How to install a BIND DNS server

November 17, 2016 | Category: 【Technology】

【Introduction】

BIND is an open-source implementation of the DNS (Domain Name System) protocol and contains all the software needed to query and answer for domain names.

BIND is the most widely used DNS server on the Internet and has become the de facto standard on UNIX-like systems.

The following describes how to set up master and slave DNS servers with BIND; a caching DNS server will be covered in a later post.

【References】

Reference: https://www.centos.bz/2011/07/centos-install-bind-dns-server/

Reference: http://jingyan.baidu.com/article/67508eb4ee1ed59cca1ce416
Reference: http://blog.csdn.net/chenfei_5201213/article/details/7866231
Reference: http://www.cnblogs.com/shineshqw/articles/1807031

Reference: http://www.bind.com/?path=dns
Reference: http://wiki.ubuntu.com.cn/Bind9%E5%AE%89%E8%A3%85%E8%AE%BE%E7%BD%AE%E6%8C%87%E5%8D%97
Reference: BIND9 manual (Chinese translation) https://www.centos.bz/manual/BIND9-CHS.pdf

【Installation】

Installing BIND with yum:

Current packaged version: bind 9.9.4-29

yum install bind

This installs bind 9.9.4-29 together with its dependency bind-libs 9.9.4-29.

Compiling and installing BIND from source:

Latest version: bind 9.11.0-P1

Download: http://www.isc.org/software/bind
Documentation: http://ftp.isc.org/isc/bind9/9.11.0-P1/RELEASE-NOTES-bind-9.11.0-P1.pdf

Install the build dependencies:

yum install gcc openssl-devel

Build and install bind:

wget ftp://ftp.isc.org/isc/bind9/9.11.0-P1/bind-9.11.0-P1.tar.gz && tar xzf bind-9.11.0-P1.tar.gz && cd bind-9.11.0-P1
./configure --prefix=/usr/local/bind
make && make install

bind is now installed under /usr/local/bind.

With the default configure options the build prints:

...
Configuration summary:
-------------------------------------------------------------------------------
Optional features enabled:
    Multiprocessing support (--enable-threads)
    GSS-API (--with-gssapi)
    ECDSA algorithm support (--with-ecdsa)
    Print backtrace on crash (--enable-backtrace)
    Use symbol table for backtrace, named only (--enable-symtable)
    Dynamically loadable zone (DLZ) drivers:
        None

Features disabled or unavailable on this platform:
    Large-system tuning (--with-tuning)
    Allow 'dnstap' packet logging (--enable-dnstap)
    GeoIP access control (--with-geoip)
    Allow 'fixed' rrset-order (--enable-fixed-rrset)
    PKCS#11/Cryptoki support (--with-pkcs11)
    Native PKCS#11/Cryptoki support (--enable-native-pkcs11)
    GOST algorithm support (--with-gost)
    Use libseccomp system call filtering (--enable-seccomp)
    Very verbose query trace logging (--enable-querytrace)
    Use GNU libtool (--with-libtool)
    Automated Testing Framework (--with-atf)
    Python tools (--with-python)
    JSON statistics (--with-libjson)
    LMDB database to store configuration for 'addzone' zones (--with-lmdb)
-------------------------------------------------------------------------------
For more detail, use --enable-full-report.
===============================================================================

Full list of configure options:

Run:

./configure --help

Output:

`configure' configures BIND 9.11 to adapt to many kinds of systems.

Usage: ./configure [OPTION]... [VAR=VALUE]...

To assign environment variables (e.g., CC, CFLAGS...), specify them as
VAR=VALUE.  See below for descriptions of some of the useful variables.

Defaults for the options are specified in brackets.

Configuration:
  -h, --help              display this help and exit
      --help=short        display options specific to this package
      --help=recursive    display the short help of all the included packages
  -V, --version           display version information and exit
  -q, --quiet, --silent   do not print `checking ...' messages
      --cache-file=FILE   cache test results in FILE [disabled]
  -C, --config-cache      alias for `--cache-file=config.cache'
  -n, --no-create         do not create output files
      --srcdir=DIR        find the sources in DIR [configure dir or `..']

Installation directories:
  --prefix=PREFIX         install architecture-independent files in PREFIX
                          [/usr/local]
  --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX
                          [PREFIX]

By default, `make install' will install all the files in
`/usr/local/bin', `/usr/local/lib' etc.  You can specify
an installation prefix other than `/usr/local' using `--prefix',
for instance `--prefix=$HOME'.

For better control, use the options below.

Fine tuning of the installation directories:
  --bindir=DIR            user executables [EPREFIX/bin]
  --sbindir=DIR           system admin executables [EPREFIX/sbin]
  --libexecdir=DIR        program executables [EPREFIX/libexec]
  --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
  --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
  --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
  --libdir=DIR            object code libraries [EPREFIX/lib]
  --includedir=DIR        C header files [PREFIX/include]
  --oldincludedir=DIR     C header files for non-gcc [/usr/include]
  --datarootdir=DIR       read-only arch.-independent data root [PREFIX/share]
  --datadir=DIR           read-only architecture-independent data [DATAROOTDIR]
  --infodir=DIR           info documentation [DATAROOTDIR/info]
  --localedir=DIR         locale-dependent data [DATAROOTDIR/locale]
  --mandir=DIR            man documentation [DATAROOTDIR/man]
  --docdir=DIR            documentation root [DATAROOTDIR/doc/bind]
  --htmldir=DIR           html documentation [DOCDIR]
  --dvidir=DIR            dvi documentation [DOCDIR]
  --pdfdir=DIR            pdf documentation [DOCDIR]
  --psdir=DIR             ps documentation [DOCDIR]

  NOTE: If PREFIX is not set, then the default values for --sysconfdir
  and --localstatedir are /etc and /var, respectively.

System types:
  --build=BUILD     configure for building on BUILD [guessed]
  --host=HOST       cross-compile to build programs to run on HOST [BUILD]

Optional Features:
  --disable-option-checking  ignore unrecognized --enable/--with options
  --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
  --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
  --enable-shared[=PKGS]  build shared libraries [default=yes]
  --enable-static[=PKGS]  build static libraries [default=yes]
  --enable-fast-install[=PKGS]
                          optimize for fast installation [default=yes]
  --disable-libtool-lock  avoid locking (might break parallel builds)
  --enable-libbind        deprecated
  --enable-warn-shadow    turn on -Wshadow when compiling
  --enable-warn-error     turn on -Werror when compiling
  --enable-developer      enable developer build settings
  --enable-afl            enable American Fuzzy Lop test harness [default=no]
  --enable-seccomp        enable support for libseccomp system call filtering
                          [default=no]
  --enable-kqueue         use BSD kqueue when available [default=yes]
  --enable-epoll          use Linux epoll when available [default=auto]
  --enable-devpoll        use /dev/poll when available [default=yes]
  --enable-threads        enable multithreading
  --enable-native-pkcs11  use native PKCS11 for all crypto [default=no]
  --enable-openssl-hash   use OpenSSL for hash functions [default=no]
  --enable-openssl-version-check
                          check OpenSSL version [default=yes]
  --enable-largefile      64-bit file support
  --enable-backtrace      log stack backtrace on abort [default=yes]
  --enable-symtable       use internal symbol table for backtrace
                          [all|minimal(default)|none]
  --enable-ipv6           use IPv6 default=autodetect
  --enable-getifaddrs     enable the use of getifaddrs() [yes|no].
  --disable-isc-spnego    use SPNEGO from GSSAPI library
  --disable-chroot        disable chroot
  --disable-linux-caps    disable linux capabilities
  --enable-atomic         enable machine specific atomic operations
                          [default=autodetect]
  --enable-fixed-rrset    enable fixed rrset ordering [default=no]
  --disable-rpz-nsip      disable rpz-nsip rules [default=enabled]
  --disable-rpz-nsdname   disable rpz-nsdname rules [default=enabled]
  --enable-filter-aaaa    enable filtering of AAAA records [default=no]
  --enable-dnstap         enable dnstap support (requires fstrm, protobuf-c)
  --enable-querytrace     enable very verbose query trace logging [default=no]
  --enable-full-report    report values of all configure options

Optional Packages:
  --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
  --without-PACKAGE       do not use PACKAGE (same as --with-PACKAGE=no)
  --with-pic[=PKGS]       try to use only PIC/non-PIC objects [default=use
                          both]
  --with-gnu-ld           assume the C compiler uses GNU ld [default=no]
  --with-sysroot=DIR Search for dependent libraries within DIR
                        (or the compiler's sysroot if not specified).
  --with-python=PATH      specify path to python interpreter
  --with-geoip=PATH       Build with GeoIP support (yes|no|path)
  --with-gssapi=[PATH|[/path/]krb5-config]      Specify path for system-supplied GSSAPI [default=yes]
  --with-randomdev=PATH   Specify path for random device
  --with-locktype=ARG     Specify mutex lock type (adaptive or standard)
  --with-libtool          use GNU libtool
  --with-openssl=PATH     Build with OpenSSL yes|no|path.
                          (Crypto is required for DNSSEC)
  --with-pkcs11=PATH      Build with PKCS11 support yes|no|path
                          (PATH is for the PKCS11 provider)
  --with-ecdsa            Crypto ECDSA
  --with-gost             Crypto GOST yes|no|raw|asn1.
  --with-aes              Crypto AES
  --with-cc-alg=ALG      choose the algorithm for Client Cookie [aes|sha1|sha256]
  --with-lmdb=PATH        build with LMDB library yes|no|path
  --with-libxml2=PATH     build with libxml2 library yes|no|path
  --with-libjson=PATH     build with libjson0 library yes|no|path
  --with-zlib=PATH        build with zlib for HTTP compression [default=yes]
  --with-purify=PATH      use Rational purify
  --with-gperftools-profiler  use gperftools CPU profiler
  --with-kame=PATH        use Kame IPv6 default path /usr/local/v6
  --with-readline=LIBSPEC    specify readline library default auto

  --with-protobuf-c=path  Path where protobuf-c is installed, for dnstap
  --with-libfstrm=path    Path where libfstrm is installed, for dnstap
  --with-docbook-xsl=PATH specify path for Docbook-XSL stylesheets
  --with-idn=MPREFIX      enable IDN support using idnkit default PREFIX
  --with-libiconv=IPREFIX GNU libiconv are in IPREFIX default PREFIX
  --with-iconv=LIBSPEC    specify iconv library default -liconv
  --with-idnlib=ARG       specify libidnkit
  --with-atf=ARG          support Automated Test Framework
  --with-tuning=ARG       Specify server tuning (large or default)
  --with-dlopen=ARG       support dynamically loadable DLZ drivers
  --with-dlz-postgres=PATH   Build with Postgres DLZ driver yes|no|path.
                               (Required to use Postgres with DLZ)
  --with-dlz-mysql=PATH   Build with MySQL DLZ driver yes|no|path.
                               (Required to use MySQL with DLZ)
  --with-dlz-bdb=PATH   Build with Berkeley DB DLZ driver yes|no|path.
                               (Required to use Berkeley DB with DLZ)
  --with-dlz-filesystem=ARG    Build with filesystem DLZ driver yes|no.
                               (Required to use file system driver with DLZ)
  --with-dlz-ldap=PATH   Build with LDAP DLZ driver yes|no|path.
                               (Required to use LDAP with DLZ)
  --with-dlz-odbc=PATH   Build with ODBC DLZ driver yes|no|path.
                               (Required to use ODBC with DLZ)
  --with-dlz-stub=ARG    Build with stub DLZ driver yes|no.
                               (Required to use stub driver with DLZ)
  --with-make-clean       run "make clean" at end of configure [yes|no]

Some influential environment variables:
  CC          C compiler command
  CFLAGS      C compiler flags
  LDFLAGS     linker flags, e.g. -L<lib dir> if you have libraries in a
              nonstandard directory <lib dir>
  LIBS        libraries to pass to the linker, e.g. -l<library>
  CPPFLAGS    (Objective) C/C++ preprocessor flags, e.g. -I<include dir> if
              you have headers in a nonstandard directory <include dir>
  CPP         C preprocessor

Use these variables to override the choices made by `configure' or to help
it to find libraries and programs with nonstandard names/locations.

Professional support for BIND is provided by Internet Systems Consortium,
Inc.  Information about paid support and training options is available at
Technical support for open source BIND 9 DNS, Kea DHCP and ISC DHCP software
Help can also often be found on the BIND Users mailing list (https://lists.isc.org/mailman/listinfo/bind-users) or in the #bind channel of the Freenode IRC service. Report bugs to <bind9-bugs@isc.org>. BIND home page: <https://www.isc.org/downloads/BIND/>.

Configuring the master DNS server:

Configuring BIND mainly involves two kinds of files: the main configuration file named.conf, and the zone files (forward and reverse zones).

In the configuration below, our master DNS server is ns1.qbtop.com 23.19.81.191 and the slave DNS server is ns2.qbtop.com 23.19.81.194 (both name servers have already been registered at GoDaddy).

The following steps are performed only on the master DNS server 23.19.81.191.

Main configuration file named.conf

First run rndc-confgen -a to generate the rndc.key key file (with this install prefix it is written to /usr/local/bind/etc/rndc.key, the path included in named.conf below).

/usr/local/bind/sbin/rndc-confgen -a

Edit /usr/local/bind/etc/named.conf:

Write the following:

    include "/usr/local/bind/etc/rndc.key";
    // The key name must match the one inside rndc.key; rndc-confgen -a names it "rndc-key"
    controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; };
    logging {
        channel default_syslog { syslog local2; severity notice; };
        channel audit_log { file "/var/log/bind.log"; severity notice; print-time yes; };
        category default { default_syslog; };
        category general { default_syslog; };
        category security { audit_log; default_syslog; };
        category config { default_syslog; };
        category resolver { audit_log; };
        category xfer-in { audit_log; };
        category xfer-out { audit_log; };
        category notify { audit_log; };
        category client { audit_log; };
        category network { audit_log; };
        category update { audit_log; };
        category queries { audit_log; };
        category lame-servers { audit_log; };
    };
    options {
        directory "/usr/local/bind/etc";
        pid-file "/usr/local/bind/var/run/bind.pid";
        transfer-format many-answers;
        interface-interval 0;
        allow-query { any; };
    };
    zone "qbtop.com" {
        type master;
        file "qbtop.com.zone";
        allow-transfer { 23.19.81.194; };   // only the slave may pull this zone
    };
    zone "81.19.23.in-addr.arpa" {
        type master;
        file "81.19.23.in-addr.arpa";
        allow-transfer { 23.19.81.194; };
    };

Notes on the named.conf file:

The named.conf above consists of the following sections: key, controls, logging, options and zone.

logging: configures the log destinations and which messages are sent to them.

options: controls the server's global configuration options and sets defaults for other statements.

zone: defines a zone, for example a forward zone and a reverse zone.

logging only defines logging and needs no deep study; the important parts are options and zone.

In options:
directory "/usr/local/bind/etc": sets BIND's working directory to /usr/local/bind/etc; every relative path used in the configuration is resolved under this directory.
pid-file "/usr/local/bind/var/run/bind.pid": writes the PID of the running bind process to the file bind.pid.
transfer-format many-answers: use the more efficient many-answers zone transfer format.
allow-query { any; }: allow all clients to query this DNS server.

In zone:
Two zones are defined here: the forward zone qbtop.com and the reverse zone 81.19.23.in-addr.arpa.
Their parameters are essentially the same:
type master: defines this DNS server as the master for the zone.
file "qbtop.com.zone": the file name of this zone.
allow-transfer { 23.19.81.194; }: restricts zone transfers to the slave DNS 23.19.81.194.
The only difference is the zone name: the forward zone is named after the authoritative domain, which may be a top-level domain, a second-level domain, or deeper.

The reverse zone name is the network part of the IP address written in reverse order, followed by in-addr.arpa. For example, for IP 192.168.1.2 the zone name is 1.168.192.in-addr.arpa.
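Because the security, xfer-out and queries categories above all land in the audit_log channel, the allow-transfer restriction can be checked against that log. Here is an added example (not from the original post) that parses print-time lines from /var/log/bind.log, counts the AXFR attempts BIND refused per client, and flags any transfer served to a host other than the slave; the log lines are constructed to follow BIND's message shape and ALLOWED_TRANSFER is the slave address from the zone statements above.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of the audit_log channel above (print-time yes).
# Real lines may also carry a "@0x..." client id after the word "client".
SAMPLE_LOG = """\
17-Nov-2016 10:00:01.123 client 23.19.81.194#41234 (qbtop.com): transfer of 'qbtop.com/IN': AXFR started
17-Nov-2016 10:00:01.456 client 23.19.81.194#41234 (qbtop.com): transfer of 'qbtop.com/IN': AXFR ended
17-Nov-2016 10:05:22.001 client 203.0.113.5#40212 (qbtop.com): zone transfer 'qbtop.com/AXFR/IN' denied
17-Nov-2016 10:05:23.770 client 203.0.113.5#40213 (81.19.23.in-addr.arpa): zone transfer '81.19.23.in-addr.arpa/AXFR/IN' denied
17-Nov-2016 10:06:00.000 client 198.51.100.9#5353 (aaa.qbtop.com): query: aaa.qbtop.com IN A + (23.19.81.191)
"""

# The only host allowed by allow-transfer in the named.conf above.
ALLOWED_TRANSFER = {"23.19.81.194"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<zone>[^)]+)\): (?P<msg>.*)$"
)


def parse_line(line):
    """Split one audit_log line into timestamp, client IP, zone/name and message; None if unparseable."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def transfer_events(log_text):
    """Yield (ip, zone, kind) for every zone-transfer line; kind is started, ended or denied."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        if msg.startswith("zone transfer") and msg.endswith("denied"):
            yield rec["ip"], rec["zone"], "denied"
        elif msg.startswith("transfer of ") and msg.endswith("started"):
            yield rec["ip"], rec["zone"], "started"
        elif msg.startswith("transfer of ") and msg.endswith("ended"):
            yield rec["ip"], rec["zone"], "ended"


def summarize(log_text, allowed=ALLOWED_TRANSFER):
    """Count denied AXFR attempts per client, and list transfers that were actually served
    to a host outside allow-transfer (which would mean the ACL is not what we think)."""
    denied = Counter()
    unexpected = []
    for ip, zone, kind in transfer_events(log_text):
        if kind == "denied":
            denied[ip] += 1
        elif kind == "started" and ip not in allowed:
            unexpected.append((ip, zone))
    return {"denied_by_client": dict(denied), "unexpected_transfers": unexpected}
```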

Forward zone file qbtop.com.zone

Edit /usr/local/bind/etc/qbtop.com.zone:

Write the following:

    $TTL 3600
    @   IN  SOA ns1.qbtop.com. hostmaster.qbtop.com. (
                2012022301  ; Serial
                3600        ; Refresh
                900         ; Retry
                3600000     ; Expire
                3600 )      ; Minimum
    @   IN  NS  ns1.qbtop.com.
    @   IN  NS  ns2.qbtop.com.
    ns1 IN  A   23.19.81.191
    ns2 IN  A   23.19.81.194
    aaa IN  A   23.19.81.191
    bbb IN  A   23.19.81.191

File notes:

$TTL 3600: provides a default TTL for every RR that has no explicit TTL of its own.

    @ IN SOA ns1.qbtop.com. hostmaster.qbtop.com. (
    2012022301 ; Serial
    3600 ; Refresh
    900 ; Retry
    3600000 ; Expire
    3600 ) ; Minimum

Defines the SOA record: the zone name, a technical contact, and the various timer values.

    @ IN NS ns1.qbtop.com.
    @ IN NS ns2.qbtop.com.

Sets two NS records, ns1.qbtop.com and ns2.qbtop.com.

    ns1 IN A 23.19.81.191
    ns2 IN A 23.19.81.194
    aaa IN A 23.19.81.191
    bbb IN A 23.19.81.191

Sets A records for the hosts ns1, ns2, aaa and bbb.

Reverse zone file 81.19.23.in-addr.arpa

The reverse zone is optional.

Edit /usr/local/bind/etc/81.19.23.in-addr.arpa:

Write the following:

    $TTL 3600
    @   IN  SOA ns1.qbtop.com. hostmaster.qbtop.com. (
                2012022301  ; Serial
                3600        ; Refresh
                900         ; Retry
                3600000     ; Expire
                3600 )      ; Minimum
    @   IN  NS  ns1.qbtop.com.
    @   IN  NS  ns2.qbtop.com.
    191 IN  PTR ns1.qbtop.com.
    194 IN  PTR ns2.qbtop.com.

Notes:

The upper part defines the SOA record; the lower part sets up the reverse mappings for the IP addresses.
Here IP 23.19.81.191 resolves back to ns1.qbtop.com and 23.19.81.194 resolves back to ns2.qbtop.com.

Configuring the slave DNS server

Now we configure the slave DNS server. On the slave only the main configuration file named.conf needs to be written; no zone files are needed, because they are fetched from the master DNS server.
First create the directory slaves to hold the zone files fetched from the master.

mkdir /usr/local/bind/etc/slaves

Then write the following to /usr/local/bind/etc/named.conf on the slave:
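The reverse zone above is derived by hand from the forward zone. As an added example (not from the original post), the Python below does that derivation: it pulls the A records out of a constructed copy of qbtop.com.zone, computes the in-addr.arpa name for a given network the way the text describes, and emits the PTR lines, reporting addresses that have several names (ns1, aaa and bbb all point at 23.19.81.191) so the administrator can pick the canonical one rather than silently publishing three PTRs. It also covers /8 and /16 zones, which the text does not show.

```python
import ipaddress

# Constructed copy of the forward zone above (SOA collapsed to one line); $ORIGIN is qbtop.com.
FORWARD_ZONE = """\
$TTL 3600
@ IN SOA ns1.qbtop.com. hostmaster.qbtop.com. ( 2012022301 3600 900 3600000 3600 )
@ IN NS ns1.qbtop.com.
@ IN NS ns2.qbtop.com.
ns1 IN A 23.19.81.191
ns2 IN A 23.19.81.194
aaa IN A 23.19.81.191
bbb IN A 23.19.81.191
"""

def a_records(zone_text, origin):
    """Return [(fqdn, ip)] for each A record in a simple one-record-per-line zone file."""
    out = []
    for raw in zone_text.splitlines():
        parts = raw.split(";", 1)[0].split()          # drop comments, then tokenize
        if len(parts) == 4 and parts[1].upper() == "IN" and parts[2].upper() == "A":
            owner = parts[0]
            fqdn = owner if owner.endswith(".") else (origin + "." if owner == "@" else f"{owner}.{origin}.")
            out.append((fqdn, parts[3]))
    return out

def reverse_zone_name(network):
    """in-addr.arpa zone name for a /8, /16 or /24: 23.19.81.0/24 -> 81.19.23.in-addr.arpa"""
    net = ipaddress.ip_network(network)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only octet-aligned IPv4 reverse zones are handled here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def ptr_records(zone_text, origin, network):
    """Build the PTR lines of the reverse zone for `network` from the forward zone's A records.
    The first name seen for an address wins; further names for the same address are returned
    in `conflicts` so the admin can choose the canonical one (ns1 vs aaa/bbb above)."""
    net = ipaddress.ip_network(network)
    chosen, conflicts = {}, {}
    for fqdn, ip in a_records(zone_text, origin):
        if ipaddress.ip_address(ip) not in net:
            continue                                   # belongs to another reverse zone
        if ip in chosen:
            conflicts.setdefault(ip, [chosen[ip]]).append(fqdn)
        else:
            chosen[ip] = fqdn
    keep = 4 - net.prefixlen // 8                      # host octets that become the owner name
    lines = []
    for ip in sorted(chosen, key=ipaddress.ip_address):
        owner = ".".join(reversed(ip.split(".")[-keep:]))
        lines.append(f"{owner} IN PTR {chosen[ip]}")
    return lines, conflicts
```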

    logging {
        channel default_syslog { syslog local2; severity notice; };
        channel audit_log { file "/var/log/bind.log"; severity notice; print-time yes; };
        category default { default_syslog; };
        category general { default_syslog; };
        category security { audit_log; default_syslog; };
        category config { default_syslog; };
        category resolver { audit_log; };
        category xfer-in { audit_log; };
        category xfer-out { audit_log; };
        category notify { audit_log; };
        category client { audit_log; };
        category network { audit_log; };
        category update { audit_log; };
        category queries { audit_log; };
        category lame-servers { audit_log; };
    };
    options {
        directory "/usr/local/bind/etc";
        pid-file "/usr/local/bind/var/run/bind.pid";
        transfer-format many-answers;
        interface-interval 0;
        allow-query { any; };
    };
    zone "qbtop.com" {
        type slave;
        file "slaves/qbtop.com.zone";      // relative to the directory option above
        masters { 23.19.81.191; };
    };
    zone "81.19.23.in-addr.arpa" {
        type slave;
        file "slaves/81.19.23.in-addr.arpa";
        masters { 23.19.81.191; };
    };

File notes:

The main difference between the slave and the master is the zone definition: type slave makes this server a slave for the zone, and masters { 23.19.81.191; } gives the master's IP address.

Starting BIND

1. Before starting BIND, run /usr/local/bind/sbin/named-checkconf to check named.conf, and run /usr/local/bind/sbin/named-checkzone <zone name> <zone file> for each zone, e.g. /usr/local/bind/sbin/named-checkzone qbtop.com /usr/local/bind/etc/qbtop.com.zone.
Then start bind in debug mode with /usr/local/bind/sbin/named -g. The -g flag runs bind in the foreground and prints the startup messages; once no serious errors appear, drop -g and start bind in the background with /usr/local/bind/sbin/named.
2. To start at boot, add /usr/local/bind/sbin/named to /etc/rc.d/rc.local.

Adding records manually

1. Add, delete or modify records directly in the zone file.
2. Run rndc reload <zone name> to reload the zone, e.g. rndc reload qbtop.com.

Notes

1. The master and the slave must be in the same time zone and their clocks must not differ by much.
2. Whenever the forward or reverse zone file on the master is modified, the corresponding serial must be updated (usually by increasing it; the master's serial must be greater than the slave's, otherwise the slave will not synchronize).
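Note 2 is where most master/slave sync failures come from, so here is an added example (not from the original post) that makes the rule concrete: serial_is_newer applies the RFC 1982 comparison a slave uses when it sees the master's SOA (modulo 2^32, so a wrapped serial still counts as newer), next_serial produces the next value in the YYYYMMDDnn convention used by the zone files above without ever going backwards, and bump_zone_serial rewrites the "; Serial" line in a zone file. The SOA text and TODAY (the page's date) are constructed inputs.

```python
import re
import datetime

# Constructed copy of the SOA header shared by both zone files above.
SOA_SNIPPET = """\
$TTL 3600
@ IN SOA ns1.qbtop.com. hostmaster.qbtop.com. (
2012022301  ; Serial
3600 ; Refresh
900 ; Retry
3600000 ; Expire
3600 ) ; Minimum
"""

TODAY = datetime.date(2016, 11, 17)   # the page's date; use datetime.date.today() in practice
SERIAL_RE = re.compile(r"^([ \t]*)(\d+)([ \t]*;[ \t]*Serial[ \t]*)$", re.MULTILINE)

def serial_is_newer(master, slave):
    """RFC 1982 serial comparison, which is what the slave applies to the master's SOA:
    True when master is 'greater' than slave modulo 2^32, i.e. a transfer will happen.
    Equal serials never trigger a transfer; a master more than 2^31 behind looks older."""
    if master == slave:
        return False
    diff = (master - slave) % (1 << 32)
    return 0 < diff < (1 << 31)

def next_serial(current, today):
    """Next serial in the YYYYMMDDnn convention: today's date with nn=01, or nn+1 when the
    zone was already edited today; if the current serial is somehow ahead of today's range,
    current+1 keeps it strictly increasing (the rule the slave actually cares about)."""
    base = int(today.strftime("%Y%m%d")) * 100
    new = max(base + 1, current + 1)
    assert serial_is_newer(new, current)
    return new

def bump_zone_serial(zone_text, today):
    """Rewrite the '; Serial' line of a zone file; returns (new_serial, new_text)."""
    m = SERIAL_RE.search(zone_text)
    if m is None:
        raise ValueError("no '; Serial' line found in zone text")
    new = next_serial(int(m.group(2)), today)
    return new, zone_text[: m.start(2)] + str(new) + zone_text[m.end(2):]
```

After writing the new text back, rndc reload <zone name> on the master makes it notify the slave, which then compares serials exactly as serial_is_newer does.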