系统平台:CentOS 6.6 x86_64
Bind版本:bind-9.10.2
准备工作
下载bind 源码包, 省略……
安装开发工具包, 省略……
安装:
解压bind-9.10.2.tar.gz
#tar xvf bind-9.10.2.tar.gz #cd bind-9.10.2/ #./configure -h
#./configure --prefix=/usr/local/bind --mandir=/usr/share/ --sysconfdir=/etc/named/ --disable-ipv6 --disable-chroot --enable-threads #make -j 2 && make install
#ln -s /usr/local/bind/bin/* /usr/bin/ #ln -s /usr/local/bind/sbin/* /usr/sbin/
#groupadd -r named #useradd -r -g named -M -s /sbin/nologin named #mkdir /usr/local/bind/var/run/named #chown named:named /usr/local/bind/var/run/named #ll -d /usr/local/bind/var/run/named/
#[ -d /etc/named/ ] || mkdir /etc/named #chown named:named /etc/named #[ -d /var/named ] || mkdir /var/named #chown named:named /var/named
开始配置基础zone文件
#dig -t NS . @61.139.2.69 > /var/named/named.ca #cd /var/named/ # vim named.localhost $TTL 1D @ IN SOA @ rname.invalid. ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H) ; minimum NS @ A 127.0.0.1 #vim named.loopback $TTL 1D @ IN SOA @ rname.invalid. ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H) ; minimum NS @ A 127.0.0.1 PTR localhost. #chown -R named.named /var/named/*
named.conf主配置文件 (bind安装源码文件中有提供named.conf的示例文件,bin/tests/named.conf)
#rndc-confgen -r /dev/urandom > /etc/named/rndc.conf #cd /etc/named/ #touch named.conf #vim rndc.conf 命令模式下 :2,11w >> named.conf #cat named.conf #vim named.conf options { directory "/var/named"; listen-on port 53 {any; }; allow-query {any; }; recursion yes; }; zone "." IN { type hint; file "named.ca"; }; zone "localhost" IN { type master; file "named.localhost"; allow-update { none; }; }; zone "0.0.127.in-addr.arpa" IN { type master; file "named.loopback"; allow-update { none; }; }; # Use with the following in named.conf,adjusting the allow list as needed: key"rndc-key" { algorithm hmac-md5; secret "8VWpbjeJ8mochoPghAN5SQ=="; }; # controls{ inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; }; #chown -R named.named /etc/named/*
运行named
# named -u named -g # named -u named # netstat -tunpl # tail /var/log/messages 查看日志情况,是否有报错 # iptables -t filter -I INPUT -p udp --dport 53 -j ACCEPT 远程电脑查询下域名,看是否能够正常查询
named 的系统服务脚本
#!/bin/bash # named a network name service. # chkconfig: 345 35 75 # description: a name server [ -r /etc/rc.d/init.d/functions ] && . /etc/rc.d/init.d/functions PidFile=/usr/local/bind/var/run/named/named.pid LockFile=/var/lock/subsys/named named=named start() { [ -x /usr/local/bind/sbin/$named ] || exit 4 if [ -f $LockFile ]; then echo -n "$named is already running..." failure echo exit 5 fi echo -n "Starting $named: " daemon --pidfile "$PidFile" /usr/local/bind/sbin/$named -u named -4 RETVAL=$? echo if [ $RETVAL -eq 0 ]; then touch $LockFile return 0 else rm -f $LockFile $PidFile return 1 fi } stop() { if [ ! -f $LockFile ];then echo "$named is not started." failure fi echo -n "Stopping $named: " killproc $named RETVAL=$? echo [ $RETVAL -eq 0 ] && rm -f $LockFile return 0 } restart() { stop sleep 1 start } reload() { echo -n "Reloading $named: " killproc $named -HUP RETVAL=$? echo return $RETVAL } status() { if pidof $named > /dev/null && [ -f $PidFile ]; then echo "$named is running..." else echo "$named is stopped..." fi } case $1 in start) start ;; stop) stop ;; restart) restart ;; reload) reload ;; status) status ;; *) echo "Usage:named {start|stop|status|reload|restart}" exit 2;; esac
redirect 区域类型
该类型功能是如果在查询不到域名的情况下,重定向返回一个设定IP ,而不是返回空结果。
所以 可以利用该功能做一些额外的服务。
zone "." IN { type redirect; file "redirect.file"; }; $TTL 3600 @ IN SOA ns.EXAMPLE.net. mail.EXAMPLE.net. ( 0 0 0 0 0 ) @ IN NS ns.EXAMPLE.net *. IN A 8.8.8.8
测试
$GENERATE 指令用法
文档的介绍如下:
语法:
$GENERATE range lhs type rhs [ comment ]
$GENERATE 指令是用来生成一个资源记录序列,资源记录彼此之间只有一个重复性的
不同。$GENERATE 指令可以容易地被用来生成一个记录集合来支持RFC2317 中所描述的
sub/24 反向授权:无类的IN-ADDR.ARPA 授权。
$ORIGIN 0.0.192.IN-ADDR.ARPA.
$GENERATE 1-2 0 NS SERVER$.EXAMPLE.
$GENERATE 1-127 $ CNAME $.0
等价于:
0.0.0.192.IN-ADDR.ARPA NS SERVER1.EXAMPLE.
0.0.0.192.IN-ADDR.ARPA NS SERVER2.EXAMPLE.
1.0.0.192.IN-ADDR.ARPA CNAME 1.0.0.0.192.IN-ADDR.ARPA
2.0.0.192.IN-ADDR.ARPA CNAME 2.0.0.0.192.IN-ADDR.ARPA
…
127.0.0.192.IN-ADDR.ARPA CNAME 127.0.0.0.192.IN-ADDR.ARPA
实际测试
$GENERATE 1-6 lh$ 3600 IN CNAME googlehosted.l 等价于: ;lh2 3600 IN CNAME googlehosted.l ;lh3 3600 IN CNAME googlehosted.l ;lh4 3600 IN CNAME googlehosted.l ;lh5 3600 IN CNAME googlehosted.l ;lh6 3600 IN CNAME googlehosted.l ;lh7 3600 IN CNAME googlehosted.l
查询结果
named.conf 中 option选项中的一个参数:
deny-answer-addresses 用法.
语法:
deny-answer-addresses {
address_match_list
} [ except-from { namelist } ];
从字面意思上不难理解,组织一个回答的地址.
比如我们dig 查询一个域名 fscdnuni-vip.115.com
可以看到返回有很多IP .
那么我们如果添加一个IP到 deny 选项中呢 ?
deny-answer-addresses { 58.252.100.82;} ;
我们这里添加了其中一个IP 到deny-answer-addresses 中.
# rndc reload # rndc flushname fscdnuni-vip.115.com
再查询试试:
发现,不予回复了.
deny-answer-addresses { 58.252.100.82;} except-from {"115.com";} ;
添加一个可选参数 except-from (例外)
这就是 deny-answer-addresses 的功能.
address_match_list 的格式可以是单个IP地址, 也可以死CIDR格式的网络地址段.
如果回复的IP地址中有和 address_match_list 中的匹配,哪怕只是一个,那么 named 在向外递归或者转发查询的时候,就不会给客户端返回查询结果了,因为它理解为只要有一个IP不可信,那么改条查询均不可信.
deny-answer-aliases 这个选项理应跟上面的选项功能类似,但是我这里测试好像没效果.
有谁知道怎么用才对么?
原创文章,作者:奋斗,如若转载,请注明出处:https://blog.ytso.com/191795.html