bind 配置
本文档属于生产系统 K8S 环境迁移系列，在全部文档中编号为 1，内容为前置服务 DNS（bind）的配置。
安装
# Server (bind) plus the client tools such as dig/nslookup (bind-utils).
yum install -y bind bind-utils
修改主配置文件
- 准备工作目录
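# Working directory for named (the "directory" option in named.conf) together
# with the data/ and dynamic/ subdirectories that dump-file, statistics-file,
# memstatistics-file, recursing-file, secroots-file, the logging channel and
# managed-keys-directory point at; the original step never created them.
mkdir -p /server/named/data /server/named/dynamic
chown -R root:named /server/named
# named runs as the named user and must write data/ and dynamic/; because
# ylls.com allows dynamic updates, it also writes a journal (.jnl) and rewrites
# ylls.com.zone in the zone directory itself, so that directory has to be
# group-writable too.
chmod 770 /server/named /server/named/data /server/named/dynamic
# The stock zone files referenced by named.conf / named.rfc1912.zones are
# shipped under /var/named; with "directory" moved they must be present here.
cp -p /var/named/named.ca /var/named/named.localhost \
  /var/named/named.loopback /var/named/named.empty /server/named/
# NOTE(review): if SELinux is enforcing, a path outside /var/named lacks the
# named_* file contexts and named will not be able to read/write it — label it
# (semanage fcontext ... "/server/named(/.*)?" then restorecon -R /server/named)
# or put the tree under /var/named instead. Confirm the SELinux mode first.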
- 备份主配置文件
/etc/named.conf
# Keep a pristine copy of the packaged named.conf next to it before editing.
cp -- /etc/named.conf{,.bak}
- 修改主配置文件
// Main named.conf for the K8S-migration DNS server; the working directory,
// cache/statistics files and the rndc control channel all hang off it.
options {
// Serve only on the host's LAN address; the same address is used below for
// allow-update (rfc1912 zones), rndc default-server and controls.
listen-on port 53 { 172.27.10.10; };
listen-on-v6 port 53 { ::1; };
// Relative "file" paths (named.ca, ylls.com.zone, the rfc1912 zone files,
// the logging channel's data/named.run) resolve against this directory.
directory "/server/named";
// data/ and dynamic/ below must exist and be writable by the named user.
dump-file "/server/named/data/cache_dump.db";
statistics-file "/server/named/data/named_stats.txt";
memstatistics-file "/server/named/data/named_mem_stats.txt";
recursing-file "/server/named/data/named.recursing";
secroots-file "/server/named/data/named.secroots";
// NOTE(review): "any" together with "recursion yes" turns this into an open
// recursive resolver for every host that can reach 172.27.10.10. If that
// address is reachable beyond the migration hosts, add
// allow-recursion { <your internal prefixes>; } — the intended client scope
// is not stated in this document.
allow-query { any; };
recursion yes;
// DNSSEC validation is off, so answers relayed from the forwarders are
// accepted as-is. NOTE(review): dnssec-enable is deprecated in newer BIND
// releases — confirm the installed version still accepts it.
dnssec-enable no;
dnssec-validation no;
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/server/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
// "first": ask the forwarders, and fall back to iterative resolution via the
// root hints below if they do not answer.
forward first;
forwarders {
223.5.5.5;
223.6.6.6;
8.8.8.8;
8.8.4.4;
};
};
logging {
// Debug output goes to data/named.run under the directory set above.
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
// Root hints, used when forwarding falls through.
zone "." IN {
type hint;
file "named.ca";
};
// The local zones plus the ylls.com zone live in the rfc1912 file (edited next).
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
- 区域配置文件
# Open the zone-definition file; the full contents it should have afterwards
# follow, the ylls.com stanza at the end being the site-specific part.
vim -- /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// The "file" names below are relative to the options { directory } of
// named.conf (/server/named in this setup), so named.localhost,
// named.loopback and named.empty have to be present there.
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
// Authoritative (master) zone for the migration environment; its data is
// /server/named/ylls.com.zone and the record set is shown further down.
zone "ylls.com" IN{
type master;
file "ylls.com.zone";
// allow-update makes this a dynamic zone: named keeps a journal next to the
// zone file and rewrites the file itself, which is why later edits go through
// "rndc freeze / thaw" rather than "rndc reload".
// NOTE(review): authorising updates by source address alone is weak — a
// packet with a forged 172.27.10.10 source can rewrite records. A TSIG key
// (tsig-keygen, then allow-update { key "<name>"; }) is the usual fix.
allow-update { 172.27.10.10; };
};
- 配置区域数据文件
# Create the zone data file under the named working directory; its contents
# are listed below.
vim -- /server/named/ylls.com.zone
; /server/named/ylls.com.zone — data for the "ylls.com" master zone.
; Names after $ORIGIN are relative to ylls.com. unless they end in a dot.
$ORIGIN ylls.com.
$TTL 600 ;10 minutes
; SOA: primary server dns.ylls.com., responsible mailbox admin@ylls.com
; (the first dot of "admin.ylls.com." stands for the "@").
@ IN SOA dns.ylls.com. admin.ylls.com. (
2022090801 ; serial (YYYYMMDDnn; raise it on every change)
10800 ; refresh
900 ; retry
604800 ; expire
86400 ; minimum (negative-answer caching TTL)
)
; Nameserver for the zone; "dns" expands to dns.ylls.com.
@ NS dns
; Records from here on default to a 60 s TTL instead of the 600 s set above.
$TTL 60
dns IN A 172.27.10.10
- 测试配置并启动
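# Validate the configuration and load every zone (-z) first; the service is
# only started and enabled when the check passes, so a typo in named.conf or
# ylls.com.zone cannot leave the resolver down.
named-checkconf -z \
  && systemctl start named \
  && systemctl enable named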
使用rndc管理bind
rndc 是 BIND 安装包自带的控制域名服务运行的工具，可以在不重启 BIND 的情况下更新 zone 及解析记录等配置。
- 生成密钥
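# rndc.conf holds the shared HMAC secret for the control channel. Create it
# under a restrictive umask so it is never briefly world-readable (the plain
# redirect inherits the default umask), then limit it to root and the named
# group.
( umask 077 && rndc-confgen -r /dev/urandom > /etc/rndc.conf ) \
  && chown root:named /etc/rndc.conf \
  && chmod 640 /etc/rndc.conf
# NOTE(review): -r /dev/urandom is accepted by the BIND that "yum install"
# delivers here; newer BIND releases deprecate/remove the flag — check
# rndc-confgen -h on the installed version. Where -A is available, generating
# an hmac-sha256 key instead of the legacy hmac-md5 is preferable.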
- 配置文件/etc/rndc.conf
# /etc/rndc.conf — client side of the rndc control channel, as written by
# rndc-confgen. The key block must appear verbatim in named.conf as well.
key "rndc-key" {
# NOTE(review): hmac-md5 is what this rndc-confgen emitted; newer versions
# default to hmac-sha256 (or accept -A hmac-sha256) — prefer that when the
# installed version supports it. Both sides must use the same algorithm.
algorithm hmac-md5;
# Generated secret: this value belongs to the machine the document was written
# on; every installation gets its own, and the file must not be world-readable.
secret "JjMnAPTBGSJOwVKhLXDosw==";
};
options {
default-key "rndc-key";
# Must match the address named listens on in its controls { inet ... } stanza.
default-server 172.27.10.10;
default-port 953;
};
- 更改named.conf
将以下内容加入named.conf
// Server side of the rndc control channel: the key block is byte-for-byte the
// one from /etc/rndc.conf (same name, algorithm and secret).
key "rndc-key" {
algorithm hmac-md5;
secret "JjMnAPTBGSJOwVKhLXDosw==";
};
// Listen for rndc on the LAN address; accept only that address and only
// requests signed with rndc-key. NOTE(review): rndc is run on this host
// (default-server points back at it), so inet 127.0.0.1 would keep port 953
// off the network entirely; rndc.conf's default-server would then be
// 127.0.0.1 as well.
controls {
inet 172.27.10.10 port 953
allow { 172.27.10.10; } keys { "rndc-key"; };
};
- 重启bind
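# The key and controls stanzas need a full restart to take effect; check the
# configuration first so a mistake in the pasted block does not take DNS down.
named-checkconf -z && systemctl restart named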
- 通过rndc刷新ylls.com.zone
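# Freeze first: it writes pending dynamic updates from the journal back into
# ylls.com.zone and suspends further updates. The manual edit of
# /server/named/ylls.com.zone (including raising the SOA serial) belongs
# between freeze and thaw — an edit made before the freeze can be overwritten
# when the journal is written out.
rndc freeze ylls.com
# ... edit /server/named/ylls.com.zone here ...
# Thaw re-enables dynamic updates and reloads the zone from the edited file.
rndc thaw ylls.com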
注意：ylls.com 配置了 allow-update，属于动态区域，直接用 rndc reload ylls.com 会报错，因此要用上面的 freeze/thaw。
- rndc基本命令
status #显示bind服务器的工作状态
reload #重新加载配置文件和区域文件
reload zone_name #重新加载指定区域
reconfig #重读配置文件并加载新增的区域
querylog #关闭或开启查询日志
dumpdb #将高速缓存转储到转储文件 (named_dump.db)
freeze #暂停更新所有动态zone
freeze zone [class [view]] #暂停更新一个动态zone
thaw #启用动态区域的更新并重新加载区域文件
flush [view] #刷新服务器的所有高速缓存
flushname name #从服务器的高速缓存中刷新指定名称的记录
stats #将服务器统计信息写入统计文件中
stop #将暂挂更新保存到主文件并停止服务器
halt #停止服务器,但不保存暂挂更新
trace #打开debug, debug有级别的概念,每执行一次提升一次级别
trace LEVEL #指定 debug 的级别, trace 0 表示关闭debug
notrace #将调试级别设置为 0
addzone zone [class [view]] { zone-options } #增加一个zone
delzone zone [class [view]] #删除一个zone
tsig-delete keyname [view] #删除一个TSIG key
tsig-list #查询当前有效的TSIG列表
validation newstate [view] #开启/关闭dnssec