Compile install Chroot Bind Split DNS

Software instruction

Bind官网：https://www.isc.org/downloads/

当前版本：bind-9.10.4-P6.tar.gz （2017-03）

---

Compile & Install

[root@arnohost bind-9.10.4-P6]# ./configure --prefix=/opt/soft/bind \
--oldincludedir=/opt/soft/bind/oldinclude \
--enable-threads \
--enable-largefile \

[root@arnohost bind-9.10.4-P6]# make -j4
[root@arnohost bind-9.10.4-P6]# make install

# 
[root@arnohost bind-9.10.4-P6]# cat ~/.bash_profile 
# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
 . ~/.bashrc
fi

# User specific environment and startup programs
BINDPATH=/opt/soft/bind/bin:/opt/soft/bind/sbin
export PATH=$PATH:$HOME/bin:$BINDPATH

[root@arnohost bind-9.10.4-P6]# source ~/.bash_profile

 

Config Bind Chroot Env.

# add bind running user. 
[root@arnohost bind]# groupadd named
[root@arnohost bind]# useradd -s /sbin/nologin -d /opt/soft/bind -g named named
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it. # 这里的提示是正常的，不用管。

# chroot
[root@arnohost bind]# pwd
/opt/soft/bind
[root@arnohost bind]# mkdir -p chroot/{dev,etc,var/{log,run,named}}
[root@arnohost bind]# tree chroot/
chroot/
├── dev
├── etc
└── var
 ├── log
 ├── named
 └── run

7 directories, 0 files

[root@arnohost dev]# ls -lL /dev/zero /dev/null /dev/random 
crw-rw-rw- 1 root root 1, 3 Dec 7 01:42 /dev/null
crw-rw-rw- 1 root root 1, 8 Dec 7 01:42 /dev/random
crw-rw-rw- 1 root root 1, 5 Dec 7 01:42 /dev/zero

[root@arnohost bind]# cd chroot/dev/
[root@arnohost dev]# mknod null c 1 3
[root@arnohost dev]# mknod random c 1 8
[root@arnohost dev]# mknod zero c 1 5
[root@arnohost dev]# ls
null random zero

 

bind.keys & rndc.conf

[root@arnohost dev]# cd /opt/soft/bind/chroot/etc/
[root@arnohost etc]# cp /opt/soft/bind/etc/bind.keys /opt/soft/bind/chroot/etc/    # Relative path way:  cp ../../etc/bind.keys ./
[root@arnohost etc]# vim rndc.conf      # PS：rndc-confgen  Can automatically generate the following content.
# Start of rndc.conf
key "rndc-key" {
 algorithm hmac-md5;
 secret "1wXLXlgKatfuc7hmzlwQog==";
};

options {
 default-key "rndc-key";
 default-server 127.0.0.1;
 default-port 953;
};
# End of rndc.conf

 

config named.conf

# Tip： named.conf all file path are relative to /opt/soft/bind/chroot .
# Exp： /var/log/named.log ---> Actual file path: /opt/soft/bind/chroot/var/log/named.log 
[root@arnohost chroot]# cat etc/named.conf 
# Start of named.conf #
# ACL
acl allnet {
    127.0.0.1;
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
    100.64.0.0/10;
};
acl beijingnet {
    10.100.0.0/16;
};
acl shanghainet {
    10.111.0.0/16;
};
 
# Include 
include "/etc/view/view-beijing.conf";
include "/etc/view/view-shanghai.conf";
 
# KEY 与上面rndc.conf中的一致
key "rndc-key" {
    algorithm hmac-md5;
    secret "1wXLXlgKatfuc7hmzlwQog==";
};
 
# CONTROLS
controls {
    inet 127.0.0.1 port 953
    allow { 127.0.0.1; } keys { "rndc-key"; };
};

# LOGGING
# severity (critical | error | warning | notice | info | debug [ level ] | dynamic ); 
logging {
    channel default_log {
        file "/var/log/named.log" versions 10 size 200m;
        severity dynamic;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel query_log {
        file "/var/log/query.log" versions 10 size 200m;
        severity dynamic;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel resolver_log {
        file "/var/log/resolver.log" versions 10 size 200m;
        severity dynamic;
        print-category yes;
        print-severity yes;
        print-time yes;
    };

    category default {default_log;};
    category queries {query_log;};
    category query-errors {query_log;};
    category resolver {resolver_log;};
    category lame-servers {null;};
    category edns-disabled {null;};
};

