BIND | 技术站点 https://flycoolba.cn:443/tags/bind/ BIND HugoBlox Kit (https://hugoblox.com)zh-HansThu, 22 Jan 2026 00:00:00 +0000 https://flycoolba.cn:443/media/icon_hu_6ffd252f98295.png BIND https://flycoolba.cn:443/tags/bind/ DNS 服务器搭建与配置转发完全指南 https://flycoolba.cn:443/blog/dns/dns-server-setup-guide/ Thu, 22 Jan 2026 00:00:00 +0000 https://flycoolba.cn:443/blog/dns/dns-server-setup-guide/ <h1 id="dns-服务器搭建与配置转发完全指南">DNS 服务器搭建与配置转发完全指南</h1> <div class="callout flex px-4 py-3 mb-6 rounded-md border-l-4 bg-blue-100 dark:bg-blue-900 border-blue-500" data-callout="note" data-callout-metadata=""> <span class="callout-icon pr-3 pt-1 text-blue-600 dark:text-blue-300"> <svg height="24" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path fill="none" stroke="currentColor" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5" d="m16.862 4.487l1.687-1.688a1.875 1.875 0 1 1 2.652 2.652L6.832 19.82a4.5 4.5 0 0 1-1.897 1.13l-2.685.8l.8-2.685a4.5 4.5 0 0 1 1.13-1.897zm0 0L19.5 7.125"/></svg> </span> <div class="callout-content dark:text-neutral-300"> <div class="callout-title font-semibold mb-1">文档信息</div> <div class="callout-body"><ul> <li><strong>版本</strong>:v1.0 · <strong>标准参考</strong>:RFC 1034 / RFC 1035 / RFC 5625 / RFC 7766</li> <li><strong>适用软件</strong>:BIND 9.18+ · Unbound 1.17+ · dnsmasq 2.89+ · Windows Server DNS</li> <li><strong>适用系统</strong>:CentOS/RHEL 8+ · Ubuntu 22.04+ · Debian 12+ · Windows Server 2019/2022</li> </ul></div> </div> </div> <hr> <h2 id="目录">目录</h2> <ol> <li> </li> <li> </li> <li> </li> <li> </li> <li> </li> <li> </li> <li> </li> <li> </li> <li> </li> <li> </li> <li> </li> <li> </li> <li> </li> <li> </li> </ol> <hr> <h2 id="1-dns-基础概念回顾">1. DNS 基础概念回顾</h2> <h3 id="11-核心角色">1.1 核心角色</h3> <table> <thead> <tr> <th>角色</th> <th>说明</th> <th>典型软件</th> </tr> </thead> <tbody> <tr> <td><strong>权威 DNS 服务器</strong></td> <td>托管区域数据,对外应答该区域查询</td> <td>BIND、PowerDNS、NSD</td> </tr> <tr> <td><strong>递归解析器</strong></td> <td>代替客户端完整查询链,返回最终结果</td> <td>BIND、Unbound、dnsmasq</td> </tr> <tr> <td><strong>转发器(Forwarder)</strong></td> <td>将请求转发给上游解析器,本地缓存结果</td> <td>BIND、dnsmasq、Unbound</td> </tr> <tr> <td><strong>根服务器</strong></td> <td>全球 13 组,解析链的起点</td> <td>—</td> </tr> </tbody> </table> <h3 id="12-查询流程">1.2 查询流程</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">客户端 </span></span><span class="line"><span class="cl"> │ </span></span><span class="line"><span class="cl"> ▼ 递归查询 </span></span><span class="line"><span class="cl">本地 DNS(企业内网) </span></span><span class="line"><span class="cl"> │ 命中缓存 → 直接返回 </span></span><span class="line"><span class="cl"> │ 未命中 ↓ </span></span><span class="line"><span class="cl"> ├─ 转发模式 → 上游 DNS(如 114.114.114.114) </span></span><span class="line"><span class="cl"> └─ 递归模式 → 根服务器 → TLD → 权威 → 返回 </span></span></code></pre></div><h3 id="13-重要-dns-记录类型">1.3 重要 DNS 记录类型</h3> <table> <thead> <tr> <th>记录类型</th> <th>用途</th> <th>示例</th> </tr> </thead> <tbody> <tr> <td><code>A</code></td> <td>域名 → IPv4</td> <td><code>www 300 IN A 1.2.3.4</code></td> </tr> <tr> <td><code>AAAA</code></td> <td>域名 → IPv6</td> <td><code>www 300 IN AAAA ::1</code></td> </tr> <tr> <td><code>CNAME</code></td> <td>别名 → 规范名</td> <td><code>blog IN CNAME www</code></td> </tr> <tr> <td><code>MX</code></td> <td>邮件服务器</td> <td><code>@ 300 IN MX 10 mail</code></td> </tr> <tr> <td><code>NS</code></td> <td>区域名称服务器</td> <td><code>@ IN NS ns1.example.com.</code></td> </tr> <tr> <td><code>PTR</code></td> <td>IP → 域名(反向)</td> <td><code>4.3.2.1.in-addr.arpa.</code></td> </tr> <tr> <td><code>SOA</code></td> <td>区域权威信息</td> <td>序列号、刷新时间等</td> </tr> <tr> <td><code>TXT</code></td> <td>文本信息</td> <td>SPF、DKIM、验证记录</td> </tr> <tr> <td><code>SRV</code></td> <td>服务定位</td> <td><code>_sip._tcp 100 443 proxy</code></td> </tr> </tbody> </table> <hr> <h2 id="2-架构设计与选型">2. 架构设计与选型</h2> <h3 id="21-常见部署模式对比">2.1 常见部署模式对比</h3> <table> <thead> <tr> <th>场景</th> <th>推荐方案</th> <th>说明</th> </tr> </thead> <tbody> <tr> <td>家庭 / 小型办公室</td> <td><strong>dnsmasq</strong></td> <td>轻量,配置简单,适合路由器部署</td> </tr> <tr> <td>中型企业内网</td> <td><strong>BIND 9(转发模式)+ Unbound</strong></td> <td>内外网分离,缓存效率高</td> </tr> <tr> <td>大型企业 / ISP</td> <td><strong>BIND 9 权威 + Unbound 递归</strong></td> <td>角色分离,性能与安全均优</td> </tr> <tr> <td>私有云 / K8s</td> <td><strong>CoreDNS</strong></td> <td>云原生,插件化,与 K8s 深度集成</td> </tr> <tr> <td>Windows 域环境</td> <td><strong>Windows Server DNS</strong></td> <td>与 AD 域深度集成</td> </tr> </tbody> </table> <h3 id="22-推荐企业-dns-分层架构">2.2 推荐企业 DNS 分层架构</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">┌─────────────────────────────────────────────┐ </span></span><span class="line"><span class="cl">│ 外网区域 │ </span></span><span class="line"><span class="cl">│ 权威 DNS(对外):ns1.example.com │ </span></span><span class="line"><span class="cl">│ ns2.example.com │ </span></span><span class="line"><span class="cl">└──────────────────┬──────────────────────────┘ </span></span><span class="line"><span class="cl"> │ 防火墙 (UDP/TCP 53) </span></span><span class="line"><span class="cl">┌──────────────────▼──────────────────────────┐ </span></span><span class="line"><span class="cl">│ 内网区域 │ </span></span><span class="line"><span class="cl">│ ┌─────────────┐ ┌─────────────────────┐ │ </span></span><span class="line"><span class="cl">│ │ 递归解析器 │ │ 内部权威 DNS │ │ </span></span><span class="line"><span class="cl">│ │ (Unbound) │ │ (BIND 内网区域) │ │ </span></span><span class="line"><span class="cl">│ │ 192.168.1.53│ │ 192.168.1.54 │ │ </span></span><span class="line"><span class="cl">│ └──────┬──────┘ └─────────────────────┘ │ </span></span><span class="line"><span class="cl">│ │ 转发上游 │ </span></span><span class="line"><span class="cl">│ ┌──────▼──────────────────────────────┐ │ </span></span><span class="line"><span class="cl">│ │ 上游 DNS(加密): │ │ </span></span><span class="line"><span class="cl">│ │ 1.1.1.1 (Cloudflare DoT) │ │ </span></span><span class="line"><span class="cl">│ │ 8.8.8.8 (Google DoH) │ │ </span></span><span class="line"><span class="cl">│ └─────────────────────────────────────┘ │ </span></span><span class="line"><span class="cl">└─────────────────────────────────────────────┘ </span></span></code></pre></div><hr> <h2 id="3-bind-9-权威-dns-服务器">3. BIND 9 权威 DNS 服务器</h2> <h3 id="31-安装">3.1 安装</h3> <p><strong>RHEL / CentOS 8+:</strong></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">dnf install -y <span class="nb">bind</span> bind-utils </span></span><span class="line"><span class="cl">systemctl <span class="nb">enable</span> --now named </span></span><span class="line"><span class="cl">firewall-cmd --permanent --add-service<span class="o">=</span>dns </span></span><span class="line"><span class="cl">firewall-cmd --reload </span></span></code></pre></div><p><strong>Ubuntu / Debian:</strong></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">apt update <span class="o">&amp;&amp;</span> apt install -y bind9 bind9-utils bind9-doc </span></span><span class="line"><span class="cl">systemctl <span class="nb">enable</span> --now named </span></span><span class="line"><span class="cl">ufw allow 53/tcp </span></span><span class="line"><span class="cl">ufw allow 53/udp </span></span></code></pre></div><p><strong>验证版本:</strong></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">named -v </span></span><span class="line"><span class="cl"><span class="c1"># BIND 9.18.x (Extended Support Version)</span> </span></span></code></pre></div><h3 id="32-主配置文件-etcnamedconf">3.2 主配置文件 <code>/etc/named.conf</code></h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-nginx" data-lang="nginx"><span class="line"><span class="cl"><span class="k">//</span> <span class="s">/etc/named.conf</span> </span></span><span class="line"><span class="cl"><span class="s">//</span> <span class="s">BIND</span> <span class="mi">9</span> <span class="s">主配置</span> <span class="s">-</span> <span class="s">权威</span> <span class="s">+</span> <span class="s">内网递归示例</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="s">options</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">version</span> <span class="s">&#34;unknown&#34;</span><span class="p">;</span> <span class="kn">//</span> <span class="s">隐藏版本信息(安全建议)</span> </span></span><span class="line"><span class="cl"> <span class="s">directory</span> <span class="s">&#34;/var/named&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">dump-file</span> <span class="s">&#34;/var/named/data/cache_dump.db&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">statistics-file</span> <span class="s">&#34;/var/named/data/named_stats.txt&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">memstatistics-file</span> <span class="s">&#34;/var/named/data/named_mem_stats.txt&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kn">//</span> <span class="s">监听接口</span> </span></span><span class="line"><span class="cl"> <span class="s">listen-on</span> <span class="s">port</span> <span class="mi">53</span> <span class="p">{</span> <span class="kn">127.0.0.1</span><span class="p">;</span> <span class="kn">192.168.1.53</span><span class="p">;</span> <span class="p">}</span>; </span></span><span class="line"><span class="cl"> <span class="kn">listen-on-v6</span> <span class="s">port</span> <span class="mi">53</span> <span class="p">{</span> <span class="kn">::1</span><span class="p">;</span> <span class="p">}</span>; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kn">//</span> <span class="s">允许查询的客户端</span> </span></span><span class="line"><span class="cl"> <span class="s">allow-query</span> <span class="p">{</span> <span class="kn">localhost</span><span class="p">;</span> <span class="kn">192.168.0.0/16</span><span class="p">;</span> <span class="kn">10.0.0.0/8</span><span class="p">;</span> <span class="p">}</span>; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kn">//</span> <span class="s">允许递归的客户端(仅内网)</span> </span></span><span class="line"><span class="cl"> <span class="s">allow-recursion</span> <span class="p">{</span> <span class="kn">localhost</span><span class="p">;</span> <span class="kn">192.168.0.0/16</span><span class="p">;</span> <span class="kn">10.0.0.0/8</span><span class="p">;</span> <span class="p">}</span>; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kn">//</span> <span class="s">区域传送限制</span> </span></span><span class="line"><span class="cl"> <span class="s">allow-transfer</span> <span class="p">{</span> <span class="kn">none</span><span class="p">;</span> <span class="p">}</span>; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kn">//</span> <span class="s">转发配置(见第</span> <span class="mi">4</span> <span class="s">章)</span> </span></span><span class="line"><span class="cl"> <span class="s">forwarders</span> <span class="p">{</span> <span class="kn">1.1.1.1</span><span class="p">;</span> <span class="kn">8.8.8.8</span><span class="p">;</span> <span class="p">}</span>; </span></span><span class="line"><span class="cl"> <span class="kn">forward</span> <span class="s">first</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kn">//</span> <span class="s">安全选项</span> </span></span><span class="line"><span