所有的命令与文件的路径都是基于raspberry-pi的Raspbian系统和bind9的安装
uname -a
Linux dns.cqlr.com 5.15.32+ #1538 Thu Mar 31 19:37:58 BST 2022 armv6l GNU/Linux
Linux dns.cqlr.com 5.15.32+ #1538 Thu Mar 31 19:37:58 BST 2022 armv6l GNU/Linux
lsb_release -a
No LSB modules are available.
Distributor ID: Raspbian
Description: Raspbian GNU/Linux 11 (bullseye)
Release: 11
Codename: bullseye
1.apt安装程序包 sudo apt install bind9 bind9-doc dnsutils
2.我的raspberry-pi 开启了dhcp客户端服务,导致配置了静态IP(修改/etc/networ/interface)后,dhcpcd 服务又自动获取了IP,重而让服务器有两个IP,关闭dhcpcd服务使用此命令,sudo systemctl disable dhcpcd,
cat interfaces# interfaces(5) file used by ifup(8) and ifdown(8)
# Include files from /etc/network/interfaces.d:
source /etc/network/interfaces.d/*
auto eth0
iface eth0 inet static
address 192.168.199.100/24
gateway 192.168.199.1
# Include files from /etc/network/interfaces.d:
source /etc/network/interfaces.d/*
auto eth0
iface eth0 inet static
address 192.168.199.100/24
gateway 192.168.199.1
你可以不关闭dhcpcd服务,不修改interfaces,转为修改/etc/dhcpcd.conf 设置如下的参数(这种方法我没有测试过,认为关掉一个服务,设备开销要少一些)
interface eth0
static ip_address=192.168.1.23/24
static routers=192.168.1.1
static domain_name_servers=192.168.1.1
bind9的配置文件如下:
/etc/bind/named.conf
主要的配置文件,没有配置内容只有对named.conf.options named.conf.local named.conf.default-zones的引用
/etc/bind/named.conf.options
bind服务器的配置选项文件,包括侦听端口,forwarders选项等
/etc/bind/named.conf.local
bind服务器的本地区域配置,此区域的数据将不对外转发
/etc/bind/named.conf.default-zones
bind服务器的默认区域
/usr/share/doc/bind9-doc/arm 目录下有详细的管理手册html文档
https://www.cnblogs.com/doherasyang/p/14464999.html 这是一篇中文文档
几个有用的指令
sudo systemctl status bind9 查看当前bind9服务状态
sudo systemctl restart bind9 重启bind服务器
named-checkconf 检查配置文件
named-checkzone 检查配置区域
sudo rndc flush 清除缓存
rndc是在bind运行时进行操作的管理工具,很有用!
关于修改bind启动项:
修改/etc/defaults/named中的OPTIONS="-4 -u bind"数据即可让bind9按指定的参数运行
关于这些参数的作用请参考named -help或手册
我这里的-4是指定使用ipv4
关于启动日志
/var/log/syslog中有详细的启动与停止信息可以查看,非常有用
named.conf包括以下几个配置区段
1.acl
2.controls
3.dlz
4.dnssec-policy
5.dyndb
6.key
7.loggind
8.managed-keys
9.masters
10.options
11.parental-agents
12.plugin
13.primaries
14.server
15.statistics-channels
16.trust-anchors
17.trusted-keys
18.view
19.zone
options 区段必须要配置 directory "拟使用的目录"选项,否则程序启动时会出错退出
日志文件是/var/log/syslog,可以使用tail -f /var/log/syslog实时监控日志文件,对于调试很有帮助。
初期配置,修改/etc/bind/named.conf.options
options {
directory "/var/catch/bind";
dnssec-validation auto;
};
重启bin9
在本机使用以下命令
dig @127.0.0.1 . ns
如果有返回13个根服务器的地址,服务器就基本正常了,否则要查看日志,排查问题
acl 字符串 { 172.16.72.0/24; 192.168.1.0/24; }; 定义acl名称,可以在以下的命令中引用
allow-notify, allow-query, allow-query-on, allow-recursion, blackhole, allow-transfer, match-clientsacl mylan { 192.168.199.0/24; 127.0.0.1; };
https://kb.isc.org/docs/aa-01526 这个地址有一些相关logging的配置示例可以参考
如果你的queries日志没有记录,要使用 rndc querylog on打开开关
这是我的named.conf.options配置,做个记号
cat named.conf.options
acl internal { 192.168.199.0/24; 127.0.0.1; };
options {
directory "/var/cache/bind";
forwarders {
223.5.5.5;
223.6.6.6;
180.76.76.76;
114.114.114.114;
};
allow-query { internal; };
recursion yes;
