|
來源:http://blog.51cto.com/yichenyang/1911098 一、bind簡介
Linux中通常使用bind來實(shí)現(xiàn)DNS服務(wù)器的架設(shè)���,bind軟件由isc(https://www./downloads/bind/)維護(hù)。在yum倉庫中可以找到軟件���,配置好yum源���,直接使用命令yum
install
bind就可以安裝。當(dāng)前bind的穩(wěn)定版本為bind9�����,bind的服務(wù)名稱為named�,監(jiān)聽的端口為53號端口����。bind的主要配置文件為/etc/named.conf,此文件主要用于配置區(qū)域�����,并指定區(qū)域數(shù)據(jù)庫文件名稱�。區(qū)域數(shù)據(jù)庫文件通常保存于/var/named/目錄下,用于定義區(qū)域的資源類型�。 二、使用bind架設(shè)DNS服務(wù)器 1.實(shí)例操作:以域名example.com為例配置一個(gè)DNS服務(wù)器�����,實(shí)現(xiàn)正向解析與反向解析。 1 2 3 4 5 6 7 8 9 10 11 | Master DNS(FQDN:dns1.example.com/IP: 192.168.100.199)
Slave DNS(FQDN:dns2.example.com/IP: 192.168.100.198)
OS:CentOS Linux release 7.3.1611 (Core)
Kernel:3.10.0-514.10.2.el7.x86_64
Bind:
bind-license-9.9.4-38.el7_3.2.noarch
bind-9.9.4-38.el7_3.2.x86_64
binutils-2.25.1-22.base.el7.x86_64
bind-libs-lite-9.9.4-38.el7_3.2.x86_64
bind-libs-9.9.4-38.el7_3.2.x86_64
bind-utils-9.9.4-38.el7_3.2.x86_64
|
這里就不再贅述如何使用VM(VirtualBox/VMware/etc)��,如何配置網(wǎng)絡(luò)IP等�。 bind直接用YUM安裝(yum install epel-release; yum install bind)
2、主DNS服務(wù)器bind配置文件為/etc/named.conf�����,此文件用于定義區(qū)域�。每個(gè)區(qū)域的數(shù)據(jù)文件保存在/var/named目錄下。 named.conf各參數(shù)項(xiàng)說明: 1 2 3 4 5 6 7 8 9 | options {
//全局選項(xiàng)
}
zone "ZONE name"{
//定義區(qū)域
}
logging{
//定義日志系統(tǒng)
}
|
named.conf文件內(nèi)容如下: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 | options {
listen-on port 53 { 127.0.0.1; }; #定義監(jiān)聽端口及IP地址
listen-on-v6 port 53 { ::1; }; #定義監(jiān)聽的IPv6地址
directory "/var/named"; #全局目錄
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; };#允許查詢的IP地址
recursion yes; #是否允許遞歸查詢
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
|
注意:bind的配置文件/etc/named.conf里必須要定義的三個(gè)區(qū)域是:根�、127.0.0.1和127.0.0.1的反解�。 以上options選項(xiàng)中有許多是我們用不到,我們先把它們注釋掉����。結(jié)果如下: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 | [root@dns1 ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
//listen-on port 53 { 127.0.0.1; };
//listen-on port 53 { any; };
//listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
//allow-query { 192.168.0.0/16; };
//forward first;
//forwarders{
//202.106.196.115;
//219.141.136.10;
//114.114.114.114;
//};
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
//dnssec-enable yes;
//dnssec-validation yes;
//dnssec-enable no;
//dnssec-validation no;
//dnssec-lookaside no;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
[root@dns1 ~]# hostname
dns1.example.com
|
3、打開/etc/named.rfc1912.zones文件��,添加一個(gè)區(qū)域�����。 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 | [root@dns1 ~]# cat /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
//###############################
//自定義example.com正向解的區(qū)域
//###############################
zone "example.com" IN {
type master;
file "example.com.zone";
allow-transfer{ 127.0.0.1;192.168.100.199;192.168.100.198; };
};
//#############################
//自定義反向解析
//#############################
