Linux-dns basic knowledge and simple configuration of BIND-2 (forward parsing and reverse parsing)

Source: Internet
Author: User
Tags dnssec nslookup

DNS Server Basic Configuration

BIND details:
Package name: bind
Process: named
Protocol: DNS
Port: 53 (TCP, UDP)
Related packages:
bind-chroot: confines the named process to a chroot directory, for security.
bind-devel: development headers and library files (needed to compile and install bind).
bind-libs: shared library files used by both the server side and the client.
bind-utils: bind client tools.
Program file: /usr/sbin/named
BIND permission notes:
After installation the system user named is created automatically. The named process is started by the administrator (root) and, once start-up is complete, switches to run as the named system user.

Installation: yum install bind
# rpm -qc bind
/etc/logrotate.d/named
/etc/named.conf                  master configuration file
/etc/named.iscdlv.key
/etc/named.rfc1912.zones         zone configuration file, pulled into the master configuration file with include
/etc/named.root.key
/etc/rndc.conf
/etc/rndc.key
/etc/sysconfig/named
/var/named/named.ca              file holding the 13 root servers, generated automatically by bind
/var/named/named.empty
/var/named/named.localhost
/var/named/named.loopback
Zone resolution library files: /var/named/zone_name.zone


dig, host and nslookup are the DNS test tools.

Here we have four experiments explaining four different DNS configurations:
Configuring BIND for forward resolution
Configuring BIND for reverse resolution
Configuring a secondary (slave) BIND
Implementing zone transfers between primary and secondary DNS

1. Configuring forward resolution
Steps to configure a host as a forward-resolving DNS server:
Step one: install the DNS package (bind) with yum
Step two: create or modify the master configuration file (/etc/named.conf)
Step three: create the zone data file (/var/named/zone_name.zone)
Step four: use the related commands (named-checkconf, named-checkzone) to test the configuration file and the zone file for syntax errors
Step five: make sure the master configuration file and the zone resolution library file have permissions 640, owner root, group named
Step six: restart the service or reload the configuration file
Step seven: change the iptables and SELinux settings (you can temporarily turn them off if you are not familiar with these two)
Step eight: use dig/nslookup on a Linux or Windows host to query the DNS resource records

Step one: yum install bind
Step two: modify the master configuration file

C++-style syntax; comments use // or /* */
options {
        listen-on port 53 { 127.0.0.1; };        // specifies the port and address to listen on; this line needs to be commented out
        listen-on-v6 port 53 { ::1; };           // specifies the port and IPv6 address to listen on; this line needs to be commented out
        directory "/var/named";                  // root directory for the zone files; relative paths given below are relative to this directory
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { localhost; };              // access control; by default only the local host may query the resolution library; commenting it out allows queries from all hosts

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;                           // whether recursive queries are allowed
        dnssec-enable no;                        // DNSSEC adds security components to DNS; set both of these to no so they do not interfere with the test results
        dnssec-validation no;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
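The comment in the options block above describes the combination that turns a server into an amplification source: recursion enabled while any host may query. The following shell script is an added example, not part of the original post or of BIND itself; it reads a named.conf with comments stripped and reports whether that combination is present, so the check can run before named is restarted. The three configuration files it examines are constructed for the example; the parser assumes one directive per line and block comments that start and end on their own lines, as in the stock file.

```shell
#!/bin/sh
# Added example (not from the original post): flag a named.conf whose options
# leave recursion on while queries are allowed from anywhere. Sample files
# below are constructed; the parser assumes one directive per line and that
# /* */ comments start and end on their own lines, as in the stock file.

# Print the configuration with //, # and /* */ comments removed, so a
# directive that has merely been commented out is not taken as active.
effective_directives() {
    sed -e 's://.*$::' -e 's:#.*$::' "$1" | awk '
        /\/\*/ { inblock = 1 }
        !inblock { print }
        /\*\// { inblock = 0 }
    '
}

# Value of a "name { ...; };" directive with braces, spaces and semicolons
# stripped, e.g. "allow-query { localhost; };" -> "localhost". Empty if absent.
acl_value() {
    printf '%s\n' "$2" | awk -F'[{}]' -v name="$1" \
        '$1 ~ ("^[[:space:]]*" name "[[:space:]]*$") { gsub(/[[:space:];]/, "", $2); print $2; exit }'
}

# Classify the server: "open-resolver" when recursion is on (BIND's default
# when the directive is absent) and neither allow-recursion nor allow-query
# restricts the clients; "restricted" otherwise.
resolver_exposure() {
    conf=$(effective_directives "$1")
    recursion=$(printf '%s\n' "$conf" | awk '$1 == "recursion" { gsub(/;/, "", $2); print $2; exit }')
    [ -n "$recursion" ] || recursion=yes
    acl=$(acl_value allow-recursion "$conf")
    [ -n "$acl" ] || acl=$(acl_value allow-query "$conf")
    if [ "$recursion" = "yes" ] && { [ -z "$acl" ] || [ "$acl" = "any" ]; }; then
        echo open-resolver
    else
        echo restricted
    fi
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed: the stock options block with allow-query commented out, as the
# walkthrough suggests, and recursion left on.
cat > "$workdir/risky.conf" <<'EOF'
options {
        listen-on port 53 { 127.0.0.1; };
        directory "/var/named";
        // allow-query { localhost; };
        /*
         - If your recursive DNS server has a public IP address, you MUST enable
           access control to limit queries to your legitimate users.
        */
        recursion yes;
        dnssec-enable no;
        dnssec-validation no;
};
EOF

# Constructed: the same server limited to the lab network, which is what the
# comment in the stock file asks for.
cat > "$workdir/hardened.conf" <<'EOF'
options {
        listen-on port 53 { 127.0.0.1; 192.168.2.18; };
        directory "/var/named";
        allow-query { localhost; 192.168.2.0/24; };
        allow-recursion { localhost; 192.168.2.0/24; };
        recursion yes;
};
EOF

# Constructed: an authoritative-only server, where recursion is simply off.
cat > "$workdir/authoritative.conf" <<'EOF'
options {
        directory "/var/named";
        allow-query { any; };
        recursion no;
};
EOF

for f in risky hardened authoritative; do
    printf '%s.conf: %s\n' "$f" "$(resolver_exposure "$workdir/$f.conf")"
done
```

On a real server run resolver_exposure /etc/named.conf: a lab server should report restricted once allow-query (or allow-recursion) has been limited to the lab network instead of simply being commented out, which is the setting the walkthrough arrives at.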

Logging section logging { ... }:

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
Zone section zone { ... }:
zone "." IN {
        type hint;
        file "named.ca";
};

A zone is configured with the keyword zone; it defines which zone (resolution library) file is consulted when the specified domain is resolved.
In the master configuration file only the zone of the root domain is configured by default, and its file is named.ca. This lets the DNS server act as a cache for the root.
The zone definitions for all other domains are placed in /etc/named.rfc1912.zones, which is pulled into the master configuration file with include:

include "/etc/named.rfc1912.zones";

At this point a caching DNS server is configured.

Step three: create the zone configuration
The zone configuration for each domain is placed in /etc/named.rfc1912.zones

Zone definition format:
zone "zone_name" IN {
        type master|slave|forward;       // note that each statement ends with a semicolon
        file "zone_name.zone";
};                                       // note the closing semicolon

hint: points to the root domain
master: primary DNS server
slave: secondary (slave) DNS server
forward: defines forwarding

We edit the configuration file to create a forward zone and a reverse zone.

We create the corresponding resolution library (zone) files under /var/named/.

Note: the forward zone file does not need PTR records, and the reverse zone file does not need CNAME or MX records. Also note that a name such as ns.lishuai.com. ends with a dot, and that dot cannot be omitted.
The third step: test the configuration file and the zone file for errors
Inspection tools
① named-checkconf: checks the syntax and integrity of the configuration file
② named-checkzone: checks the syntax and integrity of the zone resolution library file
Usage: named-checkzone zonename filename
For example: named-checkzone zone_name /var/named/zone_name.zone
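The zone files themselves are not reproduced on this page, so the following shell script is an added example, not the post's own zone files or BIND code: it builds the forward zone for lishuai.com and the matching reverse zone for 192.168.2.0/24 from one host table, lints both against the rules in the note above (every FQDN ends with a dot, no PTR in the forward file, no CNAME or MX in the reverse file), and runs named-checkzone on them when BIND's tools are installed. The host names, the addresses other than the .18 server and .29 client, and the SOA serial are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): generate lishuai.com.zone and
# 2.168.192.zone from one host table, then lint them against the rules the
# note gives. Host names, most addresses and the serial are constructed.

# Reverse zone name for a dotted /24 prefix: 192.168.2 -> 2.168.192.in-addr.arpa
# (also the name dig -x queries under, one label per address octet, reversed).
reverse_zone_name() {
    printf '%s\n' "$1" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# Add the trailing dot the note warns about when a name lacks one.
fqdn() {
    case "$1" in
        *.) printf '%s\n' "$1" ;;
        *)  printf '%s.\n' "$1" ;;
    esac
}

# SOA and NS records shared by both zone files ($1 = zone, $2 = name server).
zone_header() {
    printf '$TTL 86400\n'
    printf '@\tIN\tSOA\t%s admin.%s ( 2024010101 3600 900 604800 86400 )\n' \
        "$(fqdn "$2")" "$(fqdn "$1")"
    printf '@\tIN\tNS\t%s\n' "$(fqdn "$2")"
}

# Forward zone: A records from the "name ip" table plus a constructed MX and CNAME.
write_forward_zone() {
    zone=$1 ns=$2 table=$3
    zone_header "$zone" "$ns"
    printf '@\tIN\tMX\t10\t%s\n' "$(fqdn "mail.$zone")"
    printf 'ftp\tIN\tCNAME\t%s\n' "$(fqdn "www.$zone")"
    printf '%s\n' "$table" | while read -r name ip; do
        printf '%s\tIN\tA\t%s\n' "$name" "$ip"
    done
}

# Reverse zone: one PTR per host, keyed by the last octet, pointing at the FQDN.
write_reverse_zone() {
    rzone=$1 ns=$2 fzone=$3 table=$4
    zone_header "$rzone" "$ns"
    printf '%s\n' "$table" | while read -r name ip; do
        printf '%s\tIN\tPTR\t%s\n' "${ip##*.}" "$(fqdn "$name.$fzone")"
    done
}

# Lint a zone file ($1) of kind "forward" or "reverse" ($2) against the note's
# rules: print each violation and return 1 if any were found. Expects one
# record per line, which is how the writers above emit them.
lint_zone() {
    awk -v kind="$2" '
        BEGIN { bad = 0 }
        NF < 4 || $2 != "IN" { next }                      # $TTL, comments, blanks
        kind == "forward" && $3 == "PTR" {
            print FILENAME ": PTR record does not belong in a forward zone: " $0; bad = 1 }
        kind == "reverse" && ($3 == "CNAME" || $3 == "MX") {
            print FILENAME ": " $3 " record does not belong in a reverse zone: " $0; bad = 1 }
        ($3 == "NS" || $3 == "CNAME" || $3 == "PTR") && $4 !~ /\.$/ {
            print FILENAME ": name is missing its trailing dot: " $0; bad = 1 }
        $3 == "MX" && $5 !~ /\.$/ {
            print FILENAME ": mail exchanger is missing its trailing dot: " $0; bad = 1 }
        END { exit bad }
    ' "$1"
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed host table for the lab network (the page puts the server at .18
# and the test client at .29; the other two hosts are invented).
hosts='ns 192.168.2.18
www 192.168.2.20
mail 192.168.2.21
client 192.168.2.29'

rev=$(reverse_zone_name 192.168.2)
write_forward_zone lishuai.com ns.lishuai.com "$hosts" > "$workdir/lishuai.com.zone"
write_reverse_zone "$rev" ns.lishuai.com lishuai.com "$hosts" > "$workdir/2.168.192.zone"

# Constructed: the mistake the note describes, an NS target without its dot.
printf '$TTL 86400\n@\tIN\tNS\tns.lishuai.com\n' > "$workdir/bad.zone"

lint_zone "$workdir/lishuai.com.zone" forward && echo "lishuai.com.zone passes the lint"
lint_zone "$workdir/2.168.192.zone" reverse && echo "2.168.192.zone passes the lint"
lint_zone "$workdir/bad.zone" forward || echo "bad.zone rejected (BIND would read ns.lishuai.com as ns.lishuai.com.lishuai.com.)"

# The page's own check, when BIND's tools are installed on this host.
if command -v named-checkzone >/dev/null 2>&1; then
    named-checkzone lishuai.com "$workdir/lishuai.com.zone"
    named-checkzone "$rev" "$workdir/2.168.192.zone"
fi
```

The lint is deliberately narrower than named-checkzone: it only enforces the three rules from the note, so a file that passes it still needs named-checkzone before the restart in the next steps. The reverse zone name it derives (2.168.192.in-addr.arpa) is also the zonename argument named-checkzone expects for the 2.168.192.zone file.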


Step four: modify permissions
chown root:named /var/named/lishuai.com.zone
chown root:named /var/named/2.168.192.zone
chmod 640 /var/named/lishuai.com.zone
chmod 640 /var/named/2.168.192.zone

Fifth step: restart the service or reread the configuration file

systemctl restart named, or rndc reload, or systemctl reload named

Sixth step: turn off SELinux and iptables
Seventh step: test
Test tools
dig

Common format: dig [-t TYPE] [@SERVER] [-x IP_ADDR] FQDN
where
-t specifies the resource record type to query (see below);
-x performs reverse resolution of the given IP address;
@SERVER specifies which DNS server to query; without this option the system default is used.

host
Common format: host [-t TYPE] FQDN [SERVER_IP]

Here we test from the host 192.168.2.29; our bind service is installed on the host 192.16.2.18.
