DNS服务器综合实验(包含view下主从+子域授权+转发域)
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了DNS服务器综合实验(包含view下主从+子域授权+转发域)相关的知识,希望对你有一定的参考价值。
说明:本文并不是一上来就搭建包含view下主从+子域授权+转发域的实验环境,我们按照先易后难的顺序逐渐深入搭建的。特此说明。
===============================实战=======================================
规划:
主DNS:192.168.0.10
从DNS:192.168.0.11 其他地址:192.168.0.13、192.168.0.14
子域DNS:192.168.0.12
注意:所有工作之前,将所有的主机进行如下设置
[[email protected] ~]# setenforce 0 #selinux
[[email protected] ~]# systemctl stop firewalld.service #防火墙
实验一、建立区域和相应的区域数据文件(在主服务器192.168.0.10上实验)
1.修改主配置文件:
[[email protected] ~]# vim /etc/named.conf
修改如下几行内容:
listen-on port 53 { any; }; #由listen-on port 53 { 127.0.0.1; };修改
allow-query { any; }; #由allow-query { localhost; };修改
修改后检查主配置文件是否有语法错误:
[[email protected] ~]# named-checkconf
修改主配置文件:
[[email protected] ~]# vim /etc/named.rfc1912.zones
在最后追加想要添加的区域,本例中创建一个正向区域和一个相对应的反向区域:ljzlinux.com、0.168.192.in-addr.arpa
zone "ljzlinux.com" IN { type master; file "ljzlinux.com.zone"; allow-update { none; }; }; zone "0.168.192.in-addr.arpa" IN { type master; file "0.168.192.zone"; allow-update { none; }; };
2.创建以上两个区域的区域数据文件:
[[email protected] named]# vim /var/named/ljzlinux.com.zone #创建正向区域数据文件
$TTL 600 @ IN SOA ns1.ljzlinux.com. admin.ljzlinux.com. ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum @ IN NS ns1.ljzlinux.com. IN NS ns2.ljzlinux.com. IN MX 10 mail ns1 IN A 192.168.0.10 ns2 IN A 192.168.0.11 mail IN A 192.168.0.101 www.ljzlinux.com. IN A 192.168.0.102#此处使用全称 www IN A 192.168.0.103 ftp IN CNAME www
修改后检查区域数据文件是否有语法错误:
[[email protected] ~]# named-checkzone ljzlinux.com /var/named/ljzlinux.com.zone
zone ljzlinux.com.zone/IN: loaded serial 0
OK
[[email protected] named]# vim /var/named/0.168.192.zone #创建反向区域数据文件
#反向区域数据文件可以在正向区域数据文件的基础上修改,通过cp -a 命令复制。反向区域数据文件只保留SOA、NS记录,其他的A记录转换为PTR记录,CNAME也要转换为PTR.
$TTL 600 @ IN SOA ns1.ljzlinux.com. admin.ljzlinux.com. ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum @ IN NS ns1.ljzlinux.com.#注意(易错点):值中的FQDN部分在反向解析库中需要写全称 IN NS ns2.ljzlinux.com. 10 IN PTR ns1.ljzlinux.com. 11 IN PTR ns2.ljzlinux.com. 101 IN PTR mail.ljzlinux.com. 102 IN PTR www.ljzlinux.com. 103 IN PTR www.ljzlinux.com. 102 IN PTR ftp.ljzlinux.com. #102.0.168.192.in-addr.arpa. IN PTR ftp.ljzlinux.com.#这是IP全称的写法
修改后检查区域数据文件是否有语法错误:
[[email protected] named]# named-checkzone 0.168.192.zone /var/named/0.168.192.zone
自己建立的区域数据文件一定要修改其属主属主为root:named,权限为640:
[[email protected] named]# chown root:named ljzlinux.com.zone 0.168.192.zone
[[email protected] named]# chmod 640 ljzlinux.com.zone 0.168.192.zone
#以上部分完成后就完成了区域和区域数据文件的建立。
实验二:在实验一的基础上,通过view(视图)实现分离解析:
view定义:DNS服务器有一个高级的功能,能够实现不同的用户访问同一个域名,把域名解析成不同的IP地址,使用户能够访问离他最近的服务器上的数据,这就是 DNS服务器的视图功能。使用DNS服务器的视图功能可以增加网站的响应速度。例如,当我们网站的数据同步在两台web服务器上时,一台是电信服务器,一台是网通服务器,那么我们肯定希望全国访问我们网站的用户在打开网站的时候,能够自动实现,电信用户访问电信服务器,网通用户访问网通服务器。配置这种情 况的前提是,web服务器必须要有一个电信的IP地址和一个网通的IP地址。DNS服务器的这种解析功能通常也被称之为智能解析。
view视图的实现:通过view下的match-clients语句控制此view的访问客户端来源,以实现分离解析。view视图主要格式为:
view “VIEW_NAME” { match-clients { IP;ACL; };#此语句是view中最关键的一个语句,使用访问IP的控制,可以使用预先定义的ACL(访问控制列表) zone .... };
view视图特点:要求所有的zone都要包含在view视图中。view视图是根据配置文件从上往下匹配的,所以希望优先访问的资源记录文件、区域应该尽量写前面。
1.修改主配置文件:
将/etc/named.conf中的根区域复制到/etc/named.rfc1912.zones文件中,以便让view视图能够覆盖所有的zone:
zone "." IN { type hint; file "named.ca"; };
将所有的zone进行view划分:划分为unicom、telecom、default。每个view都包括所有的zone。
[[email protected] named]# vim /etc/named.rfc1912.zones
// named.rfc1912.zones: // // Provided by Red Hat caching-nameserver package // // ISC BIND named zone configuration for zones recommended by // RFC 1912 section 4.1 : localhost TLDs and address zones // and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt // (c)2007 R W Franks // // See /usr/share/doc/bind*/sample/ for example named configuration files. // #以下自定义ACL acl "unicom" { 192.168.0.0/24; }; acl "telecom" { 1.1.1.0/24; };
#以下定义的是视图unicom,注意:同一个zone在不同视图下要用file指定不同的区域数据文件,通过此法实现解析分离(例如ljzlinux.com的区域数据文件在unicom视图下为ljzlinux.com.zone.unicom,在teltcom视图下为ljzlinux.com.zone.telecom。分别在这两个区域数据文件中定义同一个服务器的不同的网址。)
view "unicom" { match-clients { unicom; }; zone "." IN { type hint; file "named.ca"; }; zone "localhost.localdomain" IN { type master; file "named.localhost"; allow-update { none; }; }; zone "localhost" IN { type master; file "named.localhost"; allow-update { none; }; }; zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { type master; file "named.loopback"; allow-update { none; }; }; zone "1.0.0.127.in-addr.arpa" IN { type master; file "named.loopback"; allow-update { none; }; }; zone "0.in-addr.arpa" IN { type master; file "named.empty"; allow-update { none; }; }; zone "ljzlinux.com" IN { type master; file "ljzlinux.com.zone.unicom"; allow-update { none; }; }; zone "0.168.192.in-addr.arpa" IN { type master; file "0.168.192.zone.unicom"; allow-update { none; }; }; }; #以下定义的是视图telecom view "telecom" { match-clients { telecom; }; zone "." IN { type hint; file "named.ca"; }; zone "localhost.localdomain" IN { type