
HOWTO Setup BIND9 DNS Server

License: Creative Commons Attribution-ShareAlike 2.0, GNU Free Documentation License

Translator: FireHare

Proofreader: purewind

This HOWTO is aimed at people looking to learn how to configure and maintain a DNS server, such as for a network or to serve DNS zones for a domain name.

Repositories

BIND9 is available in the core Ubuntu repository. No additional repository needs to be enabled for BIND9.

Before we begin, you should be familiar with RootSudo.

Installing BIND9

The Server

$ sudo apt-get install bind9

Useful Tools (For Testing)

$ sudo apt-get install bind9-host dnsutils

Documentation (Optional)

$ sudo apt-get install bind9-doc

BIND9 Scenarios

BIND9 can be configured in many ways.

The most useful setups are:

Caching Server

This can be useful for a broadband connection to a host or small network. By caching DNS queries, you reduce the bandwidth used (and hopefully even your broadband bill!).

Master Server

BIND9 can be used to serve DNS records (groups of records are referred to as zones) for a registered domain name or an imaginary one (but only if used on a restricted network).

Slave Server

A slave DNS server is used to complement a Master DNS server by serving a copy of the zone(s) configured on the Master server. Slave servers are recommended in larger setups (larger networks or on the internet) if you intend to power a registered domain name, since they ensure that your DNS zone is still available, even if your Master server is not online.

Hybrids

You can even configure BIND9 to be a Caching and Master DNS server simultaneously, a Caching and a Slave server or even a Caching, Master and Slave server. All that is required is simply combining the different configuration examples from this document.

Stealth Servers

There are also two other common DNS server setups (used when working with zones for registered domain names), Stealth Master and Stealth Slave. These are effectively the same as Master and Slave DNS servers, but with a slight organisational difference.

For example, you have 3 DNS servers; A, B and C.

A is the Master, B and C are slaves.

If you configure your registered domain to use A and B as your domain's DNS servers, then C is a Stealth Slave. It's still a slave, but it's not going to be asked about the zone you are serving to the internet from A and B.

If you configure your registered domain to use B and C as your domain's DNS servers, then A is a Stealth Master. Any additional records or edits to the zone are done on A, but computers on the internet will only ever ask B and C about the zone.

DNS Record Types

There are lots of different DNS record types, but if you are reading this document, you need only deal with these record types:

Address Records

The most commonly used type of record.

www     IN      A       1.2.3.4

Alias Records

Used to create an alias from an existing A record. You cannot create a CNAME record pointing to another CNAME record.

mail    IN      CNAME   www
www     IN      A       1.2.3.4

Mail Exchange Records

Used to define where email should be sent to. Must point to an A record, not a CNAME.

        IN      MX      10 mail.example.com.    ; 10 is the preference value an MX record requires
[...]
mail    IN      A       1.2.3.4

Name Server Records

Used to define which servers serve copies of this zone. It must point to an A record, not a CNAME. This is where Master and Slave servers are defined. Stealth servers are intentionally omitted.

        IN      NS      ns.example.com.
[...]
ns      IN      A       1.2.3.4

Configuring BIND9

BIND9 configuration files are stored in /etc/bind/

The main configuration is stored in the following files:

/etc/bind/named.conf
/etc/bind/named.conf.options
/etc/bind/named.conf.local

Caching Server

The default configuration is set up to act as a caching server.

All that is required is simply adding the IP numbers of your ISP's DNS servers.

Simply uncomment and edit the following:

named.conf.options:

[...]
forwarders {
    1.2.3.4;
    5.6.7.8;
};
[...]

(where 1.2.3.4 and 5.6.7.8 are the IP numbers of your ISP's DNS servers)

Master Server

To add a DNS zone to BIND9, turning BIND9 into a Master server, all you have to do is:

named.conf.local:

[...]
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
};
[...]

Now use an existing zone file as a template:

$ sudo cp /etc/bind/db.local /etc/bind/db.example.com

Now, to edit our zone

db.example.com:

;
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      localhost.
@       IN      A       127.0.0.1

Edit localhost. to the FQDN of your server, with an additional "." at the end.

E.g.:

db.example.com:

;
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     box.example.com. root.localhost. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      localhost.
@       IN      A       127.0.0.1

Edit root.localhost to be your email address, but with a "." instead of the "@", and another "." at the end.

E.g.:

johndoe@example.com should be added as johndoe.example.com.

Increment the Serial number. You must increment the serial number every time you make any changes to the zone file and reload the zone by restarting BIND9. If you make multiple changes before restarting BIND9, simply increment the serial once.

Tip: Many people like to use the last date edited as the serial of a zone, such as 2005010100 which is yyyymmddss (where ss is the serial).
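The serial rule above as a small shell helper. This is an added example, not part of the original HOWTO; the function names next_serial and bump_zone_serial are made up here, and it assumes the serial sits on its own line commented "; Serial", as in db.example.com.

```shell
#!/bin/sh
# Added example: keep the yyyymmddss serial moving forward on every edit.

# next_serial CURRENT [TODAY] -> serial to use for the next change.
# TODAY (yyyymmdd) defaults to the current date; it is a parameter for testing.
next_serial() {
    current=$1
    base="${2:-$(date +%Y%m%d)}00"
    if [ "$current" -lt "$base" ]; then
        echo "$base"                 # first change today (or an old serial such as 1)
    else
        echo $((current + 1))        # further change today: never go backwards
    fi
}

# bump_zone_serial ZONEFILE [TODAY] -> rewrites the line commented "; Serial"
# in place and prints the new serial. Fails if no such line is found.
bump_zone_serial() {
    zone=$1
    old=$(awk '/;[ \t]*Serial/ { print $1; exit }' "$zone")
    case $old in
        ''|*[!0-9]*) echo "no serial line found in $zone" >&2; return 1 ;;
    esac
    new=$(next_serial "$old" "$2")
    tmp=$(mktemp) || return 1
    awk -v new="$new" '
        !done && /;[ \t]*Serial/ { sub(/[0-9]+/, new); done = 1 }
        { print }' "$zone" > "$tmp" &&
        cat "$tmp" > "$zone"         # overwrite in place, keeping owner and mode
    rm -f "$tmp"
    echo "$new"
}

# Constructed demo on a throw-away zone header (not a file from the page).
demo=$(mktemp)
printf '%s\n' '@ IN SOA box.example.com. johndoe.example.com. (' \
    '        1 ; Serial' '   604800 ; Refresh' '    86400 ; Retry' \
    '  2419200 ; Expire' '   604800 ) ; Negative Cache TTL' > "$demo"
bump_zone_serial "$demo" 20050101    # prints 2005010100
bump_zone_serial "$demo" 20050101    # prints 2005010101
rm -f "$demo"
```

A slave only fetches the zone again when the master's serial is higher than the one it already holds, which is why the helper never lets the value go backwards.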

Now, you can add DNS records to the bottom of the zone. Do remember to increment the serial as you add entries though.

Slave Server

First, on the master server, you have to allow the zone transfer. The sample zone definition in /etc/bind/named.conf.local should look like this:

[...]
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer {
        @ip_slave;    // placeholder: replace with the IP address of the slave
    };
};
[...]

On the slave, you have to carry out the same installation that was done on the master. Then edit /etc/bind/named.conf.local and add the following declaration for the zone:

[...]
zone "example.com" {
    type slave;
    file "/etc/bind/db.example.com";
    masters { @ip_master; };    // placeholder: replace with the IP address of the master
};
[...]
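An added check (not part of the original HOWTO) for the master-side allow-transfer setting above: it lists every master zone in a named.conf fragment with its zone-level transfer policy. The function names and the sample zones with 192.0.2.x addresses are constructed for illustration, and the parser assumes the file has no /* */ comments.

```shell
#!/bin/sh
# Added example. audit_transfers [FILE] reads FILE (or standard input) and prints
# one line per master zone:
#   MISSING            no allow-transfer in the zone; the server-wide setting applies
#   OPEN               allow-transfer contains "any"
#   RESTRICTED:<list>  only the listed addresses or ACL names may transfer
audit_transfers() {
    awk '
    function report() {
        if (zone != "" && type == "master") {
            if (!seen) v = "MISSING"
            else if (acl ~ /(^|,)any(,|$)/) v = "OPEN"
            else v = "RESTRICTED:" acl
            print zone, v
        }
        zone = type = acl = ""; seen = inacl = 0
    }
    {
        sub(/(\/\/|#).*/, "")        # strip // and # comments
        gsub(/[{};]/, " & ")         # make braces and semicolons separate tokens
        n = split($0, t)
        for (i = 1; i <= n; i++) {
            tok = t[i]
            if (tok == "{") depth++
            else if (tok == "}") {
                depth--
                if (depth == 1) inacl = 0
                if (depth == 0) report()
            }
            else if (depth == 0 && prev == "zone") { zone = tok; gsub(/"/, "", zone) }
            else if (depth == 1 && prev == "type") type = tok
            else if (depth == 1 && tok == "allow-transfer") seen = inacl = 1
            else if (depth == 2 && inacl && tok != ";") acl = (acl == "" ? "" : acl ",") tok
            prev = tok
        }
    }' "${1:--}"
}

# Constructed sample input (documentation addresses, not taken from the page).
sample_conf() {
    cat <<'EOF'
zone "example.com" { type master; file "/etc/bind/db.example.com";
    allow-transfer { 192.0.2.53; }; };
zone "example.net" { type master; file "/etc/bind/db.example.net"; };
zone "example.org" { type master; file "/etc/bind/db.example.org";
    allow-transfer { any; }; };   // transfers open to everyone
zone "example.edu" { type slave; file "/etc/bind/db.example.edu";
    masters { 192.0.2.1; }; };
EOF
}
sample_conf | audit_transfers
```

On a real server, run it as audit_transfers /etc/bind/named.conf.local and confirm that each RESTRICTED list contains only your slave servers.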

Restart the server. You should see something like this in /var/log/syslog:

syslog.5.gz:May 14 23:33:53 smith named[5064]: zone example.com/IN: transferred serial 2006051401
syslog.5.gz:May 14 23:33:53 smith named[5064]: transfer of 'example.com/IN' from 10.0.0.202#53: end of

Chrooting BIND9

Chrooting BIND9 is a recommended setup from a security perspective. In a chroot environment, BIND9 has access to all the files and hardware devices it needs, but is unable to access anything it should not need.

http://wiki.ubuntu.org.cn/index.php?title=Bind9安裝?... 2008-6-4

To chroot BIND9, simply create a chroot environment for it and add the additional configuration below.

The Chroot Environment

Create the following directory structure:

$ sudo mkdir -p /chroot/named
$ cd /chroot/named
$ sudo mkdir -p dev etc/namedb/slave var/run

Set permissions for the chroot environment:

$ sudo chown root:root /chroot
$ sudo chmod 700 /chroot
$ sudo chown bind:bind /chroot/named
$ sudo chmod 700 /chroot/named

Create or move the bind configuration file.

$ sudo touch /chroot/named/etc/named.conf

or

$ sudo cp /etc/bind/named.conf /chroot/named/etc

Give write permissions to the user bind for the /chroot/named/etc/namedb/slave directory.

$ sudo chown bind:bind /chroot/named/etc/namedb/slave

This is where the files for all slave zones will be kept. This increases security, by stopping the ability of an attacker to edit any of your master zone files if they do gain access as the bind user. Accordingly, all slave file names in the /chroot/named/etc/named.conf file will need to have directory names that designate the slave directory. An example zone definition is listed below.

zone "my.zone.com." {
    type slave;
    file "slave/my.zone.com.dns";    // inside the etc/namedb/slave directory created above
    masters {
        10.1.1.10;
    };
};

Create the devices BIND9 requires:

$ sudo mknod /chroot/named/dev/null c 1 3
$ sudo mknod /chroot/named/dev/random c 1 8

Give the user bind access to the /chroot/named/var/run directory that will be used to store PID and statistical data.

$ sudo chown bind:bind /chroot/named/var/run
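An added example, not part of the original HOWTO: a script that checks the chroot tree against the ownership, mode and device steps above. The function name audit_chroot is made up here, it relies on GNU stat as shipped with Ubuntu, and it assumes master zone files are kept in etc/namedb.

```shell
#!/bin/sh
# Added example: audit the chroot tree built in the steps above.
# Usage (as root, since /chroot is mode 700):
#   audit_chroot /chroot/named "$(id -u bind):$(id -g bind)"
# Prints one FAIL line per deviation and returns non-zero if there is any.
audit_chroot() {
    root=$1 owner=$2 rc=0
    # Top of the chroot: owned by bind, mode 700.
    [ "$(stat -c '%u:%g %a' "$root" 2>/dev/null)" = "$owner 700" ] ||
        { echo "FAIL $root: expected owner $owner, mode 700"; rc=1; }
    # Directories named must write to: slave zones, PID and statistics files.
    for d in etc/namedb/slave var/run; do
        [ "$(stat -c '%u:%g' "$root/$d" 2>/dev/null)" = "$owner" ] ||
            { echo "FAIL $root/$d: expected owner $owner"; rc=1; }
    done
    # etc and etc/namedb (assumed to hold the master zone files) must NOT
    # belong to bind, otherwise a compromised named could rewrite them.
    for d in etc etc/namedb; do
        [ "$(stat -c '%u' "$root/$d" 2>/dev/null)" != "${owner%%:*}" ] ||
            { echo "FAIL $root/$d: owned by the bind uid"; rc=1; }
    done
    # Device nodes: character devices with the major:minor numbers used above
    # (stat prints them in hex: null is 1:3, random is 1:8).
    for spec in null:1:3 random:1:8; do
        name=${spec%%:*}; want=${spec#*:}
        got=$(stat -c '%F %t:%T' "$root/dev/$name" 2>/dev/null)
        [ "$got" = "character special file $want" ] ||
            { echo "FAIL $root/dev/$name: expected char device $want"; rc=1; }
    done
    return $rc
}
```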

BIND9's Configuration

Edit the bind startup options found in /etc/default/bind9. Change the line that reads:

/etc/default/bind9:

OPTIONS="-u bind"

So that it reads:

/etc/default/bind9:

OPTIONS="-u bind -t /chroot/named -c /etc/named.conf"

The -t option changes the root directory from which bind operates to be /chroot/named. The -c option tells Bind that the configuration file is located at /etc/named.conf. Remember that this path is relative to the root set by -t.

The named.conf file must also receive extra options in order to run correctly. Below is a minimal set of options:

/chroot/named/etc/named.conf:

options {
    directory "/etc/namedb";
    pid-file "/var/run/named.pid";
    statistics-file "/var/run/named.stats";
};