allow-recursion { internal; };
dnssec-validation no;
max-cache-size 85%;
};
logging {
channel default_log {
file "/var/log/named/default.log" versions 3 size 20m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel default_syslog {
print-time yes;
print-category yes;
print-severity yes;
syslog daemon;
severity info;
};
channel default_debug {
print-time yes;
print-category yes;
print-severity yes;
file "named.run";
severity dynamic;
};
channel queries_log {
file "/var/log/named/query.log" versions 9 size 20m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel auth_servers_log {
file "/var/log/named/auth_servers.log" versions 9 size 20m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel client_security_log {
file "/var/log/named/client_security.log" versions 3 size 20m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
category default { default_syslog; default_debug; default_log; };
category config { default_syslog; default_debug; default_log; };
category dispatch { default_syslog; default_debug; default_log; };
category network { default_syslog; default_debug; default_log; };
category general { default_syslog; default_debug; default_log; };
category queries { queries_log; };
category resolver { auth_servers_log; default_debug; };
category cname { auth_servers_log; default_debug; };
category delegation-only { auth_servers_log; default_debug; };
category lame-servers { auth_servers_log; default_debug; };
category edns-disabled { auth_servers_log; default_debug; };
category client{ client_security_log; default_debug; };
category security { client_security_log; default_debug; };
};
这是我的named.conf.local配置
//include "/etc/bind/zones.rfc1918";
zone "cqlr.com" {
type master;
file "/etc/bind/db.cqlr.com";
allow-update { internal; }; //同意内网电脑更新
};
zone "199.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.199.168.192";
allow-update { internal; }; //同意内网电脑更新
};
这是我的db.cqlr.com的配置
$ORIGIN .
$TTL 604800 ; 1 week
cqlr.com IN SOA ns.cqlr.com. root.cqlr.com. (
6 ; serial
604800 ; refresh (1 week)
86400 ; retry (1 day)
2419200 ; expire (4 weeks)
604800 ; minimum (1 week)
)
NS ns.cqlr.com.
A 192.168.199.100
$ORIGIN cqlr.com.
dns A 192.168.199.100
ns A 192.168.199.100
$TTL 1200 ; 20 minutes
winent A 192.168.199.120 //这是我的win7自动更新的记录
$TTL 604800 ; 1 week
wzl A 192.168.199.161
这是我的db.199.168.192的配置
$ORIGIN .
$TTL 604800 ; 1 week
199.168.192.in-addr.arpa IN SOA ns.cqlr.com. root.cqlr.com. (
3 ; serial
604800 ; refresh (1 week)
86400 ; retry (1 day)
2419200 ; expire (4 weeks)
604800 ; minimum (1 week)
)
NS ns.cqlr.com.
$ORIGIN 199.168.192.in-addr.arpa.
100 PTR ns.cqlr.com.
PTR dns.cqlr.com.
$TTL 1200 ; 20 minutes
120 PTR winent.cqlr.com. //这是我的win7自动更新的记录
$TTL 604800 ; 1 week
161 PTR wzl.cqlr.com.
这是/etc/bind的目录权限,先前因为bind用户没有w权限,不能生成.jnl的文件导致客户端自动更新失败
ls -l /etc |grep bind
drwxrwsr-x 2 root bind 4096 May 27 14:43 bind
我的cqlr.com使用了动态更新,当手动修改了zone文件后并reload后并不生效,可以使用下面的方法:
sudo rndc freeze cqlr.com
edit zone 文件
sudo rndc thaw cqlr.com
这样你新增的主机就会刷新并有效了
没有评论:
发表评论