BIND (Simplified Chinese)

From ArchWiki
Revision as of 09:00, 20 August 2013 by SteamedFish (added the TranslationStatus template and the en:BIND link)

Translation status: this article is a translation of the English page BIND, last translated on 2013-08-20; changes made to the English page since then can be reviewed on the ArchWiki.



Berkeley Internet Name Domain (BIND) is the reference implementation of the DNS protocol.


Install bind from the official repositories.

Start the named daemon.

Caching DNS server

BIND's default configuration already acts as a caching DNS server and can be used as is.

To make named listen only on the loopback address, so that only clients on the local machine can reach it, edit /etc/named.conf and add the following line inside the options block:

listen-on {; };

If you intend to serve queries from outside, it is recommended to also add the following lines to the options block of /etc/named.conf so that others cannot query the server's identity (BIND otherwise answers CHAOS-class queries for its version, host name and server id). Note that these lines only hide information; they do not restrict who may use the server for recursive lookups.

version none;
hostname none;
server-id none;

Edit /etc/resolv.conf so that the local machine is used as the DNS server.


Restart the named daemon.
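As an added example that is not part of the ArchWiki page, the following options block ties the fragments above together for a caching resolver that serves only the local machine and one LAN. The addresses, the ACL name "trusted" and the interface address are assumptions; the directory path matches the Arch default. Unlike the fragments above it also restricts who may recurse, because hiding the version string does nothing to stop an open recursive resolver from being abused for amplification attacks.

```conf
// Added example, not from the ArchWiki page. Assumed: the host's LAN
// address is 192.168.1.10 and trusted clients live in 192.168.1.0/24.
acl "trusted" {
        127.0.0.1;
        ::1;
        192.168.1.0/24;
};

options {
        directory "/var/named";

        // Bind only to loopback and the LAN-facing address, never 0.0.0.0.
        listen-on { 127.0.0.1; 192.168.1.10; };
        listen-on-v6 { ::1; };

        // Answer, recurse and serve cached data only for trusted clients.
        // Everyone else receives REFUSED, so this is not an open resolver.
        allow-query { trusted; };
        allow-recursion { trusted; };
        allow-query-cache { trusted; };

        // A pure caching server has no zones to hand out.
        allow-transfer { none; };

        // Do not leak software version or host identity via CHAOS queries.
        version none;
        hostname none;
        server-id none;
};
```

After restarting named, confirm the identity strings are hidden with `dig @127.0.0.1 version.bind CH TXT` and `dig @127.0.0.1 hostname.bind CH TXT` (both should return no answer), and confirm that a recursive query sent from an address outside the ACL comes back with status REFUSED.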

Authoritative DNS server

Below is a short tutorial on setting up your own authoritative zone, using "domain.tld" as the zone name (replace it with your real domain).

For a more detailed tutorial see Two-in-one DNS server with BIND9.

1. Create a zone file

# nano /var/named/
$TTL 7200
; domain.tld
@       IN      SOA     ns01.domain.tld. postmaster.domain.tld. (
                                        2007011601 ; Serial
                                        28800      ; Refresh
                                        1800       ; Retry
                                        604800     ; Expire - 1 week
                                        86400 )    ; Minimum
                IN      NS      ns01
                IN      NS      ns02
ns01            IN      A
ns02            IN      A
localhost       IN      A
@               IN      MX 10   mail
imap            IN      CNAME   mail
smtp            IN      CNAME   mail
@               IN      A
www             IN      A
mail            IN      A
@               IN      TXT     "v=spf1 mx"

$TTL defines the default TTL, in seconds, for every record in this file that does not specify its own. In this example the default TTL is 7200 seconds, i.e. 2 hours.

Every time you edit the zone file you must increase the Serial (the example follows the common YYYYMMDDnn convention) and then restart or reload named. The master does not push changes: each slave compares serials at its Refresh interval (or when it receives a NOTIFY) and transfers the zone only if the master's Serial is higher than the one it already holds, so a forgotten serial bump means the change never propagates.

2. Configure the master server

Add your zone to /etc/named.conf:

zone "domain.tld" IN {
        type master;
        file "";
        allow-update { none; };
        notify no;
};

If BIND should act purely as an authoritative server and never perform recursive lookups on behalf of clients, turn recursion off in the options block of /etc/named.conf:

recursion no;

Restart named.

3. Configure the slave server
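This step has no body on the page. As an added example that is not the page's own configuration, the two stanzas below show the master zone from step 2 hardened with a transfer restriction, together with the matching slave stanza. The addresses (ns01 at 198.51.100.1, ns02 at 203.0.113.2) and the zone file names are assumptions; unlike the fragment in step 2 it turns notify on, so ns02 learns of a new Serial immediately instead of waiting for the Refresh interval.

```conf
// Added example, not from the ArchWiki page. Assumed addresses:
// primary ns01 = 198.51.100.1, secondary ns02 = 203.0.113.2.

// ---- /etc/named.conf on the primary (ns01) ----
zone "domain.tld" IN {
        type master;
        file "domain.tld.zone";           // relative to options { directory }
        allow-update { none; };           // no dynamic updates
        allow-transfer { 203.0.113.2; };  // AXFR/IXFR only to ns02, not to anyone who asks
        also-notify { 203.0.113.2; };
        notify yes;                       // send NOTIFY when the Serial changes
};

// ---- /etc/named.conf on the secondary (ns02) ----
zone "domain.tld" IN {
        type slave;
        file "domain.tld.slave";          // written by named, so the directory must be writable by the named user
        masters { 198.51.100.1; };        // where to pull the zone from
        allow-notify { 198.51.100.1; };   // accept NOTIFY only from the primary
        allow-transfer { none; };         // do not re-serve the whole zone to the world
};
```

Without `allow-transfer` BIND hands the complete zone to any client that sends an AXFR, which is a convenient reconnaissance source; restricting it by address is the minimum, and signing transfers with a TSIG key is the usual next step. Check both files with `named-checkconf` before restarting.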


Forward-only DNS server

If you have problems with, for example, VPN connections, they can sometimes be solved by setting up a forwarding DNS server. This is very simple with BIND. Add these lines to the options block of /etc/named.conf and change the IP addresses to match your setup.

listen-on {; };
forwarders {;; };

Don't forget to restart the service!
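As an added example that is not part of the page, the options block below completes the fragment above; the forwarder addresses, the VPN domain "corp.example" and the tunnel-side resolver 10.8.0.1 are assumptions. Note that `forwarders` on its own gives forward-first behaviour, where named falls back to full recursion when the forwarders fail to answer; `forward only` disables that fallback, which is what "forward-only" means. The per-zone stanza shows the usual fix for the VPN case: only names under the VPN's domain are sent through the tunnel.

```conf
// Added example, not from the ArchWiki page. Assumed: upstream resolvers
// 192.0.2.53 and 192.0.2.54, VPN domain corp.example served by 10.8.0.1.
options {
        directory "/var/named";
        listen-on { 127.0.0.1; };
        allow-query { 127.0.0.1; };

        // Send every query upstream; "only" forbids falling back to
        // direct recursion if the forwarders do not answer.
        forwarders { 192.0.2.53; 192.0.2.54; };
        forward only;

        version none;
};

// Names under the VPN's private domain go to the resolver reachable
// through the tunnel; everything else still uses the forwarders above.
zone "corp.example" IN {
        type forward;
        forward only;
        forwarders { 10.8.0.1; };
};
```

Verify with `dig @127.0.0.1 host.corp.example` while the tunnel is up and `dig @127.0.0.1 archlinux.org` at any time; the first should be answered by 10.8.0.1's data and the second by the upstream forwarders.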

Running BIND in a chrooted environment

Running in a chroot environment is not required but improves security. See BIND (chroot) for how to do this.

Configuring BIND to serve DNSSEC signed zones

See DNSSEC#BIND (serving signed DNS zones)

Automatically listen on new interfaces without chroot and root privileges

This article or section is out of date.

Reason: initscripts have been replaced by systemd.


Add the

 interface-interval <rescan-timeout-in-minutes>;

parameter to the options block of named.conf. Then modify the rc script:

     stat_busy "Starting DNS"
-    [ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS}
+    setcap cap_net_bind_service=eip /usr/sbin/named
+    NAMED_ARGS=`echo ${NAMED_ARGS} | sed 's#-u [[:alnum:]]*##'`
+    [ -z "$PID" ] && sudo -u named /usr/sbin/named ${NAMED_ARGS}
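Review bot: the file capability set by `setcap cap_net_bind_service=eip /usr/sbin/named` is granted to every user who can execute the binary, not just to `named`, so the script should also restrict execute permission on /usr/sbin/named to the named user or group, and readers should know that a package upgrade replaces the binary and silently drops the capability (the setcap line re-applies it only on the next start). The rewrite of NAMED_ARGS with `sed 's#-u [[:alnum:]]*##'` only matches alphanumeric user names: for a user such as `named-svc` it strips `-u named` and leaves `-svc` behind, so named would be started with a bogus argument; matching a non-space run (`[^ ]*`) would be safer. Finally, the setcap line runs before the `[ -z "$PID" ]` guard, so it executes even when named is already running.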

So your /etc/rc.d/named should look like this:

     stat_busy "Starting DNS"
     setcap cap_net_bind_service=eip /usr/sbin/named
     NAMED_ARGS=`echo ${NAMED_ARGS} | sed 's#-u [[:alnum:]]*##'`
     [ -z "$PID" ] && sudo -u named /usr/sbin/named ${NAMED_ARGS}

Change the user name in the last line (the one containing "... sudo -u named ...") if your named user is not 'named'.

See also

BIND Resources