特殊:Badtitle/NS100:BIND9ServerHowto:修订间差异

来自Ubuntu中文
跳到导航跳到搜索
Oneleaf留言 | 贡献
New page: {{From|https://help.ubuntu.com/community/BIND9ServerHowto}} {{Languages|php5}} This HOWTO is aimed to at people looking to learn how to configure and maintain a DNS server, such as for a ...
 
Oneleaf留言 | 贡献
无编辑摘要
第16行: 第16行:
<pre><nowiki>
<pre><nowiki>
$ sudo apt-get install bind9
$ sudo apt-get install bind9
</nowiki></code>
</nowiki></pre>


Useful Tools (For Testing)
Useful Tools (For Testing)
第22行: 第22行:
<pre><nowiki>
<pre><nowiki>
$ sudo apt-get install bind9-host dnsutils
$ sudo apt-get install bind9-host dnsutils
</nowiki></code>
</nowiki></pre>


Documentation (Optional)
Documentation (Optional)
第28行: 第28行:
<pre><nowiki>
<pre><nowiki>
$ sudo apt-get install bind9-doc
$ sudo apt-get install bind9-doc
</nowiki></code>
</nowiki></pre>


=== BIND9 Scenarios ===
=== BIND9 Scenarios ===
第83行: 第83行:
www      IN    A      1.2.3.4
www      IN    A      1.2.3.4


</nowiki></code>
</nowiki></pre>


==== Alias Records ====
==== Alias Records ====
第94行: 第94行:
www      IN    A      1.2.3.4
www      IN    A      1.2.3.4


</nowiki></code>
</nowiki></pre>


==== Mail Exchange Records ====
==== Mail Exchange Records ====
第108行: 第108行:
mail    IN    A      1.2.3.4
mail    IN    A      1.2.3.4


</nowiki></code>
</nowiki></pre>


==== Name Server Records ====
==== Name Server Records ====
第124行: 第124行:
ns      IN    A      1.2.3.4
ns      IN    A      1.2.3.4


</nowiki></code>
</nowiki></pre>


=== Configuring BIND9 ===
=== Configuring BIND9 ===
第132行: 第132行:
<pre><nowiki>
<pre><nowiki>
/etc/bind/
/etc/bind/
</nowiki></code>  
</nowiki></pre>  




第141行: 第141行:
/etc/bind/named.conf.options
/etc/bind/named.conf.options
/etc/bind/named.conf.local
/etc/bind/named.conf.local
</nowiki></code>
</nowiki></pre>


==== Caching Server ====
==== Caching Server ====
第163行: 第163行:


         [...]
         [...]
</nowiki></code>
</nowiki></pre>


(where 1.2.3.4 and 5.6.7.8 are the IP numbers of your ISP's DNS servers)
(where 1.2.3.4 and 5.6.7.8 are the IP numbers of your ISP's DNS servers)
第184行: 第184行:
         [...]
         [...]


</nowiki></code>
</nowiki></pre>


Now use an existing zone file as a template
Now use an existing zone file as a template
第190行: 第190行:
<pre><nowiki>
<pre><nowiki>
$ sudo cp /etc/bind/db.local /etc/bind/db.example.com
$ sudo cp /etc/bind/db.local /etc/bind/db.example.com
</nowiki></code>
</nowiki></pre>


Now, to edit our zone
Now, to edit our zone
第211行: 第211行:
@      IN      NS      localhost.
@      IN      NS      localhost.
@      IN      A      127.0.0.1
@      IN      A      127.0.0.1
</nowiki></code>
</nowiki></pre>


Edit <code><nowiki>localhost.</nowiki></code> to the FQDN of your server, with an additional "." at the end.
Edit <code><nowiki>localhost.</nowiki></code> to the FQDN of your server, with an additional "." at the end.
第235行: 第235行:
@      IN      A      127.0.0.1
@      IN      A      127.0.0.1


</nowiki></code>
</nowiki></pre>


Edit <code><nowiki>root.localhost</nowiki></code> to be your email address, but with a "." instead of the "@", and another "." at the end.
Edit <code><nowiki>root.localhost</nowiki></code> to be your email address, but with a "." instead of the "@", and another "." at the end.
第269行: 第269行:
         [...]
         [...]


