DNS和DHCP是企业内网的两大基础网络服务,DNS负责域名解析,DHCP负责IP地址自动分配。合理配置这两项服务可以大幅提升内网管理的效率和可靠性。本文以Debian 12为例,详细介绍BIND DNS服务器和ISC DHCP服务器的安装配置、安全加固和日常运维方法。
▶一、BIND DNS服务器安装
# Install BIND 9 together with its admin tools and documentation (Debian/Ubuntu).
apt update && apt install -y bind9 bind9utils bind9-doc
# RHEL-family equivalent: yum install -y bind bind-utils
# Confirm which release ended up installed (option names differ between releases).
named -v
# Enable the unit at boot and start it right away in a single step.
systemctl enable --now named
# Verify the unit is healthy and that a listener exists on port 53 (UDP and TCP).
systemctl status named
ss -tuln | grep -- ':53'
▶二、主DNS区域配置
# /etc/bind/named.conf.local
# Primary (authoritative) declaration of the forward zone; the records live in
# the zone file named below.
zone "bacaiyun.com" {
type master;
file "/etc/bind/db.bacaiyun.com";
# Restrict AXFR/IXFR to the secondary only: an unrestricted zone transfer hands
# the complete internal host list to whoever asks. An IP ACL trusts the source
# address alone; signing transfers with a TSIG key is the stronger control.
# NOTE(review): the zone file gives ns2 as 192.168.1.101 — confirm which
# address the secondary actually transfers from.
allow-transfer { 192.168.1.2; }; # let the secondary pull zone transfers
# Push NOTIFY to the secondary so it reloads as soon as the serial changes.
also-notify { 192.168.1.2; };
};
# /etc/bind/db.bacaiyun.com
$TTL 604800 ; default TTL (7 days) for every record without its own
; SOA: ns1 is the primary; "admin.bacaiyun.com." is the contact mailbox
; admin@bacaiyun.com (the first dot stands for '@'). The serial MUST increase
; on every edit or the secondary never notices the change; the YYYYMMDDnn
; form used here makes that easy to keep straight.
@ IN SOA ns1.bacaiyun.com. admin.bacaiyun.com. (
2026050101 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
; Both listed name servers need an A record below and must actually answer,
; otherwise delegation checks and the secondary's transfers fail.
@ IN NS ns1.bacaiyun.com.
@ IN NS ns2.bacaiyun.com.
@ IN A 192.168.1.100
ns1 IN A 192.168.1.100
ns2 IN A 192.168.1.101
www IN A 192.168.1.100
mail IN A 192.168.1.100
; MX must name a host with an A record (never a CNAME); 10 is the preference.
@ IN MX 10 mail.bacaiyun.com.
▶三、反向解析区域
# /etc/bind/named.conf.local - 添加反向区域
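# Reverse zone for 192.168.1.0/24. It is served by the same primary as the
# forward zone, so it gets the same transfer policy: without an explicit
# allow-transfer the server-wide default applies, which on most BIND releases
# lets any host pull the zone (a cheap way to enumerate the subnet).
zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192.168.1";
    # Same secondary as the forward zone; keep the two addresses in sync if
    # the secondary ever moves.
    allow-transfer { 192.168.1.2; };
    also-notify { 192.168.1.2; };
};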
# /etc/bind/db.192.168.1
$TTL 604800
; SOA mirrors the forward zone. Keep this serial moving independently: the
; reverse zone changes on its own (new hosts, dynamic updates).
@ IN SOA ns1.bacaiyun.com. admin.bacaiyun.com. (
2026050101 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
; NOTE(review): the forward zone lists ns2 as a second NS; if ns2 also serves
; this zone it should be listed here as well.
@ IN NS ns1.bacaiyun.com.
; Owner names are the last octet, relative to 1.168.192.in-addr.arpa.
; Two PTRs for .100 are legal, but many tools only look at the first answer;
; one canonical name per address is the usual convention.
100 IN PTR ns1.bacaiyun.com.
100 IN PTR www.bacaiyun.com.
101 IN PTR ns2.bacaiyun.com.
▶四、DNS安全配置(DNSSEC)
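# Generate the zone-signing key (ZSK) and key-signing key (KSK) for the zone.
# ECDSAP256SHA256 (algorithm 13) replaces NSEC3RSASHA1: the RSA/SHA-1
# algorithms are marked NOT RECOMMENDED for signing in RFC 8624, and systems
# with SHA-1 disabled in their crypto policy no longer validate such signatures.
# ECDSA keys have a fixed size, so -b is not needed, and the signatures are far
# smaller than 2048/4096-bit RSA ones.
dnssec-keygen -a ECDSAP256SHA256 -n ZONE bacaiyun.com
dnssec-keygen -f KSK -a ECDSAP256SHA256 -n ZONE bacaiyun.com
# The K*.private files written to the current directory are the signing
# secrets: keep them owned by the bind user with mode 600 and out of any
# backup that is not itself protected. Generating keys alone does not sign
# the zone — either run dnssec-signzone after every change, or (BIND 9.16+)
# let named manage keys and signatures with 'dnssec-policy default;' in the
# zone statement (plus 'inline-signing yes;' for a static zone file).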
# named.conf配置DNSSEC
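# DNSSEC validation for recursive lookups. These lines go into the single
# options {} statement of named.conf — named accepts only one, so merge them
# with the forwarder and cache settings shown elsewhere in this article.
options {
    # 'auto' validates against the built-in root trust anchor and keeps it
    # current via RFC 5011; 'yes' requires trust anchors configured by hand,
    # and none are configured in this article.
    dnssec-validation auto;
    # Dropped from the original:
    #   dnssec-enable yes;     -- has had no effect since BIND 9.16, and newer
    #                             releases reject obsolete options;
    #   dnssec-lookaside auto; -- DLV was shut down in 2017 and removed in 9.16.
    # Run named-checkconf after editing to confirm the installed release accepts it.
    # Signing of bacaiyun.com itself is configured in its zone statement
    # (dnssec-policy / inline-signing), not here.
};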
# 转发器配置(性能优化)
# Forwarders for everything this server is not authoritative for. Like the
# DNSSEC settings, these lines belong in the one and only options {} statement.
options {
forwarders {
# Public resolvers: queries to them leave the network in clear text on port 53,
# so every external lookup (and the host names behind it) is visible to the
# upstream operator and anyone on the path. Substitute approved corporate
# resolvers where policy requires, and make sure whatever is listed returns
# DNSSEC data if validation is enabled.
8.8.8.8;
114.114.114.114;
};
# 'forward only' never falls back to iterative resolution from the root: if
# every forwarder is unreachable, external resolution stops. 'forward first'
# keeps iterative resolution as a fallback.
forward only; # use the forwarders exclusively
};
▶五、ISC DHCP服务器安装与配置
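# Install ISC DHCP server (Debian/Ubuntu); RHEL-family: yum install -y dhcp-server
# NOTE: ISC declared ISC DHCP end-of-life in 2022 in favour of Kea. Debian 12
# still packages it, but plan new deployments with the migration in mind.
apt install -y isc-dhcp-server
# Debian's unit will not start until the interfaces to serve are named in
# /etc/default/isc-dhcp-server (e.g. INTERFACESv4="eth0"); set that first.
# Always syntax-check the configuration before (re)starting so a typo does not
# leave the whole network without address assignment.
dhcpd -t -cf /etc/dhcp/dhcpd.conf
systemctl enable --now isc-dhcp-server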
# /etc/dhcp/dhcpd.conf
# Global options handed to every client.
option domain-name "bacaiyun.com";
# NOTE(review): resolver behaviour varies and many clients do not fall back to
# the listed servers in order, so any client that settles on 8.8.8.8 cannot
# resolve internal names and sends internal host names to a public resolver.
# Handing out the internal secondary instead (ns2, 192.168.1.101 in the zone
# file) keeps resolution consistent and inside the network.
option domain-name-servers 192.168.1.100, 8.8.8.8;
# Short leases (10 min default, 2 h max) recycle addresses quickly at the cost
# of more renewal traffic and log volume; tune to the pool size.
default-lease-time 600;
max-lease-time 7200;
# Declare this server authoritative for its subnets so it NAKs stale leases
# from other servers instead of staying silent.
authoritative;
subnet 192.168.1.0 netmask 255.255.255.0 {
# Dynamic pool; keep it clear of the servers and of the fixed address below.
range 192.168.1.200 192.168.1.250;
option routers 192.168.1.1;
option broadcast-address 192.168.1.255;
option subnet-mask 255.255.255.0;
}
# Fixed assignment keyed on the client's MAC address. This is convenience, not
# authentication: any host can present this MAC, so never base access control
# on the address alone (use 802.1X or switch port security for that).
host webserver {
hardware ethernet 00:11:22:33:44:55;
fixed-address 192.168.1.100;
}
▶六、DHCP/DNS动态更新
# DHCP配置DNS动态更新
# named.conf允许更新
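# Replaces (does not duplicate) the zone statement from section two: named.conf
# rejects a zone declared twice. The DHCP server authenticates its updates with
# the TSIG key below; the same name, algorithm and secret must appear in the
# file dhcpd includes (/etc/dhcp/dns-update.key). Generate it with
# 'tsig-keygen dhcp-update', paste the output here, and keep both copies
# readable only by root and the respective daemon user.
key "dhcp-update" {
    algorithm hmac-sha256;
    secret "<PLACEHOLDER: base64 secret produced by tsig-keygen>";
};
zone "bacaiyun.com" {
    type master;
    # A dynamic zone is rewritten by named and needs a .jnl journal next to the
    # zone file. On Debian the AppArmor profile lets named write under
    # /var/lib/bind but not /etc/bind, so the file moves there (copy
    # /etc/bind/db.bacaiyun.com across and chown it to bind:bind).
    file "/var/lib/bind/db.bacaiyun.com";
    allow-transfer { 192.168.1.2; };
    also-notify { 192.168.1.2; };
    # Only holders of the key may update, but allow-update lets them change any
    # record in the zone, NS and SOA included. To confine the DHCP server to
    # host records, replace this line with:
    #   update-policy { grant dhcp-update zonesub A TXT DHCID; };
    # Give the reverse zone the same allow-update if PTR records should follow.
    allow-update { key dhcp-update; };
};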
# dhcpd.conf中启用DDNS
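# Dynamic DNS: dhcpd registers each lease in the forward and reverse zones.
# 'standard' (DHCID records, RFC 4701/4703) supersedes the deprecated 'interim'
# style, which tracked ownership in TXT records. Pick one and stay with it:
# records created by one style are not recognised by the other.
ddns-update-style standard;
# Also register the MAC-pinned host entries, not only dynamic leases.
update-static-leases on;
# TSIG key shared with named (same name, algorithm and secret as the key
# statement in named.conf). The file is a secret: owned by root, never
# world-readable, readable by the dhcpd daemon user only.
include "/etc/dhcp/dns-update.key";
# Forward zone: send signed updates to the local primary.
zone bacaiyun.com. {
    primary 127.0.0.1;
    key dhcp-update;
}
# Reverse zone: without this stanza PTR records are never created, and the
# reverse zone in named.conf needs a matching allow-update.
zone 1.168.192.in-addr.arpa. {
    primary 127.0.0.1;
    key dhcp-update;
}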
▶七、DNS缓存加速配置
# 配置BIND作为缓存DNS服务器
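# Recursive/caching resolver settings. Merge into the single options {}
# statement together with the DNSSEC and forwarder settings.
options {
    directory "/var/cache/bind";
    recursion yes;
    # Only internal networks may use this server as a recursive resolver; an
    # open recursive resolver is an amplification relay and a poisoning target.
    allow-recursion { 192.168.0.0/16; 10.0.0.0/8; };
    # Authoritative answers for our own zones may go to anyone; tighten this to
    # internal ranges if the server is not meant to be reachable from outside.
    allow-query { any; };
    # Must cover the same networks as allow-recursion: a client allowed to
    # recurse but denied cached answers is refused (named logs
    # "query (cache) ... denied"). The original listed only 192.168.0.0/16 here.
    allow-query-cache { 192.168.0.0/16; 10.0.0.0/8; };
    # Cache limits: cap memory and stop over-long TTLs pinning stale data.
    max-cache-size 500M;
    max-cache-ttl 86400;
    # No zone transfers from this server (zone data enumeration) unless a
    # zone statement overrides it for its own secondary.
    allow-transfer { none; };
    # Response rate limiting is the actual defence against this server being
    # used for DNS amplification/reflection. The limit is per client network
    # (BIND groups IPv4 sources per /24 by default); 'log-only no' enforces it.
    rate-limit {
        responses-per-second 10;
        log-only no;
    };
};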
▶八、多子网与DHCP中继
当网络有多个子网时,每个子网都需要DHCP服务器或DHCP中继代理。DHCP中继(dhcrelay)将子网的DHCP广播转发到中心DHCP服务器。配置DHCP中继后,所有子网的客户端IP分配都由统一服务器管理,简化了IP地址规划和审计工作。
▶九、日志与监控
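# Dump BIND's internal counters to its statistics file (Debian: under /var/cache/bind)
rndc stats
cat /var/cache/bind/named.stats
# Turn query logging on explicitly. A bare 'rndc querylog' only toggles the
# current state, so running it twice silently switches logging off again.
# Query logs hold client address + queried name for every lookup: they are
# personal data and grow fast, so rotate them and switch logging off when done.
rndc querylog on
# Queries then appear in /var/log/syslog (or: journalctl -u named)
# Current DHCP leases: the raw lease file, then the summary tool shipped with isc-dhcp-server
cat /var/lib/dhcp/dhcpd.leases
dhcp-lease-list
# Live view of queries on the interface (dnstop is a separate package: apt install -y dnstop)
dnstop -s eth0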
▶十、故障排除指南
DNS故障排查:使用dig +trace domain.com检查解析链路、nslookup结合不同DNS服务器测试、检查named-checkconf和named-checkzone配置语法。DHCP故障排查:检查dhcpd服务状态和系统日志、确认防火墙放行67/68端口、验证子网配置和IP地址范围是否重叠、使用tcpdump -i eth0 port 67抓包查看DHCP交互过程。
