Bind
DNS Server Installation and Deployment
Topics covered:
I. Configure a caching DNS server
II. Configure a forward zone
III. Configure a reverse zone
IV. How to configure DNS master/slave
V. How to configure sub-domain delegation
VI. How to configure forwarding
VII. How to configure BIND views
Environment
1. Virtual machine OS: CentOS 6.7 64-bit
2. Virtual machine IP addresses: 10.22.22.1 (N01), 10.22.22.2 (N02), 10.22.22.11 (C01), 10.22.22.12 (C02)
3. Virtualization client: VMware Workstation 12 Pro 12.1.1 build-3770994
I. How to configure a caching DNS server
1. Install bind (Berkeley Internet Name Domain), an implementation of the DNS protocol
bind: the DNS server program itself
bind-libs: the library files that bind and bind-utils depend on
bind-utils: the client utilities for bind, such as dig, host and nslookup
bind-chroot: runs named in jail mode (a chroot jail, which can be understood as a more contained mode of operation)
[root@n01 ~]# ifconfig    # check the IP address
eth0      Link encap:Ethernet  HWaddr 00:0C:29:92:D9:2D
          inet addr:10.22.22.1  Bcast:10.22.22.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe92:d92d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:47 errors:0 dropped:0 overruns:0 frame:0
          TX packets:50 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5707 (5.5 KiB)  TX bytes:6158 (6.0 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

[root@n01 ~]# yum install -y bind bind-libs bind-utils    # install the bind packages
Loaded plugins: fastestmirror
Setting up Install Process
base                                                     | 3.7 kB     00:00
base/primary_db                                          | 4.7 MB     00:03
extras                                                   | 3.4 kB     00:00
extras/primary_db                                        |  37 kB     00:00
updates                                                  | 3.4 kB     00:00
updates/primary_db                                       | 3.1 MB     00:01
Resolving Dependencies
--> Running transaction check
---> Package bind.x86_64 32:9.8.2-0.47.rc1.el6_8.3 will be installed
--> Processing Dependency: portreserve for package: 32:bind-9.8.2-0.47.rc1.el6_8.3.x86_64
---> Package bind-libs.x86_64 32:9.8.2-0.47.rc1.el6_8.3 will be installed
---> Package bind-utils.x86_64 32:9.8.2-0.47.rc1.el6_8.3 will be installed
--> Running transaction check
---> Package portreserve.x86_64 0:0.0.4-11.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package          Arch       Version                          Repository   Size
================================================================================
Installing:
 bind             x86_64     32:9.8.2-0.47.rc1.el6_8.3        updates     4.0 M
 bind-libs        x86_64     32:9.8.2-0.47.rc1.el6_8.3        updates     890 k
 bind-utils       x86_64     32:9.8.2-0.47.rc1.el6_8.3        updates     187 k
Installing for dependencies:
 portreserve      x86_64     0.0.4-11.el6                     base         23 k

Transaction Summary
================================================================================
Install       4 Package(s)

Total download size: 5.1 M
Installed size: 10 M
Downloading Packages:
(1/4): bind-9.8.2-0.47.rc1.el6_8.3.x86_64.rpm            | 4.0 MB     00:02
(2/4): bind-libs-9.8.2-0.47.rc1.el6_8.3.x86_64.rpm       | 890 kB     00:00
(3/4): bind-utils-9.8.2-0.47.rc1.el6_8.3.x86_64.rpm      | 187 kB     00:00
(4/4): portreserve-0.0.4-11.el6.x86_64.rpm               |  23 kB     00:00
--------------------------------------------------------------------------------
Total                                           1.6 MB/s | 5.1 MB     00:03
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
Importing GPG key 0xC105B9DE:
 Userid : CentOS-6 Key (CentOS 6 Official Signing Key) <centos-6-key@centos.org>
 Package: centos-release-6-7.el6.centos.12.3.x86_64 (@anaconda-CentOS-201508042137.x86_64/6.7)
 From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : 32:bind-libs-9.8.2-0.47.rc1.el6_8.3.x86_64                  1/4
  Installing : portreserve-0.0.4-11.el6.x86_64                             2/4
  Installing : 32:bind-9.8.2-0.47.rc1.el6_8.3.x86_64                       3/4
  Installing : 32:bind-utils-9.8.2-0.47.rc1.el6_8.3.x86_64                 4/4
  Verifying  : 32:bind-utils-9.8.2-0.47.rc1.el6_8.3.x86_64                 1/4
  Verifying  : portreserve-0.0.4-11.el6.x86_64                             2/4
  Verifying  : 32:bind-libs-9.8.2-0.47.rc1.el6_8.3.x86_64                  3/4
  Verifying  : 32:bind-9.8.2-0.47.rc1.el6_8.3.x86_64                       4/4

Installed:
  bind.x86_64 32:9.8.2-0.47.rc1.el6_8.3        bind-libs.x86_64 32:9.8.2-0.47.rc1.el6_8.3
  bind-utils.x86_64 32:9.8.2-0.47.rc1.el6_8.3

Dependency Installed:
  portreserve.x86_64 0:0.0.4-11.el6

Complete!
2. Modify the main configuration file of bind
Main configuration file: /etc/named.conf
[root@n01 ~]# vim /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {                                   // global options section
        listen-on port 53 { 127.0.0.1; 10.22.22.1; };   // add the IP of this DNS server here, 10.22.22.1 (note the spaces inside the braces and the semicolon after each IP)
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };           // changed from "localhost" to "any"
        recursion yes;

        // while learning it is recommended to turn the dnssec parameters off
        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};                                          // note: every closing brace must be followed by ";"

logging {                                   // logging section
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {                               // zone section; zones are usually defined in named.rfc1912.zones instead
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";         // this file is dedicated to zone definitions
include "/etc/named.root.key";
3. Start the service and turn off the firewall on 10.22.22.1
The operating system here is CentOS 6.7 64-bit, so the service command is used to start, restart and stop services.
[root@n01 ~]# service named start
Generating /etc/rndc.key:                                  [  OK  ]
Starting named:                                            [  OK  ]
[root@n01 ~]# service iptables stop    # this is a learning/test setup, so the firewall is simply stopped for now
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
4. Check the service status
[root@n01 ~]# ss -tnl    # see line 2: port 53 is listening
State      Recv-Q Send-Q   Local Address:Port     Peer Address:Port
LISTEN     0      3                  ::1:53                  :::*
LISTEN     0      3           10.22.22.1:53                   *:*
LISTEN     0      3            127.0.0.1:53                   *:*
LISTEN     0      128                 :::22                   :::*
LISTEN     0      128                  *:22                    *:*
LISTEN     0      128                ::1:953                  :::*
LISTEN     0      128          127.0.0.1:953                   *:*
LISTEN     0      100                ::1:25                   :::*
LISTEN     0      100          127.0.0.1:25                    *:*
5. Point the client's DNS server address at 10.22.22.1
The DNS server address is configured in /etc/resolv.conf
[root@c01 ~]# vi /etc/resolv.conf
# Generated by NetworkManager
nameserver 10.22.22.1
6. Test with the dig command
The common DNS client tools are dig, nslookup (the only one available on Windows by default) and host.
[root@c01 ~]# dig -t A www.baidu.com    # normal resolution

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.3 <<>> -t A www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3545
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 5

;; QUESTION SECTION:                      # question section
;www.baidu.com.                 IN      A

;; ANSWER SECTION:                        # answer section
www.baidu.com.          1200    IN      CNAME   www.a.shifen.com.
www.a.shifen.com.       300     IN      A       61.135.169.121
www.a.shifen.com.       300     IN      A       61.135.169.125

;; AUTHORITY SECTION:                     # authority section: the name servers of the second-level domain
a.shifen.com.           1200    IN      NS      ns1.a.shifen.com.
a.shifen.com.           1200    IN      NS      ns4.a.shifen.com.
a.shifen.com.           1200    IN      NS      ns5.a.shifen.com.
a.shifen.com.           1200    IN      NS      ns2.a.shifen.com.
a.shifen.com.           1200    IN      NS      ns3.a.shifen.com.

;; ADDITIONAL SECTION:                    # IP addresses of those second-level name servers
ns3.a.shifen.com.       1200    IN      A       61.135.162.215
ns5.a.shifen.com.       1200    IN      A       119.75.222.17
ns2.a.shifen.com.       1200    IN      A       180.149.133.241
ns1.a.shifen.com.       1200    IN      A       61.135.165.224
ns4.a.shifen.com.       1200    IN      A       115.239.210.176

;; Query time: 891 msec
;; SERVER: 10.22.22.1#53(10.22.22.1)
;; WHEN: Tue Nov 15 21:16:18 2016
;; MSG SIZE  rcvd: 260

[root@c01 ~]# dig +trace -t A www.baidu.com    # trace the resolution path

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.3 <<>> +trace -t A www.baidu.com
;; global options: +cmd
# /var/named/named.ca holds the IP addresses of all the root servers
.                       3600000 IN      NS      D.ROOT-SERVERS.NET.
.                       3600000 IN      NS      H.ROOT-SERVERS.NET.
.                       3600000 IN      NS      K.ROOT-SERVERS.NET.
.                       3600000 IN      NS      M.ROOT-SERVERS.NET.
.                       3600000 IN      NS      B.ROOT-SERVERS.NET.
.                       3600000 IN      NS      F.ROOT-SERVERS.NET.
.                       3600000 IN      NS      J.ROOT-SERVERS.NET.
.                       3600000 IN      NS      A.ROOT-SERVERS.NET.
.                       3600000 IN      NS      E.ROOT-SERVERS.NET.
.                       3600000 IN      NS      L.ROOT-SERVERS.NET.
.                       3600000 IN      NS      G.ROOT-SERVERS.NET.
.                       3600000 IN      NS      I.ROOT-SERVERS.NET.
.                       3600000 IN      NS      C.ROOT-SERVERS.NET.
;; Received 228 bytes from 10.22.22.1#53(10.22.22.1) in 3420 ms

com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
;; Received 491 bytes from 192.58.128.30#53(192.58.128.30) in 2832 ms

baidu.com.              172800  IN      NS      dns.baidu.com.
baidu.com.              172800  IN      NS      ns2.baidu.com.
baidu.com.              172800  IN      NS      ns3.baidu.com.
baidu.com.              172800  IN      NS      ns4.baidu.com.
baidu.com.              172800  IN      NS      ns7.baidu.com.
;; Received 201 bytes from 192.35.51.30#53(192.35.51.30) in 989 ms

www.baidu.com.          1200    IN      CNAME   www.a.shifen.com.
a.shifen.com.           1200    IN      NS      ns5.a.shifen.com.
a.shifen.com.           1200    IN      NS      ns3.a.shifen.com.
a.shifen.com.           1200    IN      NS      ns4.a.shifen.com.
a.shifen.com.           1200    IN      NS      ns1.a.shifen.com.
a.shifen.com.           1200    IN      NS      ns2.a.shifen.com.
;; Received 228 bytes from 220.181.37.10#53(220.181.37.10) in 11 ms
At this point the caching DNS server is configured. Next we build a forward zone on top of it.
II. Configure a forward zone
1. Edit the zone configuration file
Zone configuration file: /etc/named.rfc1912.zones
[root@n01 ~]# vim /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
};

zone "tornado.com" IN {
        type master;
        file "tornado.com.zone";
        allow-query { 10.22.22.11; };
        allow-update { none; };
};

// The forward zone section explained. A forward zone handles forward resolution, i.e. FQDN --> IP
//zone "tornado.com" IN {
//      type master (primary) | slave (secondary) | hint (root hints) | forward (forwarding);
//      file "tornado.com.zone";                                 --> name of the zone data file
//      allow-query { any | localhost | localnets | none; };      --> which client addresses may query this zone
//      allow-transfer { any | localhost | localnets | none; };   --> which hosts may perform a zone transfer; if you run a slave, list only the slave
//      allow-recursion { any | localhost | localnets | none; };  --> which hosts may send recursive queries (this directive belongs in options or a view, not inside a zone statement)
//      allow-update { any | localhost | localnets | none; };     --> whether the zone data may be changed by dynamic update; recommended off in production
//};
// allow-*: access-control directives. They can be combined with an acl in the options section, or placed
// separately inside a zone section. The built-in names are any, none, localhost and localnets.
// allow-* can be used together with a named ACL:
//      acl mynet { 10.22.22.0/24; };   or   acl myhost { 10.22.22.11; };
//      allow-query { mynet; };         or   allow-query { myhost; };
2. Check the configuration file for syntax errors
[root@n01 named]# named-checkconf
3. Create the zone data file: tornado.com.zone
/var/named/ is the default directory for bind's zone data files. A zone data file mainly holds resource records (RR for short).
[root@n01 ~]# cd /var/named/
[root@n01 named]# touch tornado.com.zone
[root@n01 named]# chown :named tornado.com.zone
[root@n01 named]# chmod o= tornado.com.zone
[root@n01 named]# vim tornado.com.zone
$TTL 3600                       ; $TTL: cache time (TTL) of the resource records; records inherit it from here
$ORIGIN tornado.com.            ; $ORIGIN: the zone's domain name; it is appended to relative names and can be referenced as "@"
; resource record syntax:  name [TTL] IN RR_TYPE value        (value is a name or an IP address)
@       IN SOA  ns1 tornado (
        ; @: the name of the current zone (the value of $ORIGIN); $ORIGIN is also appended to ns1 and tornado here and to ns1, mx1 etc. below
        ; SOA: Start Of Authority; every zone file has exactly one SOA record and it must come before all other resource records
        ; ns1: the name of the zone's primary DNS server; the $ORIGIN suffix is appended automatically
        ; tornado: the zone administrator's mailbox (tornado@tornado.com, with "@" written as "."); the $ORIGIN suffix is appended automatically
        2017010801      ; serial (at most 10 digits). In a master/slave setup, every time the master's zone file (forward and reverse are independent) is changed, this serial must be bumped by hand
        1H              ; refresh: how often the slave contacts the master to check for updates
        10M             ; retry: how long to wait before trying again after a failed refresh
        3D              ; expire: how long the zone data stays valid on the slave when the master cannot be reached
        1D              ; negative answer TTL: how long a negative answer may be cached
        )
        IN NS   ns1     ; NS: name server record; ns1 is its value (an FQDN), the zone's DNS server. A zone with several DNS servers needs one NS record per server
        IN MX 10 mx1    ; MX: mail exchanger record; mx1 is its value (an FQDN), the zone's mail server. There can be several
                        ; 10: preference, range 0-99; the lower the number, the higher the priority
ns1     IN A    10.22.22.1      ; A record of host ns1, which is a DNS server
www     IN A    10.22.22.2      ; A record of host www
                                ; an A record names a real host; www.tornado.com is the address of a real server, usually the web server
wwww    IN CNAME www            ; CNAME record: an alias; wwww.tornado.com is defined here as an alias of www.tornado.com
bbs     IN A    10.22.22.3      ; A record of host bbs
mx1     IN A    10.22.22.4      ; A record of host mx1
4. Check the zone data file for syntax errors
[root@n01 named]# named-checkzone tornado.com. /var/named/tornado.com.zone
zone tornado.com/IN: loaded serial 2017010801
OK
5. Reload the service configuration and the zone data
Method 1
[root@n01 named]# service named restart
Stopping named:                                            [  OK  ]
Starting named:                                            [  OK  ]
Method 2
[root@n01 named]# rndc reload
server reload successful
6. Test from the clients with dig (10.22.22.11 and 10.22.22.12)
(1) From 10.22.22.11 the name resolves normally
[root@c01 ~]# dig -t A www.tornado.com    # basic syntax of dig: dig [-t RR_TYPE] name [@SERVER] [query options]

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.3 <<>> -t A www.tornado.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15473
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.tornado.com.               IN      A

;; ANSWER SECTION:
www.tornado.com.        3600    IN      A       10.22.22.2

;; AUTHORITY SECTION:
tornado.com.            3600    IN      NS      ns1.tornado.com.

;; ADDITIONAL SECTION:
ns1.tornado.com.        3600    IN      A       10.22.22.1

;; Query time: 0 msec
;; SERVER: 10.22.22.1#53(10.22.22.1)
;; WHEN: Sun Nov 20 17:48:44 2016
;; MSG SIZE  rcvd: 83

[root@c01 ~]# dig -t A wwww.tornado.com    # test the alias of www.tornado.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.3 <<>> -t A wwww.tornado.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38708
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;wwww.tornado.com.              IN      A

;; ANSWER SECTION:
wwww.tornado.com.       3600    IN      CNAME   www.tornado.com.
www.tornado.com.        3600    IN      A       10.22.22.2

;; AUTHORITY SECTION:
tornado.com.            3600    IN      NS      ns1.tornado.com.

;; ADDITIONAL SECTION:
ns1.tornado.com.        3600    IN      A       10.22.22.1

;; Query time: 1 msec
;; SERVER: 10.22.22.1#53(10.22.22.1)
;; WHEN: Sun Nov 20 18:21:45 2016
;; MSG SIZE  rcvd: 102

(2) From 10.22.22.12 the name does not resolve, which shows that the "allow-query" directive set on the tornado.com zone is in effect
[root@c02 ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:68:11:4B
          inet addr:10.22.22.12  Bcast:10.22.22.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe68:114b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:110 errors:0 dropped:0 overruns:0 frame:0
          TX packets:100 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:12387 (12.0 KiB)  TX bytes:12762 (12.4 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

[root@c02 ~]# dig -t A mx1.tornado.com @10.22.22.1

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.3 <<>> -t A mx1.tornado.com @10.22.22.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 21872
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mx1.tornado.com.               IN      A

;; Query time: 2 msec
;; SERVER: 10.22.22.1#53(10.22.22.1)
;; WHEN: Sun Nov 20 12:38:04 2016
;; MSG SIZE  rcvd: 33

[root@c02 ~]# dig -t A www.tornado.com @10.22.22.1

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.3 <<>> -t A www.tornado.com @10.22.22.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 45617
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.tornado.com.               IN      A

;; Query time: 0 msec
;; SERVER: 10.22.22.1#53(10.22.22.1)
;; WHEN: Sun Nov 20 12:40:04 2016
;; MSG SIZE  rcvd: 33
At this point a forward zone is configured. Next we configure a reverse zone.
III. Configure a reverse zone
1. Edit the zone configuration file
Zone configuration file: /etc/named.rfc1912.zones
[root@n01 named]# vim /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

// ... the stock localhost, loopback and 0.in-addr.arpa zones are unchanged from section II and omitted here ...

zone "tornado.com" IN {
        type master;
        file "tornado.com.zone";
        allow-update { none; };
        allow-query { 10.22.22.11; };
};

// reverse zone for 10.22.22.0/24: the network octets are written in reverse order, and the host octet (0) is not part of the zone name
zone "22.22.10.in-addr.arpa" IN {
        type master;
        file "10.22.22.zone";
        allow-update { none; };
        allow-query { 10.22.22.12; };
};
2. Check the zone configuration file for syntax errors
[root@n01 named]# named-checkconf
3. Create the zone data file: 10.22.22.zone
/var/named/ is the default directory for bind's zone data files.
[root@n01 named]# touch 10.22.22.zone && chown :named 10.22.22.zone && chmod o= 10.22.22.zone && vim 10.22.22.zone
$TTL 3600
$ORIGIN 22.22.10.in-addr.arpa.
@       IN SOA  ns1.tornado.com. tornado.tornado.com. (
        2018010801
        1H
        10M
        3D
        12H )
        IN NS   ns1.tornado.com.
2       IN PTR  www.tornado.com.    ; 2.22.22.10.in-addr.arpa. is the name; www.tornado.com. is the value, an FQDN
3       IN PTR  bbs.tornado.com.
4       IN PTR  mx1.tornado.com.
4. Check the zone data file for syntax errors
[root@n01 named]# named-checkzone 22.22.10.in-addr.arpa. /var/named/10.22.22.zone
zone 22.22.10.in-addr.arpa/IN: loaded serial 2018010801
OK
5. Reload the service
[root@n01 named]# service named restart
Stopping named:                                            [  OK  ]
Starting named:                                            [  OK  ]
6. Test reverse resolution from the clients
(1) From client 10.22.22.11 the lookup fails, which shows that the allow-query directive is in effect
[root@c01 ~]# dig -x 10.22.22.3 @10.22.22.1

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.3 <<>> -x 10.22.22.3 @10.22.22.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 5789
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;3.22.22.10.in-addr.arpa.       IN      PTR

;; Query time: 1 msec
;; SERVER: 10.22.22.1#53(10.22.22.1)
;; WHEN: Sun Nov 20 18:42:35 2016
;; MSG SIZE  rcvd: 41

(2) From client 10.22.22.12 the lookup succeeds
[root@c02 ~]# dig -x 10.22.22.3 @10.22.22.1

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.3 <<>> -x 10.22.22.3 @10.22.22.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59123
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;3.22.22.10.in-addr.arpa.       IN      PTR

;; ANSWER SECTION:
3.22.22.10.in-addr.arpa. 3600   IN      PTR     bbs.tornado.com.

;; AUTHORITY SECTION:
22.22.10.in-addr.arpa.  3600    IN      NS      ns1.tornado.com.

;; Query time: 0 msec
;; SERVER: 10.22.22.1#53(10.22.22.1)
;; WHEN: Sun Nov 20 13:30:46 2016
;; MSG SIZE  rcvd: 88
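The forward zone of section II and the reverse zone of section III describe the same hosts twice, and a mismatch between an A record and its PTR (or a wrongly derived in-addr.arpa name) is a common source of failed reverse lookups. The following example, added here and not part of the original post, generates both zone files from a single host table. The host table, the SOA timers and the helper names (reverse_zone_name, ptr_owner, build_forward_zone, build_reverse_zone) are constructed for this example; it goes a little beyond the page's /24 case by also handling octet-aligned /16 and /8 networks.

```python
import ipaddress

# Constructed host table for the tornado.com lab (names are relative to the zone
# origin; the addresses follow the page's 10.22.22.0/24 plan). Not page data.
HOSTS = {"ns1": "10.22.22.1", "www": "10.22.22.2", "bbs": "10.22.22.3", "mx1": "10.22.22.4"}
SOA_TIMERS = "1H 10M 3D 1D"        # refresh, retry, expire, negative-answer TTL


def _network(cidr):
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only IPv4 /8, /16 and /24 networks are supported")
    return net


def reverse_zone_name(cidr):
    """in-addr.arpa zone for an octet-aligned IPv4 network.

    10.22.22.0/24 -> 22.22.10.in-addr.arpa: the fixed octets are reversed and
    the host octet is NOT part of the zone name (so there is no leading "0." label).
    """
    net = _network(cidr)
    fixed = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(fixed)) + ".in-addr.arpa"


def ptr_owner(ip, cidr):
    """Owner name of the PTR record for ip, relative to the reverse zone."""
    net = _network(cidr)
    if ipaddress.ip_address(ip) not in net:
        raise ValueError(f"{ip} is not inside {cidr}")
    host = ip.split(".")[net.prefixlen // 8:]
    return ".".join(reversed(host))


def _apex(origin, primary, contact, serial):
    """$TTL, $ORIGIN, SOA and NS lines shared by both zone files."""
    return [
        "$TTL 3600",
        f"$ORIGIN {origin}",
        f"@ IN SOA {primary} {contact} ( {serial} {SOA_TIMERS} )",
        f"  IN NS {primary}",
    ]


def _by_address(hosts):
    return sorted(hosts.items(), key=lambda kv: ipaddress.ip_address(kv[1]))


def build_forward_zone(domain, hosts, serial, primary="ns1", contact="tornado"):
    """Forward zone: SOA and NS at the apex, one A record per host."""
    lines = _apex(f"{domain}.", primary, contact, serial)
    lines += [f"{name} IN A {ip}" for name, ip in _by_address(hosts)]
    return "\n".join(lines) + "\n"


def build_reverse_zone(domain, cidr, hosts, serial, primary="ns1", contact="tornado"):
    """Reverse zone for the same hosts; PTR targets are absolute, dot-terminated FQDNs."""
    fqdn = lambda name: f"{name}.{domain}."
    lines = _apex(reverse_zone_name(cidr) + ".", fqdn(primary), fqdn(contact), serial)
    lines += [f"{ptr_owner(ip, cidr)} IN PTR {fqdn(name)}" for name, ip in _by_address(hosts)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_forward_zone("tornado.com", HOSTS, 2017010801))
    print(build_reverse_zone("tornado.com", "10.22.22.0/24", HOSTS, 2018010801))
```

Running it prints the two files; the reverse one starts with `$ORIGIN 22.22.10.in-addr.arpa.` and contains `3 IN PTR bbs.tornado.com.`, matching what the dig -x test above returned. Because both files come from one table, adding a host cannot leave the PTR behind.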
At this point the reverse zone is configured. Next we set up a slave DNS server for the tornado.com. zone.
IV. How to configure DNS master/slave
1. Add the slave's NS record to the tornado.com. zone data file (tornado.com.zone) on the master DNS server
[root@n01 named]# vim tornado.com.zone
$TTL 3600
$ORIGIN tornado.com.
@       IN SOA  ns1 tornado (
        2017010801
        1H
        10M
        3D
        1D )
        ; Note: with these timers alone there is still a window in which master and slave differ. After the master is
        ; configured you can reload the master and then the slave, or trigger a zone transfer yourself.
        ; Zone transfer command:  dig -t axfr|ixfr tornado.com @10.22.22.1   (the master's IP)
        ; axfr: transfers the whole zone; ixfr: transfers only the changes
        IN NS   ns1
        IN NS   ns2             ; name of the slave DNS server
        IN MX 10 mx1
ns1     IN A    10.22.22.1
ns2     IN A    10.22.22.2      ; A record of the slave DNS server
www     IN A    10.22.22.2
wwww    IN CNAME www
bbs     IN A    10.22.22.3
mx1     IN A    10.22.22.4
[root@n01 named]# named-checkzone tornado.com /var/named/tornado.com.zone
[root@n01 named]# service named restart
Stopping named:                                            [  OK  ]
Starting named:                                            [  OK  ]
2. Install and configure the slave DNS server
[root@n02 ~]# yum install -y bind bind-libs bind-utils
Loaded plugins: fastestmirror
Setting up Install Process
base                                                     | 3.7 kB     00:00
base/primary_db                                          | 4.7 MB     00:03
extras                                                   | 3.4 kB     00:00
extras/primary_db                                        |  37 kB     00:00
updates                                                  | 3.4 kB     00:00
updates/primary_db                                       | 3.7 MB     00:02
Resolving Dependencies
--> Running transaction check
---> Package bind.x86_64 32:9.8.2-0.47.rc1.el6_8.3 will be installed
--> Processing Dependency: portreserve for package: 32:bind-9.8.2-0.47.rc1.el6_8.3.x86_64
---> Package bind-libs.x86_64 32:9.8.2-0.47.rc1.el6_8.3 will be installed
---> Package bind-utils.x86_64 32:9.8.2-0.47.rc1.el6_8.3 will be installed
--> Running transaction check
---> Package portreserve.x86_64 0:0.0.4-11.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package          Arch       Version                          Repository   Size
================================================================================
Installing:
 bind             x86_64     32:9.8.2-0.47.rc1.el6_8.3        updates     4.0 M
 bind-libs        x86_64     32:9.8.2-0.47.rc1.el6_8.3        updates     890 k
 bind-utils       x86_64     32:9.8.2-0.47.rc1.el6_8.3        updates     187 k
Installing for dependencies:
 portreserve      x86_64     0.0.4-11.el6                     base         23 k

Transaction Summary
================================================================================
Install       4 Package(s)

Total download size: 5.1 M
Installed size: 10 M
Downloading Packages:
(1/4): bind-9.8.2-0.47.rc1.el6_8.3.x86_64.rpm            | 4.0 MB     00:07
(2/4): bind-libs-9.8.2-0.47.rc1.el6_8.3.x86_64.rpm       | 890 kB     00:00
(3/4): bind-utils-9.8.2-0.47.rc1.el6_8.3.x86_64.rpm      | 187 kB     00:00
(4/4): portreserve-0.0.4-11.el6.x86_64.rpm               |  23 kB     00:00
--------------------------------------------------------------------------------
Total                                           541 kB/s | 5.1 MB     00:09
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
Importing GPG key 0xC105B9DE:
 Userid : CentOS-6 Key (CentOS 6 Official Signing Key) <centos-6-key@centos.org>
 Package: centos-release-6-7.el6.centos.12.3.x86_64 (@anaconda-CentOS-201508042137.x86_64/6.7)
 From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : 32:bind-libs-9.8.2-0.47.rc1.el6_8.3.x86_64                  1/4
  Installing : portreserve-0.0.4-11.el6.x86_64                             2/4
  Installing : 32:bind-9.8.2-0.47.rc1.el6_8.3.x86_64                       3/4
  Installing : 32:bind-utils-9.8.2-0.47.rc1.el6_8.3.x86_64                 4/4
  Verifying  : 32:bind-utils-9.8.2-0.47.rc1.el6_8.3.x86_64                 1/4
  Verifying  : portreserve-0.0.4-11.el6.x86_64                             2/4
  Verifying  : 32:bind-libs-9.8.2-0.47.rc1.el6_8.3.x86_64                  3/4
  Verifying  : 32:bind-9.8.2-0.47.rc1.el6_8.3.x86_64                       4/4

Installed:
  bind.x86_64 32:9.8.2-0.47.rc1.el6_8.3        bind-libs.x86_64 32:9.8.2-0.47.rc1.el6_8.3
  bind-utils.x86_64 32:9.8.2-0.47.rc1.el6_8.3

Dependency Installed:
  portreserve.x86_64 0:0.0.4-11.el6

Complete!

[root@n02 ~]# vim /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
        listen-on port 53 { 10.22.22.2; };     // the slave's own address (N02 is 10.22.22.2 in this lab)
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

[root@n02 ~]# vim /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

// ... the stock localhost, loopback and 0.in-addr.arpa zones are the same as on the master and omitted here ...

zone "tornado.com" IN {
        type slave;
        file "slaves/tornado.com.zone";     // relative to /var/named; the slaves/ directory is writable by named
        masters { 10.22.22.1; };
};

[root@n02 ~]# named-checkconf
[root@n02 slaves]# service iptables stop
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
[root@n02 slaves]# service named restart
Stopping named:                                            [  OK  ]
Starting named:                                            [  OK  ]
3. Test master/slave synchronization
Note: 1. the clocks of the master and slave DNS servers must agree (use the ntpdate command)
# edit the master's zone data file
[root@n01 named]# vim tornado.com.zone
$TTL 3600
$ORIGIN tornado.com.
@       IN SOA  ns1 tornado (
        2017010804      ; bump the serial (after every change to the master's zone file, so that the slave synchronizes)
        1H
        10M
        3D
        1D )
        IN NS   ns1
        IN NS   ns2
        IN MX 10 mx1
ns1     IN A    10.22.22.1
ns2     IN A    10.22.22.2
www     IN A    10.22.22.5
aaa     IN A    10.22.22.6      ; newly added host record
wwww    IN CNAME www
bbs     IN A    10.22.22.3
mx1     IN A    10.22.22.4
# reload the master
[root@n01 named]# rndc reload
server reload successful
# reload the slave
[root@n02 slaves]# rndc reload
server reload successful
# view the zone file on the slave (/var/named/slaves/tornado.com.zone)
$ORIGIN .
$TTL 3600       ; 1 hour
tornado.com             IN SOA  ns1.tornado.com. tornado.tornado.com. (
                                2017010804 ; serial     <-- the serial has changed
                                3600       ; refresh (1 hour)
                                600        ; retry (10 minutes)
                                259200     ; expire (3 days)
                                86400      ; minimum (1 day)
                                )
                        NS      ns1.tornado.com.
                        NS      ns2.tornado.com.
                        MX      10 mx1.tornado.com.
$ORIGIN tornado.com.
aaa                     A       10.22.22.6      ; <-- the host A record has been synchronized too
bbs                     A       10.22.22.3
mx1                     A       10.22.22.4
ns1                     A       10.22.22.1
ns2                     A       10.22.22.2
www                     A       10.22.22.5
wwww                    CNAME   www
# resolution test from client 10.22.22.11
[root@c01 ~]# dig -t A aaa.tornado.com @10.22.22.1

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.3 <<>> -t A aaa.tornado.com @10.22.22.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59449
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;aaa.tornado.com.               IN      A

;; ANSWER SECTION:
aaa.tornado.com.        3600    IN      A       10.22.22.6

;; AUTHORITY SECTION:
tornado.com.            3600    IN      NS      ns1.tornado.com.
tornado.com.            3600    IN      NS      ns2.tornado.com.

;; ADDITIONAL SECTION:
ns1.tornado.com.        3600    IN      A       10.22.22.1
ns2.tornado.com.        3600    IN      A       10.22.22.2

;; Query time: 0 msec
;; SERVER: 10.22.22.1#53(10.22.22.1)
;; WHEN: Sun Nov 20 19:21:08 2016
;; MSG SIZE  rcvd: 117

[root@c01 ~]# dig -t A aaa.tornado.com @10.22.22.2

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.3 <<>> -t A aaa.tornado.com @10.22.22.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33172
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;aaa.tornado.com.               IN      A

;; ANSWER SECTION:
aaa.tornado.com.        3600    IN      A       10.22.22.6

;; AUTHORITY SECTION:
tornado.com.            3600    IN      NS      ns1.tornado.com.
tornado.com.            3600    IN      NS      ns2.tornado.com.

;; ADDITIONAL SECTION:
ns1.tornado.com.        3600    IN      A       10.22.22.1
ns2.tornado.com.        3600    IN      A       10.22.22.2

;; Query time: 31 msec
;; SERVER: 10.22.22.2#53(10.22.22.2)
;; WHEN: Sun Nov 20 19:21:10 2016
;; MSG SIZE  rcvd: 117

# resolution test from client 10.22.22.12
[root@c02 ~]# dig -t A aaa.tornado.com @10.22.22.1    # 10.22.22.1 refuses, because of allow-query

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.3 <<>> -t A aaa.tornado.com @10.22.22.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 60297
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;aaa.tornado.com.               IN      A

;; Query time: 1 msec
;; SERVER: 10.22.22.1#53(10.22.22.1)
;; WHEN: Sun Nov 20 14:09:37 2016
;; MSG SIZE  rcvd: 33

[root@c02 ~]# dig -t A aaa.tornado.com @10.22.22.2    # 10.22.22.2 answers: allow-query is part of the slave's own configuration and is not synchronized from the master; it has to be set on the slave separately

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.3 <<>> -t A aaa.tornado.com @10.22.22.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44199
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;aaa.tornado.com.               IN      A

;; ANSWER SECTION:
aaa.tornado.com.        3600    IN      A       10.22.22.6

;; AUTHORITY SECTION:
tornado.com.            3600    IN      NS      ns2.tornado.com.
tornado.com.            3600    IN      NS      ns1.tornado.com.

;; ADDITIONAL SECTION:
ns1.tornado.com.        3600    IN      A       10.22.22.1
ns2.tornado.com.        3600    IN      A       10.22.22.2

;; Query time: 0 msec
;; SERVER: 10.22.22.2#53(10.22.22.2)
;; WHEN: Sun Nov 20 14:09:34 2016
;; MSG SIZE  rcvd: 117
At this point the master/slave configuration is complete. Next we introduce sub-domain delegation.
V. How to configure sub-domain delegation
1. Edit the zone data file on the master DNS server and add the sub-domain's NS records and their A records
Note: to resolve names such as www.ops.tornado.com, two further DNS servers have to be built for the sub-domain, one master and one slave.
[root@n01 named]# vim tornado.com.zone
$TTL 3600
$ORIGIN tornado.com.
@       IN SOA  ns1 tornado (
        2017010805
        1H
        10M
        3D
        1D )
        IN NS   ns1
        IN NS   ns2
        IN NS   ns3.ops         ; name of the sub-domain's master DNS server
        IN NS   ns4.ops         ; name of the sub-domain's slave DNS server
        ; note: written with a blank owner as above, these two NS records belong to the apex (tornado.com.) rather than to ops.tornado.com.,
        ; so they make ns3.ops and ns4.ops additional name servers of tornado.com instead of delegating the sub-domain.
        ; A delegation of ops places the records on the owner name "ops":
        ;     ops     IN NS   ns3.ops
        ;     ops     IN NS   ns4.ops
        ; with the A records of ns3.ops and ns4.ops below serving as glue.
        IN MX 10 mx1
ns1     IN A    10.22.22.1
ns2     IN A    10.22.22.2
ns3.ops IN A    10.22.22.3      ; A record for the sub-domain's master DNS server name
ns4.ops IN A    10.22.22.4      ; A record for the sub-domain's slave DNS server name
www     IN A    10.22.22.5
aaa     IN A    10.22.22.6
mx1     IN A    10.22.22.7
[root@n01 named]# named-checkconf
[root@n01 named]# service named restart
Stopping named:                                            [  OK  ]
Starting named:                                            [  OK  ]
2. Reload the service on the slave DNS server
[root@n02 slaves]# service named restart
Stopping named:                                            [  OK  ]
Starting named:                                            [  OK  ]
[root@n02 slaves]# vim /var/named/slaves/tornado.com.zone
$ORIGIN .
$TTL 3600       ; 1 hour
tornado.com             IN SOA  ns1.tornado.com. tornado.tornado.com. (
                                2017010805 ; serial     <-- synchronized
                                3600       ; refresh (1 hour)
                                600        ; retry (10 minutes)
                                259200     ; expire (3 days)
                                86400      ; minimum (1 day)
                                )
                        NS      ns1.tornado.com.
                        NS      ns2.tornado.com.
                        NS      ns3.ops.tornado.com.
                        NS      ns4.ops.tornado.com.
                        MX      10 mx1.tornado.com.
$ORIGIN tornado.com.
aaa                     A       10.22.22.6
mx1                     A       10.22.22.7
ns1                     A       10.22.22.1
ns2                     A       10.22.22.2
$ORIGIN ops.tornado.com.
ns3                     A       10.22.22.3      ; <-- synchronized
ns4                     A       10.22.22.4      ; <-- synchronized
$ORIGIN tornado.com.
www                     A       10.22.22.5
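The slave's dump above shows the sub-domain NS records sitting at the apex (next to ns1 and ns2), which is the difference between "more name servers for tornado.com" and a delegation of ops.tornado.com. The following example, added here and not part of the original post, is a small zone-file parser plus a delegation check that makes that difference visible: it flags a child name with no NS records of its own and an in-zone name server without a glue A record. The parser, the check and the two sample zone texts (one in the layout of section V, one with the records moved to the `ops` owner) are constructed for this example; it is a lab-grade parser, not a full RFC 1035 implementation.

```python
import re


def _absolute(name, origin):
    """Turn a zone-file name into an absolute, dot-terminated FQDN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    if origin is None:
        raise ValueError(f"relative name {name!r} used before any $ORIGIN")
    return f"{name}.{origin}"


def parse_zone(text, origin=None):
    """Parse zone-file text into (owner, type, rdata) tuples with absolute owner names.

    Handles $ORIGIN/$TTL, ';' comments, blank owners (repeat the previous owner),
    optional TTL/class fields and parenthesised multi-line rdata such as SOA.
    Relative NS/CNAME/PTR/MX targets are qualified with $ORIGIN.
    """
    entries, buf, depth = [], [], 0
    for raw in text.splitlines():                  # fold "( ... )" onto one logical entry
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            entries.append("\n".join(buf))
            buf = []
    records, last_owner = [], None
    for entry in entries:
        tokens = re.sub(r"[()]", " ", entry).split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            continue
        if entry[0] in " \t":                      # no owner field: reuse the previous owner
            owner = last_owner
        else:
            owner = _absolute(tokens.pop(0), origin)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)                          # optional TTL and class
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype in ("NS", "CNAME", "PTR", "MX"):
            rdata[-1] = _absolute(rdata[-1], origin)
        records.append((owner, rtype, rdata))
        last_owner = owner
    return records


def check_delegation(records, child):
    """Problems that would stop `child` (an absolute name) from being a delegated sub-zone."""
    problems = []
    ns_targets = [r[2][0] for r in records if r[0] == child and r[1] == "NS"]
    if not ns_targets:
        problems.append(f"no NS records owned by {child}: the zone does not delegate it")
    glue_owners = {r[0] for r in records if r[1] in ("A", "AAAA")}
    for ns in ns_targets:                          # in-zone name servers need glue
        if ns.endswith("." + child) and ns not in glue_owners:
            problems.append(f"{ns} lies inside {child} but has no glue A/AAAA record")
    return problems


# Constructed zone files, not copied from the page. PAGE_STYLE follows the layout
# of section V (sub-domain NS records with a blank owner, i.e. at the apex);
# DELEGATED puts the same records on the `ops` owner name instead.
PAGE_STYLE = """\
$TTL 3600
$ORIGIN tornado.com.
@       IN SOA  ns1 tornado (
        2017010805
        1H
        10M
        3D
        1D )
        IN NS   ns1
        IN NS   ns2
        IN NS   ns3.ops
        IN NS   ns4.ops
ns1     IN A    10.22.22.1
ns2     IN A    10.22.22.2
ns3.ops IN A    10.22.22.3
ns4.ops IN A    10.22.22.4
"""
DELEGATED = (PAGE_STYLE.replace("        IN NS   ns3.ops", "ops     IN NS   ns3.ops")
                       .replace("        IN NS   ns4.ops", "ops     IN NS   ns4.ops"))

if __name__ == "__main__":
    for label, text in (("page layout", PAGE_STYLE), ("delegated", DELEGATED)):
        print(label, check_delegation(parse_zone(text), "ops.tornado.com.") or "OK")
```

Run against the page-style file the check reports that nothing is owned by ops.tornado.com.; against the delegated file it reports nothing. Deleting one of the ns3.ops/ns4.ops A records from the delegated file produces the missing-glue message instead, which is the other way a delegation commonly breaks.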
VI. How to configure forwarding
1. Per-zone forwarding (configured in a zone section)
/etc/named.rfc1912.zones
zone "google.com" IN {
        type forward;
        forward first;                  // two possible values: first (forward first; if the forwarder does not respond, resolve iteratively yourself) and only (forward only)
        forwarders { server_ip; };      // address of the DNS server to forward to
};
2. Global forwarding (configured in the options section of the main configuration file)
options {
        ...
        forward only;                   // two possible values: first (forward first; if the forwarder does not respond, resolve iteratively yourself) and only (forward only)
        forwarders { server_ip; };      // address of the DNS server to forward to
        ...
};
VII. How to configure BIND views
1. Views are used to implement "smart DNS" (different answers for different client networks). The format is:
view view_name {
        zone;
        zone;
        zone;
};
2. Example view configuration with explanation
Requests arriving from the China Unicom 10.22.22.0 network: queries for tornado.com are answered from the zone file "tornado.com/cmcc", queries for google.com from the zone file "google.com/cmcc"
view cmcc {
        match-clients { 10.22.22.0/24; };      // the directive is match-clients (plural) and takes an address match list, so the network needs its prefix length
        zone "tornado.com" IN {
                type master;
                file "tornado.com/cmcc";
        };
        zone "google.com" IN {
                type master;
                file "google.com/cmcc";
        };
};
Requests arriving from the China Telecom 10.22.22.0 network: queries for tornado.com are answered from the zone file "tornado.com/cucc", queries for google.com from the zone file "google.com/cucc"
view cucc {
        match-clients { 10.22.22.0/24; };      // views are matched in configuration order and the first match wins; with the same network as the cmcc view this view is never selected, so each view should get its own client networks
        zone "tornado.com" IN {
                type master;
                file "tornado.com/cucc";
        };
        zone "google.com" IN {
                type master;
                file "google.com/cucc";
        };
};
// note: once any view is defined, every zone (including the "." hint zone and the include of named.rfc1912.zones) must live inside a view
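Both the allow-query tests of sections II and III and the view example above come down to the same mechanism: a BIND address match list evaluated first-match-wins, with `!` negation and nested ACL names. The following example, added here and not part of the original post, implements that evaluation and uses it for both purposes: reproducing the NOERROR/REFUSED split observed for 10.22.22.11 versus 10.22.22.12, and selecting a view in configuration order, which is how it shows that two views with the same match-clients leave the second one unreachable. The built-in ACL table (localnets in particular, which BIND derives from the server's interfaces), the view tables and the probe addresses are constructed assumptions for this example.

```python
import ipaddress

# Built-in address match names. `localnets` really means "the networks of the
# server's own interfaces"; the lab server sits on 10.22.22.0/24, so that is
# what this constructed table assumes.
BUILTIN_ACLS = {
    "any": ["0.0.0.0/0", "::/0"],
    "none": [],
    "localhost": ["127.0.0.0/8", "::1/128"],
    "localnets": ["10.22.22.0/24"],
}


def matches(client, address_match_list, acls=None):
    """First-match evaluation of a BIND address_match_list.

    Elements may be a host, a prefix, a built-in or named ACL, or any of those
    negated with '!'. The first element that matches decides: a negated match
    means "does not match". Falling off the end means no match.
    """
    table = {**BUILTIN_ACLS, **(acls or {})}
    ip = ipaddress.ip_address(client)
    for element in address_match_list:
        negate = element.startswith("!")
        name = element[1:] if negate else element
        if name in table:                              # nested ACL
            hit = matches(client, table[name], table)
        else:
            net = ipaddress.ip_network(name, strict=False)
            hit = ip.version == net.version and ip in net
        if hit:
            return not negate
    return False


def query_status(client, allow_query, acls=None):
    """What the page's dig tests observed: NOERROR for listed clients, REFUSED otherwise."""
    return "NOERROR" if matches(client, allow_query, acls) else "REFUSED"


def select_view(client, views):
    """Views are tried in configuration order; the first match-clients hit wins.

    Returns the view name, or None when no view matches (BIND then refuses the query).
    """
    for name, match_clients in views:
        if matches(client, match_clients):
            return name
    return None


def unreachable_views(views, probes):
    """Views that none of the probe addresses reach under first-match order.

    Exhaustive checking is impractical; a handful of representative client
    addresses, one per intended network, is enough to spot a shadowed view.
    """
    reached = {select_view(p, views) for p in probes}
    return [name for name, _ in views if name not in reached]


# Constructed view tables. PAGE_VIEWS mirrors section VII, where both views list
# the same 10.22.22.0/24 prefix; SPLIT_VIEWS gives each carrier its own prefix
# and a catch-all view at the end.
PAGE_VIEWS = [("cmcc", ["10.22.22.0/24"]), ("cucc", ["10.22.22.0/24"])]
SPLIT_VIEWS = [("cmcc", ["10.22.22.0/24"]), ("cucc", ["10.22.23.0/24"]), ("default", ["any"])]
PROBES = ["10.22.22.11", "10.22.23.5", "192.0.2.7"]

if __name__ == "__main__":
    print("c01:", query_status("10.22.22.11", ["10.22.22.11"]), " c02:", query_status("10.22.22.12", ["10.22.22.11"]))
    print("shadowed in PAGE_VIEWS:", unreachable_views(PAGE_VIEWS, PROBES))
    print("shadowed in SPLIT_VIEWS:", unreachable_views(SPLIT_VIEWS, PROBES))
```

The same function also explains the section IV observation that the slave kept answering 10.22.22.12: allow-query is evaluated against each server's own named.conf, and the slave's list was `{ any; }`.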
This concludes the introduction to all of BIND's basic features.
This article is from the blog "自动化学习之路"; reproduction is not permitted.