參考網頁(含 IPv6 設定):http://tanet.center.kl.edu.tw/e107_plugins/content/content.php?content.16

 

安裝方法:

# cd /usr/ports/dns/bind98
# make install clean
.........................


      If there are vulnerabilities in these programs there may be a security
      risk to the system. FreeBSD makes no guarantee about the security of
      ports included in the Ports Collection. Please type 'make deinstall'
      to deinstall the port if this is a concern.

      For more information, and contact details about the security
      status of this software, see the following webpage:
https://www.isc.org/software/bind
===>  Cleaning for libxml2-2.8.0_2
===>  Cleaning for gmake-3.82_1
===>  Cleaning for pkgconf-0.9.2_1
===>  Cleaning for libiconv-1.14_1
===>  Cleaning for gettext-0.18.1.1_1
===>  Cleaning for libtool-2.4.2
===>  Cleaning for bind98-9.8.5

# rehash   //重新整理 csh/tcsh 的指令路徑快取,才找得到剛安裝的 command(只有 csh/tcsh 需要這一步)。

 

檢查版本:

# /usr/local/sbin/named -v
BIND 9.8.5

檔案位置:

# ls -l /usr/local/sbin/named*
-r-xr-xr-x  2 root  wheel  2389808 Jun  3 06:08 /usr/local/sbin/named
-r-xr-xr-x  1 root  wheel  1840752 Jun  3 06:08 /usr/local/sbin/named-checkconf
-r-xr-xr-x  1 root  wheel  1760096 Jun  3 06:08 /usr/local/sbin/named-checkzone
lrwxr-xr-x  1 root  wheel       15 Jun  3 06:08 /usr/local/sbin/named-compilezone -> named-checkzone
-r-xr-xr-x  1 root  wheel  1747104 Jun  3 06:08 /usr/local/sbin/named-journalprint

 

建立rndc.key:如果沒有需要remote control DNS,這個不用裝。

# cd /etc/namedb/
# /usr/sbin/rndc-confgen -a
wrote key file "/etc/namedb/rndc.key"
# cp rndc.key /etc/namedb/working/rndc.key
#/usr/local/sbin/rndc-confgen > /etc/namedb/rndc.conf

rndc-confgen 每次執行都會產生一組新的 secret,所以要把 rndc.key 裡的 secret 貼到 rndc.conf,兩邊一致 rndc 才連得上。本文貼出的 secret 只是範例,實際請用自己機器上產生的那一組,不要沿用。

#cat rndc.key

key "rndc-key" {
        algorithm hmac-md5;
        secret "lJAgsiJPgwcUnNmkxbSfJw==";
};


#vi rndc.conf

# Start of rndc.conf
key "rndc-key" {
        algorithm hmac-md5;
        secret "lJAgsiJPgwcUnNmkxbSfJw==";
};


修改開機設定:

# vi /etc/rc.conf

# -- DNS Settings -- #
named_enable="Yes"
named_flags="-c /etc/namedb/named.conf"
named_program="/usr/local/sbin/named"

 

設定named.conf:(若要用 rndc 遠端管理,要把 rndc.key 裡的 key 區塊貼進 named.conf;下面的範例省略了這一段。)

#cd /etc/namedb/
#vi named.conf

options {
        directory       "/etc/namedb/working";      //工作目錄,zone 的 file 寫相對路徑時都是從這裡找,所以 db 檔全部放在這個目錄下,不然 named 會讀不到檔案。
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";
        version         "None of your business";       //不顯示自己使用的bind版本。
        listen-on       { 127.0.0.1; 1.2.3.4; };
        hostname        "ns1.test.com";
        query-source address * port 53;   //這三行可加可不加,沒有也可以用。不過 query-source 把來源 port 固定成 53 會關掉 BIND 的來源埠隨機化,對 cache poisoning 的抵抗力會變差,建議不要加這行。
        empty-zones-enable no;     //加了這行就沒有empty-zones的warning訊息了。這其實是bind的bug。設成 no 以後,RFC 1918 這類私網位址的反查不會在本機直接回 NXDOMAIN,而是轉去問上游。

