yum install -y bind bind-chroot bind-utils
chroot是通过相关文件封装在一个伪根目录内,已达到安全防护的目的,一旦程序被攻破,将只能访问伪根目录内的内容,而不是真实的根目录
BIND安装好之后不会有预制的配置文件,但是在BIND的文档文件夹内(/usr/share/doc/bind-9.9.4),BIND为我们提供了配置文件模板,我们可以直接拷贝过来:
cp -r /usr/share/doc/bind-9.9./sample/etc/* /var/named/chroot/etc/
cp -r /usr/share/doc/bind-9.9.4/sample/var/* /var/named/chroot/var/
配置BIND服务的主配置文件(/var/named/chroot/etc/named.conf),命令:vim /var/named/chroot/etc/named.conf;
内容很多使用简单配置,删除文件中logging以下的全部内容,以及option中的部分内容,得到如下配置
vim /var/named/chroot/etc/named.conf
options
{
// Put files that named is allowed to write in the data/ directory:
directory "/var/named"; // "Working" directory
listen-on port { any; }; listen-on-v6 port { any; }; };
在主配置文件(/var/named/chroot/etc/named.conf )中加入,zone参数
vim /var/named/chroot/etc/named.conf
options
{
// Put files that named is allowed to write in the data/ directory:
directory "/var/named"; // "Working" directory
listen-on port { any; }; listen-on-v6 port { any; }; }; zone "yaohjk.com" {
type master;
file "yaohjk.com.zone";
};
新建yaohjk.com.zone文件,yaohjk.com的域名解析文件,zone文件放在/var/named/chroot/var/named/下,zone文件可以已/var/named/chroot/var/named/named.localhost为模板。
命令:
cp /var/named/chroot/var/named/named.localhost /var/named/chroot/var/named/yaohjk.com.zone
文件yaohjk.com.zone的内容如下:
[root@xxx]# cat yaohjk.com.zone
$TTL 1D
@ IN SOA @ rname.invalid. (
; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS @
A 127.0.0.1
AAAA ::
gz IN A 192.168.0.199
boss IN A 192.168.0.199
login IN A 192.168.0.199
pay IN A 192.168.0.199
wx IN A 192.168.0.199
禁用bind默认方式启动,改用bind-chroot方式启动。命令如下:
[root@xxx named]# /usr/libexec/setup-named-chroot.sh /var/named/chroot on
[root@xxx named]# systemctl stop named
[root@xxx named]# systemctl disable named
[root@xxx named]# systemctl start named-chroot
[root@xxx named]# systemctl enable named-chroot
[root@xxx named]#
[root@xxx named]# ps -ef|grep named
named : ? :: /usr/sbin/named -u named -c /etc/named.conf -t /var/named/chroot
root : pts/ :: grep --color=auto named
[root@xxx named]#