DNS安装与设置(3)
主要实现DNS从服务器及配置转发服务器配置与实现
测试环境还是参照1,2来实现从服务器配置
1:测试环境
DNS版本:version: 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6
主服务器:10.1.77.85
从服务器:192.168.7.74
2:安装从服务器和转发服务器之前需要知道的
1-1.如何创建从服务器?
如果有多台DNS从服务器,必须为每个DNS服务器建立NS记录,否则主DNS不能向从服务器发送通知。
区域定义:
zone "区域名称" IN {
type slave;
file "slaves/ZONE_NAME.zone";
master {
master_dns_ip;
master_dns2_ip;};
};
在主服务器/etc/named.rfc1912.zones 设置从服务器可以请求数据allow-transfer { IP; };
1-2.bind访问控制列表
acl string { address_match_clement;.... };
ang, none,local,localnet 这几个参数都可以选择
2-2.如何将请求转发出去解析:
转发类型:
转发所有针对非本机负责解析的区域的请求;
options {
forwarders { 192.168.211.116; };
forward only;
};
仅针对特定区域进行转发:
zone {
type forward;
};
PS:转发的前提,接受请求的服务器必须能够为请求者做递归查询;
forwarders { IP; };
forward only | first;
3:现在根据前面的提示开始设置
1-1:在主服务器设置 allow-transfer
[root@erickpuppet77_85 ~]# less /etc/named.rfc1912.zones
zone "luhaigang.com" IN {
type master;
file "luhaigang.com.zone";
allow-transfer { 192.168.7.74; };
};
zone "luhaigang.cn" IN {
type master;
file "luhaigang.cn.zone";
allow-transfer { 192.168.7.74; };
};
zone "77.1.10.in-addr.arpa" IN {
type master;
file "77.1.10.zone";
allow-transfer { 192.168.7.74; };
};
1-2:在192.168.7.74安装 DNS从服务器
[root@erickagent ~]#yum -y install bind*
修改配置文件之前不要启动named
修改从服务器192.168.7.74的DNS配置文件/etc/named.rfc1912.zones
[root@erickagent ~]# less /etc/named.rfc1912.zones
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
zone "luhaigang.com" IN {
type slave;//类型为从服务器
file "slaves/luhaigang.com.zone";//从服务器的区域文件
allow-transfer { none; };//从服务器不允许其它DNS请求
masters { 10.1.77.85; };//指明主服务器的IP地址
};
zone "luhaigang.cn" IN {
type slave;
file "slaves/luhaigang.cn.zone";
allow-transfer { none; };
masters { 10.1.77.85; };
};
zone "77.1.10.in-addr.arpa" {
type slave;
file "slaves/77.1.10.zone";
allow-transfer { none; };
masters { 10.1.77.85; };
};
在从服务器192.168.7.74创建slaves这个目录即可
#makdir /var/named/slaves
#chown named:named /var/named/slaves
#chmod 640 /var/named/slaves
以上步骤做完之后即可在从服务器192.168.7.74启动named程序:
#service named start
启动之后,去从服务器192.168.7.74下的/var/named/slaves会看到两个正向解析文件和一个反向解析文件都会同步到从服务器
[root@erickagent ~]# ll /var/named/slaves/
总用量 12
-rw-r--r-- 1 named named 491 3月 25 13:45 77.1.10.zone
-rw-r--r-- 1 named named 437 3月 25 13:48 luhaigang.cn.zone
-rw-r--r-- 1 named named 443 3月 25 14:19 luhaigang.com.zone
[root@erickagent ~]# less /var/named/slaves/luhaigang.cn.zone
$ORIGIN .
$TTL 3600 ; 1 hour
luhaigang.cn IN SOA dns.luhaigang.cn. admin.luhaigang.cn. (
2015032315 ; serial
3600 ; refresh (1 hour)
300 ; retry (5 minutes)
259200 ; expire (3 days)
10800 ; minimum (3 hours)
)
NS dns.luhaigang.cn.
MX 10 mail.luhaigang.cn.
$ORIGIN luhaigang.cn.
