bind9 main configuration file: /etc/bind/bind.conf
include: pulls another configuration file into the main configuration file; every entry in the main file must be terminated with a semicolon.
```
include "/etc/bind/myconf.conf";
```
zone: zone definition format:
```
zone string optional_class {
    type ( master | slave | stub | hint |
        /* Master (primary zone): holds the data of a zone (e.g. www.wzvtc.cn).
           Slave (secondary zone): its data is copied from the master and serves as a backup.
           Stub: like a slave, but copies only the master's NS records rather than the whole zone;
                 not standard DNS, a feature provided by BIND.
           Forward: a forward zone usually carries forward and forwarders clauses so that queries
                    for the domain are handed to other DNS servers.
           Hint: a hint zone defines the current set of root DNS server addresses; if none is
                 defined, the server uses its built-in root server addresses. */
        forward | delegation-only );
    file quoted_string;
    masters [ port integer ] { ( masters | ipv4_address [port integer] | ipv6_address [ port integer ] ) [ key string ]; ... };
    database string;
    delegation-only boolean;
    check-names ( fail | warn | ignore );
    check-mx ( fail | warn | ignore );
    check-integrity boolean;
    check-mx-cname ( fail | warn | ignore );
    check-srv-cname ( fail | warn | ignore );
    dialup dialuptype;
    ixfr-from-differences boolean;
    journal quoted_string;
    zero-no-soa-ttl boolean;
    dnssec-secure-to-insecure boolean;
    allow-query { address_match_element; ... };
    allow-query-on { address_match_element; ... };
    allow-transfer { address_match_element; ... };
    allow-update { address_match_element; ... };
    allow-update-forwarding { address_match_element; ... };
    update-policy local | {
        ( grant | deny ) string ( name | subdomain | wildcard | self | selfsub | selfwild | krb5-self | ms-self | krb5-subdomain | ms-subdomain | tcp-self | zonesub | 6to4-self ) string rrtypelist;
        [...]
    };
    update-check-ksk boolean;
    dnssec-dnskey-kskonly boolean;
    masterfile-format ( text | raw );
    notify notifytype;
    notify-source ( ipv4_address | * ) [ port ( integer | * ) ];
    notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ];
    notify-delay seconds;
    notify-to-soa boolean;
    also-notify [ port integer ] { ( ipv4_address | ipv6_address ) [ port integer ]; ... };
    allow-notify { address_match_element; ... };
    forward ( first | only );
    forwarders [ port integer ] { ( ipv4_address | ipv6_address ) [ port integer ]; ... };
    max-journal-size size_no_default;
    max-transfer-time-in integer;
    max-transfer-time-out integer;
    max-transfer-idle-in integer;
    max-transfer-idle-out integer;
    max-retry-time integer;
    min-retry-time integer;
    max-refresh-time integer;
    min-refresh-time integer;
    multi-master boolean;
    sig-validity-interval integer;
    transfer-source ( ipv4_address | * ) [ port ( integer | * ) ];
    transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ];
    alt-transfer-source ( ipv4_address | * ) [ port ( integer | * ) ];
    alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ];
    use-alt-transfer-source boolean;
    zone-statistics boolean;
    try-tcp-refresh boolean;
    key-directory quoted_string;
    nsec3-test-zone boolean; // testing only
    ixfr-base quoted_string; // obsolete
    ixfr-tmp-file quoted_string; // obsolete
    maintain-ixfr-base boolean; // obsolete
    max-ixfr-log-size size; // obsolete
    pubkey integer integer integer quoted_string; // obsolete
};
```
zone configuration sample:
```
$ cat myconf.conf
zone "divint3.club" {
    type master;                // primary zone
    file "/etc/bind/db.club";   // zone file
};
zone "124.93.47.in-addr.arpa" {
    type master;
    file "/etc/bind/db.47";
};
```
acl: access control list definition format:
```
acl acl-name { address_match_list };
```
acl configuration sample:
```
acl "divint3" {
    192.168.0.1;
    192.168.0.2;
    192.168.0.3;                  // define an acl named divint3 containing three IPs
};
zone "divint3.club" {
    type master;
    file "/etc/bind/db.club";
    allow-query { "divint3"; };   // reference the acl
};
```
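The allow-query, allow-transfer and allow-update lists in the zone grammar above accept acl names as elements, so whether a zone is exposed depends on what an acl finally resolves to. As an added example (not code from the original post), this Python audit parses a constructed named.conf fragment written in the same style, resolves nested acl references, and flags zones whose transfer or update lists are absent or open to `any`; the fragment, the acl names and the parser itself are assumptions made for illustration.

```python
import re
# Constructed named.conf fragment in the style of the samples above (not a real deployment).
SAMPLE_CONF = """
acl "divint3" { 192.168.0.1; 192.168.0.2; 192.168.0.3; };
acl "xfer-peers" { "divint3"; 10.0.0.5; };
zone "divint3.club" {
    type master;
    allow-query { "divint3"; };
    allow-transfer { any; };            // weak: any host can pull the whole zone with AXFR
};
zone "124.93.47.in-addr.arpa" {
    type master;
    allow-transfer { "xfer-peers"; };   // restricted through a nested acl
    allow-update { none; };
};
"""

def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)
def elements(body):
    """Split an address_match_list body into its unquoted elements."""
    return [e.strip().strip('"') for e in body.split(";") if e.strip()]
def blocks(text, keyword):
    """Yield (name, body) for each `keyword "name" [class] { body };`, honouring nested braces."""
    for m in re.finditer(r'\b%s\s+"?([\w.-]+)"?[^{]*\{' % keyword, text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]
def expand(elems, acls):
    """Resolve acl references recursively so a list is judged by what it finally contains."""
    return [x for e in elems for x in (expand(acls[e], acls) if e in acls else [e])]
def audit(conf):
    """Return (zone, option, issue) for transfer/update lists that are absent or open to any."""
    text = strip_comments(conf)
    acls = {name: elements(body) for name, body in blocks(text, "acl")}
    findings = []
    for zone, body in blocks(text, "zone"):
        lists = {opt: elements(lst) for opt, lst in
                 re.findall(r"(allow-(?:transfer|update))\s*\{([^}]*)\}", body)}
        if "allow-transfer" not in lists:   # BIND 9 of this grammar's vintage defaults to { any; }
            findings.append((zone, "allow-transfer", "not set (default allows any host)"))
        for opt, elems in lists.items():
            if "any" in expand(elems, acls):
                findings.append((zone, opt, "open to any"))
    return findings
```

Running `audit(SAMPLE_CONF)` reports only the first zone, because the second zone's transfer list resolves to concrete addresses through the nested acl.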
view: view definition format:
```
view string optional_class {
    match-clients { address_match_element; ... };
    match-destinations { address_match_element; ... };
    match-recursive-only boolean;
    key string {
        algorithm string;
        secret string;
    };
    zone string optional_class { ... };
    server ( ipv4_address[/prefixlen] | ipv6_address[/prefixlen] ) { ... };
    trusted-keys { string integer integer integer quoted_string; [...] };
    allow-recursion { address_match_element; ... };
    allow-recursion-on { address_match_element; ... };
    sortlist { address_match_element; ... };
    topology { address_match_element; ... }; // not implemented
    auth-nxdomain boolean; // default changed
    minimal-responses boolean;
    recursion boolean;
    rrset-order { [ class string ] [ type string ] [ name quoted_string ] string string; ... };
    provide-ixfr boolean;
    request-ixfr boolean;
    rfc2308-type1 boolean; // not yet implemented
    additional-from-auth boolean;
    additional-from-cache boolean;
    query-source ( ( ipv4_address | * ) | [ address ( ipv4_address | * ) ] ) [ port ( integer | * ) ];
    query-source-v6 ( ( ipv6_address | * ) | [ address ( ipv6_address | * ) ] ) [ port ( integer | * ) ];
    use-queryport-pool boolean;
    queryport-pool-ports integer;
    queryport-pool-updateinterval integer;
    cleaning-interval integer;
    resolver-query-timeout integer;
    min-roots integer; // not implemented
    lame-ttl integer;
    max-ncache-ttl integer;
    max-cache-ttl integer;
    transfer-format ( many-answers | one-answer );
    max-cache-size size;
    max-acache-size size;
    clients-per-query number;
    max-clients-per-query number;
    check-names ( master | slave | response ) ( fail | warn | ignore );
    check-mx ( fail | warn | ignore );
    check-integrity boolean;
    check-mx-cname ( fail | warn | ignore );
    check-srv-cname ( fail | warn | ignore );
    cache-file quoted_string; // test option
    suppress-initial-notify boolean; // not yet implemented
    preferred-glue string;
    dual-stack-servers [ port integer ] { ( quoted_string [port integer] | ipv4_address [port integer] | ipv6_address [port integer] ); ... };
    edns-udp-size integer;
    max-udp-size integer;
    root-delegation-only [ exclude { quoted_string; ... } ];
    disable-algorithms string { string; ... };
    dnssec-enable boolean;
    dnssec-validation boolean;
    dnssec-lookaside ( auto | no | domain trust-anchor domain );
    dnssec-must-be-secure string boolean;
    dnssec-accept-expired boolean;
    dns64-server string;
    dns64-contact string;
    dns64 prefix {
        clients { acl; };
        exclude { acl; };
        mapped { acl; };
        break-dnssec boolean;
        recursive-only boolean;
        suffix ipv6_address;
    };
    empty-server string;
    empty-contact string;
    empty-zones-enable boolean;
    disable-empty-zone string;
    dialup dialuptype;
    ixfr-from-differences ixfrdiff;
    allow-query { address_match_element; ... };
    allow-query-on { address_match_element; ... };
    allow-query-cache { address_match_element; ... };
    allow-query-cache-on { address_match_element; ... };
    allow-transfer { address_match_element; ... };
    allow-update { address_match_element; ... };
    allow-update-forwarding { address_match_element; ... };
    update-check-ksk boolean;
    dnssec-dnskey-kskonly boolean;
    masterfile-format ( text | raw );
    notify notifytype;
    notify-source ( ipv4_address | * ) [ port ( integer | * ) ];
    notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ];
    notify-delay seconds;
    notify-to-soa boolean;
    also-notify [ port integer ] { ( ipv4_address | ipv6_address ) [ port integer ]; ... };
    allow-notify { address_match_element; ... };
    forward ( first | only );
    forwarders [ port integer ] { ( ipv4_address | ipv6_address ) [ port integer ]; ... };
    max-journal-size size_no_default;
    max-transfer-time-in integer;
    max-transfer-time-out integer;
    max-transfer-idle-in integer;
    max-transfer-idle-out integer;
    max-retry-time integer;
    min-retry-time integer;
    max-refresh-time integer;
    min-refresh-time integer;
    multi-master boolean;
    sig-validity-interval integer;
    transfer-source ( ipv4_address | * ) [ port ( integer | * ) ];
    transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ];
    alt-transfer-source ( ipv4_address | * ) [ port ( integer | * ) ];
    alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ];
    use-alt-transfer-source boolean;
    zone-statistics boolean;
    try-tcp-refresh boolean;
    key-directory quoted_string;
    zero-no-soa-ttl boolean;
    zero-no-soa-ttl-cache boolean;
    dnssec-secure-to-insecure boolean;
    allow-v6-synthesis { address_match_element; ... }; // obsolete
    fetch-glue boolean; // obsolete
    maintain-ixfr-base boolean; // obsolete
    max-ixfr-log-size size; // obsolete
};
```
view configuration sample:
```
acl "CNS" {              // China Net Segment
    1.0.1.0/24;
    /* …… */
};
acl "OOC" {              // Out Of China
    1.1.1.0/24;
    /* …… */
};
view "China" {
    match-clients { CNS; };
    recursion yes;       // allow recursion
    zone "divint3.club" {
        type master;
        file "/etc/bind/db.club";
    };
};
view "OutOfChina" {
    match-clients { OOC; };
    recursion no;
    zone "divint3.club" {
        type master;
        file "/etc/bind/db.ooc.club";
    };
};
```
logging: log configuration definition format:
```
logging {
    channel string {
        file log_file;
        syslog optional_facility;
        null;
        stderr;
        severity log_severity;
        print-time boolean;
        print-severity boolean;
        print-category boolean;
    };
    category string { string; ... };
};
/* Logging has two main concepts: channels and categories. A channel specifies where log data
   is sent: to syslog, to a file, to named's standard error output, or to the bit bucket.
   A category specifies which data gets logged. The file channel and the categories are
   introduced below. */
/* log_severity levels:
   critical
   error
   warning
   notice
   info
   debug [ level ]
   dynamic */
/* A category statement assigns one kind of message to one or more channels that have already
   been defined. The categories in bind9 are:
   default       matches every category with no explicitly assigned channel, but not messages that
                 belong to no category; those messages fall under the categories listed below.
   general       all BIND messages that are not otherwise classified.
   client        processing of client requests.
   config        configuration file parsing and processing.
   database      messages about BIND's internal database used to store zone data and cache records.
   dnssec        processing of DNSSEC-signed responses.
   lame-servers  lame delegations discovered.
   network       network operations.
   notify        asynchronous zone change notifications.
   queries       query logging.
   resolver      name resolution, including the handling of recursive queries from resolvers.
   security      approved/denied requests.
   update        dynamic update events.
   xfer-in       zone transfers from remote name servers to the local name server.
   xfer-out      zone transfers from the local name server to remote name servers. */
```
logging configuration sample:
```
logging {
    channel query_log {
        file "query.log" versions 3 size 20m;   // keep at most three files, each at most 20m
        severity info;
        print-time true;
    };
    category queries {
        query_log;
    };
};
```
include: definition format for including other files:
keys: keys do not have to be written by hand; rndc-confgen generates the configuration.
controls: control channel definition format:
```
controls {
    inet ( ipv4_address | ipv6_address | * ) [ port ( integer | * ) ]
        allow { address_match_element; ... } [ keys { string; ... } ];
    unix unsupported; // not implemented
};
```
controls configuration sample:
```
controls {
    inet 127.0.0.1 port 953     // listen on port 953 of the 127.0.0.1 interface
        allow { 127.0.0.1; }    // accept connections only from 127.0.0.1, i.e. only rndc run on this host can control named
        keys { "rndckey"; };    // the key named rndckey is required for access
};
```
Zone files: in the configuration, the file option specifies the location of the zone file.
Forward zone file sample:
```
$ cat db.club
$TTL 3600
$ORIGIN divint3.club.
@       IN  SOA divint3.club. divint3.gmail.com. (
                2003221     ; Serial
                604800      ; Refresh
                86400       ; Retry
                2419200     ; Expire
                604800 )    ; Negative Cache TTL
@       IN  NS  ns1.divint3.club.
@       IN  NS  ns2.divint3.club.
@       IN  A   47.93.124.161
www     IN  A   47.93.124.161
ns1     IN  A   47.93.124.161
ns2     IN  A   47.93.124.161
```
Reverse zone file sample:
```
$ cat db.47
$TTL 3600
124.93.47.in-addr.arpa. IN  SOA divint3.club. divint3.gmail.com. (
                20032201    ; Serial
                1D          ; Refresh
                1H          ; Retry
                1W          ; Expire
                3H )        ; Negative Cache TTL
@       IN  NS  ns1.divint3.club.
@       IN  NS  ns2.divint3.club.
; the owner is the last octet of 47.93.124.161, the address used in the forward zone
161     IN  PTR ns1.divint3.club.
161     IN  PTR ns2.divint3.club.
161     IN  PTR www.divint3.club.
```
Registering the DNS server with the network: Alibaba Cloud as an example
Note: registering a DNS server on the network takes time to become effective; it is not usable immediately after it is set up. Be sure to add the DNS server's own A record in your own DNS server's zone.
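The forward and reverse zone files above, together with the note about the server's own A record, are easy to get out of step: an NS target without an A record in its own zone, or an A record with no matching PTR. As an added example (not code from the original post), this Python check parses constructed zone files in the same format, handling the multi-line SOA parentheses and `$ORIGIN`, and reports both kinds of gap; the sample data and the parser are assumptions for illustration, and the parser assumes every record line names its owner.

```python
# Constructed zone files in the format of the samples above (not from a live server).
FORWARD_ZONE = """\
$ORIGIN divint3.club.
@   IN SOA divint3.club. divint3.gmail.com. ( 2003221 604800 86400
                                              2419200 604800 ) ; Negative Cache TTL
@   IN NS ns1.divint3.club.
@   IN NS ns2.divint3.club.   ; ns2 has no A record below: the gap the note warns about
@   IN A  47.93.124.161
www IN A  47.93.124.161
ns1 IN A  47.93.124.161
"""
REVERSE_ZONE = """\
161 IN PTR ns1.divint3.club.
161 IN PTR www.divint3.club.
"""

def parse_records(text, origin):
    """Return (owner, type, rdata) triples with fully qualified owners; every line must name its owner."""
    records, in_paren = [], False
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()            # drop zone-file comments
        if in_paren:                                     # continuation of a ( ... ) rdata
            in_paren = ")" not in line
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
        if not line or line.startswith("$"):             # blank line or directive
            continue
        parts = line.split()
        owner = origin if parts[0] == "@" else parts[0] if parts[0].endswith(".") else parts[0] + "." + origin
        rest = [p for p in parts[1:] if p != "IN" and not p.isdigit()]   # skip class and TTL
        in_paren = "(" in line and ")" not in line
        records.append((owner, rest[0], " ".join(rest[1:])))
    return records
def reverse_name(ip):
    """Map a dotted IPv4 address to its in-addr.arpa owner name."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."
def check_zones(forward, reverse, fwd_origin, rev_origin):
    """List in-zone NS targets lacking an A record, and A records lacking a matching PTR."""
    fwd, rev = parse_records(forward, fwd_origin), parse_records(reverse, rev_origin)
    a_records = {(o, d) for o, t, d in fwd if t == "A"}
    ptrs = {(o, d) for o, t, d in rev if t == "PTR"}
    problems = []
    for _, t, target in fwd:
        if t == "NS" and target.endswith("." + fwd_origin) and target not in {o for o, _ in a_records}:
            problems.append("NS %s has no A record in %s" % (target, fwd_origin))
    for owner, ip in sorted(a_records):
        if (reverse_name(ip), owner) not in ptrs:
            problems.append("A %s -> %s has no matching PTR" % (owner, ip))
    return problems
```

The reverse origin is passed in rather than read from the file because, as in the sample above, a reverse zone file typically relies on the zone statement's name instead of a `$ORIGIN` line.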