zone "100.168.192.in-addr.arpa" IN {
type master;
file "100.168.192.in-addr-arpa";
allow-transfer{ 127.0.0.1;192.168.100.199;192.168.100.198; };
};
[root@dns1 ~]#
|
說明:
type: 用于定義區(qū)域類型�,此時(shí)只有一個(gè)DNS服務(wù)器,所以為master,type可選值為:hint(根的)|master(主的)|slave(輔助的)|forward(轉(zhuǎn)發(fā)) file:用于定義區(qū)域數(shù)據(jù)文件路徑��,默認(rèn)該文件保存在/var/named/目錄����。 區(qū)域添加好后,使用命令:named-checkconf 或 service named configtest測試配置文件語法格式��。
1 | [root@dns1 ~]# named-checkconf
|
沒有提示則表示文件語法正常�。
4���、新建數(shù)據(jù)庫文件/var/named/example.com.zone����,并添加資源記錄�。 說明: 資源記錄的格式:
name [ttl] IN RRtype Value
資源記錄名 有效時(shí)間 IN 類型 資源記錄的值
SOA: 只能有一個(gè),而且必須是第一個(gè)
name: 只能是區(qū)域名稱����,通常可以簡寫為@
value: 主DNS服務(wù)器的FQDN
NS: 可以有多條
name: 區(qū)域名稱�,通常可以簡寫為@
value: DNS服務(wù)器的FQDN(可以使用相對名稱)
A: 只能定義在正向區(qū)域文件中
name: FQDN(可以使用相對名稱)
value: IP
MX: 可以有多個(gè)
name: 區(qū)域名稱�����,用于標(biāo)識smtp服務(wù)器
value: 包含優(yōu)先級和FQDN
優(yōu)先級:0-99,數(shù)字越小����,級別越高;
CNAME:
name: FQDN
value: FQDN
PTR: IP --> FQDN, 只能定義在反向區(qū)域數(shù)據(jù)文件中�,反向區(qū)域名稱為逆向網(wǎng)絡(luò)地址加.in-addr.arpa.后綴組成
name: IP, 逆向的主機(jī)地址,主機(jī)地址反過來寫加上.in-addr.arpa.
value: FQDN
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 | [root@dns1 ~]# cat /var/named/example.com.zone
$TTL 300
;
@ IN SOA dns1.example.com admin.example.com(
2017032800 ; Serial
300 ; Refresh
1800 ; Retry
604800 ; Expire
300 ; TTL
)
;
IN NS dns1
IN NS dns2
dns1 IN A 192.168.100.199
dns2 IN A 192.168.100.198
;
;
agent IN A 192.168.100.102
puppet IN A 192.168.100.101
[root@dns1 ~]#
|
說明: $TTL為定義的宏����,表示下面資源記錄ttl的值都為600秒。 @符號可代表區(qū)域文件/etc/named.conf里面定義的區(qū)域名稱�,即:"wubinary.com."。 每個(gè)區(qū)域的資源記錄第一條必須是SOA���,SOA后面接DNS服務(wù)器的域名和電子郵箱地址���,此處電子郵箱地址里的@因?yàn)橛刑厥庥猛荆源颂幰命c(diǎn)號代替��。SOA后面小括號里的各值所代表的意義如下所示: 1 2 3 4 5 6 | @ IN SOA dns.example.com admin.example.com (
2017032800 ;標(biāo)識序列號�����,十進(jìn)制數(shù)字,不能超過10位���,通常使用日期
2H ;刷新時(shí)間����,即每隔多久到主服務(wù)器檢查一次�����,此處為2小時(shí)
4M ;重試時(shí)間�����,應(yīng)該小于刷新時(shí)間�,此處為4分鐘
1D ;過期時(shí)間�,此處為1天
2D ;主服務(wù)器掛后,從服務(wù)器至多工作的時(shí)間�,此處為2天)
|
區(qū)域數(shù)據(jù)文件配置好后,可以使用命令named-checkzone檢查語法錯(cuò)誤����。 命令格式: 1 2 3 4 | [root@dns1 ~]# named-checkzone "example.com.zome" /var/named/example.com.zone
zone example.com.zome/IN: loaded serial 2017032800
OK
[root@dns1 ~]#
|
5���、兩個(gè)文件都配置好后��,記得查看一下文件的所屬組����。因?yàn)閎ind程序的服務(wù)名稱為named����,bind默認(rèn)是使用named組的身份操作文件,所以我們新建的文件所屬組都要改為named��,并且為了安全起見不能讓別人有修改的權(quán)限�,權(quán)限最好改為640。 1 2 3 4 5 6 7 8 9 10 11 12 | [root@dns1 ~]# ll /var/named/
total 24
-rw-r--r-- 1 root named 463 Mar 28 10:46 100.168.192.in-addr-arpa
drwxrwx---. 2 named named 23 Mar 27 13:28 data
drwxrwx---. 2 named named 60 Mar 28 13:28 dynamic
-rw-r--r-- 1 root named 403 Mar 28 10:45 example.com.zone
-rw-r-----. 1 root named 2076 Jan 28 2013 named.ca
-rw-r-----. 1 root named 152 Dec 15 2009 named.empty
-rw-r-----. 1 root named 152 Jun 21 2007 named.localhost
-rw-r-----. 1 root named 168 Dec 15 2009 named.loopback
drwxrwx---. 2 named named 6 Feb 15 21:16 slaves