dns A 10.1.77.85
mail A 10.1.77.89
web CNAME www
www A 10.1.77.86
A 10.1.77.87
A 10.1.77.88
把从服务器192.168.7.74的本地dns配置文件修改成自己的地址
[root@erickagent ~]# less /etc/resolv.conf
nameserver 192.168.7.74
如果一切顺利,现在测试是否可以解析到luhaigang.com(正向),luhaigang.cn(正向),192.168.7.74(反向),10.1.77.85(反向)
[root@erickagent ~]# dig -t A luhaigang.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t A luhaigang.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14140
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;luhaigang.com. IN A
;; AUTHORITY SECTION:
luhaigang.com. 3600 IN SOA dns.luhaigang.com. admin.luhaigang.com. 2015032315 3600 300 259200 10800
;; Query time: 0 msec
;; SERVER: 192.168.7.74#53(192.168.7.74)
;; WHEN: Wed Mar 25 14:45:20 2015
;; MSG SIZE rcvd: 77
[root@erickagent ~]# dig -t A luhaigang.con
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t A luhaigang.con
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26850
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;luhaigang.con. IN A
;; AUTHORITY SECTION:
. 10800 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2015032401 1800 900 604800 86400
;; Query time: 230 msec
;; SERVER: 192.168.7.74#53(192.168.7.74)
;; WHEN: Wed Mar 25 14:45:27 2015
;; MSG SIZE rcvd: 106
[root@erickagent ~]# dig -x 192.168.7.74
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -x 192.168.7.74
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 58440
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;74.7.168.192.in-addr.arpa. IN PTR
;; Query time: 415 msec
;; SERVER: 192.168.7.74#53(192.168.7.74)
;; WHEN: Wed Mar 25 14:45:47 2015
;; MSG SIZE rcvd: 43
[root@erickagent ~]# dig -x 10.1.77.85
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -x 10.1.77.85
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32824
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;85.77.1.10.in-addr.arpa. IN PTR
;; ANSWER SECTION:
85.77.1.10.in-addr.arpa. 3600 IN PTR dns.luhaigang.com.
;; AUTHORITY SECTION:
77.1.10.in-addr.arpa. 3600 IN NS dns.luhaigang.com.
;; ADDITIONAL SECTION:
dns.luhaigang.com. 3600 IN A 10.1.77.85
;; Query time: 0 msec
;; SERVER: 192.168.7.74#53(192.168.7.74)
;; WHEN: Wed Mar 25 14:45:56 2015
;; MSG SIZE rcvd: 102
[root@erickagent ~]#
4:以上实现了从服务器的配置与实现,以下开始实现转发功能
1:在主DNS服务器10.1.77.85编辑named.conf配置文件
[root@erickpuppet77_85 ~]# less /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
// listen-on port 53 { 127.0.0.1; };
// listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
// allow-query { localhost; };
recursion yes;
forwarders { 192.168.211.116; };
forward only;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
配置文件修改完成之后重启下named #service named restart
这个Ip地址是我们内网的一个DNS服务器
现在测试一下是否可以解析211.116这个dns服务器负责的域名解析
1:主DNS服务器测试是否可以转发
[root@erickpuppet77_85 ~]# dig -t A www.baidu.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.2 <<>> -t A www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41941
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.baidu.com. IN A
;; ANSWER SECTION:
www.baidu.com. 1200 IN CNAME www.a.shifen.com.
www.a.shifen.com. 299 IN A 115.239.210.27
www.a.shifen.com. 299 IN A 115.239.211.112
;; Query time: 1145 msec
;; SERVER: 10.1.77.85#53(10.1.77.85)
;; WHEN: Wed Mar 25 15:11:39 2015
;; MSG SIZE rcvd: 90
You have new mail in /var/spool/mail/root
[root@erickpuppet77_85 ~]#
2:从服务器测试是否可以转发
[root@erickagent ~]# dig -t A www.baidu.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t A www.baidu.com
;; global options: +cmd
;; connection timed out; no servers could be reached
[root@erickagent ~]# service named start
Starting named: [ OK ]
[root@erickagent ~]# dig -t A www.baidu.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t A www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24832
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 5
;; QUESTION SECTION:
;www.baidu.com. IN A
;; ANSWER SECTION:
www.baidu.com. 1200 IN CNAME www.a.shifen.com.
www.a.shifen.com. 300 IN A 115.239.210.27
www.a.shifen.com. 300 IN A 115.239.211.112
;; AUTHORITY SECTION:
a.shifen.com. 1200 IN NS ns1.a.shifen.com.
a.shifen.com. 1200 IN NS ns2.a.shifen.com.
a.shifen.com. 1200 IN NS ns3.a.shifen.com.
a.shifen.com. 1200 IN NS ns4.a.shifen.com.
a.shifen.com. 1200 IN NS ns5.a.shifen.com.
;; ADDITIONAL SECTION:
ns4.a.shifen.com. 1200 IN A 115.239.210.176
ns1.a.shifen.com. 1200 IN A 61.135.165.224
ns3.a.shifen.com. 1200 IN A 61.135.162.215
ns2.a.shifen.com. 1200 IN A 180.149.133.241
ns5.a.shifen.com. 1200 IN A 119.75.222.17
;; Query time: 1694 msec
;; SERVER: 192.168.7.74#53(192.168.7.74)
;; WHEN: Wed Mar 25 15:12:34 2015
;; MSG SIZE rcvd: 260
现在主从都可以通过211.116转发请求到www.baidu.com的A记录
下一章节就开始实现DNS的日志系统的实现