【介绍】
BIND是一种开源的DNS(Domain Name System)协议的实现,包含对域名的查询和响应所需的所有软件。
BIND是互联网上最广泛使用的一种DNS服务器,对于类UNIX系统来说,已经成为事实上的标准。
以下介绍利用BIND来实现主从dns,高速缓存DNS下次学习。
【参考】
参考:https://www.centos.bz/2011/07/centos-install-bind-dns-server/
参考:http://jingyan.baidu.com/article/67508eb4ee1ed59cca1ce416
参考:http://blog.csdn.net/chenfei_5201213/article/details/7866231
参考:http://www.cnblogs.com/shineshqw/articles/1807031
参考:http://www.bind.com/?path=dns
参考:http://wiki.ubuntu.com.cn/Bind9%E5%AE%89%E8%A3%85%E8%AE%BE%E7%BD%AE%E6%8C%87%E5%8D%97
参考:BIND9中文手册 https://www.centos.bz/manual/BIND9-CHS.pdf
【安装】
yum安装Bind:
最近版本:bind 9.9.4-29
yum install bind
会安装 bind 9.9.4-29 和依赖包 bind-libs 9.9.4-29 。
编译安装Bind:
最新版本:bind 9.11.0-P1
下载:http://www.isc.org/software/bind
文档:http://ftp.isc.org/isc/bind9/9.11.0-P1/RELEASE-NOTES-bind-9.11.0-P1.pdf
安装依赖:
yum install gcc openssl-devel
开始安装bind:
wget ftp://ftp.isc.org/isc/bind9/9.11.0-P1/bind-9.11.0-P1.tar.gz && tar xzf bind-9.11.0-P1.tar.gz && cd bind-9.11.0-P1 ./configure --prefix=/usr/local/bind make && make install
bind已经安装到了/usr/local/bind 。
默认配置,会输出:
...
Configuration summary:
-------------------------------------------------------------------------------
Optional features enabled:
Multiprocessing support (--enable-threads)
GSS-API (--with-gssapi)
ECDSA algorithm support (--with-ecdsa)
Print backtrace on crash (--enable-backtrace)
Use symbol table for backtrace, named only (--enable-symtable)
Dynamically loadable zone (DLZ) drivers:
None
Features disabled or unavailable on this platform:
Large-system tuning (--with-tuning)
Allow 'dnstap' packet logging (--enable-dnstap)
GeoIP access control (--with-geoip)
Allow 'fixed' rrset-order (--enable-fixed-rrset)
PKCS#11/Cryptoki support (--with-pkcs11)
Native PKCS#11/Cryptoki support (--enable-native-pkcs11)
GOST algorithm support (--with-gost)
Use libseccomp system call filtering (--enable-seccomp)
Very verbose query trace logging (--enable-querytrace)
Use GNU libtool (--with-libtool)
Automated Testing Framework (--with-atf)
Python tools (--with-python)
JSON statistics (--with-libjson)
LMDB database to store configuration for 'addzone' zones (--with-lmdb)
-------------------------------------------------------------------------------
For more detail, use --enable-full-report.
===============================================================================
完整的配置参考:
输入:
./configure --help
输出:
`configure' configures BIND 9.11 to adapt to many kinds of systems.
Usage: ./configure [OPTION]... [VAR=VALUE]...
To assign environment variables (e.g., CC, CFLAGS...), specify them as
VAR=VALUE. See below for descriptions of some of the useful variables.
Defaults for the options are specified in brackets.
Configuration:
-h, --help display this help and exit
--help=short display options specific to this package
--help=recursive display the short help of all the included packages
-V, --version display version information and exit
-q, --quiet, --silent do not print `checking ...' messages
--cache-file=FILE cache test results in FILE [disabled]
-C, --config-cache alias for `--cache-file=config.cache'
-n, --no-create do not create output files
--srcdir=DIR find the sources in DIR [configure dir or `..']
