「BIND」- Open-source DNS server implementation | Berkeley Internet Name Domain

Components

Command-line programs and configuration files

arpaname: translates IP addresses to the corresponding ARPA names.
bind9-config: hard-linked to isc-config.sh.
ddns-confgen: generates a key for use by nsupdate and named.
delv: a new debugging tool that is a successor to dig.
dig: interrogates DNS servers.
dnssec-checkds: a DNSSEC delegation consistency checking tool.
dnssec-coverage: verifies that the DNSSEC keys for a given zone or a set of zones have timing metadata set properly to ensure no future lapses in DNSSEC coverage.
dnssec-dsfromkey: outputs the Delegation Signer (DS) resource record (RR).
dnssec-importkey: reads a public DNSKEY record and generates a pair of .key/.private files.
dnssec-keyfromlabel: gets keys with the given label from cryptographic hardware and builds key files for DNSSEC.
dnssec-keygen: a key generator for secure DNS.
dnssec-revoke: sets the REVOKED bit on a DNSSEC key.
dnssec-settime: sets the key timing metadata for a DNSSEC key.
dnssec-signzone: generates signed versions of zone files.
dnssec-verify: verifies that a zone is fully signed for each algorithm found in the DNSKEY RRset for the zone, and that the NSEC / NSEC3 chains are complete.
genrandom: generates a file containing random data.
host: a utility for DNS lookups.
isc-config.sh: prints information related to the installed version of ISC BIND.
isc-hmac-fixup: fixes HMAC keys generated by older versions of BIND.
lwresd: a caching-only name server for local process use.
named: the name server daemon.
named-checkconf: checks the syntax of named.conf files.
named-checkzone: checks zone file validity.
named-compilezone: similar to named-checkzone, but it always dumps the zone contents to a specified file in a specified format.
named-journalprint: prints a zone journal in human-readable form.
named-rrchecker: reads an individual DNS resource record from standard input and checks whether it is syntactically correct.
nsec3hash: generates an NSEC3 hash based on a set of NSEC3 parameters.
nslookup: a program used to query Internet domain name servers.
nsupdate: used to submit DNS update requests.
rndc: controls the operation of BIND.
rndc-confgen: generates rndc.conf files.
tsig-keygen: a symlink to ddns-confgen.

Setting up a caching DNS service

Setting up a forwarding DNS service

Setting up an overriding DNS service

Setting up a master / slave synchronized DNS service

Improvements

#1 network unreachable resolving

DISABLING IPv6 lookups in bind

Problem description:
When watching the log with journalctl -f -u named.service, the following error appears while DNS resolution is being performed:

network unreachable resolving

Cause:
All modern operating systems support IPv6 out of the box, and BIND does as well. The operating system configures IPv6 addresses on the interfaces, but IPv6 does not work beyond the local network, so the IPv6 addresses are unreachable, and that is what produces this error.

Solution:
There are two possible solutions:
1) Either make the IPv6 network usable, so that external networks can be reached. (Getting external IPv6 access is somewhat troublesome, so this is not feasible for now.)
2) Or disable IPv6 listening at the BIND level. (Disable BIND9's IPv6 listening.)

On CentOS, edit the file /etc/sysconfig/named, add the line OPTIONS="-4", and then restart the DNS service. This only stops the BIND service from listening on IPv6 addresses. (It does not stop BIND from resolving AAAA records over IPv4, and we do not need to stop AAAA resolution over IPv4: our problem is caused by the IPv6 network being unavailable, so it is enough that BIND no longer sends packets from IPv6 addresses.)
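Before applying the fix it is worth confirming that the unreachable upstream addresses in the journal really are IPv6 ones; if IPv4 upstreams are unreachable too, the -4 switch will not help. The script below is an added example and is not part of the original page or of BIND itself: set_ipv4_only applies the OPTIONS="-4" change idempotently to a sysconfig file whose path is passed in (rather than hard-coding /etc/sysconfig/named, so it can be tried on a copy first), and count_unreachable classifies "network unreachable resolving" lines by address family. The log lines are constructed for the example and assume named's message shape "network unreachable resolving '<name>/<type>/<class>': <address>#<port>"; no service is restarted.

```shell
#!/bin/sh
# Added example (not from the page or from BIND): apply the OPTIONS="-4"
# fix to a sysconfig-style file and check which address family the
# "network unreachable resolving" errors refer to.
set -eu

# set_ipv4_only FILE: make sure FILE ends up with one OPTIONS line that
# contains -4, preserving any options already present. Safe to re-run.
set_ipv4_only() {
    f="$1"
    tmp="$f.tmp"
    if grep -q '^OPTIONS=' "$f" 2>/dev/null; then
        awk '
            /^OPTIONS=/ && $0 !~ /[ "]-4[ "]/ {
                # OPTIONS="" becomes OPTIONS="-4"; otherwise append " -4"
                if (!sub(/=""$/, "=\"-4\"")) sub(/"$/, " -4\"")
            }
            { print }' "$f" > "$tmp" && mv "$tmp" "$f"
    else
        printf 'OPTIONS="-4"\n' >> "$f"
    fi
}

# count_unreachable LOG FAMILY: number of "network unreachable resolving"
# lines whose upstream address is IPv6 (FAMILY=v6) or IPv4 (FAMILY=v4).
# The address is the last field, e.g. 2001:db8::53#53 or 192.0.2.10#53.
count_unreachable() {
    log="$1"
    fam="$2"
    grep 'network unreachable resolving' "$log" | awk -v fam="$fam" '
        {
            addr = $NF
            sub(/#[0-9]+$/, "", addr)          # strip the port
            if (index(addr, ":") > 0) v6++; else v4++
        }
        END { n = (fam == "v6") ? v6 : v4; print n + 0 }'
}

# write_sample_log FILE: constructed journal excerpt (documentation
# prefixes 2001:db8::/32 and 192.0.2.0/24, not real servers).
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 10 09:00:01 ns1 named[1203]: network unreachable resolving 'www.example.com/A/IN': 2001:db8:1::53#53
Jan 10 09:00:01 ns1 named[1203]: network unreachable resolving 'www.example.com/AAAA/IN': 2001:db8:2::53#53
Jan 10 09:00:02 ns1 named[1203]: network unreachable resolving 'mail.example.net/MX/IN': 2001:db8:3::53#53
Jan 10 09:00:02 ns1 named[1203]: network unreachable resolving 'www.example.org/A/IN': 192.0.2.10#53
Jan 10 09:00:03 ns1 named[1203]: resolver priming query complete
EOF
}

# Demo on a scratch copy; on a real host you would point set_ipv4_only
# at /etc/sysconfig/named and then restart named.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

write_sample_log "$demo_dir/journal.log"
v6=$(count_unreachable "$demo_dir/journal.log" v6)
v4=$(count_unreachable "$demo_dir/journal.log" v4)
echo "unreachable upstreams: IPv6=$v6 IPv4=$v4"

printf 'OPTIONS=""\n' > "$demo_dir/named"
if [ "$v6" -gt 0 ] && [ "$v4" -eq 0 ]; then
    set_ipv4_only "$demo_dir/named"
    echo "only IPv6 upstreams unreachable; applied:"
    cat "$demo_dir/named"
else
    echo "IPv4 upstreams are unreachable too; -4 alone will not fix this"
fi
```

In the constructed sample one IPv4 upstream is also unreachable, so the demo refuses to apply -4 and reports that instead; with only IPv6 lines present it rewrites the OPTIONS line. Running set_ipv4_only twice leaves a single OPTIONS line.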

References

BIND 9 – Versatile, Classic, Complete Name Server Software
鳥哥的 Linux 私房菜 (VBird's Linux Private Kitchen) / Chapter 19: The Hostname Controller: DNS Server