CentOSç³»ç»å®è£
DNSæå¡å¨æ¹æ³
ããDNS å®è£
é
ç½®
ããå¨ RHEL5ã6 ä¸ DNS é½æ¯ç¨çæ¯ bind 软件å
ï¼èå¨ RHEL/CentOS 7 ç¨çæ¯ unbound å®è£
å
ï¼é
ç½®æ件ä¹æäºæ¹åãæ们æ¥çä¸ä¸ï¼
ãã2.1.å®è£
ï¼
ãã代ç å¦ä¸:
ãã[root@linuxprobe ~]# yum -y install unbound
ããLoaded plugins: langpacks, product-id, subscription-manager
ããThis system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
ããResolving Dependencies
ãã---> Running transaction check
ãã---> Package unbound.x86_64 0:1.4.20-19.el7 will be installed
ãã---> Finished Dependency Resolution
ãã·····
ããå¯å¨æå¡
ãã代ç å¦ä¸:
ãã[root@linuxprobe ~]# systemctl restart unbound //å¯å¨DNSæå¡
ãã[root@linuxprobe ~]# systemctl enable unbound
ããln -s â/usr/lib/systemd/system/unbound.serviceâ â/etc/systemd/system/multi-user.target.wants/unbound.serviceâ
ãã//ä¸æ¬¡ç³»ç»éå¯èªå¨å¯å¨DNSæå¡
ãã2.2.ä¿®æ¹é
ç½®æ件
ããunbound å®è£
好ä¹åï¼ç¼ºçé
ç½®æä»¶å¨ /etc/unbound/unbound.confã
ãã2.2.1.ä¿®æ¹ç«¯å£çå¬å°å
ããç¸å½äº RHEL6 é
ç½®æ件ä¸çï¼listen-on port 53 { any; };
ããæ¥çé»è®¤çå¬å°å
ãã代ç å¦ä¸:
ãã[root@linuxprobe ~]# netstat -tunlp |grep unbound
ããtcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 3333/unbound
ããtcp 0 0 127.0.0.1:8953 0.0.0.0:* LISTEN 3333/unbound
ããtcp6 0 0 ::1:53 :::* LISTEN 3333/unbound
ããtcp6 0 0 ::1:8953 :::* LISTEN 3333/unbound
ããudp 0 0 127.0.0.1:53 0.0.0.0:* 3333/unbound
ããudp6 0 0 ::1:53 :::* 3333/unbound
ãã//é»è®¤çå¬æ¬å°åç¯å°åï¼ä¹å°±æ¯ç°å¨åªæèªå·±è½è®¿é®DNSæå¡ï¼å
¶å®ä¸»æºä¸è½è®¿é®æ¬æºçDNSæå¡
ããä¿®æ¹çå¬å°å代ç å¦ä¸:
ãã[root@linuxprobe ~]# vim /etc/unbound/unbound.conf
ããâ¦â¦
ãã38 # interface: 0.0.0.0
ãã39 interface: 0.0.0.0
ããâ¦â¦
ãã//æ¾å°38è¡ï¼å¤å¶å»æ注éè¡ï¼æå¼çå¬å
¨ç½åè½ã
ããéå¯æå¡æ¥ç
ãã代ç å¦ä¸:
ãã[root@linuxprobe ~]# systemctl restart unbound
ãã[root@linuxprobe ~]# netstat -tunlp |grep unbound
ããtcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 3461/unbound
ããtcp 0 0 127.0.0.1:8953 0.0.0.0:* LISTEN 3461/unbound
ããtcp6 0 0 ::1:8953 :::* LISTEN 3461/unbound
ããudp 0 0 0.0.0.0:53 0.0.0.0:* 3461/unbound
ãã//ç°å¨53å·ç«¯å£çå¬çæ¯0.0.0.0ï¼å³ææç½æ®µé½çå¬ã
ãã2.2.2.ä¿®æ¹å
许æ¥è¯¢çèå´
ããå¨ RHEL6 ä¸ï¼DNS é
ç½®æ件ä¸æè¿æ ·ä¸å¥ï¼allow-query { localhost; };ãæ¤å¥å®ä¹çæ¯å
许åæ¬æºæ¥è¯¢(è¿ä»£ & éå½)ç主æºèå´ï¼localhost 代表åªææ¬æºå¯ä»¥åæ¬æºæ¥è¯¢ãèå¨é