class="cl"> <span class="s">recursion</span> <span class="s">yes</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">dnssec-validation</span> <span class="s">auto</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kn">//</span> <span class="s">性能优化</span> </span></span><span class="line"><span class="cl"> <span class="s">max-cache-size</span> <span class="mi">256m</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">max-cache-ttl</span> <span class="mi">3600</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">min-cache-ttl</span> <span class="mi">30</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">max-ncache-ttl</span> <span class="mi">300</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span>; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">//</span> <span class="s">日志配置</span> </span></span><span class="line"><span class="cl"><span class="s">logging</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">channel</span> <span class="s">default_log</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">file</span> <span class="s">&#34;/var/log/named/named.log&#34;</span> <span class="s">versions</span> <span class="mi">5</span> <span class="s">size</span> <span class="mi">20m</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">print-time</span> <span class="s">yes</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">print-severity</span> <span class="s">yes</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">print-category</span> <span class="s">yes</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">severity</span> <span class="s">info</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span>; </span></span><span class="line"><span class="cl"> <span class="kn">channel</span> <span class="s">query_log</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">file</span> <span class="s">&#34;/var/log/named/query.log&#34;</span> <span class="s">versions</span> <span class="mi">3</span> <span class="s">size</span> <span class="mi">50m</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">print-time</span> <span class="s">yes</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">severity</span> <span class="s">info</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span>; </span></span><span class="line"><span class="cl"> <span class="kn">category</span> <span class="s">default</span> <span class="p">{</span> <span class="kn">default_log</span><span class="p">;</span> <span class="p">}</span>; </span></span><span class="line"><span class="cl"> <span class="kn">category</span> <span class="s">queries</span> <span class="p">{</span> <span class="kn">query_log</span><span class="p">;</span> <span class="p">}</span>; </span></span><span class="line"><span class="cl"> <span class="kn">category</span> <span class="s">security</span> <span class="p">{</span> <span class="kn">default_log</span><span class="p">;</span> <span class="p">}</span>; </span></span><span class="line"><span class="cl"><span class="p">}</span>; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">//</span> <span class="s">根区域提示</span> </span></span><span class="line"><span class="cl"><span class="s">zone</span> <span class="s">&#34;.&#34;</span> <span class="s">IN</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">type</span> <span class="s">hint</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">file</span> <span class="s">&#34;named.ca&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span>; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">//</span> <span class="s">本地回环区域</span> </span></span><span class="line"><span class="cl"><span class="s">zone</span> <span class="s">&#34;localhost&#34;</span> <span class="s">IN</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">type</span> <span class="s">master</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">file</span> <span class="s">&#34;named.localhost&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">allow-update</span> <span class="p">{</span> <span class="kn">none</span><span class="p">;</span> <span class="p">}</span>; </span></span><span class="line"><span class="cl"><span class="p">}</span>; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">//</span> <span class="s">内部区域引用</span> </span></span><span class="line"><span class="cl"><span class="s">include</span> <span class="s">&#34;/etc/named/named.conf.local&#34;</span><span class="p">;</span> </span></span></code></pre></div><h3 id="33-创建正向区域文件">3.3 创建正向区域文件</h3> <p><strong><code>/etc/named/named.conf.local</code></strong> 中声明区域:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-nginx" data-lang="nginx"><span class="line"><span class="cl"><span class="k">//</span> <span class="s">正向区域</span> </span></span><span class="line"><span class="cl"><span class="s">zone</span> <span class="s">&#34;example.com&#34;</span> <span class="s">IN</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">type</span> <span class="s">master</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">file</span> <span class="s">&#34;/var/named/zones/db.example.com&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">allow-update</span> <span class="p">{</span> <span class="kn">none</span><span class="p">;</span> <span class="p">}</span>; </span></span><span class="line"><span class="cl"> <span class="kn">notify</span> <span class="s">yes</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span>; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">//</span> <span class="s">反向区域(192.168.1.0/24)</span> </span></span><span class="line"><span class="cl"><span class="s">zone</span> <span class="s">&#34;1.168.192.in-addr.arpa&#34;</span> <span class="s">IN</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">type</span> <span class="s">master</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">file</span> <span class="s">&#34;/var/named/zones/db.192.168.1&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">allow-update</span> <span class="p">{</span> <span class="kn">none</span><span class="p">;</span> <span class="p">}</span>; </span></span><span class="line"><span class="cl"><span class="p">}</span>; </span></span></code></pre></div><p><strong>区域数据文件 <code>/var/named/zones/db.example.com</code>:</strong></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-dns" data-lang="dns"><span class="line"><span class="cl"><span class="c">; /var/named/zones/db.example.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c">; 区域文件 - example.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c">; 最后更新:2026-04-14</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="na">$TTL</span><span class="w"> </span><span class="sc">3600</span><span class="w"> </span><span class="c">; 默认 TTL:1 小时</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="na">$ORIGIN</span><span class="w"> </span><span class="py">example.com.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c">; SOA 记录(区域起始授权)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nc">@</span><span class="w"> </span><span class="k">IN</span><span class="w"> </span><span class="k">SOA</span><span class="w"> </span><span class="py">ns1.example.com. </span><span class="w"> </span><span class="py">admin.example.com. </span><span class="p">(</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="sc">2026041401</span><span class="w"> </span><span class="c">; Serial(年月日+序号,每次修改必须递增)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="sc">3600</span><span class="w"> </span><span class="c">; Refresh(从服务器刷新间隔)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="sc">900</span><span class="w"> </span><span class="c">; Retry(失败后重试间隔)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="sc">604800</span><span class="w"> </span><span class="c">; Expire(区域过期时间)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="sc">300</span><span class="w"> </span><span class="p">)</span><span class="w"> </span><span class="c">; Negative Cache TTL</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c">; NS 记录</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nc">@</span><span class="w"> </span><span class="k">IN</span><span class="w"> </span><span class="k">NS</span><span class="w"> </span><span class="py">ns1.example.com.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nc">@</span><span class="w"> </span><span class="k">IN</span><span class="w"> </span><span class="k">NS</span><span class="w"> </span><span class="py">ns2.example.com.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c">; A 记录</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nc">ns1</span><span class="w"> </span><span class="k">IN</span><span class="w"> </span><span class="k">A</span><span class="w"> </span><span class="mi">192.168.1.53</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nc">ns2</span><span class="w"> </span><span class="k">IN</span><span class="w"> </span><span class="k">A</span><span class="w"> </span><span class="mi">192.168.1.54</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nc">@</span><span class="w"> </span><span class="k">IN</span><span class="w"> </span><span class="k">A</span><span class="w"> </span><span class="mi">1.2.3.4</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nc">www</span><span class="w"> </span><span class="k">IN</span><span class="w"> </span><span class="k">A</span><span class="w"> </span><span class="mi">1.2.3.4</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nc">mail</span><span class="w"> </span><span class="k">IN</span><span class="w"> </span><span class="k">A</span><span class="w"> </span><span class="mi">1.2.3.5</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nc">api</span><span class="w"> </span><span class="k">IN</span><span class="w"> </span><span class="k">A</span><span class="w"> </span><span class="mi">1.2.3.6</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c">; AAAA 记录</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nc">www</span><span class="w"> </span><span class="k">IN</span><span class="w"> </span><span class="k">AAAA</span><span class="w"> </span><span class="il">2001:db8::1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c">; CNAME 记录</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nc">blog</span><span class="w"> </span><span class="k">IN</span><span class="w"> </span><span class="k">CNAME</span><span class="w"> </span><span class="py">www.example.com.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nc">ftp</span><span class="w"> </span><span class="k">IN</span><span class="w"> </span><span class="k">CNAME</span><span class="w"> </span><span class="py">www.example.com.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c">; MX 记录</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nc">@</span><span class="w"> </span><span class="k">IN</span><span class="w"> </span><span class="k">MX</span><span class="w"> </span><span class="sc">10</span><span class="w"> </span><span class="py">mail.example.com.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nc">@</span><span class="w"> </span><span class="k">IN</span><span class="w"> </span><span class="k">MX</span><span class="w"> </span><span class="sc">20</span><span class="w"> </span><span class="py">mail2.example.com.