Installation and configuration of a DNS (BIND) server for Linux operations

Source: Internet
Author: User
Tags: dnssec, file permissions, nslookup, nslookup command

Main content of this post:

    • Introduction to the BIND server (including the client tool dig)
    • Configuring a forward-resolution DNS server
    • Configuring a reverse-resolution DNS server
    • Configuring a secondary DNS server and implementing zone transfers between primary and secondary
First, BIND server introduction:

BIND is short for Berkeley Internet Name Domain, open-source software that implements a DNS server. BIND began as a DARPA-funded graduate student project at the University of California, Berkeley, and over the years grew into the most widely used DNS server software in the world; more than half of the DNS servers on the Internet today run BIND.

What a service is, and the characteristics of a service

1. What is a socket:

A socket is simply an ip:port pair (IP address plus port number). Take the telephone system as an analogy: the two parties on a call are two communicating processes; the area code is the IP address; a switch inside that area is a host; the internal extension numbers the switch hands out to its users are socket (port) numbers. Before calling, a user first needs a telephone, which is like applying for a socket, and must know the other party's number, which is like the other side having a fixed socket. Dialling is the connection request (if the other party is in a different area the area code is dialled too, like the network address). If the other party is present and free (the other host is up and able to accept connection requests) and picks up the handset, the two can talk: the connection has succeeded. Speaking into the handset and listening to it are sending data to the socket and receiving data from it. When the call ends, one party hangs up, which closes the socket and tears down the connection.




Ports below 1024 are the well-known ports. On Linux, only root (or a process holding the CAP_NET_BIND_SERVICE capability) may bind a port in the range 0-1023, which is why a service is started as root and then switches to an unprivileged system user once its ports are bound.

For example, the DNS service listens on UDP port 53 for ordinary queries and on TCP port 53 for zone transfers and for responses too large for UDP; a web server listens on TCP port 80.

2. Characteristics of a service:

It runs in the background, in the listening (listen) state.

How listening works:

As shown in the figure:

(1) When the DNS server program is installed and started, it first registers a socket with the kernel via the socket() system call, then calls bind() to associate the local socket address (the local host address and local port, 53) with the socket it created. Once this succeeds, the named daemon is in the listening state: for TCP it calls listen() and blocks in accept(), for UDP it blocks in recvfrom(), waiting for clients. Note that the server must be started first, up to the point where these calls have completed and it is waiting, before it can accept client requests; if a client tries first, its connect() returns an error (connection refused) and no connection is made.

(2) A client's DNS request is then delivered to the DNS server's NIC. The NIC is hardware, and only the kernel talks to hardware, so the TCP/IP stack inside the kernel unpacks the request packet and reads its IP header and TCP/UDP header, i.e. it determines which local socket (address and port) the request is addressed to.

(3) The kernel looks up which process holds a file descriptor (FD) for a socket bound to that address and port. If one is registered, the request is handed to that process.

Tips: the above is just my simple understanding of the listening process, and there are bound to be mistakes in it; if you find any, please do point them out!

3. DNS server types:
    • Caching server: holds no zone data of its own; it only resolves on behalf of clients and caches the answers to speed things up. No registration is required.
    • Primary DNS server: holds the authoritative master copy of a zone's data and answers queries for it.
    • Secondary DNS server: obtains its zone data by copying it from the primary (zone transfer); its copy is read-only.

4. BIND in detail:

Package name: bind

Process: named

Protocol: DNS

Ports: 53/udp and 53/tcp

Related packages:

bind-chroot: confines the named process to a chroot directory, limiting the damage a compromised named can do.

bind-devel: header files and libraries needed to build software against BIND (required when compiling BIND from source).

bind-libs: common library files used by both the server and the client tools.

bind-utils: the BIND client tools (dig, host, nslookup, nsupdate).

Program file: /usr/sbin/named

BIND privileges:

Installing the package automatically creates the system user named.

Tips: early Linux services were started and kept running with root privileges. As services grew more complex, they accumulated more bugs and vulnerabilities, and attackers who exploited a service's vulnerability gained root and with it control of the whole system. To limit the impact of such attacks, server software is now normally designed to start as root (so that it can bind a privileged port such as 53), then drop root itself and continue running under a low-privileged system account (named). The advantage is that when the service is compromised, the attacker's access is bounded by that low-privileged account rather than by root.

Configuration files:

    # rpm -qc bind
    /etc/logrotate.d/named
    /etc/named.conf               # main configuration file
    /etc/named.rfc1912.zones      # zone definition file (pulled into the main file by an include directive)
    /etc/named.root.key           # root zone DNSSEC trust anchor (managed-keys), used for validation
    /etc/rndc.conf                # rndc (remote name daemon control) configuration file
    /etc/rndc.key                 # rndc shared secret
    /etc/sysconfig/named
    /var/named/...                # root hints file listing the 13 root servers
    /var/named/named.empty
    /var/named/named.localhost
    /var/named/named.loopback

Let's focus only on the main configuration file:

Main configuration file: named.conf. Every statement is terminated with a semicolon. It serves to:

    • define zones
    • define global options that apply to all zones
    • define views
    • define logging

BIND client tools

    # rpm -ql bind-utils
    /usr/bin/dig          # the most commonly used DNS server test tool
    /usr/bin/host         # a lightweight DNS test tool
    /usr/bin/nslookup     # DNS query tool implemented on many platforms (available on Windows too)
    /usr/bin/nsupdate     # dynamic DNS update tool
    /usr/share/man/man1/dig.1.gz
    /usr/share/man/man1/host.1.gz
    /usr/share/man/man1/nslookup.1.gz
    /usr/share/man/man1/nsupdate.1.gz

The dig command:

Syntax: dig -t <resource record type> <name> @<server-ip>

How it works:

(1) Without "@server-ip": the query goes to the name server(s) configured in /etc/resolv.conf.

(2) With "@server-ip": the query goes to the specified DNS server, bypassing the servers in the local resolver configuration.

Note: dig does not consult the host's own resolver cache or /etc/hosts; it sends the query straight to the server (the server may still answer from its own cache).

Common options:

dig -x <IP> @<server-ip>: reverse lookup (PTR record)

dig -t <resource record type> <name> +trace: trace the resolution from the root servers down

    # dig -t A <name> +trace
    ; <<>> DiG 9.8.2rc1-redhat-9.8.2-0.23.rc1.el6_5.1 <<>> -t A <name> +trace
    ;; global options: +cmd
    # first the root servers are found: 13 NS records for "."
    .                  480984  IN  NS  (one line per root server, 13 in all)
    ;; Received 496 bytes from <local resolver> in 1654 ms
    # then the servers for com.
    com.               172800  IN  NS  (one line per gTLD server, 13 in all)
    ;; Received 491 bytes from <root server> in 921 ms
    # then the name servers of the zone itself
    <zone>.            172800  IN  NS  (one line per authoritative server, 5 in all)
    ;; Received 201 bytes from <gTLD server> in 402 ms
    # finally the answer: a CNAME followed by the zone's NS records
    <name>.                    IN  CNAME  <target>
    <zone>.                    IN  NS     (5 lines)
    ;; Received 228 bytes from <authoritative server> in 81 ms

dig -t AXFR <zone> @<server-ip>: requests a full zone transfer. Use it both to verify that transfers work for your secondary and, from a host that should not be allowed, to verify that they are refused.

The host command:

Syntax: host -t <resource record type> <name>

For example:

Second, configuring the DNS (BIND) server:

Following the introduction above, we now configure the BIND service in detail. The configuration is divided into four parts:

    • configuring BIND for forward resolution
    • configuring BIND for reverse resolution
    • configuring a secondary BIND server
    • implementing zone transfers between the primary and secondary DNS
Experimental environment

VMware Workstation 10

BIND servers: two CentOS 6.4 virtual machines, one primary DNS and one secondary DNS

One Windows Server 2008 R2 host acting as a second secondary DNS

One Windows 7 client

Records planned for the zone:

    • secondary DNS (on the Windows Server 2008 R2 host)
    • web host
    • MX mail server
1. Configuring forward resolution

Steps to configure a host as a forward-resolving DNS server

Step one: install DNS (BIND) with yum

Step two: create or modify the main configuration file (/etc/named.conf)

Step three: create the zone data file (/var/named/<zone>.zone)

Step four: use named-checkconf and named-checkzone to test the configuration file and the zone file for syntax errors

Step five: make sure the main configuration file and the zone file have mode 640, owner root and group named

Step six: restart the service or reload the configuration

Step seven: adjust the iptables and SELinux settings (you can temporarily turn them off if you are not familiar with them)

Step eight: query the DNS resource records with dig on a Linux host and nslookup on a Windows host

The specific configuration process is as follows:

Step one: install bind with yum:

    # yum install -y bind
    Loaded plugins: fastestmirror, security
    Loading mirror speeds from cached hostfile
    Setting up Install Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package bind.x86_64 32:9.8.2-0.17.rc1.el6 will be installed
    --> Processing Dependency: portreserve for package: 32:bind-9.8.2-0.17.rc1.el6.x86_64
    --> Running transaction check
    ---> Package portreserve.x86_64 0:0.0.4-9.el6 will be installed
    --> Finished Dependency Resolution

    Dependencies Resolved
    ================================================================================
     Package          Arch      Version                    Repository     Size
    ================================================================================
    Installing:
     bind             x86_64    32:9.8.2-0.17.rc1.el6      cdrom         4.0 M
    Installing for dependencies:
     portreserve      x86_64    0.0.4-9.el6                cdrom             k

    Transaction Summary
    ================================================================================
    Install       2 Package(s)

    Total download size: 4.0 M
    Installed size: 7.3 M
    Downloading Packages:
    --------------------------------------------------------------------------------
    Total                                                    MB/s | 4.0 MB     00:00
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Installing : portreserve-0.0.4-9.el6.x86_64                               1/2
      Installing : 32:bind-9.8.2-0.17.rc1.el6.x86_64                            2/2
      Verifying  : 32:bind-9.8.2-0.17.rc1.el6.x86_64                            1/2
      Verifying  : portreserve-0.0.4-9.el6.x86_64                               2/2

    Installed:
      bind.x86_64 32:9.8.2-0.17.rc1.el6

    Dependency Installed:
      portreserve.x86_64 0:0.0.4-9.el6

    Complete!


Step two: create or modify the main configuration file (/etc/named.conf)

First, let's look at the contents of the main configuration file as shipped:

    # cat /etc/named.conf
    //
    // named.conf          (C-style syntax; comments use //, /* */ or #)
    //
    // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
    // server as a caching only nameserver (as a localhost DNS resolver only).
    //
    // See /usr/share/doc/bind*/sample/ for example named configuration files.
    //

    options {
            listen-on port 53 { ...; };
            listen-on-v6 port 53 { ::1; };
            directory "/var/named";                   // root directory for zone files; relative paths below are relative to it
            dump-file "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
            allow-query     { localhost; };           // which hosts may send queries
            recursion yes;                            // whether recursive queries are answered
            dnssec-enable yes;
            dnssec-validation yes;
            dnssec-lookaside auto;
            /* Path to ISC DLV key */
            bindkeys-file "/etc/named.iscdlv.key";
            managed-keys-directory "/var/named/dynamic";
    };

    logging {                                         // define a log channel
            channel default_debug {
                    file "data/...";
                    severity dynamic;
            };
    };

    zone "." IN {                                     // the root zone: type hint, file name relative to /var/named
            type hint;
            file "...";
    };

    // two further files are pulled in as part of the main configuration:
    include "/etc/named.rfc1912.zones";               // the zone definition file
    include "/etc/named.root.key";                    // root zone DNSSEC trust anchor (managed-keys)

Note the following three lines:

listen-on port 53 { ...; };

listen-on-v6 port 53 { ::1; };

allow-query { localhost; };

As shipped they make named listen only on the loopback addresses and answer only localhost, i.e. a local caching resolver. To serve other hosts, put the server's interface address (or any) in listen-on and widen allow-query to the client networks. If allow-query is widened while recursion stays yes, also restrict allow-recursion to those same networks (or set recursion no on a purely authoritative server); otherwise the server becomes an open recursive resolver that can be abused for DNS amplification attacks.

Start the named service:

Verify that the named service is running:

Enable it at boot:

At this point, a caching DNS server is configured!

Edit the zone definition file /etc/named.rfc1912.zones

Add a new zone inside it, in the following format:

    zone "<zone name>" IN {
            type master|slave|forward;      // every statement ends with a semicolon
            file "<zone file>";
    };                                      // the closing brace also takes a semicolon

The new zones added here are as follows:

Step three: create the zone data file (/var/named/<zone>.zone)

Create the zone file under /var/named. It usually contains only macro definitions ($TTL, $ORIGIN) and resource records, and the first record must be the SOA record. The format is:

    $TTL 600
    ; name   [TTL]   IN   rr_type   value

Note: the syntax and meaning of the resource records were covered in detail in the previous post and are not repeated here.

Step four: test the configuration file and the zone file for syntax errors with named-checkconf and named-checkzone

Step five: make sure the main configuration file and the zone files have mode 640, owner root, group named:

(1) Check the permissions of the main configuration file:

(2) Check the permissions of the zone file under /var/named/:

Change the permissions:

Step six: restart the service or reload the configuration:

Step seven: adjust the iptables and SELinux settings (you can temporarily turn them off if you are not familiar with them; in production, open 53/udp and 53/tcp in iptables and keep SELinux enforcing)

Step eight: query the DNS resource records with dig on the Linux host and nslookup on the Windows host

(1) Use dig on the Linux host to query the DNS records:

(2) Use nslookup on the Windows client to test the same records:

At this point, a BIND server that does forward resolution is configured!

2. Configuring reverse resolution on the BIND server:

Forward and reverse resolution use separate zone data. A DNS server can hold only forward zones, only reverse zones, or both.

Zone name format for a reverse zone:

The network part of the address is written with its octets in reverse order and .in-addr.arpa is appended. For a /24 network whose address is a.b.c.0, the zone is therefore named c.b.a.in-addr.arpa. Here my local intranet is the network ..., so the reverse zone is named ... accordingly.

Step one: edit the zone definition file (/etc/named.rfc1912.zones, included from /etc/named.conf) and add the reverse zone

Step two: create the reverse zone file

Step three: check for syntax errors

Step four: set the permissions

Step five: reload the configuration

Step six: verify the resolution from the Windows client:

At this point the primary BIND server is fully configured (both forward and reverse resolution).
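The eight forward-resolution steps and the reverse-zone steps above, carried out by a single script. This is an added example and not code from the original post: the domain example.com, the network 192.168.10.0/24, the host addresses, the serial scheme and the file names are all assumptions. Only the install action touches the system (it must run as root on the DNS host); the zone-generation and reverse-zone-naming functions can be exercised on any machine.

```shell
#!/bin/sh
# Added example, not code from the original post: builds a forward zone and the
# matching reverse zone, installs both with the permissions the post asks for,
# checks them and reloads named. Every name and address below is constructed.
ZONE="example.com"
NET="192.168.10.0/24"
NS_IP="192.168.10.11"                 # this BIND server (ns1)
SERIAL="$(date +%Y%m%d)01"            # YYYYMMDDnn; raise nn on every later edit
NAMED_DIR="/var/named"
HOSTS="ns1 192.168.10.11
www 192.168.10.20
mail 192.168.10.30"                   # constructed sample hosts: "name address"

# 192.168.10.0/24 -> 10.168.192.in-addr.arpa: network octets in reverse order
reverse_zone_name() {
    echo "$1" | cut -d/ -f1 | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# SOA and NS records shared by both zones; the serial must grow on every change
# or secondaries will keep serving their old copy
soa_header() {
    cat <<EOF
\$TTL 600
@   IN  SOA ns1.$ZONE. admin.$ZONE. (
        $SERIAL ; serial
        3600    ; refresh
        900     ; retry
        604800  ; expire
        86400 ) ; negative-answer TTL
@   IN  NS  ns1.$ZONE.
EOF
}

forward_zone() {
    soa_header
    echo "@   IN  MX  10 mail.$ZONE."
    echo "$HOSTS" | while read -r name ip; do
        printf '%-4s IN  A   %s\n' "$name" "$ip"
    done
    echo "web IN  CNAME www.$ZONE."
}

# one PTR per host; inside c.b.a.in-addr.arpa the owner name is the last octet
reverse_zone() {
    soa_header
    echo "$HOSTS" | while read -r name ip; do
        printf '%-4s IN  PTR %s.%s.\n' "${ip##*.}" "$name" "$ZONE"
    done
}

# stanzas for /etc/named.rfc1912.zones; transfers stay closed until a
# secondary is configured (BIND's default is to allow them to anyone)
zone_stanzas() {
    rev="$(reverse_zone_name "$NET")"
    cat <<EOF
zone "$ZONE" IN {
    type master;
    file "$ZONE.zone";
    allow-transfer { none; };
};
zone "$rev" IN {
    type master;
    file "$rev.zone";
    allow-transfer { none; };
};
EOF
}

install_zones() {
    rev="$(reverse_zone_name "$NET")"
    forward_zone > "$NAMED_DIR/$ZONE.zone"
    reverse_zone > "$NAMED_DIR/$rev.zone"
    zone_stanzas >> /etc/named.rfc1912.zones
    # step 5: mode 640, owner root, group named: only root edits, only named reads
    chown root:named "$NAMED_DIR/$ZONE.zone" "$NAMED_DIR/$rev.zone" /etc/named.conf
    chmod 640 "$NAMED_DIR/$ZONE.zone" "$NAMED_DIR/$rev.zone" /etc/named.conf
    # step 4: never reload on a file that fails the syntax check
    named-checkconf /etc/named.conf
    named-checkzone "$ZONE" "$NAMED_DIR/$ZONE.zone"
    named-checkzone "$rev" "$NAMED_DIR/$rev.zone"
    rndc reload || service named restart
    # step 8: forward and reverse answers from the server itself
    dig +short -t A "www.$ZONE" @"$NS_IP"
    dig +short -x 192.168.10.20 @"$NS_IP"
}

# only touches the system when run as root with "install" on the DNS host
if [ "${1:-}" = "install" ] && [ "$(id -u)" -eq 0 ]; then
    install_zones
fi
```

Run it as `sh zones.sh install` on the primary. The reverse zone is derived from the same host list as the forward zone, so the two cannot drift apart, and allow-transfer is closed explicitly rather than relying on the default.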

Third, background on rndc:

1. What is rndc:

rndc stands for Remote Name Daemon Control, the utility used to control a running named.

rndc communicates with the name server over a TCP connection and sends digitally signed commands. In the rndc and named versions current when this was written (BIND 9.8) the only supported authentication algorithm was HMAC-MD5, using a shared secret at both ends of the connection (later BIND releases also accept the HMAC-SHA family); this provides TSIG-style authentication of the command request and of the name server's response. Every command sent over the channel must be signed with a key_id known to the server.

Listening port: 953/tcp (by default only on the loopback addresses)

Usage:

    rndc [-b address] [-c config] [-s server] [-p port] [-k key-file] [-y key] [-V] command
    command is one of the following:
      reload        Reload configuration file and zones.
      reconfig      Reload configuration file and new zones only.
      freeze        Suspend updates to all dynamic zones.
      stats         Write server statistics to the statistics file.
      stop          Save pending updates to master files and stop the server.
      halt          Stop the server without saving pending updates.
      flush         Flushes all of the server's caches.
      status        Display status of the server.
2. rndc debugging and logging:

Debug: prints detailed information while the program runs (costs I/O; normally left switched off)

Debug level: 0, 1, 2, 3 ...

To raise the debug level:

rndc trace            # raise the level by one

rndc trace <level>    # set the level directly

rndc notrace          # back to level 0

Query log: records every query (increases disk I/O); toggled on and off with:

rndc querylog

For example:
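An added example of the control channel this section describes (not code from the original post): it generates the named.conf controls stanza and the matching rndc.conf so that port 953 is reachable only from loopback and only with the shared key, then runs the trace/querylog commands just listed. The key name, the secret and the example query name are constructed; a real secret comes from rndc-confgen.

```shell
#!/bin/sh
# Added example, not code from the original post: pins the rndc control channel
# (953/tcp) to loopback with a shared HMAC key, writes the named.conf and
# rndc.conf sides of it, and runs the trace/querylog commands from this section.
# The key below is constructed for the example; on a real host generate one with
#   rndc-confgen -a            (writes /etc/rndc.key)
KEY_NAME="rndc-key"
KEY_ALGO="hmac-sha256"        # use hmac-md5 if this BIND release refuses it
KEY_SECRET="c2VjcmV0LWZvci10aGUtZXhhbXBsZS1vbmx5"   # base64, constructed
RNDC_PORT=953

# the same key stanza has to appear on both ends of the channel
key_stanza() {
    cat <<EOF
key "$KEY_NAME" {
    algorithm $KEY_ALGO;
    secret "$KEY_SECRET";
};
EOF
}

# named.conf side. The weak form "inet * allow { any; }" would hand reload,
# flush and stop to the whole network; here only loopback and only this key.
named_controls() {
    key_stanza
    cat <<EOF
controls {
    inet 127.0.0.1 port $RNDC_PORT allow { 127.0.0.1; } keys { "$KEY_NAME"; };
};
EOF
}

# rndc.conf side: same key, and the local named as the default target
rndc_conf() {
    key_stanza
    cat <<EOF
options {
    default-key "$KEY_NAME";
    default-server 127.0.0.1;
    default-port $RNDC_PORT;
};
EOF
}

# the commands discussed above; query logging is switched on only long enough
# to capture one test query, since it costs disk I/O on a busy server
exercise_rndc() {
    rndc status
    rndc trace 2                     # debug level 0 -> 2
    rndc querylog                    # toggle query logging on
    dig +short -t A www.example.com @127.0.0.1
    rndc querylog                    # and back off
    rndc notrace                     # debug level back to 0
    grep -E 'query:|debug' /var/log/messages | tail -n 5
}

if [ "${1:-}" = "install" ] && [ "$(id -u)" -eq 0 ]; then
    named_controls >> /etc/named.conf
    rndc_conf > /etc/rndc.conf
    chown root:named /etc/named.conf; chmod 640 /etc/named.conf
    chown root:root /etc/rndc.conf;   chmod 600 /etc/rndc.conf
    named-checkconf /etc/named.conf && service named restart
    exercise_rndc
fi
```

Without an explicit controls stanza named already defaults to loopback with /etc/rndc.key; writing it out makes the restriction visible in the configuration and survives someone later "opening it up" for remote administration without thinking about the key.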

Fourth, configuring the secondary DNS server

Note: a secondary is defined per zone. If you have several DNS servers, each must have its own NS record in the zone, otherwise the primary will not send NOTIFY messages to it (NOTIFY goes to the zone's NS records; also-notify can add further targets).

The principle of zone transfers between primary and secondary was discussed in detail in the previous post; see that post if you want the details.

1. Defining the zone:

    zone "<zone name>" IN {
            type slave;                                     // zone type: secondary
            file "slaves/<zone file>";                      // must be under slaves/, the only directory under /var/named that named may write to
            masters { master_dns_ip; master_dns2_ip; };     // which primary server(s) to transfer from
    };
2. Configuring the secondary DNS and zone transfers:

Step one: create the secondary DNS (done on the Linuxslave host and on the win2008 virtual machine respectively)

(1) Install BIND on the Linuxslave host and configure it: edit /etc/named.rfc1912.zones and add the following records:

Check for syntax errors:

(2) Add the corresponding NS and A records in the zone files under /var/named/ on the Linuxmaster host, where the primary DNS server runs:

Check for syntax errors and reload the configuration:

On the primary DNS server, use dig to check that the newly added records are there:

Configure the secondary DNS on Windows Server 2008 R2

Preparation: configure the network so that the win2008 virtual machine can ping the primary DNS server, and install the DNS server role.

Open the DNS management console and create the secondary zone:

After right-clicking Refresh, the zone is synchronised from the primary DNS:

Clicking on a few resource records shows that they are all greyed out and cannot be edited (the secondary's data comes from the primary and is read-only)

Review the logs on the primary DNS server to verify the zone transfer between primary and secondary:

Step two: perform a full synchronisation of the zone data from the primary DNS server and check the log files to verify that the secondary completed it:

Note: the following experiment did not involve the Windows secondary, so I deleted its NS record and A record by hand!

On the secondary DNS server, check with dig whether the data can be pulled from the primary (full zone transfer, AXFR)

Check whether the corresponding zone files now exist on the secondary DNS server:

Look at the contents of these zone files on the secondary:

View the logs:

Step three: add a resource record on the primary DNS server and watch its log file, then check the log on the secondary to see whether the incremental zone synchronisation completed

Looking at /var/log/messages I found that, because I had forgotten to increment the serial number, the log reported that the serial number had not changed and the synchronisation to the secondary failed

After adding 1 to the serial number, the log shows:

View the log on the secondary DNS server:

View the zone files on the secondary DNS server:

Everything OK!

Step four: verify the secondary DNS configuration from the Windows client with nslookup:

Everything OK!

That is the basic configuration of a DNS server. A brief summary:

1. Every DNS server for a zone must have a corresponding NS resource record;

2. When creating a slave, its zone definition must use type slave, and the IP address of the primary server must be given in masters;

3. dig -t AXFR <zone> @server_ip pulls all the resource records of the zone from the primary DNS server (which is also why allow-transfer on the primary should be limited to the secondaries);

4. Once primary/secondary synchronisation completes, a zone file is generated automatically under slaves/ on the slave server. These files are copies from the primary and are effectively read-only; do not edit the slave's zone files;

5. When modifying a zone file on the primary, the serial in the SOA record must be increased (by convention +1), because the slave decides whether to transfer by comparing serial values (Windows DNS does this automatically);

6. By default all the DNS logs go to /var/log/messages;

7. DNS resolution depends only on the zone data, so names that do not correspond to any real host still resolve (and the forward and reverse zones are independent of each other). Note that a forward zone has no PTR records, and a reverse zone needs no A, MX or CNAME records.
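An added example that covers summary points 2, 3 and 5 together (not code from the original post): the primary and secondary zone stanzas with the transfer restricted to a TSIG-signed secondary, an AXFR check that confirms an unsigned transfer is refused, and a serial-bump helper for exactly the "serial number unchanged" failure seen in step three. The zone name, both addresses and the key secret are constructed; the Windows secondary from the experiment does not share a TSIG key with BIND, so its address would have to be listed in allow-transfer by IP instead.

```shell
#!/bin/sh
# Added example, not code from the original post: the primary/secondary pair
# from this section with the zone transfer restricted to a TSIG-signed
# secondary, plus the SOA serial bump that the "serial number unchanged" log
# error calls for. Names, addresses and the key secret are constructed.
ZONE="example.com"
MASTER_IP="192.168.10.11"
SLAVE_IP="192.168.10.12"
XFER_KEY="xfer-key"
XFER_SECRET="dHJhbnNmZXIta2V5LWV4YW1wbGUtb25seQ=="   # base64, constructed; a real one:
#   dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST xfer-key   (secret is in the .private file)

# same key on both servers; TSIG authenticates the transfer request and signs
# the answer, so a spoofed primary or an unauthorised puller is rejected
tsig_key() {
    cat <<EOF
key "$XFER_KEY" {
    algorithm hmac-sha256;
    secret "$XFER_SECRET";
};
EOF
}

# primary side: transfers only with the key; NOTIFY goes to the NS records of
# the zone plus also-notify, which is why every secondary needs an NS record
master_stanza() {
    tsig_key
    cat <<EOF
server $SLAVE_IP { keys { "$XFER_KEY"; }; };
zone "$ZONE" IN {
    type master;
    file "$ZONE.zone";
    allow-transfer { key "$XFER_KEY"; };
    also-notify { $SLAVE_IP; };
};
EOF
}

# secondary side: the copy lives under slaves/, the only directory named may
# write to, and is not handed on by transfer to anyone else
slave_stanza() {
    tsig_key
    cat <<EOF
server $MASTER_IP { keys { "$XFER_KEY"; }; };
zone "$ZONE" IN {
    type slave;
    file "slaves/$ZONE.zone";
    masters { $MASTER_IP; };
    allow-transfer { none; };
};
EOF
}

# first number on the zone file line tagged "; serial"
current_serial() {
    grep -m1 ';[[:space:]]*serial' "$1" | tr -s ' \t' '\n' | grep -m1 '^[0-9][0-9]*$'
}

# next serial: keep the YYYYMMDDnn convention when the old one already uses
# today's date, otherwise start today at 01; in every case it must be larger
next_serial() {
    today="$(date +%Y%m%d)"
    if [ "$(printf %s "$1" | cut -c1-8)" = "$today" ]; then new=$(($1 + 1)); else new="${today}01"; fi
    [ "$new" -gt "$1" ] || new=$(($1 + 1))
    echo "$new"
}

# rewrite the serial in place; without this the secondary logs "serial number
# unchanged" and never pulls the edit
bump_serial() {
    old="$(current_serial "$1")"
    new="$(next_serial "$old")"
    sed -i "s/$old\([[:space:]]*;[[:space:]]*serial\)/$new\1/" "$1"
}

# run from any host: an unsigned AXFR must be refused, a signed one must succeed
check_transfer() {
    dig -t AXFR "$ZONE" @"$MASTER_IP" | grep -q 'Transfer failed' && echo "unsigned AXFR refused: ok"
    dig -t AXFR "$ZONE" @"$MASTER_IP" -y "hmac-sha256:$XFER_KEY:$XFER_SECRET" | grep -c ' SOA '
}

case "${1:-}" in
    master) master_stanza >> /etc/named.rfc1912.zones; named-checkconf
            bump_serial "/var/named/$ZONE.zone"; rndc reload "$ZONE" ;;
    slave)  slave_stanza >> /etc/named.rfc1912.zones; named-checkconf; rndc reload ;;
    check)  check_transfer ;;
esac
```

Run `sh xfer.sh master` on the primary, `sh xfer.sh slave` on the secondary, then `sh xfer.sh check` from a third host: the signed transfer should print 2 (the SOA record opens and closes an AXFR), the unsigned one should be refused. Serials are compared with serial-number arithmetic, so "larger" is all that matters; the date form only makes it obvious when a zone was last touched.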
