Introduction to bind-chroot

DNS is the service that resolves domain names to IP addresses.

BIND (the named daemon) is the DNS server software shipped with most Linux distributions.

bind-chroot is an add-on package that runs named inside a chroot: the / (root) directory named sees is not the system's real root but a subdirectory of it, /var/named/chroot on CentOS 7. The point is to limit what a compromised named process can reach. Only that subtree is visible to it, and because named also drops privileges to the unprivileged named user, it cannot climb out into the rest of the filesystem. A chroot is not a full sandbox (it restricts neither the network nor the kernel attack surface), so treat it as one layer alongside keeping BIND patched and limiting whom the server answers, not as a substitute for either.

Preparation

Environment: CentOS 7

Install bind-chroot

yum install bind-chroot bind -y

Set the hostname

On CentOS 7 a static hostname can be set directly and takes effect without a reboot:

hostnamectl --static set-hostname WH-DNS-00.JP

Firewall

The simplest route is to stop firewalld altogether, but on a server that will answer on every interface it is better to leave the firewall running and open only port 53 (TCP and UDP, firewalld's dns service) to the networks that are meant to query it; with the firewall off and the allow-query { any; } used below, anyone who can reach the host gets a recursive resolver. If you do disable it:

systemctl stop firewalld                    # stop the firewall now
systemctl disable firewalld.service         # keep firewalld from starting at boot

Configure named

Copy BIND's sample files into the chroot to seed it (bind-9.9.4 in the path is the version CentOS 7 ships; check /usr/share/doc for the version actually installed):

cp -R /usr/share/doc/bind-9.9.4/sample/var/named/* /var/named/chroot/var/named/

Create the runtime files and directories inside the chroot

touch /var/named/chroot/var/named/data/cache_dump.db
touch /var/named/chroot/var/named/data/named_stats.txt
touch /var/named/chroot/var/named/data/named_mem_stats.txt
touch /var/named/chroot/var/named/data/named.run
mkdir /var/named/chroot/var/named/dynamic
touch /var/named/chroot/var/named/dynamic/managed-keys.bind

Make the runtime directories writable by named. The original used chmod -R 777, which lets every local account rewrite named's cache dump, statistics and managed-keys files; named only needs them writable by its own user and group, which is how the bind package ships them:

chown -R named:named /var/named/chroot/var/named/data
chown -R named:named /var/named/chroot/var/named/dynamic
chmod 770 /var/named/chroot/var/named/data /var/named/chroot/var/named/dynamic

Copy /etc/named.conf into the chroot

cp -p /etc/named.conf /var/named/chroot/etc/named.conf
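The preparation steps above, as one added shell script (my own code, not part of the original post or of the bind package). It builds the same layout but with the ownership and modes the CentOS 7 bind package uses instead of chmod -R 777. The ROOT argument, the second "owner" argument and the mode_of helper are conveniences so the script can be tried against a scratch directory as a non-root user; the named account is assumed to exist on a real DNS host.

```shell
#!/bin/sh
# Build the bind chroot layout with least-privilege ownership and modes.
# Usage (as root on the DNS host):   prepare_bind_chroot
# Dry run as any user:               prepare_bind_chroot /tmp/chroot-test

prepare_bind_chroot() {
    root=${1:-/var/named/chroot}
    owner=${2:-named}          # account named runs as; assumed to exist on a real host

    # Directories named needs at runtime.  slaves/ is where secondary zone
    # copies belong, because it is the only zone directory named may write to.
    for d in etc var/named/data var/named/dynamic var/named/slaves run/named; do
        mkdir -p "$root/$d"
    done

    # Runtime files referenced from named.conf; ">>" creates them without
    # truncating, so re-running the script never empties managed-keys.bind.
    for f in data/cache_dump.db data/named_stats.txt data/named_mem_stats.txt \
             data/named.run dynamic/managed-keys.bind; do
        : >> "$root/var/named/$f"
    done

    # Sample zone files and the stock named.conf, when present on this host.
    # The doc path depends on the installed bind version (9.9.4 on CentOS 7).
    if [ -d /usr/share/doc/bind-9.9.4/sample/var/named ]; then
        cp -Rn /usr/share/doc/bind-9.9.4/sample/var/named/. "$root/var/named/"
    fi
    if [ -f /etc/named.conf ] && [ ! -e "$root/etc/named.conf" ]; then
        cp -p /etc/named.conf "$root/etc/named.conf"
    fi

    # Writable by the named group only; "other" gets nothing.
    chmod 770 "$root/var/named/data" "$root/var/named/dynamic" "$root/var/named/slaves"
    chmod 660 "$root/var/named/data"/* "$root/var/named/dynamic"/*

    # Ownership can only be applied as root, and only if the account exists.
    if [ "$(id -u)" -eq 0 ] && getent passwd "$owner" >/dev/null 2>&1; then
        chown -R "$owner:$owner" "$root/var/named/data" \
            "$root/var/named/dynamic" "$root/var/named/slaves"
        # The config stays root-owned and read-only for named.
        if [ -e "$root/etc/named.conf" ]; then
            chown "root:$owner" "$root/etc/named.conf"
            chmod 640 "$root/etc/named.conf"
        fi
    fi
}

# Octal mode of a path (GNU stat), for checking the result.
mode_of() {
    stat -c '%a' "$1"
}
```

The script is idempotent, so it can be re-run after a package update without losing the managed-keys file or the stats the running named has written.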

Edit the chroot copy of named.conf. On CentOS 7, named-chroot.service bind-mounts /etc/named.conf and /var/named into the chroot only when the corresponding path inside the chroot is empty, so once the chroot has been populated by hand as above, the files under /var/named/chroot are the ones named actually reads; edit those, not /etc/named.conf, and check them with named-checkconf -t /var/named/chroot /etc/named.conf before each restart.

vim /var/named/chroot/etc/named.conf

Reference configurations follow. Two settings deserve a hard look before copying them. First, allow-query { any; } together with allow-query-cache { any; } and recursion yes means every client that can reach port 53 gets recursive service; combined with the disabled firewall that is an open resolver, usable for DDoS amplification and a target for cache-poisoning attempts. Serve the authoritative zones to anyone if you wish, but restrict recursion with allow-recursion { localnets; localhost; } or a tighter ACL. Second, dnssec-validation no switches off validation of answers from upstream; leave it enabled unless the forwarders are known to break it. The allow-transfer lists limited to the secondary's address are the minimum; TSIG-signed transfers are the stronger option.

On IPv6: the original note says to comment out listen-on-v6 port 53 { ::1; } when the host has no IPv6, or queries become slow. Listening on ::1 is harmless; the slowdown comes from named trying to reach upstream servers over IPv6 when it has no IPv6 route, which is fixed by starting named with -4 (OPTIONS="-4" in /etc/sysconfig/named).

Primary DNS

options {
    listen-on port 53 { any; };
    #listen-on-v6 port 53 { ::1; };
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query     { any; };
    allow-query-cache   { any; };
    notify yes;
    also-notify { 192.168.16.144; };
    forwarders  {
        202.103.24.68;
        114.114.114.114;
    };
    recursion yes;
    dnssec-enable no;
    dnssec-validation no;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
    type hint;
    file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
#xxxxx.org
zone "xxxxx.org" IN {
    type master;
    file "named.xxxxx.org";
    allow-transfer { 192.168.16.144; };   # only the secondary may transfer the zone
    allow-query { any; };
};

# reverse zones
zone "0.0.127.in-addr.arpa" IN {
    type master;                # this server is authoritative for the zone
    file "named.loopback";      # zone file, relative to "directory"
    allow-transfer { none; };   # nobody may transfer it
};
zone "168.192.in-addr.arpa" IN {
    type master;                # authoritative
    file "named.arpa";          # zone file
    allow-update { none; };     # no dynamic updates
    allow-transfer { 192.168.16.144; };
};

Secondary DNS

options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { ::1; };
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query     { any; };
    allow-query-cache   { any; };
    forwarders  {
        202.103.24.68;
        114.114.114.114;
    };
    recursion yes;
    dnssec-enable no;
    dnssec-validation no;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
    type hint;
    file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
#xxxxx.org
zone "xxxxx.org" IN {
    type slave;
    masters { 192.168.16.68; };
    file "slaves/named.xxxxx.org";
    allow-transfer { none; };
};

# reverse zones
zone "0.0.127.in-addr.arpa" IN {
    type master;                # authoritative for loopback
    file "named.loopback";      # zone file
    allow-transfer { none; };   # nobody may transfer it
};
zone "168.192.in-addr.arpa" IN {
    type slave;                 # a copy pulled from the primary
    file "slaves/named.arpa";   # written by named, so it must live under slaves/
    masters { 192.168.16.68; };
    allow-transfer { none; };
};
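As an added example, not from the original post, here is a shell audit for the weak spots in configurations like the two above: recursion open to every client, dnssec-validation switched off, and a master zone with no allow-transfer at all (BIND 9.9's default is to allow transfer to anyone). The two sample files written by write_samples are constructed for the example, trimmed from the primary config above, and put the weak settings beside their corrected form; the function names are mine.

```shell
#!/bin/sh
# Coarse audit of a named.conf for open recursion and zone-transfer exposure.
# A regex heuristic over the top-level blocks, not a named.conf parser; it
# does not follow "include" lines.  Use named-checkconf for syntax.

# Strip //, # and /* */ comments and join the file onto one line so that
# multi-line blocks can be matched with a single regex.
flatten_conf() {
    sed -e 's://.*$::' -e 's:#.*$::' "$1" | tr '\n' ' ' \
        | sed -e 's:/\*[^*]*\*/::g' | tr -s ' \t' ' '
}

# Print each top-level block ("options { ... };", "zone ... { ... };") on its
# own line; top-level statements such as include "..."; are skipped.
top_blocks() {
    flatten_conf "$1" | awk '{
        s = $0; n = length(s); depth = 0; start = 1
        for (i = 1; i <= n; i++) {
            c = substr(s, i, 1)
            if (c == "{") { depth++ }
            else if (c == "}") {
                depth--
                if (depth == 0) {
                    j = index(substr(s, i), ";"); end = (j ? i + j - 1 : i)
                    blk = substr(s, start, end - start + 1)
                    sub(/^ +/, "", blk); print blk
                    start = end + 1
                }
            }
            else if (c == ";" && depth == 0) { start = i + 1 }
        }
    }'
}

# has STRING ERE -> true when the regex matches the string
has() { printf '%s' "$1" | grep -Eq -- "$2"; }

# audit_named_conf FILE -> one finding per line, nothing when clean
audit_named_conf() {
    blocks=$(top_blocks "$1")
    opts=$(printf '%s\n' "$blocks" | grep -E '^options *\{' || true)

    # BIND recurses by default, so only "recursion no" or an allow-recursion
    # ACL keeps "allow-query { any; }" from opening recursion to the world.
    if ! has "$opts" 'recursion *no *;' && ! has "$opts" 'allow-recursion *\{' \
       && has "$opts" 'allow-query *\{ *any *;'; then
        echo "open-resolver: recursion offered to any client; add allow-recursion { localnets; localhost; } or recursion no"
    fi
    if has "$opts" 'dnssec-validation *no *;'; then
        echo "dnssec-off: dnssec-validation no disables validation of upstream answers"
    fi
    global_xfer=0; if has "$opts" 'allow-transfer *\{'; then global_xfer=1; fi

    printf '%s\n' "$blocks" | grep -E '^zone ' | while IFS= read -r blk; do
        if ! has "$blk" 'type *master *;'; then continue; fi
        name=$(printf '%s' "$blk" | sed -E 's/^zone *"([^"]*)".*/\1/')
        if has "$blk" 'allow-transfer *\{ *any *;'; then
            echo "axfr-any: zone $name allows transfer to anyone"
        elif ! has "$blk" 'allow-transfer *\{' && [ "$global_xfer" -eq 0 ]; then
            echo "axfr-default: zone $name has no allow-transfer; BIND 9.9 defaults to any"
        fi
    done
}

# Constructed samples trimmed from the primary config above (not the page's
# exact file): write_samples DIR creates weak.conf and hardened.conf.
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
options {
    allow-query     { any; };
    allow-query-cache   { any; };
    recursion yes;
    dnssec-validation no;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
};
include "/etc/named.rfc1912.zones";
#xxxxx.org
zone "xxxxx.org" IN {
    type master;
    file "named.xxxxx.org";
    allow-transfer { 192.168.16.144; };
};
zone "168.192.in-addr.arpa" IN {
    type master;   # no allow-transfer at all
    file "named.arpa";
};
EOF
    cat > "$1/hardened.conf" <<'EOF'
options {
    allow-query     { any; };
    allow-recursion { localnets; localhost; };
    recursion yes;
    dnssec-validation yes;
};
zone "xxxxx.org" IN {
    type master;
    file "named.xxxxx.org";
    allow-transfer { 192.168.16.144; };
};
zone "168.192.in-addr.arpa" IN {
    type master;
    file "named.arpa";
    allow-transfer { 192.168.16.144; };
};
EOF
}
```

Run audit_named_conf /var/named/chroot/etc/named.conf on the real file; on weak.conf it reports three findings and on hardened.conf none. The hardened variant keeps allow-query { any; } so the authoritative zones stay public while recursion is limited to the local networks.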

Create the zone file

A zone file holds the records for one domain; BIND loads one file per zone, found under the directory set in options. Create the file named in the zone "xxxxx.org" statement:

vim /var/named/chroot/var/named/named.xxxxx.org

$TTL 86400  ; 1 day
@               IN SOA  WH-DNS-01.JP. lanpang.xxxxx.org. (
                124        ; serial
                86400      ; refresh (1 day)
                3600       ; retry (1 hour)
                604800     ; expire (1 week)
                10800      ; minimum (3 hours)
                )
            NS  WH-DNS-01.JP.
            NS  WH-DNS-02.JP.
*           A   192.168.16.37
upload      A   106.75.131.201

Two corrections to the original file. It named the zone xxxxx.com (SOA owner, RNAME and $ORIGIN) although named.conf loads it as zone "xxxxx.org"; an unqualified owner such as xxxxx.com would have been read as xxxxx.com.xxxxx.org, so the apex is written as @ and the RNAME (the admin mailbox, with @ written as a dot) uses the zone's own domain. It also carried A records for WH-DNS-01.JP. and WH-DNS-02.JP., which BIND ignores as out-of-zone data when loading xxxxx.org (named-checkzone warns about them), so they are dropped; those two names must resolve through whatever serves the JP zone, or the name servers must be named inside the zone and given A records here. Raise the serial after every edit, otherwise the secondary keeps its old copy. The wildcard * record makes every name under xxxxx.org without an explicit record resolve to 192.168.16.37, so mistyped and guessed names never fail to resolve; keep that in mind before relying on NXDOMAIN for anything.

Glossary:
SOA record: start of authority; its bracketed block carries the timing parameters (serial, refresh, retry, expire, minimum) that control how the secondary checks for changes and how long it keeps the zone and negative answers.
A record: maps a name to an IPv4 address.
CNAME record: an alias; the name resolves to whatever the target name resolves to (the original compared it to Zhang San moving into Li Si's house, so both share one address).
MX record: names the mail server that receives mail for addresses in the domain (xxx@abc.com).
TXT record: free-form text. 126.com, for example, publishes "v=spf1 include:spf.163.com -all", an SPF policy that tells receiving mail servers which hosts may send mail for the domain, so that its mail is not taken for spam.
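Two helpers, added here and not from the original post, for the two mistakes the zone file above is most prone to: a serial that is not raised after an edit (the secondary then never transfers the change), and owner names that do not belong to the zone declared in named.conf. write_sample_zone writes a constructed copy of the corrected file above; the function names are mine, and both helpers assume the multi-line SOA layout used here, with the serial on its own "; serial" line.

```shell
#!/bin/sh
# Serial bump and owner-name check for a BIND zone file.

# zone_serial FILE -> prints the current SOA serial
zone_serial() {
    awk '/; *serial/ { print $1; exit }' "$1"
}

# bump_serial FILE -> increments the serial in place and prints the new value.
# Writing through "cat >" keeps the file's owner and mode (named must still be
# able to read it), which replacing it with a mv of the temp file would not.
bump_serial() {
    zone=$1
    old=$(zone_serial "$zone")
    if [ -z "$old" ]; then echo "no '; serial' line in $zone" >&2; return 1; fi
    new=$((old + 1))
    tmp=$(mktemp)
    awk -v new="$new" '!done && /; *serial/ { sub(/[0-9]+/, new); done = 1 } { print }' \
        "$zone" > "$tmp"
    cat "$tmp" > "$zone" && rm -f "$tmp"
    echo "$new"
}

# zone_names_match FILE ZONE -> 0 when the SOA owner and every $ORIGIN are "@"
# or ZONE itself, 1 otherwise.  Catches xxxxx.com records in the file loaded
# for zone "xxxxx.org": a relative owner like "xxxxx.com" would silently load
# as xxxxx.com.xxxxx.org.
zone_names_match() {
    awk -v z="$2." '
        $1 == "$ORIGIN" && $2 != z                  { bad = 1 }
        /[ \t]SOA[ \t]/ && $1 != "@" && $1 != z     { bad = 1 }
        END { exit bad }' "$1"
}

# Constructed sample zone (a copy of the corrected file above, not the page's
# own file): write_sample_zone FILE
write_sample_zone() {
    cat > "$1" <<'EOF'
$TTL 86400  ; 1 day
@               IN SOA  WH-DNS-01.JP. lanpang.xxxxx.org. (
                124        ; serial
                86400      ; refresh (1 day)
                3600       ; retry (1 hour)
                604800     ; expire (1 week)
                10800      ; minimum (3 hours)
                )
            NS  WH-DNS-01.JP.
            NS  WH-DNS-02.JP.
*           A   192.168.16.37
upload      A   106.75.131.201
EOF
}
```

After editing the live file, bump_serial /var/named/chroot/var/named/named.xxxxx.org followed by rndc reload (or a restart of named-chroot) is what makes the secondary pull the new copy; zone_names_match FILE xxxxx.org is worth running before the reload, since BIND loads a mismatched owner without complaint.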

Finally

  • Permissions

    If everything is configured and named still refuses to start or does not answer, check ownership and permissions first. The quick fix is chown -R named:named /var/named/, but that also makes the primary zone files writable by named, which a compromised named could then tamper with; the tighter arrangement is root:named with mode 640 on named.conf and the primary zone files, and named:named 770 only on data/, dynamic/ and slaves/. Validate the configuration with named-checkconf -t /var/named/chroot /etc/named.conf and each zone with named-checkzone xxxxx.org /var/named/chroot/var/named/named.xxxxx.org, and read journalctl -u named-chroot for the actual error.

  • Start commands

    systemctl enable named-chroot
    systemctl start named-chroot

    Enable named-chroot only; named.service is the same daemon started without the chroot, and enabling both leaves two instances contending for port 53.