</nowiki></code>
</nowiki></pre>


On the slave, you have to proceed to the same installation that was done on the master. Then edit the <code><nowiki>/etc/bind/named.conf.local</nowiki></code> and add the following declaration for the zone:
On the slave, you have to proceed to the same installation that was done on the master. Then edit the <code><nowiki>/etc/bind/named.conf.local</nowiki></code> and add the following declaration for the zone:
第285行: 第285行:
         [...]
         [...]


</nowiki></code>
</nowiki></pre>


Restart the server, you should see in <code><nowiki>/var/log/syslog</nowiki></code> something like:
Restart the server, you should see in <code><nowiki>/var/log/syslog</nowiki></code> something like:
第291行: 第291行:
syslog.5.gz:May 14 23:33:53 smith named[5064]: zone example.com/IN: transferred serial 2006051401
syslog.5.gz:May 14 23:33:53 smith named[5064]: zone example.com/IN: transferred serial 2006051401
syslog.5.gz:May 14 23:33:53 smith named[5064]: transfer of 'example.com/IN' from 10.0.0.202#53: end of transfer
syslog.5.gz:May 14 23:33:53 smith named[5064]: transfer of 'example.com/IN' from 10.0.0.202#53: end of transfer
</nowiki></code>
</nowiki></pre>


=== Chrooting BIND9 ===
=== Chrooting BIND9 ===
第308行: 第308行:
$ cd /chroot/named
$ cd /chroot/named
$ sudo mkdir -p dev etc/namedb/slave var/run
$ sudo mkdir -p dev etc/namedb/slave var/run
</nowiki></code>
</nowiki></pre>


Set permissions for chroot environment  
Set permissions for chroot environment  
第317行: 第317行:
$ sudo chown bind:bind /chroot/named
$ sudo chown bind:bind /chroot/named
$ sudo chmod 700 /chroot/named
$ sudo chmod 700 /chroot/named
</nowiki></code>
</nowiki></pre>


Create or move the bind configuration file.
Create or move the bind configuration file.
第323行: 第323行:
<pre><nowiki>
<pre><nowiki>
$ sudo touch /chroot/named/etc/named.conf
$ sudo touch /chroot/named/etc/named.conf
</nowiki></code>
</nowiki></pre>


or
or
第329行: 第329行:
<pre><nowiki>
<pre><nowiki>
$ sudo cp /etc/named.conf /chroot/named/etc
$ sudo cp /etc/named.conf /chroot/named/etc
</nowiki></code>
</nowiki></pre>


Give write permissions to the user bind for /chroot/named/etc/namedb/slave directory.
Give write permissions to the user bind for /chroot/named/etc/namedb/slave directory.
<pre><nowiki>
<pre><nowiki>
$ sudo chown bind:bind /chroot/named/etc/namedb/slave
$ sudo chown bind:bind /chroot/named/etc/namedb/slave
</nowiki></code>
</nowiki></pre>


This is where the files for all slave zones will be kept.  This increases security, by stopping the ability of an attacker to edit any of your master zone files if they do gain access as the bind user.  Accordingly, all slave file names in the /chroot/named/etc/named.conf file will need to have directory names that designate the slave directory.  An example zone definition is listed below.
This is where the files for all slave zones will be kept.  This increases security, by stopping the ability of an attacker to edit any of your master zone files if they do gain access as the bind user.  Accordingly, all slave file names in the /chroot/named/etc/named.conf file will need to have directory names that designate the slave directory.  An example zone definition is listed below.
第346行: 第346行:
};
};
};
};
</nowiki></code>
</nowiki></pre>


Create the devices BIND9 requires
Create the devices BIND9 requires
第353行: 第353行:
$ sudo mknod /chroot/named/dev/null c 1 3
$ sudo mknod /chroot/named/dev/null c 1 3
$ sudo mknod /chroot/named/dev/random c 1 8
$ sudo mknod /chroot/named/dev/random c 1 8
</nowiki></code>
</nowiki></pre>


Give the user bind access to the /chroot/named/var/run directory that will be used to strore PID and statistical data.
Give the user bind access to the /chroot/named/var/run directory that will be used to strore PID and statistical data.
第359行: 第359行:
<pre><nowiki>
<pre><nowiki>
$ sudo chown bind:bind /chroot/named/var/run
$ sudo chown bind:bind /chroot/named/var/run
</nowiki></code>
</nowiki></pre>


==== BIND9's Configuration ====
==== BIND9's Configuration ====
第369行: 第369行:


