DNS主从服务器部署配置

Posted 2020-09-27

tags:

篇首语：本文由小常识网(cha138.com)小编为大家整理，主要介绍了DNS主从服务器部署配置相关的知识，希望对你有一定的参考价值。

（1）节点信息

console01	主DNS	192.168.80.3	192.168.10.3
console02	从DNS	192.168.80.4	192.168.10.4

（2）环境部署

# yum -y install bind bind-chroot bind-util bind-libs

# service iptables stop

# setenforce 0

（3）配置主DNS

1.编辑DNS主配置文件/etc/named.conf

# vim /etc/named.conf

options {
    listen-on port 53 { 192.168.10.3; };
    listen-on-v6 port 53 { ::1; };
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query     { any; };
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
        /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

2.编辑区域配置文件/etc/name.rfc1912.zones

# vim /etc/name.rfc1912.zones

在最后添加以下内容：

zone "liwanliang.com" IN {
    type master;
    file "liwanliang.com.zone";
    notify yes;
    also-notify { 192.168.10.4; };
    allow-transfer { 192.168.10.4; };
};
zone "10.168.192.in-addr.arpa." IN {
    type master;
    file "192.168.10.3.zone";
    notify yes;
    also-notify { 192.168.10.4; };
    allow-transfer { 192.168.10.4; };
};

3.编辑区域文件的资源记录

# cd /var/named

# vim liwanliang.com.zone

添加如下内容：

$TTL 600
@       IN  SOA     ns1.liwanliang.com mail.liwanliang.com (
                    2017070713  ;serial
                    2H  ;refresh
                    4M  ;retry
                    1D  ;expire
                    2D )    ;minumum
@       IN  NS      ns1.liwanliang.com.
@       IN  NS      ns2.liwanliang.com.
@       IN  MX 10   mail.liwanliang.com.
ns1     IN  A       192.168.10.3
ns2     IN  A       192.168.10.4
mail    IN  A       192.168.10.3
www     IN  A       192.168.10.3
ftp     IN  A       192.168.10.3
dhcp    IN  A       192.168.10.3

# vim 192.168.10.3.zone

添加以下内容：

$TTL 600
@       IN  SOA     ns1.liwanliang.com mail.liwanliang.com (
                    2017070713  ;serial
                    2H  ;refresh
                    4M  ;retry
                    1D  ;expire
                    2D )    ;minimum
@   IN      NS      ns1.liwanliang.com.
@   IN      NS      ns2.liwanliang.com.
@   IN      MX 10   mail.liwanliang.com.
3   IN      PTR     ns1.liwanliang.com.
4   IN      PTR     ns2.liwanliang.com.
3   IN      PTR     mail.liwanliang.com.
3   IN      PTR     www.liwanliang.com.
3   IN      PTR     ftp.liwanliang.com.
3   IN      PTR     dhcp.liwanliang.com.

4.修改目录文件权限

DNS运行的系统用户为named。因此需要保证/var/named目录下文件的权限正确。因为采用了chroot（yum -y install bind-chroot）安全配置，所有DNS所有的配置，通过回环挂载的模式，即：配置了/var/named下的配置，实际上上配置了/var/named/chroot/var/named下的配置。
这是通过mount –bind方式实现，通过mount命令可以查看

/var/named on /var/named/chroot/var/named type none (rw,bind)
/etc/named.conf on /var/named/chroot/etc/named.conf type none (rw,bind)
/etc/named.rfc1912.zones on /var/named/chroot/etc/named.rfc1912.zones type none (rw,bind)
/etc/rndc.key on /var/named/chroot/etc/rndc.key type none (rw,bind)
/usr/lib64/bind on /var/named/chroot/usr/lib64/bind type none (rw,bind)
/etc/named.iscdlv.key on /var/named/chroot/etc/named.iscdlv.key type none (rw,bind)
/etc/named.root.key on /var/named/chroot/etc/named.root.key type none (rw,bind)
/etc/services on /var/named/chroot/etc/services type none (rw,bind)
/etc/protocols on /var/named/chroot/etc/protocols type none (rw,bind)
/lib64/libnss_files-2.12.so on /var/named/chroot/lib64/libnss_files.so.2 type none (rw,bind)

# chown -R root.named /var/named/chroot

# chown -R root.named /var/named/slaves

5.检查配置文件是否正确

# named-checkzone "liwanliang.com" liwanliang.com.zone

# named-checkconf

# service named configtest

5.开启并检测DNS服务

# service named start

# ps -ef | grep named

# netstat -tupln | grep named

6.验证主DNS正反向解析

假如配置了主机的DNS指向：

echo "DNS1=192.168.10.3" >> /etc/sysconfig/network-scripts/ifcfg-eth0
service network restart

则采用一下命令即可：

# dig -t A www.liwanliang.com

假如未配置主机的DNS指向,通过@DNS的IP进行检测：

# dig -t A www.liwanliang.com @192.168.10.3

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A www.liwanliang.com @192.168.10.3
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42299
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.liwanliang.com.        IN    A

;; ANSWER SECTION:
www.liwanliang.com.    600    IN    A    192.168.10.3

;; AUTHORITY SECTION:
liwanliang.com.        600    IN    NS    ns2.liwanliang.com.
liwanliang.com.        600    IN    NS    ns1.liwanliang.com.

