This article, like RHEL 7 itself, is somewhat dated: on current releases there is no need to copy the BIND configuration files into the chroot environment by hand.
Reference: Configure a DNS server with bind chroot (CentOS/RHEL 7)
This article walks through the steps to configure a DNS server on RHEL 7 or CentOS 7.
For the demonstration I am using Red Hat Enterprise Linux 7.4.
Our goal is to create one A record and one PTR record, for forward and reverse lookups respectively.
Steps
First install the rpms required to configure your DNS server:
# yum install bind bind-chroot caching-nameserver
My setup:
# hostname
onitroad-client.example
My IP address is 192.168.1.7 (note that the interface is marked dynamic, i.e. DHCP-assigned, which matters later for resolv.conf):
# ip address | egrep 'inet.*enp0s3'
    inet 192.168.1.7/24 brd 192.168.1.255 scope global dynamic enp0s3
Since we will run named inside the chroot environment, stop and disable the plain named service so the two do not compete for port 53:
# systemctl stop named
# systemctl disable named
Next, copy the required files into the chroot directory.
Note: use the -p option with cp to preserve the permissions and ownership of all files and directories.
[root@onitroad-client ~]# cp -rpvf /usr/share/doc/bind-9.9.4/sample/etc/* /var/named/chroot/etc/
‘/usr/share/doc/bind-9.9.4/sample/etc/named.conf’ -> ‘/var/named/chroot/etc/named.conf’
‘/usr/share/doc/bind-9.9.4/sample/etc/named.rfc1912.zones’ -> ‘/var/named/chroot/etc/named.rfc1912.zones’
Then copy the zone-related files to their new location:
[root@onitroad-client ~]# cp -rpvf /usr/share/doc/bind-9.9.4/sample/var/named/* /var/named/chroot/var/named/
‘/usr/share/doc/bind-9.9.4/sample/var/named/data’ -> ‘/var/named/chroot/var/named/data’
‘/usr/share/doc/bind-9.9.4/sample/var/named/my.external.zone.db’ -> ‘/var/named/chroot/var/named/my.external.zone.db’
‘/usr/share/doc/bind-9.9.4/sample/var/named/my.internal.zone.db’ -> ‘/var/named/chroot/var/named/my.internal.zone.db’
‘/usr/share/doc/bind-9.9.4/sample/var/named/named.ca’ -> ‘/var/named/chroot/var/named/named.ca’
‘/usr/share/doc/bind-9.9.4/sample/var/named/named.empty’ -> ‘/var/named/chroot/var/named/named.empty’
‘/usr/share/doc/bind-9.9.4/sample/var/named/named.localhost’ -> ‘/var/named/chroot/var/named/named.localhost’
‘/usr/share/doc/bind-9.9.4/sample/var/named/named.loopback’ -> ‘/var/named/chroot/var/named/named.loopback’
‘/usr/share/doc/bind-9.9.4/sample/var/named/slaves’ -> ‘/var/named/chroot/var/named/slaves’
‘/usr/share/doc/bind-9.9.4/sample/var/named/slaves/my.ddns.internal.zone.db’ -> ‘/var/named/chroot/var/named/slaves/my.ddns.internal.zone.db’
‘/usr/share/doc/bind-9.9.4/sample/var/named/slaves/my.slave.internal.zone.db’ -> ‘/var/named/chroot/var/named/slaves/my.slave.internal.zone.db’
Let us start with the main configuration file:
# cd /var/named/chroot/etc/
Clear the existing named.conf and paste the following content:
[root@onitroad-client etc]# vim named.conf
options {
        listen-on port 53 { 127.0.0.1; any; };
        # listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; any; };
        allow-query-cache { localhost; any; };
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
view my_resolver {
        match-clients { localhost; any; };
        recursion yes;
        include "/etc/named.rfc1912.zones";
};
A word of caution about this file: `any` in listen-on, allow-query, allow-query-cache and match-clients (which also makes the preceding `localhost` redundant), combined with `recursion yes`, turns the host into an open recursive resolver. Anyone who can reach UDP/TCP port 53 can use it to resolve arbitrary names, which makes it a target for cache-poisoning attempts and a ready-made DDoS amplifier. That is tolerable on an isolated lab network but not on anything reachable from the Internet; restrict recursion to the networks you actually serve.
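The following is an added example, not the page's own configuration: the same named.conf with the resolver restricted to an ACL instead of `any`. The 192.168.1.0/24 network in the ACL is an assumption derived from the host's address, and `allow-transfer { none; }` assumes there is no secondary server, which is the case in this article.

```conf
// Added example: the article's named.conf with recursion limited to an ACL.
// Assumption: 127.0.0.1 and 192.168.1.0/24 are the only clients to serve.
acl "trusted" {
        127.0.0.1;
        192.168.1.0/24;
};

options {
        listen-on port 53 { 127.0.0.1; 192.168.1.7; };
        listen-on-v6 port 53 { none; };
        directory           "/var/named";
        dump-file           "/var/named/data/cache_dump.db";
        statistics-file     "/var/named/data/named_stats.txt";
        memstatistics-file  "/var/named/data/named_mem_stats.txt";

        allow-query         { trusted; };   // who may query at all
        allow-query-cache   { trusted; };   // who may read cached (non-authoritative) data
        allow-recursion     { trusted; };   // who may have this server recurse for them
        allow-transfer      { none; };      // no AXFR/IXFR: no secondary server in this setup
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

view "my_resolver" {
        match-clients { trusted; };   // clients outside the ACL match no view and get REFUSED
        recursion yes;
        include "/etc/named.rfc1912.zones";
};
```

Because a view is declared, every zone must live inside a view; the included named.rfc1912.zones takes care of that here, exactly as in the original file. Validate the result with `named-checkconf -t /var/named/chroot /etc/named.conf` before restarting, and confirm the restriction from a host outside the ACL: a recursive `dig @192.168.1.7 example.com` from there should come back with status REFUSED.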
The zone definitions go into /var/named/chroot/etc/named.rfc1912.zones; add the following entries.
Here example.zone is our forward zone file and example.rzone is the reverse zone file holding the reverse-lookup entries.
Important: the reverse zone is named 1.168.192.in-addr.arpa because my host's address is 192.168.1.7, i.e. the network is 192.168.1.0/24: the first three octets are written in reverse order and in-addr.arpa is appended.
zone "example" IN {
        type master;
        file "example.zone";
        allow-update { none; };
};
zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "example.rzone";
        allow-update { none; };
};
The zone files live under the following path:
# cd /var/named/chroot/var/named/
Now let us create our forward and reverse zone files. The file names must be the same ones we gave in named.rfc1912.zones above, and we already have default templates to start from:
# cp -p named.localhost example.zone
# cp -p named.loopback example.rzone
As we can see, all files and directories are currently owned by root:root (cp -p preserved the ownership from the sample directory):
[root@onitroad-client named]# ll
total 32
drwxr-xr-x. 2 root root    6 Jan 22  2015 data
-rw-r--r--. 1 root root  168 Jan 22  2015 example.rzone
-rw-r--r--. 1 root root  152 Jan 22  2015 example.zone
-rw-r--r--. 1 root root   56 Jan 22  2015 my.external.zone.db
-rw-r--r--. 1 root root   56 Jan 22  2015 my.internal.zone.db
-rw-r--r--. 1 root root 2281 Jan 22  2015 named.ca
-rw-r--r--. 1 root root  152 Jan 22  2015 named.empty
-rw-r--r--. 1 root root  152 Jan 22  2015 named.localhost
-rw-r--r--. 1 root root  168 Jan 22  2015 named.loopback
drwxr-xr-x. 2 root root   71 Nov 12 21:02 slaves
Change the ownership of all files in this location to user root and group named:
# chown root:named *
The data directory, however, must be owned by both user and group named, because named writes its dump, statistics and named.run files there:
# chown -R named:named data
# ls -l
total 32
drwxr-xr-x. 2 named named    6 Jan 22  2015 data
-rw-r--r--. 1 root  named  168 Jan 22  2015 example.rzone
-rw-r--r--. 1 root  named  152 Jan 22  2015 example.zone
-rw-r--r--. 1 root  named   56 Jan 22  2015 my.external.zone.db
-rw-r--r--. 1 root  named   56 Jan 22  2015 my.internal.zone.db
-rw-r--r--. 1 root  named 2281 Jan 22  2015 named.ca
-rw-r--r--. 1 root  named  152 Jan 22  2015 named.empty
-rw-r--r--. 1 root  named  152 Jan 22  2015 named.localhost
-rw-r--r--. 1 root  named  168 Jan 22  2015 named.loopback
drwxr-xr-x. 2 root  named   71 Nov 12 21:02 slaves
This split is deliberate: named runs as the unprivileged user named (see the -u named in the service's ExecStart further below), so root-owned, group-readable zone files with `allow-update { none; }` mean a compromised daemon cannot rewrite its own authoritative data. If this host ever becomes a secondary for another zone, the slaves directory must be made writable by named too, since incoming zone transfers are written there.
Add the following content to the forward zone file.
Here we create an A record for our local host (onitroad-client) and one for one of my server nodes (onitroad-server). Note that the page's original zone file gave onitroad-client the address 192.169.1.7, a typo for 192.168.1.7 (the address shown by `ip address` above); the corrected record is used here, and the nslookup output at the end of the article still reflects the typo.
# vim example.zone
$TTL 1D
@       IN SOA  example. root (
                                        1       ; serial
                                        3H      ; refresh
                                        15M     ; retry
                                        1W      ; expire
                                        1D )    ; minimum
        IN NS   example.
        IN A    192.168.1.7
onitroad-server IN A    192.168.1.5
onitroad-client IN A    192.168.1.7     ; the original page had 192.169.1.7 here, a typo
Add the following content to the reverse zone file.
Here we create a PTR record for our local host and one for my server node (onitroad-server). The owner names 5 and 7 are relative to the zone origin 1.168.192.in-addr.arpa, so they expand to 5.1.168.192.in-addr.arpa and 7.1.168.192.in-addr.arpa, i.e. 192.168.1.5 and 192.168.1.7.
# vim example.rzone
$TTL 1D
@       IN SOA  example. root.example. (
                                        1997022700 ; serial
                                        28800      ; refresh
                                        14400      ; retry
                                        3600000    ; expire
                                        86400 )    ; minimum
        IN NS   example.
5       IN PTR  onitroad-server.example.
7       IN PTR  onitroad-client.example.
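Forward and reverse zones are maintained by hand here, so nothing stops an A record and its PTR from drifting apart, which is exactly what happened with the 192.169.1.7 address the page's example.zone gives onitroad-client. The script below is an added example, not part of the original article: it parses the minimal zone-file syntax used above (one record per line, `@` or relative owner names, an owner inherited from the previous line, `;` comments) and reports every A/PTR pair that does not round-trip. The embedded zone texts are constructed copies of the two files on this page; $ORIGIN, $INCLUDE and multi-line records other than the SOA header are not handled.

```python
"""Cross-check a forward zone's A records against a reverse zone's PTR records.

Added example for the bind chroot article; only the minimal zone syntax used
there is parsed (no $ORIGIN/$INCLUDE, no multi-line records except the SOA).
"""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed sample input mirroring the page's example.zone and example.rzone,
# including the 192.169.1.7 address the page's zone file gives onitroad-client.
FORWARD_ZONE = """\
$TTL 1D
@       IN SOA  example. root (
                        1       ; serial
                        3H      ; refresh
                        15M     ; retry
                        1W      ; expire
                        1D )    ; minimum
        IN NS   example.
        IN A    192.168.1.7
onitroad-server IN A 192.168.1.5
onitroad-client IN A 192.169.1.7
"""

REVERSE_ZONE = """\
$TTL 1D
@       IN SOA  example. root.example. (
                        1997022700 ; serial
                        28800      ; refresh
                        14400      ; retry
                        3600000    ; expire
                        86400 )    ; minimum
        IN NS   example.
5       IN PTR  onitroad-server.example.
7       IN PTR  onitroad-client.example.
"""

# owner (may be empty: inherited), optional TTL, class IN, type A or PTR, rdata
RECORD_RE = re.compile(r"^(\S*)\s+(?:\d+\S*\s+)?IN\s+(A|PTR)\s+(\S+)", re.IGNORECASE)


def reverse_zone_name(network: str) -> str:
    """'192.168.1.0/24' -> '1.168.192.in-addr.arpa' (octet-aligned IPv4 prefixes only)."""
    net = ipaddress.ip_network(network, strict=False)
    if net.version != 4 or net.prefixlen % 8 or not 8 <= net.prefixlen <= 24:
        raise ValueError("only /8, /16 and /24 IPv4 networks are handled here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def fqdn(name: str, origin: str) -> str:
    """Qualify an owner name relative to the zone origin (trailing dot = absolute)."""
    if name in ("@", ""):
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def ptr_to_ip(owner: str) -> str:
    """'7.1.168.192.in-addr.arpa.' -> '192.168.1.7'."""
    labels = owner.rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        raise ValueError(f"not a full IPv4 reverse name: {owner}")
    return ".".join(reversed(labels[:4]))


def parse_zone(text: str, origin: str) -> List[Tuple[str, str, str]]:
    """Return (owner_fqdn, type, rdata) for every A and PTR record in the zone text."""
    if not origin.endswith("."):
        origin += "."
    records: List[Tuple[str, str, str]] = []
    last_owner = "@"
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if not line or line.startswith("$"):          # blank or $TTL directive
            continue
        m = RECORD_RE.match(line)
        if m is None:
            # SOA/NS lines: not checked, but an explicit owner still carries forward
            if not line[0].isspace():
                last_owner = line.split()[0]
            continue
        owner, rtype, rdata = m.groups()
        if owner:
            last_owner = owner
        records.append((fqdn(last_owner, origin), rtype.upper(), rdata))
    return records


def check_consistency(forward: str, forward_origin: str,
                      reverse: str, reverse_network: str) -> List[str]:
    """List every A/PTR pair that does not round-trip; an empty list means consistent."""
    rev_origin = reverse_zone_name(reverse_network)
    net = ipaddress.ip_network(reverse_network, strict=False)
    a_by_name: Dict[str, Set[str]] = {}
    for owner, rtype, rdata in parse_zone(forward, forward_origin):
        if rtype == "A":
            a_by_name.setdefault(owner, set()).add(rdata)
    ptr_by_ip: Dict[str, Set[str]] = {}
    for owner, rtype, rdata in parse_zone(reverse, rev_origin):
        if rtype == "PTR":
            ptr_by_ip.setdefault(ptr_to_ip(owner), set()).add(rdata)

    problems: List[str] = []
    # every PTR must name a host whose A record points back at the same address
    for ip, names in sorted(ptr_by_ip.items()):
        for name in sorted(names):
            if ip not in a_by_name.get(name, set()):
                problems.append(f"PTR {ip} -> {name} but A records for {name} are "
                                f"{sorted(a_by_name.get(name, set()))}")
    # every A inside the reverse zone's network should have a PTR naming it back
    for name, ips in sorted(a_by_name.items()):
        for ip in sorted(ips):
            if ipaddress.ip_address(ip) not in net:
                problems.append(f"A {name} -> {ip} lies outside {reverse_network}; "
                                f"no PTR possible in {rev_origin}")
            elif name not in ptr_by_ip.get(ip, set()):
                problems.append(f"A {name} -> {ip} has no matching PTR in {rev_origin}")
    return problems


if __name__ == "__main__":
    for problem in check_consistency(FORWARD_ZONE, "example", REVERSE_ZONE, "192.168.1.0/24"):
        print(problem)
```

Run against the page's zones it reports three findings: the PTR for 192.168.1.7 names onitroad-client.example, whose only A record is 192.169.1.7; that A record lies outside 192.168.1.0/24 and can never have a PTR in 1.168.192.in-addr.arpa; and the apex A record (example. -> 192.168.1.7) has no PTR of its own. The first two disappear once the typo is corrected; the third is a policy decision (one address, two names), which is why the check reports rather than fails.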
Before starting the named-chroot service, let us validate the zone files. The first argument to named-checkzone is the zone origin, and it must be the same name used in named.rfc1912.zones, because relative owner names such as `onitroad-server` or `7` are expanded against it:
[root@onitroad-client named]# named-checkzone example example.zone
zone example/IN: loaded serial 1
OK
[root@onitroad-client named]# named-checkzone 1.168.192.in-addr.arpa example.rzone
zone 1.168.192.in-addr.arpa/IN: loaded serial 1997022700
OK
With the zones in order, check the configuration file. The -t option takes the chroot directory, and the configuration path is then given relative to that root (this is the same invocation the named-chroot unit runs in its ExecStartPre, with -z added to load every zone as well):
[root@onitroad-client named]# named-checkconf -t /var/named/chroot /etc/named.conf
named-checkconf prints nothing when the file is valid, so confirm via the exit status; 0 means the command succeeded:
[root@onitroad-client named]# echo $?
0
Important: on my setup SELinux is in permissive mode.
# getenforce
Permissive
Outside a lab, leave SELinux enforcing: the targeted policy fully supports bind-chroot, and the usual reason for trouble after copying files into the chroot by hand is mislabelled files rather than the policy itself. Running `restorecon -Rv /var/named/chroot` restores the expected labels (named_conf_t for the configuration, named_zone_t for the zone files) so that named can read them under enforcement.
Everything looks good, so it is time to start our named chroot service:
[root@onitroad-client named]# systemctl restart named-chroot
[root@onitroad-client named]# systemctl status named-chroot
● named-chroot.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2015-02-12 21:53:23 IST; 19s ago
  Process: 5236 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
  Process: 5327 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 5325 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 5330 (named)
   CGroup: /system.slice/named-chroot.service
           └─5330 /usr/sbin/named -u named -c /etc/named.conf -t /var/named/chroot

Nov 12 21:53:23 onitroad-client.example named[5330]: managed-keys-zone/my_resolver: loaded serial 0
Nov 12 21:53:23 onitroad-client.example named[5330]: zone 0.in-addr.arpa/IN/my_resolver: loaded serial 0
Nov 12 21:53:23 onitroad-client.example named[5330]: zone 1.0.0.127.in-addr.arpa/IN/my_resolver: loaded serial 0
Nov 12 21:53:23 onitroad-client.example named[5330]: zone 1.168.192.in-addr.arpa/IN/my_resolver: loaded serial 1997022700
Nov 12 21:53:23 onitroad-client.example named[5330]: zone example/IN/my_resolver: loaded serial 1
Nov 12 21:53:23 onitroad-client.example named[5330]: zone localhost/IN/my_resolver: loaded serial 0
Nov 12 21:53:23 onitroad-client.example named[5330]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN/my_resolver: loaded serial 0
Nov 12 21:53:23 onitroad-client.example named[5330]: zone localhost.localdomain/IN/my_resolver: loaded serial 0
Nov 12 21:53:23 onitroad-client.example named[5330]: all zones loaded
Nov 12 21:53:23 onitroad-client.example named[5330]: running
The log confirms both of our zones loaded with the serials we set, and the ExecStart line shows named running as the unprivileged user named inside the chroot. Note that the unit is still "disabled" in the Loaded line: run `systemctl enable named-chroot` if the server is to come back after a reboot.
Make sure resolv.conf contains the address of the server we just set up, so that this host uses it as its DNS server:
# cat /etc/resolv.conf
search example
nameserver 192.168.1.7
Since the interface obtained its address via DHCP, NetworkManager will rewrite /etc/resolv.conf on the next lease or reconnect; to make the setting persistent, set ipv4.dns and ipv4.ignore-auto-dns on the connection with nmcli instead of editing the file directly.
Let us verify the DNS server against the reverse zone with dig:
[root@onitroad-client named]# dig -x 192.168.1.5

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> -x 192.168.1.5
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40331
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;5.1.168.192.in-addr.arpa.      IN      PTR

;; ANSWER SECTION:
5.1.168.192.in-addr.arpa. 86400 IN      PTR     onitroad-server.example.

;; AUTHORITY SECTION:
1.168.192.in-addr.arpa. 86400   IN      NS      example.

;; ADDITIONAL SECTION:
example.                86400   IN      A       192.168.1.7

;; Query time: 1 msec
;; SERVER: 192.168.1.7#53(192.168.1.7)
;; WHEN: Mon Nov 12 22:13:17 IST 2015
;; MSG SIZE  rcvd: 122
As we can see, the ANSWER section holds the PTR record we defined. The `aa` flag in the header shows the reply is authoritative, i.e. it came from our zone data rather than from the cache, and the SERVER line confirms it was answered by 192.168.1.7.
[root@onitroad-client named]# dig -x 192.168.1.7

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> -x 192.168.1.7
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55804
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;7.1.168.192.in-addr.arpa.      IN      PTR

;; ANSWER SECTION:
7.1.168.192.in-addr.arpa. 86400 IN      PTR     onitroad-client.example.

;; AUTHORITY SECTION:
1.168.192.in-addr.arpa. 86400   IN      NS      example.

;; ADDITIONAL SECTION:
example.                86400   IN      A       192.168.1.7

;; Query time: 1 msec
;; SERVER: 192.168.1.7#53(192.168.1.7)
;; WHEN: Mon Nov 12 22:12:54 IST 2015
;; MSG SIZE  rcvd: 122
In the same way we can verify the forward zone file:
[root@onitroad-client named]# nslookup onitroad-client.example
Server:         192.168.1.7
Address:        192.168.1.7#53

Name:   onitroad-client.example
Address: 192.169.1.7
Note the address returned here: 192.169.1.7, not the host's real address 192.168.1.7. The A record for onitroad-client in the page's original example.zone carried that typo and the server faithfully served it, so a forward lookup succeeding is not by itself proof that the data is right; comparing the A answer with the PTR answer for the same host (which returned onitroad-client.example for 192.168.1.7 above) is what exposes the mismatch.
[root@onitroad-client named]# nslookup onitroad-server.example
Server:         192.168.1.7
Address:        192.168.1.7#53

Name:   onitroad-server.example
Address: 192.168.1.5