Bind的编译安装

用户1456517

发布于 2019-03-05 16:12:53

1.9K0

发布于 2019-03-05 16:12:53

文章被收录于专栏：芝麻实验室芝麻实验室

编译安装具有高度可定制性，非常适用于有特殊需求的场合。这里我们将以Centos 6为例，编译安装bind程序包并从零构建DNS服务器

首先，说明一下笔者的示例环境：

Centos 6
bind 9.11.2.tar.gz

注：如果之前通过yum安装过bind软件，建议备份相关数据后，使用"yum remove bind"卸载相关文件，并手动删除相关文件和用户及组，以达到最佳实验效果。

准备工作

下载bind源码包(官网直通车)

[root@centos6 ~]# wget -O /usr/src/bind-9-11-2.tar.gz https://www.isc.org/downloads/file/bind-9-11-2/

临时关闭SELinxu和防火墙(或通过编辑配置文件永久关闭)

[root@Centos6 ~]# setenforce 0  
[root@Centos6 ~]# service iptables stop

创建bind专用的系统用户和组

[root@centos6 ~]# useradd -r -u 57 -m -d /var/named -s /sbin/nologin na
med
[root@centos6 ~]# id named
uid=57(named) gid=57(named) groups=57(named)

编译安装

安装开发工具组

[root@Centos6 bind-9.11.2]# yum groupinstall "development tools "

解压源码包

[root@Centos6 ~]# cd /usr/src/
[root@Centos6 src]# tar zxf bind-9-11-2.tar.gz
[root@Centos6 src]# cd bind-9.11.2/

编译安装

[root@Centos6 bind-9.11.2]# ./configure --prefix=/usr/local/bind --sysconfdir=/etc/bind --without-openssl
[root@Centos6 bind-9.11.2]# make -j 4
[root@Centos6 bind-9.11.2]# make install

添加PATH及帮助手册

添加named到PATH

[root@Centos6 bind-9.11.2]# cd /usr/local/bind
[root@Centos6 bind]# named --help  #当前named不可用
-bash: named: command not found
[root@Centos6 bind]# pwd
/usr/local/bind
[root@Centos6 bind]# ls
bin  include  lib  sbin  share  var
[root@Centos6 bind]# vim /etc/profile.d/named.sh
[root@Centos6 bind]# cat /etc/profile.d/named.sh
export PATH=/usr/local/bind/bin:/usr/local/bind/sbin:$PATH
[root@Centos6 bind]# source /etc/profile.d/named.sh  #重新读取PATH使其生效
[root@Centos6 bind]# named --help
usage: named [-4|-6] [-c conffile] [-d debuglevel] [-E engine] [-f|-g]
             [-n number_of_cpus] [-p port] [-s] [-S sockets] [-t chrootdir]
             [-u username] [-U listeners] [-m {usage|trace|record|size|mctx}
]
usage: named [-v|-V]
named: unknown option '--'

添加man手册

[root@Centos6 bind]# man named  #当前man不可用
No manual entry for named
[root@Centos6 bind]# ll share/
total 4
drwxr-xr-x 6 root root 4096 Sep 22 19:40 man
[root@Centos6 bind]# cd share/man/
[root@Centos6 man]# pwd
/usr/local/bind/share/man
[root@Centos6 man]# vim /etc/man.config  #添加man路径到man的系统配置文件
    MANPATH /usr/local/bind/share/man 或echo
[root@Centos6 man]# man named  #
NAMED(8)                             BIND9                            NAMED(
8)

NAME
       named - Internet domain name server

SYNOPSIS
       named [-4] [-6] [-c config-file] [-d debug-level] [-D string]
             [-E engine-name] [-f] [-g] [-L logfile] [-M option]
             [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks]
             [-t directory] [-U #listeners] [-u user] [-v] [-V]
             [-X lock-file] [-x cache-file]

创建相关配置文件

获取全球13个根域地址

[root@Centos6 man]# dig -t NS . > /var/named/named.ca

创建named服务的主配置文件

[root@Centos6 man]# vim /etc/named/named.conf
[root@Centos6 man]# cat /etc/named/named.conf
options {
        directory "/var/named";
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "zhimajihua.cn" IN {
        type master;
        file "zhimajihua.cn.zone";
};
[root@Centos6 man]# named-checkconf     #语法检查

创建区域解析库文件

[root@Centos6 man]# vim /var/named/zhimajihua.cn.zone
You have mail in /var/spool/mail/root
[root@Centos6 man]# cat /var/named/zhimajihua.cn.zone
$TTL=86400
@ IN SOA ns1 mu.zhimajihua.cn. (
        20170923
        1D
        1H
        1W
        3H
)

        NS      ns1
ns1     A       192.168.1.19
www     A       192.168.1.19
[root@Centos6 man]# named-checkzone 'zhimajihua.cn' /var/named/zhimajihua.cn    #语法检查
.zone
zone zhimajihua.cn/IN: loaded serial 20170923
OK