;; ADDITIONAL SECTION:
ns1.liwanliang.com.    600    IN    A    192.168.10.3
ns2.liwanliang.com.    600    IN    A    192.168.10.4

;; Query time: 0 msec
;; SERVER: 192.168.10.3#53(192.168.10.3)
;; WHEN: Sat Jul  8 21:34:46 2017
;; MSG SIZE  rcvd: 120

反向解析：

# dig -x 192.168.10.3 @192.168.10.3

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -x 192.168.10.3 @192.168.10.3
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23601
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;3.10.168.192.in-addr.arpa.    IN    PTR

;; ANSWER SECTION:
3.10.168.192.in-addr.arpa. 600    IN    PTR    mail.liwanliang.com.
3.10.168.192.in-addr.arpa. 600    IN    PTR    www.liwanliang.com.
3.10.168.192.in-addr.arpa. 600    IN    PTR    ftp.liwanliang.com.
3.10.168.192.in-addr.arpa. 600    IN    PTR    dhcp.liwanliang.com.
3.10.168.192.in-addr.arpa. 600    IN    PTR    ns1.liwanliang.com.

;; AUTHORITY SECTION:
10.168.192.in-addr.arpa. 600    IN    NS    ns1.liwanliang.com.
10.168.192.in-addr.arpa. 600    IN    NS    ns2.liwanliang.com.

;; ADDITIONAL SECTION:
ns1.liwanliang.com.    600    IN    A    192.168.10.3
ns2.liwanliang.com.    600    IN    A    192.168.10.4

;; Query time: 0 msec
;; SERVER: 192.168.10.3#53(192.168.10.3)
;; WHEN: Sat Jul  8 21:49:50 2017
;; MSG SIZE  rcvd: 213

至此，主DNS配置和验证完成

（4）从DNS配置

1.基础环境

# yum -y install bind bind-chroot bind-utils bind-libs

2.编辑主配置文件

# vim /etc/named.conf

options {
    listen-on port 53 { 192.168.10.4; };
    listen-on-v6 port 53 { ::1; };
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query     { any; };
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside    auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

3.编辑区域配置文件

# vim /etc/named.rfc1912.zones

在最后添加一下内容：

zone "liwanliang.com" IN {
    type slave;
    masters { 192.168.10.3; };
    allow-update { none; };
    file "slaves/liwanliang.com.zone";
};
zone "10.168.192.in-addr.arpa" IN {
    type slave;
    masters { 192.168.10.3; };
    allow-update { none; };
    file "slaves/192.168.10.3.zone";
};

4.查看并修改目录文件权限

# ls -l /var/named/chroot

# chown -R root.named /var/named/chroot

5.检查配置文件正确性

# named-checkconf

# service named configtest

6.启动named服务

# service named start

# ps -ef | grep named

# netstat -tupln | grep named

7.检查文件同步结果

`# ls -l /var/named/slaves

total 8
-rw-r–r– 1 named named 601 Jul  8 20:58 192.168.10.3.zone
-rw-r–r– 1 named named 528 Jul  8 20:58 liwanliang.com.zone

8.从DNS正反解析验证

正向解析验证：

# dig -t A www.liwanliang.com @192.168.10.4

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A www.liwanliang.com @192.168.10.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2955
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.liwanliang.com.        IN    A

;; ANSWER SECTION:
www.liwanliang.com.    600    IN    A    192.168.10.3

;; AUTHORITY SECTION:
liwanliang.com.        600    IN    NS    ns1.liwanliang.com.
liwanliang.com.        600    IN    NS    ns2.liwanliang.com.

;; ADDITIONAL SECTION:
ns1.liwanliang.com.    600    IN    A    192.168.10.3
ns2.liwanliang.com.    600    IN    A    192.168.10.4

;; Query time: 0 msec
;; SERVER: 192.168.10.4#53(192.168.10.4)
;; WHEN: Sat Jul  8 22:08:17 2017
;; MSG SIZE  rcvd: 120

反向解析验证：

# dig -x 192.168.10.3 @192.168.10.4

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -x 192.168.10.3 @192.168.10.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29194
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;3.10.168.192.in-addr.arpa.    IN    PTR

;; ANSWER SECTION:
3.10.168.192.in-addr.arpa. 600    IN    PTR    mail.liwanliang.com.
3.10.168.192.in-addr.arpa. 600    IN    PTR    www.liwanliang.com.
3.10.168.192.in-addr.arpa. 600    IN    PTR    ftp.liwanliang.com.
3.10.168.192.in-addr.arpa. 600    IN    PTR    dhcp.liwanliang.com.
3.10.168.192.in-addr.arpa. 600    IN    PTR    ns1.liwanliang.com.

;; AUTHORITY SECTION:
10.168.192.in-addr.arpa. 600    IN    NS    ns2.liwanliang.com.
10.168.192.in-addr.arpa. 600    IN    NS    ns1.liwanliang.com.

;; ADDITIONAL SECTION:
ns1.liwanliang.com.    600    IN    A    192.168.10.3
ns2.liwanliang.com.    600    IN    A    192.168.10.4

;; Query time: 0 msec
;; SERVER: 192.168.10.4#53(192.168.10.4)
;; WHEN: Sat Jul  8 22:09:32 2017
;; MSG SIZE  rcvd: 213

null

以上是关于DNS主从服务器部署配置的主要内容，如果未能解决你的问题，请参考以下文章

部署DNS主从复制区域传送

DNS主从服务器配置

CentOS 7部署DNS主从复制及Apache域名虚拟主机

Centos下高可用主从同步DNS服务部署

Linux （二十三）剖析DNS服务主从分离反向解析等部署方式

DNS主从同步部署