.conf
$ ln -sf    /usr/local/bind/etc/rndc.conf   /etc/rndc.conf
$ ln -sf    /usr/local/bind/var/named       /var/named
$ ln -sf    /usr/local/bind/sbin/rndc       /usr/sbin/rndc
$ ln -sf    /usr/local/bind/sbin/named      /usr/sbin/named

1.3. Configuring DNS

1.3.1. BIND configuration

  1. Create the key

    $ cd /usr/local/bind
    $ sbin/dnssec-keygen -a hmac-md5 -b 128 -n HOST worldhello.  1
    
    1

    This is BIND's TSIG (Transaction SIGnatures) mechanism: a shared secret that authenticates DNS notifies, dynamic updates and, as used here, the rndc control channel.

    The command writes two files, K*****.key and K*****.private; the "Key: *******" line in the *.private file is the shared secret.

    This is the BIND 8 / early BIND 9 procedure. Current BIND releases no longer generate HMAC keys with dnssec-keygen; use tsig-keygen (or rndc-confgen -a) instead, and prefer hmac-sha256 over hmac-md5, which remains only for compatibility with old peers.

  2. Create the configuration file etc/rndc.conf

    rndc (the remote name daemon control) is the administrator's tool for controlling the name server at run time: reloading, stopping and reconfiguring the DNS service. Its configuration file is /etc/rndc.conf.

    key worldhello. {                            1
         algorithm "hmac-md5";
         secret "nvNpPbfDZixmFzqSUVJn6w==";
    };
    
    options {
         default-server localhost;             2
         default-key   worldhello. ;
    };
    
    server localhost {
            key worldhello. ;
    };
    
    1

    The shared secret used to authenticate to the controlled name server. It must be identical, byte for byte, to the key stanza in named.conf, and because anyone who can read it can control the server, keep rndc.conf readable only by root (for example, chmod 600).

    2

    The name server to manage; in this example, the local host.

  3. Create the configuration file etc/named.conf

    named.conf is the name server's main configuration file. The zone statements are its most important part: each describes the resolution data for one zone the server is authoritative for. A more complex example follows:

    key worldhello. {
         algorithm "hmac-md5";
         secret "nvNpPbfDZixmFzqSUVJn6w==";                        1
    };
    
    controls {
       inet 127.0.0.1 allow { localhost; } keys { worldhello.; };
    };
    
    acl bogus-nets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8;};            2
    
    acl our-inner-nets { 127.0.0.1/32; 10.0.0.0/8; };              3
    
    acl our-outer-nets { 192.168.0.0/16; };                        4
    
    acl transfer-inner-ips { 10.0.0.2; };                          5
    
    acl transfer-outer-ips { 192.168.0.2; };                       6
    
    options {
            version "$Id, worldhello.net";
            directory "/var/named";
            allow-query { any; };
            allow-recursion { our-inner-nets; our-outer-nets; };   7
            blackhole { bogus-nets; };
            notify yes;
            recursion yes;
            forward first;
            forwarders{
                    202.106.0.20;                                  8
            };
            listen-on-v6  { none; };
            auth-nxdomain   no;
    };
    
    view "internal" {                                              9
            match-clients { our-inner-nets; };
            recursion yes;
    
            zone "0.0.127.in-addr.arpa"{
                    type master;
                    file "named.local";                            10
                    notify no;
            };
            zone "0.0.10.in-addr.arpa"{
                    type master;
                    file "named.10.0.0";                           11
                    notify yes;
                    allow-transfer{ transfer-inner-ips; };
            };
            zone "worldhello.net"{
                    type master;
                    file "named.inner.worldhello.net";             12
                    allow-query { any; };
                    allow-transfer{ transfer-inner-ips; };
                    notify yes;
            };
    };
    
    view "external" {                                              13
            match-clients { any; };
            recursion no;
    
            zone "0.0.127.in-addr.arpa"{
                    type master;
                    file "named.local";
                    notify no;
            };
            zone "0.0.10.in-addr.arpa"{
                    type master;
                    file "named.10.0.0";
                    notify yes;
                    allow-transfer{ transfer-inner-ips; };
            };
            zone "worldhello.net"{
                    type master;
                    file "named.outer.worldhello.net";             14
                    allow-query { any; };
                    allow-transfer{ transfer-outer-ips; };
                    notify yes;
            };
    };
    
    1

    The shared secret. Only a host holding this secret can manage the server.

    2

    Bogus source networks; requests from them are dropped without a reply. The list reflects address space that was unallocated in 2000: 1.0.0.0/8 and 2.0.0.0/8 have since been allocated (1.0.0.0/8 contains the public resolver 1.1.1.1), so on a current server use a maintained bogon list or remove those two entries; 0.0.0.0/8 is still invalid as a source.

    3

    Internal network address range.

    4

    Private "external" address range (an example only; a real external view would match public addresses).

    5

    Address of the internal secondary DNS server, allowed to transfer zones so that its copy stays in sync.

    6

    Address of the external secondary DNS server, likewise.

    7

    Recursive service is offered only to the internal network and the private external network. Together with recursion no in the external view, this keeps the server from acting as an open resolver for the whole Internet.

    8

    For recursive queries that miss the local cache, the forwarders are tried first (forward first); if they do not answer, the server resolves the name on its own.

    9

    A view serves different data depending on the client's source address. Views are tried in file order and the first match-clients match wins, so the internal view must come before the catch-all external one; swapping them would hand internal clients the external data.

    10

    Reverse zone for localhost.

    11

    Reverse zone for the 10.0.0 network.

    12

    The worldhello.net zone as seen from the internal network.

    13

    The external view serves every other client. Note that it also publishes the 10.0.0 reverse zone and allows transfers of it, which discloses internal host names to anyone who asks; in practice, keep RFC 1918 reverse zones in the internal view only.

    14

    The worldhello.net zone as seen from outside.
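The script below is an added example by the editor (it is not part of the original page and not ISC software). It re-implements offline the two things a reviewer most wants to check in the named.conf above: which view and which recursion policy a given client address receives (blackhole is applied first, then views are tried in file order), and whether the key stanza that rndc.conf and named.conf must share really agrees and uses an acceptable MAC. The ACLs and key stanzas are transcribed from the configuration above; the client addresses, the reversed view order and the mutated secret are constructed test data.

```python
"""Offline model of the access-control and control-key parts of the named.conf above.

Added example (editor's code, not from the original page or from ISC).
ACL/view definitions are transcribed from the named.conf shown above; the
client addresses and the mutated secret used below are constructed test data.
"""
import ipaddress
import re

# acl statements, as in named.conf
ACLS = {
    "bogus-nets": ["0.0.0.0/8", "1.0.0.0/8", "2.0.0.0/8"],
    "our-inner-nets": ["127.0.0.1/32", "10.0.0.0/8"],
    "our-outer-nets": ["192.168.0.0/16"],
}
BLACKHOLE = ["bogus-nets"]                              # options { blackhole { ... }; }
ALLOW_RECURSION = ["our-inner-nets", "our-outer-nets"]  # options { allow-recursion { ... }; }
# views in file order: (name, match-clients, recursion); BIND takes the first match
VIEWS = [
    ("internal", ["our-inner-nets"], True),
    ("external", ["any"], False),
]

# The key stanzas to compare, copied from the rndc.conf and named.conf above.
RNDC_CONF = '''
key worldhello. {
     algorithm "hmac-md5";
     secret "nvNpPbfDZixmFzqSUVJn6w==";
};
options { default-server localhost; default-key worldhello. ; };
server localhost { key worldhello. ; };
'''
NAMED_CONF = '''
key worldhello. {
     algorithm "hmac-md5";
     secret "nvNpPbfDZixmFzqSUVJn6w==";
};
controls { inet 127.0.0.1 allow { localhost; } keys { worldhello.; }; };
'''


def _networks(names):
    """Expand ACL names (or literal prefixes, or 'any') into ip_network objects."""
    nets = []
    for name in names:
        if name == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif name in ACLS:
            nets.extend(ipaddress.ip_network(n) for n in ACLS[name])
        else:
            nets.append(ipaddress.ip_network(name))
    return nets


def matches(client, names):
    ip = ipaddress.ip_address(client)
    return any(ip in net for net in _networks(names))


def classify(client, views=VIEWS):
    """Return (view name, recursion allowed) for a client address.

    Blackholed sources get ("blackhole", False); recursion is granted only if
    both the view's own 'recursion' setting and the global allow-recursion permit it.
    """
    if matches(client, BLACKHOLE):
        return ("blackhole", False)
    for name, match_clients, recursion in views:
        if matches(client, match_clients):
            return (name, recursion and matches(client, ALLOW_RECURSION))
    return ("refused", False)


# key <name> { algorithm <alg>; secret "<base64>"; };  (quotes around alg optional)
KEY_RE = re.compile(r'\bkey\s+(\S+)\s*\{\s*algorithm\s+"?([\w-]+)"?\s*;'
                    r'\s*secret\s+"([^"]+)"\s*;', re.S)


def lint_keys(rndc_conf, named_conf):
    """Report control-key problems: missing or mismatched stanzas and weak MACs."""
    problems = []
    rndc = {m.group(1): (m.group(2).lower(), m.group(3)) for m in KEY_RE.finditer(rndc_conf)}
    named = {m.group(1): (m.group(2).lower(), m.group(3)) for m in KEY_RE.finditer(named_conf)}
    if not rndc:
        problems.append("rndc.conf defines no key")
    for name, (alg, secret) in rndc.items():
        if name not in named:
            problems.append(f"key {name} from rndc.conf is missing in named.conf")
        elif named[name] != (alg, secret):
            problems.append(f"key {name} differs between rndc.conf and named.conf")
        if alg == "hmac-md5":
            problems.append(f"key {name} uses hmac-md5; prefer hmac-sha256")
    return problems


if __name__ == "__main__":
    for client in ("10.0.0.5", "127.0.0.1", "192.168.1.7", "203.0.113.9", "1.1.1.1"):
        print(f"{client:>12} -> {classify(client)}")
    # Reversing the view order shows why the catch-all view must come last.
    print("10.0.0.5 with external first ->", classify("10.0.0.5", list(reversed(VIEWS))))
    for p in lint_keys(RNDC_CONF, NAMED_CONF):
        print("lint:", p)
```

Run it after editing either file: a secret that differs by one character, or a key renamed in only one place, shows up immediately, and the view check makes the first-match rule concrete (with the views reversed, 10.0.0.5 lands in "external" with no recursion).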

1.3.2. DNS zone file configuration

  • /var/named/named.local

    $TTL 3600
    @               IN      SOA     localhost.      root.localhost. (
                            2001030801 ; serial
                            28800      ; refresh
                            14400      ; retry
                            3600000    ; expire
                            86400      ; minimum (negative-caching TTL)
                            )
    @               IN      NS      localhost.
    1               IN      PTR     localhost.
    ; End of File
    
  • /var/named/named.10.0.0

    $TTL 3600
    @               IN      SOA     ns1.worldhello.net.      johnson.worldhello.net. (
                            2001030801 ; serial
                            600        ; refresh
                            600        ; retry
                            3600000    ; expire
                            3400       ; minimum (negative-caching TTL)
                            )
    @               IN      NS      ns1.worldhello.net.
    @               IN      NS      ns2.worldhello.net.
    1               IN      PTR     ns1.worldhello.net.
    2               IN      PTR     ns2.worldhello.net.
    10              IN      PTR     johnson.worldhello.net.
    ; End of File
    
  • /var/named/named.inner.worldhello.net

    $TTL            3600
    @               IN      SOA     ns1.worldhello.net.      johnson.worldhello.net. (
                            2001021802 ; serial
                            300        ; refresh
                            300        ; retry
                            7200000    ; expire
                            3600       ; minimum (negative-caching TTL)
                            )
    @               IN      NS      ns1.worldhello.net.
    @               IN      NS      ns2.worldhello.net.
    @               IN      MX      5       mail.worldhello.net.
    @               IN      MX      10      mail2.worldhello.net.
    @               IN      A       10.0.0.1
    localhost       IN      A       127.0.0.1
    ns1             IN      A       10.0.0.1
    ns2             IN      A       10.0.0.2
    johnson         IN      A       10.0.0.10
    www             IN      A       10.0.0.1
    mail            IN      A       10.0.0.2
    mail2           IN      A       10.0.0.3
    *               IN      CNAME   johnson   ; wildcard: every otherwise undefined name resolves to johnson
    
  • /var/named/named.outer.worldhello.net

    $TTL            3600
    @               IN      SOA     ns1.worldhello.net.      johnson.worldhello.net. (
                            2001021802 ; serial
                            300        ; refresh
                            300        ; retry
                            7200000    ; expire
                            3600       ; minimum (negative-caching TTL)
                            )
    @               IN      NS      ns1.worldhello.net.
    @               IN      NS      ns2.worldhello.net.
    @               IN      MX      5       mail.worldhello.net.
    @               IN      MX      10      mail2.worldhello.net.
    @               IN      A       192.168.0.100   ; was 192.169.0.100, outside the 192.168.0.0/16 example range
    localhost       IN      A       127.0.0.1
    ns1             IN      A       192.168.0.1
    ns2             IN      A       192.168.0.2
    www             IN      A       192.168.0.1
    johnson         IN      A       192.168.0.10
    mail            IN      A       192.168.0.2
    mail2           IN      A       192.168.0.3
    
  • /var/named/named.192.168.0

    This reverse zone file is not referenced by the named.conf above. To serve it, add a zone "0.168.192.in-addr.arpa" statement (type master; file "named.192.168.0") to the external view.

    $TTL 3600
    @               IN      SOA     ns1.worldhello.net.      johnson.worldhello.net. (
                            2001030801 ; serial
                            600        ; refresh
                            600        ; retry
                            3600000    ; expire
                            3400       ; minimum (negative-caching TTL)
                            )
    @               IN      NS      ns1.worldhello.net.
    @               IN      NS      ns2.worldhello.net.
    1               IN      PTR     ns1.worldhello.net.
    2               IN      PTR     ns2.worldhello.net.
    10              IN      PTR     johnson.worldhello.net.
    ; End of File
    

1.4. Starting DNS

Create the start-up script /etc/rc.d/init.d/named (the run-level links below point at this path):


#!/bin/sh
#
# named           This shell script takes care of starting and stopping
#                 named (BIND DNS server).
#
# chkconfig: 345 55 45
# description: named (BIND) is a Domain Name Server (DNS) \
# that is used to resolve host names to IP addresses.
# probe: true

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

[ -f /usr/sbin/named ] || exit 0

[ -f /etc/named.conf ] || exit 0

# See how we were called.
case "$1" in
  start)
        # Start daemons.  As written, named runs as root; on a production
        # host prefer an unprivileged user and a chroot: daemon named -u named -t /chroot/named
        echo -n "Starting named: "
        daemon named
        echo
        touch /var/lock/subsys/named
        ;;
  stop)
        # Stop daemons.
        echo -n "Shutting down named: "
        killproc named
        rm -f /var/lock/subsys/named
        echo
        ;;
  status)
        /usr/sbin/rndc status
        exit $?
        ;;
  restart)
        /usr/sbin/rndc restart
        exit $?
        ;;
  reload)
        /usr/sbin/rndc reload
        exit $?
        ;;
  probe)
        # named knows how to reload intelligently; we don't want linuxconf
        # to offer to restart every time
        /usr/sbin/rndc reload >/dev/null 2>&1 || echo start
        exit 0
        ;;

  *)
        echo "Usage: named {start|stop|status|restart|reload|probe}"
        exit 1
esac

exit 0

Create the run-level symlinks:

$ ln -s /etc/rc.d/init.d/named  /etc/rc.d/rc0.d/K45named
$ ln -s /etc/rc.d/init.d/named  /etc/rc.d/rc1.d/K45named
$ ln -s /etc/rc.d/init.d/named  /etc/rc.d/rc2.d/K45named
$ ln -s /etc/rc.d/init.d/named  /etc/rc.d/rc3.d/S55named
$ ln -s /etc/rc.d/init.d/named  /etc/rc.d/rc4.d/S55named
$ ln -s /etc/rc.d/init.d/named  /etc/rc.d/rc5.d/S55named
$ ln -s /etc/rc.d/init.d/named  /etc/rc.d/rc6.d/K45named

Start the server while watching the system log for errors:


$ tail -f /var/log/messages &
$ /etc/rc.d/init.d/named start

2. Testing

2.1. Checks

Check the configuration syntax (with -z, also test-load every master zone it references) and check each zone file on its own; named-checkzone takes the zone name and the file:

$ sbin/named-checkconf -z /etc/named.conf
$ sbin/named-checkzone worldhello.net /var/named/named.inner.worldhello.net
$ sbin/named-checkzone worldhello.net /var/named/named.outer.worldhello.net
$ sbin/named-checkzone 0.0.10.in-addr.arpa /var/named/named.10.0.0

2.2. nslookup

The session below queries the local server interactively. The last query, version.bind in class CHAOS, returns whatever the version option in named.conf sets (here "$Id, worldhello.net") rather than the real BIND version; run it from an outside address as well to confirm the server does not disclose its version. Newer systems ship dig instead of nslookup; the same queries work there.

$ nslookup - 127.0.0.1
> set all
...
> ns1.worldhello.net.
...
> set query=any
> worldhello.net.
...
> set query=ptr
> 10.0.0.1
...
> set class=CHAOS
> version.bind
...
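The version.bind query above, carried out on the wire, as an added example by the editor (not part of the original page and not ISC code): build_query() produces the CHAOS-class TXT question nslookup sends, parse_txt_reply() decodes the answer including name compression, and make_reply() constructs an offline reply in the shape named returns when options { version "..."; } is set, so the decoder can be exercised without a running server. query_server() sends the real query to 127.0.0.1 (an assumed default) when a server is up.

```python
"""Build and decode the CHAOS-class version.bind query from section 2.2.

Added example (editor's code, not from the original page or from ISC).  The
reply built by make_reply() is constructed to look like named's answer when
options { version "..."; } is set; query_server() talks to a real server.
"""
import socket
import struct

TXT, CHAOS = 16, 3


def build_query(qname, qtype=TXT, qclass=CHAOS, txid=0x1234):
    """DNS query: 12-byte header (RD=0, one question), QNAME labels, QTYPE, QCLASS."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    wire_name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + wire_name + struct.pack("!HH", qtype, qclass)


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                       # pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", end if end is not None else off


def parse_txt_reply(msg):
    """Return (rcode, [TXT strings]) from a DNS reply; other RR types are skipped."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                   # QTYPE + QCLASS
    texts = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TXT:
            i = 0
            while i < rdlen:                       # sequence of <len><chars>
                texts.append(rdata[i + 1:i + 1 + rdata[i]].decode("ascii"))
                i += 1 + rdata[i]
    return flags & 0x000F, texts


def make_reply(query, text):
    """Constructed reply: echoes the question and answers with one TXT RR whose
    owner is a compression pointer (0xC00C) back to the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)   # QR=1, AA=1, NOERROR
    rdata = bytes([len(text)]) + text.encode("ascii")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TXT, CHAOS, 0, len(rdata)) + rdata
    return header + query[12:] + answer


def query_server(server="127.0.0.1", port=53, timeout=2.0):
    """Send the version.bind query over UDP to a real server and decode the answer."""
    q = build_query("version.bind")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        reply, _ = s.recvfrom(512)
    if reply[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return parse_txt_reply(reply)


if __name__ == "__main__":
    q = build_query("version.bind")
    print(parse_txt_reply(make_reply(q, "$Id, worldhello.net")))   # offline round trip
```

A server without a version option answers with its real release string, which is exactly what an attacker fingerprints first; with the option set as in the named.conf above, the reply carries the configured text instead.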