## DNS服務初始化 ### 1、安裝bind9軟件 #### 在hdss7-11服務器上部署 ``` yum -y install wget net-tools telnet tree nmap sysstat lrzsz dos2unix bind-utils -y yum install bind -y ~]# rpm -qa bind bind-9.11.4-26.P2.el7_9.2.x86_64 ``` #### 配置文件修改 ``` [root@hdss7-11 ~]# cat /etc/named.conf // // named.conf // // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS // server as a caching only nameserver (as a localhost DNS resolver only). // // See /usr/share/doc/bind*/sample/ for example named configuration files. // // See the BIND Administrator's Reference Manual (ARM) for details about the // configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html options { listen-on port 53 { 10.4.7.11; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; recursing-file "/var/named/data/named.recursing"; secroots-file "/var/named/data/named.secroots"; allow-query { any; }; forwarders { 10.4.7.1; }; /* - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion. - If you are building a RECURSIVE (caching) DNS server, you need to enable recursion. - If your recursive DNS server has a public IP address, you MUST enable access control to limit queries to your legitimate users. Failing to do so will cause your server to become part of large scale DNS amplification attacks. Implementing BCP38 within your network would greatly reduce such attack surface */ recursion yes; dnssec-enable no; dnssec-validation no; ``` #### 檢查配置 ``` named-checkconf ``` ### 區域配置文件，配置添加的最后面。 ``` vim /etc/named.rfc1912.zones zone "host.com" IN { type master; file "host.com.zone"; allow-update { 10.4.7.11; }; }; zone "od.com" IN { type master; file "od.com.zone"; allow-update { 10.4.7.11; }; }; ``` ### 配置區域數據文件 #### 1、配置主機域數據文件 ``` [root@hdss7-11 conf.d]# cat /var/named/host.com.zone $ORIGIN host.com. $TTL 600 ; 10 minutes @ IN SOA dns.host.com. dnsadmin.host.com. ( 2020111001 ; serial 10800 ; refresh (3 hours) 900 ; retry (15 minutes) 604800 ; expire (1 week) 86400 ; minimum (1 day) ) NS dns.host.com. $TTL 60 ; 1 minute dns A 10.4.7.11 HDSS7-11 A 10.4.7.11 HDSS7-12 A 10.4.7.12 HDSS7-21 A 10.4.7.21 HDSS7-22 A 10.4.7.22 HDSS7-23 A 10.4.7.23 HDSS7-200 A 10.4.7.200 ``` #### 2、配置服務域數據文件 ``` [root@hdss7-11 conf.d]# cat /var/named/od.com.zone $ORIGIN od.com. $TTL 600 ; 10 minutes @ IN SOA dns.od.com. dnsadmin.od.com. ( 2020111007 ; serial 10800 ; refresh (3 hours) 900 ; retry (15 minutes) 604800 ; expire (1 week) 86400 ; minimum (1 day) ) NS dns.od.com. $TTL 60 ; 1 minute dns A 10.4.7.11 harbor A 10.4.7.200 ``` ### 檢查服務啟動服務 ``` [root@hdss7-11 ~]# named-checkconf [root@hdss7-11 ~]# systemctl start named [root@hdss7-11 ~]# systemctl enable named [root@hdss7-11 ~]# netstat -lnt Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 10.4.7.11:53 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN tcp6 0 0 :::22 :::* LISTEN ``` ### 使用dig驗證 ``` [root@hdss7-11 conf.d]# dig -t -A hdss7-12.host.com @10.4.7.11 +short ;; Warning, ignoring invalid type -A 10.4.7.12 ``` ### 網卡文件修改成自建的DNS ``` cat /etc/sysconfig/network-scripts/ifcfg-ens33 DNS1=10.4.7.11 ``` #### DNS短域名 ``` cat /etc/resolv.conf search host.com nameserver 10.4.7.11 ``` #### 驗證： ``` [root@hdss7-11 conf.d]# ping hdss7-12 PING HDSS7-12.host.com (10.4.7.12) 56(84) bytes of data. 64 bytes from 10.4.7.12 (10.4.7.12): icmp_seq=1 ttl=64 time=0.243 ms 64 bytes from 10.4.7.12 (10.4.7.12): icmp_seq=2 ttl=64 time=0.212 ms ``` ### 自己的windows電腦可以用域名訪問