OPTIONS=”-u bind”
OPTIONS=”-u bind”
</nowiki></code>
</nowiki></pre>


So that it reads
So that it reads
第378行: 第378行:


OPTIONS="-u bind -t /var/named -t /chroot/named -c /etc/named.conf"
OPTIONS="-u bind -t /var/named -t /chroot/named -c /etc/named.conf"
</nowiki></code>
</nowiki></pre>


The -t option changes the root directory from which bind operates to be /chroot/named.  The -c option tells Bind that the configuration file is located at /etc/named.conf.  Remember that this path is relative to the root set by -t.
The -t option changes the root directory from which bind operates to be /chroot/named.  The -c option tells Bind that the configuration file is located at /etc/named.conf.  Remember that this path is relative to the root set by -t.
第393行: 第393行:
     statistics-file "/var/run/named.stats";
     statistics-file "/var/run/named.stats";
};
};
</nowiki></code>
</nowiki></pre>


==== Ubuntu's syslod Daemon Configuration ====
==== Ubuntu's syslod Daemon Configuration ====
第406行: 第406行:


         [...]
         [...]
</nowiki></code>
</nowiki></pre>


(Author Note: Check this config)
(Author Note: Check this config)
第416行: 第416行:
$ sudo /etc/init.d/sysklogd restart
$ sudo /etc/init.d/sysklogd restart
$ sudo /etc/init.d/bind9 restart
$ sudo /etc/init.d/bind9 restart
</nowiki></code>
</nowiki></pre>


At this point you should check /var/log/messages for any errors that may have been thrown by bind.
At this point you should check /var/log/messages for any errors that may have been thrown by bind.
第426行: 第426行:
<pre><nowiki>
<pre><nowiki>
$ sudo /etc/init.d/bind9 start
$ sudo /etc/init.d/bind9 start
</nowiki></code>
</nowiki></pre>


To stop it, use :
To stop it, use :
第432行: 第432行:
<pre><nowiki>
<pre><nowiki>
$ sudo /etc/init.d/bind9 stop
$ sudo /etc/init.d/bind9 stop
</nowiki></code>
</nowiki></pre>


Finally, to restart it, run
Finally, to restart it, run
第438行: 第438行:
<pre><nowiki>
<pre><nowiki>
$ sudo /etc/init.d/bind9 restart
$ sudo /etc/init.d/bind9 restart
</nowiki></code>
</nowiki></pre>


==== Status ====
==== Status ====
第446行: 第446行:
<pre><nowiki>
<pre><nowiki>
$ host $record localhost
$ host $record localhost
</nowiki></code>
</nowiki></pre>


or
or
第452行: 第452行:
<pre><nowiki>
<pre><nowiki>
$ dig $record @localhost
$ dig $record @localhost
</nowiki></code>
</nowiki></pre>


(where localhost is the system you are setting BIND9 up on. If not localhost, use the appropriate IP number.)
(where localhost is the system you are setting BIND9 up on. If not localhost, use the appropriate IP number.)

2007年5月13日 (日) 12:35的版本

{{#ifexist: :BIND9ServerHowto/zh | | {{#ifexist: BIND9ServerHowto/zh | | {{#ifeq: {{#titleparts:BIND9ServerHowto|1|-1|}} | zh | | }} }} }} {{#ifeq: {{#titleparts:BIND9ServerHowto|1|-1|}} | zh | | }}


This HOWTO is aimed to at people looking to learn how to configure and maintain a DNS server, such as for a network or to serve DNS zones for a domain name.

Repositories

BIND9 is available in the core Ubuntu repository. No additional repository needs to be enabled for BIND9.

Before we begin, you should be familiar with RootSudo.

Installing BIND9

The Server

$ sudo apt-get install bind9

Useful Tools (For Testing)

$ sudo apt-get install bind9-host dnsutils

Documentation (Optional)

$ sudo apt-get install bind9-doc

BIND9 Scenarios

There are many setups BIND9 may be configured.


The most useful setups are:

Caching Server

This can be useful for a broadband connection to a host or small network. By caching DNS queries, you reduce the bandwidth used and (hopefully) reducing your bandwidth used (and hopefully even your broadband bill!).

