## DNS service initialization

### 1. Install the bind9 package

#### Deploy on the hdss7-11 server

```
yum install -y wget net-tools telnet tree nmap sysstat lrzsz dos2unix bind-utils
yum install -y bind
~]# rpm -qa bind
bind-9.11.4-26.P2.el7_9.2.x86_64
```

#### Edit the configuration file

Relevant part of `/etc/named.conf` after editing:

```
[root@hdss7-11 ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { 10.4.7.11; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };
        forwarders      { 10.4.7.1; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable no;
        dnssec-validation no;
```

This server is both authoritative for the two zones below and a recursive resolver that forwards to 10.4.7.1. With `allow-query { any; };` and `recursion yes;` it answers recursive queries from every client that can reach it, which is the combination the comment in the stock file warns about; here it only listens on the internal address 10.4.7.11, so queries are limited to the lab network.

#### Check the configuration

```
named-checkconf
```

### 2. Zone configuration file (append to the end of the file)

```
vim /etc/named.rfc1912.zones

zone "host.com" IN {
        type  master;
        file  "host.com.zone";
        allow-update { 10.4.7.11; };
};

zone "od.com" IN {
        type  master;
        file  "od.com.zone";
        allow-update { 10.4.7.11; };
};
```

### 3. Zone data files

#### 1. Host domain (host.com) zone file

```
[root@hdss7-11 conf.d]# cat /var/named/host.com.zone
$ORIGIN host.com.
$TTL 600        ; 10 minutes
@               IN SOA  dns.host.com. dnsadmin.host.com. (
                                2020111001 ; serial
                                10800      ; refresh (3 hours)
                                900        ; retry (15 minutes)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        NS      dns.host.com.
$TTL 60 ; 1 minute
dns             A       10.4.7.11
HDSS7-11        A       10.4.7.11
HDSS7-12        A       10.4.7.12
HDSS7-21        A       10.4.7.21
HDSS7-22        A       10.4.7.22
HDSS7-23        A       10.4.7.23
HDSS7-200       A       10.4.7.200
```

#### 2. Service domain (od.com) zone file

```
[root@hdss7-11 conf.d]# cat /var/named/od.com.zone
$ORIGIN od.com.
$TTL 600        ; 10 minutes
@               IN SOA  dns.od.com. dnsadmin.od.com. (
                                2020111007 ; serial
                                10800      ; refresh (3 hours)
                                900        ; retry (15 minutes)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        NS      dns.od.com.
$TTL 60 ; 1 minute
dns             A       10.4.7.11
harbor          A       10.4.7.200
```

### 4. Check the configuration and start the service

```
[root@hdss7-11 ~]# named-checkconf
[root@hdss7-11 ~]# systemctl start named
[root@hdss7-11 ~]# systemctl enable named
[root@hdss7-11 ~]# netstat -lnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.4.7.11:53            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
```

Port 53 is bound only to 10.4.7.11, as configured by `listen-on`; 953 is the rndc control channel on localhost.

### 5. Verify with dig

```
[root@hdss7-11 conf.d]# dig -t -A hdss7-12.host.com @10.4.7.11 +short
;; Warning, ignoring invalid type -A
10.4.7.12
```

The warning comes from the typo `-t -A`: the record type should be written `-t A`. dig ignores the invalid type and falls back to its default query type A, so the answer is still correct.

### 6. Point the network interface at the self-hosted DNS

```
cat /etc/sysconfig/network-scripts/ifcfg-ens33
DNS1=10.4.7.11
```

#### Short host names

The `search` domain lets unqualified names resolve inside host.com:

```
cat /etc/resolv.conf
search host.com
nameserver 10.4.7.11
```

#### Verification

```
[root@hdss7-11 conf.d]# ping hdss7-12
PING HDSS7-12.host.com (10.4.7.12) 56(84) bytes of data.
64 bytes from 10.4.7.12 (10.4.7.12): icmp_seq=1 ttl=64 time=0.243 ms
64 bytes from 10.4.7.12 (10.4.7.12): icmp_seq=2 ttl=64 time=0.212 ms
```

### 7. Your own Windows machine can also resolve these names

![](https://img.kancloud.cn/60/84/60840f05c2a9905e7207424cdc7f249e_812x609.png)

![](https://img.kancloud.cn/8d/4f/8d4f48575e2137627976e52ed098244b_493x150.png)
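The `named.conf` options and the zone files above are the pieces that most often go wrong in a setup like this. As an added example (not part of the original tutorial), the script below audits constructed copies of those files: it flags the `recursion yes` + `allow-query { any; }` combination the stock file's comment warns about, parses the zone layout used here (parenthesised SOA, inherited owner names), and checks that every in-zone NS target has an A record. The parser is a hypothetical helper that handles only this layout, not a full RFC 1035 parser.

```python
import re

# Constructed samples reproducing the relevant parts of the page's named.conf
# options block and host.com zone file (only the records needed for the checks).
NAMED_CONF = """options {
        listen-on port 53 { 10.4.7.11; };
        allow-query     { any; };
        forwarders      { 10.4.7.1; };
        /* see the BCP38 comment in the stock file */
        recursion yes;
        dnssec-enable no;
        dnssec-validation no;
};"""

HOST_ZONE = """$ORIGIN host.com.
$TTL 600        ; 10 minutes
@               IN SOA  dns.host.com. dnsadmin.host.com. (
                                2020111001 ; serial
                                10800      ; refresh (3 hours)
                                900        ; retry (15 minutes)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        NS      dns.host.com.
$TTL 60 ; 1 minute
dns             A       10.4.7.11
HDSS7-11        A       10.4.7.11
"""

def audit_named_conf(conf):
    """Flag the option combinations the stock named.conf comment warns about."""
    conf = re.sub(r"/\*.*?\*/|//[^\n]*", "", conf, flags=re.S)      # drop both comment styles
    findings = []
    allow_query = re.search(r"\ballow-query\s*\{([^}]*)\}", conf)
    if re.search(r"\brecursion\s+yes\s*;", conf) and allow_query and "any" in allow_query.group(1):
        findings.append("recursion yes + allow-query any: open recursive resolver")
    if re.search(r"\bdnssec-validation\s+no\s*;", conf):
        findings.append("dnssec-validation no: forwarded answers are not validated")
    return findings

def parse_zone(text):
    """Return {'origin', 'records': [(owner, type, rdata)]} for the simple layout above:
    one RR per line, optional IN class, owner inherited when the line starts with whitespace."""
    text = re.sub(r";[^\n]*", "", text)                                # strip ; comments
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)  # fold SOA parens
    origin, owner, records = None, "@", []
    for line in text.splitlines():
        if not line.strip() or line.startswith("$TTL"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        tokens = line.split()
        if not line[0].isspace():                                      # explicit owner name
            owner = tokens.pop(0)
        if tokens and tokens[0] == "IN":
            tokens.pop(0)
        records.append((owner.lower(), tokens[0], " ".join(tokens[1:])))
    return {"origin": origin, "records": records}

def check_ns_glue(zone):
    """Every in-zone NS target needs an A record, otherwise resolvers cannot reach the server."""
    origin = zone["origin"].lower()
    a_names = {o if o.endswith(".") else f"{o}.{origin}" for o, t, _ in zone["records"] if t == "A"}
    return [target for _, t, target in zone["records"]
            if t == "NS" and target.lower().endswith(origin) and target.lower() not in a_names]
```

Running the same checks over od.com.zone would pass as well, since `dns` has an A record there too; removing that record is the easiest way to see `check_ns_glue` report the missing glue.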