master; file "named.localhost"; allow-update { none; }; }; zone "localhost" IN { type master; file "named.localhost"; allow-update { none; }; }; zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { type master; file "named.loopback"; allow-update { none; }; }; zone "1.0.0.127.in-addr.arpa" IN { type master; file "named.loopback"; allow-update { none; }; }; zone "0.in-addr.arpa" IN { type master; file "named.empty"; allow-update { none; }; }; zone "ljzlinux.com" IN { type master; file "ljzlinux.com.zone.telecom"; allow-update { none; }; }; zone "1.1.1.in-addr.arpa" IN {#将0.168.192.in-addr.arpa修改为1.1.1.in-addr.arpa type master; file "1.1.1.zone.telecom";#注意此处的文件名的修改 allow-update { none; }; }; }; #以下部分定义的default视图,如果unicom和telecom视图都没有匹配到的ip会访问此视图。 view "default" { match-clients { any; }; zone "." IN { type hint; file "named.ca"; }; zone "localhost.localdomain" IN { type master; file "named.localhost"; allow-update { none; }; }; zone "localhost" IN { type master; file "named.localhost"; allow-update { none; }; }; zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { type master; file "named.loopback"; allow-update { none; }; }; zone "1.0.0.127.in-addr.arpa" IN { type master; file "named.loopback"; allow-update { none; }; }; zone "0.in-addr.arpa" IN { type master; file "named.empty"; allow-update { none; }; }; zone "ljzlinux.com" IN { type master; file "ljzlinux.com.zone.unicom"; allow-update { none; }; }; zone "0.168.192.in-addr.arpa" IN { type master; file "0.168.192.zone.unicom"; allow-update { none; }; }; };
2.修改区域数据文件:
创建正向区域数据文件ljzlinux.com.zone.unicom: #此文件使用原来的内容,所以无需改动,只需要修改一下解析库(区域数据文件)文件名即可
[[email protected] named]# cp -a ljzlinux.com.zone ljzlinux.com.zone.unicom
创建正向区域数据文件ljzlinux.com.zone.telecom:
[[email protected] named]# cp -a ljzlinux.com.zone ljzlinux.com.zone.telecom
[[email protected] named]# vim ljzlinux.com.zone.telecom
$TTL 600 @ IN SOA ns1.ljzlinux.com. admin.ljzlinux.com. ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum @ IN NS ns1.ljzlinux.com. IN NS ns2.ljzlinux.com. IN MX 10 mail ns1 IN A 1.1.1.10 ns2 IN A 1.1.1.11 mail IN A 1.1.1.101 www.ljzlinux.com. IN A 1.1.1.102 www IN A 1.1.1.103 ftp IN CNAME www
创建反向区域数据文件0.168.192.zone.unicom:
[[email protected] named]# cp -a 0.168.192.zone 0.168.192.zone.unicom
创建反向区域数据文件1.1.1.zone.telecom:
[[email protected] named]# cp -a 0.168.192.zone 1.1.1.zone.telecom
[[email protected] named]# vim 1.1.1.zone.telecom
#因为此处我的反向区域数据文件使用的是简写IP,而我修改了主配置文件中区域的名称为1.1.1.in-addr.arpa,IP自动补全后正是我们需要的IP,所以无需修改。
#如果你的IP不是简写的,需要将你ip修改为其正向区域对应的IP。
至此,view视图配置完毕。
进行如下测试:
[[email protected] named]# ifconfig eno16777736:0 1.1.1.10/24
#配置一个1.1.1.0/24网段的地址,将此服务器配置成IP为1.1.1.10的DNS服务器 [[email protected] named]# ifconfig eno16777736:1 11.11.11.10/24 #配置一个11.11.11.0/24网段的地址。
[[email protected] named]# dig -t A www.ljzlinux.com @192.168.0.10
# ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> -t A www.ljzlinux.com @192.168.0.10 # ;; global options: +cmd # ;; Got answer: # ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15217 # ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3 # ;; OPT PSEUDOSECTION: # ; EDNS: version: 0, flags:; udp: 4096 # ;; QUESTION SECTION: # ;www.ljzlinux.com. IN A # ;; ANSWER SECTION: # www.ljzlinux.com. 600 IN A 192.168.0.103 # www.ljzlinux.com. 600 IN A 192.168.0.102 # ;; AUTHORITY SECTION: # ljzlinux.com. 600 IN NS ns1.ljzlinux.com. # ljzlinux.com. 600 IN NS ns2.ljzlinux.com. # ;; ADDITIONAL SECTION: # ns1.ljzlinux.com. 600 IN A 192.168.0.10 # ns2.ljzlinux.com. 600 IN A 192.168.0.11 # ;; Query time: 8 msec # ;; SERVER: 192.168.0.10#53(192.168.0.10) # ;; WHEN: Wed Jan 18 08:44:17 EST 2017 # ;; MSG SIZE rcvd: 145
反向解析:
[[email protected] ~]# dig -x 192.168.0.103 @192.168.0.10 # ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> -x 192.168.0.103 @192.168.0.10 # ;; global options: +cmd # ;; Got answer: # ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9916 # ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3 # ;; OPT PSEUDOSECTION: # ; EDNS: version: 0, flags:; udp: 4096 # ;; QUESTION SECTION: # ;103.0.168.192.in-addr.arpa. IN PTR # ;; ANSWER SECTION: # 103.0.168.192.in-addr.arpa. 600 IN PTR www.ljzlinux.com. # ;; AUTHORITY SECTION: # 0.168.192.in-addr.arpa. 600 IN NS ns2.ljzlinux.com. # 0.168.192.in-addr.arpa. 600 IN NS ns1.ljzlinux.com. # ;; ADDITIONAL SECTION: # ns1.ljzlinux.com. 600 IN A 192.168.0.10 # ns2.ljzlinux.com. 600 IN A 192.168.0.11 # ;; Query time: 0 msec # ;; SERVER: 192.168.0.10#53(192.168.0.10) # ;; WHEN: Thu Jan 19 07:17:54 EST 2017 # ;; MSG SIZE rcvd: 153 [[email protected] named]# dig -t A www.ljzlinux.com @1.1.1.10 # ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> -t A www.ljzlinux.com @1.1.1.10 # ;; global options: +cmd # ;; Got answer: # ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57698 # ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3 # ;; OPT PSEUDOSECTION: # ; EDNS: version: 0, flags:; udp: 4096 # ;; QUESTION SECTION: # ;www.ljzlinux.com. IN A # ;; ANSWER SECTION: # www.ljzlinux.com. 600 IN A 1.1.1.102 # www.ljzlinux.com. 600 IN A 1.1.1.103 # ;; AUTHORITY SECTION: # ljzlinux.com. 600 IN NS ns1.ljzlinux.com. # ljzlinux.com. 600 IN NS ns2.ljzlinux.com. # ;; ADDITIONAL SECTION: # ns1.ljzlinux.com. 600 IN A 1.1.1.10 # ns2.ljzlinux.com. 600 IN A 1.1.1.11 # ;; Query time: 0 msec # ;; SERVER: 1.1.1.10#53(1.1.1.10) # ;; WHEN: Wed Jan 18 08:40:33 EST 2017 # ;; MSG SIZE rcvd: 145