ç½®ä¸ï¼ç»å¸¸æ¹ localhost 为 anyï¼è®©ææ主æºè½å¤åæ¬æºæ¥è¯¢ DNSãæ以ï¼å¨ RHEL7 ä¸ï¼ä¹è¦åè¿æ ·çä¿®æ¹ï¼åªä¸è¿ä¿®æ¹å
容ä¸åèå·²ï¼å¦ä¸ï¼
ãã代ç å¦ä¸:
ãã[root@linuxprobe ~]# vim /etc/unbound/unbound.conf
ããâ¦â¦
ãã177 # access-control: 0.0.0.0/0 refuse
ãã178 access-control: 0.0.0.0/0 allow
ãã179 # access-control: 127.0.0.0/8 allow
ããâ¦â¦
ããæ¾å°é
ç½®æ件/etc/unbound/unbound.confç第177è¡ï¼ç¼ºç为注éè¡ï¼æå
容æ¹ä¸ºå
许访é®ï¼ç¶åä¿åéåºï¼éå¯æå¡å³å¯ã
ãã2.2.3.å建解ææ件
ããRHEL/CentOS 5ã6ç³»ç»ä¸ï¼DNS ç解ææ件åæ£åååå两个解ææ件ï¼å¹¶ä¸æ解ææ件ç模æ¿æ件ãä½æ¯å¨ RHEL7ä¸ï¼æ£åå解ææ件å并为ä¸ä¸ªï¼å¹¶ä¸æ 模æ¿æ件ï¼éèªå·±å建ï¼è·¯å¾å¯ä»¥å¨ä¸»é
ç½®æ件ä¸æ¥çï¼
ãã代ç å¦ä¸:
ãã[root@linuxprobe ~]# vim /etc/unbound/unbound.conf
ããâ¦â¦
ãã453 # You can add locally served data with
ãã454 # local-zone: "local." static
ãã455 # local-data: "mycomputer.local. IN A 192.0.2.51"
ãã//æ£å解æå¯åèè¯æ³
ãã456 # local-data: âmytext.local TXT "content of text record"â
ãã457 #
ãã458 # You can override certain queries with
ãã459 # local-data: "adserver.example.com A 127.0.0.1"
ãã460 #
ãã461 # You can redirect a domain to a fixed address with
ãã462 # (this makes example.com,
www.example.com, etc, all go to 192.0.2.3)
ãã463 # local-zone: "example.com" redirect
ãã464 # local-data: "example.com A 192.0.2.3"
ãã465 #
ãã# Shorthand to make PTR records, "IPv4 name" or "IPv6 name".
ãã467 # You can also add PTR records using local-data directly, but then
ãã468 # you need to do the reverse notation yourself.
ãã469 # local-data-ptr: "192.0.2.3
www.example.com"
ãã//åå解æåèè¯æ³
ãã470
ãã471 include: /etc/unbound/local.d/*.conf
ãã472
ãã473 # service clients over SSL (on the TCP sockets), with plain DNS inside
ããâ¦â¦
ããæ¥çæ¬æºFQDN
ãã代ç å¦ä¸:
ãã[root@linuxprobe ~]# hostname
ããlinuxprobe.example.com
ãã//ç±æ¤å¯ç¥ï¼åå为example.com
ããå建解ææ件代ç å¦ä¸:
ãã[root@linuxprobe ~]# vim /etc/unbound/local.d/example.conf
ããlocal-zone: "example.com." static
ããlocal-data: "example.com. 86400 IN SOA ns.example.com. root 1 1D 1H 1W 1H"
ããlocal-data: "ns.example.com. IN A 192.168.10.10"
ããlocal-data: "linuxprobe.example.com. IN A 192.168.10.10"
ããlocal-data-ptr: "192.168.10.10 ns.example.com."
ããlocal-data-ptr: "192.168.10.10 linuxprobe.example.com."