[root@dns1 ~]#
|
6�、設(shè)置妥當(dāng)當(dāng)后我們就可以開啟服務(wù)了。 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 | [root@dns1 ~]# systemctl restart named.service
[root@dns1 ~]# systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2017-03-28 13:33:15 CST; 10s ago
Process: 5001 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
Process: 5012 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS)
Process: 5010 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 5014 (named)
CGroup: /system.slice/named.service
└─5014 /usr/sbin/named -u named
Mar 28 13:33:15 dns1.example.com named[5014]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Mar 28 13:33:15 dns1.example.com named[5014]: zone localhost/IN: loaded serial 0
Mar 28 13:33:15 dns1.example.com named[5014]: zone 100.168.192.in-addr.arpa/IN: loaded serial 2017032800
Mar 28 13:33:15 dns1.example.com named[5014]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN...rial 0
Mar 28 13:33:15 dns1.example.com named[5014]: zone example.com/IN: loaded serial 2017032800
Mar 28 13:33:15 dns1.example.com named[5014]: zone localhost.localdomain/IN: loaded serial 0
Mar 28 13:33:15 dns1.example.com named[5014]: all zones loaded
Mar 28 13:33:15 dns1.example.com named[5014]: running
Mar 28 13:33:15 dns1.example.com named[5014]: zone 100.168.192.in-addr.arpa/IN: sending notifies (serial 2017032800)
Mar 28 13:33:15 dns1.example.com named[5014]: zone example.com/IN: sending notifies (serial 2017032800)
Hint: Some lines were ellipsized, use -l to show in full.
[root@dns1 ~]#
|
7���、使用dig命令測試DNS��。 命令格式: 1 | dig [-t type] [-x addr] [name] [@server]
|
-t: 指定資源類型��,用于正解 -x: 指定IP地址�,用于反解 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 | [root@dns1 ~]# dig -t A puppet.example.com @192.168.100.199
; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> -t A puppet.example.com @192.168.100.199
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17827
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;puppet.example.com. IN A
;; ANSWER SECTION:
puppet.example.com. 300 IN A 192.168.100.101
;; AUTHORITY SECTION:
example.com. 300 IN NS dns2.example.com.
example.com. 300 IN NS dns1.example.com.
;; ADDITIONAL SECTION:
dns1.example.com. 300 IN A 192.168.100.199
dns2.example.com. 300 IN A 192.168.100.198
;; Query time: 0 msec
;; SERVER: 192.168.100.199#53(192.168.100.199)
;; WHEN: Tue Mar 28 14:14:02 CST 2017
;; MSG SIZE rcvd: 133
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 | [root@dns1 ~]# dig -x 192.168.100.102 @192.168.100.199
; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> -x 192.168.100.102 @192.168.100.199
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58688
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;102.100.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
102.100.168.192.in-addr.arpa. 300 IN PTR agent.example.com.
;; AUTHORITY SECTION:
100.168.192.in-addr.arpa. 300 IN NS dns2.example.com.
