  • [Repost] Configuring a master/slave BIND DNS server on CentOS 8 / RHEL 8

    Reposted from:

    https://zh.codepre.com/centos-2700.html

    Introduction

    This guide describes the steps needed to configure a BIND DNS server on CentOS 8 / RHEL 8 Linux, setting up a master/slave BIND DNS on CentOS 8 / RHEL 8. The Domain Name System is a naming system for computers, services, or other resources connected to the Internet or a private network (Wikipedia). It acts as the phone book of the Internet, providing addresses for all the computers associated with an FQDN.

    As part of the application layer of the TCP/IP reference model, DNS is essential to the day-to-day operation of computers worldwide. We will install an authoritative BIND DNS master and slave on CentOS 8, configure PTR records, add A/AAAA records, and more.

    For Windows users: Install and configure a DNS server on Windows Server 2019

    Install the BIND DNS server on CentOS 8 / RHEL 8

    Run the following command to install the BIND DNS server packages on a CentOS 8 / RHEL 8 Linux server.

    $ dnf -y install bind bind-utils vim
    CentOS-8 - AppStream                                   1.3 kB/s | 4.3 kB     00:03    
    CentOS-8 - Base                                        1.2 kB/s | 3.9 kB     00:03    
    CentOS-8 - Extras                                      467  B/s | 1.5 kB     00:03    
    Dependencies resolved

    This setup keeps SELinux in enforcing mode.

    $ getenforce
    Enforcing
    The reason for this is explained by Red Hat:
    SELinux helps mitigate the damage made by configuration mistakes. Domain Name System (DNS) servers often replicate information between each other in what is known as a zone transfer. Attackers can use zone transfers to update DNS servers with false information. When running the Berkeley Internet Name Domain (BIND) as a DNS server in Red Hat Enterprise Linux, even if an administrator forgets to limit which servers can perform a zone transfer, the default SELinux policy prevents zone files from being updated using zone transfers, by the BIND named daemon itself, and by other processes  (Source: RedHat). 

    Configure the BIND DNS authoritative server on CentOS 8 / RHEL 8

    Configure the BIND DNS authoritative server. Open the configuration file /etc/named.conf.

    The DNS server has the following settings:

    • computingforgeeks.com - zone (domain name)
    • 192.168.154.0 - hosted subnet
    • 192.168.154.94 - slave server IP
    • 192.168.154.88 - master server IP

    The named.conf configuration file is as follows:

    $ sudo vim /etc/named.conf
    //
    // named.conf
    //
    // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
    // server as a caching only nameserver (as a localhost DNS resolver only).
    //
    // See /usr/share/doc/bind*/sample/ for example named configuration files.
    //
     
    options {
             listen-on port 53 { any; }; ## Listen on any since it is an authoritative DNS Publicly available. 
             listen-on-v6 port 53 { any; }; ## You can also set the same for IPv6
             directory       "/var/named";
             dump-file       "/var/named/data/cache_dump.db";
             statistics-file "/var/named/data/named_stats.txt";
             memstatistics-file "/var/named/data/named_mem_stats.txt";
             secroots-file   "/var/named/data/named.secroots";
             recursing-file  "/var/named/data/named.recursing";
             ## Since this will be an authoritative Nameserver, allow query from any host
             allow-query     { any; };
             allow-transfer  { 192.168.154.94; };

             /*
              - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
              - If you are building a RECURSIVE (caching) DNS server, you need to enable
                recursion.
              - If your recursive DNS server has a public IP address, you MUST enable access
                control to limit queries to your legitimate users. Failing to do so will
                cause your server to become part of large scale DNS amplification
                attacks. Implementing BCP38 within your network would greatly
                reduce such attack surface.
             */
             recursion no; ## Following Advice from above.
             dnssec-enable yes;
             dnssec-validation yes;
             managed-keys-directory "/var/named/dynamic";
             pid-file "/run/named/named.pid";
             session-keyfile "/run/named/session.key";

             /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
             include "/etc/crypto-policies/back-ends/bind.config";
    };
     
    
    logging {
             channel default_debug {
                     file "data/named.run";
                     severity dynamic;
             };
    };
    
    zone "." IN {
             type hint;
             file "named.ca";
    };
    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";
    
    ## Set your ZONE details as shown below for different domains. Set the forward and reverse details. You can set the names of files as you like
     
    zone "computingforgeeks.com" IN {
            type master;
            file "computingforgeeks.forward";
            allow-update { none; };
    };
    
    ## Make sure you follow the rule for reverse zone (154.168.192.in-addr.arpa). [If your IP is 192.168.10.10, It will be 10.168.192.in-addr.arpa]
     
    zone "154.168.192.in-addr.arpa" IN {
            type master;
            file "computingforgeeks.reverse";
            allow-update { none; };
    };

    The master server is 192.168.154.88. Note that this is an authoritative DNS server, so the IP must be a public IP.

    Create the zone files

    After defining the files in named.conf, you need to create the zone files and place all the other records (A/AAAA, MX, PTR, and so on) in them. Create the files in the /var/named/ directory.

    $ sudo vim /var/named/computingforgeeks.forward

    $TTL 86400
    @   IN  SOA     dns1.computingforgeeks.com. root.computingforgeeks.com. (
             ; You can use any numerical value for the serial number, but [YYYYMMDDnn] is recommended
             2019112201  ;Serial
             3600        ;Refresh
             1800        ;Retry
             604800      ;Expire
             86400       ;Minimum TTL
    )
             ; Set your Name Servers here
             IN  NS      dns1.computingforgeeks.com.
             IN  NS      dns2.computingforgeeks.com.
             ; define Name Server's IP address
             IN  A       192.168.154.88
             ; Set your Mail Exchanger (MX) Server here
             IN  MX 10   dns1.computingforgeeks.com.

    ; Set each IP address of a hostname. Sample A records.
    dns1     IN  A       192.168.154.88
    dns2     IN  A       192.168.154.94
    mail1    IN  A       192.168.154.97

    Create the reverse records for the same domain defined in the named.conf configuration file.

    $ sudo vim /var/named/computingforgeeks.reverse

    $TTL 86400
    @   IN  SOA     dns1.computingforgeeks.com. root.computingforgeeks.com. (
             2019112201  ;Serial
             3600        ;Refresh
             1800        ;Retry
             604800      ;Expire
             86400       ;Minimum TTL
    )
             ; Set Name Server
             IN  NS      dns1.computingforgeeks.com.
    ; Set each IP address of a hostname. Sample PTR records.
    88      IN  PTR     dns1.computingforgeeks.com.
    94      IN  PTR     dns2.computingforgeeks.com.
    97      IN  PTR     mail1.computingforgeeks.com.
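    Zone files use master-file syntax, where comments begin with ';'. The following added example (not part of the original guide) parses the guide's forward zone, folds the multi-line SOA, rejects '#' comment lines that named-checkzone would not accept, and derives the reverse zone name and PTR records from the A records, the consistency check worth running before loading both files; the sample zone text is constructed from the guide's records.

```python
import re

# Constructed sample: the guide's forward zone in RFC 1035 master-file syntax ('#' is not a comment there).
FORWARD_ZONE = """
$TTL 86400
@   IN  SOA  dns1.computingforgeeks.com. root.computingforgeeks.com. (
        2019112201  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
        IN  NS   dns1.computingforgeeks.com.
        IN  NS   dns2.computingforgeeks.com.
        IN  A    192.168.154.88
dns1    IN  A    192.168.154.88
dns2    IN  A    192.168.154.94
mail1   IN  A    192.168.154.97
"""

def parse_zone(text):
    """Return (SOA serial, [(owner, type, rdata)]); '#' comment lines are rejected."""
    kept = []
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            raise ValueError("'#' is not a comment in zone files; use ';'")
        kept.append(raw.split(";", 1)[0].rstrip())        # strip ';' comments
    # Fold the parenthesised multi-line SOA onto one line, then walk the records.
    folded = re.sub(r"\([^)]*\)", lambda m: " ".join(m.group(0)[1:-1].split()),
                    "\n".join(kept))
    records, owner, serial = [], "@", None
    for line in folded.splitlines():
        if not line.strip() or line.startswith("$"):
            continue                         # blank line or $TTL directive
        if not line[0].isspace():            # explicit owner; otherwise inherit it
            owner, line = line.split(None, 1)
        fields = line.split()                # the IN class is optional per record
        rtype, rdata = (fields[1], fields[2:]) if fields[0] == "IN" else (fields[0], fields[1:])
        if rtype == "SOA":
            serial = int(rdata[2])           # MNAME RNAME SERIAL REFRESH RETRY ...
        records.append((owner, rtype, " ".join(rdata)))
    return serial, records

def reverse_zone(records, network, origin):
    """in-addr.arpa zone name and PTR records for a /24: 192.168.154.0 -> 154.168.192.in-addr.arpa."""
    o1, o2, o3, _ = network.split(".")
    ptrs = [(rdata.rsplit(".", 1)[1], f"{owner}.{origin}")
            for owner, rtype, rdata in records
            if rtype == "A" and owner != "@" and rdata.startswith(f"{o1}.{o2}.{o3}.")]
    return f"{o3}.{o2}.{o1}.in-addr.arpa", ptrs
```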

    Change the DNS settings on the master server

    Set the new DNS server as the default name server. Open the file /etc/resolv.conf and add the following line, replacing the IP according to your environment.

    $ sudo vim /etc/resolv.conf  
    nameserver 192.168.154.88

    Allow the DNS service through the firewall

    Configure the firewall to allow the DNS service.

    sudo firewall-cmd --add-service=dns --permanent
    sudo firewall-cmd --reload

    Check that the configuration is correct, then start and enable BIND.

    sudo named-checkconf
    sudo systemctl start named
    sudo systemctl enable named

    The work on the BIND master DNS server is complete. Let's move on to configuring the slave server.

    Slave DNS server configuration - 192.168.154.94

    On the slave server, install bind and bind-utils.

    sudo dnf -y install bind bind-utils vim

    Configure the slave server. Open /etc/named.conf and edit it accordingly.

    $ sudo vim /etc/named.conf
    //
    // named.conf
    // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
    // server as a caching only nameserver (as a localhost DNS resolver only).
    // See /usr/share/doc/bind*/sample/ for example named configuration files.
    // See the BIND Administrator's Reference Manual (ARM) for details about the
    // configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
    
    options {
             listen-on port 53 { any; };
             listen-on-v6 port 53 { any; };
             directory       "/var/named";
             dump-file       "/var/named/data/cache_dump.db";
             statistics-file "/var/named/data/named_stats.txt";
             memstatistics-file "/var/named/data/named_mem_stats.txt";
             recursing-file  "/var/named/data/named.recursing";
             secroots-file   "/var/named/data/named.secroots";
             allow-query     { any; }; ## Allows hosts to query Slave DNS
             allow-transfer  { none; }; ## Disable zone transfer

             /*
              - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
              - If you are building a RECURSIVE (caching) DNS server, you need to enable
                recursion.
              - If your recursive DNS server has a public IP address, you MUST enable access
                control to limit queries to your legitimate users. Failing to do so will
                cause your server to become part of large scale DNS amplification
                attacks. Implementing BCP38 within your network would greatly
                reduce such attack surface
             */
             ## Since this is a slave, lets allow recursion.
             recursion yes;
             dnssec-enable yes;
             dnssec-validation yes;
             /* Path to ISC DLV key */
             bindkeys-file "/etc/named.root.key";
             managed-keys-directory "/var/named/dynamic";
             pid-file "/run/named/named.pid";
             session-keyfile "/run/named/session.key";
    };
    
    logging {
             channel default_debug {
                     file "data/named.run";
                     severity dynamic;
             };
    };
    
    zone "." IN {
             type hint;
             file "named.ca";
    };
    
    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";
    
    ## Let us create zone definitions for both forward and reverse dns lookups.
    # The files will be created automatically on the slave.
    
    zone "computingforgeeks.com" IN {
             type slave;
             file "slaves/computingforgeeks.forward";
             masters { 192.168.154.88; }; ## Master server it is receiving DNS Records from
    };
    
    zone  "154.168.192.in-addr.arpa" IN {
             type slave;
             file "slaves/computingforgeeks.reverse";
             masters { 192.168.154.88; }; ## Master server it is receiving DNS Records from
    };
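    As an added check (not part of the original guide), the following Python audit applies the hardening points stated in the master and slave named.conf files above: the master limits allow-transfer to the slave, the slave sets allow-transfer { none; }, and recursion must not be reachable from anyone. It is a regex reader for the few statements it needs rather than a full named.conf parser, and the two configuration samples are constructed by condensing the guide's files; because BIND derives allow-recursion from allow-query when it is not set, the slave's recursion yes together with allow-query { any; } is reported.

```python
import re

# Constructed samples, condensed from the guide's master and slave /etc/named.conf.
MASTER_CONF = """
options {
    allow-query     { any; };
    allow-transfer  { 192.168.154.94; };
    recursion no;
};
zone "computingforgeeks.com" IN { type master; file "computingforgeeks.forward"; allow-update { none; }; };
"""
SLAVE_CONF = """
options {
    allow-query     { any; }; ## Allows hosts to query Slave DNS
    allow-transfer  { none; }; ## Disable zone transfer
    recursion yes;
};
zone "computingforgeeks.com" IN { type slave; file "slaves/computingforgeeks.forward"; masters { 192.168.154.88; }; };
"""

def option(conf, name):
    """Value of a global option as a list (e.g. ['192.168.154.94']), or None if absent."""
    m = re.search(r"(?<![\w-])%s(?![\w-])\s*(\{[^}]*\}|[^;{]+);" % re.escape(name), conf)
    return [v.strip() for v in m.group(1).strip("{} \n").split(";") if v.strip()] if m else None

def zones(conf):
    """[(name, type, masters)] for each zone statement; masters is None on a master zone."""
    out = []
    for m in re.finditer(r'zone\s+"([^"]+)"[^{]*\{((?:[^{}]|\{[^{}]*\})*)\}', conf):
        body = m.group(2)
        masters = re.search(r"\bmasters\s*\{([^}]*)\}", body)
        out.append((m.group(1), re.search(r"\btype\s+(\w+);", body).group(1),
                    masters.group(1).strip(" ;\n") if masters else None))
    return out

def audit(conf, role):
    """Findings for a 'master' or 'slave' named.conf, against the guide's own hardening notes."""
    conf = re.sub(r"(//|#).*", "", re.sub(r"/\*.*?\*/", "", conf, flags=re.S))  # drop comments
    findings, xfer = [], option(conf, "allow-transfer")
    # allow-recursion falls back to allow-query when unset, so 'any' there opens recursion to all.
    if option(conf, "recursion") == ["yes"] and (
            option(conf, "allow-recursion") or option(conf, "allow-query")) == ["any"]:
        findings.append("open resolver: recursion reachable from anyone (amplification risk)")
    if role == "master" and (xfer is None or "any" in xfer):   # BIND's default allows anyone
        findings.append("allow-transfer is not limited to the slave")
    if role == "slave" and xfer != ["none"]:
        findings.append("slave should set allow-transfer { none; }")
    for name, ztype, masters in zones(conf):
        if ztype == "slave" and not masters:
            findings.append(f"zone {name}: slave zone without masters")
    return findings
```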

    Change the DNS settings on the slave server

    Set the new DNS servers (master and slave) as the default name servers. Open the file /etc/resolv.conf and add the following lines, replacing the IPs according to your environment.

    $ sudo vim /etc/resolv.conf
    nameserver 192.168.154.88
    nameserver 192.168.154.94

    Check that the configuration is correct, then start and enable BIND.

    sudo named-checkconf
    sudo systemctl start named
    sudo systemctl enable named

    Make sure the zone files are being transferred from the master into the /var/named/slaves directory.

    $ ll /var/named/slaves/
    total 12
    -rw-r--r-- 1 named named 480 Nov 23 14:16 computingforgeeks.forward
    -rw-r--r-- 1 named named 492 Nov 23 14:45 computingforgeeks.reverse

    Proof that DNS works

    Test whether the DNS server resolves names. Use a Windows computer to test the BIND DNS server.

    Change the network details in Windows as shown below so that the new DNS server is reflected in the DNS settings.

    Open PowerShell or a command prompt and type nslookup to test the DNS service.


    And BIND DNS works! If you are on a Linux client machine, edit the /etc/hosts file to change the DNS configuration settings.

    Conclusion

    Your BIND DNS master and slave servers are now working. I hope this guide was thorough and useful for you. Thank you for reading.

  • Original article: https://www.cnblogs.com/wangshuyang/p/13323510.html