
3. Master/slave DNS and related DNS configuration

#### 3. Master/slave DNS and DNS encryption ####
1. Configuring master/slave DNS
1) Set up two DNS servers.
2) On the slave DNS server, configure as follows:
vim /etc/named.rfc1912.zones
---------------------------------------
zone "westos.com" IN {
        type slave;
        masters { 172.25.254.100; };
        file "slaves/westos.com.zone";
        allow-update { none; };
};
---------------------------------------

The master DNS server is configured as follows:
---------------------------------------
zone "westos.com" IN {
        type master;
        file "westos.com.zone";
        allow-update { none; };
        allow-transfer { 172.25.254.200; }; ## which hosts may pull (transfer) the zone from the master
        also-notify { 172.25.254.200; };    ## additionally notify this host whenever the zone changes
};
---------------------------------------
Test:
dig www.westos.com

2. Modifying the zone on the master and refreshing the slave
Edit the zone file on the master DNS server:
cd /var/named/
ls
vim westos.com.zone
----------------------------------------------------------
$ORIGIN .
$TTL 86400      ; 1 day
westos.com              IN SOA  dns.westos.com. root.westos.com. (
                                2016113004 ; serial
                                86400      ; refresh (1 day)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                10800      ; minimum (3 hours)
                                )
                        NS      dns.westos.com.
$ORIGIN westos.com.
dns                     A       172.25.254.100
www                     A       172.25.254.110
---------------------------------------------------------------
On the slave DNS server, remove the cached copy of the zone and restart named so that it transfers the zone again:
cd slaves/
ls
rm -fr westos.com.zone
systemctl restart named
dig www.westos.com
systemctl stop firewalld

3. Updating the master DNS from the slave with nsupdate
Configure the master DNS as follows:
vim /etc/named.rfc1912.zones
-----------------------------------------------------------------
zone "westos.com" IN {
        type master;
        file "westos.com.zone";
        allow-update { 172.25.254.221; };    ## which hosts may send dynamic updates to the master
        allow-transfer { 172.25.254.221; };
        also-notify { 172.25.254.221; };
};
-----------------------------------------------------------------
getenforce
setenforce 0         ## put SELinux on the master DNS into permissive mode
systemctl restart named
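The `allow-update` and `allow-transfer` ACLs in the zone statements of sections 1 and 3 decide who may change or copy the zone, and an address-only `allow-update` (as in section 3) trusts nothing but the packet's source address. The following is an added example, not code from the post: a small Python audit that parses zone statements in the `named.rfc1912.zones` style used above and flags address-based update ACLs, transfers open to `any`, and master zones with no `allow-transfer` at all. The sample input is constructed from the post's own zone statements plus the key-based `allow-update { key westos; };` form the post reaches in section 4; the `allow-transfer { any; };` line is a constructed weak setting added for contrast.

```python
import re

# Constructed sample input: the zone statements from sections 1 and 3 of the
# post, and the key-based form from section 4, pasted together as one file.
# The "##" annotations are stripped before parsing, like the post's own notes.
SAMPLE_CONF = '''
zone "westos.com" IN {
        type master;
        file "westos.com.zone";
        allow-update { none; };
        allow-transfer { 172.25.254.200; }; ## section 1
        also-notify { 172.25.254.200; };
};
zone "westos.com" IN {
        type master;
        file "westos.com.zone";
        allow-update { 172.25.254.221; };   ## section 3: updates gated by source address only
        allow-transfer { any; };            ## constructed weak setting, not from the post
};
zone "westos.com" IN {
        type master;
        file "westos.com.zone";
        allow-update { key westos; };       ## section 4: updates must carry the TSIG key
};
'''

ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s+IN\s*\{(.*?)\n\s*\};', re.DOTALL)
OPTION_RE = re.compile(r'([\w-]+)\s+(\{[^}]*\}|[^;{]+?)\s*;')


def parse_acl(value):
    """'{ 172.25.254.200; key westos; }' -> ['172.25.254.200', 'key westos']."""
    inner = value.strip().strip('{}')
    return [item.strip() for item in inner.split(';') if item.strip()]


def parse_zones(text):
    """Return [(zone name, {option: value or ACL list}), ...] per zone statement."""
    zones = []
    for match in ZONE_RE.finditer(text):
        name, body = match.group(1), re.sub(r'##.*', '', match.group(2))
        opts = {}
        for opt in OPTION_RE.finditer(body):
            key, value = opt.group(1), opt.group(2).strip()
            opts[key] = parse_acl(value) if value.startswith('{') else value.strip('"')
        zones.append((name, opts))
    return zones


def audit_zone(name, opts):
    """Return finding codes for a master zone's update and transfer ACLs."""
    findings = []
    if opts.get('type') != 'master':
        return findings                               # slaves never accept updates
    updaters = opts.get('allow-update', ['none'])     # BIND default when unset: none
    if any(u != 'none' and not u.startswith('key ') for u in updaters):
        # An address-only ACL trusts the source address of a UDP packet, which can be
        # spoofed; a TSIG key is the only thing that proves who sent the update.
        findings.append('update-by-ip')
    transfers = opts.get('allow-transfer')
    if transfers is None:
        # Many BIND 9 releases allow transfers from any host when this is unset,
        # so a master zone should always state it explicitly.
        findings.append('transfer-unset')
    elif 'any' in transfers:
        findings.append('transfer-any')
    return findings


def audit(text):
    """Audit every zone statement in text; returns [(zone name, findings), ...]."""
    return [(name, audit_zone(name, opts)) for name, opts in parse_zones(text)]


if __name__ == '__main__':
    for index, (name, findings) in enumerate(audit(SAMPLE_CONF), start=1):
        print(f'zone #{index} {name}: {findings or "ok"}')
```

Run against the sample, the section 1 zone is clean, the section 3 zone is flagged for its address-based `allow-update` (and the constructed `any` transfer), and the section 4 zone is flagged only because it never sets `allow-transfer`; adding `allow-transfer { 172.25.254.221; };` to it clears that finding.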

On the slave server:
nsupdate
> server
could not read server name
> server 172.25.254.121
> update delete www.westos.com
> send
update failed: SERVFAIL
> server 172.25.254.121
> update delete www.westos.com
> send
> server 172.25.254.121
> update add www.westos.com 86400 A 172.25.254.110
> send

If you see:
> server 172.25.254.121
> update delete www.westos.com
> send
update failed: SERVFAIL
then SELinux has not been disabled on the master DNS.

4. Master DNS encryption (TSIG-keyed updates)
On the master DNS:
cd /mnt/
dnssec-keygen -a HMAC-MD5 -b 128 -n HOST westos
ls
cat Kwestos.+157+46777.key
-------------------------------------------------
westos. IN KEY 512 3 157 aukf9ImtS6taM/cNKXLWMg==
-------------------------------------------------

cat Kwestos.+157+46777.private
-------------------------------------
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: aukf9ImtS6taM/cNKXLWMg==
Bits: AAA=
Created: 20161130084047
Publish: 20161130084047
Activate: 20161130084047
--------------------------------------

cp -p /etc/rndc.key /etc/westos.key
vim /etc/westos.key
---------------------------------------------
key "westos" {
        algorithm hmac-md5;
        secret "aukf9ImtS6taM/cNKXLWMg==";   ## the secret is the key generated above
};
---------------------------------------------

vim /etc/named.conf
include "/etc/westos.key";  ## add this line

vim /etc/named.rfc1912.zones
zone "westos.com" IN {
        type master;
        file "westos.com.zone";
        allow-update { key westos; };
};

systemctl restart named
cd /mnt/
scp Kwestos.+157+46777.* root@172.25.254.221:/mnt/  ## copy the key files to the slave

On the slave DNS:
cd /mnt/
ls
nsupdate -k Kwestos.+157+46777.private
> server 172.25.254.121
> update delete www.westos.com
> send
> quit
## the update (delete) succeeded
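What `nsupdate -k Kwestos.+157+46777.private` does with that file is compute an HMAC over the UPDATE message with the shared secret and append it as a TSIG record, which is why the master can now accept the update on the strength of the key rather than the sender's address. The block below is an added Python example, not code from the post or from BIND: it reads the secret from a constructed copy of the `.key` line shown above, builds the wire form of `update add www.westos.com 86400 A 172.25.254.110`, signs it with HMAC-MD5 as RFC 2845 describes, and verifies it the way a server would. The timestamp and message ID are fixed, constructed values so the result is reproducible; HMAC-MD5 is used only because that is what the post generated, and a current deployment would pick `hmac-sha256` (`tsig-keygen` in BIND 9 defaults to it).

```python
import base64
import hashlib
import hmac
import struct

# Constructed copy of the Kwestos.+157+46777.key line shown above (the post's
# sample secret, not a real deployment key). 157 is the HMAC-MD5 algorithm number.
KEY_FILE = "westos. IN KEY 512 3 157 aukf9ImtS6taM/cNKXLWMg==\n"
HMAC_MD5_ALG = "hmac-md5.sig-alg.reg.int."   # algorithm name carried in the TSIG RR


def parse_key_file(text):
    """Return (key name, raw secret bytes) from a dnssec-keygen .key line."""
    fields = text.split()
    return fields[0], base64.b64decode(fields[-1])


def wire_name(name):
    """Encode 'www.westos.com.' as DNS labels; TSIG hashes names in lower case."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_update(zone, owner, ipv4, ttl=86400, msg_id=0x1234):
    """Minimal DNS UPDATE (RFC 2136): one zone entry plus one 'add A record' RR."""
    header = struct.pack("!HHHHHH", msg_id, 0x2800, 1, 0, 1, 0)  # opcode 5 = UPDATE
    zone_section = wire_name(zone) + struct.pack("!HH", 6, 1)    # type SOA, class IN
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    update_rr = wire_name(owner) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + zone_section + update_rr


def tsig_mac(secret, msg, key_name, time_signed, fudge=300):
    """HMAC over the message followed by the TSIG variables (RFC 2845 section 3.4.2)."""
    variables = (wire_name(key_name) + struct.pack("!HI", 255, 0)   # class ANY, TTL 0
                 + wire_name(HMAC_MD5_ALG)
                 + time_signed.to_bytes(6, "big")                   # 48-bit timestamp
                 + struct.pack("!HHH", fudge, 0, 0))                # fudge, error, other len
    return hmac.new(secret, msg + variables, hashlib.md5).digest()


def sign_update(secret, key_name, msg, time_signed, fudge=300):
    """Client side: append a TSIG RR (type 250, class ANY) and increment ARCOUNT."""
    mac = tsig_mac(secret, msg, key_name, time_signed, fudge)
    original_id = struct.unpack("!H", msg[:2])[0]
    rdata = (wire_name(HMAC_MD5_ALG) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", original_id, 0, 0))
    tsig_rr = wire_name(key_name) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + tsig_rr


def verify_update(secret, key_name, signed):
    """Server side: split off the trailing TSIG RR, recompute the MAC over the
    message as it looked before signing, and compare in constant time.
    (A real server also rejects time_signed outside its clock +/- fudge.)"""
    name_wire, alg_len = wire_name(key_name), len(wire_name(HMAC_MD5_ALG))
    tsig_len = len(name_wire) + 10 + alg_len + 32       # fixed size for a 16-byte MAC
    if len(signed) <= tsig_len:
        return False
    msg, tsig = signed[:-tsig_len], signed[-tsig_len:]
    if tsig[:len(name_wire)] != name_wire:
        return False                                    # signed under another key name
    rdata = tsig[len(name_wire) + 10:]
    time_signed = int.from_bytes(rdata[alg_len:alg_len + 6], "big")
    fudge, mac_size = struct.unpack("!HH", rdata[alg_len + 6:alg_len + 10])
    if mac_size != 16:
        return False
    mac = rdata[alg_len + 10:alg_len + 26]
    arcount = struct.unpack("!H", msg[10:12])[0] - 1   # undo the ARCOUNT bump
    original = msg[:10] + struct.pack("!H", arcount) + msg[12:]
    return hmac.compare_digest(mac, tsig_mac(secret, original, key_name, time_signed, fudge))


if __name__ == "__main__":
    name, secret = parse_key_file(KEY_FILE)
    msg = build_update("westos.com.", "www.westos.com.", "172.25.254.110")
    signed = sign_update(secret, name, msg, time_signed=1480495247)  # constructed timestamp
    print("verify:", verify_update(secret, name, signed))
```

Flipping a single byte of the record data, or verifying with a different secret, makes the MAC mismatch and the update is refused (BIND answers such requests with `BADSIG`), which is the property the `allow-update { key westos; }` statement relies on.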

5. Automatic keyed dynamic DNS updates from DHCP
yum install dhcp
cp /usr/share/doc/dhcp-4.2.5/dhcpd.conf.example /etc/dhcp/dhcpd.conf
vim /etc/dhcp/dhcpd.conf
-----------------------------------------------------------
# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#

# option definitions common to all supported networks...
option domain-name "westos.com";
option domain-name-servers 172.25.254.100;

default-lease-time 600;
max-lease-time 7200;

# Use this to enable / disable dynamic dns updates globally.
# "none" (the sample file's default) disables them; "interim" is required for dhcpd to send updates.
ddns-update-style interim;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.


# This is a very basic subnet declaration.

subnet 172.25.254.0 netmask 255.255.255.0 {
  range 172.25.254.204 172.25.254.234;
  option routers 172.25.254.100;
}
key westos {
        algorithm hmac-md5;
        secret 84f932vU/s198FosSEdmg==;    ## TSIG secret; must match the key statement named was given
};
zone westos.com. {
        primary 127.0.0.1;
        key westos;
}
---------------------------------------------------------------

This article is from the "12100661" blog; please do not repost.