        allow-query { any; };                                       //一定要寫 any,外面的 resolver 才查得到這台的正解/反解(包含 mx);只要 allow-recursion 有限制,權威 zone 開放查詢是正常做法。

        allow-recursion { 127.0.0.1; 168.95.1.1; 168.95.192.1;   
                        1.2.3.4; 192.168.0.0/24; };  
        //recursion的限制一定要寫,不然就變成 open resolver,會被拿去做反射放大攻擊而爆大流量!上面列的 168.95.1.1 和 168.95.192.1 是下面 forwarders 的上游,它們不需要透過這台遞迴查詢,其實可以不用放進 allow-recursion。

        forwarders {                   //上層的Name Server,據說google的Name Server也很好用。這裡是用hinet的。
                168.95.1.1;
                168.95.192.1;
        };
};


// RFC 3152
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA"
{
        type master;
        file "localhost-v6.rev";
};

// RFC 1886 -- deprecated
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" {
        type master;
        file "localhost-v6.rev";
};

zone "." {
        type hint;
        file "named.root";
};

zone "test.com" {
        type master;
        file "db.test.com";
};

zone "3.2.1.in-addr.arpa" {
        type master;
        file "db.1.2.3";
};
存檔退出。(這份設定沒有寫 allow-transfer,BIND 預設允許任何人對 master zone 做 zone transfer;如果沒有次要 DNS 要拉 zone,建議加上 allow-transfer { none; };,或只列出 ns2 的位址。)

檢查語法:如果named.conf有寫錯,這個檢查會顯示。注意下面用的是 /usr/sbin/named-checkconf(base system 的版本),port 裝的 9.8.5 對應的是 /usr/local/sbin/named-checkconf,用和 named 同版本的來檢查比較準。

#/usr/sbin/named-checkconf

 

新增db檔:

#cd working
#vi db.test.com   <<<這是正解檔。

$TTL    259200
@       IN      SOA     ns1.test.com. postmaster.test.com. (
                        2012102536      ;Serial
                        10800           ;Refresh
                        900             ;Retry
                        1209600         ;Expire
                        3600 )          ;Minimum

; Name Server
                in ns           ns2.test.com.
                in a            1.2.3.5
                in ns           ns1.test.com.
                in a            1.2.3.4
; Mail Exchange
@               in mx   10      ns1.test.com.
               in mx   20      ns2.test.com.

; Server Address
ns1             in a    1.2.3.4
mail            in a    1.2.3.4
ns2             in a    1.2.3.5
www           in a    1.2.3.5

#vi db.1.2.3   <<<這是反解檔。除了在這兒建立反解檔之外,也要記得去 ISP 那邊設定反解(請 ISP 設定 PTR,或把 3.2.1.in-addr.arpa 委派給自己的 name server),否則外面查不到,有些檢查會不過。另外下面同一個 IP 各寫了兩筆 PTR,有些反查檢查只預期一筆,可以考慮每個 IP 只留一個主要名稱。

$TTL    259200
@       IN      SOA     ns1.test.com. postmaster.test.com. (
                        2012060301      ;Serial
                        10800           ;Refresh
                        900             ;Retry
                        1209600         ;Expire
                        3600 )          ;Minimum

; Name Server
        in ns   ns1.test.com.
        in ns   ns2.test.com.

; PTR
4     in ptr  ns1.test.com.
5     in ptr  www.test.com.
4     in ptr  mail.test.com.
5     in ptr  ns2.test.com.

#vi localhost-v6.rev
$TTL    3600

@       IN      SOA     ns1.test.com. root.ns1.test.com.  (
                                2012060301  ; Serial
                                3600    ; Refresh
                                900     ; Retry
                                3600000 ; Expire
                                3600 )  ; Minimum
        IN      NS      ns1.test.com.
        IN      PTR     localhost.test.com.

