Configuring the domain Primary DNS server

Source: Internet
Author: User
Tags: gpg, mx record, nameserver

1. Types of DNS server

Primary DNS server (master)

A domain's master server holds the zone configuration file for that domain, and all configuration and changes are made on this server. This essay explains how to configure a domain's primary DNS server.

Secondary DNS server (slave)

A domain's slave server is generally used for redundancy and load sharing. It obtains (transfers) the zone configuration from the master server and makes no changes of its own: the zone file can only be modified on the primary DNS server, and every modification is synchronized from the primary to the slave.

Caching-only server

A caching-only DNS server has no zone files of its own and serves clients purely from its cache; it is typically used for load balancing and to speed up name resolution.

2. Installing BIND

There are many DNS server programs available, but by far the most widely used is BIND (Berkeley Internet Name Domain), originally developed by a student at Berkeley. The current major release is version 9, which is written and maintained by ISC.

BIND supports all major operating systems on the market, including Linux, Windows and Mac OS.

CentOS does not install BIND by default, so we install it manually, here using yum:

[[email protected] ~]# yum install -y bind bind-chroot bind-utils
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
 * base: mirrors.stuhome.net
 * extras: mirrors.stuhome.net
 * updates: mirrors.stuhome.net
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package bind.x86_64 32:9.8.2-0.17.rc1.el6_4.4 will be installed
--> Processing Dependency: bind-libs = 32:9.8.2-0.17.rc1.el6_4.4 for package: 32:bind-9.8.2-0.17.rc1.el6_4.4.x86_64
---> Package bind-chroot.x86_64 32:9.8.2-0.17.rc1.el6_4.4 will be installed
---> Package bind-utils.x86_64 32:9.8.2-0.17.rc1.el6 will be updated
---> Package bind-utils.x86_64 32:9.8.2-0.17.rc1.el6_4.4 will be an update
--> Running transaction check
---> Package bind-libs.x86_64 32:9.8.2-0.17.rc1.el6 will be updated
---> Package bind-libs.x86_64 32:9.8.2-0.17.rc1.el6_4.4 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package         Arch        Version                        Repository     Size
================================================================================
Installing:
 bind            x86_64      32:9.8.2-0.17.rc1.el6_4.4      updates       4.0 M
 bind-chroot     x86_64      32:9.8.2-0.17.rc1.el6_4.4      updates
Updating:
 bind-utils      x86_64      32:9.8.2-0.17.rc1.el6_4.4      updates       182 k
Updating for dependencies:
 bind-libs       x86_64      32:9.8.2-0.17.rc1.el6_4.4      updates       878 k

Transaction Summary
================================================================================
Install       2 Package(s)
Upgrade       2 Package(s)

Total download size: 5.1 M
Downloading Packages:
(1/4): bind-9.8.2-0.17.rc1.el6_4.4.x86_64.rpm              | 4.0 MB     00:01
(2/4): bind-chroot-9.8.2-0.17.rc1.el6_4.4.x86_64.rpm       |            00:00
(3/4): bind-libs-9.8.2-0.17.rc1.el6_4.4.x86_64.rpm         | 878 kB     00:00
(4/4): bind-utils-9.8.2-0.17.rc1.el6_4.4.x86_64.rpm        | 182 kB     00:00
--------------------------------------------------------------------------------
Total                                             1.4 MB/s | 5.1 MB     00:03
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
Importing GPG key 0xC105B9DE:
 Userid : CentOS-6 Key (CentOS 6 Official Signing Key) <[email protected]>
 Package: centos-release-6-4.el6.centos.10.x86_64 (@anaconda-CentOS-201303020151.x86_64/6.4)
 From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : 32:bind-libs-9.8.2-0.17.rc1.el6_4.4.x86_64                  1/6
  Installing : 32:bind-9.8.2-0.17.rc1.el6_4.4.x86_64                       2/6
  Installing : 32:bind-chroot-9.8.2-0.17.rc1.el6_4.4.x86_64                3/6
  Updating   : 32:bind-utils-9.8.2-0.17.rc1.el6_4.4.x86_64                 4/6
  Cleanup    : 32:bind-utils-9.8.2-0.17.rc1.el6.x86_64                     5/6
  Cleanup    : 32:bind-libs-9.8.2-0.17.rc1.el6.x86_64                      6/6
  Verifying  : 32:bind-libs-9.8.2-0.17.rc1.el6_4.4.x86_64                  1/6
  Verifying  : 32:bind-chroot-9.8.2-0.17.rc1.el6_4.4.x86_64                2/6
  Verifying  : 32:bind-9.8.2-0.17.rc1.el6_4.4.x86_64                       3/6
  Verifying  : 32:bind-utils-9.8.2-0.17.rc1.el6_4.4.x86_64                 4/6
  Verifying  : 32:bind-utils-9.8.2-0.17.rc1.el6.x86_64                     5/6
  Verifying  : 32:bind-libs-9.8.2-0.17.rc1.el6.x86_64                      6/6

Installed:
  bind.x86_64 32:9.8.2-0.17.rc1.el6_4.4    bind-chroot.x86_64 32:9.8.2-0.17.rc1.el6_4.4

Updated:
  bind-utils.x86_64 32:9.8.2-0.17.rc1.el6_4.4

Dependency Updated:
  bind-libs.x86_64 32:9.8.2-0.17.rc1.el6_4.4

Complete!

We installed three packages: bind, the main BIND program; bind-chroot; and bind-utils. The latter two are generally installed together with BIND, since they provide the BIND utilities and the pseudo-root (chroot) environment, so we installed all three at once.

The service name of BIND is named. Because BIND provides the DNS service, whose default transports are TCP and UDP, the named service listens on two ports after startup: 53 (domain) and 953 (rndc, the remote control channel).

3. BIND configuration files

After installing BIND, its configuration files are normally found in two locations:

/etc/named.conf - main configuration file of the BIND service

/var/named/ - directory holding the domain zone files

If we also install the bind-chroot package, however, the location of BIND's configuration changes: the configuration is enclosed in a pseudo-root directory, and the files are then found at:

/var/named/chroot/etc/named.conf - main configuration file of the BIND service

/var/named/chroot/var/named - directory holding the domain zone files

Why does the location of BIND's main configuration file change once bind-chroot is installed? This is where the idea of a pseudo-root comes in. chroot confines a program by placing the files it needs under a pseudo-root directory, which serves as a security protection: if the program is compromised, the attacker can only reach the contents of the pseudo-root directory, not the real root directory. On Linux the real root directory is /; when a service is installed together with its chroot package, the service's configuration files are placed under the pseudo-root, in a directory layout mirroring the one the service would normally use. /var/named/chroot is clearly not the system's root directory, but with bind-chroot installed the named service treats /var/named/chroot as its own root directory, so the real root directory stays protected. For this reason it is recommended to install the chroot package alongside any network service you install. For more on chroot, see the article Understanding Chroot.

Unlike other services, BIND does not ship a ready-made configuration file after installation. Services such as Samba or httpd have configuration files in their directories right after installation, but BIND does not, so what do we do? After installing BIND, its documentation is saved under /usr/share/doc, and the directory /usr/share/doc/bind-9.8.2/ contains BIND configuration file templates. We just need to copy them into the pseudo-root directory:

[[email protected] ~]# cd /usr/share/doc/bind-9.8.2/sample/
[[email protected] sample]# ls
etc  var

There are two folders in the sample directory, etc and var; we copy both across:

[[email protected] ~]# cp -rv /usr/share/doc/bind-9.8.2/sample/etc/* /var/named/chroot/etc/
`/usr/share/doc/bind-9.8.2/sample/etc/named.conf' -> `/var/named/chroot/etc/named.conf'
`/usr/share/doc/bind-9.8.2/sample/etc/named.rfc1912.zones' -> `/var/named/chroot/etc/named.rfc1912.zones'
[[email protected] ~]# cp -rv /usr/share/doc/bind-9.8.2/sample/var/* /var/named/chroot/var/
`/usr/share/doc/bind-9.8.2/sample/var/named/named.loopback' -> `/var/named/chroot/var/named/named.loopback'
`/usr/share/doc/bind-9.8.2/sample/var/named/named.ca' -> `/var/named/chroot/var/named/named.ca'
`/usr/share/doc/bind-9.8.2/sample/var/named/named.empty' -> `/var/named/chroot/var/named/named.empty'
`/usr/share/doc/bind-9.8.2/sample/var/named/slaves' -> `/var/named/chroot/var/named/slaves'
`/usr/share/doc/bind-9.8.2/sample/var/named/slaves/my.slave.internal.zone.db' -> `/var/named/chroot/var/named/slaves/my.slave.internal.zone.db'
`/usr/share/doc/bind-9.8.2/sample/var/named/slaves/my.ddns.internal.zone.db' -> `/var/named/chroot/var/named/slaves/my.ddns.internal.zone.db'
`/usr/share/doc/bind-9.8.2/sample/var/named/named.localhost' -> `/var/named/chroot/var/named/named.localhost'
`/usr/share/doc/bind-9.8.2/sample/var/named/my.internal.zone.db' -> `/var/named/chroot/var/named/my.internal.zone.db'
`/usr/share/doc/bind-9.8.2/sample/var/named/my.external.zone.db' -> `/var/named/chroot/var/named/my.external.zone.db'
`/usr/share/doc/bind-9.8.2/sample/var/named/data' -> `/var/named/chroot/var/named/data'

We now have the configuration templates under the pseudo-root. Let us first look at the main configuration file, named.conf. The template has a great many lines because it lists every possible situation, but we do not actually use most of them. Here we keep only the most basic lines; our minimal named.conf is as follows:

[[email protected] etc]# vim named.conf
/*
 Sample named.conf BIND DNS server 'named' configuration file
 for the Red Hat BIND distribution.

 See the BIND Administrator's Reference Manual (ARM) for details, in:
   file:///usr/share/doc/bind-{version}/arm/Bv9ARM.html
 Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
 its manual.
*/
options
{
        // Put files that named is allowed to write in the data/ directory:
        directory               "/var/named";           // "Working" directory
//      listen-on port 53       { any; };
        listen-on port 53       { 127.0.0.1; };
//      listen-on-v6 port 53    { any; };
        listen-on-v6 port 53    { ::1; };
};

This is our minimal named.conf: it specifies the working directory of named and the IPv4 and IPv6 ports and addresses it listens on.

4. Configuring the domain primary DNS server

Now that we know the BIND service's configuration files and working directory, we can begin configuring our own domain's master DNS server.

A domain's primary server (master) is the authoritative server for that domain: all information about the domain is controlled by its primary server. Configuring a primary server for a domain typically requires the following steps:

(As an example, I will now configure a primary DNS server for the cnblogs.com domain.)

① Add the definition of the domain to BIND's main configuration file

First we need to add a definition of this domain to named.conf: at the bottom of the named.conf file we add a zone definition for cnblogs.com:

zone "cnblogs.com" {
        type master;
        file "cnblogs.com.zone";
};

Every statement, including the closing brace of the zone block, must be terminated with a semicolon.

[[email protected] etc]# vim named.conf
/*
 Sample named.conf BIND DNS server 'named' configuration file
 for the Red Hat BIND distribution.

 See the BIND Administrator's Reference Manual (ARM) for details, in:
   file:///usr/share/doc/bind-{version}/arm/Bv9ARM.html
 Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
 its manual.
*/
options
{
        // Put files that named is allowed to write in the data/ directory:
        directory               "/var/named";           // "Working" directory
//      listen-on port 53       { any; };
        listen-on port 53       { 127.0.0.1; };
//      listen-on-v6 port 53    { any; };
        listen-on-v6 port 53    { ::1; };
};

zone "cnblogs.com" {                    // the domain name we want to configure
        type master;                    // this server is the master DNS server for the domain
        file "cnblogs.com.zone";        // the zone file for the domain, usually named <domain>.zone
};

Our named.conf now defines the cnblogs.com domain.

② Create the zone file for this domain in /var/named/chroot/var/named

Because the zone file format is quite complex (it contains the SOA parameters used for synchronization with the domain's slave servers as well as the resource records), it is not easy to write by hand, so we usually use the default named.localhost file as a template for the zone file. We only need to copy it:

[[email protected] etc]# cd /var/named/chroot/var/named/
[[email protected] named]# ls
data                 my.internal.zone.db  named.empty      named.loopback
my.external.zone.db  named.ca             named.localhost  slaves
[[email protected] named]# cp named.localhost cnblogs.com.zone
[[email protected] named]# ls
cnblogs.com.zone  my.external.zone.db  named.ca     named.localhost  slaves
data              my.internal.zone.db  named.empty  named.loopback

We now have a file called cnblogs.com.zone in the named directory. Its name must match the file name specified in the zone definition in the previous step.

③ Edit the zone file and add the information we need

Now we can edit cnblogs.com.zone and add the records we need:

$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1
        AAAA    ::1
        IN      MX      10      mail.cnblogs.com.       ; mail record for the domain; the trailing dot after the name is required, otherwise the origin is appended to it
www     IN      A       192.168.1.111   ; add a www resource record with IP address 192.168.1.111
mail    IN      A       192.168.1.222   ; add a mail resource record with IP address 192.168.1.222

Note: the MX record must be defined before the other resource records (www, mail), otherwise it will not resolve successfully. The reason is that the MX line carries no owner name, so it inherits the owner of the preceding record; placed while the owner is still @ it belongs to cnblogs.com, but placed after the www line it would belong to www.cnblogs.com. The domain name after MX must also be written in full, including the trailing dot.

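To make the two rules in the note concrete, here is an added example (not part of the original post) in Python: a small model of how named reads record lines, applying owner inheritance and the trailing-dot rule to two constructed zones, one with the MX placed after www and without the dot, one written as the page recommends. It assumes a simplified single-line SOA and only the record types used on this page.

```python
# Simplified model of how named reads the record lines of a zone file:
# an owner-less line inherits the previous owner, "@" means the origin,
# and a name without a trailing dot gets the origin appended.
# Both zones below are constructed samples (not the page's files); the SOA
# is on one line because this small parser does not handle parentheses
# spanning several lines.
ORIGIN = "cnblogs.com."

BAD_ZONE = """\
$TTL 1D
@    IN SOA @ rname.invalid. ( 0 1D 1H 1W 3H )
     NS   @
     A    127.0.0.1
www  IN A    192.168.1.111
     IN MX   10 mail.cnblogs.com     ; placed after www, trailing dot missing
mail IN A    192.168.1.222
"""

GOOD_ZONE = """\
$TTL 1D
@    IN SOA @ rname.invalid. ( 0 1D 1H 1W 3H )
     NS   @
     A    127.0.0.1
     IN MX   10 mail.cnblogs.com.    ; still owned by @, absolute target
www  IN A    192.168.1.111
mail IN A    192.168.1.222
"""

def absolute(name, origin=ORIGIN):
    """Apply the zone-file name rules to an owner or target name."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"

def parse_zone(text, origin=ORIGIN):
    """Return (owner, type, rdata) triples with all names made absolute."""
    records, owner = [], None
    for raw in text.splitlines():
        line = raw.split(";")[0].rstrip()        # strip comments
        if not line or line.startswith("$"):
            continue                             # skip blanks and $TTL
        if line[0].isspace():
            fields = line.split()                # no owner: inherit previous
        else:
            first, *fields = line.split()
            owner = absolute(first, origin)
        if fields[0] == "IN":
            fields = fields[1:]                  # the class field is optional
        rtype, rdata = fields[0], fields[1:]
        if rtype == "SOA":
            continue                             # SOA timers are not checked here
        if rtype == "MX":
            rdata = (int(rdata[0]), absolute(rdata[1], origin))
        elif rtype == "NS":
            rdata = absolute(rdata[0], origin)
        else:
            rdata = rdata[0]                     # A / AAAA address
        records.append((owner, rtype, rdata))
    return records

def lint_mx(records, origin=ORIGIN):
    """Report the two mistakes the note above warns about."""
    problems = []
    mx = [r for r in records if r[1] == "MX"]
    if not any(owner == origin for owner, _, _ in mx):
        problems.append(f"no MX record at the zone apex {origin}")
    hosts = {owner for owner, rtype, _ in records if rtype in ("A", "AAAA")}
    for owner, _, (_, target) in mx:
        if owner != origin:
            problems.append(f"MX attached to {owner} instead of {origin}")
        if target not in hosts:
            problems.append(f"MX target {target} has no A/AAAA record")
    return problems
```

lint_mx(parse_zone(BAD_ZONE)) reports that the MX landed on www.cnblogs.com. and that its target became mail.cnblogs.com.cnblogs.com., while the good zone produces no findings.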
Once it is configured, make sure the zone file is readable (r permission) by the user the service runs as; the file is owned by root, but named does not run as root:

[[email protected] named]# ls -l
total 36
-rw-r--r--. 1 root root  228 June  6 01:10 cnblogs.com.zone
drwxr-xr-x. 2 root root 4096 June  6 00:11 data
-rw-r--r--. 1 root root      June  6 00:11 my.external.zone.db
-rw-r--r--. 1 root root      June  6 00:11 my.internal.zone.db
-rw-r--r--. 1 root root 1892 June  6 00:11 named.ca
-rw-r--r--. 1 root root      June  6 00:11 named.empty
-rw-r--r--. 1 root root      June  6 00:11 named.localhost
-rw-r--r--. 1 root root  168 June  6 00:11 named.loopback
drwxr-xr-x. 2 root root 4096 June  6 00:11 slaves

Because the DNS service is a network service, and, as mentioned earlier about SELinux, CentOS uses the targeted policy by default (which confines the targeted network-facing processes), for convenience we set SELinux to permissive here. Note that setenforce 0 only lasts until the next reboot, and it relaxes confinement for every service on the host, not just named.

[[email protected] named]# getenforce
Enforcing
[[email protected] named]# setenforce 0
[[email protected] named]# getenforce
Permissive

④ Start the BIND service (or, if it is already running, reload it with the reload command)

[[email protected] named]# service named start
Generating /etc/rndc.key:                                  [  OK  ]
Starting named:                                            [  OK  ]

If no error message appears, our BIND service is up and running.

Now we can test whether our master DNS server is configured successfully. From another machine we would simply point its DNS server address at this host's address (for that to work, named must also listen on the host's external address, not only on 127.0.0.1 as in the minimal named.conf above). Here I test on the same machine, so I edit /etc/resolv.conf and point nameserver at the current host:

[[email protected] named]# vim /etc/resolv.conf
# Generated by NetworkManager
#domain localdomain
#search localdomain com
#nameserver 192.168.198.2
nameserver 127.0.0.1

⑤ Use the host or dig command to check whether DNS is configured successfully

Query the IP address of www.cnblogs.com:

[[email protected] named]# dig www.cnblogs.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4 <<>> www.cnblogs.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47531
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;www.cnblogs.com.               IN      A

;; ANSWER SECTION:
www.cnblogs.com.        86400   IN      A       192.168.1.111    <-- the IP address we just defined

;; AUTHORITY SECTION:
cnblogs.com.            86400   IN      NS      cnblogs.com.

;; ADDITIONAL SECTION:
cnblogs.com.            86400   IN      A       127.0.0.1
cnblogs.com.            86400   IN      AAAA    ::1

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jun  6 01:21:05 2013
;; MSG SIZE  rcvd: 107

Query the mail (MX) records of the cnblogs.com domain:

[[email protected] named]# dig -t mx cnblogs.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4 <<>> -t mx cnblogs.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37707
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3

;; QUESTION SECTION:
;cnblogs.com.                   IN      MX

;; ANSWER SECTION:
cnblogs.com.            86400   IN      MX      10 mail.cnblogs.com.    <-- the MX record we defined

;; AUTHORITY SECTION:
cnblogs.com.            86400   IN      NS      cnblogs.com.

;; ADDITIONAL SECTION:
mail.cnblogs.com.       86400   IN      A       192.168.1.222    <-- the IP address of the mail host the MX record points to
cnblogs.com.            86400   IN      A       127.0.0.1
cnblogs.com.            86400   IN      AAAA    ::1

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jun  6 01:27:33 2013
;; MSG SIZE  rcvd: 124

Query the IP address of mail.cnblogs.com:

[[email protected] named]# dig mail.cnblogs.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4 <<>> mail.cnblogs.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11360
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;mail.cnblogs.com.              IN      A

;; ANSWER SECTION:
mail.cnblogs.com.       86400   IN      A       192.168.1.222    <-- the mail server host IP we defined

;; AUTHORITY SECTION:
cnblogs.com.            86400   IN      NS      cnblogs.com.

;; ADDITIONAL SECTION:
cnblogs.com.            86400   IN      A       127.0.0.1
cnblogs.com.            86400   IN      AAAA    ::1

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jun  6 01:34:42 2013
;; MSG SIZE  rcvd: 108

We can see that our master DNS server is configured successfully. Because we pointed the nameserver in /etc/resolv.conf at the current host rather than at the public authoritative DNS servers, every query is handled by the local DNS server, and as long as the matching resource records exist on it, it returns the corresponding information. The aa flag in the replies confirms that these are authoritative answers from our own zone, not data from the real cnblogs.com.

5. Error troubleshooting

Because BIND's main configuration file named.conf and the zone files have a complex and unforgiving syntax, configuration errors are bound to happen. To make troubleshooting easier, BIND provides two very useful commands for checking named.conf and the zone files.

① The named-checkconf command checks BIND's main configuration file for errors:

[[email protected] named]# named-checkconf /var/named/chroot/etc/named.conf

② The named-checkzone command checks a zone file for errors:

[[email protected] named]# named-checkzone cnblogs.com.zone /var/named/chroot/var/named/cnblogs.com.zone
zone cnblogs.com.zone/IN: loaded serial 0
OK

With these two commands we can check the BIND main configuration file and the zone file after editing them. named-checkconf prints nothing when the file is correct, and named-checkzone reports "loaded serial ... OK"; if no error is reported, the configuration has no syntax problems. Note that the first argument of named-checkzone is the zone's origin name, so cnblogs.com is the more accurate value to pass; the file still loads here because it refers to the origin only through @.

That concludes this essay. In the blink of an eye it is almost 2 o'clock in the morning, so it is time to sleep!

This essay explained in detail the common DNS server software BIND and how to configure a domain master DNS server.