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c">; TXT 记录(SPF)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nc">@</span><span class="w"> </span><span class="k">IN</span><span class="w"> </span><span class="k">TXT</span><span class="w"> </span><span class="err">&#34;v=spf1</span><span class="w"> </span><span class="err">mx</span><span class="w"> </span><span class="err">a</span><span class="w"> </span><span class="err">~all&#34;</span><span class="w"> </span></span></span></code></pre></div><p><strong>反向区域文件 <code>/var/named/zones/db.192.168.1</code>:</strong></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-dns" data-lang="dns"><span class="line"><span class="cl"><span class="na">$TTL</span><span class="w"> </span><span class="sc">3600</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="na">$ORIGIN</span><span class="w"> </span><span class="sc">1</span><span class="py">.168.192.in-addr.arpa.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nc">@</span><span class="w"> </span><span class="k">IN</span><span class="w"> </span><span class="k">SOA</span><span class="w"> </span><span class="py">ns1.example.com. </span><span class="w"> </span><span class="py">admin.example.com. </span><span class="p">(</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="sc">2026041401</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="sc">3600</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="sc">900</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="sc">604800</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="sc">300</span><span class="w"> </span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nc">@</span><span class="w"> </span><span class="k">IN</span><span class="w"> </span><span class="k">NS</span><span class="w"> </span><span class="py">ns1.example.com.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nc">@</span><span class="w"> </span><span class="k">IN</span><span class="w"> </span><span class="k">NS</span><span class="w"> </span><span class="py">ns2.example.com.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c">; PTR 记录(IP 末位 → 域名)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="sc">53</span><span class="w"> </span><span class="k">IN</span><span class="w"> </span><span class="k">PTR</span><span class="w"> </span><span class="py">ns1.example.com.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="sc">54</span><span class="w"> </span><span class="k">IN</span><span class="w"> </span><span class="k">PTR</span><span class="w"> </span><span class="py">ns2.example.com.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="sc">100</span><span class="w"> </span><span class="k">IN</span><span class="w"> </span><span class="k">PTR</span><span class="w"> </span><span class="py">www.example.com.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="sc">101</span><span class="w"> </span><span class="k">IN</span><span class="w"> </span><span class="k">PTR</span><span class="w"> </span><span class="py">mail.example.com.</span><span class="w"> </span></span></span></code></pre></div><h3 id="34-主从复制zone-transfer">3.4 主从复制(Zone Transfer)</h3> <p><strong>主服务器 <code>named.conf.local</code> 补充:</strong></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-nginx" data-lang="nginx"><span class="line"><span class="cl"><span class="k">zone</span> <span class="s">&#34;example.com&#34;</span> <span class="s">IN</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">type</span> <span class="s">master</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">file</span> <span class="s">&#34;/var/named/zones/db.example.com&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">allow-transfer</span> <span class="p">{</span> <span class="kn">192.168.1.54</span><span class="p">;</span> <span class="p">}</span>; <span class="kn">//</span> <span class="s">仅允许从服务器</span> </span></span><span class="line"><span class="cl"> <span class="s">notify</span> <span class="s">yes</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">also-notify</span> <span class="p">{</span> <span class="kn">192.168.1.54</span><span class="p">;</span> <span class="p">}</span>; </span></span><span class="line"><span class="cl"><span class="p">}</span>; </span></span></code></pre></div><p><strong>从服务器配置:</strong></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-nginx" data-lang="nginx"><span class="line"><span class="cl"><span class="k">zone</span> <span class="s">&#34;example.com&#34;</span> <span class="s">IN</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">type</span> <span class="s">slave</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">file</span> <span class="s">&#34;/var/named/slaves/db.example.com&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">masters</span> <span class="p">{</span> <span class="kn">192.168.1.53</span><span class="p">;</span> <span class="p">}</span>; </span></span><span class="line"><span class="cl"><span class="p">}</span>; </span></span></code></pre></div><h3 id="35-配置检查与启动">3.5 配置检查与启动</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 检查主配置语法</span> </span></span><span class="line"><span class="cl">named-checkconf /etc/named.conf </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 检查区域文件语法</span> </span></span><span class="line"><span class="cl">named-checkzone example.com /var/named/zones/db.example.com </span></span><span class="line"><span class="cl">named-checkzone 1.168.192.in-addr.arpa /var/named/zones/db.192.168.1 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 重载配置(不中断服务)</span> </span></span><span class="line"><span class="cl">rndc reload </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 查看服务状态</span> </span></span><span class="line"><span class="cl">systemctl status named </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 查看运行日志</span> </span></span><span class="line"><span class="cl">journalctl -u named -f </span></span></code></pre></div><hr> <h2 id="4-bind-9-递归解析与转发配置">4. BIND 9 递归解析与转发配置</h2> <h3 id="41-纯转发模式forwarder-only">4.1 纯转发模式(Forwarder Only)</h3> <p>将所有无法解析的请求全部转发给上游:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-nginx" data-lang="nginx"><span class="line"><span class="cl"><span class="k">options</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">//</span> <span class="s">...其他配置...</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="s">forwarders</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">114.114.114.114</span><span class="p">;</span> <span class="kn">//</span> <span class="s">114DNS</span> </span></span><span class="line"><span class="cl"> <span class="n">114.114.115.115</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">1.1.1.1</span><span class="p">;</span> <span class="kn">//</span> <span class="s">Cloudflare</span> </span></span><span class="line"><span class="cl"> <span class="n">8.8.8.8</span><span class="p">;</span> <span class="kn">//</span> <span class="s">Google</span> </span></span><span class="line"><span class="cl"> <span class="err">}</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kn">forward</span> <span class="no">on</span><span class="s">ly</span><span class="p">;</span> <span class="kn">//</span> <span class="s">仅转发,不自行递归</span> </span></span><span class="line"><span class="cl"> <span class="s">recursion</span> <span class="s">yes</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span>; </span></span></code></pre></div> <blockquote class="border-l-4 border-neutral-300 dark:border-neutral-600 pl-4 italic text-neutral-600 dark:text-neutral-400 my-6"> <p><strong><code>forward only</code> vs <code>forward first</code></strong></p> <ul> <li><code>forward only</code>:只转发,上游不可达时直接失败(适合严格控制出口流量的环境)</li> <li><code>forward first</code>:先转发,上游失败后自行递归(适合有备用解析能力的场景)</li> </ul> </blockquote> <h3 id="42-条件转发split-dns--分离解析">4.2 条件转发(Split-DNS / 分离解析)</h3> <p>企业内外网域名走不同上游,是最常见的企业 DNS 策略:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-nginx" data-lang="nginx"><span class="line"><span class="cl"><span class="k">//</span> <span class="s">内部域名走内网权威服务器</span> </span></span><span class="line"><span class="cl"><span class="s">zone</span> <span class="s">&#34;internal.example.com&#34;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">type</span> <span class="s">forward</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">forwarders</span> <span class="p">{</span> <span class="kn">192.168.1.200</span><span class="p">;</span> <span class="kn">192.168.1.201</span><span class="p">;</span> <span class="p">}</span>; </span></span><span class="line"><span class="cl"> <span class="kn">forward</span> <span class="no">on</span><span class="s">ly</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span>; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">//</span> <span class="s">阿里云域名走阿里云</span> <span class="s">DNS</span> </span></span><span class="line"><span class="cl"><span class="s">zone</span> <span class="s">&#34;aliyuncs.com&#34;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">type</span> <span class="s">forward</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">forwarders</span> <span class="p">{</span> <span class="kn">100.100.2.136</span><span class="p">;</span> <span class="kn">100.100.2.138</span><span class="p">;</span> <span class="p">}</span>; </span></span><span class="line"><span class="cl"> <span class="kn">forward</span> <span class="no">on</span><span class="s">ly</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span>; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">//</span> <span class="s">其他域名走公共</span> <span class="s">DNS(在</span> <span class="s">options</span> <span class="s">中配置)</span> </span></span><span class="line"><span class="cl"><span class="s">options</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">forwarders</span> <span class="p">{</span> <span class="kn">1.1.1.1</span><span class="p">;</span> <span class="kn">8.8.8.8</span><span class="p">;</span> <span class="p">}</span>; </span></span><span class="line"><span class="cl"> <span class="kn">forward</span> <span class="s">first</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span>; </span></span></code></pre></div><h3 id="43-视图view实现内外网分离">4.3 视图(View)实现内外网分离</h3> <p>同一 DNS 服务器对内网返回私有 IP,对外返回公网 IP:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-nginx" data-lang="nginx"><span class="line"><span class="cl"><span class="k">acl</span> <span class="s">&#34;internal&#34;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">192.168.0.0/16</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">10.0.0.0/8</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">127.0.0.0/8</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span>; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">acl</span> <span class="s">&#34;external&#34;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">any</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span>; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">//</span> <span