100.168.192.in-addr.arpa. 300 IN NS dns1.example.com.
;; ADDITIONAL SECTION:
dns1.example.com. 300 IN A 192.168.100.199
dns2.example.com. 300 IN A 192.168.100.198
;; Query time: 0 msec
;; SERVER: 192.168.100.199#53(192.168.100.199)
;; WHEN: Tue Mar 28 14:15:31 CST 2017
;; MSG SIZE rcvd: 158
[root@dns1 ~]#
|
測試成功���! 注意:通常在應(yīng)用中��,DNS的反向解析并不是很重要����,可以不配置��,當(dāng)服務(wù)器中有域名作為郵件服務(wù)器時(shí)�,此時(shí)可以配置反向解析,因?yàn)猷]件中過濾垃圾郵件的技術(shù)通常是解析郵箱地址��,如果IP地址不能反解成一個(gè)域名則視為垃圾郵件���。
三���、使用bind架設(shè)輔助DNS服務(wù)器,實(shí)現(xiàn)主從數(shù)據(jù)同步
DNS從服務(wù)器也叫輔服DNS服務(wù)器��,如果網(wǎng)絡(luò)上某個(gè)節(jié)點(diǎn)只有一臺DNS服務(wù)器的話��,首先服務(wù)器的抗壓能力是有限的���,當(dāng)壓力達(dá)到一定的程度,服務(wù)器就會宕機(jī)罷工����,其次如果這臺服務(wù)器出現(xiàn)了硬件故障那么服務(wù)器管理的區(qū)域的域名將無法訪問����。為了解決這些問題�,最好的辦法就是使用多個(gè)DNS服務(wù)器同時(shí)工作,并實(shí)現(xiàn)數(shù)據(jù)的同步���,這樣兩臺服務(wù)器就都可以實(shí)現(xiàn)域名解析操作�。
主DNS服務(wù)器架設(shè)好后�����,輔助的DNS服務(wù)器的架設(shè)就相對簡單多了���。架設(shè)主從DNS服務(wù)器有兩個(gè)前提條件�����,一是兩臺主機(jī)可以不一定處在同一網(wǎng)段�����,但是兩臺主機(jī)之間必須要實(shí)現(xiàn)網(wǎng)絡(luò)通信�����;二��,輔助DNS服務(wù)器必須要有主DNS服務(wù)器的授權(quán)�,才可以正常操作。
1�、從DNS服務(wù)器bind配置文件為/etc/named.conf,此文件用于定義區(qū)域�����。每個(gè)區(qū)域的數(shù)據(jù)文件保存在/var/named目錄下����。 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 | [root@dns2 named]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
//listen-on port 53 { 127.0.0.1; };
//listen-on port 53 { any; };
//listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
//allow-query { 192.168.0.0/16; };
//forward first;
//forwarders{
//202.106.196.115;
//219.141.136.10;
//114.114.114.114;
//};
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
//dnssec-enable yes;
dnssec-validation yes;
//dnssec-enable no;
//dnssec-validation no;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
[root@dns2 named]#
|
2、打開輔助DNS服務(wù)器的/etc/named.rfc1912.zones文件���,添加兩個(gè)區(qū)域記錄�,這兩個(gè)記錄是主DNS服務(wù)器配置文件里已經(jīng)存在的記錄�����,一個(gè)是正向解析記錄�,一個(gè)是反向解析記錄。 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 | ////////////////////////////
//從服務(wù)器正解配置
////////////////////////////
zone "example.com." IN {
type slave;
masters { 192.168.100.199; };
file "slaves/example.com.zone";
allow-transfer { none;};
};
/////////////////////////
//從DNS服務(wù)器反解設(shè)置
/////////////////////////
zone"100.168.192.in-addr.arpa." IN {
type slave;
masters { 192.168.1.199; };
file"slaves/100.168.192.in-addr.zone";
allow-transfer{ none; }; //作為從服務(wù)器不應(yīng)該讓其他服務(wù)器zone傳送���。
};
|
說明:type:
slave�����,表示此時(shí)DNS服務(wù)器為輔助DNS服務(wù)器��,于是下面一行就要定義主DNS服務(wù)器的IP地址��,輔助DNS服務(wù)器才知道去哪里同步數(shù)據(jù)���。輔助DNS服務(wù)器的資源類型數(shù)據(jù)文件通常保存在slaves目錄,只需定義一個(gè)名稱�,文件內(nèi)容通常是自動生成。 配置好后��,直接開啟DNS服務(wù)����,然后再回到主DNS服務(wù)器上。 3�、修改主DNS服務(wù)器的數(shù)據(jù)文件,添加一條輔助DNS服務(wù)器記錄,給輔助DNS服務(wù)器授權(quán)��。 修改正向解析文件/var/named/example.com.zone�。 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 | [root@dns1 ~]# cat /var/named/example.com.zone
