BIND(Berkeley internet Name Daemon)也叫做NAMED,是现今互联网上使用最为广泛的DNS 服务器程序。这篇文章将要讲述如何在 chroot 监牢中运行 BIND,这样它就无法访问文件系统中除“监牢”以外的其它部分。
例如,在这篇文章中,我会将BIND的运行根目录改为 /var/named/chroot/。当然,对于BIND来说,这个目录就是 /(根目录)。 “jail”(监牢,下同)是一个软件机制,其功能是使得某个程序无法访问规定区域之外的资源,同样也为了增强安全性(LCTT 译注:chroot “监牢”,所谓“监牢”就是指通过chroot机制来更改某个进程所能看到的根目录,即将某进程限制在指定目录中,保证该进程只能对该目录及其子目录的文件进行操作,从而保证整个服务器的安全)。Bind Chroot DNS 服务器的默认“监牢”为 /var/named/chroot。
你可以按照下列步骤,在CentOS 7.0 上部署 Bind Chroot DNS 服务器。
1、安装Bind Chroot DNS 服务器
复制代码代码如下:[root@centos7 ~]# yum install bind-chroot bind -y
2、拷贝bind相关文件,准备bind chroot 环境
复制代码代码如下: [root@centos7 ~]# cp -R /usr/share/doc/bind-*/sample/var/namedsample/ for example named configuration files.
//
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory"/var/named";
dump-file"/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "example.local" {
type master;
file "example.local.zone";
};
zone "0.168.192.in-addr.arpa" IN {
type master;
file "192.168.0.zone";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
7、 为 example.local 域名创建转发域与反向域文件
a)创建转发域
复制代码代码如下:[root@centos7 ~]# vi /var/named/chroot/var/named/example.local.zone
添加如下内容并保存:
复制代码代码如下:;
;Addresses and other host information.
;
$TTL 86400
@IN SOA example.local. hostmaster.example.local. (
2014101901 ; Serial
43200 ; Refresh
3600; Retry
3600000 ; Expire
2592000 ) ; Minimum
;Define the nameservers and the mail servers
IN NS ns1.example.local.
IN NS ns2.example.local.
IN A192.168.0.70
IN MX 10 mx.example.local.
centos7 IN A192.168.0.70
mx IN A192.168.0.50
ns1IN A192.168.0.70
ns2IN A192.168.0.80
b)创建反向域
复制代码代码如下:[root@centos7 ~]# vi /var/named/chroot/var/named/192.168.0.zone
-
;
;Addresses and other host information.
;
$TTL 86400
@IN SOA example.local. hostmaster.example.local. (
2014101901 ; Serial
43200 ; Refresh
3600; Retry
3600000 ; Expire
2592000 ) ; Minimum
0.168.192.in-addr.arpa. IN NS centos7.example.local.
70.0.168.192.in-addr.arpa. IN PTR mx.example.local.
70.0.168.192.in-addr.arpa. IN PTR ns1.example.local.
80.0.168.192.in-addr.arpa. IN PTR ns2.example.local.。
8、开机自启动 bind-chroot 服务
复制代码代码如下: [root@centos7 ~]# /usr/libexec/setup-named-chroot.sh /var/named/chroot on
[root@centos7 ~]# systemctl stop named
[root@centos7 ~]# systemctl disable named
[root@centos7 ~]# systemctl start named-chroot
[root@centos7 ~]# systemctl enable named-chroot
ln -s '/usr/lib/systemd/system/named-chroot.service' '/etc/systemd/system/multi-user.target.wants/named-chroot.service'