class="s">内网视图(优先匹配)</span> </span></span><span class="line"><span class="cl"><span class="s">view</span> <span class="s">&#34;internal&#34;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">match-clients</span> <span class="p">{</span> <span class="kn">internal</span><span class="p">;</span> <span class="p">}</span>; </span></span><span class="line"><span class="cl"> <span class="kn">recursion</span> <span class="s">yes</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">allow-query</span> <span class="p">{</span> <span class="kn">internal</span><span class="p">;</span> <span class="p">}</span>; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kn">zone</span> <span class="s">&#34;example.com&#34;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">type</span> <span class="s">master</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">file</span> <span class="s">&#34;/var/named/views/internal/db.example.com&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span>; </span></span><span class="line"><span class="cl"><span class="p">}</span>; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">//</span> <span class="s">外网视图</span> </span></span><span class="line"><span class="cl"><span class="s">view</span> <span class="s">&#34;external&#34;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">match-clients</span> <span class="p">{</span> <span class="kn">external</span><span class="p">;</span> <span class="p">}</span>; </span></span><span class="line"><span class="cl"> <span class="kn">recursion</span> <span class="s">no</span><span class="p">;</span> <span class="kn">//</span> <span class="s">外网禁止递归</span> </span></span><span class="line"><span class="cl"> <span class="s">allow-query</span> <span class="p">{</span> <span class="kn">any</span><span class="p">;</span> <span class="p">}</span>; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kn">zone</span> <span class="s">&#34;example.com&#34;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">type</span> <span class="s">master</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">file</span> <span class="s">&#34;/var/named/views/external/db.example.com&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span>; </span></span><span class="line"><span class="cl"><span class="p">}</span>; </span></span></code></pre></div><hr> <h2 id="5-unbound-递归解析服务器">5. Unbound 递归解析服务器</h2> <p>Unbound 专注于<strong>安全递归解析</strong>,性能优于 BIND 递归模式,推荐作为企业内网解析器。</p> <h3 id="51-安装">5.1 安装</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># RHEL/CentOS</span> </span></span><span class="line"><span class="cl">dnf install -y unbound </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Ubuntu/Debian</span> </span></span><span class="line"><span class="cl">apt install -y unbound </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">systemctl <span class="nb">enable</span> --now unbound </span></span></code></pre></div><h3 id="52-主配置-etcunboundunboundconf">5.2 主配置 <code>/etc/unbound/unbound.conf</code></h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">server</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># 监听地址</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">interface</span><span class="p">:</span><span class="w"> </span><span class="m">0.0.0.0</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">interface</span><span class="p">:</span><span class="w"> </span><span class="p">::</span><span class="m">0</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="m">53</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># 访问控制</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">access-control</span><span class="p">:</span><span class="w"> </span><span class="m">0.0.0.0</span><span class="l">/0 refuse</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">access-control</span><span class="p">:</span><span class="w"> </span><span class="m">127.0.0.0</span><span class="l">/8 allow</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">access-control</span><span class="p">:</span><span class="w"> </span><span class="m">192.168.0.0</span><span class="l">/16 allow</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">access-control</span><span class="p">:</span><span class="w"> </span><span class="m">10.0.0.0</span><span class="l">/8 allow</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">access-control</span><span class="p">:</span><span class="w"> </span><span class="p">::</span><span class="m">1</span><span class="l">/128 allow</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># 隐藏版本</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">hide-version</span><span class="p">:</span><span class="w"> </span><span class="kc">yes</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">hide-identity</span><span class="p">:</span><span class="w"> </span><span class="kc">yes</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># 性能</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">num-threads</span><span class="p">:</span><span class="w"> </span><span class="m">4</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">msg-cache-size</span><span class="p">:</span><span class="w"> </span><span class="l">128m</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">rrset-cache-size</span><span class="p">:</span><span class="w"> </span><span class="l">256m</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cache-min-ttl</span><span class="p">:</span><span class="w"> </span><span class="m">30</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cache-max-ttl</span><span class="p">:</span><span class="w"> </span><span class="m">3600</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">prefetch</span><span class="p">:</span><span class="w"> </span><span class="kc">yes</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">prefetch-key</span><span class="p">:</span><span class="w"> </span><span class="kc">yes</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># DNSSEC 验证</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">auto-trust-anchor-file</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/var/lib/unbound/root.key&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># 日志</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">logfile</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/var/log/unbound/unbound.log&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">log-queries</span><span class="p">:</span><span class="w"> </span><span class="kc">yes</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">verbosity</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># 本地数据(内部域名)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">local-zone</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;internal.example.com.&#34;</span><span class="w"> </span><span class="l">static</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">local-data</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;gateway.internal.example.com. IN A 192.168.1.1&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">local-data</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;nas.internal.example.com. IN A 192.168.1.100&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># 转发配置(向上游转发外部域名)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">forward-zone</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">forward-addr</span><span class="p">:</span><span class="w"> </span><span class="m">1.1.1.1</span>@<span class="m">853</span><span class="c">#cloudflare-dns.com # Cloudflare DoT</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">forward-addr</span><span class="p">:</span><span class="w"> </span><span class="m">8.8.8.8</span>@<span class="m">853</span><span class="c">#dns.google # Google DoT</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">forward-tls-upstream</span><span class="p">:</span><span class="w"> </span><span class="kc">yes</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># 包含本地配置</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">include</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/etc/unbound/conf.d/*.conf&#34;</span><span class="w"> </span></span></span></code></pre></div><h3 id="53-配置验证与管理">5.3 配置验证与管理</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 语法检查</span> </span></span><span class="line"><span class="cl">unbound-checkconf </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 重载配置</span> </span></span><span class="line"><span class="cl">unbound-control reload </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 刷新缓存</span> </span></span><span class="line"><span class="cl">unbound-control flush_zone example.com </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 查看统计</span> </span></span><span class="line"><span class="cl">unbound-control stats_noreset </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 更新 DNSSEC 根信任锚</span> </span></span><span class="line"><span class="cl">unbound-anchor -a /var/lib/unbound/root.key </span></span></code></pre></div><hr> <h2 id="6-dnsmasq-轻量级-dns-转发">6. dnsmasq 轻量级 DNS 转发</h2> <p>dnsmasq 适合嵌入式设备、路由器、小型局域网,兼具 DNS 转发与 DHCP 功能。</p> <h3 id="61-安装">6.1 安装</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># RHEL/CentOS</span> </span></span><span class="line"><span class="cl">dnf install -y dnsmasq </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Ubuntu/Debian</span> </span></span><span class="line"><span class="cl">apt install -y dnsmasq </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 停止 systemd-resolved(Ubuntu 下可能冲突)</span> </span></span><span class="line"><span class="cl">systemctl disable --now systemd-resolved </span></span></code></pre></div><h3 id="62-配置文件-etcdnsmasqconf">6.2 配置文件 <code>/etc/dnsmasq.conf</code></h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="c1"># /etc/dnsmasq.conf</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># ── 基础设置 ──────────────────────────────────────────────</span> </span></span><span class="line"><span class="cl"><span class="c1"># 监听接口(不指定则监听所有)</span> </span></span><span class="line"><span class="cl"><span class="na">interface</span><span class="o">=</span><span class="s">eth0</span> </span></span><span class="line"><span class="cl"><span class="na">bind-interfaces</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 不读取 /etc/hosts(可选)</span> </span></span><span class="line"><span class="cl"><span class="c1"># no-hosts</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 缓存大小(条目数)</span> </span></span><span class="line"><span class="cl"><span class="na">cache-size</span><span class="o">=</span><span class="s">10000</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 禁止转发不含点的域名(避免泄漏本地名称)</span> </span></span><span class="line"><span class="cl"><span class="na">domain-needed</span> </span></span><span class="line"><span class="cl"><span class="na">bogus-priv</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># ── 上游 DNS 转发 ─────────────────────────────────────────</span> </span></span><span class="line"><span class="cl"><span class="c1"># 默认上游转发(注释 /etc/resolv.conf,使用此处配置)</span> </span></span><span class="line"><span class="cl"><span