$TTL 300
;
@ IN SOA dns1.example.com admin.example.com(
2017032800 ; Serial
300 ; Refresh
1800 ; Retry
604800 ; Expire
300 ; TTL
)
;
IN NS dns1
IN NS dns2
dns1 IN A 192.168.100.199
dns2 IN A 192.168.100.198
;
;
agent IN A 192.168.100.102
puppet IN A 192.168.100.101
[root@dns1 ~]#
|
說明:添加了一條NS記錄,值為�,dns2.example.com.,對應(yīng)的A記錄也要增加一條����,把IP地址指向?qū)?yīng)的輔助DNS服務(wù)器的IP地址。修改完成后���,記得要把序列號的值加1���,用于通知輔助DNS服務(wù)器自動更新數(shù)據(jù)文件。
4�、重新加載主DNS服務(wù)器的配置文件,這時(shí)再到回輔助DNS服務(wù)器���,在/var/named/slaves/目錄下會多了兩個(gè)文件�。 1 2 3 4 | [root@dns2 named]# ll /var/named/slaves/
total 4
-rw-r--r-- 1 named named 392 Mar 28 14:34 example.com.zone
[root@dns2 named]#
|
5�����、測試輔助DNS服務(wù)器。 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 | [root@dns2 slaves]# dig -t A puppet.example.com @192.168.100.198
; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> -t A puppet.example.com @192.168.100.198
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53695
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;puppet.example.com. IN A
;; ANSWER SECTION:
puppet.example.com. 300 IN A 192.168.100.101
;; AUTHORITY SECTION:
example.com. 300 IN NS dns1.example.com.
example.com. 300 IN NS dns2.example.com.
;; ADDITIONAL SECTION:
dns1.example.com. 300 IN A 192.168.100.199
dns2.example.com. 300 IN A 192.168.100.198
;; Query time: 0 msec
;; SERVER: 192.168.100.198#53(192.168.100.198)
;; WHEN: Tue Mar 28 15:10:43 CST 2017
;; MSG SIZE rcvd: 133
[root@dns2 slaves]#
[root@dns2 slaves]#
[root@dns2 slaves]#
[root@dns2 slaves]# dig -x 192.168.100.102 @192.168.100.198
; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> -x 192.168.100.102 @192.168.100.198
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55340
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;102.100.168.192.in-addr.arpa. IN PTR
;; Query time: 0 msec
;; SERVER: 192.168.100.198#53(192.168.100.198)
;; WHEN: Tue Mar 28 15:10:50 CST 2017
;; MSG SIZE rcvd: 57
[root@dns2 slaves]#
|
四��、主從同步數(shù)據(jù)的安全性
DNS服務(wù)器的數(shù)據(jù)同步默認(rèn)是沒有限定主機(jī)的���,也就是說,網(wǎng)絡(luò)上只要有一臺DNS服務(wù)器向你的DNS服務(wù)器請求數(shù)據(jù)��,都能實(shí)現(xiàn)數(shù)據(jù)同步�,那么這樣就相當(dāng)?shù)牟话踩恕N覀兛梢允褂靡粋€(gè)選項(xiàng)allow-transfer�,指定可以同步數(shù)據(jù)的主機(jī)IP。主DNS服務(wù)器的數(shù)據(jù)可以給別的服務(wù)器同步����,相對的,輔助DNS服務(wù)器的數(shù)據(jù)也是可以給其它輔助DNS服務(wù)器同步�,于是,所有的主從DNS服務(wù)器都要設(shè)置該參數(shù)���。 1. 指定可以從主DNS服務(wù)器上同步數(shù)據(jù)的主機(jī)��。 修改/etc/named.rfc1912.zones文件: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 | [root@dns2 named]# cat /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
////////////////////////////