Master Server

BIND9 can be used to serve DNS records (groups of records are referred to as zones) for a registered domain name or an imaginary one (but only if used on a restricted network)


Slave Server

A slave DNS server is used to complement a Master DNS server by serving a copy of the zone(s) configured on the Master server. Slave servers are recommended in larger setups (larger networks or on the internet) if you intend to power a registered domain name, since they ensure that your DNS zone is still available, even if your Master server is not online.

Hybrids

You can even configure BIND9 to be a Caching and Master DNS server simultaneously, a Caching and a Slave server or even a Caching, Master and Slave server. All that is required is simply combining the differnet configuration examples from this document.


Stealth Servers

There are also two other common DNS server setups (used when working with zones for registered domain names), Stealth Master and Stealth Slave. These are effectively the same as Master and Slave DNS servers, but with a slight organisational difference.


For example, you have 3 DNS servers; A, B and C.


A is the Master, B and C are slaves.


If you configure your registered domain to use A and B as your domain's DNS servers, then C is a Stealth Slave. It's still a slave, but it's not going to be asked about the zone you are serving to the internet from A and B


If you configure your registerd domain to use B and C as your domain's DNS servers, then A is a stealth master. Any additional records or edits to the zone are done on A, but computers on the internet will only ever ask B and C about the zone.

DNS Record Types

There are lots of different DNS record types, but for a someone reading this document, you need only deal with these record types

Address Records

The most commonly used type of record.


www      IN    A      1.2.3.4

Alias Records

Used to create an alias from an existing A record. You cannot create a CNAME record pointing to another CNAME record.


mail     IN    CNAME  www
www      IN    A      1.2.3.4

Mail Exchange Records

Used to define where email should be sent to. Must point to an A record, not a CNAME.

 
        IN    MX      mail.example.com.

        [...]

mail    IN    A       1.2.3.4

Name Server Records

Used to define which servers serve copies of this zone. It must point to an A record, not a CNAME.


This is where Master and Slave servers are definied. Stealth servers are intentionally omitted.

        IN    NS     ns.example.com.

        [...]

ns      IN    A      1.2.3.4

Configuring BIND9

BIND9 Configuration files are stored in

/etc/bind/


The main configuration is stored in the following files

/etc/bind/named.conf
/etc/bind/named.conf.options
/etc/bind/named.conf.local

Caching Server

The default configuration is setup to act as a caching server by default.

All that is required is simply adding the IP numbers of your ISP's DNS servers.

Simply uncomment and edit the following:

named.conf.options:


        [...]

        forwarders {
             1.2.3.4;
             5.6.7.8;
        };

        [...]

(where 1.2.3.4 and 5.6.7.8 are the IP numbers of your ISP's DNS servers)

Master Server

To add a DNS zone to BIND9, turning BIND9 into a Master server, all you simply have to do is:

named.conf.local:


        [...]

        zone "example.com" {
             type master;
             file "/etc/bind/db.example.com";
        };

        [...]

Now use an existing zone file as a template

$ sudo cp /etc/bind/db.local /etc/bind/db.example.com

Now, to edit our zone

db.example.com:


;
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      localhost.
@       IN      A       127.0.0.1

Edit localhost. to the FQDN of your server, with an additional "." at the end.

Eg:

db.example.com:


;
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     box.example.com. root.localhost. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      localhost.
@       IN      A       127.0.0.1

Edit root.localhost to be your email address, but with a "." instead of the "@", and another "." at the end.

Eg:

[email protected] should be added as johndoe.example.com.


Increment the Serial number (you must increment the serial number for every time you make any changes to the zone file and reload the zone by restarting BIND9. If you make multiple changes before restarting BIND9, simply increment the serial once.

Tip: Many people like to use the last date edited as the serial of a zone, such as 2005010100 which is yyyymmddss (where s is serial)


Now, you can add DNS records to the bottom of the zone. Do remember to increment the serial as you add entries though.

Slave Server

First, on the master server, you have to allow the zone transfer. The sample zone definition in /etc/bind/named.conf.local should like this:


        [...]

        zone "example.com" {
             type master;
             file "/etc/bind/db.example.com";
             allow-transfer {
                 @ip_slave;
             };
        };

        [...]

On the slave, you have to proceed to the same installation that was done on the master. Then edit the /etc/bind/named.conf.local and add the following declaration for the zone:


        [...]

        zone "example.com" {
             type slave;
             file "/etc/bind/db.example.com";
             masters { @ip_master; };
        };        

        [...]