class="na">no-resolv</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="na">server</span><span class="o">=</span><span class="s">114.114.114.114</span> </span></span><span class="line"><span class="cl"><span class="na">server</span><span class="o">=</span><span class="s">114.114.115.115</span> </span></span><span class="line"><span class="cl"><span class="na">server</span><span class="o">=</span><span class="s">1.1.1.1</span> </span></span><span class="line"><span class="cl"><span class="na">server</span><span class="o">=</span><span class="s">8.8.8.8</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># ── 条件转发 ──────────────────────────────────────────────</span> </span></span><span class="line"><span class="cl"><span class="c1"># 内部域名走内网 DNS</span> </span></span><span class="line"><span class="cl"><span class="na">server</span><span class="o">=</span><span class="s">/internal.example.com/192.168.1.200</span> </span></span><span class="line"><span class="cl"><span class="na">server</span><span class="o">=</span><span class="s">/corp.local/10.0.0.53</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 反向解析也走内网</span> </span></span><span class="line"><span class="cl"><span class="na">server</span><span class="o">=</span><span class="s">/168.192.in-addr.arpa/192.168.1.200</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># ── 本地静态 DNS 记录 ──────────────────────────────────────</span> </span></span><span class="line"><span class="cl"><span class="na">address</span><span class="o">=</span><span class="s">/gateway.local/192.168.1.1</span> </span></span><span class="line"><span class="cl"><span class="na">address</span><span class="o">=</span><span class="s">/nas.local/192.168.1.100</span> </span></span><span class="line"><span class="cl"><span class="na">address</span><span class="o">=</span><span class="s">/printer.local/192.168.1.200</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># ── 日志 ──────────────────────────────────────────────────</span> </span></span><span class="line"><span class="cl"><span class="na">log-queries</span> </span></span><span class="line"><span class="cl"><span class="na">log-facility</span><span class="o">=</span><span class="s">/var/log/dnsmasq.log</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># ── DHCP(可选)──────────────────────────────────────────</span> </span></span><span class="line"><span class="cl"><span class="c1"># dhcp-range=192.168.1.100,192.168.1.200,12h</span> </span></span><span class="line"><span class="cl"><span class="c1"># dhcp-option=6,192.168.1.53 # 告知客户端使用本机 DNS</span> </span></span></code></pre></div><h3 id="63-管理命令">6.3 管理命令</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 语法检查</span> </span></span><span class="line"><span class="cl">dnsmasq --test </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 重启服务</span> </span></span><span class="line"><span class="cl">systemctl restart dnsmasq </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 清除缓存(发送 SIGHUP)</span> </span></span><span class="line"><span class="cl"><span class="nb">kill</span> -HUP <span class="k">$(</span>pidof dnsmasq<span class="k">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 查看日志</span> </span></span><span class="line"><span class="cl">tail -f /var/log/dnsmasq.log </span></span></code></pre></div><hr> <h2 id="7-windows-server-dns-配置">7. Windows Server DNS 配置</h2> <h3 id="71-安装-dns-服务器角色">7.1 安装 DNS 服务器角色</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-powershell" data-lang="powershell"><span class="line"><span class="cl"><span class="c"># 安装 DNS 服务器角色(PowerShell,管理员)</span> </span></span><span class="line"><span class="cl"><span class="nb">Install-WindowsFeature</span> <span class="n">-Name</span> <span class="n">DNS</span> <span class="n">-IncludeManagementTools</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c"># 验证安装</span> </span></span><span class="line"><span class="cl"><span class="nb">Get-WindowsFeature</span> <span class="n">DNS</span> </span></span></code></pre></div><h3 id="72-创建正向查找区域">7.2 创建正向查找区域</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-powershell" data-lang="powershell"><span class="line"><span class="cl"><span class="c"># 创建主要正向查找区域</span> </span></span><span class="line"><span class="cl"><span class="nb">Add-DnsServerPrimaryZone</span> <span class="p">`</span> </span></span><span class="line"><span class="cl"> <span class="n">-Name</span> <span class="s2">&#34;example.com&#34;</span> <span class="p">`</span> </span></span><span class="line"><span class="cl"> <span class="n">-ZoneFile</span> <span class="s2">&#34;example.com.dns&#34;</span> <span class="p">`</span> </span></span><span class="line"><span class="cl"> <span class="n">-DynamicUpdate</span> <span class="n">None</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c"># 添加 A 记录</span> </span></span><span class="line"><span class="cl"><span class="nb">Add-DnsServerResourceRecordA</span> <span class="p">`</span> </span></span><span class="line"><span class="cl"> <span class="n">-ZoneName</span> <span class="s2">&#34;example.com&#34;</span> <span class="p">`</span> </span></span><span class="line"><span class="cl"> <span class="n">-Name</span> <span class="s2">&#34;www&#34;</span> <span class="p">`</span> </span></span><span class="line"><span class="cl"> <span class="n">-IPv4Address</span> <span class="s2">&#34;1.2.3.4&#34;</span> <span class="p">`</span> </span></span><span class="line"><span class="cl"> <span class="n">-TimeToLive</span> <span class="s2">&#34;01:00:00&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c"># 添加 CNAME 记录</span> </span></span><span class="line"><span class="cl"><span class="nb">Add-DnsServerResourceRecordCName</span> <span class="p">`</span> </span></span><span class="line"><span class="cl"> <span class="n">-ZoneName</span> <span class="s2">&#34;example.com&#34;</span> <span class="p">`</span> </span></span><span class="line"><span class="cl"> <span class="n">-Name</span> <span class="s2">&#34;blog&#34;</span> <span class="p">`</span> </span></span><span class="line"><span class="cl"> <span class="n">-HostNameAlias</span> <span class="s2">&#34;www.example.com&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c"># 添加 MX 记录</span> </span></span><span class="line"><span class="cl"><span class="nb">Add-DnsServerResourceRecordMX</span> <span class="p">`</span> </span></span><span class="line"><span class="cl"> <span class="n">-ZoneName</span> <span class="s2">&#34;example.com&#34;</span> <span class="p">`</span> </span></span><span class="line"><span class="cl"> <span class="n">-Name</span> <span class="s2">&#34;@&#34;</span> <span class="p">`</span> </span></span><span class="line"><span class="cl"> <span class="n">-MailExchange</span> <span class="s2">&#34;mail.example.com&#34;</span> <span class="p">`</span> </span></span><span class="line"><span class="cl"> <span class="n">-Preference</span> <span class="mf">10</span> </span></span></code></pre></div><h3 id="73-配置-dns-转发">7.3 配置 DNS 转发</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-powershell" data-lang="powershell"><span class="line"><span class="cl"><span class="c"># 设置全局转发器</span> </span></span><span class="line"><span class="cl"><span class="nb">Set-DnsServerForwarder</span> <span class="p">`</span> </span></span><span class="line"><span class="cl"> <span class="n">-IPAddress</span> <span class="s2">&#34;1.1.1.1&#34;</span><span class="p">,</span><span class="s2">&#34;8.8.8.8&#34;</span> <span class="p">`</span> </span></span><span class="line"><span class="cl"> <span class="n">-UseRootHint</span> <span class="vm">$false</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c"># 查看当前转发器</span> </span></span><span class="line"><span class="cl"><span class="nb">Get-DnsServerForwarder</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c"># 添加条件转发(内部域)</span> </span></span><span class="line"><span class="cl"><span class="nb">Add-DnsServerConditionalForwarderZone</span> <span class="p">`</span> </span></span><span class="line"><span class="cl"> <span class="n">-Name</span> <span class="s2">&#34;internal.corp.com&#34;</span> <span class="p">`</span> </span></span><span class="line"><span class="cl"> <span class="n">-MasterServers</span> <span class="s2">&#34;192.168.1.200&#34;</span><span class="p">,</span><span class="s2">&#34;192.168.1.201&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c"># 查看所有条件转发</span> </span></span><span class="line"><span class="cl"><span class="nb">Get-DnsServerZone</span> <span class="p">|</span> <span class="nb">Where-Object</span> <span class="p">{</span> <span class="nv">$_</span><span class="p">.</span><span class="py">ZoneType</span> <span class="o">-eq</span> <span class="s2">&#34;Forwarder&#34;</span> <span class="p">}</span> </span></span></code></pre></div><h3 id="74-配置区域传送主从">7.4 配置区域传送(主从)</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-powershell" data-lang="powershell"><span class="line"><span class="cl"><span class="c"># 在主服务器上允许区域传送给从服务器</span> </span></span><span class="line"><span class="cl"><span class="nb">Set-DnsServerPrimaryZone</span> <span class="p">`</span> </span></span><span class="line"><span class="cl"> <span class="n">-Name</span> <span class="s2">&#34;example.com&#34;</span> <span class="p">`</span> </span></span><span class="line"><span class="cl"> <span class="n">-SecureSecondaries</span> <span class="s2">&#34;TransferToSecureServers&#34;</span> <span class="p">`</span> </span></span><span class="line"><span class="cl"> <span class="n">-SecondaryServers</span> <span class="s2">&#34;192.168.1.54&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c"># 在从服务器创建辅助区域</span> </span></span><span class="line"><span class="cl"><span class="nb">Add-DnsServerSecondaryZone</span> <span class="p">`</span> </span></span><span class="line"><span class="cl"> <span class="n">-Name</span> <span class="s2">&#34;example.com&#34;</span> <span class="p">`</span> </span></span><span class="line"><span class="cl"> <span class="n">-ZoneFile</span> <span class="s2">&#34;example.com.dns&#34;</span> <span class="p">`</span> </span></span><span class="line"><span class="cl"> <span class="n">-MasterServers</span> <span class="s2">&#34;192.168.1.53&#34;</span> </span></span></code></pre></div><hr> <h2 id="8-dns-转发策略详解">8. DNS 转发策略详解</h2> <h3 id="81-转发类型对比">8.1 转发类型对比</h3> <table> <thead> <tr> <th>类型</th> <th>配置方式</th> <th>适用场景</th> <th>优点</th> <th>缺点</th> </tr> </thead> <tbody> <tr> <td><strong>全局转发</strong></td> <td><code>forwarders { ... }; forward only;</code></td> <td>中小企业简单出口</td> <td>配置简单</td> <td>缺乏灵活性</td> </tr> <tr> <td><strong>条件转发</strong></td> <td><code>zone &quot;x.com&quot; { type forward; }</code></td> <td>多域名分流</td> <td>精细控制</td> <td>需逐域名配置</td> </tr> <tr> <td><strong>分视图转发</strong></td> <td><code>view + match-clients</code></td> <td>内外网 Split-DNS</td> <td>同一 IP 双结果</td> <td>配置复杂</td> </tr> <tr> <td><strong>策略转发(RPZ)</strong></td> <td><code>response-policy zone</code></td> <td>安全过滤</td> <td>可屏蔽恶意域名</td> <td>需维护黑名单</td> </tr> </tbody> </table> <h3 id="82-国内常用公共上游-dns">8.2 国内常用公共上游 DNS</h3> <table> <thead> <tr> <th>服务商</th> <th>IP</th> <th>DoT / DoH</th> <th>说明</th> </tr> </thead> <tbody> <tr> <td>DNSPod(腾讯)</td> <td><code>119.29.29.29</code> <code>119.28.28.28</code></td> <td>✅</td> <td>国内速度最快之一</td> </tr> <tr> <td>阿里 DNS</td> <td><code>223.5.5.5</code> <code>223.6.6.6</code></td> <td>✅</td> <td>稳定可靠</td> </tr> <tr> <td>114DNS</td> <td><code>114.114.114.114</code> <code>114.114.115.115</code></td> <td>❌</td> <td>纯净版可屏蔽广告</td> </tr> <tr> <td>Cloudflare</td> <td><code>1.1.1.1</code> <code>1.0.0.1</code></td> <td>✅ <code>#cloudflare-dns.com</code></td> <td>全球最快,隐私保护</td> </tr> <tr> <td>Google</td> <td><code>8.8.8.8</code> <code>8.8.4.4</code></td> <td>✅ <code>#dns.google</code></td> <td>全球权威</td> </tr> <tr> <td>Quad9</td> <td><code>9.9.9.9</code></td> <td>✅</td> <td>安全过滤,屏蔽恶意域名</td> </tr> </tbody> </table> <h3 id="83-转发链路优化建议">8.3 转发链路优化建议</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">优先级建议(企业环境): </span></span><span class="line"><span class="cl">1. 