修改文件权限

[root@Centos6 man]# chgrp named /var/named/* /etc/bind/*
[root@Centos6 man]# ll /var/named/ /etc/bind
/etc/bind:
total 8
-rw-r--r-- 1 root named 3923 Sep 22 23:16 bind.keys
-rw-r--r-- 1 root named  158 Sep 23 00:18 named.conf

/var/named/:
total 8
-rw-r--r-- 1 root named 109 Sep 22 23:40 named.ca
-rw-r--r-- 1 root named 128 Sep 23 00:11 zhimajihua.cn.zone

运行named服务。具体的参数请参考man named或named --help

[root@Centos6 man]# named -u named -f -g -d 3

在客户机测试bind主机能否正确解析。如dig命令回显所示，可以正常工作。

[root@Centos7 ~]# dig www.zhimajihua.cn @192.168.1.19

; <<>> DiG 9.9.9-P1 <<>> www.zhimajihua.cn @192.168.1.19
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58094
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.zhimajihua.cn.             IN      A

;; ANSWER SECTION:
www.zhimajihua.cn.      86400   IN      A       192.168.1.19

;; AUTHORITY SECTION:
zhimajihua.cn.          86400   IN      NS      ns1.zhimajihua.cn.

;; ADDITIONAL SECTION:
ns1.zhimajihua.cn.      86400   IN      A       192.168.1.19

;; Query time: 1 msec
;; SERVER: 192.168.1.19#53(192.168.1.19)
;; WHEN: Sat Sep 23 19:30:36 DST 2017
;; MSG SIZE  rcvd: 96

配置rndc管理工具

编译安装bind时，将同时安装rndc，但是rndc的运行依赖于key身份认证机制，如果直接运行将收到如下提示，因此我们需要生成key来运行rndc

[root@Centos6 man]# rndc status
rndc: neither /etc/bind/rndc.conf nor /etc/bind/rndc.key was found

根据提示，需要rndc.conf或rndc.key文件，我们以前者为例，其实质都是通过key来认证身份。

[root@Centos6 man]# rndc-confgen -r /dev/urandom > /etc/bind/rndc.conf
[root@Centos6 man]# cd /etc/bind
[root@Centos6 bind]# ll
total 12
-rw-r--r-- 1 root named 3923 Sep 23 08:58 bind.keys
-rw-r--r-- 1 root named  158 Sep 23 19:20 named.conf
-rw-r--r-- 1 root root   479 Sep 23 19:36 rndc.conf
[root@Centos6 bind]# cat rndc.conf
# Start of rndc.conf
key "rndc-key" {
        algorithm hmac-md5;
        secret "91Fwof/7rR3QoV52tyyxaw==";
};

options {
        default-key "rndc-key";
        default-server 127.0.0.1;
        default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#       algorithm hmac-md5;
#       secret "91Fwof/7rR3QoV52tyyxaw==";
# };
#
# controls {
#       inet 127.0.0.1 port 953
#               allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf

我们需要将注释部分的密钥信息导入到named.conf中来完成key的身份认证

[root@Centos6 bind]# vim named.conf
[root@Centos6 bind]# cat named.conf
options {
        directory "/var/named";
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "zhimajihua.cn" IN {
        type master;
        file "zhimajihua.cn.zone";
};

# Use with the following in named.conf, adjusting the allow list as needed:
 key "rndc-key" {
        algorithm hmac-md5;
        secret "91Fwof/7rR3QoV52tyyxaw==";
 };

 controls {
        inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
 };

现在我们使用rndc status会提示连接被拒绝，我们需要重新运行named及rndc

[root@Centos6 bind]# named -u named -d 3 -f -g
[root@Centos6 ~]# ss -tulnp |grep 953  #下面的953端口及rndc使用的端口
tcp    LISTEN     0      128            127.0.0.1:953                   *:*
     users:(("named",2705,25))

现在rndc已经可以正常运行。你可以参考rndc --help及man rndc来获得更多rndc的帮助信息。

[root@Centos6 ~]# rndc status
version: BIND 9.11.2 <id:0a2b929>
running on Centos6: Linux x86_64 2.6.32-696.el6.x86_64 #1 SMP Tue Mar 21 19:
29:05 UTC 2017
boot time: Sat, 23 Sep 2017 19:47:16 GMT
last configured: Sat, 23 Sep 2017 19:47:16 GMT
configuration file: /etc/bind/named.conf
CPUs found: 4
worker threads: 4
UDP listeners per interface: 3
number of zones: 100 (98 automatic)
debug level: 3
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/900/1000
tcp clients: 0/150
server is up and running

本文参与腾讯云自媒体分享计划，分享自作者个人站点/博客。

原始发表：2017/09/23，如有侵权请联系 cloudcommunity@tencent.com 删除

打包