反向解析测试
[[email protected] ~]# dig -x 1.1.1.103 @1.1.1.10 # ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> -x 1.1.1.103 @1.1.1.10 # ;; global options: +cmd # ;; Got answer: # ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56412 # ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3 # ;; OPT PSEUDOSECTION: # ; EDNS: version: 0, flags:; udp: 4096 # ;; QUESTION SECTION: # ;103.1.1.1.in-addr.arpa. IN PTR # ;; ANSWER SECTION: # 103.1.1.1.in-addr.arpa. 600 IN PTR www.ljzlinux.com. # ;; AUTHORITY SECTION: # 1.1.1.in-addr.arpa. 600 IN NS ns1.ljzlinux.com. # 1.1.1.in-addr.arpa. 600 IN NS ns2.ljzlinux.com. # ;; ADDITIONAL SECTION: # ns1.ljzlinux.com. 600 IN A 1.1.1.10 # ns2.ljzlinux.com. 600 IN A 1.1.1.11 # ;; Query time: 0 msec # ;; SERVER: 1.1.1.10#53(1.1.1.10) # ;; WHEN: Thu Jan 19 07:16:07 EST 2017 # ;; MSG SIZE rcvd: 149 [[email protected] named]# dig -t A www.ljzlinux.com @11.11.11.10 # ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> -t A www.ljzlinux.com @11.11.11.10 # ;; global options: +cmd # ;; Got answer: # ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49483 # ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3 # ;; OPT PSEUDOSECTION: # ; EDNS: version: 0, flags:; udp: 4096 # ;; QUESTION SECTION: # ;www.ljzlinux.com. IN A # ;; ANSWER SECTION: # www.ljzlinux.com. 600 IN A 192.168.0.102 # www.ljzlinux.com. 600 IN A 192.168.0.103 # ;; AUTHORITY SECTION: # ljzlinux.com. 600 IN NS ns2.ljzlinux.com. # ljzlinux.com. 600 IN NS ns1.ljzlinux.com. # ;; ADDITIONAL SECTION: # ns1.ljzlinux.com. 600 IN A 192.168.0.10 # ns2.ljzlinux.com. 600 IN A 192.168.0.11 # ;; Query time: 0 msec # ;; SERVER: 11.11.11.10#53(11.11.11.10) # ;; WHEN: Wed Jan 18 08:45:36 EST 2017 # ;; MSG SIZE rcvd: 145 [r[email protected] ~]# dig -x 192.168.0.103 @11.11.11.10 # ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> -x 192.168.0.103 @11.11.11.10 # ;; global options: +cmd # ;; Got answer: # ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10269 # ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3 # ;; OPT PSEUDOSECTION: # ; EDNS: version: 0, flags:; udp: 4096 # ;; QUESTION SECTION: # ;103.0.168.192.in-addr.arpa. IN PTR # ;; ANSWER SECTION: # 103.0.168.192.in-addr.arpa. 600 IN PTR www.ljzlinux.com. # ;; AUTHORITY SECTION: # 0.168.192.in-addr.arpa. 600 IN NS ns2.ljzlinux.com. # 0.168.192.in-addr.arpa. 600 IN NS ns1.ljzlinux.com. # ;; ADDITIONAL SECTION: # ns1.ljzlinux.com. 600 IN A 192.168.0.10 # ns2.ljzlinux.com. 600 IN A 192.168.0.11 # ;; Query time: 0 msec # ;; SERVER: 11.11.11.10#53(11.11.11.10) # ;; WHEN: Thu Jan 19 07:19:41 EST 2017 # ;; MSG SIZE rcvd: 153
可以看到使用同IP的NS服务器访问,会得到不同的解析结果。
实验三、主从DNS服务器配置(在以上基础上实现):
配置目的:如果只有一个DNS服务器工作,出现宕机,造成损失。为了实现当有一台服务器出现宕机情况时,仍能够提供正常的服务,就出现了主从DNS服务器的搭建。主和从的解析库(区域数据文件)内容是完全一样的,从的解析库是从主上面完全copy来的,所以要让两台服务器都能够提供解析功能,这两台NS服务器都必须在主的区域配置文件中定义。(例如实验一中的ns1和ns2。)
如何实现:只需在主的zone中用allow-transfer { IP; };指定要进行数据传输的从IP,然后在从的同一zone中用masters { IP; };指定要从哪台主服务器进行数据传输。所以对于主从复制,每个zone都需要allow-transfer、transfer-source两个参数同时指定,二者缺一不可。
1.修改主的配置文件中要进行传输zone:(本例配置ljzlinux.com.和其反向区域0.168.192.in-addr.arpa)
[[email protected] named]# vim /etc/named.rfc1912.zones
#在需要的zone中加入allow-transfer { 192.168.0.11; };语句
。。。。。之前部分省略。。。。。
zone "ljzlinux.com" IN {
type master;
file "ljzlinux.com.zone";
allow-update { none; };
allow-transfer { 192.168.0.11; } #此语句为新增
};
zone "0.168.192.in-addr.arpa" IN {
type master;
file "0.168.192.zone";
allow-update { none; };
allow-transfer { 192.168.0.11; } #此语句为新增
};
2.修改从的配置文件中相应的zone:
从的配置可以将主的配置文件复制过来进行修改:
[[email protected] named]#scp -a 192.168.0.10:/etc/named.rfc1912.zones /etc/named.rfc1912.zones [[email protected] named]# vim /etc/named.rfc1912.zones 。。。。。之前部分省略。。。。。 zone "ljzlinux.com" IN { type slave;#由原来的type master;修改 file "slaves/ljzlinux.com.zone";#由原来的file "ljzlinux.com.zone";修改 allow-update { none; }; masters { 192.168.0.10; }#此语句为新增 masterfile-format text;#如果复制到slaves目录下的文件是乱码,使用此语句。 }; zone "0.168.192.in-addr.arpa" IN { type slave; file "slaves/0.168.192.zone"; allow-update { none; }; masters { 192.168.0.10; }#此语句为新增 masterfile-format text; };
至此,简单的主从DNS服务器搭建完毕。
实验四:搭建view下的主从DNS服务器:
与简单主从的区别:view视图下主从DNS服务器要求:主服务器下的每个view都需要从服务器的一个IP来传输,不能用同一个IP来传输多个view,所以主有几个view,从就需要几个IP。
如何实现:主设置与简单主从一样,只需在主的view(或zone)中用allow-transfer { IP; };指定要进行数据传输的从IP,但需要注意的是每个view使用不同的从IP,不能重复。其次,从的设置是在简单主从的基础上,增加transfer-source IP;来指定此view用从的哪个IP去传输数据,注意此语句的IP不能用花括号扩起来。还要注意的一点就是:在主、从相应的同一个view中,主allow-transfer { IP; }与从transfer-source IP;要一致。这样才能建立传输连接进行传输。所以对于view视图下的主从复制,每个zone都需要allow-transfer、transfer-source、masters三个参数同时指定,缺一不可。