内部 DNS 缓存(命中率 &gt; 60% 时优先) </span></span><span class="line"><span class="cl">2. 条件转发(内网域走内网服务器) </span></span><span class="line"><span class="cl">3. 国内公共 DNS(114 / DNSPod / 阿里) </span></span><span class="line"><span class="cl">4. 国际 DNS 作为备用(Cloudflare DoT) </span></span></code></pre></div><hr> <h2 id="9-dns-安全加固dnssec--dot--doh">9. DNS 安全加固(DNSSEC &amp; DoT &amp; DoH)</h2> <h3 id="91-dnssec-配置bind-9">9.1 DNSSEC 配置(BIND 9)</h3> <p>DNSSEC 为 DNS 应答添加数字签名,防止域名劫持。</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 生成 ZSK(区域签名密钥)</span> </span></span><span class="line"><span class="cl">dnssec-keygen -a ECDSAP256SHA256 -n ZONE example.com </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 生成 KSK(密钥签名密钥)</span> </span></span><span class="line"><span class="cl">dnssec-keygen -a ECDSAP256SHA256 -f KSK -n ZONE example.com </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 在区域文件末尾引入密钥</span> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s1">&#39;$INCLUDE Kexample.com.+013+XXXXX.key&#39;</span> &gt;&gt; /var/named/zones/db.example.com </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s1">&#39;$INCLUDE Kexample.com.+013+YYYYY.key&#39;</span> &gt;&gt; /var/named/zones/db.example.com </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 对区域文件签名</span> </span></span><span class="line"><span class="cl">dnssec-signzone -A -3 <span class="k">$(</span>head -c <span class="m">1000</span> /dev/urandom <span class="p">|</span> sha1sum <span class="p">|</span> cut -b 1-16<span class="k">)</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -N increment -o example.com -t <span class="se">\ </span></span></span><span class="line"><span class="cl"> /var/named/zones/db.example.com </span></span></code></pre></div><p><strong><code>named.conf</code> 开启 DNSSEC 验证:</strong></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-nginx" data-lang="nginx"><span class="line"><span class="cl"><span class="k">options</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">dnssec-validation</span> <span class="s">auto</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span>; </span></span></code></pre></div><h3 id="92-dns-over-tlsdot-unbound">9.2 DNS over TLS(DoT)— Unbound</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># /etc/unbound/unbound.conf 补充</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">server</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">tls-service-key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/etc/ssl/private/dns.key&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">tls-service-pem</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/etc/ssl/certs/dns.crt&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">tls-port</span><span class="p">:</span><span class="w"> </span><span class="m">853</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">interface</span><span class="p">:</span><span class="w"> </span><span class="m">0.0.0.0</span>@<span class="m">853</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">forward-zone</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">forward-addr</span><span class="p">:</span><span class="w"> </span><span class="m">1.1.1.1</span>@<span class="m">853</span><span class="c">#cloudflare-dns.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">forward-addr</span><span class="p">:</span><span class="w"> </span><span class="m">8.8.8.8</span>@<span class="m">853</span><span class="c">#dns.google</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">forward-tls-upstream</span><span class="p">:</span><span class="w"> </span><span class="kc">yes</span><span class="w"> </span></span></span></code></pre></div><h3 id="93-dns-over-httpsdoh-nginx-反代">9.3 DNS over HTTPS(DoH)— nginx 反代</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-nginx" data-lang="nginx"><span class="line"><span class="cl"><span class="c1"># nginx.conf 片段 </span></span></span><span class="line"><span class="cl"><span class="k">server</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">listen</span> <span class="mi">443</span> <span class="s">ssl</span> <span class="s">http2</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">server_name</span> <span class="s">dns.example.com</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kn">ssl_certificate</span> <span class="s">/etc/ssl/certs/dns.crt</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">ssl_certificate_key</span> <span class="s">/etc/ssl/private/dns.key</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kn">location</span> <span class="s">/dns-query</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_pass</span> <span class="s">http://127.0.0.1:8053</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_http_version</span> <span class="mi">1</span><span class="s">.1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_set_header</span> <span class="s">Host</span> <span class="nv">$host</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">add_header</span> <span class="s">Content-Type</span> <span class="s">&#34;application/dns-message&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><h3 id="94-安全加固清单">9.4 安全加固清单</h3> <table> <thead> <tr> <th>加固项</th> <th>BIND 9 配置</th> <th>说明</th> </tr> </thead> <tbody> <tr> <td>隐藏版本</td> <td><code>version &quot;unknown&quot;;</code></td> <td>防止版本探测</td> </tr> <tr> <td>禁止外网递归</td> <td><code>allow-recursion { internal; };</code></td> <td>防止开放解析器滥用</td> </tr> <tr> <td>限制区域传送</td> <td><code>allow-transfer { slave-ip; };</code></td> <td>防止区域数据泄露</td> </tr> <tr> <td>限制动态更新</td> <td><code>allow-update { none; };</code></td> <td>防止未授权写入</td> </tr> <tr> <td>速率限制(RRL)</td> <td><code>rate-limit { responses-per-second 10; };</code></td> <td>防 DNS 放大攻击</td> </tr> <tr> <td>禁用 CHAOS 查询</td> <td><code>deny-answer-aliases { any; };</code></td> <td>防信息探测</td> </tr> </tbody> </table> <hr> <h2 id="10-高可用与负载均衡">10. 高可用与负载均衡</h2> <h3 id="101-主从-dns-高可用">10.1 主从 DNS 高可用</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"> ┌─────────────────┐ </span></span><span class="line"><span class="cl">客户端 ─────┬──▶│ 主 DNS (Master) │ </span></span><span class="line"><span class="cl"> │ │ 192.168.1.53 │ </span></span><span class="line"><span class="cl"> │ └────────┬────────┘ </span></span><span class="line"><span class="cl"> │ │ 区域传送 </span></span><span class="line"><span class="cl"> │ ┌────────▼────────┐ </span></span><span class="line"><span class="cl"> └──▶│ 从 DNS (Slave) │ </span></span><span class="line"><span class="cl"> │ 192.168.1.54 │ </span></span><span class="line"><span class="cl"> └─────────────────┘ </span></span></code></pre></div><p>客户端同时配置两个 DNS 服务器,主不可达时自动切换从。</p> <h3 id="102-keepalived-vip-漂移">10.2 Keepalived VIP 漂移</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># /etc/keepalived/keepalived.conf(主节点)</span> </span></span><span class="line"><span class="cl">vrrp_script chk_dns <span class="o">{</span> </span></span><span class="line"><span class="cl"> script <span class="s2">&#34;dig @127.0.0.1 example.com +time=2 +tries=1 &gt; /dev/null 2&gt;&amp;1&#34;</span> </span></span><span class="line"><span class="cl"> interval <span class="m">5</span> </span></span><span class="line"><span class="cl"> fall <span class="m">2</span> </span></span><span class="line"><span class="cl"> rise <span class="m">2</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">vrrp_instance DNS_VIP <span class="o">{</span> </span></span><span class="line"><span class="cl"> state MASTER </span></span><span class="line"><span class="cl"> interface eth0 </span></span><span class="line"><span class="cl"> virtual_router_id <span class="m">61</span> </span></span><span class="line"><span class="cl"> priority <span class="m">200</span> </span></span><span class="line"><span class="cl"> advert_int <span class="m">1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> authentication <span class="o">{</span> </span></span><span class="line"><span class="cl"> auth_type PASS </span></span><span class="line"><span class="cl"> auth_pass dns_vip_pass </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> virtual_ipaddress <span class="o">{</span> </span></span><span class="line"><span class="cl"> 192.168.1.50/24 dev eth0 <span class="c1"># 虚拟 IP(客户端使用此地址)</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> track_script <span class="o">{</span> </span></span><span class="line"><span class="cl"> chk_dns </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span></code></pre></div><h3 id="103-多播-dns-round-robin">10.3 多播 DNS Round-Robin</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">; 同一域名绑定多个 IP 实现简单负载均衡 </span></span><span class="line"><span class="cl">www 60 IN A 1.2.3.4 </span></span><span class="line"><span class="cl">www 60 IN A 1.2.3.5 </span></span><span class="line"><span class="cl">www 60 IN A 1.2.3.6 </span></span></code></pre></div> <blockquote class="border-l-4 border-neutral-300 dark:border-neutral-600 pl-4 italic text-neutral-600 dark:text-neutral-400 my-6"> <p><strong>注意</strong>:DNS Round-Robin 无健康检查,生产环境推荐配合 F5 / HAProxy / 阿里云 SLB 使用。</p> </blockquote> <hr> <h2 id="11-性能调优">11. 