ããæ¥çRHEL6ä¸è§£ææ件以ä½å¯¹æ¯
ãã代ç å¦ä¸:
ãã[root@linuxprobe ~]# vim /var/named/named.localhost
ãã$TTL 1D
ãã@ IN SOA @ rname.invalid. (
ãã0 ; serial
ãã1D ; refresh
ãã1H ; retry
ãã1W ; expire
ãã3H ) ; minimum
ããNS @
ããA 127.0.0.1
ããAAAA ::1
ãã2.3.ç¦ç¨æå¡ç¨æ·
ããæ¯ä¸ªæå¡é½æ¯æå
¶ä¸ç¨çæå¡ç¨æ·ï¼DNS çæå¡ç¨æ·ä¸º unboundï¼å®é
æ
åµä¸æå¡ç¨æ·çå¯ç¨æå¯è½æå®å
¨éæ£ï¼è¿éè¦ç¦ç¨æå¡ç¨æ·ã
ãã代ç å¦ä¸:
ãã[root@linuxprobe ~]# vim /etc/unbound/unbound.conf
ãã······
ãã211 # if given, user privileges are dropped (after binding port),
ãã212 # and the given username is assumed. Default is user "unbound".
ãã213 # If you give "" no privileges are dropped.
ãã214 #username: "unbound"
ãã215 username: " "
ãã216
ãã217 # the working directory. The relative files in this config
ãã······
ããå¦ä¸ï¼æ¾å°é
ç½®æ件ç第214è¡ï¼å é¤unboundå³å¯ï¼å é¤å为ï¼username â âã
ãã2.4.éªè¯
ãã代ç å¦ä¸:
ãã[root@linuxprobe ~]# unbound-checkconf
ããunbound-checkconf: no errors in /etc/unbound/unbound.conf
ããéªè¯æ é
ç½®é®é¢ï¼å³å¯éå¯æå¡
ããå¤å¶ä»£ç 代ç å¦ä¸:
ãã[root@linuxprobe ~]# systemctl restart unbound
ããdnséªè¯ï¼
ããä¿®æ¹æ¬æºDNS
ãã代ç å¦ä¸:
ãã[root@linuxprobe ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
ããHWADDR=00:0C:29:70:····
ããTYPE=Ethernet
ãã····
ããIPADDR="192.168.10.10"
ããPREFIX="24"
ãã···
ããDNS1=192.168.10.10
ããNAME=eth0
ããONBOOT=no
ãã[root@linuxprobe ~]# systemctl restart network
ããnslookupéªè¯
ãã代ç å¦ä¸:
ãã[root@linuxprobe ~]# nslookup
ããlinuxprobe.example.com.
ãã192.168.10.10
ããok dns设置æå
ããPSï¼å
³éé²ç«å¢
ããå¨æ¬æ¬¡å®éªä¸æ们å
³éäº linux ç3大é²ç«å¢ãå½æ²¡æå
³éé²ç«å¢æ¶ï¼è¿ç¨ä¸»æºéªè¯å¯è½åºç°æ
éï¼è¿æ¶éè¦å¨ DNS æå¡å¨é²ç«å¢ä¸å¼æ¾ DNS æå¡ãæ们以 firewall é²ç«å¢ä¸ºä¾ï¼ä¿®æ¹ä¸ä¸ï¼
ãã代ç å¦ä¸:
ãã[root@linuxprobe ~]# systemctl stop iptables
ãã[root@linuxprobe ~]# systemctl stop ebtables
ãã[root@linuxprobe ~]# systemctl disable iptables
ãã[root@linuxprobe ~]# systemctl disable ebtables
ãã[root@linuxprobe ~]# firewall-cmd --add-service=dns --permanent
ããsuccess
ãã[root@linuxprobe ~]# firewall-cmd --reload
ããsuccess
ãã[root@linuxprobe ~]# firewall-cmd --list-all
ããpublic (default, active)
ããinterfaces: eth0
ããsources:
ããservices: dhcpv6-client dns ssh
ããports:
ããmasquerade: no
ããforward-ports:
ããicmp-blocks:
ããrich rules:
ãã//DNSæå¡å¨ä¸Firewallå¼æ¾DNS访é®ok