说明:此试验在view建立之下实验:
1.修改主DNS服务器的主配置文件:
[[email protected] named]# vim /etc/named.rfc1912.zones // named.rfc1912.zones: // // Provided by Red Hat caching-nameserver package // // ISC BIND named zone configuration for zones recommended by // RFC 1912 section 4.1 : localhost TLDs and address zones // and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt // (c)2007 R W Franks // // See /usr/share/doc/bind*/sample/ for example named configuration files. // acl "unicom" { 192.168.0.0/24; }; acl "telecom" { 1.1.1.0/24; }; view "unicom" { match-clients { 192.168.0.11;!192.168.0.13;!192.168.0.14;unicom; };#需要在match-clients中添加从服务器同步view的IP地址。其中!192.168.0.13意思是排除此IP. allow-transfer { 192.168.0.11; };#添加此行,allow-transfer允许同步该view的从服务器的IP地址(注意allow-transfer位置不同,作用域不同) zone "." IN { type hint; file "named.ca"; }; zone "localhost.localdomain" IN { type master; file "named.localhost"; allow-update { none; }; }; zone "localhost" IN { type master; file "named.localhost"; allow-update { none; }; }; zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { type master; file "named.loopback"; allow-update { none; }; }; zone "1.0.0.127.in-addr.arpa" IN { type master; file "named.loopback"; allow-update { none; }; }; zone "0.in-addr.arpa" IN { type master; file "named.empty"; allow-update { none; }; }; zone "ljzlinux.com" IN { type master; file "ljzlinux.com.zone.unicom"; allow-update { none; }; }; zone "0.168.192.in-addr.arpa" IN { type master; file "0.168.192.zone.unicom"; allow-update { none; }; }; }; view "telecom" { match-clients { !192.168.0.11;192.168.0.13;!192.168.0.14;telecom; };#修改此行 allow-transfer { 192.168.0.13; };#此行为新增 zone "." IN { type hint; file "named.ca"; }; zone "localhost.localdomain" IN { type master; file "named.localhost"; allow-update { none; }; }; zone "localhost" IN { type master; file "named.localhost"; allow-update { none; }; }; zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { type master; file "named.loopback"; allow-update { none; }; }; zone "1.0.0.127.in-addr.arpa" IN { type master; file "named.loopback"; allow-update { none; }; }; zone "0.in-addr.arpa" IN { type master; file "named.empty"; allow-update { none; }; }; zone "ljzlinux.com" IN { type master; file "ljzlinux.com.zone.telecom"; allow-update { none; }; }; zone "1.1.1.in-addr.arpa" IN { type master; file "1.1.1.zone.telecom"; allow-update { none; }; }; }; view "default" { match-clients { !192.168.0.11;!192.168.0.13;192.168.0.14;any; };#修改此行 allow-transfer { 192.168.0.14; };#此行为新增 zone "." IN { type hint; file "named.ca"; }; zone "localhost.localdomain" IN { type master; file "named.localhost"; allow-update { none; }; }; zone "localhost" IN { type master; file "named.localhost"; allow-update { none; }; }; zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { type master; file "named.loopback"; allow-update { none; }; }; zone "1.0.0.127.in-addr.arpa" IN { type master; file "named.loopback"; allow-update { none; }; }; zone "0.in-addr.arpa" IN { type master; file "named.empty"; allow-update { none; }; }; zone "ljzlinux.com" IN { type master; file "ljzlinux.com.zone.unicom"; allow-update { none; }; }; zone "0.168.192.in-addr.arpa" IN { type master; file "0.168.192.zone.unicom"; allow-update { none; }; }; };
2.修改从服务器的主配置文件;
我们将主的配置文件复制过来,在其基础上进行修改:
[[email protected] ~]# scp -p 192.168.0.10:/etc/named.conf /etc/named.conf [[email protected] ~]# scp -p 192.168.0.10:/etc/named.rfc1912.zones /etc/named.rfc1912.zones [[email protected] ~]# vim /etc/named.rfc1912.zones [[email protected] slaves]# cat /etc/named.rfc1912.zones // named.rfc1912.zones: // // Provided by Red Hat caching-nameserver package // // ISC BIND named zone configuration for zones recommended by // RFC 1912 section 4.1 : localhost TLDs and address zones // and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt // (c)2007 R W Franks // // See /usr/share/doc/bind*/sample/ for example named configuration files. // acl "unicom" { 192.168.0.0/24; }; acl "telecom" { 1.1.1.0/24; }; view "unicom" { match-clients { 192.168.0.11;!192.168.0.13;!192.168.0.14;unicom; }; transfer-source 192.168.0.11; #将此行由原来的allow-transfer 修改为transfer-source,注意IP地址要一样,且去掉花括号。