Installation directories:
--prefix=PREFIX install architecture-independent files in PREFIX
[/usr/local]
--exec-prefix=EPREFIX install architecture-dependent files in EPREFIX
[PREFIX]
By default, `make install' will install all the files in
`/usr/local/bin', `/usr/local/lib' etc. You can specify
an installation prefix other than `/usr/local' using `--prefix',
for instance `--prefix=$HOME'.
For better control, use the options below.
Fine tuning of the installation directories:
--bindir=DIR user executables [EPREFIX/bin]
--sbindir=DIR system admin executables [EPREFIX/sbin]
--libexecdir=DIR program executables [EPREFIX/libexec]
--sysconfdir=DIR read-only single-machine data [PREFIX/etc]
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR modifiable single-machine data [PREFIX/var]
--libdir=DIR object code libraries [EPREFIX/lib]
--includedir=DIR C header files [PREFIX/include]
--oldincludedir=DIR C header files for non-gcc [/usr/include]
--datarootdir=DIR read-only arch.-independent data root [PREFIX/share]
--datadir=DIR read-only architecture-independent data [DATAROOTDIR]
--infodir=DIR info documentation [DATAROOTDIR/info]
--localedir=DIR locale-dependent data [DATAROOTDIR/locale]
--mandir=DIR man documentation [DATAROOTDIR/man]
--docdir=DIR documentation root [DATAROOTDIR/doc/bind]
--htmldir=DIR html documentation [DOCDIR]
--dvidir=DIR dvi documentation [DOCDIR]
--pdfdir=DIR pdf documentation [DOCDIR]
--psdir=DIR ps documentation [DOCDIR]
NOTE: If PREFIX is not set, then the default values for --sysconfdir
and --localstatedir are /etc and /var, respectively.
System types:
--build=BUILD configure for building on BUILD [guessed]
--host=HOST cross-compile to build programs to run on HOST [BUILD]
Optional Features:
--disable-option-checking ignore unrecognized --enable/--with options
--disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no)
--enable-FEATURE[=ARG] include FEATURE [ARG=yes]
--enable-shared[=PKGS] build shared libraries [default=yes]
--enable-static[=PKGS] build static libraries [default=yes]
--enable-fast-install[=PKGS]
optimize for fast installation [default=yes]
--disable-libtool-lock avoid locking (might break parallel builds)
--enable-libbind deprecated
--enable-warn-shadow turn on -Wshadow when compiling
--enable-warn-error turn on -Werror when compiling
--enable-developer enable developer build settings
--enable-afl enable American Fuzzy Lop test harness [default=no]
--enable-seccomp enable support for libseccomp system call filtering
[default=no]
--enable-kqueue use BSD kqueue when available [default=yes]
--enable-epoll use Linux epoll when available [default=auto]
--enable-devpoll use /dev/poll when available [default=yes]
--enable-threads enable multithreading
--enable-native-pkcs11 use native PKCS11 for all crypto [default=no]
--enable-openssl-hash use OpenSSL for hash functions [default=no]
--enable-openssl-version-check
check OpenSSL version [default=yes]
--enable-largefile 64-bit file support
--enable-backtrace log stack backtrace on abort [default=yes]
--enable-symtable use internal symbol table for backtrace
[all|minimal(default)|none]
--enable-ipv6 use IPv6 default=autodetect
--enable-getifaddrs enable the use of getifaddrs() [yes|no].
--disable-isc-spnego use SPNEGO from GSSAPI library
--disable-chroot disable chroot
--disable-linux-caps disable linux capabilities
--enable-atomic enable machine specific atomic operations
[default=autodetect]
--enable-fixed-rrset enable fixed rrset ordering [default=no]
--disable-rpz-nsip disable rpz-nsip rules [default=enabled]
--disable-rpz-nsdname disable rpz-nsdname rules [default=enabled]
--enable-filter-aaaa enable filtering of AAAA records [default=no]
--enable-dnstap enable dnstap support (requires fstrm, protobuf-c)
--enable-querytrace enable very verbose query trace logging [default=no]
--enable-full-report report values of all configure options
Optional Packages:
--with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
--without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no)
--with-pic[=PKGS] try to use only PIC/non-PIC objects [default=use
both]
--with-gnu-ld assume the C compiler uses GNU ld [default=no]
--with-sysroot=DIR Search for dependent libraries within DIR
(or the compiler's sysroot if not specified).