性能调优</h2> <h3 id="111-bind-9-性能参数">11.1 BIND 9 性能参数</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-nginx" data-lang="nginx"><span class="line"><span class="cl"><span class="k">options</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">//</span> <span class="s">并发查询线程(建议</span> <span class="p">=</span> <span class="s">CPU</span> <span class="s">核心数)</span> </span></span><span class="line"><span class="cl"> <span class="s">//</span> <span class="s">BIND</span> <span class="mi">9</span><span class="s">.16+</span> <span class="s">自动调整,通常无需手动设置</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="s">//</span> <span class="s">缓存</span> </span></span><span class="line"><span class="cl"> <span class="s">max-cache-size</span> <span class="mi">512m</span><span class="p">;</span> <span class="kn">//</span> <span class="s">缓存总大小</span> </span></span><span class="line"><span class="cl"> <span class="s">max-cache-ttl</span> <span class="mi">86400</span><span class="p">;</span> <span class="kn">//</span> <span class="s">正解最大缓存时间</span> </span></span><span class="line"><span class="cl"> <span class="s">max-ncache-ttl</span> <span class="mi">3600</span><span class="p">;</span> <span class="kn">//</span> <span class="s">负解(NXDOMAIN)最大缓存时间</span> </span></span><span class="line"><span class="cl"> <span class="s">min-cache-ttl</span> <span class="mi">60</span><span class="p">;</span> <span class="kn">//</span> <span class="s">强制最小</span> <span class="s">TTL</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="s">//</span> <span class="s">连接</span> </span></span><span class="line"><span class="cl"> <span class="s">tcp-clients</span> <span class="mi">1000</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">recursive-clients</span> <span class="mi">5000</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">clients-per-query</span> <span class="mi">100</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">max-clients-per-query</span> <span class="mi">500</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kn">//</span> <span class="s">预取(即将过期的热点记录提前刷新)</span> </span></span><span class="line"><span class="cl"> <span class="s">prefetch</span> <span class="mi">10</span> <span class="mi">60</span><span class="p">;</span> <span class="kn">//</span> <span class="s">剩余</span> <span class="s">TTL</span> <span class="s">&lt;</span> <span class="s">10s</span> <span class="s">且访问超</span> <span class="s">60次/s</span> <span class="s">时预取</span> </span></span><span class="line"><span class="cl"><span class="err">}</span><span class="p">;</span> </span></span></code></pre></div><h3 id="112-系统层面优化">11.2 系统层面优化</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># /etc/sysctl.conf 追加</span> </span></span><span class="line"><span class="cl">net.core.rmem_max <span class="o">=</span> <span class="m">16777216</span> </span></span><span class="line"><span class="cl">net.core.wmem_max <span class="o">=</span> <span class="m">16777216</span> </span></span><span class="line"><span class="cl">net.core.rmem_default <span class="o">=</span> <span class="m">1048576</span> </span></span><span class="line"><span class="cl">net.core.wmem_default <span class="o">=</span> <span class="m">1048576</span> </span></span><span class="line"><span class="cl">net.core.netdev_max_backlog <span class="o">=</span> <span class="m">65536</span> </span></span><span class="line"><span class="cl">net.ipv4.udp_rmem_min <span class="o">=</span> <span class="m">8192</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">sysctl -p </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 文件描述符限制</span> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;named soft nofile 65536&#34;</span> &gt;&gt; /etc/security/limits.conf </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;named hard nofile 65536&#34;</span> &gt;&gt; /etc/security/limits.conf </span></span></code></pre></div><h3 id="113-ttl-设置建议">11.3 TTL 设置建议</h3> <table> <thead> <tr> <th>记录类型</th> <th>建议 TTL</th> <th>说明</th> </tr> </thead> <tbody> <tr> <td>基础设施(NS/SOA)</td> <td>86400(24h)</td> <td>变动极少</td> </tr> <tr> <td>邮件服务(MX)</td> <td>3600(1h)</td> <td>较稳定</td> </tr> <tr> <td>Web 服务(A/AAAA)</td> <td>300~3600</td> <td>按变更频率定</td> </tr> <tr> <td>CDN / 负载均衡</td> <td>60~300</td> <td>可能频繁漂移</td> </tr> <tr> <td>灰度发布期间</td> <td>30~60</td> <td>便于快速回滚</td> </tr> </tbody> </table> <hr> <h2 id="12-监控与日志">12. 监控与日志</h2> <h3 id="121-bind-9-统计监控http-接口">12.1 BIND 9 统计监控(HTTP 接口)</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-nginx" data-lang="nginx"><span class="line"><span class="cl"><span class="k">//</span> <span class="s">named.conf</span> <span class="s">开启统计通道</span> </span></span><span class="line"><span class="cl"><span class="s">statistics-channels</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">inet</span> <span class="n">127.0.0.1</span> <span class="s">port</span> <span class="mi">8080</span> <span class="s">allow</span> <span class="p">{</span> <span class="kn">127.0.0.1</span><span class="p">;</span> <span class="p">}</span>; </span></span><span class="line"><span class="cl"><span class="p">}</span>; </span></span></code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 获取 XML 格式统计数据</span> </span></span><span class="line"><span class="cl">curl http://127.0.0.1:8080/xml/v3/server </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 使用 rndc 命令行统计</span> </span></span><span class="line"><span class="cl">rndc stats </span></span><span class="line"><span class="cl">cat /var/named/data/named_stats.txt </span></span></code></pre></div><h3 id="122-关键监控指标">12.2 关键监控指标</h3> <table> <thead> <tr> <th>指标</th> <th>说明</th> <th>告警阈值</th> </tr> </thead> <tbody> <tr> <td>Query Rate (QPS)</td> <td>每秒查询数</td> <td>突增 &gt; 500% 告警</td> </tr> <tr> <td>Cache Hit Rate</td> <td>缓存命中率</td> <td>&lt; 60% 告警</td> </tr> <tr> <td>Recursive Clients</td> <td>当前递归查询数</td> <td>&gt; <code>recursive-clients</code> 的 80%</td> </tr> <tr> <td>SERVFAIL Rate</td> <td>解析失败率</td> <td>&gt; 1% 告警</td> </tr> <tr> <td>Zone Transfer Failures</td> <td>区域传送失败次数</td> <td>&gt; 0 告警</td> </tr> </tbody> </table> <h3 id="123-prometheus--grafana-集成">12.3 Prometheus + Grafana 集成</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 安装 bind_exporter</span> </span></span><span class="line"><span class="cl">wget https://github.com/prometheus-community/bind_exporter/releases/latest/download/bind_exporter-linux-amd64 </span></span><span class="line"><span class="cl">chmod +x bind_exporter-linux-amd64 </span></span><span class="line"><span class="cl">./bind_exporter-linux-amd64 --bind.stats-url<span class="o">=</span><span class="s2">&#34;http://127.0.0.1:8080/&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># prometheus.yml 抓取配置</span> </span></span><span class="line"><span class="cl"><span class="c1"># - job_name: &#39;bind9&#39;</span> </span></span><span class="line"><span class="cl"><span class="c1"># static_configs:</span> </span></span><span class="line"><span class="cl"><span class="c1"># - targets: [&#39;localhost:9119&#39;]</span> </span></span></code></pre></div><h3 id="124-日志分析常用命令">12.4 日志分析常用命令</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 查看查询最多的域名 Top 20</span> </span></span><span class="line"><span class="cl">grep <span class="s2">&#34;query:&#34;</span> /var/log/named/query.log <span class="se">\ </span></span></span><span class="line"><span class="cl"> <span class="p">|</span> awk <span class="s1">&#39;{print $6}&#39;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> <span class="p">|</span> sort <span class="p">|</span> uniq -c <span class="p">|</span> sort -rn <span class="p">|</span> head -20 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 查看 NXDOMAIN 记录(可能的恶意域名探测)</span> </span></span><span class="line"><span class="cl">grep <span class="s2">&#34;NXDOMAIN&#34;</span> /var/log/named/query.log <span class="p">|</span> awk <span class="s1">&#39;{print $6}&#39;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> <span class="p">|</span> sort <span class="p">|</span> uniq -c <span class="p">|</span> sort -rn <span class="p">|</span> head -20 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 查看来源 IP Top 10</span> </span></span><span class="line"><span class="cl">grep <span class="s2">&#34;query:&#34;</span> /var/log/named/query.log <span class="se">\ </span></span></span><span class="line"><span class="cl"> <span class="p">|</span> awk <span class="s1">&#39;{print $5}&#39;</span> <span class="p">|</span> cut -d<span class="s1">&#39;#&#39;</span> -f1 <span class="se">\ </span></span></span><span class="line"><span class="cl"> <span class="p">|</span> sort <span class="p">|</span> uniq -c <span class="p">|</span> sort -rn <span class="p">|</span> head -10 </span></span></code></pre></div><hr> <h2 id="13-故障排查">13. 故障排查</h2> <h3 id="131-常用诊断工具">13.1 常用诊断工具</h3> <table> <thead> <tr> <th>工具</th> <th>用途</th> <th>典型命令</th> </tr> </thead> <tbody> <tr> <td><code>dig</code></td> <td>最强 DNS 查询工具</td> <td><code>dig @dns-ip domain A +trace</code></td> </tr> <tr> <td><code>nslookup</code></td> <td>交互式查询</td> <td><code>nslookup domain dns-ip</code></td> </tr> <tr> <td><code>host</code></td> <td>简洁查询</td> <td><code>host domain dns-ip</code></td> </tr> <tr> <td><code>rndc</code></td> <td>BIND 管理</td> <td><code>rndc status</code> / <code>rndc flush</code></td> </tr> <tr> <td><code>tcpdump</code></td> <td>抓包分析</td> <td><code>tcpdump -i eth0 port 53</code></td> </tr> <tr> <td><code>dnstracer</code></td> <td>追踪完整解析链</td> <td><code>dnstracer -s . domain</code></td> </tr> </tbody> </table> <h3 id="132-常见问题排查">13.2 常见问题排查</h3> <p><strong>❶ 域名解析失败(SERVFAIL)</strong></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 1. 检查 named 是否运行</span> </span></span><span class="line"><span class="cl">systemctl status named </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 2. 检查配置语法</span> </span></span><span class="line"><span class="cl">named-checkconf <span class="o">&amp;&amp;</span> named-checkzone example.com /var/named/zones/db.example.com </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 3. 测试上游转发</span> </span></span><span class="line"><span class="cl">dig @1.1.1.1 example.com </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 4. 检查防火墙</span> </span></span><span class="line"><span class="cl">firewall-cmd --list-all <span class="p">|</span> grep <span class="m">53</span> </span></span><span class="line"><span class="cl">iptables -L -n <span class="p">|</span> grep <span class="m">53</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 5. 查看错误日志</span> </span></span><span class="line"><span class="cl">journalctl -u named -p err --since <span class="s2">&#34;1 hour ago&#34;</span> </span></span></code></pre></div><p><strong>❷ 区域传送失败</strong></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 在从服务器手动触发传送并查看详情</span> </span></span><span class="line"><span class="cl">dig @192.168.1.53 example.com AXFR </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 检查主服务器 allow-transfer 配置</span> </span></span><span class="line"><span class="cl">grep -A3 <span class="s2">&#34;allow-transfer&#34;</span> /etc/named/named.conf.local </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 查看 named 安全日志</span> </span></span><span class="line"><span class="cl">grep <span class="s2">&#34;transfer&#34;</span> /var/log/named/named.log </span></span></code></pre></div><p><strong>❸ 缓存投毒/返回错误结果</strong></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 立即清除全部缓存</span> </span></span><span class="line"><span class="cl">rndc flush </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 清除指定域名缓存</span> </span></span><span class="line"><span class="cl">rndc flushname example.com </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Unbound 清除缓存</span> </span></span><span class="line"><span class="cl">unbound-control flush example.com </span></span><span class="line"><span class="cl">unbound-control flush_zone example.com </span></span></code></pre></div><p><strong>❹ DNS 解析延迟高</strong></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 测量解析时间</span> </span></span><span class="line"><span class="cl">dig @192.168.1.53 www.example.com <span class="p">|</span> grep <span class="s2">&#34;Query time&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 检查缓存命中率</span> </span></span><span class="line"><span class="cl">rndc stats <span class="o">&amp;&amp;</span> grep <span class="s2">&#34;cache hits\|cache misses&#34;</span> /var/named/data/named_stats.