CentOS7 安装配置DNS服务器

一、安装

yum install bind

二、配置

1. /etc/named.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { 0.0.0.0/0; };

/* 
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable 
recursion. 
- If your recursive DNS server has a public IP address, you MUST enable access 
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification 
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface 
*/
recursion yes;

dnssec-enable yes;
dnssec-validation yes;

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";

managed-keys-directory "/var/named/dynamic";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};

logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};

zone "." IN {
type hint;
file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

配置说明

a. 第13行：启动监听地址，默认启动在localhost上，需要修改为监听所有的地址。修改为{ any; }
b. 第19行：允许查询的地址和端口，默认是本地查询，需要修改为允许任意地址。修改为 { 0.0.0.0/0; }
c. 第57行，引出了另外一个配置/etc/named.rfc1912.zones
d. 第15行，引出了一个域名信息配置文件目录/var/named

2. /etc/named.rfc1912.zones

// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package 
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
// 
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};

zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};

zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};

//vvtest.com 正向配置
zone "vvtest.com" IN {
type master;
file "named.vvtest.com";
allow-update { none; };
};
//vvtest.com 逆向配置
zone "25.168.192.in-addr.arpa" IN {
type master;
file "192.168.25.arpa";
allow-update { none; };
};

配置说明：

a. 第43~48行，添加域名的正向配置
b. 第50~54行，添加域名的逆向配置
c. 第46行，引出了配置文件named.vvtest.com
d. 第52行，引出了配置文件192.168.25.arpa
e. c和d中的配置文件目录为/var/named（由named.conf配置的）

3. /var/named/named.vvtest.com

$TTL 1D
@    IN SOA    vvtest.com. rname.invalid. (
0    ; serial
1D    ; refresh
1H    ; retry
1W    ; expire
3H )    ; minimum
NS    @
A    127.0.0.1
AAAA    ::1
www IN A 192.168.25.128
mail IN A 192.168.25.128

配置说明：

a. 第2行，是【vvtest.com.】，最后又一个【.】
b. 第11行，配置的是域名www.vvtest.com，服务器地址是192.168.25.128
c. 第12行，配置的是域名mail.vvtest.com，服务器地址是192.168.25.128

4. /var/named/192.168.25.arpa

$TTL 1D
@ IN SOA vvtest.com. rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS @
AAAA ::1
128 PTR www.vvtest.com.

三、测试

1. 启动systemctl start named或者service named start
2. 配置测试机的DNS1服务器地址为192.168.25.128
3. 从测试机上执行ping www.vvtest.com，如果有收到ping包，恭喜你。

附、一个个人遇到的纠结无比的问题

1. 服务器启动，无法Ping通。
2. 花了大量的时间在反复检查所有的配置文件及选项，确保每一个字符都是一样的。
3. 看了日志才发现是读取配置文件的时候，permission denied。
4. chown -R root.named 权限不对的文件（named.vvtest.com和192.168.25.arpa）
5. 论日志的重要性！没有日志，就是抓虾~