# Options
options {
    directory "/var/named";
    dump-file "/var/run/named_dump.db";
    memstatistics-file "/var/run/named.memstats";
    statistics-file "/var/run/named.stats";
    pid-file "/var/run/named.pid";
    session-keyfile "/var/run/session.key";
    listen-on { any; };
    listen-on-v6 { none; };
    # querylog [on|off]
    version none;
    allow-recursion {
        allnet;
    };
    # allow-recursion-on{ any; };
    # recursion yes_or_no;
 
    allow-query { any; };
    # forward ( first | only );
    forward first;
    forwarders {
        8.8.8.8; # Google DNS
        8.8.4.4; # Google DNS
    };
};
# End of named.conf #

Config View file

[root@arnohost chroot]# mkdir etc/view/
# Beijing View
[root@arnohost chroot]# cat etc/view/view-beijing.conf 
# Start of view-beijing.conf #
# Beijing View
view "beijing" {
    match-clients { beijingnet; };
    # match-destinations {all;};
    zone "." {
        type hint;
        file "named.root";
    };
    zone "example.com" {
        type master;
        file "beijing/example.com.beijing.zone";
    };
};
# End of view-beijing.conf #
 
# ShangHai View
[root@arnohost chroot]# cat etc/view/view-shanghai.conf 
# Start of view-shanghai.conf #
# ShangHai View
view "shanghai" {
    match-clients { shanghainet; };
    # match-destinations {all;};
    zone "." {
        type hint;
        file "named.root";
    };
    zone "example.com" {
    type master;
        file "shanghai/example.com.shanghai.zone";
    };
};
# End of view-shanghai.conf #

 

Config zones file

[root@arnohost chroot]# cat var/named/beijing/example.com.beijing.zone
$ORIGIN example.com.
$TTL 86400
@ IN SOA dns1.example.com. hostmaster.example.com. (
          2001062501 ; serial
          21600 ; refresh after 6 hours
          3600 ; retry after 1 hour
          604800 ; expire after 1 week
          86400 ) ; minimum TTL of 1 day
;
;
         IN NS dns1.example.com.
         IN NS dns2.example.com.
dns1     IN A 10.100.18.158
;        IN AAAA aaaa:bbbb::1
dns2     IN A 10.100.18.2
;        IN AAAA aaaa:bbbb::2
;
;
@        IN MX 10 mail.example.com.
         IN MX 20 mail2.example.com.
mail     IN A 10.100.18.5
mail2    IN A 10.100.18.6
;
;
; This sample zone file illustrates sharing the same IP addresses
; for multiple services:
;
services IN A 10.100.18.10
         IN AAAA aaaa:bbbb::10
         IN A 10.100.18.11
         IN AAAA aaaa:bbbb::11
 
ftp      IN CNAME services.example.com.
www      IN CNAME services.example.com.
;
;
 
[root@arnohost chroot]# cat var/named/shanghai/example.com.shanghai.zone 
$ORIGIN example.com.
$TTL 86400
@ IN SOA dns1.example.com. hostmaster.example.com. (
             2001062501 ; serial
             21600 ; refresh after 6 hours
             3600 ; retry after 1 hour
             604800 ; expire after 1 week
             86400 ) ; minimum TTL of 1 day
;
;
       IN NS dns1.example.com.
       IN NS dns2.example.com.
dns1   IN A 10.111.4.158
;      IN AAAA aaaa:bbbb::1
dns2   IN A 10.111.4.2
;      IN AAAA aaaa:bbbb::2
; 
;
@        IN MX 10 mail.example.com.
         IN MX 20 mail2.example.com.
mail     IN A 10.111.4.5
mail2    IN A 10.111.4.6
;
;
; This sample zone file illustrates sharing the same IP addresses
; for multiple services:
;
services IN A 10.111.4.10
         IN AAAA aaaa:bbbb::10
         IN A 10.111.4.11
         IN AAAA aaaa:bbbb::11
 
ftp      IN CNAME services.example.com.
www      IN CNAME services.example.com.
;
;

 

named start manage

# 启动服务
[root@arnohost chroot]# named -u named -c /etc/named.conf -t /opt/soft/bind/chroot/ # 这里-c 后跟文件也是相对路径，相当于/opt/soft/bind/chroot/etc/named.conf

# rndc 管理服务，rndc 命令默认读取prefix/etc 下的配置文件
[root@arnohost chroot]# cp /opt/soft/bind/chroot/etc/rndc.conf /opt/soft/bind/etc/
[root@arnohost chroot]# rndc status
version: BIND 9.10.4-P6 <id:a6837d0> (version.bind/txt/ch disabled)
boot time: Thu, 09 Mar 2017 03:55:46 GMT
last configured: Thu, 09 Mar 2017 07:40:35 GMT
CPUs found: 4
worker threads: 4
UDP listeners per interface: 3
number of zones: 100
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running

# 更多用法，直接执行 rndc 回车查看说明