//從服務(wù)器正解配置
////////////////////////////
zone "example.com." IN {
type slave;
masters { 192.168.100.199; };
file "slaves/example.com.zone";
allow-transfer { none;};
};
/////////////////////////
//從DNS服務(wù)器反解設(shè)置
/////////////////////////
zone"100.168.192.in-addr.arpa." IN {
type slave;
masters { 192.168.1.199; };
file"slaves/100.168.192.in-addr.zone";
allow-transfer{ none; }; //作為從服務(wù)器不應(yīng)該讓其他服務(wù)器zone傳送�����。
};
[root@dns2 named]#
|
說明: 我們只有一臺輔助DNS服務(wù)器�����,所以根本不會有主機(jī)從這臺機(jī)器同步數(shù)據(jù)�����,所以我們設(shè)置成不允許任何人同步���。 在每塊區(qū)域上添加參數(shù)allow-transfer�,花括號內(nèi)填寫可以同步的主機(jī)IP�,一般填寫輔助DNS服務(wù)器的IP地址??梢允褂胐ig命令測試,區(qū)域同步: 1 | dig -t axfr ZONE_NAME @DNS_SERVCER_IP
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 | [root@dns2 named]# dig -t axfr example.com @192.168.100.199
; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> -t axfr example.com @192.168.100.199
;; global options: +cmd
example.com. 300 IN SOA dns1.example.com.example.com. admin.example.com.example.com. 2017032800 300 1800 604800 300
example.com. 300 IN NS dns1.example.com.
example.com. 300 IN NS dns2.example.com.
agent.example.com. 300 IN A 192.168.100.102
dns1.example.com. 300 IN A 192.168.100.199
dns2.example.com. 300 IN A 192.168.100.198
puppet.example.com. 300 IN A 192.168.100.101
example.com. 300 IN SOA dns1.example.com.example.com. admin.example.com.example.com. 2017032800 300 1800 604800 300
;; Query time: 1 msec
;; SERVER: 192.168.100.199#53(192.168.100.199)
;; WHEN: Tue Mar 28 14:31:02 CST 2017
;; XFR size: 8 records (messages 1, bytes 239)
[root@dns2 named]#
|
非指定IP不可以同步數(shù)據(jù)��。 1 2 | [root@dns2 slaves]# dig -t axfr example.com @192.168.100.102
;; Connection to 192.168.100.102#53(192.168.100.102) for example.com failed: host unreachable.
|
2.指定可以從輔助DNS服務(wù)器上同步數(shù)據(jù)的主機(jī)��。 修改/etc/named.rfc1912.zones文件: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 | ////////////////////////////
//從服務(wù)器正解配置
////////////////////////////
zone "example.com." IN {
type slave;
masters { 192.168.100.199; };
file "slaves/example.com.zone";
allow-transfer { none;};
};
/////////////////////////
//從DNS服務(wù)器反解設(shè)置
/////////////////////////
zone"100.168.192.in-addr.arpa." IN {
type slave;
masters { 192.168.1.199; };
file"slaves/100.168.192.in-addr.arpa.zone";
allow-transfer{ none; };
};
|
我們只有一臺輔助DNS服務(wù)器����,所以根本不會有主機(jī)從這臺機(jī)器同步數(shù)據(jù),所以我們設(shè)置成不允許任何人同步���。
五�、測試DNS解析的其它命令 測試DNS解析的命令不只是dig可以實(shí)現(xiàn),還有兩個(gè)命令也可以實(shí)現(xiàn)相同的效果���。 1�、host命令 host命令格式: 1 | # host [-t type] {name} [server]
|
2�����、nslookup命令 這個(gè)命令很神奇�,在windows的dos里面也可以使用: 1 2 3 4 | nslookup>
server DNS_SERVER_IP
set q=TYPE
{name}
|
Refer: http://www.cnblogs.com/fatt/p/4494695.html
|
