BIND (Simplified Chinese)
The Berkeley Internet Name Daemon (BIND) is a reference implementation of the DNS protocol.
Installation
Start the named daemon.
Caching DNS server
BIND's default configuration is already a caching DNS server and can be used as is.
You can edit /etc/named.conf and add the following line inside options to allow queries only from localhost:
listen-on { 127.0.0.1; };
If you want to answer queries from outside, you need to edit /etc/named.conf and change
allow-recursion { 127.0.0.1; };
to
allow-recursion { any; };
You can edit /etc/resolv.conf so that the local machine is used as the DNS server:
nameserver 127.0.0.1
Restart the named daemon.
Authoritative DNS server
Below is a simple tutorial on how to set up your own authoritative zone; it assumes the zone is "domain.tld" (replace it with your real domain).
A more detailed tutorial is Two-in-one DNS server with BIND9.
1. Set up a zone file
# nano /var/named/domain.tld.zone
$TTL 7200 ; domain.tld
@ IN SOA ns01.domain.tld. postmaster.domain.tld. (
        2007011601 ; Serial
        28800      ; Refresh
        1800       ; Retry
        604800     ; Expire - 1 week
        86400 )    ; Minimum
        IN NS ns01
        IN NS ns02
ns01      IN A 0.0.0.0
ns02      IN A 0.0.0.0
localhost IN A 127.0.0.1
@         IN MX 10 mail
imap      IN CNAME mail
smtp      IN CNAME mail
@         IN A 0.0.0.0
www       IN A 0.0.0.0
mail      IN A 0.0.0.0
@         IN TXT "v=spf1 mx"
$TTL defines the default TTL, in seconds, for records in this file that do not specify one. In this example the default TTL is 2 hours.
Every time you modify the zone file you need to increment the Serial and then restart named; otherwise the BIND master server will not send the zone changes to the slave servers. The master only sends changes to a slave when the Serial in the master's zone file is greater than the slave's.
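As an added example that is not part of the original page, the following Python checker works on the zone file format shown above: it parses $TTL and the SOA serial, verifies that the serial was incremented relative to the previously published one (the condition under which slaves transfer the zone), and flags NS names without an in-zone address record as well as the 0.0.0.0 placeholder addresses left over from the template. The sample zone is the page's example embedded inline; the function names and the simplified parser (no $ORIGIN or $INCLUDE handling, no ';' inside quoted strings) are assumptions of this example.

```python
import re
import shlex

# Constructed sample: the page's example zone file, embedded inline so the
# checker runs offline. The 0.0.0.0 addresses are the template's placeholders.
SAMPLE_ZONE = """\
$TTL 7200 ; domain.tld
@ IN SOA ns01.domain.tld. postmaster.domain.tld. (
        2007011601 ; Serial
        28800      ; Refresh
        1800       ; Retry
        604800     ; Expire - 1 week
        86400 )    ; Minimum
        IN NS ns01
        IN NS ns02
ns01      IN A 0.0.0.0
ns02      IN A 0.0.0.0
localhost IN A 127.0.0.1
@         IN MX 10 mail
imap      IN CNAME mail
smtp      IN CNAME mail
@         IN A 0.0.0.0
www       IN A 0.0.0.0
mail      IN A 0.0.0.0
@         IN TXT "v=spf1 mx"
"""


def _logical_lines(text):
    """Strip ';' comments and join parenthesised continuations (the SOA) into one line.
    Assumption: no ';' inside quoted strings and no $INCLUDE directives."""
    lines, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].rstrip()
        if not line.strip():
            continue
        if depth > 0:
            lines[-1] += ' ' + line.strip()
        else:
            lines.append(line)
        depth += line.count('(') - line.count(')')
    # parentheses only group lines; drop them once the lines are joined
    return [ln.replace('(', ' ').replace(')', ' ') for ln in lines]


def parse_zone(text):
    """Return the default TTL, the SOA serial and a list of (owner, type, rdata) records."""
    zone = {'ttl': None, 'serial': None, 'records': []}
    owner = '@'
    for line in _logical_lines(text):
        tokens = shlex.split(line)
        if tokens[0] == '$TTL':
            zone['ttl'] = int(tokens[1])
            continue
        if tokens[0].startswith('$'):
            continue                                  # other directives not needed here
        if not line[0].isspace():                     # a new owner name starts the line
            owner = tokens.pop(0)
        if tokens and tokens[0].isdigit():            # optional per-record TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() == 'IN':      # optional class
            tokens.pop(0)
        rtype, rdata = tokens[0].upper(), tokens[1:]
        zone['records'].append((owner, rtype, rdata))
        if rtype == 'SOA':
            # SOA rdata: mname rname serial refresh retry expire minimum
            zone['serial'] = int(rdata[2])
    return zone


def check_zone(text, previous_serial=None):
    """Return a list of problems to fix before publishing the zone."""
    zone = parse_zone(text)
    problems = []
    if previous_serial is not None and zone['serial'] <= previous_serial:
        problems.append('serial %d is not greater than the published serial %d; '
                        'slaves will not pick up the change' % (zone['serial'], previous_serial))
    with_addr = {o for o, t, _ in zone['records'] if t in ('A', 'AAAA')}
    for owner, rtype, rdata in zone['records']:
        if rtype == 'NS' and not rdata[0].endswith('.') and rdata[0] not in with_addr:
            problems.append('NS %s has no in-zone A/AAAA record' % rdata[0])
        if rtype in ('A', 'AAAA') and rdata[0] in ('0.0.0.0', '::'):
            problems.append('%s %s still has the placeholder address %s' % (owner, rtype, rdata[0]))
    return problems


def bump_serial(text):
    """Increment the SOA serial by one, the step the page requires after every edit."""
    old = parse_zone(text)['serial']
    return re.sub(r'\b%d\b' % old, str(old + 1), text, count=1)


if __name__ == '__main__':
    print('default TTL:', parse_zone(SAMPLE_ZONE)['ttl'])
    for p in check_zone(SAMPLE_ZONE, previous_serial=2007011601):
        print('-', p)
    print('serial after bump:', parse_zone(bump_serial(SAMPLE_ZONE))['serial'])
```

Run it against a zone file that is about to be reloaded, passing the serial currently visible on the slaves as previous_serial; an unchanged serial is reported as a problem because the slaves would silently keep serving the old data.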
2. Configure the master server
Add your zone to /etc/named.conf:
zone "domain.tld" IN {
    type master;
    file "domain.tld.zone";
    allow-update { none; };
    notify no;
};
If you want BIND to act only as an authoritative server and not perform recursive queries, you can turn recursion off in the "options" block of /etc/named.conf:
recursion no;
Restart "named".
3. Configure the slave server
TODO
Forwarding-only DNS server
If you have problems with, for example, VPN connections, they can sometimes be solved by setting up a forwarding DNS server. This is very simple with BIND. Add these lines to /etc/named.conf, and change the IP address according to your setup.
listen-on { 192.168.66.1; };
forwarders { 8.8.8.8; 8.8.4.4; };
Don't forget to restart the service!
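The three named.conf variants on this page (the loopback-only caching resolver, the authoritative-only server with recursion no, and the forwarding server) differ only in a few options statements, and the allow-recursion { any; } change in the caching section is the one that turns a resolver into one that answers recursive queries for everyone. As an added example that is neither the page's nor the BIND project's code, the Python audit below parses the options block and classifies the configuration into those roles, reporting the open-resolver case separately. The sample configurations, the function names and the default values assumed for absent statements (BIND 9's documented defaults) are assumptions of this example; the parser handles only the statement shapes shown here.

```python
import re

# Constructed sample configurations built from the directives on this page;
# the surrounding options block and the zone statement are assumptions.
LOCAL_CACHING = """
options {
    directory "/var/named";
    listen-on { 127.0.0.1; };
    allow-recursion { 127.0.0.1; };
};
"""

OPEN_TO_EVERYONE = """
options {
    directory "/var/named";
    listen-on { any; };
    allow-recursion { any; };   // recursion for every client on every interface
};
"""

AUTHORITATIVE_ONLY = """
options {
    directory "/var/named";
    recursion no;
};
zone "domain.tld" IN { type master; file "domain.tld.zone"; allow-update { none; }; notify no; };
"""

FORWARDING = """
options {
    directory "/var/named";
    listen-on { 192.168.66.1; };
    forwarders { 8.8.8.8; 8.8.4.4; };
};
"""


def _options_block(conf):
    """Return the text inside 'options { ... }', honouring nested braces."""
    conf = re.sub(r'/\*.*?\*/', '', conf, flags=re.S)   # block comments
    conf = re.sub(r'(//|#).*', '', conf)                  # line comments
    start = re.search(r'\boptions\s*\{', conf)
    if not start:
        return ''
    depth, i = 1, start.end()
    while i < len(conf) and depth:
        depth += {'{': 1, '}': -1}.get(conf[i], 0)
        i += 1
    return conf[start.end():i - 1]


def _address_list(block, name):
    """Parse 'name [port N] { a; b; };' into ['a', 'b'], or None if the statement is absent."""
    m = re.search(r'\b%s\s*(?:port\s+\d+\s*)?\{([^}]*)\}' % name, block)
    if not m:
        return None
    return [t.strip() for t in m.group(1).split(';') if t.strip()]


def audit_options(conf):
    """Classify a named.conf by the recursion-related options it sets."""
    block = _options_block(conf)
    rec = re.search(r'\brecursion\s+(yes|no)\s*;', block)
    report = {
        # values assumed when the statement is absent (BIND 9 defaults)
        'recursion': rec.group(1) if rec else 'yes',
        'listen_on': _address_list(block, 'listen-on') or ['any'],
        'allow_recursion': _address_list(block, 'allow-recursion') or ['localnets', 'localhost'],
        'forwarders': _address_list(block, 'forwarders') or [],
    }
    loopback_only = all(a in ('127.0.0.1', '::1', 'localhost') for a in report['listen_on'])
    if report['recursion'] == 'no':
        report['role'] = 'authoritative-only'
    elif loopback_only:
        report['role'] = 'local caching resolver'
    elif 'any' in report['allow_recursion']:
        report['role'] = 'open resolver'
    else:
        report['role'] = 'recursive resolver for ' + ', '.join(report['allow_recursion'])
    return report


def is_open_resolver(conf):
    """True when recursion is on, offered to any client, on a non-loopback listener."""
    return audit_options(conf)['role'] == 'open resolver'


if __name__ == '__main__':
    for label, conf in [('local caching', LOCAL_CACHING), ('open', OPEN_TO_EVERYONE),
                        ('authoritative', AUTHORITATIVE_ONLY), ('forwarding', FORWARDING)]:
        print(label, '->', audit_options(conf))
```

The forwarding configuration from this page is reported as a recursive resolver restricted to the default localnets and localhost ACL, which is why it is safe to listen on the LAN address; replacing that ACL with any while keeping the LAN listener is what the open resolver case detects.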
Running BIND in a chrooted environment
Running in a chroot environment is not required but improves security. See BIND (chroot) for how to do this.
Configuring BIND to serve DNSSEC signed zones
See DNSSEC#BIND (serving signed DNS zones)
Automatically listen on new interfaces without chroot and root privileges
Add the
interface-interval <rescan-timeout-in-minutes>;
parameter to the options block of named.conf. Then you should modify the rc script:
stat_busy "Starting DNS" - [ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS} + setcap cap_net_bind_service=eip /usr/sbin/named + NAMED_ARGS=`echo ${NAMED_ARGS} | sed 's#-u [[:alnum:]]*##'` + [ -z "$PID" ] && sudo -u named /usr/sbin/named ${NAMED_ARGS}
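Review bot: the added `setcap cap_net_bind_service=eip /usr/sbin/named` line grants the capability to every user who can execute that binary, not only to named, because file capabilities attach to the file; pair it with restricting execute permission on /usr/sbin/named, or note that trade-off next to the line. The added `NAMED_ARGS=... sed 's#-u [[:alnum:]]*##'` only strips user names made of letters and digits, so a named user containing '-' or '_' would leave `-u` behind and the following `sudo -u named /usr/sbin/named ${NAMED_ARGS}` would pass a stray `-u` into named; a pattern such as `-u [^[:space:]]*` would cover those names. Finally, the removed `[ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS}` started named as root so that it could drop to the `-u` user itself, whereas the replacement depends on sudo being installed and on the named user existing, which the script should check before the call.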
So your /etc/rc.d/named should look like this:
stat_busy "Starting DNS"
setcap cap_net_bind_service=eip /usr/sbin/named
NAMED_ARGS=`echo ${NAMED_ARGS} | sed 's#-u [[:alnum:]]*##'`
[ -z "$PID" ] && sudo -u named /usr/sbin/named ${NAMED_ARGS}
Change the user name in the last line (the one with "... sudo -u named ...") if your named user is not 'named'.