#cp /etc/namedb/named.root /etc/namedb/working/named.root

所以工作目錄下至少有這些檔案:

# ls
PROTO.localhost-v6.rev  db.test.com       rndc.key
PROTO.localhost.rev     localhost-v6.rev
db.1.2.3           named.root
//沒有PROTO那二個檔也可以運作唷。

 

記得修改解析設定檔 /etc/resolv.conf(把 nameserver 127.0.0.1 前面的註解拿掉):

# vi /etc/resolv.conf

nameserver 127.0.0.1        //把前面的#拿掉,可以用自己的bind查詢。
nameserver 168.95.192.1
nameserver 168.95.1.1
domain test.com

 

手動啟動:

#/etc/rc.d/named start (或是stop, restart, reload等等)
Starting named.

檢查bind啟動狀態:

# tail /var/log/messages

Jun  5 14:52:23 mail named[5638]: starting BIND 9.8.5 -c /etc/namedb/named.conf -t /var/named -u bind
Jun  5 14:52:23 mail named[5638]: built with '--localstatedir=/var' '--disable-linux-caps' '--disable-symtable' '--with-randomdev=/dev/random' '--with-openssl=/usr' '--with-libxml2=/usr/local' '--without-idn' '--enable-ipv6' '--enable-threads' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=i386-portbld-freebsd8.3' 'build_alias=i386-portbld-freebsd8.3' 'CC=cc' 'CFLAGS=-O2 -pipe -fno-strict-aliasing' 'LDFLAGS= -Wl,-rpath=/usr/lib:/usr/local/lib' 'CPPFLAGS=' 'CPP=cpp'
Jun  5 14:52:23 mail named[5638]: ----------------------------------------------------
Jun  5 14:52:23 mail named[5638]: BIND 9 is maintained by Internet Systems Consortium,
Jun  5 14:52:23 mail named[5638]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Jun  5 14:52:23 mail named[5638]: corporation.  Support and training for BIND 9 are
Jun  5 14:52:23 mail named[5638]: available at https://www.isc.org/support
Jun  5 14:52:23 mail named[5638]: ----------------------------------------------------
Jun  5 14:52:23 mail named[5638]: command channel listening on 127.0.0.1#953
Jun  5 14:52:23 mail named[5638]: command channel listening on ::1#953
Jun  5 14:52:23 mail named[5638]: running
↑正常的樣子。

 

查詢自己的DNS:

# host test.com
test.com has address 1.2.3.4
test.com has address 1.2.3.5
test.com mail is handled by 10 mail.test.com.

↑三條都要有才是對的喔。(MX 那行顯示的主機名稱要跟 db.test.com 裡 mx 記錄寫的一樣;上面 zone 檔寫的是 ns1.test.com.,這裡卻是 mail.test.com.,其中一邊大概是改過沒同步。)

 

或是借用其他機器來查:http://network-tools.com/nslook/Default.asp

使用#top指令,查詢哪個程式佔用最多資源。

 

其他:錯誤訊息:

Named啟動錯誤:

mail# tail /var/log/messages
Jun  5 13:46:22 mail named[5150]: could not listen on UDP socket: address in use
Jun  5 13:46:22 mail named[5150]: creating IPv4 interface xl0 failed; interface ignored
Jun  5 13:46:22 mail named[5150]: could not listen on UDP socket: address in use
Jun  5 13:46:22 mail named[5150]: creating IPv4 interface em0 failed; interface ignored
Jun  5 13:46:22 mail named[5150]: could not listen on UDP socket: address in use
Jun  5 13:46:22 mail named[5150]: creating IPv4 interface lo0 failed; interface ignored
Jun  5 13:46:22 mail named[5150]: running
Jun  5 13:46:54 mail named[3611]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones

更新 /etc/namedb/named.conf 之後已正常(address in use 表示 53 port 已被別的程序佔住,例如 base system 的 named 還在跑,可以先用 sockstat -l 確認);因為沒有用到遠端遙控,所以不需要使用rndc。

        empty-zones-enable no;     //加了這行就沒有warning了。
