本文共 3569 字,大约阅读时间需要 11 分钟。
0)下载bind软件包
1) 解压缩
tar -zxvf bind-9.3.P2.tar.gz –C /tmp (tar -xvf bind-9.3.P2.tar –C /tmp)
cd /tmp/bind-9.3.P2
2) 配置
./configure --prefix=/usr/local/webserver/bind
其他编译参数看自己需求
--with-openssl=no
--prefix:指定安装目录
--sysconfdir:设置named.conf配置文件放置的目录
--localstatdir:设置 run/named.pid 放置的目录
--with-libtool:将BIND的库文件编译为动态共享库文件,这个选项默认是未选择的。
--enable-threads:如果系统有多个CPU,那么可以使用这个选项打开线程支持以提高服务器性能
3) 编译安装
make;make install
4) 新建named用户
useradd -r named (-r是新建系统账户)
5) 添加环境变量
vim ~/.bash_profile
PATH=$PATH:$HOME/bin:/usr/local/webserver/bind/sbin:/usr/local/webserver/bind/bin
source ~/.bash_profile
6) 建立配置文件
cd /usr/local/webserver/bind
生成rndc控制命令的key文件(用于生成rndc使用的认证秘钥) 用BIND自带的rndc-confgen工具即可
/usr/local/webserver/bind/sbin/rndc-confgen > /usr/local/webserver/bind/etc/rndc.conf
# Start of rndc.conf
key "rndc-key” {
algorithm hmac-md5;
secret "grepF25jC4215m41WQsqKQ==“;
};
options {
default-key "rndc-key”;
default-server 127.0.0.1;
default-port 953;
};
# End of rndc.conf
# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# algorithm hmac-md5;
# secret "grepF25jC4215m41WQsqKQ==";
# };
#
# controls {
# inet 127.0.0.1 port 953
# allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
7) 从rndc.conf中提取named.conf用的key
#tail -10 /usr/local/webserver/bind/etc/rndc.conf | head -9 | sed s/#\ //g > /usr/local/webserver/bind/etc/named.conf
最终得到如下信息:
key "rndc-key" {
algorithm hmac-md5;
secret "grepF25jC4215m41WQsqKQ==";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
8) 配置named.conf加如下代码
vi /usr/local/webserver/bind/etc/named.conf(复制时候注意标点符号的中英文输入法)
添加如下信息:
options {
directory "/usr/local/webserver/bind/zone";
pid-file "named.pid";
};
zone "." IN {
type hint;
file "named.root";
};
//本地正向解析
zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};
//本地反向解析
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};
//本地test域解析
zone "test.com" IN {
type master;
file "test.zone";
allow-update { none; };
};
9) 配置zone文件
mkdir /usr/local/webserver/bind/zone && cd /usr/local/webserver/bind/zone
用dig命令直接生成named.root文件:
dig @a.root-servers.net > named.root
vim /usr/local/webserver/bind/zone/localhost.zone
$TTL 86400
$ORIGIN localhost.
@ 1D IN SOA @ root (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
1D IN NS @
1D IN A 127.0.0.1
vim /usr/local/webserver/bind/zone/named.local
$TTL 86400
@ IN SOA localhost. root.localhost. (
1997022700 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS localhost.
1 IN PTR localhost.
vim /usr/local/webserver/bind/zone/test.zone
$ttl 1D
@ IN SOA test.com. root.test.com. (
1053891162 ; Serial
3H; Refresh
15M;Retry
1W ; Expire
1D ); Minimum
IN NS ns.test.com.
IN MX 5 test.com.
IN A 3.3.3.3
ns IN A 1.2.3.4
www IN A 220.202.19.82
10) 目录文件权限
/usr/local/webserver/bind/*
【755的权限】【named用户和组】
11) 特殊文件配置权限
/usr/local/webserver/bind/zone/* /usr/local/webserver/bind/etc/*
【640的权限】【named用户和组】
因为是将秘钥(也就是密码)放在named.conf和rndc.conf中,所以要确保无权控制名称服务器的用户都无法读取这两个文件
12)验证配置文件和zone文件(这两条命令都没有错的时候就是Ok了)
/usr/local/webserver/bind/sbin/named-checkconf /usr/local/webserver/bind/etc/named.conf
/usr/local/webserver/bind/sbin/named-checkzone test.com /usr/local/webserver/bind/zone/test.zone
13) 启动bind
/usr/local/webserver/bind/sbin/named -g(可以查看错误)
/usr/local/webserver/bind/sbin/named -c /usr/local/webserver/bind/etc/named.conf & -u named
14) 验证域名解析是否成功
dig @127.0.0.1