DNS Server Basic Configuration
BIND details:
Package name: bind
Process: named
Protocol: DNS
Port: 53 (TCP and UDP)
Related packages:
bind-chroot: runs the named process inside a chroot directory, so a compromised named can only reach the files under that directory. It limits the damage of a break-in; it does not make named itself secure.
bind-devel: development headers and library files (needed to compile software against BIND)
bind-libs: shared library files used by both the server and the client tools
bind-utils: client tools (dig, host, nslookup)
Program file: /usr/sbin/named
BIND privilege handling:
Installation creates the system user named. The named process is started by root (it needs root to bind port 53 and read its configuration), and once startup is complete it drops privileges and keeps running as the named user.
Installation: yum install bind
List the package's configuration files:
# rpm -qc bind
/etc/logrotate.d/named
/etc/named.conf                  main configuration file
/etc/named.iscdlv.key
/etc/named.rfc1912.zones         zone definitions; pulled into the main configuration file by an include statement
/etc/named.root.key
/etc/rndc.conf
/etc/rndc.key
/etc/sysconfig/named
/var/named/named.ca              root hints file: the addresses of the 13 root name servers
/var/named/named.empty
/var/named/named.localhost
/var/named/named.loopback
Zone data files: /var/named/<zone_name>.zone
dig, host and nslookup are the DNS test tools.
Four experiments cover four different DNS configurations:
Configuring BIND for forward resolution
Configuring BIND for reverse resolution
Configuring a secondary (slave) BIND server
Zone transfers between the primary and secondary DNS server
1. Configuring forward resolution
Steps to configure a host as a forward-resolving DNS server:
Step one: install the BIND package with yum
Step two: create or modify the main configuration file (/etc/named.conf)
Step three: create the zone data file (/var/named/<zone_name>.zone)
Step four: check the configuration file and the zone file for syntax errors with named-checkconf and named-checkzone
Step five: make sure the main configuration file and the zone data files are mode 640, owned by root with group named (named can read them but not modify them)
Step six: restart the service or reload the configuration
Step seven: adjust iptables and SELinux. Opening UDP and TCP port 53 in the firewall and keeping the zone files under /var/named (where the named_zone_t context applies) is enough; turn them off only temporarily in a lab if you are not yet familiar with them
Step eight: query the resource records with dig or nslookup from a Linux host and from a Windows host
Step one: yum install bind
Step two: modify the main configuration file
The syntax is C-like; comments are written with // or /* ... */ (# also works). The shipped options section, with notes:
options {
    listen-on port 53 { 127.0.0.1; };        // addresses and port to listen on; comment it out, or add the server's own IP, so named also answers on the LAN interface
    listen-on-v6 port 53 { ::1; };           // the same for IPv6
    directory "/var/named";                  // working directory; relative paths below are relative to it
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { localhost; };              // access control; by default only the local host may query. Commenting it out allows queries from any host; listing your own networks instead is safer
    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access control
       to limit queries to your legitimate users. Failing to do so will cause your server to
       become part of large scale DNS amplification attacks. Implementing BCP38 within your
       network would greatly reduce such attack surface
    */
    recursion yes;                           // whether recursive queries are allowed
    dnssec-enable no;                        // DNSSEC adds signature validation to DNS; both are set to no here so validation failures do not interfere with the lab results. Leave them enabled on any server that is not a throwaway lab
    dnssec-validation no;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
Logging section logging { ... }:
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
Zone section zone { ... }:
zone "." IN {
    type hint;
    file "named.ca";
};
A zone statement, introduced by the keyword zone, tells named which data file to consult when it resolves names in the given domain.
By default the main configuration file only defines the zone for the root domain "."; its file is named.ca, the root hints. With that alone the server can act as a caching server, starting every lookup at the root.
The zones for all other domains are defined in /etc/named.rfc1912.zones, which the main configuration file pulls in with:
include "/etc/named.rfc1912.zones";
At this point a caching (recursive) name server is configured.
Step three: create the zone definitions and zone data files
The zone definition for each domain goes in /etc/named.rfc1912.zones.
Zone definition format:
zone "zone name" IN {
    type master|slave|forward;   // every statement ends with a semicolon
    file "zone_name.zone";
};                               // the closing brace also needs a semicolon
hint: points at the root domain
master: primary DNS server for the zone
slave: secondary DNS server for the zone
forward: forwards queries for the zone to another server
Edit that file to add one forward zone and one reverse zone.
Then create the corresponding zone data files under /var/named/.
Note: the forward zone file needs no PTR records, and the reverse zone file needs no CNAME or MX records. Also note the trailing dot in fully qualified names such as ns.lishuai.com.: it cannot be omitted, because a name without it has the zone origin appended (ns.lishuai.com becomes ns.lishuai.com.lishuai.com.).
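As an added example (not part of the original page), the following shell function renders a complete named.conf that combines the options section above with the zone definitions just described: a forward zone for lishuai.com and the reverse zone for 192.168.2.0/24. The listen address 192.168.2.18 and the client network 192.168.2.0/24 are assumptions to match the hosts used later in the tutorial. Instead of commenting out allow-query, it uses an acl so only those clients may query or recurse, which is what the shipped comment about amplification attacks asks for. The check function uses named-checkconf when BIND is installed and otherwise falls back to a brace-balance check.

```shell
#!/bin/sh
# Added example, not from the original page or from the BIND project.
# Assumed values: named listens on 192.168.2.18, clients are in 192.168.2.0/24.

render_named_conf() {
    listen_ip="$1"   # address named listens on, e.g. 192.168.2.18
    trusted="$2"     # clients allowed to query and recurse, e.g. 192.168.2.0/24
    cat <<EOF
// Hosts that may use this server. Everyone else gets REFUSED, so the
// server cannot be turned into a DNS amplification reflector.
acl "trusted" { 127.0.0.1; ${trusted}; };

options {
    listen-on port 53 { 127.0.0.1; ${listen_ip}; };  // explicit addresses, not "any"
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";

    allow-query     { trusted; };   // replaces the default "localhost"
    recursion yes;
    allow-recursion { trusted; };   // recurse only for our own clients
    allow-transfer  { none; };      // no AXFR until a secondary is configured

    dnssec-validation yes;          // leave validation on outside the lab
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
    channel default_debug { file "data/named.run"; severity dynamic; };
};

zone "." IN { type hint; file "named.ca"; };

// Forward zone: names under lishuai.com -> addresses
zone "lishuai.com" IN {
    type master;
    file "lishuai.com.zone";
};

// Reverse zone: 192.168.2.x -> names (octets reversed, in-addr.arpa suffix)
zone "2.168.192.in-addr.arpa" IN {
    type master;
    file "2.168.192.zone";
};
EOF
}

# Syntax check: named-checkconf when BIND is installed; otherwise only verify
# that every "{" has a matching "}" (catches the most common copy/paste error).
check_named_conf() {
    conf="$1"
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$conf"
        return $?
    fi
    opens=$(( $(tr -cd '{' < "$conf" | wc -c) ))
    closes=$(( $(tr -cd '}' < "$conf" | wc -c) ))
    [ "$opens" -eq "$closes" ]
}

# Usage: render into a scratch file, check it, then copy it to /etc/named.conf.
out=$(mktemp)
render_named_conf 192.168.2.18 192.168.2.0/24 > "$out"
check_named_conf "$out" && echo "named.conf syntax OK: $out"
```

Once installed as /etc/named.conf, the zone statements replace the include of /etc/named.rfc1912.zones for these two zones; the acl is the place to add further client networks later, rather than widening allow-query to any.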
Step four: check the configuration file and the zone data files for errors
Checking tools:
1. named-checkconf: checks the syntax and consistency of the configuration file
2. named-checkzone: checks the syntax and consistency of a zone data file
Usage: named-checkzone zonename filename
For example: named-checkzone lishuai.com /var/named/lishuai.com.zone
Step five: set permissions
chown root:named /var/named/lishuai.com.zone
chown root:named /var/named/2.168.192.zone
chmod 640 /var/named/lishuai.com.zone
chmod 640 /var/named/2.168.192.zone
Step six: restart the service or reload the configuration
systemctl restart named, or rndc reload, or systemctl reload named
Step seven: firewall and SELinux. Allow UDP and TCP port 53 in iptables; with the zone files under /var/named, SELinux can stay enforcing. Disable them only temporarily while testing in a lab.
Step eight: test
Test tools
dig
Common forms: dig [-t TYPE] FQDN [@SERVER] for a forward query and dig -x IP_ADDR [@SERVER] for a reverse query
where
-t specifies the resource record type to query (see below);
-x performs a reverse lookup of the given IP address;
@SERVER specifies which DNS server to query; without it the system's default resolver is used.
host
Common form: host [-t TYPE] FQDN [SERVER_IP]
Here we test from the host 192.168.2.29; the BIND service is installed on the host 192.168.2.18.
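The procedure from step three to step eight, carried through end to end as an added example (not from the original page): write the forward zone file for lishuai.com, derive the reverse zone for 192.168.2.0/24 from its A records so the two files cannot drift apart, run the BIND checkers where they are installed, set the 640 root:named permissions, and show the dig queries to run from the client. The hostnames, the A records other than ns (192.168.2.18) and www (192.168.2.29), and the serial number are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original page or from the BIND project.
# Assumed data: ns = 192.168.2.18 (the BIND server), www = 192.168.2.29 (the
# test client), a mail host, and a constructed serial number.

write_forward_zone() {
    # $1 = destination file. Names ending in "." are absolute; a name without
    # the trailing dot gets $ORIGIN appended (ns.lishuai.com.lishuai.com. is
    # the classic mistake the tutorial warns about).
    cat > "$1" <<'EOF'
$TTL 86400
$ORIGIN lishuai.com.
@       IN  SOA  ns.lishuai.com. admin.lishuai.com. (
                 2024010101 ; serial, bump on every change
                 3600       ; refresh
                 900        ; retry
                 604800     ; expire
                 86400 )    ; negative-cache TTL
@       IN  NS   ns.lishuai.com.
@       IN  MX   10 mail.lishuai.com.
ns      IN  A    192.168.2.18
www     IN  A    192.168.2.29
mail    IN  A    192.168.2.18
ftp     IN  CNAME www.lishuai.com.
EOF
}

# Build the reverse zone from the forward zone's A records: only A records in
# 192.168.2.0/24 become PTRs; CNAME and MX records are deliberately skipped.
write_reverse_zone() {
    fwd="$1"; rev="$2"
    {
        printf '$TTL 86400\n$ORIGIN 2.168.192.in-addr.arpa.\n'
        printf '@  IN  SOA  ns.lishuai.com. admin.lishuai.com. ( 2024010101 3600 900 604800 86400 )\n'
        printf '@  IN  NS   ns.lishuai.com.\n'
        awk '$2 == "IN" && $3 == "A" && $4 ~ /^192\.168\.2\./ {
                 split($4, o, ".");
                 # owner is the last octet; the target must be absolute (trailing dot)
                 printf "%s  IN  PTR  %s.lishuai.com.\n", o[4], $1
             }' "$fwd"
    } > "$rev"
}

# Step four: named-checkzone ZONENAME FILE when available; otherwise at least
# refuse any PTR target that lacks the trailing dot.
check_zones() {
    dir="$1"
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone lishuai.com "$dir/lishuai.com.zone" &&
        named-checkzone 2.168.192.in-addr.arpa "$dir/2.168.192.zone"
    else
        awk '$3 == "PTR" && $4 !~ /\.$/ { bad++ } END { exit bad + 0 }' "$dir/2.168.192.zone"
    fi
}

# Step five: mode 640, owner root, group named: named can read, not write.
fix_perms() {
    chown root:named "$1" 2>/dev/null || true   # needs root; skipped otherwise
    chmod 640 "$1"
}

count_ptr() {   # number of PTR records in a reverse zone file
    grep -c ' PTR ' "$1"
}

# Usage: on the BIND host run with ZONEDIR=/var/named as root, then `rndc reload`.
ZONEDIR=${ZONEDIR:-$(mktemp -d)}
write_forward_zone "$ZONEDIR/lishuai.com.zone"
write_reverse_zone "$ZONEDIR/lishuai.com.zone" "$ZONEDIR/2.168.192.zone"
check_zones "$ZONEDIR" && echo "zone files OK in $ZONEDIR"
for f in "$ZONEDIR/lishuai.com.zone" "$ZONEDIR/2.168.192.zone"; do fix_perms "$f"; done
# Step eight, from the client 192.168.2.29:
#   dig -t A www.lishuai.com @192.168.2.18
#   dig -x 192.168.2.18 @192.168.2.18
```

Generating the PTR records from the forward file is a small habit that removes a whole class of stale-reverse-zone mistakes; the awk filter is also where a host that should not have a PTR (a CNAME alias, for instance) is kept out.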