--with-python=PATH specify path to python interpreter
--with-geoip=PATH Build with GeoIP support (yes|no|path)
--with-gssapi=[PATH|[/path/]krb5-config] Specify path for system-supplied GSSAPI [default=yes]
--with-randomdev=PATH Specify path for random device
--with-locktype=ARG Specify mutex lock type (adaptive or standard)
--with-libtool use GNU libtool
--with-openssl=PATH Build with OpenSSL yes|no|path.
(Crypto is required for DNSSEC)
--with-pkcs11=PATH Build with PKCS11 support yes|no|path
(PATH is for the PKCS11 provider)
--with-ecdsa Crypto ECDSA
--with-gost Crypto GOST yes|no|raw|asn1.
--with-aes Crypto AES
--with-cc-alg=ALG choose the algorithm for Client Cookie [aes|sha1|sha256 ]
--with-lmdb=PATH build with LMDB library yes|no|path
--with-libxml2=PATH build with libxml2 library yes|no|path
--with-libjson=PATH build with libjson0 library yes|no|path
--with-zlib=PATH build with zlib for HTTP compression [default=yes]
--with-purify=PATH use Rational purify
--with-gperftools-profiler use gperftools CPU profiler
--with-kame=PATH use Kame IPv6 default path /usr/local/v6
--with-readline=LIBSPEC specify readline library default auto
--with-protobuf-c=path Path where protobuf-c is installed, for dnstap
--with-libfstrm=path Path where libfstrm is installed, for dnstap
--with-docbook-xsl=PATH specify path for Docbook-XSL stylesheets
--with-idn=MPREFIX enable IDN support using idnkit default PREFIX
--with-libiconv=IPREFIX GNU libiconv are in IPREFIX default PREFIX
--with-iconv=LIBSPEC specify iconv library default -liconv
--with-idnlib=ARG specify libidnkit
--with-atf=ARG support Automated Test Framework
--with-tuning=ARG Specify server tuning (large or default)
--with-dlopen=ARG support dynamically loadable DLZ drivers
--with-dlz-postgres=PATH Build with Postgres DLZ driver yes|no|path.
(Required to use Postgres with DLZ)
--with-dlz-mysql=PATH Build with MySQL DLZ driver yes|no|path.
(Required to use MySQL with DLZ)
--with-dlz-bdb=PATH Build with Berkeley DB DLZ driver yes|no|path.
(Required to use Berkeley DB with DLZ)
--with-dlz-filesystem=ARG Build with filesystem DLZ driver yes|no.
(Required to use file system driver with DLZ)
--with-dlz-ldap=PATH Build with LDAP DLZ driver yes|no|path.
(Required to use LDAP with DLZ)
--with-dlz-odbc=PATH Build with ODBC DLZ driver yes|no|path.
(Required to use ODBC with DLZ)
--with-dlz-stub=ARG Build with stub DLZ driver yes|no.
(Required to use stub driver with DLZ)
--with-make-clean run "make clean" at end of configure [yes|no]
Some influential environment variables:
CC C compiler command
CFLAGS C compiler flags
LDFLAGS linker flags, e.g. -L<lib dir> if you have libraries in a
nonstandard directory <lib dir>
LIBS libraries to pass to the linker, e.g. -l<library>
CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I<include dir> if
you have headers in a nonstandard directory <include dir>
CPP C preprocessor
Use these variables to override the choices made by `configure' or to help
it to find libraries and programs with nonstandard names/locations.
Professional support for BIND is provided by Internet Systems Consortium,
Inc. Information about paid support and training options is available at
https://www.isc.org/support.
Help can also often be found on the BIND Users mailing list
(https://lists.isc.org/mailman/listinfo/bind-users) or in the #bind
channel of the Freenode IRC service.