(其他view修改雷同) zone "." IN { type hint; file "named.ca"; }; zone "localhost.localdomain" IN { type master; file "named.localhost"; allow-update { none; }; }; zone "localhost" IN { type master; file "named.localhost"; allow-update { none; }; }; zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { type master; file "named.loopback"; allow-update { none; }; }; zone "1.0.0.127.in-addr.arpa" IN { type master; file "named.loopback"; allow-update { none; }; }; zone "0.in-addr.arpa" IN { type master; file "named.empty"; allow-update { none; }; }; zone "ljzlinux.com" IN { type slave; file "slaves/ljzlinux.com.zone.unicom"; masterfile-format text; masters { 192.168.0.10; }; masterfile-format text;#从主服务器复制来的文件是乱码时,采用此选项 }; zone "0.168.192.in-addr.arpa" IN { type slave; file "slaves/0.168.192.zone.unicom"; masterfile-format text; masters { 192.168.0.10; }; masterfile-format text; }; }; view "telecom" { match-clients { !192.168.0.11;192.168.0.13;!192.168.0.14;telecom; }; transfer-source 192.168.0.13; zone "." IN { type hint; file "named.ca"; }; zone "localhost.localdomain" IN { type master; file "named.localhost"; allow-update { none; }; }; zone "localhost" IN { type master; file "named.localhost"; allow-update { none; }; }; zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { type master; file "named.loopback"; allow-update { none; }; }; zone "1.0.0.127.in-addr.arpa" IN { type master; file "named.loopback"; allow-update { none; }; }; zone "0.in-addr.arpa" IN { type master; file "named.empty"; allow-update { none; }; }; zone "ljzlinux.com" IN { type slave; file "slaves/ljzlinux.com.zone.telecom"; masterfile-format text; masters { 192.168.0.10; }; masterfile-format text; }; zone "1.1.1.in-addr.arpa" IN { type slave; file "slaves/1.1.1.zone.telecom"; masterfile-format text; masters { 192.168.0.10; }; masterfile-format text; }; }; view "default" { match-clients{ !192.168.0.11;!192.168.0.13;192.168.0.14;any; }; transfer-source 192.168.0.14; zone "." IN { type hint; file "named.ca"; }; zone "localhost.localdomain" IN { type master; file "named.localhost"; allow-update { none; }; }; zone "localhost" IN { type master; file "named.localhost"; allow-update { none; }; }; zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { type master; file "named.loopback"; allow-update { none; }; }; zone "1.0.0.127.in-addr.arpa" IN { type master; file "named.loopback"; allow-update { none; }; }; zone "0.in-addr.arpa" IN { type master; file "named.empty"; allow-update { none; }; }; zone "ljzlinux.com" IN { type slave; file "slaves/ljzlinux.com.zone.unicom"; masterfile-format text; masters { 192.168.0.10; }; masterfile-format text; }; zone "0.168.192.in-addr.arpa" IN { type slave; file "slaves/0.168.192.zone.unicom"; masterfile-format text; masters { 192.168.0.10; }; masterfile-format text; }; };
由于文件是从主服务器上复制过来的,需要修改其属主和数组:
[[email protected] ~]# chown root:named /etc/named.rfc1912.zones
3.为从服务器增加两个ip地址:
[[email protected] slaves]# cd /etc/sysconfig/network-scripts/ [[email protected] network-scripts]# cp ifcfg-eno16777736 ifcfg-eno16777736:0 [[email protected] network-scripts]# vim ifcfg-eno16777736:0
修改如下几行:
NAME=eno16777736:0
DEVICE=eno16777736:0
IPADDR=192.168.0.13
[[email protected] network-scripts]# cp ifcfg-eno16777736 ifcfg-eno16777736:1 [[email protected] network-scripts]# vim ifcfg-eno16777736:1
修改如下几行:
NAME=eno16777736:1
DEVICE=eno16777736:1
IPADDR=192.168.0.14
重启network服务:
[[email protected] network-scripts]# systemctl restart network.service
重启naned服务:
[[email protected] slaves]# systemctl restart named.service
4.从DNS解析测试:
首先将主DNS服务器关机:
然后为从DNS服务器再增加两个不同网段的IP,用于测试不同网段的请求:
[[email protected] slaves]# ifconfig eno16777736:2 1.1.1.11/24 [[email protected] slaves]# ifconfig eno16777736:3 11.11.11.11/24
重启named服务:
[[email protected] slaves]# systemctl restart named
正式测试:
[[email protected] slaves]# dig -t A www.ljzlinux.com @192.168.0.11
# ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> -t A www.ljzlinux.com @192.168.0.11 # ;; global options: +cmd # ;; Got answer: # ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55341 # ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3 # ;; OPT PSEUDOSECTION: # ; EDNS: version: 0, flags:; udp: 4096 # ;; QUESTION SECTION: # ;www.ljzlinux.com. IN A # ;; ANSWER SECTION: # www.ljzlinux.com. 600 IN A 192.168.0.102 # www.ljzlinux.com. 600 IN A 192.168.0.103 # ;; AUTHORITY SECTION: # ljzlinux.com. 600 IN NS ns2.ljzlinux.com. # ljzlinux.com. 600 IN NS ns1.ljzlinux.com. # ;; ADDITIONAL SECTION: # ns1.ljzlinux.com. 600 IN A 192.168.0.10 # ns2.ljzlinux.com. 600 IN A 192.168.0.11 # ;; Query time: 0 msec # ;; SERVER: 192.168.0.11#53(192.168.0.11) # ;; WHEN: Thu Jan 19 09:56:02 EST 2017 # ;; MSG SIZE rcvd: 145
解析成功!
[[email protected] slaves]# dig -x 192.168.0.103 @192.168.0.11 # ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> -x192.168.0.103 @192.168.0.11 # ;; global options: +cmd # ;; Got answer: # ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62294 # ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3 # ;; OPT PSEUDOSECTION: # ; EDNS: version: 0, flags:; udp: 4096 # ;; QUESTION SECTION: # ;103.0.168.192.in-addr.arpa. IN PTR # ;; ANSWER SECTION: # 103.0.168.192.in-addr.arpa. 600 IN PTR www.ljzlinux.com. # ;; AUTHORITY SECTION: # 0.168.192.in-addr.arpa. 600 IN NS ns2.ljzlinux.com. # 0.168.192.in-addr.arpa. 600 IN NS ns1.ljzlinux.com. # ;; ADDITIONAL SECTION: # ns1.ljzlinux.com. 600 IN A 192.168.0.10 # ns2.ljzlinux.com. 600 IN A 192.168.0.11 # ;; Query time: 0 msec # ;; SERVER: 192.168.0.11#53(192.168.0.11) # ;; WHEN: Thu Jan 19 09:56:31 EST 2017 # ;; MSG SIZE rcvd: 153
解析成功!
