
Installing and configuring master/slave BIND DNS servers on CentOS 8/RHEL 8

2019-11-25 15:10:54, by 高风科, source: 云网牛站

This article walks you through the steps needed to configure BIND DNS on CentOS 8/RHEL 8 Linux as a master/slave setup. We will install an authoritative BIND DNS master and a slave on CentOS 8 and configure both, including adding A/AAAA and PTR records.

Installing the BIND DNS server on CentOS 8/RHEL 8

Run the following command to install the BIND DNS server packages on your CentOS 8/RHEL 8 Linux server:

$ sudo dnf -y install bind bind-utils vim

In this setup we leave SELinux in enforcing mode:

$ getenforce

Enforcing

The reason, quoting Red Hat's SELinux documentation:

SELinux helps mitigate the damage made by configuration mistakes. Domain Name System (DNS) servers often replicate information between each other in what is known as a zone transfer. Attackers can use zone transfers to update DNS servers with false information. When running the Berkeley Internet Name Domain (BIND) as a DNS server in Red Hat Enterprise Linux, even if an administrator forgets to limit which servers can perform a zone transfer, the default SELinux policy prevents zone files from being updated using zone transfers, by the BIND named daemon itself, and by other processes (Source: Red Hat).

In practice this means the daemon may only write under /var/named/slaves, /var/named/dynamic and /var/named/data (labelled named_cache_t); the master zone files in /var/named itself are named_zone_t and stay read-only to named. That is why the slave's transferred copies are placed under slaves/ later in this guide.

Configuring the BIND authoritative DNS server on CentOS 8/RHEL 8

Let's configure the BIND authoritative DNS server. Open the configuration file /etc/named.conf.

Our DNS servers use the following settings:

Zone (domain name): computingforgeeks.com

Hosted subnet: 192.168.154.0/24

Master server IP: 192.168.154.88

Slave server IP: 192.168.154.94

This is the named.conf configuration file:

$ sudo vim /etc/named.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
    ## Listen on all interfaces: this is an authoritative server that must be
    ## reachable from outside. The same applies to IPv6.
    listen-on port 53 { any; };
    listen-on-v6 port 53 { any; };

    directory       "/var/named";
    dump-file       "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file   "/var/named/data/named.secroots";
    recursing-file  "/var/named/data/named.recursing";

    ## Authoritative nameserver: answer queries from any host ...
    allow-query     { any; };
    ## ... but only let the slave pull zone transfers (AXFR/IXFR).
    allow-transfer  { 192.168.154.94; };

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface.
    */
    recursion no; ## Following the advice above.

    dnssec-enable yes;
    dnssec-validation yes;

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";

    /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
    include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

## Zone definitions: one forward and one reverse zone per domain. The file
## names are your choice; they are relative to the "directory" option
## (/var/named).
zone "computingforgeeks.com" IN {
    type master;
    file "computingforgeeks.forward";
    allow-update { none; };
};

## Reverse zone naming rule: reverse the network octets and append
## in-addr.arpa. 192.168.154.0/24 -> 154.168.192.in-addr.arpa (a host
## 192.168.10.10 would live in 10.168.192.in-addr.arpa).
zone "154.168.192.in-addr.arpa" IN {
    type master;
    file "computingforgeeks.reverse";
    allow-update { none; };
};

This configuration is for the master, 192.168.154.88. Note that in a real deployment the authoritative servers need publicly reachable addresses; the private 192.168.154.0/24 addresses used here only work inside the lab network.

1. Create the zone files

With the file names set in named.conf, we now create the zone files and put in them all the records you want to publish (A/AAAA, MX, PTR and so on). Create the files in the /var/named/ directory:

$ sudo vim /var/named/computingforgeeks.forward

$TTL 86400
; Comments in zone files start with ';' ('#' is not a comment here and makes
; named reject the file). Lines that start at column one name a new owner;
; '@' stands for the zone itself.
@   IN  SOA     dns1.computingforgeeks.com. root.computingforgeeks.com. (
            ; Any increasing integer works as the serial, but YYYYMMDDnn is
            ; the convention. Bump it on every edit or the slave never
            ; retransfers the zone.
            2019112201  ;Serial
            3600        ;Refresh
            1800        ;Retry
            604800      ;Expire
            86400       ;Minimum TTL
)

; Name servers for the zone
@        IN  NS      dns1.computingforgeeks.com.
@        IN  NS      dns2.computingforgeeks.com.

; Address of the bare domain name
@        IN  A       192.168.154.88

; Mail exchanger (MX)
@        IN  MX 10   dns1.computingforgeeks.com.

; One A record per host. Sample A records.
dns1     IN  A       192.168.154.88
dns2     IN  A       192.168.154.94
mail1    IN  A       192.168.154.97

Create the matching reverse zone for the same domain we defined in named.conf:

$ sudo vim /var/named/computingforgeeks.reverse

$TTL 86400
@   IN  SOA     dns1.computingforgeeks.com. root.computingforgeeks.com. (
            2019112201  ;Serial
            3600        ;Refresh
            1800        ;Retry
            604800      ;Expire
            86400       ;Minimum TTL
)

; Name servers (both servers are authoritative for the reverse zone too)
@        IN  NS      dns1.computingforgeeks.com.
@        IN  NS      dns2.computingforgeeks.com.

; One PTR record per host; the owner is the last octet of the address
; within 154.168.192.in-addr.arpa. Sample PTR records.
88       IN  PTR     dns1.computingforgeeks.com.
94       IN  PTR     dns2.computingforgeeks.com.
97       IN  PTR     mail1.computingforgeeks.com.

2. Change the DNS settings on the master

Make the new DNS server the default nameserver. Open /etc/resolv.conf and add the following line, replacing the IP to match your environment. Note that on CentOS 8/RHEL 8 NetworkManager rewrites /etc/resolv.conf, so a hand edit is lost at the next reconnect or reboot; to make it stick, set the server on the connection instead (nmcli con mod <connection> ipv4.dns 192.168.154.88, then nmcli con up <connection>), or set dns=none under [main] in /etc/NetworkManager/NetworkManager.conf so the file is left alone:

$ sudo vim /etc/resolv.conf  

nameserver 192.168.154.88

3. Allow the DNS service through the firewall

Configure firewalld to allow the dns service (this opens 53/tcp and 53/udp; TCP is needed for zone transfers and large responses, not just UDP):

sudo firewall-cmd --add-service=dns --permanent

sudo firewall-cmd --reload

See also: Configuring and managing the firewall on CentOS 8

Check that the configuration is valid, then start and enable BIND:

sudo named-checkconf

sudo systemctl start named

sudo systemctl enable named 

That completes the BIND DNS master; let's move on to configuring the slave.

4. Configure the slave DNS server (192.168.154.94)

On the slave, install bind and bind-utils:

sudo dnf -y install bind bind-utils vim

Configure the slave by opening /etc/named.conf and editing it as follows:

$ sudo vim /etc/named.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
//

options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { any; };

    directory       "/var/named";
    dump-file       "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file  "/var/named/data/named.recursing";
    secroots-file   "/var/named/data/named.secroots";

    allow-query     { any; };  ## Any host may query the slave for our zones
    allow-transfer  { none; }; ## Nobody pulls zone transfers from the slave

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface.
    */
    ## The slave also serves as the caching resolver for our LAN clients, so
    ## recursion stays on, but only for the local subnet. Without
    ## allow-recursion, "recursion yes" plus "allow-query { any; }" on a
    ## public address is an open resolver, exactly what the note above warns
    ## against.
    recursion yes;
    allow-recursion { localhost; 192.168.154.0/24; };

    dnssec-enable yes;
    dnssec-validation yes;

    /* Root trust anchor used for DNSSEC validation */
    bindkeys-file "/etc/named.root.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

## Zone definitions for forward and reverse lookups. The files are created
## automatically by the first transfer and must live under slaves/: SELinux
## labels /var/named/slaves named_cache_t, the only zone directory named is
## allowed to write to.
zone "computingforgeeks.com" IN {
    type slave;
    file "slaves/computingforgeeks.forward";
    masters { 192.168.154.88; }; ## Master this zone is transferred from
};

zone "154.168.192.in-addr.arpa" IN {
    type slave;
    file "slaves/computingforgeeks.reverse";
    masters { 192.168.154.88; }; ## Master this zone is transferred from
};
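The master's allow-transfer and the slave's masters statement above authorise the transfer by source IP alone. TSIG signs every transfer request with a shared secret, so a host that spoofs or later inherits the slave's address cannot pull the zone. The following is an added example, not configuration from the original article: the key name xfer-key and the path /etc/named.xfer.key are this example's own choices, and the secret shown is a placeholder to be replaced with the value tsig-keygen (shipped with BIND 9.11) prints.

```conf
## On the master, generate the key once, then copy the file to the slave over
## an authenticated channel (scp). It must be readable by named and nobody
## else:
##   sudo tsig-keygen xfer-key | sudo tee /etc/named.xfer.key
##   sudo chown root:named /etc/named.xfer.key
##   sudo chmod 640 /etc/named.xfer.key
##
## /etc/named.xfer.key, identical on both servers (placeholder secret, use the
## one tsig-keygen printed):
key "xfer-key" {
    algorithm hmac-sha256;
    secret "ZXhhbXBsZS1zZWNyZXQtcmVwbGFjZS1tZQ==";
};

## Master /etc/named.conf: the key, not the slave's address, authorises
## transfers.
include "/etc/named.xfer.key";
options {
    ## ... existing options unchanged ...
    allow-transfer { key "xfer-key"; };
};

## Slave /etc/named.conf: sign every request sent to the master, and name
## the key on the zone so transfers and SOA refresh queries carry it.
include "/etc/named.xfer.key";
server 192.168.154.88 {
    keys { "xfer-key"; };
};
zone "computingforgeeks.com" IN {
    type slave;
    file "slaves/computingforgeeks.forward";
    masters { 192.168.154.88 key "xfer-key"; };
};
```

After reloading both servers, a signed transfer from the slave still works (dig @192.168.154.88 computingforgeeks.com AXFR -y hmac-sha256:xfer-key:<secret>), while an unsigned AXFR from the slave's own address now ends in "Transfer failed". ACL elements are OR-ed, so listing the IP and the key side by side would accept either; to require both, BIND's nested-negation form is needed: allow-transfer { !{ !192.168.154.94; any; }; key "xfer-key"; };.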

5. Change the DNS settings on the slave

Set both of our new DNS servers (master and slave) as the default nameservers. Open /etc/resolv.conf and add the following lines, replacing the IPs to match your environment. As on the master, NetworkManager overwrites this file, so set the servers on the connection with nmcli (nmcli con mod <connection> ipv4.dns "192.168.154.88 192.168.154.94") if the change has to survive a reboot:

$ sudo vim /etc/resolv.conf

nameserver 192.168.154.88

nameserver 192.168.154.94

Check that the configuration is valid, then start and enable BIND:

sudo named-checkconf

sudo systemctl start named

sudo systemctl enable named

Check that the zone files have been transferred from the master into the /var/named/slaves directory:

$ ll /var/named/slaves/

total 12

-rw-r--r-- 1 named named 480 Nov 23 14:16 computingforgeeks.forward

-rw-r--r-- 1 named named 492 Nov 23 14:45 computingforgeeks.reverse
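The checks in this guide (named-checkconf on both servers, the slaves/ listing above) confirm that the first transfer worked; the day-to-day failure is a zone edit that never reaches the slave because the SOA serial was not bumped. As an added example, not a script from the original article, the following ties the checks together: it bumps the serial in the master's zone file, validates named.conf and the zone with named-checkconf and named-checkzone, reloads the zone and compares the serial that the master and the slave return. A second function, run from a host that is not the slave, confirms that the master refuses AXFR to it and that neither server recurses for names outside our zone. The zone, file paths and addresses are the article's; the function names and the publish/check arguments are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original article: publish a change to the
# master zone and confirm the slave picks it up. Paths, zone and addresses
# are the article's; the helper names are this example's own.
set -eu

ZONE="computingforgeeks.com"
ZONEFILE="/var/named/computingforgeeks.forward"
MASTER="192.168.154.88"
SLAVE="192.168.154.94"

# next_serial CURRENT [YYYYMMDD]: the next serial in YYYYMMDDnn form.
# Same day -> counter + 1, new day -> <date>01. A serial that is not bumped
# is the classic reason a slave never retransfers after an edit. RFC 1982
# requires serials to strictly increase, so if the zone's current serial is
# somehow already ahead of today's value we just add one to it.
next_serial() {
    cur=$1
    today=${2:-$(date +%Y%m%d)}
    if [ "$(printf '%s' "$cur" | cut -c1-8)" = "$today" ]; then
        new=$((cur + 1))
    else
        new="${today}01"
    fi
    if [ "$new" -le "$cur" ]; then
        new=$((cur + 1))
    fi
    printf '%s\n' "$new"
}

# current_serial FILE: the serial of a zone file laid out like the article's,
# i.e. the number on the line that carries the ";Serial" comment.
current_serial() {
    awk '/;[[:space:]]*Serial/ { print $1; exit }' "$1"
}

# soa_serial SERVER: the serial in the SOA that SERVER returns for the zone.
soa_serial() {
    dig +short @"$1" "$ZONE" SOA | awk '{ print $3 }'
}

# publish_zone_change: bump the serial, validate, reload, verify (on master).
publish_zone_change() {
    old=$(current_serial "$ZONEFILE")
    new=$(next_serial "$old")
    sed -i -E "s/^([[:space:]]*)${old}([[:space:]]*;[[:space:]]*Serial)/\1${new}\2/" "$ZONEFILE"

    # named-checkzone catches what named would reject at load time, e.g.
    # '#' comments or records whose owner name is a stray "IN".
    named-checkconf /etc/named.conf
    named-checkzone "$ZONE" "$ZONEFILE"
    rndc reload "$ZONE"

    echo "master serial: $(soa_serial "$MASTER")"
    sleep 5                      # give NOTIFY and the slave's transfer a moment
    echo "slave serial:  $(soa_serial "$SLAVE")"
    [ "$(soa_serial "$SLAVE")" = "$new" ] ||
        echo "slave lags; on the slave run: rndc retransfer $ZONE"
}

# check_exposure: run from a host that is neither the slave nor inside
# 192.168.154.0/24. The master must refuse AXFR to it, and neither server
# should resolve names outside our zone for it (an empty +short answer is
# what a REFUSED or referral-only response looks like).
check_exposure() {
    if dig @"$MASTER" "$ZONE" AXFR | grep -q 'Transfer failed'; then
        echo "ok: AXFR refused from this host"
    else
        echo "WARNING: this host can AXFR $ZONE; review allow-transfer"
    fi
    for s in "$MASTER" "$SLAVE"; do
        if [ -n "$(dig +short @"$s" example.com A)" ]; then
            echo "WARNING: $s answers recursive queries for outside names"
        else
            echo "ok: $s does not recurse for this host"
        fi
    done
}

# Run the live checks only when asked; with no argument the functions are
# merely defined, so the file can be sourced.
case "${1:-}" in
    publish) publish_zone_change ;;
    check)   check_exposure ;;
esac
```

Run it as sh publish_zone.sh publish on the master after editing the zone file, and as sh publish_zone.sh check from a host outside the subnet. The serial logic is deliberately pure so it can be exercised without a running named.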

6. Prove that our DNS works

To test that our DNS servers resolve names, we will query the BIND servers from a Windows machine.

Change the Windows network adapter settings as shown below so that its DNS servers point at the new servers:

[Screenshot: Windows adapter DNS settings pointing at the new servers]

Open PowerShell or a command prompt, type nslookup and test our DNS service:

[Screenshot: nslookup output against the new servers]


Our BIND DNS is working. If you are using a Linux client, point its resolver at the new servers in /etc/resolv.conf (or via nmcli on NetworkManager systems); /etc/hosts only holds static name-to-address entries and does not control which DNS servers are queried.

Conclusion

That covers installing and configuring master/slave BIND DNS servers on CentOS 8/RHEL 8. After the steps above, our BIND master and slave are both running and serving the zone.
