Deploying a DNS server on Ubuntu
Environment: Ubuntu 16.04
dns-server: 172.30.21.117
zabbix-server: 172.30.21.105
nexus-server: 172.30.21.112
Installation steps
1. Install the package
apt-get update -y && apt-get install bind9 -y
2. Disable the firewall (a lab shortcut; on a production server keep the firewall and open only port 53 TCP/UDP to the LAN)
ufw disable
3. Add the zone to be served to /etc/bind/named.conf.default-zones, using onap.cmcc as the example
cat /etc/bind/named.conf.default-zones
zone "onap.cmcc" {
    type master;
    file "/etc/bind/db.onap.cmcc";
};
4. Add the zone data file (/etc/bind/db.onap.cmcc)
;
; BIND data file for the onap.cmcc zone
;
$TTL 604800
@ IN SOA onap.cmcc. root.localhost. (
    1 ; Serial
    604800 ; Refresh
    86400 ; Retry
    2419200 ; Expire
    604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
@ IN NS ns1 ; NS data must be a host name that has an A record, never an IP address
ns1 IN A 172.30.21.117 ; address (glue) of this name server
zabbix IN A 172.30.21.105
nexus IN A 172.30.21.112
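Hand-written zone files in this format are easy to get subtly wrong: a name without a trailing dot is relative to the zone, and an NS record must point at a host name, not an address. The following added example (not part of the original post, and not BIND's own tooling) parses a constructed zone file for onap.cmcc in the step-4 format, makes every owner name absolute, and reports NS records whose data is an IP literal or whose in-zone target has no A record; the embedded sample deliberately contains an NS record that points at 172.30.21.117 directly so the check has something to find.

```python
import re

# Constructed sample: the step-4 zone file, keeping its NS-points-at-an-IP defect on purpose.
ZONE_TEXT = """\
$TTL 604800
@ IN SOA onap.cmcc. root.localhost. (
    1 ; Serial
    604800 ; Refresh
    86400 ; Retry
    2419200 ; Expire
    604800 ) ; Negative Cache TTL
@ IN NS localhost.
onap.cmcc IN NS 172.30.21.117
zabbix IN A 172.30.21.105
nexus IN A 172.30.21.112
"""

def parse_zone(text, origin):
    # Returns (owner, type, rdata) tuples with absolute owner names; $ORIGIN is not handled.
    origin = origin.rstrip(".") + "."
    body = re.sub(r";[^\n]*", "", text)                    # strip ; comments
    body = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), body)
    records = []
    for line in body.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("$"):
            continue                                        # blank line or $TTL directive
        owner, rest = parts[0], parts[1:]
        if not owner.endswith("."):                         # "@" is the apex, else relative
            owner = origin if owner == "@" else f"{owner}.{origin}"
        while rest and (rest[0].upper() == "IN" or rest[0].isdigit()):
            rest = rest[1:]                                 # optional class and TTL fields
        if rest:
            records.append((owner, rest[0].upper(), rest[1:]))
    return records

def check_ns(records, origin):
    # Flags NS rdata that is an IP literal, and in-zone NS targets lacking an A (glue) record.
    origin = origin.rstrip(".") + "."
    a_owners = {o for o, t, _ in records if t == "A"}
    findings = []
    for owner, _, rdata in (r for r in records if r[1] == "NS" and r[2]):
        target = rdata[0]
        fqdn = target if target.endswith(".") else f"{target}.{origin}"
        if target.replace(".", "").isdigit():               # "172.30.21.117" is not a host name
            findings.append(f"{owner} NS {target}: NS rdata must be a host name, not an IP")
        elif fqdn.endswith("." + origin) and fqdn not in a_owners:
            findings.append(f"{owner} NS {fqdn}: no A (glue) record for this name in the zone")
    return findings
```

The parsed output also exposes the relative-name trap: the owner `onap.cmcc` without a trailing dot becomes `onap.cmcc.onap.cmcc.`. On the real server, run `named-checkzone onap.cmcc /etc/bind/db.onap.cmcc` and `named-checkconf` before restarting bind9.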
5. Edit named.conf.options so that other machines on the LAN can use this DNS server (change the listen-on statement in options)
acl goodclients {
    172.30.21.0/24; // the subnet the hosts above sit on (172.30.0.0/24 would not match 172.30.21.x clients)
    localhost;
    localnets;
};
options {
    directory "/var/cache/bind";
    //recursion yes; # enable recursion
    //allow-recursion { trusted; }; # allow the "trusted" ACL (not defined in this file) to recurse
    listen-on port 53 { 127.0.0.1; 172.30.21.117; }; # ns1's LAN address; listen on the internal network only
    allow-transfer { none; }; # zone transfers disabled by default
    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113
    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.
    // forwarders {
    //     0.0.0.0;
    // };
    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;
    auth-nxdomain no; # conform to RFC1035
    listen-on-v6 { any; }; # stock default; restrict this too if IPv6 is in use on the LAN
    forwarders {
        202.106.0.20;
        8.8.8.8;
    };
    allow-query { goodclients; };
};
6. Restart the DNS server
service bind9 restart
7. Point a client at the DNS server and test resolution (on Ubuntu 16.04 resolvconf may regenerate /etc/resolv.conf, in which case add the nameserver through resolvconf's own configuration instead)
echo "nameserver 172.30.21.117" >> /etc/resolv.conf
nslookup zabbix.onap.cmcc
8. Managing BIND with rndc
BIND 9 introduced rndc (remote name daemon control), an extension of the older ndc. It lets the system administrator control BIND remotely or locally (localhost) with rndc commands, and secures the channel with a shared key so that unauthorized users cannot control BIND.
rndc flush              clear the local DNS cache
rndc flushname name     flush the cached entries for the given name
rndc reload             reload the DNS server's configuration and zones
rndc status             show the current status of the DNS server
rndc stop               stop the DNS server
rndc restart            restart the DNS server (rndc itself has no restart subcommand; use service bind9 restart from step 6)
rndc stats              write DNS statistics to the statistics-file
rndc dumpdb             dump the whole cache to named_dump.db so it can be inspected; the DNS cache lives in memory
Counters in the statistics file:
success: number of successful queries
referral: number of non-recursive (referral) queries
nxrrset: the name exists but has no record of the requested type
nxdomain: the name does not exist at all
recursion: number of recursive queries
failure: number of failed responses other than those listed above