Preface: the previous post covered how to set up a DNS server; this one configures a slave DNS server for that master.
A slave server holds a copy of the zone database identical to the master's. Being a slave is a per-zone concept: a master server can serve several forward or reverse zones, and a server is a slave of a particular zone, not of the whole master server. To make a server the slave for every zone, configure it as a slave for each forward and reverse zone in turn.
Configuring a slave for the master DNS server's forward zone
On Master: (the following steps are carried out on the master server)
Step 1: make sure the zone data file contains an NS record, and a matching A record, for every slave server
[iyunv@localhost named]# vim stu61.com.zone
$TTL 3600
@ IN SOA ns1.stu61.com. tz.stu61.com. (
        2016010802 ; bump the serial on every edit
        1H
        10M
        3D
        1D )
@ IN NS ns1.stu61.com.
@ IN NS ns2.stu61.com. ; on the master, add an NS record for the slave
  IN MX 10 mx1
  IN MX 20 mx2
ns1 IN A 172.16.249.130
ns2 IN A 172.16.249.131 ; add an A record for the slave
mx1 IN A 172.16.249.10
mx2 IN A 172.16.249.11
www IN A 172.16.249.130
web IN CNAME www
[iyunv@localhost named]# named-checkzone stu61.com stu61.com.zone
zone stu61.com/IN: loaded serial 2016010802
OK  # after editing, check the file for syntax errors
Step 2: reload the configuration file
[iyunv@localhost named]# rndc reload
server reload successful
[iyunv@localhost named]# rndc status
version: 9.9.4-RedHat-9.9.4-29.el7_2.1 <id:8f9657aa>
CPUs found: 4
worker threads: 4
UDP listeners per interface: 4
number of zones: 103
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
On Slave: (the following steps are carried out on the slave server)
Step 1:
① Configure the BIND service's main configuration file:
[iyunv@centos7 ~]# vim /etc/named.conf
options {
    listen-on port 53 { 127.0.0.1; 172.16.249.131; }; # port 53 must also listen on this host's own address
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { localhost; };
    dnssec-enable no;
    dnssec-validation no;
    dnssec-lookaside no; # turn DNSSEC off
};
[iyunv@centos7 ~]# systemctl start named.service # start the BIND service
② Define the zone: define a slave zone (the master's forward zone, configured here as a slave zone)
[iyunv@centos7 ~]# vim /etc/named.rfc1912.zones
zone "stu61.com" IN {
    type slave; # this server is a slave for the zone
    file "slaves/stu61.com.zone"; # the slave's copy of the zone file must be created under /var/named/slaves
    masters { 172.16.249.130; }; # address of the master server
};
[iyunv@centos7 ~]# named-checkconf # check the configuration file for syntax errors
Step 2: reload the configuration
[iyunv@centos7 ~]# rndc reload
server reload successful
[iyunv@centos7 slaves]# systemctl status named.service
named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled)
Active: active (running) since Sun 2016-01-10 21:05:52 CST; 2s ago
Process: 2681 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
Process: 2592 ExecReload=/bin/sh -c /usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
Process: 2693 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS)
Process: 2691 ExecStartPre=/usr/sbin/named-checkconf -z /etc/named.conf (code=exited, status=0/SUCCESS)
Main PID: 2695 (named)
CGroup: /system.slice/named.service
└─2695 /usr/sbin/named -u named
Jan 10 21:05:51 centos7.localdomain named[2695]: zone localhost/IN: loaded serial 0
Jan 10 21:05:51 centos7.localdomain named[2695]: zone localhost.localdomain/IN: loaded serial 0
Jan 10 21:05:51 centos7.localdomain named[2695]: all zones loaded
Jan 10 21:05:51 centos7.localdomain named[2695]: running
Jan 10 21:05:52 centos7.localdomain systemd[1]: Started Berkeley Internet Name Domain (DNS).
Jan 10 21:05:52 centos7.localdomain named[2695]: zone stu61.com/IN: Transfer started.
Jan 10 21:05:52 centos7.localdomain named[2695]: transfer of 'stu61.com/IN' from 172.16.249.130#53: connected using 172.16.249.131#50209
Jan 10 21:05:52 centos7.localdomain named[2695]: zone stu61.com/IN: transferred serial 2016010802
Jan 10 21:05:52 centos7.localdomain named[2695]: transfer of 'stu61.com/IN' from 172.16.249.130#53: Transfer completed: 1 messages, 12 records, 280 bytes, 0....ytes/sec) # the transfer succeeded
Jan 10 21:05:52 centos7.localdomain named[2695]: zone stu61.com/IN: sending notifies (serial 2016010802)
Hint: Some lines were ellipsized, use -l to show in full.
[iyunv@centos7 slaves]# ls
stu61.com.zone # the zone file is generated automatically under /var/named/slaves
After the configuration is complete, test resolution on the slave server:
[iyunv@centos7 slaves]# dig -t A www.stu61.com @172.16.249.131
; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> -t A www.stu61.com @172.16.249.131
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43056
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.stu61.com. IN A
;; ANSWER SECTION:
www.stu61.com. 3600 IN A 172.16.249.130
;; AUTHORITY SECTION:
stu61.com. 3600 IN NS ns2.stu61.com.
stu61.com. 3600 IN NS ns1.stu61.com.
;; ADDITIONAL SECTION:
ns1.stu61.com. 3600 IN A 172.16.249.130
ns2.stu61.com. 3600 IN A 172.16.249.131
;; Query time: 1 msec
;; SERVER: 172.16.249.131#53(172.16.249.131)
;; WHEN: Sun Jan 10 21:10:20 CST 2016
;; MSG SIZE rcvd: 126
Configuring a slave for the master DNS server's reverse zone
On Master: (the following steps are carried out on the master server)
Step 1: make sure the zone data file contains an NS record, and a matching PTR record, for every slave server
[iyunv@localhost named]# vim 172.16.249.zone
$TTL 3600
$ORIGIN 249.16.172.in-addr.arpa.
@ IN SOA ns1.stu61.com. tz.stu61.com. (
        2016010802
        1H
        10M
        3D
        12H )
  IN NS ns1.stu61.com.
  IN NS ns2.stu61.com. ; add an NS record for the slave
130 IN PTR ns1.stu61.com.
10 IN PTR mx1.stu61.com.
11 IN PTR mx2.stu61.com.
130 IN PTR www.stu61.com.
131 IN PTR ns2.stu61.com. ; add a PTR record for the slave
[iyunv@localhost named]# named-checkzone 249.16.172.in-addr.arpa 172.16.249.zone # check for syntax errors
Step 2: reload the configuration file
[iyunv@localhost named]# rndc reload
On Slave: (the following steps are carried out on the slave server)
Step 1:
① Configure the BIND service's main configuration file:
[iyunv@centos7 slaves]# vim /etc/named.rfc1912.zones
zone "249.16.172.in-addr.arpa" IN {
    type slave; # this server is a slave for the zone
    file "slaves/172.16.249.zone"; # the reverse zone file is generated under slaves/ on the slave
    masters { 172.16.249.130; };
};
[iyunv@centos7 ~]# named-checkconf # check the configuration file for syntax errors
Step 2: reload the configuration file
[iyunv@centos7 slaves]# rndc reload
server reload successful
[iyunv@centos7 slaves]# systemctl status named.service
named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled)
Active: active (running) since Sun 2016-01-10 21:44:00 CST; 31min ago
Process: 2785 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
Process: 2592 ExecReload=/bin/sh -c /usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
Process: 2797 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS)
Process: 2795 ExecStartPre=/usr/sbin/named-checkconf -z /etc/named.conf (code=exited, status=0/SUCCESS)
Main PID: 2799 (named)
CGroup: /system.slice/named.service
└─2799 /usr/sbin/named -u named
Jan 10 22:15:14 centos7.localdomain named[2799]: reloading zones succeeded
Jan 10 22:15:14 centos7.localdomain named[2799]: all zones loaded
Jan 10 22:15:14 centos7.localdomain named[2799]: running
Jan 10 22:15:14 centos7.localdomain named[2799]: zone 249.16.172.in-addr.arpa/IN: Transfer started.
Jan 10 22:15:14 centos7.localdomain named[2799]: transfer of '249.16.172.in-addr.arpa/IN' from 172.16.249.130#53: connected using ...1#36407
Jan 10 22:15:14 centos7.localdomain named[2799]: zone 249.16.172.in-addr.arpa/IN: transferred serial 2016010802
Jan 10 22:15:14 centos7.localdomain named[2799]: transfer of '249.16.172.in-addr.arpa/IN' from 172.16.249.130#53: Transfer complet...es/sec)
Jan 10 22:15:14 centos7.localdomain named[2799]: zone 249.16.172.in-addr.arpa/IN: sending notifies (serial 2016010802)
Jan 10 22:15:21 centos7.localdomain named[2799]: client 172.16.249.130#56183: received notify for zone '249.16.172.in-addr.arpa'
Jan 10 22:15:21 centos7.localdomain named[2799]: zone 249.16.172.in-addr.arpa/IN: notify from 172.16.249.130#56183: zone is up to date
Hint: Some lines were ellipsized, use -l to show in full.
[iyunv@centos7 slaves]# ll
total 8
-rw-r--r--. 1 named named 478 Jan 10 22:15 172.16.249.zone # the slave's reverse zone file, generated under the slaves directory
-rw-r--r--. 1 named named 538 Jan 10 21:53 stu61.com.zone
After the configuration is complete, test resolution on the slave server:
[iyunv@centos7 slaves]# dig -x 172.16.249.130 @172.16.249.131
; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> -x 172.16.249.130 @172.16.249.131
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37248
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;130.249.16.172.in-addr.arpa. IN PTR
;; ANSWER SECTION:
130.249.16.172.in-addr.arpa. 3600 IN PTR ns1.stu61.com.
130.249.16.172.in-addr.arpa. 3600 IN PTR www.stu61.com.
;; AUTHORITY SECTION:
249.16.172.in-addr.arpa. 3600 IN NS ns2.stu61.com.
249.16.172.in-addr.arpa. 3600 IN NS ns1.stu61.com.
;; ADDITIONAL SECTION:
ns1.stu61.com. 3600 IN A 172.16.249.130
ns2.stu61.com. 3600 IN A 172.16.249.131
;; Query time: 0 msec
;; SERVER: 172.16.249.131#53(172.16.249.131)
;; WHEN: Sun Jan 10 22:26:53 CST 2016
;; MSG SIZE rcvd: 165
Summary
Once there is a slave DNS server as well as a master, client DNS settings can be split between them, half of the clients pointing at the master and half at the slave, so that resolution stays fast as the volume of client queries grows.
Subdomain delegation:
Once we own a second-level domain we can create third-level domains under it for use within a given area; the master DNS server only needs to delegate the third-level domain, for example ops.stu61.com.
How to delegate a subdomain from a forward zone:
Step 1: on the master DNS server, edit the forward zone file to add the NS record and the A record for the subdomain:
[iyunv@localhost named]# vim stu61.com.zone
$TTL 3600
@ IN SOA ns1.stu61.com. tz.stu61.com. (
        2016010804 ; the serial must be incremented
        1H
        10M
        3D
        1D )
@ IN NS ns1.stu61.com.
@ IN NS ns2.stu61.com.
  IN MX 10 mx1
  IN MX 20 mx2
ns1 IN A 172.16.249.130
ns2 IN A 172.16.249.131
mx1 IN A 172.16.249.10
mx2 IN A 172.16.249.11
www IN A 172.16.249.130
web IN CNAME www
tzz IN A 172.16.249.132
ops IN NS ns1.ops.stu61.com. ; NS record delegating the third-level domain
ns1.ops IN A 172.16.249.147 ; glue A record for the third-level domain's name server
Step 2: reload the configuration file
[iyunv@localhost named]# rndc reload
server reload successful
Step 3: configure and start the BIND service on the subdomain server
[iyunv@Tzz ~]# vim /etc/named.conf
options {
    listen-on port 53 { 127.0.0.1; 172.16.249.147; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    //allow-query { localhost; };
    recursion yes;
    dnssec-enable no;
    dnssec-validation no;
    dnssec-lookaside no;
};
[iyunv@Tzz ~]# service named start
Generating /etc/rndc.key: [ OK ]
Starting named: [ OK ]
Step 4: define the forward zone on the subdomain server:
[iyunv@Tzz ~]# vim /etc/named.rfc1912.zones
zone "ops.stu61.com" IN {
type master;
file "ops.stu61.com.zone";
};
Step 5: create the forward zone file under /var/named/ on the subdomain server:
[iyunv@Tzz named]# vim ops.stu61.com.zone
$TTL 3600
$ORIGIN ops.stu61.com.
@ IN SOA ns1.ops.stu61.com. tz.ops.stu61.com. ( ; MNAME needs the trailing dot, or $ORIGIN is appended to it
        2016010801
        1H
        10M
        1D
        2H )
  IN NS ns1
ns1 IN A 172.16.249.147
www IN A 172.16.249.147
[iyunv@Tzz named]# chmod o= ops.stu61.com.zone # remove all permissions for others
[iyunv@Tzz named]# chown :named ops.stu61.com.zone # change the owning group to named
Step 6: reload the configuration
[iyunv@Tzz named]# rndc reload
server reload successful
Step 7: test resolution:
[iyunv@Tzz named]# dig -t A www.ops.stu61.com @172.16.249.147
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6 <<>> -t A www.ops.stu61.com @172.16.249.147
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30865
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.ops.stu61.com. IN A
;; ANSWER SECTION:
www.ops.stu61.com. 3600 IN A 172.16.249.147
;; AUTHORITY SECTION:
ops.stu61.com. 3600 IN NS ns1.ops.stu61.com.
;; ADDITIONAL SECTION:
ns1.ops.stu61.com. 3600 IN A 172.16.249.147
;; Query time: 1 msec
;; SERVER: 172.16.249.147#53(172.16.249.147)
;; WHEN: Sun Jan 10 11:51:36 2016
;; MSG SIZE rcvd: 85
The test succeeds, so the subdomain is configured correctly.
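Step 1 of both procedures above (NS plus matching A record on the master, serial bumped on every edit) is easy to get wrong by hand. The following pre-flight script is an added example, not part of the original post: it extracts the SOA serial and checks that every in-zone NS target, including the delegated ns1.ops.stu61.com., has a glue A record; the zone text is constructed from the post, and the helper names are my own.

```shell
# Added example, not from the original post: pre-flight checks for a master
# zone file before "rndc reload"; the zone text is constructed from the post.
# Print the SOA serial: the first all-digit token after the SOA keyword,
# which also covers the multi-line "( serial refresh retry expire min )" form.
zone_serial() {
    awk '{ sub(/;.*/, "") }
         !insoa && /[ \t]SOA[ \t]/ { insoa = 1; sub(/.*SOA[ \t]+/, "") }
         insoa { for (i = 1; i <= NF; i++)
                     if ($i ~ /^[0-9]+$/) { print $i; exit } }' "$1"
}
# Return 0 when every NS target inside the zone (ns2.stu61.com., or the
# delegated ns1.ops.stu61.com.) has an A record in the same file, else 1.
# $1 = zone file, $2 = zone origin without the trailing dot.
check_glue() {
    awk -v origin="$2." '
        function fq(n) { return (n ~ /\.$/) ? n : (n == "@" ? origin : n "." origin) }
        BEGIN { bad = 0 }
        { sub(/;.*/, "") }                 # strip ; comments
        NF == 0 || /^\$/ { next }          # skip blank lines and $TTL / $ORIGIN
        /^[^ \t]/ { owner = $1 }           # a leading blank keeps the previous owner
        { for (i = 1; i < NF; i++)
              if ($i == "NS") ns[fq($(i + 1))] = 1
              else if ($i == "A") a[fq(owner)] = 1 }
        END { for (n in ns)
                  if (index(n, "." origin) && !(n in a)) {
                      print "no A (glue) record for NS " n > "/dev/stderr"; bad = 1 }
              exit bad }' "$1"
}
# Constructed copy of the master zone shown in the post (not the real file).
ZONE=$(mktemp)
cat > "$ZONE" <<'EOF'
$TTL 3600
@   IN SOA ns1.stu61.com. tz.stu61.com. (
        2016010802 ; serial
        1H 10M 3D 1D )
@   IN NS ns1.stu61.com.
@   IN NS ns2.stu61.com.
ns1 IN A  172.16.249.130
ns2 IN A  172.16.249.131
www IN A  172.16.249.130
EOF
# $3 = serial the slave holds now (third field of: dig +short soa ZONE @slave)
preflight() {
    check_glue "$1" "$2" || return 1
    [ "$(zone_serial "$1")" -gt "$3" ] || { echo "serial not bumped" >&2; return 2; }
}
preflight "$ZONE" stu61.com 2016010801 && echo "ok: safe to rndc reload"
```

If the serial is not higher than the one the slave already holds, the slave will keep serving its old copy even though the transfer log looks healthy.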
This leaves one problem: when the subdomain server resolves a name in its parent zone, stu61.com, it is not authoritative for that zone and can only resolve it by iterative lookup. That is needlessly roundabout for what is, after all, its own parent domain. Forwarding solves this: we can define forwarding in the subdomain server.
Defining forwarding:
Note: the server being forwarded to must allow recursion for the current server.
(1) Zone forwarding: forward only the queries for one particular zone.
zone "stu61.com" IN { # the parent zone
    type forward; # this zone is forwarded
    forward only; # forward only: if the forwarder does not answer, give up rather than iterate
    forwarders { 172.16.249.130; 172.16.249.131; }; # the forwarders
};
After configuring, test:
[iyunv@Tzz named]# dig -t A www.stu61.com @172.16.249.147
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6 <<>> -t A www.stu61.com @172.16.249.147
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8578
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.stu61.com. IN A
;; ANSWER SECTION:
www.stu61.com. 3600 IN A 172.16.249.130
;; AUTHORITY SECTION:
stu61.com. 3600 IN NS ns2.stu61.com.
stu61.com. 3600 IN NS ns1.stu61.com.
;; ADDITIONAL SECTION:
ns2.stu61.com. 3600 IN A 172.16.249.131
ns1.stu61.com. 3600 IN A 172.16.249.130
;; Query time: 4 msec
;; SERVER: 172.16.249.147#53(172.16.249.147)
;; WHEN: Sun Jan 10 12:46:47 2016
;; MSG SIZE rcvd: 115
(2) Global forwarding: every query for a zone that is not defined locally with a zone statement is handed to the forwarder.
[iyunv@Tzz named]# vim /etc/named.conf
options {
    ...
    forward {only|first};
    forwarders { SERVER_IP; };
    ...
};
Security-related settings in BIND:
acl: access control list; groups one or more addresses into a named set, after which that name refers to every host in the set.
acl mynet {
172.16.0.0/16;
127.0.0.0/8;
};
BIND has four built-in ACLs:
none: no host at all;
any: any host;
localhost: the local machine;
localnets: the networks that the local machine's IP addresses belong to;
Access control directives (defined inside options they apply globally; defined inside a zone they apply to that zone only):
allow-query {}: hosts allowed to query; a whitelist;
allow-transfer {}: hosts allowed to request a zone transfer from this server; the default allows every host, so it should be restricted to the slave servers only;
allow-recursion {}: hosts allowed to send recursive queries to this DNS server;
allow-update {}: DDNS, hosts allowed to dynamically update the contents of the zone data file;
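As an added example (not from the post), here is how the master and slave zone statements shown earlier look once the transfer and recursion controls from this list are applied; the acl names slaves and mynet are my own choice, and the addresses are the ones used in this post.

```conf
acl slaves { 172.16.249.131; };              // the slave used in this post
acl mynet  { 172.16.0.0/16; 127.0.0.0/8; };

options {
    directory "/var/named";
    allow-query     { any; };      // authoritative data may be queried by anyone
    allow-recursion { mynet; };    // but recursion only for our own network
    allow-transfer  { none; };     // global default: no zone transfer unless a zone allows it
};

// Before: no allow-transfer, so the built-in default lets any host pull the whole zone
// zone "stu61.com" IN { type master; file "stu61.com.zone"; };

// After, on the master (172.16.249.130): only the listed slave may transfer
zone "stu61.com" IN {
    type master;
    file "stu61.com.zone";
    allow-transfer { slaves; };
    allow-update   { none; };
};

// On the slave (172.16.249.131): take data only from the master and do not
// hand the zone on to anyone else by transfer
zone "stu61.com" IN {
    type slave;
    file "slaves/stu61.com.zone";
    masters        { 172.16.249.130; };
    allow-notify   { 172.16.249.130; };
    allow-transfer { none; };
};
```

Run named-checkconf after editing; afterwards, dig axfr stu61.com @172.16.249.130 from any host other than the slave should end with "Transfer failed." instead of listing the zone.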