1 安装bind9

1 准备工作

1 安装epel源
# Enable the EPEL repository (non-interactive).
yum -y install epel-release
2 安装常用工具
# Common admin and diagnostic tools; bind-utils provides dig, used later on this page.
yum -y install \
  wget net-tools telnet tree nmap sysstat lrzsz dos2unix bind-utils vim
3 系统优化
# Interactive edit: append the two nofile lines shown below to the limits file.
vi /etc/security/limits.conf
追加
# Raise the open-file limit for every user ("*") to 65535. Soft and hard are
# set to the same value so a process cannot raise it further. This applies to
# new login sessions; processes already running keep their old limit.
* soft nofile 65535
* hard nofile 65535
4 在 rstx4-201.rongbiz.cn 上安装 bind
# Install the BIND server package, then list it to confirm it is present.
yum -y install bind
rpm -qa bind

配置bind

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
	// Bind only this LAN address on IPv4; no listen-on-v6 is present, so
	// nothing is listened on for IPv6.
	// NOTE(review): the annotated excerpt further down this page shows
	// 192.168.1.111 here, while the zone files and dig checks use
	// 192.168.1.201 — confirm which address is intended.
	listen-on port 53 { 192.168.1.201; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	recursing-file  "/var/named/data/named.recursing";
	secroots-file   "/var/named/data/named.secroots";
	// Any source that can reach the listen address may query. With
	// "recursion yes" below and no allow-recursion statement, BIND falls
	// back to allow-query for recursion, so this also serves recursive
	// lookups to any such source. The comment block below explains why
	// that matters; an ACL such as
	//   allow-recursion { 192.168.1.0/24; };   // example prefix built from this page's hosts
	// limits recursion to the office network.
	allow-query     { any; };
	// Names outside the local zones are sent to this upstream resolver.
	// NOTE(review): the annotated excerpt on this page forwards to
	// 192.168.1.1 (the office gateway) instead — confirm which upstream
	// is intended.
        forwarders      { 223.5.5.5; };
	/*
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable
	   recursion.
	 - If your recursive DNS server has a public IP address, you MUST enable access
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface
	*/
	recursion yes;

	// Validation is off: answers relayed from the forwarder are accepted
	// without DNSSEC checking. dnssec-validation is the option that
	// decides this; dnssec-enable is deprecated in newer BIND 9 releases
	// (the annotated excerpt on this page sets it to "no").
	dnssec-enable yes;
	dnssec-validation no;

	/* Path to ISC DLV key */
	// NOTE(review): the ISC DLV registry has been retired; this line is
	// kept from the stock package config and is not relied on here.
	bindkeys-file "/etc/named.root.key";

	managed-keys-directory "/var/named/dynamic";

	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";
};



[root@rstx4-201 ~]# vi /etc/named.conf			# BIND进程的工作属性,区域的定义
13         listen-on port 53 { 192.168.1.111; };	# listen on this host's IP only (the rest of this page uses 192.168.1.201 — confirm)
14         listen-on-v6 port 53 { ::1; };		# delete this line: do not listen on IPv6
20         allow-query     { any; };			# allow every host to query; with recursion yes below this also opens recursion — consider an allow-recursion ACL for the LAN
21         forwarders      { 192.168.1.1; };		# upstream DNS of the office network
33         recursion yes;				# resolve recursively on behalf of clients
35         dnssec-enable no;				# off to save resources (production may not need this turned off)
36         dnssec-validation no;			# off to save resources; answers from the forwarder are not DNSSEC-validated

检查配置文件是否正确

[root@rstx4-201 ~]# named-checkconf
[root@rstx4-201 ~]# echo $?
0

配置区域配置文件
[root@rstx4-201 ~]# vi /etc/named.rfc1912.zones

最后添加

// Internal authoritative zones. Both are "master" with no secondaries
// declared on this page, so the single NS in each zone file is the only
// name server for them.
zone "rongbiz.cn" IN {
        type  master;
        file  "rongbiz.cn.zone";
        // Dynamic updates are accepted from 192.168.1.201 (this server
        // itself) on source address alone, with no TSIG key. An IP-only
        // ACL is the weakest form of update control: use a key-based
        // policy (key / update-policy) if updates are actually needed,
        // or drop this line (the default is allow-update { none; }).
        // NOTE(review): accepting updates also requires named to write the
        // zone and journal files, but this page later sets the zone files
        // to root:named 0640 — confirm updates are really wanted.
        allow-update { 192.168.1.201; };
};
zone "host.com" IN {
        type  master;
        file  "host.com.zone";
        // Same IP-only update ACL as above; see the note there.
        // NOTE(review): host.com is a name that also exists on the public
        // Internet; answering for it here means every client of this
        // resolver gets the internal records instead of the public ones.
        allow-update { 192.168.1.201; };
};


