原创：Ubuntu 8.04下配置最新BIND版本的DNS服务器（可避免最近热炒的DNS CACHE漏洞）！

[gzwimax]

最近DNS服务器出现的CACHE的Bug问题，现在的DNS服务器BIND软件需升级到最新版本( BIND 9.5.0-P1)！本机环境：ubuntu 8.04，Linux ns.ovirt.cn 2.6.24-20-generic，hostname os.ovirt.cn。
一.Ubuntu下架设最简单的DNS服务器步骤
1.下载最近的BIND软件 BIND 9.5.0-P1(正式版)或BIND 9.5.1-b1(BETA版)。
http://www.isc.org/index.pl 下载
Package Download Signatures
Source bind-9.5.1b1.tar.gz asc sha256 sha512

2.安装刚下载的BIND软件。
root@ns:/software# ls
bind-9.5.1b1.tar.gz
root@ns:/software# tar -zxvf bind-9.5.1b1.tar.gz
root@ns:/software# ls
bind-9.5.1b1.tar.gz
bind-9.5.1b1
root@ns:/software# cd bind-9.5.1b1
root@ns:/software/bind-9.5.1b1# ./configure
root@ns:/software/bind-9.5.1b1#make
root@ns:/software/bind-9.5.1b1#make install

3.安装完启动文件为：/usr/local/sbin/named
root@ns:/# ls /usr/local/sbin/named
/usr/local/sbin/named

4.配置文件，只配置基本的文件，其它功能请查看相关文件。
root@ns:/# vi /etc/named.conf
options {
directory "/var/namedb";
pid-file "named.pid";
allow-query {any;};
recursion yes;
};
zone "." {
type hint;
file "root.hint";
};
zone "opensolaris.cn" {
type master;
file "opensolaris.cn.zone";
};

root@ns:/# mkdir /var/namedb
root@ns:/# cd /var/namedb/
root@ns:/# vi root.hint
; last update: Jan 29, 2004
; related version of root zone: 2004012900
;
;
; formerly NS.INTERNIC.NET
;
. 3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
;
; formerly NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
;
; formerly C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
;
; formerly TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90
;
; formerly NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
;
; formerly NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
;
; formerly NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
;
; formerly AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
;
; formerly NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
;
; operated by VeriSign, Inc.
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
;
; operated by RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
;
; operated by ICANN
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 198.32.64.12
;
; operated by WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
; End of File

root@ns:/var/namedb# vi opensolaris.cn.zone
$TTL 86400
@ IN SOA ns.opensolaris.cn. postmaster.ns.opensolaris.cn. (
20080731 ; Serial
3600 ; Refresh(1 hour)
600 ; Retry(10 minutes)
36000 ; Expire
7200) ; Minimum
IN NS ns.ovirt.cn.
www IN A 172.16.8.100
mail IN A 172.16.8.101

root@ns:/etc# vi /etc/hosts
127.0.0.1 localhost ns.ovirt.cn
127.0.1.1 ns.ovirt.cn

root@ns:/etc# vi /etc/hostname
ns.ovirt.cn

root@ns:/etc# vi /etc/resolv.conf
nameserver ns.ovirt.cn

5.启动BIND，检查BIND是否运行正常！
root@ns:/etc# /usr/local/sbin/named &
root@ns:/etc#
root@ns:/etc# ps -ef | grep named
root 7332 1 0 Aug01 ? 00:00:00 /usr/local/sbin/named
root 10794 6357 0 01:21 pts/0 00:00:00 grep named
root@ns:/etc#

6.检测域名服务器运行是否正常！
root@ns:/etc# nslookup
> www.163.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
www.163.com canonical name = www.cache.split.netease.com.
Name: www.cache.split.netease.com
Address: 220.181.28.50
Name: www.cache.split.netease.com
Address: 220.181.28.51
Name: www.cache.split.netease.com
Address: 220.181.28.52
Name: www.cache.split.netease.com
Address: 220.181.28.53
Name: www.cache.split.netease.com
Address: 220.181.28.54
> www.opensolaris.cn
Server: 127.0.0.1
Address: 127.0.0.1#53

Name: www.opensolaris.cn
Address: 172.16.8.100
>
运行正常，域名服务器搭建完成，更深入的配置请查看相关文件！

二.在DNS服务器上配置查询与修改域名服务器的日志文件，有利于排除故障
1.修改主配置文件
root@ns:/etc# vi /etc/named.conf
添加如下配置至named.conf，插入位置在options节后面，如下：
root@ns:/etc# more /etc/named.conf
options {
directory "/var/namedb";
pid-file "named.pid";
allow-query {any;};
recursion yes;
};

logging {
channel config_log {
file "config.log" versions 5 size 10m;
severity info;
print-time yes;
print-category yes;
print-severity yes;
};
channel query_log {
file "query.log" versions 5 size 10m;
severity info;
print-time yes;
print-category yes;
print-severity yes;
};
category config {config_log;};
category queries {query_log;};
};

zone "." {
type hint;
file "root.hint";
};

zone "opensolaris.cn" {
type master;
file "opensolaris.cn.zone";
};

2.保存，然后重启BIND软件
root@ns:/etc# /usr/local/sbin/named &

3.查看是否正常生成日志文件，并查看！
root@ns:/etc# cd /var/namedb/
root@ns:/var/namedb# ls
config.log opensolaris.cn.zone root.hint
named.pid query.log
root@ns:/var/namedb#
root@ns:/var/namedb# nslookup
> www.cisco.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: www.cisco.com
Address: 198.133.219.25
> www.ibm.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
www.ibm.com canonical name = www.ibm.com.cs186.net.
Name: www.ibm.com.cs186.net
Address: 129.42.56.216
root@ns:/var/namedb#
02-Aug-2008 12:30:26.515 queries: info: client 127.0.0.1#35647: query: www.cisco.com IN A +
02-Aug-2008 12:30:29.470 queries: info: client 127.0.0.1#47222: query: www.ibm.com IN A +
02-Aug-2008 12:30:35.369 queries: info: client 127.0.0.1#49739: query: www.sina.com.cn IN A +

4.从以上可看出可以正常生成查询日志，其它更深入的配置稍后再回上！


详细请查看我的BLOG，粘贴过来排版不好看！多多指教！
http://hi.baidu.com/gzwimax/blog/item/a ... 8813d.html

[yang_hui1986527]

很详细的教程，收藏学习了，谢谢分享。

[angelus]

DNS高速缓存污染已经很早就有了，两台DNS服务器交换不需要验证，被黑客将不正确信息掺入误倒客户定向
防止方法可以在防火墙上下功夫阻隔外部影响内部DNS更新，不知道现在DNS补丁是怎么阻止的，楼主清楚的话就具体介绍下

[Jarson]

做个记号，有时间再学习

[守望桑田]

局域网是不是要先搭建NAT环境平台才能在本机测试DNS和DHCP服务哈？！

[dogfox]

你是ubuntu的用户吗？bind目前源里就有的，无须自己编译

[mech]

一个问题哦，自己编译安装的bind（如LZ安装步骤）如何卸载？

[mech]

你是ubuntu的用户吗？bind目前源里就有的，无须自己编译

源里面是9.4.2的