[[email protected] named]# dig -x 1.1.1.102 @192.168.0.10 # ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> -x 1.1.1.102 @192.168.0.10 # ;; global options: +cmd # ;; Got answer: # ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1686 # ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 # ;; OPT PSEUDOSECTION: # ; EDNS: version: 0, flags:; udp: 4096 # ;; QUESTION SECTION: # ;102.1.1.1.in-addr.arpa. IN PTR # ;; Query time: 1060 msec # ;; SERVER: 192.168.0.10#53(192.168.0.10) # ;; WHEN: Fri Jan 20 08:58:56 EST 2017 # ;; MSG SIZE rcvd: 51
解析失败! 这是为什么呢?我们知道,在view作用下为了实现分离解析提高网站的相应速度,我们让1台主机拥有两个不同网段的IP,例如www.ljzlinux.com主机的ip分别为192.168.0.103(我们假设为网通unicom内的IP)和1.1.1.103(假设为telecom内IP),从而实现来自网通用户通过网通IP访问,来自电信用户通过电信IP访问。而来自192.168.0.10 这台NS服务器的请求在view作用下,按照上面的配置文件,反向解析只能解析192.168.0.0/24网段内主机,而不能解析1.1.1.0/24这个网段内的主机,因为我们在view "teltcom"下我们只配置了zone "0.168.192.in-addr.arpa"而没有配置zone "1.1.1.in-addr.arpa"。
综上总结:如上面的例子,为了让网通用户(192.168.0.10)不仅能够反向解析网通IP(192.168.0.103),又能反向解析电信IP(1.1.1.103)。网通view视图下的反向解析应同时包含所有网段的反向解析库。
[[email protected] slaves]# dig -t A www.ljzlinux.com @1.1.1.11 # ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> -t A www.ljzlinux.com @1.1.1.11 # ;; global options: +cmd # ;; Got answer: # ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9442 # ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3 # ;; OPT PSEUDOSECTION: # ; EDNS: version: 0, flags:; udp: 4096 # ;; QUESTION SECTION: # ;www.ljzlinux.com. IN A # ;; ANSWER SECTION: # www.ljzlinux.com. 600 IN A 1.1.1.102 # www.ljzlinux.com. 600 IN A 1.1.1.103 # ;; AUTHORITY SECTION: # ljzlinux.com. 600 IN NS ns2.ljzlinux.com. # ljzlinux.com. 600 IN NS ns1.ljzlinux.com. # ;; ADDITIONAL SECTION: # ns1.ljzlinux.com. 600 IN A 1.1.1.10 # ns2.ljzlinux.com. 600 IN A 1.1.1.11 # ;; Query time: 0 msec # ;; SERVER: 1.1.1.11#53(1.1.1.11) # ;; WHEN: Thu Jan 19 09:56:59 EST 2017 # ;; MSG SIZE rcvd: 145 [[email protected] slaves]# dig -x 1.1.1.101 @1.1.1.11 # ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> -x 1.1.1.101 @1.1.1.11 # ;; global options: +cmd # ;; Got answer: # ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12199 # ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3 # ;; OPT PSEUDOSECTION: # ; EDNS: version: 0, flags:; udp: 4096 # ;; QUESTION SECTION: # ;101.1.1.1.in-addr.arpa. IN PTR # ;; ANSWER SECTION: # 101.1.1.1.in-addr.arpa. 600 IN PTR mail.ljzlinux.com. # ;; AUTHORITY SECTION: # 1.1.1.in-addr.arpa. 600 IN NS ns2.ljzlinux.com. # 1.1.1.in-addr.arpa. 600 IN NS ns1.ljzlinux.com. # ;; ADDITIONAL SECTION: # ns1.ljzlinux.com. 600 IN A 1.1.1.10 # ns2.ljzlinux.com. 600 IN A 1.1.1.11 # ;; Query time: 0 msec # ;; SERVER: 1.1.1.11#53(1.1.1.11) # ;; WHEN: Thu Jan 19 09:57:37 EST 2017 # ;; MSG SIZE rcvd: 150 [[email protected] slaves]# dig -t A www.ljzlinux.com @11.11.11.11 # ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> -t A www.ljzlinux.com @11.11.11.11 # ;; global options: +cmd # ;; Got answer: # ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7303 # ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3 # ;; OPT PSEUDOSECTION: # ; EDNS: version: 0, flags:; udp: 4096 # ;; QUESTION SECTION: # ;www.ljzlinux.com. IN A # ;; ANSWER SECTION: # www.ljzlinux.com. 600 IN A 192.168.0.103 # www.ljzlinux.com. 600 IN A 192.168.0.102 # ;; AUTHORITY SECTION: # ljzlinux.com. 600 IN NS ns2.ljzlinux.com. # ljzlinux.com. 600 IN NS ns1.ljzlinux.com. # ;; ADDITIONAL SECTION: # ns1.ljzlinux.com. 600 IN A 192.168.0.10 # ns2.ljzlinux.com. 600 IN A 192.168.0.11 # ;; Query time: 0 msec # ;; SERVER: 11.11.11.11#53(11.11.11.11) # ;; WHEN: Thu Jan 19 09:57:50 EST 2017 # ;; MSG SIZE rcvd: 145 [[email protected] slaves]# dig -x 192.168.0.101 @11.11.11.11 # ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> -x 192.168.0.101 @11.11.11.11 # ;; global options: +cmd # ;; Got answer: # ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58867 # ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3 # ;; OPT PSEUDOSECTION: # ; EDNS: version: 0, flags:; udp: 4096 # ;; QUESTION SECTION: # ;101.0.168.192.in-addr.arpa. IN PTR # ;; ANSWER SECTION: # 101.0.168.192.in-addr.arpa. 600 IN PTR mail.ljzlinux.com. # ;; AUTHORITY SECTION: # 0.168.192.in-addr.arpa. 600 IN NS ns2.ljzlinux.com. # 0.168.192.in-addr.arpa. 600 IN NS ns1.ljzlinux.com. # ;; ADDITIONAL SECTION: # ns1.ljzlinux.com. 600 IN A 192.168.0.10 # ns2.ljzlinux.com. 600 IN A 192.168.0.11 # ;; Query time: 0 msec # ;; SERVER: 11.11.11.11#53(11.11.11.11) # ;; WHEN: Thu Jan 19 09:58:09 EST 2017 # ;; MSG SIZE rcvd: 154
扩展:为了让来自每个view的客户端能够请求每个view内的IP,需要在每个view内放置所有的反向解析库,上例中需要放置zone "1.1.1.in-addr.arpa" 和zone "0.168.192.in-addr.arpa"这两个解析库,所以配置文件变为如下:
主服务器的主配置文件:
[[email protected] slaves]# vim /etc/named.rfc1912.zones // named.rfc1912.zones: // // Provided by Red Hat caching-nameserver package // // ISC BIND named zone configuration for zones recommended by // RFC 1912 section 4.1 : localhost TLDs and address zones // and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt // (c)2007 R W Franks // // See /usr/share/doc/bind*/sample/ for example named configuration files. // acl "unicom" { 192.168.0.0/24; }; acl "telecom" { 1.1.1.0/24; }; view "unicom" { match-clients { 192.168.0.11;!192.168.0.13;!192.168.0.14;unicom; }; allow-transfer { 192.168.0.11; }; zone "." IN { type hint; file "named.ca"; }; zone "localhost.localdomain" IN { type master; file "named.localhost"; allow-update { none; }; }; zone "localhost" IN { type master; file "named.localhost"; allow-update { none; }; }; zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { type master; file "named.loopback"; allow-update { none; }; }; zone "1.0.0.127.in-addr.arpa" IN { type master; file "named.loopback"; allow-update { none; }; }; zone "0.in-addr.arpa" IN { type master; file "named.empty"; allow-update { none; }; }; zone "ljzlinux.com" IN { type master; file "ljzlinux.com.zone.unicom"; allow-update { none; }; }; #zone "ljzlinux.com"让网通用户只能解析到网通网段的IP zone "0.168.192.in-addr.arpa" IN { type master; file "0.168.192.zone.unicom"; allow-update { none; }; }; zone "1.1.1.in-addr.arpa" IN { type master; file "1.1.1.zone.telecom"; allow-update { none; }; }; #以上两个反向区域能够让网通用户既能反向解析网通网段IP,又能反向解析电信网段IP。