Reference page (includes IPv6): http://tanet.center.kl.edu.tw/e107_plugins/content/content.php?content.16
Installation:
# cd /usr/ports/dns/bind98
# make install clean
.........................
If there are vulnerabilities in these programs there may be a security
risk to the system. FreeBSD makes no guarantee about the security of
ports included in the Ports Collection. Please type 'make deinstall'
to deinstall the port if this is a concern.
For more information, and contact details about the security
status of this software, see the following webpage:
https://www.isc.org/software/bind
===> Cleaning for libxml2-2.8.0_2
===> Cleaning for gmake-3.82_1
===> Cleaning for pkgconf-0.9.2_1
===> Cleaning for libiconv-1.14_1
===> Cleaning for gettext-0.18.1.1_1
===> Cleaning for libtool-2.4.2
===> Cleaning for bind98-9.8.5
# rehash // rebuild the shell's command hash so the newly installed commands are found.
Check the version:
# /usr/local/sbin/named -v
BIND 9.8.5
File locations:
# ls -l /usr/local/sbin/named*
-r-xr-xr-x 2 root wheel 2389808 Jun 3 06:08 /usr/local/sbin/named
-r-xr-xr-x 1 root wheel 1840752 Jun 3 06:08 /usr/local/sbin/named-checkconf
-r-xr-xr-x 1 root wheel 1760096 Jun 3 06:08 /usr/local/sbin/named-checkzone
lrwxr-xr-x 1 root wheel 15 Jun 3 06:08 /usr/local/sbin/named-compilezone -> named-checkzone
-r-xr-xr-x 1 root wheel 1747104 Jun 3 06:08 /usr/local/sbin/named-journalprint
Create rndc.key: if you do not need to control the DNS server remotely, this step can be skipped.
# cd /etc/namedb/
# /usr/sbin/rndc-confgen -a
wrote key file "/etc/namedb/rndc.key"
# cp rndc.key /etc/namedb/working/rndc.key
# /usr/local/sbin/rndc-confgen > /etc/namedb/rndc.conf
Copy the secret from rndc.key into rndc.conf:
# cat rndc.key
key "rndc-key" {
algorithm hmac-md5;
secret "lJAgsiJPgwcUnNmkxbSfJw==";
};
# vi rndc.conf
# Start of rndc.conf
key "rndc-key" {
algorithm hmac-md5;
secret "lJAgsiJPgwcUnNmkxbSfJw==";
};
Edit the boot settings:
# vi /etc/rc.conf
# -- DNS Settings -- #
named_enable="Yes"
named_flags="-c /etc/namedb/named.conf"
named_program="/usr/local/sbin/named"
Configure named.conf (copy the contents of rndc.key into named.conf):
# cd /etc/namedb/
# vi named.conf
options {
directory "/etc/namedb/working"; // working directory: every db file must be placed here, otherwise named fails to read them.
pid-file "/var/run/named/pid";
dump-file "/var/dump/named_dump.db";
statistics-file "/var/stats/named.stats";
version "None of your business"; // do not reveal the BIND version in use.
listen-on { 127.0.0.1; 1.2.3.4; };
hostname "ns1.test.com";
query-source address * port 53; // these three lines seem optional; it also works without them.
empty-zones-enable no; // with this line the empty-zones warning no longer appears. This is actually a BIND bug.
allow-query { any; }; // must be any, otherwise MX lookups fail.
allow-recursion { 127.0.0.1; 168.95.1.1; 168.95.192.1;
1.2.3.4; 192.168.0.0/24; };
// the recursion restriction must be written, otherwise it generates huge traffic!
forwarders { // upstream name servers; Google's are reportedly good too. HiNet's are used here.
168.95.1.1;
168.95.192.1;
};
};
// RFC 3152
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA"
{
type master;
file "localhost-v6.rev";
};
// RFC 1886 -- deprecated
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" {
type master;
file "localhost-v6.rev";
};
zone "." {
type hint;
file "named.root";
};
zone "test.com" {
type master;
file "db.test.com";
};
zone "3.2.1.in-addr.arpa" {
type master;
file "db.1.2.3";
};
Save and exit.
Check the syntax: if named.conf contains an error, this check reports it.
# /usr/sbin/named-checkconf
Add the db files:
# cd working
# vi db.test.com <<< this is the forward zone file.
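named-checkconf only validates syntax. The following is an added check, not part of the original post, that audits the options block for the two settings the post stresses: an explicitly restricted allow-recursion (no open resolver) and a hidden version string. The two sample blocks are constructed for the example and the helper names are mine.

```python
import re

# Constructed samples: the options block roughly as written above, and a variant with recursion open to everyone.
SAFE_OPTIONS = """
options {
    version "None of your business";
    allow-query { any; };
    allow-recursion { 127.0.0.1; 168.95.1.1; 168.95.192.1;
        1.2.3.4; 192.168.0.0/24; };   // restricted, as the post insists
    forwarders { 168.95.1.1; 168.95.192.1; };
};
"""
OPEN_OPTIONS = """
options {
    allow-query { any; };
    allow-recursion { any; };  // open resolver
};
"""

def _strip_comments(text):
    # named.conf accepts /* */, // and # comments; drop them before matching
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def _acl(text, name):
    # Return the address list of an ACL-style statement, or None if absent
    m = re.search(r"\b%s\s*\{([^}]*)\}" % re.escape(name), text)
    if m is None:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]

def audit_options(conf):
    """Return findings (strings) for the options block of a named.conf."""
    conf = _strip_comments(conf)
    findings = []
    rec = _acl(conf, "allow-recursion")
    if rec is None:
        findings.append("allow-recursion not declared: set it explicitly")
    elif any(e.lower() == "any" for e in rec):
        findings.append("allow-recursion { any; }: open resolver, "
                        "answers recursive queries for the whole Internet")
    if not re.search(r'\bversion\s+"', conf):
        findings.append("version not set: real BIND version is disclosed")
    return findings

if __name__ == "__main__":
    for name, conf in (("safe", SAFE_OPTIONS), ("open", OPEN_OPTIONS)):
        print(name, audit_options(conf) or ["no findings"])
```

To audit a real file, pass the text of /etc/namedb/named.conf to audit_options(); the ACL matching is whole-statement, so a multi-line allow-recursion list as in the post is handled.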
$TTL 259200
@ IN SOA ns1.test.com. postmaster.test.com. (
2012102536 ;Serial
10800 ;Refresh
900 ;Retry
1209600 ;Expire
3600 ) ;Minimum
; Name Server
in ns ns2.test.com.
in a 1.2.3.5
in ns ns1.test.com.
in a 1.2.3.4
; Mail Exchange
@ in mx 10 ns1.test.com.
in mx 20 ns2.test.com.
; Server Address
ns1 in a 1.2.3.4
mail in a 1.2.3.4
ns2 in a 1.2.3.5
www in a 1.2.3.5
# vi db.1.2.3 <<< this is the reverse zone file. Besides adding it here, remember to have the reverse mapping set up on your ISP's name server as well, otherwise some checks fail.
$TTL 259200
@ IN SOA ns1.test.com. postmaster.test.com. (
2012060301 ;Serial
10800 ;Refresh
900 ;Retry
1209600 ;Expire
3600 ) ;Minimum
; Name Server
in ns ns1.test.com.
in ns ns2.test.com.
; PTR
4 in ptr ns1.test.com.
5 in ptr www.test.com.
4 in ptr mail.test.com.
5 in ptr ns2.test.com.
# vi localhost-v6.rev
$TTL 3600
@ IN SOA ns1.test.com. root.ns1.test.com. (
2012060301 ; Serial
3600 ; Refresh
900 ; Retry
3600000 ; Expire
3600 ) ; Minimum
IN NS ns1.test.com.
IN PTR localhost.test.com.
#cp /etc/namedb/named.root /etc/namedb/working/named.root
So the working directory contains at least these files:
# ls
PROTO.localhost-v6.rev db.test.com rndc.key
PROTO.localhost.rev localhost-v6.rev
db.1.2.3 named.root
// it also works without the two PROTO files.
Remember to enable the local resolver in the resolver file:
# vi /etc/resolv.conf
nameserver 127.0.0.1 // remove the leading #, so lookups use your own BIND.
nameserver 168.95.192.1
nameserver 168.95.1.1
domain test.com
Start manually:
# /etc/rc.d/named start (or stop, restart, reload, etc.)
Starting named.
Check BIND's startup status:
# tail /var/log/messages
Jun 5 14:52:23 mail named[5638]: starting BIND 9.8.5 -c /etc/namedb/named.conf -t /var/named -u bind
Jun 5 14:52:23 mail named[5638]: built with '--localstatedir=/var' '--disable-linux-caps' '--disable-symtable' '--with-randomdev=/dev/random' '--with-openssl=/usr' '--with-libxml2=/usr/local' '--without-idn' '--enable-ipv6' '--enable-threads' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=i386-portbld-freebsd8.3' 'build_alias=i386-portbld-freebsd8.3' 'CC=cc' 'CFLAGS=-O2 -pipe -fno-strict-aliasing' 'LDFLAGS= -Wl,-rpath=/usr/lib:/usr/local/lib' 'CPPFLAGS=' 'CPP=cpp'
Jun 5 14:52:23 mail named[5638]: ----------------------------------------------------
Jun 5 14:52:23 mail named[5638]: BIND 9 is maintained by Internet Systems Consortium,
Jun 5 14:52:23 mail named[5638]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Jun 5 14:52:23 mail named[5638]: corporation. Support and training for BIND 9 are
Jun 5 14:52:23 mail named[5638]: available at https://www.isc.org/support
Jun 5 14:52:23 mail named[5638]: ----------------------------------------------------
Jun 5 14:52:23 mail named[5638]: command channel listening on 127.0.0.1#953
Jun 5 14:52:23 mail named[5638]: command channel listening on ::1#953
Jun 5 14:52:23 mail named[5638]: running
↑ This is what a normal start looks like.
Query your own DNS:
# host test.com
test.com has address 1.2.3.4
test.com has address 1.2.3.5
test.com mail is handled by 10 mail.test.com.
↑ All three lines must be present for it to be correct.
Or query from another machine: http://network-tools.com/nslook/Default.asp
Use the top command to see which process is using the most resources.
Other: error messages:
Named startup errors:
mail# tail /var/log/messages
Jun 5 13:46:22 mail named[5150]: could not listen on UDP socket: address in use
Jun 5 13:46:22 mail named[5150]: creating IPv4 interface xl0 failed; interface ignored
Jun 5 13:46:22 mail named[5150]: could not listen on UDP socket: address in use
Jun 5 13:46:22 mail named[5150]: creating IPv4 interface em0 failed; interface ignored
Jun 5 13:46:22 mail named[5150]: could not listen on UDP socket: address in use
Jun 5 13:46:22 mail named[5150]: creating IPv4 interface lo0 failed; interface ignored
Jun 5 13:46:22 mail named[5150]: running
Jun 5 13:46:54 mail named[3611]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
After updating /etc/named/named.conf it worked normally; since remote control is not used, rndc is not needed.
empty-zones-enable no; // with this line the warning no longer appears.