CentOS 5.5下安装Bind9.6
时间:2014-05-18 23:54 来源:linux.it.net.cn 作者:IT网
安装bind前先安装gcc,配置好yum源,yum -y install gcc,如果有run.pid报错,直接rm -rf /var/run/yum.pid (解决yum-updatesd服务正运行的情况)
下载 bind9.6到/root/Desktop,先进至目录里,然后wget ftp://ftp.isc.org/isc/bind9/9.6.0-P1/bind-9.6.0-P1.tar.gz
解压bind-9.6.0-P1.tar.gz
# tar zxvf bind-9.6.0-P1.tar.gz
进入解压出来的 bind-9.6.0-P1 文件夹
# cd bind-9.6.0-P1
创建安装目录,我是安装在 /opt/bind
# mkdir /opt/bind
编译,指定安装目录,开启多线程支持
#./configure --prefix=/opt/bind --enable-threads --disable-openssl-version-check --disable-ipv6
#Make 大约需要几分钟,只要不报错就继续下去。
# make
#Make install 安装
# make install
没有报错,就表示安装成功了。
开始配置bind,接下来的过程是让rndc来管理bind9.6
创建 rndc.conf文件,用bind自带程序生成
进入/opt/bind/etc,将rndc.conf及named.conf生成
# cd /opt/bind/etc
# /opt/bind/sbin/rndc-confgen > /opt/bind/etc/rndc.conf
把rndc.conf 中的key信息输出到 named.conf 中
# tail -10 rndc.conf | head -9 | sed -e s/#\ //g > named.conf
这里强调一下,rndc.conf与named.conf的key值必须完全一样,而且并不需要生成rndc.key,这个问题纠缠了我大约3个小时
# vim named.conf
// named.conf for the master server, exactly as listed on this page; the
// comments are review notes. The page starts named without "-u" (see the
// rc.local line further down), i.e. as root: create an unprivileged user,
// give it write access to the directory below and pass "-u <user>".

// Shared secret for rndc. This is the value rndc-confgen wrote on the
// author's host and it is now public through this article — run
// /opt/bind/sbin/rndc-confgen yourself and keep the generated key identical
// in rndc.conf and here (the text above stresses the two must match).
// hmac-md5 is what rndc-confgen emits in this release; use an HMAC-SHA
// algorithm where the build supports it (not verifiable from this page).
key "rndc-key" {
algorithm hmac-md5;
secret "WeHHAt0lui+9WihUW6HdsQ==";
};
// Control channel: bound to loopback and restricted to loopback clients that
// present the key above. Nothing here needs TCP/UDP 953 reachable from other
// hosts, so a host firewall does not have to open that port.
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
// Working directory for the relative "file" names below.
// NOTE(review): no recursion / allow-query / allow-transfer statement is
// given, so BIND's defaults apply. For an authoritative-only server add
// "recursion no;" here; see the allow-transfer remark on the master zones.
options {
directory "/opt/bind/var/named";
};
// Root hints; the page generates named.ca with "dig -t NS .".
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "localhost.zone";
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};
// Authoritative zones. In this BIND generation the default allow-transfer is
// "any", so anyone can AXFR the full zone. The slave configuration later on
// the page pulls these zones from 192.168.1.179 (presumably this host); the
// slave's own address is not on the page — add
// "allow-transfer { <SLAVE-IP>; };" (placeholder) to each zone so only the
// slave can copy it.
zone "linuxidc.com" IN {
type master;
file "linuxidc.zone";
};
zone "88181.com" IN {
type master;
file "88181.zone";
};
创建named文件夹:
# mkdir /opt/bind/var/named
进入named文件夹
# cd /opt/bind/var/named/
写入以下内容
# vi localhost.zone
写入以下内容:
; localhost.zone — forward zone for "localhost", loaded by the
; zone "localhost" stanza in named.conf. $TTL is the default TTL for records
; that give none; $ORIGIN makes relative names end in "localhost.".
$TTL 86400
$ORIGIN localhost.
; SOA: primary server "@" (localhost.), contact "root" (root.localhost.),
; then serial / refresh / retry / expire / minimum (negative-cache TTL).
@ 1D IN SOA @ root (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
; NOTE(review): the two records below carry no owner name; they inherit "@"
; only if the line begins with whitespace. The page may have stripped that
; leading indentation — restore it when copying.
1D IN NS @
1D IN A 127.0.0.1
将根服务器的信息导入到/opt/bind/var/named/named.ca文件中
# dig -t NS . >/opt/bind/var/named/named.ca
创建文件named.local
#vi named.local
; named.local — reverse zone for 127.0.0.0/8 (0.0.127.in-addr.arpa).
$TTL 86400
; SOA for the reverse zone; contact is root@localhost.
@ IN SOA localhost. root.localhost. (
1997022700 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
; NOTE(review): an owner-less record inherits "@" only when the line starts
; with whitespace; that indentation may have been lost on the page.
IN NS localhost.
; 1.0.0.127.in-addr.arpa -> localhost.
1 IN PTR localhost.
创建linuxidc.zone
# vi linuxidc.zone
; linuxidc.zone — master file for linuxidc.com (zone "linuxidc.com" in
; named.conf). There is no $ORIGIN line, so relative names get the zone name
; appended.
$TTL 86400
; Increase the serial on every edit; a slave only re-transfers the zone when
; the serial grows.
@ IN SOA linuxidc.com. root.linuxidc.com. (
57 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
; NOTE(review): the NS and MX lines carry no owner name and apply to "@" only
; if they begin with whitespace (possibly stripped by the page). Only "dns"
; is delegated as NS even though dns1/dns2 also have addresses.
IN NS dns.linuxidc.com.
; NOTE(review): the MX target "mail" (mail.linuxidc.com) has no A record in
; this file, so mail for the domain cannot be delivered until one is added.
IN MX 5 mail
dns IN A 121.101.211.72
dns1 IN A 121.101.211.72
dns2 IN A 121.101.211.74
www IN A 121.101.211.76
创建88181.zone
#vi 88181.zone
; 88181.zone — master file for 88181.com (zone "88181.com" in named.conf);
; no $ORIGIN, so relative names get ".88181.com." appended.
$TTL 86400
; Increase the serial whenever the file changes so the slave re-transfers it.
@ IN SOA 88181.com. root.88181.com. (
57 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
; NOTE(review): owner-less NS/MX lines belong to "@" only if they begin with
; whitespace (the page may have stripped it).
IN NS dns.88181.com.
; NOTE(review): "mail" has no A record in this file, so this MX is not
; deliverable until one is added.
IN MX 5 mail
dns IN A 121.101.211.72
dns1 IN A 121.101.211.72
dns2 IN A 121.101.211.74
; NOTE(review): 192.168.1.179 is a private (RFC 1918) address — the same host
; the slave configuration below names as its master. Clients outside that
; LAN cannot reach it, so this record only makes sense for an internal zone.
www IN A 192.168.1.179
特别注意:bind的配置文档是区分大小写的。
下面就可以启动bind来测试安装是否成功了
# /opt/bind/sbin/named -gc /opt/bind/etc/named.conf &
加 -gc 参数(即 -g 和 -c 两个参数合写),可以显示出启动日志,以便出错排查。
如果运行结果最后一行显示
Running
表明安装并启动成功。
测试rndc命令 /opt/bind/sbin/rndc status,正确的话应该有状态提示,我一般是直接编辑vim /root/.bashrc加进一个alias rndc9='/opt/bind/sbin/rndc'
把named 添加到启动项,随操作系统一起启动。
# cd /etc/rc.d
# vim rc.local
在最后添加以下内容
/opt/bind/sbin/named -c /opt/bind/etc/named.conf &
退出保存。
可以尝试重启服务器,然后用命令nslookup及dig测试,或用ps aux | grep named查看进程,结束此服务用命令killall named
附加从DNS配置文件:
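// named.conf for the slave (secondary) server, from the page's appendix.
// Fix relative to the listing: the final zone block lacked its closing "};",
// which makes named reject the whole file at startup.

// Separate rndc secret for this host. It too is published on this page —
// generate a fresh one with /opt/bind/sbin/rndc-confgen on the slave and keep
// rndc.conf and this key identical.
key "rndc-key" {
algorithm hmac-md5;
secret "c97aVpbK9mWdlbefliG7qg==";
};
// Control channel on loopback only; no firewall hole is needed for 953.
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
// Working directory for the relative "file" names below.
options {
directory "/opt/bind/var/named";
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "localhost.zone";
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};
// Secondary copies pulled from 192.168.1.179 over TCP 53. named writes the
// transferred zone into "file", so the slaves/ subdirectory under
// "directory" must exist and be writable by the user named runs as. The
// ".salve" spelling is kept as given — it is only a file name.
zone "linuxidc.com" IN {
type slave;
file "slaves/linuxidc.salve";
masters{192.168.1.179;};
};
zone "88181.com" IN {
type slave;
file "slaves/88181.salve";
masters{192.168.1.179;};
};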
附加防火墙策略
[root@linuxidc opt]# vi vivabj069.sh
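#!/bin/bash
# Host firewall for the BIND box set up above: default-deny on INPUT and
# OUTPUT, stateful return traffic, and explicit holes for SSH, FTP (control
# channel plus a passive data range), HTTP/8080 and DNS.
#
# Differences from the listing this replaces:
#  * the DROP policies are applied only after the ACCEPT rules exist, so a
#    rule that fails (we abort on error) leaves the host reachable instead of
#    locked out;
#  * loopback is accepted unconditionally, which is what rndc -> 127.0.0.1:953
#    actually needs; port 953 is therefore no longer opened to every host
#    (named.conf binds the control channel to 127.0.0.1 only);
#  * the INPUT rules that accepted any packet with *source* port 53 or 953
#    are gone — a remote sender picks its own source port, so those rules let
#    arbitrary traffic in. Replies to this host's own queries are already
#    matched by the RELATED,ESTABLISHED rule.
set -eu

if [[ "$EUID" -ne 0 ]]; then
  printf '%s: must be run as root\n' "${0##*/}" >&2
  exit 1
fi

# Load the service (modules, saved state); the init script may exit non-zero
# when no saved ruleset exists yet, which is harmless because every rule is
# rebuilt below.
service iptables restart || true
iptables -F

# Loopback first: rndc, "dig @127.0.0.1" and named itself need it.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Return traffic for connections this host accepted or initiated.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# SSH in, and SSH out from this box.
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT

# FTP: control channel, active-mode data from port 20, passive range.
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -A INPUT -p tcp --dport 20020:20030 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 21 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 20 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 20020:20030 -j ACCEPT

# HTTP and 8080, both directions.
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 8080 -j ACCEPT

# DNS: queries to this server (UDP, and TCP for zone transfers and large
# answers) and queries this server sends out (root hints, notifies).
iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT

# Default deny, set last so an error above cannot strand the session.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Persist so "service iptables start" at boot reloads this ruleset.
service iptables save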
执行防火墙:
附CNAME 解析记录
# sh vivabj069.sh
# vi linuxidc.zone
; linuxidc.zone revisited to show a CNAME record.
; NOTE(review): this copy names it.net.cn. in the SOA, NS and CNAME target
; while named.conf still loads the file as zone "linuxidc.com" — presumably a
; search-and-replace when the article was republished; use one zone name
; consistently.
$TTL 86400
; NOTE(review): the serial is still 57, the same as the earlier version of
; this file; a slave comparing serials would never fetch the added record.
@ IN SOA it.net.cn. root.it.net.cn. (
57 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
; Owner-less NS/MX lines apply to "@" only when they begin with whitespace
; (possibly stripped by the page). "mail" still has no A record here.
IN NS dns.it.net.cn.
IN MX 5 mail
dns IN A 121.101.211.72
dns1 IN A 121.101.211.72
dns2 IN A 121.101.211.74
www IN A 121.101.211.76
; Alias. The target is absolute (trailing dot); without the dot the origin
; would be appended to it, which is the point the text below makes.
wwww IN CNAME www.it.net.cn.
注意域名后面必须跟“.”;