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 检查上游 DNS 响应时间</span> </span></span><span class="line"><span class="cl"><span class="k">for</span> dns in 114.114.114.114 1.1.1.1 8.8.8.8<span class="p">;</span> <span class="k">do</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> -n <span class="s2">&#34;</span><span class="nv">$dns</span><span class="s2">: &#34;</span> </span></span><span class="line"><span class="cl"> dig @<span class="nv">$dns</span> baidu.com +stats 2&gt;<span class="p">&amp;</span><span class="m">1</span> <span class="p">|</span> grep <span class="s2">&#34;Query time&#34;</span> </span></span><span class="line"><span class="cl"><span class="k">done</span> </span></span></code></pre></div><h3 id="133-故障排查流程图">13.3 故障排查流程图</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">客户端无法解析域名 </span></span><span class="line"><span class="cl"> │ </span></span><span class="line"><span class="cl"> ▼ </span></span><span class="line"><span class="cl"> 本机 DNS 设置是否正确? </span></span><span class="line"><span class="cl"> cat /etc/resolv.conf </span></span><span class="line"><span class="cl"> │ 正确 </span></span><span class="line"><span class="cl"> ▼ </span></span><span class="line"><span class="cl"> ping DNS 服务器 IP 是否通? </span></span><span class="line"><span class="cl"> │ 通 </span></span><span class="line"><span class="cl"> ▼ </span></span><span class="line"><span class="cl"> dig @DNS-IP domain 是否有应答? </span></span><span class="line"><span class="cl"> │ </span></span><span class="line"><span class="cl"> ┌────┴────────────────────────┐ </span></span><span class="line"><span class="cl">NXDOMAIN SERVFAIL/超时 </span></span><span class="line"><span class="cl"> │ │ </span></span><span class="line"><span class="cl">域名记录不存在 DNS 服务故障 </span></span><span class="line"><span class="cl">检查区域文件 检查 named 状态 </span></span><span class="line"><span class="cl"> 检查转发配置 </span></span><span class="line"><span class="cl"> 检查防火墙规则 </span></span></code></pre></div><hr> <h2 id="14-典型企业部署方案">14. 典型企业部署方案</h2> <h3 id="方案一中小企业-500-人">方案一:中小企业(&lt; 500 人)</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">架构:单台 BIND 9(转发模式) + dnsmasq 备用 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">┌────────────────────────────────┐ </span></span><span class="line"><span class="cl">│ 内网 DNS 服务器 │ </span></span><span class="line"><span class="cl">│ 192.168.1.53 │ </span></span><span class="line"><span class="cl">│ ● BIND 9(转发模式) │ </span></span><span class="line"><span class="cl">│ - 内部域 → 本地解析 │ </span></span><span class="line"><span class="cl">│ - 外部域 → 114 / DNSPod │ </span></span><span class="line"><span class="cl">│ ● dnsmasq(备用,端口 5353) │ </span></span><span class="line"><span class="cl">└────────────────────────────────┘ </span></span></code></pre></div><p><strong>关键配置要点:</strong></p> <ul> <li><code>forward first</code> 模式,上游用 114 + 阿里 DNS</li> <li>内网域名(<code>corp.local</code>)配置本地 A 记录</li> <li>客户端 DNS 填 <code>192.168.1.53</code>,备用填 <code>114.114.114.114</code></li> </ul> <hr> <h3 id="方案二大中型企业5005000-人">方案二:大中型企业(500~5000 人)</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">架构:Unbound 递归 + BIND 9 内部权威 + 主从高可用 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> 外网 </span></span><span class="line"><span class="cl"> │ </span></span><span class="line"><span class="cl"> ┌────▼──────────────────────────┐ </span></span><span class="line"><span class="cl"> │ Unbound 递归解析器(主/从) │ </span></span><span class="line"><span class="cl"> │ VIP: 192.168.1.50 │ </span></span><span class="line"><span class="cl"> │ 主: 192.168.1.51 │ </span></span><span class="line"><span class="cl"> │ 从: 192.168.1.52 │ </span></span><span class="line"><span class="cl"> │ ● 外部域 → DoT 加密转发 │ </span></span><span class="line"><span class="cl"> │ ● 内部域 → 条件转发至权威 │ </span></span><span class="line"><span class="cl"> └────────────────┬──────────────┘ </span></span><span class="line"><span class="cl"> │ </span></span><span class="line"><span class="cl"> ┌────────────────▼──────────────┐ </span></span><span class="line"><span class="cl"> │ BIND 9 内部权威 DNS │ </span></span><span class="line"><span class="cl"> │ 主: 192.168.1.53 │ </span></span><span class="line"><span class="cl"> │ 从: 192.168.1.54 │ </span></span><span class="line"><span class="cl"> │ ● 管理 corp.local 等内网域 │ </span></span><span class="line"><span class="cl"> └───────────────────────────────┘ </span></span></code></pre></div><p><strong>关键配置要点:</strong></p> <ul> <li>Unbound + Keepalived VIP 确保高可用</li> <li>外网 DNS 走 DoT(<code>853/tcp</code>)加密</li> <li>BIND 9 内部权威与 AD 域集成</li> <li>启用 RPZ 黑名单过滤恶意域名</li> </ul> <hr> <h3 id="方案三隔离网络air-gapped">方案三:隔离网络(Air-Gapped)</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">架构:BIND 9 纯本地权威,无外网转发 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> ┌─────────────────────────────────┐ </span></span><span class="line"><span class="cl"> │ 全内网 BIND 9 DNS │ </span></span><span class="line"><span class="cl"> │ 主: 10.0.0.53 │ </span></span><span class="line"><span class="cl"> │ 从: 10.0.0.54 │ </span></span><span class="line"><span class="cl"> │ │ </span></span><span class="line"><span class="cl"> │ ● 管理所有内网域名 │ </span></span><span class="line"><span class="cl"> │ ● 无转发(forward none) │ </span></span><span class="line"><span class="cl"> │ ● 根区域指向内网镜像根服务器 │ </span></span><span class="line"><span class="cl"> └─────────────────────────────────┘ </span></span></code></pre></div><p><strong>关键配置:</strong></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-nginx" data-lang="nginx"><span class="line"><span class="cl"><span class="k">options</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">//</span> <span class="s">禁止所有外部转发</span> </span></span><span class="line"><span class="cl"> <span class="s">forward</span> <span class="s">none</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">recursion</span> <span class="s">yes</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">allow-query</span> <span class="p">{</span> <span class="kn">10.0.0.0/8</span><span class="p">;</span> <span class="p">}</span>; </span></span><span class="line"><span class="cl"> <span class="kn">allow-recursion</span> <span class="p">{</span> <span class="kn">10.0.0.0/8</span><span class="p">;</span> <span class="p">}</span>; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kn">//</span> <span class="s">使用内网镜像根服务器</span> </span></span><span class="line"><span class="cl"> <span class="s">root-delegation-only</span> <span class="s">exclude</span> <span class="p">{</span> <span class="kn">&#34;LOCAL&#34;</span><span class="p">;</span> <span class="p">}</span>; </span></span><span class="line"><span class="cl"><span class="p">}</span>; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">//</span> <span class="s">自定义根区域(指向内网镜像)</span> </span></span><span class="line"><span class="cl"><span class="s">zone</span> <span class="s">&#34;.&#34;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">type</span> <span class="s">hint</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">file</span> <span class="s">&#34;/var/named/internal-root.hints&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span>; </span></span></code></pre></div><hr> <h2 id="附录">附录</h2> <h3 id="a-bind-9-常用-rndc-命令速查">A. BIND 9 常用 rndc 命令速查</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">rndc status <span class="c1"># 查看服务状态</span> </span></span><span class="line"><span class="cl">rndc reload <span class="c1"># 重载全部配置和区域</span> </span></span><span class="line"><span class="cl">rndc reload zone <span class="c1"># 仅重载指定区域</span> </span></span><span class="line"><span class="cl">rndc flush <span class="c1"># 清除全部缓存</span> </span></span><span class="line"><span class="cl">rndc flushname name <span class="c1"># 清除指定域名缓存</span> </span></span><span class="line"><span class="cl">rndc stats <span class="c1"># 输出统计信息</span> </span></span><span class="line"><span class="cl">rndc dumpdb -cache <span class="c1"># 导出缓存数据库</span> </span></span><span class="line"><span class="cl">rndc retransfer zone <span class="c1"># 立即重新传送指定区域</span> </span></span><span class="line"><span class="cl">rndc freeze zone <span class="c1"># 冻结动态更新(维护用)</span> </span></span><span class="line"><span class="cl">rndc thaw zone <span class="c1"># 解冻动态更新</span> </span></span></code></pre></div><h3 id="b-dig-常用查询速查">B. dig 常用查询速查</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 基础查询</span> </span></span><span class="line"><span class="cl">dig example.com <span class="c1"># 默认 A 记录</span> </span></span><span class="line"><span class="cl">dig example.com MX <span class="c1"># MX 记录</span> </span></span><span class="line"><span class="cl">dig example.com ANY <span class="c1"># 所有记录</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 指定 DNS 服务器</span> </span></span><span class="line"><span class="cl">dig @192.168.1.53 example.com A </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 追踪完整解析链</span> </span></span><span class="line"><span class="cl">dig +trace example.com </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 简洁输出</span> </span></span><span class="line"><span class="cl">dig +short example.com A </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 反向查询</span> </span></span><span class="line"><span class="cl">dig -x 1.2.3.4 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># DNSSEC 验证</span> </span></span><span class="line"><span class="cl">dig +dnssec example.com A </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 批量查询(从文件)</span> </span></span><span class="line"><span class="cl">dig -f domains.txt +short </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 查看 TCP 模式(调试)</span> </span></span><span class="line"><span class="cl">dig +tcp @dns-ip example.com </span></span></code></pre></div><h3 id="c-参考标准与文档">C. 参考标准与文档</h3> <table> <thead> <tr> <th>文档</th> <th>说明</th> </tr> </thead> <tbody> <tr> <td>RFC 1034 / RFC 1035</td> <td>DNS 核心规范(域名概念与实现)</td> </tr> <tr> <td>RFC 2136</td> <td>DNS 动态更新(DDNS)</td> </tr> <tr> <td>RFC 2181</td> <td>DNS 规范澄清</td> </tr> <tr> <td>RFC 3596</td> <td>DNS 的 IPv6 扩展(AAAA)</td> </tr> <tr> <td>RFC 4033~4035</td> <td>DNSSEC 规范</td> </tr> <tr> <td>RFC 5625</td> <td>DNS 代理实现建议</td> </tr> <tr> <td>RFC 7766</td> <td>DNS over TCP 要求</td> </tr> <tr> <td>RFC 7858</td> <td>DNS over TLS(DoT)</td> </tr> <tr> <td>RFC 8484</td> <td>DNS over HTTPS(DoH)</td> </tr> <tr> <td> </td> <td>BIND 9 官方管理员参考手册</td> </tr> <tr> <td> </td> <td>Unbound 官方文档</td> </tr> </tbody> </table> <hr> <blockquote class="border-l-4 border-neutral-300 dark:border-neutral-600 pl-4 italic text-neutral-600 dark:text-neutral-400 my-6"> <p><strong>文档维护说明</strong><br> 本文档基于 BIND 9.18 LTS、Unbound 1.17、dnsmasq 2.89 编写,适用于 Linux(RHEL 8+ / Ubuntu 22.04+)及 Windows Server 2019/2022 环境。<br> 如环境版本有差异,请参阅对应版本官方文档进行核对。</p> </blockquote> <hr>