August 31, 2009

【DNS Server】Setup notes

After installing CentOS 5.3,

remember to update bind next:

#yum install bind*

After the update, chroot support is available.

Whether chroot is switched on or off is controlled in

/etc/sysconfig/named

which has a parameter: ROOTDIR

To run without chroot, just comment it out.

chroot greatly improves security:

even if named is taken over by a hacker,

the most they can do is move around inside that root dir.

named.conf - main configuration file
You can refer to the sample at
/usr/share/doc/bind-9.3.4/sample/etc/named.conf

Below is my simple configuration:
options
{
        directory "/var/named"; // the default
};

zone "." {  // root server
        type hint;
        file "named.ca";
};

// localhost forward and reverse zones
zone "localhost" {
        type master;
        file "named_localhost";
};

zone "0.0.127.in-addr.arpa" {
        type master;
        file "arpa_127.0.0";
};

// herbsite forward and reverse zones
zone "herbsite.tw" {
        type master;
        file "named_herbsite.tw";
};

zone "75.208.134.in-addr.arpa" {
        type master;
        file "arpa_134.208.75";
};

herbsite forward zone configuration:
named_herbsite.tw

$TTL 1d

@ IN SOA www.herbsite.tw. root.herbsite.tw. (
        2009090100 ; serial
        28800      ; refresh
        14400      ; retry
        720000     ; expire
        86400      ; minimum (negative caching TTL)
)

@ IN NS herbsite.tw.
@ IN A 134.208.75.141

@ IN NS dns.herbsite.tw.
dns IN A 134.208.75.143

@ IN NS www.herbsite.tw.
www IN A 134.208.75.143

@ IN MX 10 mail.herbsite.tw.
mail IN A 134.208.75.143


herbsite reverse zone configuration:
arpa_134.208.75

$TTL 1d

@ IN SOA localhost. root.localhost. (
        2009090100 ; serial
        28800      ; refresh
        14400      ; retry
        720000     ; expire
        86400      ; minimum (negative caching TTL)
)

@ IN NS herbsite.tw.
@ IN NS mail.herbsite.tw.

141 IN PTR herbsite.tw.
143 IN PTR mail.herbsite.tw. ; only the mail host gets a reverse record, so its mail isn't treated as spam


Then you can start it:

/etc/init.d/named restart

If there are errors or it fails to start, check /var/log/messages.

The most common errors are semicolon and whitespace problems!