Report bugs to <[email protected]>.
BIND home page: <https://www.isc.org/downloads/BIND/>.
配置主DNS服务器:
配置bind主要是两种文件,一是主配置文件named.conf,二是区域文件zone(包括正解析,反解析)。
在下面的配置中,我们的主dns服务器是ns1.qbtop.com 23.19.81.191,从dns服务器是ns2.qbtop.com 23.19.81.194(这两个dns都已经在godaddy注册好了)。
下面操作仅在主dns服务器23.19.81.191执行。
主配置文件named.conf
首先执行rndc-confgen -a生成/etc/rndc.key密钥文件。
/usr/local/bind/sbin/rndc-confgen -a
编辑 /usr/local/bind/etc/named.conf:
写入如下内容:
include "/usr/local/bind/etc/rndc.key";
controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndckey"; }; };
logging {
channel default_syslog { syslog local2; severity notice; };
channel audit_log { file "/var/log/bind.log"; severity notice; print-time yes; };
category default { default_syslog; };
category general { default_syslog; };
category security { audit_log; default_syslog; };
category config { default_syslog; };
category resolver { audit_log; };
category xfer-in { audit_log; };
category xfer-out { audit_log; };
category notify { audit_log; };
category client { audit_log; };
category network { audit_log; };
category update { audit_log; };
category queries { audit_log; };
category lame-servers { audit_log; };
};
options {
directory "/usr/local/bind/etc";
pid-file "/usr/local/bind/var/run/bind.pid";
transfer-format many-answers;
interface-interval 0;
allow-query { any; };
};
zone "qbtop.com" {
type master;
file "qbtop.com.zone";
allow-transfer { 23.19.81.194; };
};
zone "81.19.23.in-addr.arpa" {
type master;
file "81.19.23.in-addr.arpa";
allow-transfer { 23.19.81.194; };
};
named.conf文件说明:
上面的named.conf文件包括三部分:key,controls,logging,options,zone。
logging:设置日志服务器和日志信息的发送。
options:控制服务器的全局配置选项和为其它语句设置默认值
zone:定义一个域,比如正解析域和反解析域。
logging是定义日志的,不需要深究,主要是options和zone。
在options中:
directory “/usr/local/bind/etc”:定义bind的工作目录为/usr/local/bind/etc,配置文件中所有使用的相对路径,指的都是在这里配置的目录下。
pid-file “/usr/local/bind/var/run/bind.pid”:把bind程序运行的pid写入文件bind.pid。
transfer-format many-answers:使用更加有效的域传输格式many-answers。
allow-query { any; }:允许所有用户查询dns。
在zone中:
这里定义了两个zone,一个是正解析zone qbtop.com,一个是反解析zone 81.19.23.in-addr.arpa。
他们的参数基本相同:
type master:定义dns服务器为主dns。
file “qbtop.com.zone”:定义此zone的文件名。
allow-transfer { 23.19.81.194; }:允许向从dns 23.19.81.194传输dns数据。
唯一不同的是zone名称的定义,正解析zone名称的定义是受权的域名,可以是顶级域名,也可以是二级域名,或多级。
反解析zone名称定义规定前部分ip倒着写。如ip 192.168.1.2,名称定义为1.168.192.in-addr.arpa。
正解析qbtop.com.zone
编辑/usr/local/bind/etc/qbtop.com.zone
写入如下内容:
$TTL 3600
@ IN SOA ns1.qbtop.com. hostmaster.qbtop.com. (
2012022301 ; Serial
3600 ; Refresh
900 ; Retry
3600000 ; Expire
3600 ) ; Minimum
@ IN NS ns1.qbtop.com.
@ IN NS ns2.qbtop.com.
ns1 IN A 23.19.81.191
ns2 IN A 23.19.81.194
aaa IN A 23.19.81.191
bbb IN A 23.19.81.191
文件说明:
$TTL 3600:指示为每个没有特殊TTL设置的RR给出了一个默认的TTL。
@ IN SOA ns1.qbtop.com. hostmaster.qbtop.com. (
2012022301 ; Serial
3600 ; Refresh
900 ; Retry
3600000 ; Expire
3600 ) ; Minimum
定义SOA记录,包括Zone的名字,一个技术联系人和各种不同的超时值。
@ IN NS ns1.qbtop.com.