如果只有zone "0.168.192.in-addr.arpa" ,那么1.1.1.x请求解析IP 192.168.0.x是不能完成的。 }; view "telecom" { match-clients { !192.168.0.11;192.168.0.13;!192.168.0.14;telecom; }; allow-transfer { 192.168.0.13; }; zone "." IN { type hint; file "named.ca"; }; zone "localhost.localdomain" IN { type master; file "named.localhost"; allow-update { none; }; }; zone "localhost" IN { type master; file "named.localhost"; allow-update { none; }; }; zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { type master; file "named.loopback"; allow-update { none; }; }; zone "1.0.0.127.in-addr.arpa" IN { type master; file "named.loopback"; allow-update { none; }; }; zone "0.in-addr.arpa" IN { type master; file "named.empty"; allow-update { none; }; }; zone "ljzlinux.com" IN { type master; file "ljzlinux.com.zone.telecom"; allow-update { none; }; }; zone "0.168.192.in-addr.arpa" IN { type master; file "0.168.192.zone.unicom"; allow-update { none; }; }; zone "1.1.1.in-addr.arpa" IN { type master; file "1.1.1.zone.telecom"; allow-update { none; }; }; }; view "default" { match-clients { !192.168.0.11;!192.168.0.13;192.168.0.14;any; }; allow-transfer { 192.168.0.14; }; zone "." IN { type hint; file "named.ca"; }; zone "localhost.localdomain" IN { type master; file "named.localhost"; allow-update { none; }; }; zone "localhost" IN { type master; file "named.localhost"; allow-update { none; }; }; zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { type master; file "named.loopback"; allow-update { none; }; }; zone "1.0.0.127.in-addr.arpa" IN { type master; file "named.loopback"; allow-update { none; }; }; zone "0.in-addr.arpa" IN { type master; file "named.empty"; allow-update { none; }; }; zone "ljzlinux.com" IN { type master; file "ljzlinux.com.zone.unicom"; allow-update { none; }; }; zone "0.168.192.in-addr.arpa" IN { type master; file "0.168.192.zone.unicom"; allow-update { none; }; }; zone "1.1.1.in-addr.arpa" IN { type master; file "1.1.1.zone.telecom"; allow-update { none; }; }; };
从服务器的主配置文件:
[[email protected] slaves]# scp 192.168.0.10:/etc/named.rfc1912.zones /etc/named.rfc1912.zones [[email protected] slaves]# vim /etc/named.rfc1912.zones #主要修改内容:transfer-source 、type slave;、file "slaves/ljzlinux.com.zone.unicom";、masters { 192.168.0.10; }; // named.rfc1912.zones: // // Provided by Red Hat caching-nameserver package // // ISC BIND named zone configuration for zones recommended by // RFC 1912 section 4.1 : localhost TLDs and address zones // and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt // (c)2007 R W Franks // // See /usr/share/doc/bind*/sample/ for example named configuration files. // acl "unicom" { 192.168.0.0/24; }; acl "telecom" { 1.1.1.0/24; }; view "unicom" { match-clients { 192.168.0.11;!192.168.0.13;!192.168.0.14;unicom; };#需要在match-clients中添加从服务器view同步的IP地址。其中!192.168.0.13意思是排斥此IP.(其他view修改雷同) transfer-source 192.168.0.11;#添加allow-transfer允许同步的IP地址。(其他view修改雷同) zone "." IN { type hint; file "named.ca"; }; zone "localhost.localdomain" IN { type master; file "named.localhost"; allow-update { none; }; }; zone "localhost" IN { type master; file "named.localhost"; allow-update { none; }; }; zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { type master; file "named.loopback"; allow-update { none; }; }; zone "1.0.0.127.in-addr.arpa" IN { type master; file "named.loopback"; allow-update { none; }; }; zone "0.in-addr.arpa" IN { type master; file "named.empty"; allow-update { none; }; }; zone "ljzlinux.com" IN {#其他所有的zone按照以下模板进行修改 type slave;#类型修改为slave file "slaves/ljzlinux.com.zone.unicom";#注意从服务器的解析文件存放位置的修改 masters { 192.168.0.10; };#添加此行,删除 allow-update。 masterfile-format text; }; zone "0.168.192.in-addr.arpa" IN { type slave; file "slaves/0.168.192.zone.unicom"; masters { 192.168.0.10; }; masterfile-format text; }; zone "1.1.1.in-addr.arpa" IN { type slave; file "slaves/1.1.1.zone.telecom"; masters { 192.168.0.10; }; masterfile-format text; }; }; view "telecom" { match-clients { !192.168.0.11;192.168.0.13;!192.168.0.14;telecom; }; transfer-source 192.168.0.13; zone "." IN { type hint; file "named.ca"; }; zone "localhost.localdomain" IN { type master; file "named.localhost"; allow-update { none; }; }; zone "localhost" IN { type master; file "named.localhost"; allow-update { none; }; }; zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { type master; file "named.loopback"; allow-update { none; }; }; zone "1.0.0.127.in-addr.arpa" IN { type master; file "named.loopback"; allow-update { none; }; }; zone "0.in-addr.arpa" IN { type master; file "named.empty"; allow-update { none; }; }; zone "ljzlinux.com" IN { type slave; file "slaves/ljzlinux.com.zone.telecom"; masters { 192.168.0.10; }; masterfile-format text; }; zone "0.168.192.in-addr.arpa" IN { type slave; file "slaves/0.168.192.zone.unicom"; masters { 192.168.0.10; }; masterfile-format text; }; zone "1.1.1.in-addr.arpa" IN { type slave; file "slaves/1.1.1.zone.telecom"; masters { 192.168.0.10; }; masterfile-format text; }; }; view "default" { match-clients { !192.168.0.11;!192.168.0.13;192.168.0.14;any; }; transfer-source 192.168.0.14; zone "." IN { type hint; file "named.ca"; }; zone "localhost.localdomain" IN { type master; file "named.localhost"; allow-update { none; }; }; zone "localhost" IN { type master; file "named.localhost"; allow-update { none; }; }; zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { type master; file "named.loopback"; allow-update { none; }; }; zone "1.0.0.127.in-addr.arpa" IN { type master; file "named.loopback"; allow-update { none; }; }; zone "0.in-addr.arpa" IN { type master; file "named.empty"; allow-update { none; }; }; zone "ljzlinux.com" IN { type slave; file "slaves/ljzlinux.com.zone.unicom"; masters { 192.168.0.10; }; masterfile-format text; }; zone "0.168.192.in-addr.arpa" IN { type slave; file "slaves/0.168.192.zone.unicom"; masters { 192.168.0.10; }; masterfile-format text; }; zone "1.1.1.in-addr.arpa" IN { type slave; file "slaves/1.1.1.zone.telecom"; masters { 192.168.0.10; }; masterfile-format text; }; };
实验五:子域授权,转发域:(192.168.0.13)
子域授权:通俗讲,就是将某个创建好的域的NS、A记录写入到父域的区域数据文件中,这样服务就知道子域的存在了。如果有客户端向父域请求解析这个小的区域(子域),父域只要找到子域的DNS服务器,然后将请求转交给子域DNS服务器即可。这样的做的好处可以减轻父DNS的压力,也有利于管理。
1.创建子域tech.ljzlinux.com·
[[email protected] named]# vim /etc/named.rfc1912.zones#在配置文件中追加tech.ljzlinux.com区域 // named.rfc1912.zones: // // Provided by Red Hat caching-nameserver package // // ISC BIND named zone configuration for zones recommended by // RFC 1912 section 4.1 : localhost TLDs and address zones // and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt // (c)2007 R W Franks // // See /usr/share/doc/bind*/sample/ for example named configuration files. // zone "localhost.localdomain" IN { type master; file "named.localhost"; allow-update { none; }; }; zone "localhost" IN { type master; file "named.localhost"; allow-update { none; }; }; zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { type master; file "named.loopback"; allow-update { none; }; }; zone "1.0.0.127.in-addr.arpa" IN { type master; file "named.loopback"; allow-update { none; }; }; zone "0.in-addr.arpa" IN { type master; file "named.empty"; allow-update { none; }; }; #增加子域 zone "tech.ljzlinux.com." IN { type master; file "tech.ljzlinux.com.zone"; allow-update { none; }; };
2.创建tech.ljzlinux.com的区域数据文件
[[email protected] named]# vim tech.ljzlinux.com.zone $TTL 600 @ IN SOA ns1.tech.ljzlinux.com. dnsadmin.tech.ljzlinux.com. ( 20170115 2H 10M 3D 12H) @ IN NS ns1 IN MX 10 mail ns1 IN A 192.168.0.12 mail IN A 192.168.0.121 www IN A 192.168.0.122
至此,服务器192.168.0.12上的子域构建完成。
3.子域授权实现:在父域区域数据文件中加入子域NS和A记录即可完成(反向解析的子域授权比较麻烦,不在此实验范围)
主机:192.168.0.10
[[email protected] named]# vim ljzlinux.com.zone.unicom $TTL 600 @ IN SOA ns1.ljzlinux.com. admin.ljzlinux.com. ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum @ IN NS ns1.ljzlinux.com. IN NS ns2.ljzlinux.com. IN MX 10 mail ns1 IN A 192.168.0.10 ns2 IN A 192.168.0.11 mail IN A 192.168.0.101 www.ljzlinux.com. IN A 192.168.0.102 www IN A 192.168.0.103 ftp IN CNAME www tech IN NS ns1 ns1 IN A 192.168.0.12
4.进行子域授权测试:
[[email protected] named]# dig -t A www.tech.ljzlinux.com @192.168.0.10 # ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> -t A www.tech.ljzlinux.com @192.168.0.10 # ;; global options: +cmd # ;; Got answer: # ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51406 # ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 # ;; OPT PSEUDOSECTION: # ; EDNS: version: 0, flags:; udp: 4096 # ;; QUESTION SECTION: # ;www.tech.ljzlinux.com. IN A # ;; ANSWER SECTION: # www.tech.ljzlinux.com. 600 IN A 192.168.0.122 # ;; AUTHORITY SECTION: # tech.ljzlinux.com. 600 IN NS ns1.tech.ljzlinux.com. # ;; ADDITIONAL SECTION: # ns1.tech.ljzlinux.com. 600 IN A 192.168.0.12 # ;; Query time: 6 msec # ;; SERVER: 192.168.0.10#53(192.168.0.10) # ;; WHEN: Sat Jan 21 08:01:14 EST 2017 # ;; MSG SIZE rcvd: 100
解析成功!
5.创建转发域:实现解析父域的请求转发给父域的DNS服务器 (如果转发域无法解析,注释掉主配置文件中的include "/etc/named.root.key";)
在子域服务器主配置文件上追加创建子域转发域ljzlinux.com
#创建父域(ljzlinux.com)的转发域,所有解析父域的请求转发到父域DNS服务器
zone "ljzlinux.com" IN { type forward; forward first;#区域转发类型为first:先转发,不能解析再找根解析;only:只转发,不能解析也不会找根来解析 forwarders { 192.168.0.10;192.168.0.11; }; #区域类型为forward时,只将请求解析父域ljzlinux.com的解析请求转发给192.168.0.10;若定义在options项下,则为全局转发,转发非本机负责解析的所有区域给192.168.0.10 };
测试:
[[email protected] named]# dig -t A www.ljzlinux.com @192.168.0.12 # ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> -t A www.ljzlinux.com @192.168.0.12 # ;; global options: +cmd # ;; Got answer: # ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11232 # ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 4 # ;; OPT PSEUDOSECTION: # ; EDNS: version: 0, flags:; udp: 4096 # ;; QUESTION SECTION: # ;www.ljzlinux.com. IN A # ;; ANSWER SECTION: # www.ljzlinux.com. 443 IN A 192.168.0.103 # www.ljzlinux.com. 443 IN A 192.168.0.102 # ;; AUTHORITY SECTION: # ljzlinux.com. 443 IN NS ns1.ljzlinux.com. # ljzlinux.com. 443 IN NS ns2.ljzlinux.com. # ;; ADDITIONAL SECTION: # ns2.ljzlinux.com. 443 IN A 192.168.0.11 # ns1.ljzlinux.com. 443 IN A 192.168.0.10 # ns1.ljzlinux.com. 443 IN A 192.168.0.12 # ;; Query time: 0 msec # ;; SERVER: 192.168.0.12#53(192.168.0.12) # ;; WHEN: Sat Jan 21 09:41:49 EST 2017 # ;; MSG SIZE rcvd: 161
解析成功!
本文中所有的配置文件都会以附件的形式共享。
本文出自 “juzhanglinux” 博客,请务必保留此出处http://juzhang.blog.51cto.com/12340537/1893956
以上是关于DNS服务器综合实验(包含view下主从+子域授权+转发域)的主要内容,如果未能解决你的问题,请参考以下文章