配置区域数据文件
host.com

cat /var/named/host.com.zone 
; Zone data for host.com, served by this host (192.168.1.201).
$ORIGIN host.com.
$TTL 600	; 10 minutes (default TTL for the SOA and NS records)
; SOA: primary server dns.host.com., contact mailbox dnsadmin@host.com
; (the first label of the RNAME is the local part of the address).
; The serial must be increased on every edit or secondaries never pick up
; the change; named-checkzone reports the serial it loaded.
@   		IN SOA	dns.host.com. dnsadmin.host.com. (
				2020122801 ; serial
				10800      ; refresh (3 hours)
				900        ; retry (15 minutes)
				604800     ; expire (1 week)
				86400      ; minimum (1 day)
				)
; Only one NS — this server. No secondary means no resolution if it is down.
				NS   dns.host.com.
$TTL 60	; 1 minute, applies to every A record below
; Host records. No reverse (PTR) zone is configured on this page, so
; reverse lookups for these addresses go to the forwarder.
dns         A    192.168.1.201
rstx4-201   A    192.168.1.201
rstx4-202   A    192.168.1.202
rstx4-203   A    192.168.1.203
rstx4-204   A    192.168.1.204
rstx4-205   A    192.168.1.205
rstx4-214   A    192.168.1.214
rstx4-240   A    192.168.1.240
rstx4-241   A    192.168.1.241
rstx4-53    A    192.168.1.53

rongbiz.cn

[root@rstx4-201 ~]# vi /var/named/rongbiz.cn.zone
; Zone data for rongbiz.cn, served by this host (192.168.1.201).
$ORIGIN rongbiz.cn.
$TTL 600	; 10 minutes (default TTL for the SOA and NS records)
; SOA: primary server dns.rongbiz.cn., contact mailbox dnsadmin@rongbiz.cn.
; Bump the serial on every edit; named-checkzone shows the serial it loaded.
@   		IN SOA	dns.rongbiz.cn. dnsadmin.rongbiz.cn. (
				2020071501 ; serial
				10800      ; refresh (3 hours)
				900        ; retry (15 minutes)
				604800     ; expire (1 week)
				86400      ; minimum (1 day)
				)
; Only one NS — this server; no secondary is declared on this page.
				NS   dns.rongbiz.cn.
$TTL 60	; 1 minute, applies to every A record below
; Host records; the same addresses as in host.com.zone minus 214/240/241.
dns         A    192.168.1.201
rstx4-201   A    192.168.1.201
rstx4-202   A    192.168.1.202
rstx4-203   A    192.168.1.203
rstx4-204   A    192.168.1.204
rstx4-205   A    192.168.1.205
rstx4-53    A    192.168.1.53

检查配置文件是否正确

[root@rstx4-201 named]# named-checkconf
[root@rstx4-201 named]# echo $?
0
[root@rstx-201 ~]# dig -t A rstx4-214.host.com @192.168.1.201 +short
192.168.1.214

检测区域数据文件

[root@rstx4-201 named]# named-checkzone "rongbiz.cn" /var/named/rongbiz.cn.zone 
zone rongbiz.cn/IN: loaded serial 2020071501
OK

更改区域数据文件的属组和权限

[root@rstx4-201 named]# chown root:named /var/named/host.com.zone 
[root@rstx4-201 named]# chown root:named /var/named/rongbiz.cn.zone
[root@rstx4-201 named]# chmod 640 /var/named/host.com.zone 
[root@rstx4-201 named]# chmod 640 /var/named/rongbiz.cn.zone

启动named
[root@rstx4-201 named]# systemctl restart named
[root@rstx4-201 named]# systemctl enable named

查看监听端口
[root@rstx4-201 named]# netstat -luntp | grep 53

验证解析
[root@rstx4-201 named]# dig -t A rstx4-201.rongbiz.cn @192.168.1.201 +short
192.168.1.201
[root@rstx4-201 named]# dig -t A rstx4-205.rongbiz.cn @192.168.1.201 +short
192.168.1.205

更改客户端dns

# vi /etc/sysconfig/network-scripts/ifcfg-eth0
DNS1="192.168.1.201"
[root@rstx4-201 named]# systemctl restart network

[root@moban rpm-gpg]# cat /etc/resolv.conf 
# Generated by NetworkManager
search rongbiz.cn
nameserver 192.168.1.201

[root@rstx4-201 named]# ping rstx4-201.rongbiz.cn

添加主机域 search host.com，以便使用短主机名
[root@rstx4-201 named]# cat /etc/resolv.conf 
# Generated by NetworkManager
search rongbiz.cn

[root@rstx4-201 named]# ping rstx4-201

更改所有主机的 DNS 并重启网卡
# vi /etc/sysconfig/network-scripts/ifcfg-eth0
DNS1="192.168.1.201"
# systemctl restart network

将虚拟机的网卡 DNS 也改成 192.168.1.201（IPv4 -- 高级 -- 跃点数改成 20）
将本机的网卡 DNS 也改成 192.168.1.201（IPv4 -- 高级 -- 跃点数改成 20）
原文地址:https://www.cnblogs.com/yangtao416/p/13306098.html