@ IN NS ns2.qbtop.com.
设置两个ns记录ns1.qbtop.com和ns2.qbtop.com。
ns1 IN A 23.19.81.191
ns2 IN A 23.19.81.194
aaa IN A 23.19.81.191
bbb IN A 23.19.81.191
设置主机为ns1,ns2,aaa和bbb的A记录。
反解析文件81.19.23.in-addr.arpa
反解析zone可以不设置。
编辑 /usr/local/bind/etc/81.19.23.in-addr.arpa :
写入如下内容:
$TTL 3600
@ IN SOA ns1.qbtop.com. hostmaster.qbtop.com. (
2012022301 ; Serial
3600 ; Refresh
900 ; Retry
3600000 ; Expire
3600 ) ; Minimum
@ IN NS ns1.qbtop.com.
@ IN NS ns2.qbtop.com.
191 IN PTR ns1.qbtop.com.
194 IN PTR ns2.qbtop.com.
说明:
上部分是定义SOA记录,下部分是设置IP反解析。
如设置IP 23.19.81.191反解析成ns1.qbtop.com,23.19.81.194反解析成ns2.qbtop.com。
配置从DNS服务器
下面我们来配置从DNS服务器。配置从DNS服务器只需要配置主配置文件named.conf,zone文件不需配置,因为这是从主DNS服务器获取的。
首先建立目录slaves用来存放从主dns获取的zone文件。
mkdir /usr/local/bind/etc/slaves
写入如下内容:
logging {
channel default_syslog { syslog local2; severity notice; };
channel audit_log { file "/var/log/bind.log"; severity notice; print-time yes; };
category default { default_syslog; };
category general { default_syslog; };
category security { audit_log; default_syslog; };
category config { default_syslog; };
category resolver { audit_log; };
category xfer-in { audit_log; };
category xfer-out { audit_log; };
category notify { audit_log; };
category client { audit_log; };
category network { audit_log; };
category update { audit_log; };
category queries { audit_log; };
category lame-servers { audit_log; };
};
options {
directory "/usr/local/bind/etc";
pid-file "/usr/local/bind/var/run/bind.pid";
transfer-format many-answers;
interface-interval 0;
allow-query { any; };
};
zone "qbtop.com" {
type slave;
file "slaves/qbtop.com.zone";
masters { 23.19.81.191; };
};
zone "81.19.23.in-addr.arpa" {
type slave;
file "slaves/81.19.23.in-addr.arpa";
masters { 23.19.81.191; };
};
文件说明:
从dns跟主dns主要的区别是zone的定义,type slave定义此dns服务器为从dns,masters { 23.19.81.191; }定义主dns的IP。
启动BIND
1、在启动BIND之前,我们需要执行/usr/local/bind/sbin/named-checkconf检查named.conf配置文件,和执行/usr/local/bind/sbin/named-checkzone zone名称 zone文件名,如/usr/local/bind/sbin/named-checkzone qbtop.com /usr/local/bind/etc/qbtop.com.zone。
然后调试模式启动bind,/usr/local/bind/sbin/named -g,g参数的意思是前台执行bind,这会输出启动的信息,发现没有严重的错误后,再把g参数删除重新以/usr/local/bind/sbin/named方式后台启动bind。
2、设置开机启动,在/etc/rc.d/rc.local中加入/usr/local/bind/sbin/named。
手动添加记录
1、直接添加删除或修改zone文件里的记录
2、执行rndc reload zone名称重载,如rndc reload qbtop.com
注意
1、主从同步的两台机器要在同一个时区,时间相差不要太大。
2、主的dns服务器在修改了正向解析文件跟反向分解析文件时,要修改相应的 serial(通常是加数值,这个值必须主的要大于从的,要不同步不了)