Download (HTTP):
Download (FTP): ftp://ftp.isc.org/isc/bind9/9.2.2/bind-9.2.2.tar.gz
Version: 9.2.2
Package size: 4.8 MB
Estimated disk space required: 38 MB
The Bind package provides DNS server and client utilities.
We will configure BIND to run as the unprivileged user (named) inside a chroot jail. BIND configured this way is safer, because a compromise of the DNS daemon can at most damage the few files in the named user's $HOME directory.
First we create the files and directories that BIND needs:
groupadd -g 200 named &&
useradd -m -g named -u 200 -s /bin/false named &&
cd /home/named &&
mkdir -p dev etc/namedb/slave var/run &&
mknod /home/named/dev/null c 1 3 &&
mknod /home/named/dev/random c 1 8 &&
chmod 666 /home/named/dev/{null,random} &&
mkdir /home/named/etc/namedb/pz &&
cp /etc/localtime /home/named/etc
named.conf, root.hints, 127.0.0, rndc.conf
Create the named.conf file with the following command:
cat > /home/named/etc/named.conf << "EOF"
options {
    directory "/etc/namedb";
    pid-file "/var/run/named.pid";
    statistics-file "/var/run/named.stats";
};
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
};
key "rndc_key" {
    algorithm hmac-md5;
    secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
};
zone "." {
    type hint;
    file "root.hints";
};
zone "0.0.127.in-addr.arpa" {
    type master;
    file "pz/127.0.0";
};
EOF
Create a zone file:
cat > /home/named/etc/namedb/pz/127.0.0 << "EOF"
$TTL 3D
@       IN      SOA     ns.local.domain. hostmaster.local.domain. (
                        1       ; Serial
                        8H      ; Refresh
                        2H      ; Retry
                        4W      ; Expire
                        1D)     ; Minimum TTL
                NS      ns.local.domain.
1               PTR     localhost.
EOF
Create the root.hints file with the following command:
Note: Be careful: no line in this file may begin with whitespace.
cat > /home/named/etc/namedb/root.hints << "EOF"
.                       6D  IN  NS  A.ROOT-SERVERS.NET.
.                       6D  IN  NS  B.ROOT-SERVERS.NET.
.                       6D  IN  NS  C.ROOT-SERVERS.NET.
.                       6D  IN  NS  D.ROOT-SERVERS.NET.
.                       6D  IN  NS  E.ROOT-SERVERS.NET.
.                       6D  IN  NS  F.ROOT-SERVERS.NET.
.                       6D  IN  NS  G.ROOT-SERVERS.NET.
.                       6D  IN  NS  H.ROOT-SERVERS.NET.
.                       6D  IN  NS  I.ROOT-SERVERS.NET.
.                       6D  IN  NS  J.ROOT-SERVERS.NET.
.                       6D  IN  NS  K.ROOT-SERVERS.NET.
.                       6D  IN  NS  L.ROOT-SERVERS.NET.
.                       6D  IN  NS  M.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.     6D  IN  A   198.41.0.4
B.ROOT-SERVERS.NET.     6D  IN  A   128.9.0.107
C.ROOT-SERVERS.NET.     6D  IN  A   192.33.4.12
D.ROOT-SERVERS.NET.     6D  IN  A   128.8.10.90
E.ROOT-SERVERS.NET.     6D  IN  A   192.203.230.10
F.ROOT-SERVERS.NET.     6D  IN  A   192.5.5.241
G.ROOT-SERVERS.NET.     6D  IN  A   192.112.36.4
H.ROOT-SERVERS.NET.     6D  IN  A   128.63.2.53
I.ROOT-SERVERS.NET.     6D  IN  A   192.36.148.17
J.ROOT-SERVERS.NET.     6D  IN  A   192.58.128.30
K.ROOT-SERVERS.NET.     6D  IN  A   193.0.14.129
L.ROOT-SERVERS.NET.     6D  IN  A   198.32.64.12
M.ROOT-SERVERS.NET.     6D  IN  A   202.12.27.33
EOF
Create the rndc.conf file with the following command:
cat > /etc/rndc.conf << "EOF"
key rndc_key {
    algorithm "hmac-md5";
    secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
};
options {
    default-server localhost;
    default-key rndc_key;
};
EOF
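The same rndc_key secret has to appear in both the chroot's named.conf and /etc/rndc.conf, otherwise the reload target of the boot script (rndc reload) is refused by named; and the secret shown above is a published sample value that every reader of this page knows, so it should be replaced with a freshly generated one (for example with the rndc-confgen tool shipped in this package) before the server goes into service. The following POSIX sh check is an added example, not part of the original page: it extracts the secret from both files, verifies they agree, and flags the sample value. The file paths are the ones used on this page; the function names are this example's own.

```shell
#!/bin/sh
# Added example: verify that the rndc key shared between the chroot's
# named.conf and the host's /etc/rndc.conf is consistent and not the sample.

# Print the value of the first `secret "..."` statement in a BIND config file.
rndc_secret() {
    sed -n 's/^[[:space:]]*secret[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Return 0 if both files carry the same non-empty secret, 1 otherwise.
rndc_keys_match() {
    a=$(rndc_secret "$1")
    b=$(rndc_secret "$2")
    if [ -n "$a" ] && [ "$a" = "$b" ]; then
        return 0
    fi
    return 1
}

# Return 0 if the file still carries the sample secret printed on this page.
rndc_secret_is_sample() {
    if [ "$(rndc_secret "$1")" = "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K" ]; then
        return 0
    fi
    return 1
}

# Overall check. Exit status: 0 = consistent and unique key,
# 1 = secrets differ (rndc will be refused), 2 = sample secret still in use.
# Paths default to the locations used on this page.
check_rndc_setup() {
    named_conf=${1:-/home/named/etc/named.conf}
    rndc_conf=${2:-/etc/rndc.conf}
    if ! rndc_keys_match "$named_conf" "$rndc_conf"; then
        echo "rndc key mismatch between $named_conf and $rndc_conf" >&2
        return 1
    fi
    if rndc_secret_is_sample "$named_conf"; then
        echo "sample rndc secret still in use; generate your own" >&2
        return 2
    fi
    return 0
}
```

Run check_rndc_setup after editing either file; a non-zero status explains why a later `rndc -c /etc/rndc.conf reload` would fail or why the control channel is not yet safe to rely on.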
Create or modify resolv.conf with the following command so that the new name server is used:
Note: Replace yourdomain.com with your own correct domain name.
cp /etc/resolv.conf /etc/resolv.conf.bak
cat > /etc/resolv.conf << "EOF"
search yourdomain.com
nameserver 127.0.0.1
EOF
Set the permissions on the chroot jail with the following command:
chown -R named.named /home/named
Create the BIND boot script:
cat > /etc/rc.d/init.d/bind << "EOF"
#!/bin/bash
# Begin $rc_base/init.d/bind

# Based on sysklogd script from LFS-3.1 and earlier.
# Rewritten by Gerard Beekmans - [email protected]

source /etc/sysconfig/rc
source $rc_functions

case "$1" in
    start)
        echo "Starting named..."
        loadproc /usr/sbin/named -u named -t /home/named -c \
            /etc/named.conf
        ;;

    stop)
        echo "Stopping named..."
        killproc /usr/sbin/named
        ;;

    restart)
        $0 stop
        sleep 1
        $0 start
        ;;

    reload)
        echo "Reloading named..."
        /usr/sbin/rndc -c /etc/rndc.conf reload
        ;;

    status)
        statusproc /usr/sbin/named
        ;;

    *)
        echo "Usage: $0 {start|stop|restart|reload|status}"
        exit 1
        ;;
esac

# End $rc_base/init.d/bind
EOF
Add the runlevel symlinks:
chmod 754 /etc/rc.d/init.d/bind &&
ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc0.d/K49bind &&
ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc1.d/K49bind &&
ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc2.d/K49bind &&
ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc3.d/S22bind &&
ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc4.d/S22bind &&
ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc5.d/S22bind &&
ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc6.d/K49bind
Start the BIND service using the new boot script:
/etc/rc.d/init.d/bind start
groupadd -g 200 named; useradd -m -g named -u 200 -s /bin/false named; cd /home/named; mkdir -p dev etc/namedb/slave var/run; mknod /home/named/dev/null c 1 3; mknod /home/named/dev/random c 1 8; chmod 666 /home/named/dev/{null,random}; mkdir /home/named/etc/namedb/pz; cp /etc/localtime /home/named/etc :
cat > /home/named/etc/named.conf << "EOF" : Creates the BIND configuration file. From it, named reads the location of the zone files, the root name servers and the secure DNS keys.
cat > /home/named/etc/namedb/pz/127.0.0 << "EOF" : Creates a single zone file.
cat > /home/named/etc/namedb/root.hints << "EOF" : The root.hints file is a list of the root name servers. It must be updated regularly with the dig tool; see the BIND 9 Administrator Reference Manual for details.
cat > /etc/rndc.conf << "EOF" : The rndc.conf file contains the information the rndc tool needs to control named.
cat > /etc/resolv.conf << "EOF" : The resolv.conf file sets the local host (127.0.0.1) as the name server.
cat > /etc/rc.d/init.d/bind << "EOF" : Creates the BIND 9 boot script, used to start and stop the name server daemon named.
The BIND package contains dig, host, rndc, rndc-confgen, named-checkconf, named-checkzone, lwresd, named, dnssec-signzone, dnssec-signkey, dnssec-keygen, dnssec-makekeyset and nsupdate.