Restart the server, you should see in /var/log/syslog something like:

syslog.5.gz:May 14 23:33:53 smith named[5064]: zone example.com/IN: transferred serial 2006051401
syslog.5.gz:May 14 23:33:53 smith named[5064]: transfer of 'example.com/IN' from 10.0.0.202#53: end of transfer

Chrooting BIND9

Chrooting BIND9 is a recommended setup from a security perspective. In a chroot enviroment, BIND9 has access to all the files and hardware devices it needs, but is unable to access anything it should not need.


To chroot BIND9, simply create a chroot enviroment for it and add the additional configuration below

The Chroot Enviroment

Create the following directory structure

$ sudo mkdir -p /chroot/named
$ cd /chroot/named
$ sudo mkdir -p dev etc/namedb/slave var/run

Set permissions for chroot environment

$ sudo chown root:root /chroot
$ sudo chmod 700 /chroot
$ sudo chown bind:bind /chroot/named
$ sudo chmod 700 /chroot/named

Create or move the bind configuration file.

$ sudo touch /chroot/named/etc/named.conf

or

$ sudo cp /etc/named.conf /chroot/named/etc

Give write permissions to the user bind for /chroot/named/etc/namedb/slave directory.

$ sudo chown bind:bind /chroot/named/etc/namedb/slave

This is where the files for all slave zones will be kept. This increases security, by stopping the ability of an attacker to edit any of your master zone files if they do gain access as the bind user. Accordingly, all slave file names in the /chroot/named/etc/named.conf file will need to have directory names that designate the slave directory. An example zone definition is listed below.

zone “my.zone.com.” {
	type slave;
	file “slaves/my.zone.com.dns”;
	masters {
		10.1.1.10;
	};
};

Create the devices BIND9 requires

$ sudo mknod /chroot/named/dev/null c 1 3
$ sudo mknod /chroot/named/dev/random c 1 8

Give the user bind access to the /chroot/named/var/run directory that will be used to strore PID and statistical data.

$ sudo chown bind:bind /chroot/named/var/run

BIND9's Configuration

Edit the bind startup options found in /etc/default/bind9. Change the line the reads:

/etc/default/bind9:

OPTIONS=”-u bind”

So that it reads

/etc/default/bind9:


OPTIONS="-u bind -t /var/named -t /chroot/named -c /etc/named.conf"

The -t option changes the root directory from which bind operates to be /chroot/named. The -c option tells Bind that the configuration file is located at /etc/named.conf. Remember that this path is relative to the root set by -t.


The named.conf file must also recieve extra options in order to run correctly below is a minimal set of options:

/chroot/named/etc/named.conf:

options {
    directory "/etc/namedb";
    pid-file "/var/run/named.pid";
    statistics-file "/var/run/named.stats";
};

Ubuntu's syslod Daemon Configuration

/etc/init.d/sysklogd:


        [...]

SYSLOGD="-u syslog -a /chroot/named/dev/log"

        [...]

(Author Note: Check this config)


Restart the syslog server and BIND9

$ sudo /etc/init.d/sysklogd restart
$ sudo /etc/init.d/bind9 restart

At this point you should check /var/log/messages for any errors that may have been thrown by bind.

Starting, Stopping, and Restarting BIND9

Use the following command to start BIND9 :

$ sudo /etc/init.d/bind9 start

To stop it, use :

$ sudo /etc/init.d/bind9 stop

Finally, to restart it, run

$ sudo /etc/init.d/bind9 restart

Status

To check the status of your BIND9 installation:

$ host $record localhost

or

$ dig $record @localhost

(where localhost is the system you are setting BIND9 up on. If not localhost, use the appropriate IP number.)

Tips & Tricks

Additional Possibilities

You can monitor your BIND9 server usage by installing the bindgraph package from the Universe (To enable Universe - see AddingRepositoriesHowto) and following configuration details as outlined in bindgraph's README documents

Further Information

Online Recources

"ISC's BIND9 Manual"

TLDP's "DNS HOWTO" (For General Overview)

"Chroot BIND Howto"

Printed Resources

"DNS & BIND" - Paul Albitz & Cricket Liu - 4th Edition - "O'Reilly Press" (Amazon.com)

"DNS & BIND Cookbook" - Cricket Liu - 4th Edition - "O'Reilly Press" (Amazon.com)


CategoryDocumentation