Centos

Centos配置DNS服务

Posted by FanHao on 2026-06-04

环境

系统:Centos7发行版本
安装:

1
[root@localhost /]# yum install bind

配置

编辑主配置文件
1
[root@localhost /]# vi  /etc/named.conf

配置文件的内容如下;
修改listen-on所有接口,关闭allow-query允许的查询地址
添加obctest.com域名

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html


options {
    #listen-on port 53 {0.0.0.0;};  
    #listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { any; }; # 监听所有端口和地址,包括ipv4
    directory     "/var/named";   # 域数据文件默认存放位置
    dump-file     "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";  # 缓存数据库文件
    memstatistics-file "/var/named/data/named_mem_stats.txt"; # 状态统计文件
    recursing-file  "/var/named/data/named.recursing";
    secroots-file   "/var/named/data/named.secroots";
    allow-query     { any; };   # 允许使用本DNS服务的网段地址,any代表所有


    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;


    dnssec-enable yes;
    dnssec-validation yes;


    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.root.key";


    managed-keys-directory "/var/named/dynamic";


    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};


logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};


zone "." IN {
    type hint;
    file "named.ca";
};

# 添加域名;正向解析;创建文件/var/named/obctest.com
# obctest.com
zone "obctest.com" IN {
    type master;  # 主要区域
    file "obctest.com";# 数据文件
    # allow-transfer { 172.16.20.21; }; # 允许转发的从服务器,可不设置
};

# 添加反向解析,# 反向区域
zone "20.20.16.172.in-addr.arpa" in {
        type master;
        file "172.16.20.20.arpa";  # 区域数据文件
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
添加域数据文件

在指定存放的域数据文件夹创建对应的文本内容;并复制已存在的模版

1
2
[root@localhost /]# vi /var/named/obctest.com
:r /var/named/named.localhost

修改内容如下:增加IPv4及IPv6地址。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
$TTL  1D  # 解析记录生存周期
@        IN      SOA   @ obctest.com.   (
                0               ;Update Flags
                1H              ;更新周期
                15M             ;重试更新周期
                1W              ;有效时间
                1D              ;TTL
)

        IN    NS  ns1.obctest.com.    
ns1     IN   A     172.16.20.20
@       IN   A     172.16.20.20
@       IN  AAAA   2001:db8:1234::1
www     IN  AAAA   2001:db8:1234::1

添加反向解析文件,内容如下

1
2
3
4
5
6
7
8
9
10
11
12
13
[root@localhost /]# vi /var/named/172.16.20.20.arpa
$TTL  1D  # 解析记录生存周期
@        IN      SOA   @  obctest.com.    (
                0               ;Update Flags
                1H              ;更新周期
                15M             ;重试更新周期
                1W              ;有效时间
                1D              ;TTL
)
@       IN        NS         ns1.obctest.com
1       IN        PTR        ns1.obctest.com
2       IN        PTR        www.obctest.com
3       IN        PTR        1jz.obctest.com
启动服务
1
2
[root@localhost /]# systemctl start named
[root@localhost /]# systemctl enable named
代理转发

在本地域中未设置的DNS,可以设置将其转发;编辑/etc/named.conf,如下位置新增灰色字体内容
本机不能解析的转发给202.96.209.5做解析

1
2
3
4
5
6
7
8
9
10
11
#first:首先转发;转发器不响应时,自行去迭代查询;only:只转发;
    recursion yes
    forward first;           
    forwarders  {
        202.96.209.5;
        210.22.84.3;
        202.96.209.133;
        223.5.5.5;
        #8.8.8.8;
     };
     dnssec-enable yes;
验证DNS是否配置成功

1.centos在172.16.20.20网卡上启用DHCP服务,dns设置为172.16.20.20
2.PC连接centos获取IP及DNS
3.PC在cmd中执行nslookup解析域名

1
nslookup  obctest.com

结果如下,代表dns服务配置成功,域名IP绑定记录添加成功

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
nslookup obctest.com 172.16.20.20
20.20.16.172.in-addr.arpa
        primary name server = 20.20.16.172.in-addr.arpa
        responsible mail addr = obctest.com
        serial  = 1
        refresh = 86400 (1 day)
        retry   = 3600 (1 hour)
        expire  = 604800 (7 days)
        default TTL = 10800 (3 hours)
服务器:  UnKnown
Address:  172.16.20.20

名称:    obctest.com
Addresses:  2001:db8:1234::1
            172.16.20.20
FEATURED TAGS
Centos
FRIENDS