Bind
DNS server installation and deployment (The DNS server installation deployment)

Article topics:
1. Configure a DNS caching server
2. Configure a forward zone
3. Configure a reverse zone
4. How to configure DNS master/slave
5. How to configure subdomain delegation
6. How to configure forwarding
7. How to configure BIND views
Environment
1. Virtual machine OS: CentOS 6.7 64-bit
2. Virtual machine IP addresses: 10.22.22.1 (N01), 10.22.22.2 (N02), 10.22.22.11 (C01), 10.22.22.12 (C02)
3. Virtualization client: VMware Workstation 12 Pro 12.1.1 build-3770994
I. How to configure a DNS caching server?
1. Install bind (Berkeley Internet Name Domain), an implementation of the DNS protocol
bind: the main DNS server program
bind-libs: the library files that bind and bind-utils depend on
bind-utils: the bind client utilities, such as dig, host and nslookup
bind-chroot: runs named in a chroot jail (a more confined, safer mode)
[[email protected] ~]# ifconfig   # check the IP address
eth0      Link encap:Ethernet  HWaddr 00:0C:29:92:D9:2D
          inet addr:10.22.22.1  Bcast:10.22.22.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe92:d92d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:47 errors:0 dropped:0 overruns:0 frame:0
          TX packets:50 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5707 (5.5 KiB)  TX bytes:6158 (6.0 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

[[email protected] ~]# yum install -y bind bind-libs bind-utils   # install the bind packages
Loaded plugins: fastestmirror
Setting up Install Process
base                                                     | 3.7 kB     00:00
base/primary_db                                          | 4.7 MB     00:03
extras                                                   | 3.4 kB     00:00
extras/primary_db                                        |  37 kB     00:00
updates                                                  | 3.4 kB     00:00
updates/primary_db                                       | 3.1 MB     00:01
Resolving Dependencies
--> Running transaction check
---> Package bind.x86_64 32:9.8.2-0.47.rc1.el6_8.3 will be installed
--> Processing Dependency: portreserve for package: 32:bind-9.8.2-0.47.rc1.el6_8.3.x86_64
---> Package bind-libs.x86_64 32:9.8.2-0.47.rc1.el6_8.3 will be installed
---> Package bind-utils.x86_64 32:9.8.2-0.47.rc1.el6_8.3 will be installed
--> Running transaction check
---> Package portreserve.x86_64 0:0.0.4-11.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package          Arch       Version                        Repository    Size
================================================================================
Installing:
 bind             x86_64     32:9.8.2-0.47.rc1.el6_8.3      updates      4.0 M
 bind-libs        x86_64     32:9.8.2-0.47.rc1.el6_8.3      updates      890 k
 bind-utils       x86_64     32:9.8.2-0.47.rc1.el6_8.3      updates      187 k
Installing for dependencies:
 portreserve      x86_64     0.0.4-11.el6                   base          23 k

Transaction Summary
================================================================================
Install       4 Package(s)

Total download size: 5.1 M
Installed size: 10 M
Downloading Packages:
(1/4): bind-9.8.2-0.47.rc1.el6_8.3.x86_64.rpm            | 4.0 MB     00:02
(2/4): bind-libs-9.8.2-0.47.rc1.el6_8.3.x86_64.rpm       | 890 kB     00:00
(3/4): bind-utils-9.8.2-0.47.rc1.el6_8.3.x86_64.rpm      | 187 kB     00:00
(4/4): portreserve-0.0.4-11.el6.x86_64.rpm               |  23 kB     00:00
--------------------------------------------------------------------------------
Total                                           1.6 MB/s | 5.1 MB     00:03
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
Importing GPG key 0xC105B9DE:
 Userid : CentOS-6 Key (CentOS 6 Official Signing Key) <[email protected]>
 Package: centos-release-6-7.el6.centos.12.3.x86_64 (@anaconda-CentOS-201508042137.x86_64/6.7)
 From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : 32:bind-libs-9.8.2-0.47.rc1.el6_8.3.x86_64                 1/4
  Installing : portreserve-0.0.4-11.el6.x86_64                            2/4
  Installing : 32:bind-9.8.2-0.47.rc1.el6_8.3.x86_64                      3/4
  Installing : 32:bind-utils-9.8.2-0.47.rc1.el6_8.3.x86_64                4/4
  Verifying  : 32:bind-utils-9.8.2-0.47.rc1.el6_8.3.x86_64                1/4
  Verifying  : portreserve-0.0.4-11.el6.x86_64                            2/4
  Verifying  : 32:bind-libs-9.8.2-0.47.rc1.el6_8.3.x86_64                 3/4
  Verifying  : 32:bind-9.8.2-0.47.rc1.el6_8.3.x86_64                      4/4

Installed:
  bind.x86_64 32:9.8.2-0.47.rc1.el6_8.3       bind-libs.x86_64 32:9.8.2-0.47.rc1.el6_8.3
  bind-utils.x86_64 32:9.8.2-0.47.rc1.el6_8.3

Dependency Installed:
  portreserve.x86_64 0:0.0.4-11.el6

Complete!
2. Modify the main bind configuration file
Main configuration file: /etc/named.conf
[[email protected] ~]# vim /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {                                  // global options section
        listen-on port 53 { 127.0.0.1; };  // add the local DNS server's own IP here, 10.22.22.1 in this setup (note the spaces inside the braces and the semicolon after the IP)
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; };    // change "localhost" to "any" here
        recursion yes;

        // while learning, the author suggests turning the dnssec parameters off (keep validation on outside the lab)
        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};      // note: every closing brace must be followed by ";"

logging {                                  // logging section
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {                              // zone section; zones are normally defined in named.rfc1912.zones instead
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";        # this file is dedicated to zone definitions
include "/etc/named.root.key";

With allow-query { any; } and recursion yes, every host that can reach the server can use it as a recursive resolver; before exposing it beyond the lab, restrict recursion to your own networks with allow-recursion (see the access-control notes in section II).
3. Start the service and turn off the firewall on 10.22.22.1
The OS here is CentOS 6.7 64-bit, so the service command is used to start, restart and stop services.
[[email protected] ~]# service named start
Generating /etc/rndc.key:                                  [  OK  ]
Starting named:                                            [  OK  ]
[[email protected] ~]# service iptables stop   # this is a lab for learning and testing, so the firewall is simply turned off for now
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
4. Check the service status
[[email protected] ~]# ss -tnl   # look at line 2: port 53 is listening
State      Recv-Q Send-Q      Local Address:Port        Peer Address:Port
LISTEN     0      3                     ::1:53                    :::*
LISTEN     0      3              10.22.22.1:53                     *:*
LISTEN     0      3               127.0.0.1:53                     *:*
LISTEN     0      128                    :::22                    :::*
LISTEN     0      128                     *:22                     *:*
LISTEN     0      128                   ::1:953                   :::*
LISTEN     0      128             127.0.0.1:953                    *:*
LISTEN     0      100                   ::1:25                    :::*
LISTEN     0      100             127.0.0.1:25                     *:*
5. Change the client's DNS server IP address to 10.22.22.1
The DNS server IP address is configured in /etc/resolv.conf
[[email protected] ~]# vi /etc/resolv.conf
# Generated by NetworkManager
nameserver 10.22.22.1
6. Test with the dig command
Common DNS client tools: dig, nslookup (the only one available by default on Windows) and host
[[email protected] ~]# dig -t A www.baidu.com   # normal resolution

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.3 <<>> -t A www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3545
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 5

;; QUESTION SECTION:                  # question section
;www.baidu.com.                 IN      A

;; ANSWER SECTION:                    # answer section
www.baidu.com.          1200    IN      CNAME   www.a.shifen.com.
www.a.shifen.com.       300     IN      A       61.135.169.121
www.a.shifen.com.       300     IN      A       61.135.169.125

;; AUTHORITY SECTION:                 # authority section: the name servers of the second-level domain
a.shifen.com.           1200    IN      NS      ns1.a.shifen.com.
a.shifen.com.           1200    IN      NS      ns4.a.shifen.com.
a.shifen.com.           1200    IN      NS      ns5.a.shifen.com.
a.shifen.com.           1200    IN      NS      ns2.a.shifen.com.
a.shifen.com.           1200    IN      NS      ns3.a.shifen.com.

;; ADDITIONAL SECTION:                # additional section: the IP addresses of those name servers
ns3.a.shifen.com.       1200    IN      A       61.135.162.215
ns5.a.shifen.com.       1200    IN      A       119.75.222.17
ns2.a.shifen.com.       1200    IN      A       180.149.133.241
ns1.a.shifen.com.       1200    IN      A       61.135.165.224
ns4.a.shifen.com.       1200    IN      A       115.239.210.176

;; Query time: 891 msec
;; SERVER: 10.22.22.1#53(10.22.22.1)
;; WHEN: Tue Nov 15 21:16:18 2016
;; MSG SIZE  rcvd: 260

[[email protected] ~]# dig +trace -t A www.baidu.com   # trace the resolution process

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.3 <<>> +trace -t A www.baidu.com
;; global options: +cmd
# /var/named/named.ca: this file lists the IP addresses of all the root servers
.                       3600000 IN      NS      D.ROOT-SERVERS.NET.
.                       3600000 IN      NS      H.ROOT-SERVERS.NET.
.                       3600000 IN      NS      K.ROOT-SERVERS.NET.
.                       3600000 IN      NS      M.ROOT-SERVERS.NET.
.                       3600000 IN      NS      B.ROOT-SERVERS.NET.
.                       3600000 IN      NS      F.ROOT-SERVERS.NET.
.                       3600000 IN      NS      J.ROOT-SERVERS.NET.
.                       3600000 IN      NS      A.ROOT-SERVERS.NET.
.                       3600000 IN      NS      E.ROOT-SERVERS.NET.
.                       3600000 IN      NS      L.ROOT-SERVERS.NET.
.                       3600000 IN      NS      G.ROOT-SERVERS.NET.
.                       3600000 IN      NS      I.ROOT-SERVERS.NET.
.                       3600000 IN      NS      C.ROOT-SERVERS.NET.
;; Received 228 bytes from 10.22.22.1#53(10.22.22.1) in 3420 ms

com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
;; Received 491 bytes from 192.58.128.30#53(192.58.128.30) in 2832 ms

baidu.com.              172800  IN      NS      dns.baidu.com.
baidu.com.              172800  IN      NS      ns2.baidu.com.
baidu.com.              172800  IN      NS      ns3.baidu.com.
baidu.com.              172800  IN      NS      ns4.baidu.com.
baidu.com.              172800  IN      NS      ns7.baidu.com.
;; Received 201 bytes from 192.35.51.30#53(192.35.51.30) in 989 ms

www.baidu.com.          1200    IN      CNAME   www.a.shifen.com.
a.shifen.com.           1200    IN      NS      ns5.a.shifen.com.
a.shifen.com.           1200    IN      NS      ns3.a.shifen.com.
a.shifen.com.           1200    IN      NS      ns4.a.shifen.com.
a.shifen.com.           1200    IN      NS      ns1.a.shifen.com.
a.shifen.com.           1200    IN      NS      ns2.a.shifen.com.
;; Received 228 bytes from 220.181.37.10#53(220.181.37.10) in 11 ms
At this point the DNS caching server is configured. On top of it, we next configure a forward zone.
II. Configure a forward zone
1. Edit the zone configuration file
Zone configuration file: /etc/named.rfc1912.zones
[[email protected] ~]# vim /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
};

zone "tornado.com" IN {
        type master;
        file "tornado.com.zone";
        allow-query { 10.22.22.11; };
        allow-update { none; };
};

// The forward zone section explained in detail. A forward zone handles forward resolution, i.e. FQDN --> IP
//zone "tornado.com" IN {
//      type master (primary) | slave (secondary) | hint (root) | forward (forwarding);
//      file "tornado.com.zone";                                 --> name of the forward zone data file
//      allow-query { any | localhost | localnets | none; };     --> IP addresses allowed to query (any: everyone; localhost: this host; localnets: the local networks; none: nobody)
//      allow-transfer { any | localhost | localnets | none; };  --> hosts allowed to request zone transfers; if there are slave servers, list only the slaves
//      allow-recursion { any | localhost | localnets | none; }; --> hosts allowed to send recursive queries (accepted in the options or view section, not inside a zone statement)
//      allow-update { any | localhost | localnets | none; };    --> allows dynamic updates of the zone data; turning it off in production is recommended
//};
// allow-*: these are access control directives; they can be combined with an acl and set in the options section, or configured per zone in the zone section.
// allow-* directives can be used together with ACLs:
//      acl mynet { 10.22.22.0/24; };   or   acl myhost { 10.22.22.11; };
//      allow-query { mynet; };         or   allow-query { myhost; };
2. Check the configuration file for syntax errors
[[email protected] named]# named-checkconf
3. Create the zone data file: tornado.com.zone
/var/named/ is the default directory for the bind service's zone data files; a zone data file mainly holds resource records (Resource Record, rr for short)
[[email protected] ~]# cd /var/named/
[[email protected] named]# touch tornado.com.zone
[[email protected] named]# chown :named tornado.com.zone
[[email protected] named]# chmod o= tornado.com.zone
[[email protected] named]# vim tornado.com.zone
$TTL 3600               ; $TTL: the cache time of the resource records; records without their own TTL inherit it
$ORIGIN tornado.com.    ; $ORIGIN: defines the variable that holds the second-level domain name; "@" refers to it
; resource record syntax: @ [TTL] IN RR_TYPE (record type) value (name or IP address)
@       IN SOA  ns1 tornado (
        ; @: the name of the current zone (the value of $ORIGIN; it is also appended to ns1 and tornado above and to ns1 and mx1 below)
        ; SOA: Start Of Authority; each zone file has exactly one, and it must come before all other resource records
        ; ns1: name of the primary DNS server of this zone; the suffix defined in $ORIGIN is appended automatically
        ; tornado: mailbox of the zone administrator; the suffix defined in $ORIGIN is appended automatically
        2017010801      ; serial: at most 10 digits; in a master/slave setup it has to be increased by hand every time the master's zone file (forward and reverse independently) is modified
        1H              ; refresh: how often the slave contacts the master to refresh the zone
        10M             ; retry: how long to wait before retrying after a failed refresh
        3D              ; expire: how long the slave keeps serving the zone after it can no longer reach the master
        1D              ; negative answer ttl: TTL of negative answers
        )
        IN NS   ns1     ; NS: name server record; ns1 is its value (an FQDN), the DNS server of this zone; there can be several NS records, one per DNS server of the zone
        IN MX 10 mx1    ; MX: mail exchanger record; mx1 is its value (an FQDN), the mail server of this zone; there can be several
                        ; 10: priority, range 0-99; the lower the number, the higher the priority
ns1     IN A    10.22.22.1      ; A record of host ns1, which is a DNS server
www     IN A    10.22.22.2      ; A record of host www
                                ; an A record stands for a real host: www.tornado.com is the address of a real server, usually a web server
wwww    IN CNAME www            ; CNAME record: an alias; this defines wwww.tornado.com as an alias of www.tornado.com
bbs     IN A    10.22.22.3      ; A record of host bbs
mx1     IN A    10.22.22.4      ; A record of host mx1
4. Check the zone data file syntax
[[email protected] named]# named-checkzone tornado.com. /var/named/tornado.com.zone
zone tornado.com/IN: loaded serial 2017010801
OK
5. Reload the service configuration and the zone data
First method
[[email protected] named]# service named restart
Stopping named:                                            [  OK  ]
Starting named:                                            [  OK  ]
Second method
[[email protected] named]# rndc reload
server reload successful
6. Test from the clients with the dig command (10.22.22.11, 10.22.22.12)
(1) Testing from 10.22.22.11: resolution works
[[email protected] ~]# dig -t A www.tornado.com   # basic dig syntax: dig [-t RR_TYPE] name [@SERVER] [query options]

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.3 <<>> -t A www.tornado.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15473
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.tornado.com.               IN      A

;; ANSWER SECTION:
www.tornado.com.        3600    IN      A       10.22.22.2

;; AUTHORITY SECTION:
tornado.com.            3600    IN      NS      ns1.tornado.com.

;; ADDITIONAL SECTION:
ns1.tornado.com.        3600    IN      A       10.22.22.1

;; Query time: 0 msec
;; SERVER: 10.22.22.1#53(10.22.22.1)
;; WHEN: Sun Nov 20 17:48:44 2016
;; MSG SIZE  rcvd: 83

[[email protected] ~]# dig -t A wwww.tornado.com   # test the alias of www.tornado.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.3 <<>> -t A wwww.tornado.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38708
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;wwww.tornado.com.              IN      A

;; ANSWER SECTION:
wwww.tornado.com.       3600    IN      CNAME   www.tornado.com.
www.tornado.com.        3600    IN      A       10.22.22.2

;; AUTHORITY SECTION:
tornado.com.            3600    IN      NS      ns1.tornado.com.

;; ADDITIONAL SECTION:
ns1.tornado.com.        3600    IN      A       10.22.22.1

;; Query time: 1 msec
;; SERVER: 10.22.22.1#53(10.22.22.1)
;; WHEN: Sun Nov 20 18:21:45 2016
;; MSG SIZE  rcvd: 102
(2) Testing from 10.22.22.12: resolution is refused, which shows that the allow-query directive configured for the tornado.com zone has taken effect
[[email protected] ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:68:11:4B
          inet addr:10.22.22.12  Bcast:10.22.22.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe68:114b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:110 errors:0 dropped:0 overruns:0 frame:0
          TX packets:100 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:12387 (12.0 KiB)  TX bytes:12762 (12.4 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

[[email protected] ~]# dig -t A mx1.tornado.com @10.22.22.1

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.3 <<>> -t A mx1.tornado.com @10.22.22.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 21872
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mx1.tornado.com.               IN      A

;; Query time: 2 msec
;; SERVER: 10.22.22.1#53(10.22.22.1)
;; WHEN: Sun Nov 20 12:38:04 2016
;; MSG SIZE  rcvd: 33

[[email protected] ~]# dig -t A www.tornado.com @10.22.22.1

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.3 <<>> -t A www.tornado.com @10.22.22.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 45617
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.tornado.com.               IN      A

;; Query time: 0 msec
;; SERVER: 10.22.22.1#53(10.22.22.1)
;; WHEN: Sun Nov 20 12:40:04 2016
;; MSG SIZE  rcvd: 33
A forward zone is now configured. Next, we configure a reverse zone.
III. Configure a reverse zone
1. Edit the zone configuration file
Zone configuration file: /etc/named.rfc1912.zones
[[email protected] named]# vim /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
};

zone "tornado.com" IN {
        type master;
        file "tornado.com.zone";
        allow-update { none; };
        allow-query { 10.22.22.11; };
};

zone "0.22.22.10.in-addr.arpa" IN {
        type master;
        file "10.22.22.zone";
        allow-update { none; };
        allow-query { 10.22.22.12; };
};
2. Check the zone configuration file syntax
[[email protected] named]# named-checkconf
3. Create the zone data file: 10.22.22.zone
/var/named/ is the default directory for the bind service's zone data files
[[email protected] named]# touch 10.22.22.zone && chown :named 10.22.22.zone && chmod o= 10.22.22.zone && vim 10.22.22.zone
$TTL 3600
$ORIGIN 22.22.10.in-addr.arpa.
@       IN SOA  ns1.tornado.com. tornado.tornado.com. (
        2018010801
        1H
        10M
        3D
        12H )
        IN NS   ns1.tornado.com.
2       IN PTR  www.tornado.com.        ; 2.22.22.10.in-addr.arpa is the name; www.tornado.com. (an FQDN) is the value
3       IN PTR  bbs.tornado.com.
4       IN PTR  mx1.tornado.com.
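The forward zone syntax explained in section II ($TTL, $ORIGIN, "@", relative names, the parenthesised SOA) and the reverse zone just written are two views of the same data. The added example below (my own Python, not code from the page or from BIND) parses the page's tornado.com.zone into fully qualified records and derives the PTR records of the 22.22.10.in-addr.arpa zone from its A records; the sample zone text is constructed here, and only /24 reverse zones are handled.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the forward zone from the page (tornado.com.zone), with
# ';' comments, relative owner names and a parenthesised multi-line SOA.
FORWARD_ZONE = """\
$TTL 3600
$ORIGIN tornado.com.
@       IN SOA ns1 tornado (
        2017010801 ; serial
        1H 10M 3D 1D )  ; refresh retry expire negative-ttl
        IN NS ns1
        IN MX 10 mx1
ns1     IN A 10.22.22.1
www     IN A 10.22.22.2
wwww    IN CNAME www
bbs     IN A 10.22.22.3
mx1     IN A 10.22.22.4
"""

TTL_UNITS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}


def parse_ttl(token):
    """Convert a TTL token such as 3600, 1H, 10M or 3D to seconds."""
    m = re.fullmatch(r"(\d+)([SMHDW]?)", token.upper())
    if not m:
        raise ValueError(f"bad TTL token: {token}")
    return int(m.group(1)) * TTL_UNITS[m.group(2) or "S"]


def qualify(name, origin):
    """'@' is the origin itself; a name without a trailing dot gets the origin
    appended; a fully qualified name (trailing dot) is kept as is."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def logical_lines(text):
    """Yield (owner_is_blank, tokens): ';' comments are stripped and a record
    spread over several lines with parentheses (the SOA) is joined into one."""
    buf, depth, blank = [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if not buf:
            blank = line[0].isspace()  # blank owner field: reuse previous owner
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            yield blank, " ".join(buf).split()
            buf = []


def parse_zone(text):
    """Return [(owner, ttl, type, rdata), ...] with every name fully qualified."""
    origin = default_ttl = owner = None
    records = []
    for blank, tokens in logical_lines(text):
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            default_ttl = parse_ttl(tokens[1])
            continue
        if origin is None:
            raise ValueError("resource record before $ORIGIN")
        if not blank:
            owner = qualify(tokens.pop(0), origin)
        ttl = default_ttl
        if re.fullmatch(r"\d+[SMHDW]?", tokens[0].upper()):
            ttl = parse_ttl(tokens.pop(0))
        if tokens[0].upper() == "IN":  # the class is optional and defaults to IN
            tokens.pop(0)
        rtype, rdata = tokens[0].upper(), tokens[1:]
        # rdata fields that are domain names are expanded against $ORIGIN as well
        if rtype in ("NS", "CNAME", "PTR"):
            rdata = [qualify(rdata[0], origin)]
        elif rtype == "MX":
            rdata = [rdata[0], qualify(rdata[1], origin)]
        elif rtype == "SOA":
            rdata = [qualify(rdata[0], origin), qualify(rdata[1], origin)] + rdata[2:]
        records.append((owner, ttl, rtype, rdata))
    return records


def reverse_ptrs(records, network):
    """Derive the in-addr.arpa data for a /24 from a forward zone's A records:
    returns (reverse zone origin, [(host octet, target FQDN), ...]).
    One PTR per address: the first A record seen for an address wins."""
    net = ip_network(network)
    if net.prefixlen != 24:
        raise ValueError("only /24 networks are handled here")
    origin = net.network_address.reverse_pointer.split(".", 1)[1] + "."
    seen, ptrs = set(), []
    for owner, _ttl, rtype, rdata in records:
        if rtype != "A" or ip_address(rdata[0]) not in net or rdata[0] in seen:
            continue
        seen.add(rdata[0])
        ptrs.append((rdata[0].rsplit(".", 1)[1], owner))
    return origin, ptrs
```

Generating the reverse zone from the forward zone this way keeps the two from drifting apart, which is the usual cause of a PTR answer that no longer matches the A record.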
4. Check the zone data file syntax
[[email protected] named]# named-checkzone 22.22.10.in-addr.arpa. /var/named/10.22.22.zone
zone 22.22.10.in-addr.arpa/IN: loaded serial 2018010801
OK
5. Reload the service
[[email protected] named]# service named restart
Stopping named:                                            [  OK  ]
Starting named:                                            [  OK  ]
6. Test reverse resolution from the clients
(1) From client 10.22.22.11 the query is refused, which shows that the allow-query directive has taken effect
[[email protected] ~]# dig -x 10.22.22.3 @10.22.22.1

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.3 <<>> -x 10.22.22.3 @10.22.22.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 5789
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;3.22.22.10.in-addr.arpa.       IN      PTR

;; Query time: 1 msec
;; SERVER: 10.22.22.1#53(10.22.22.1)
;; WHEN: Sun Nov 20 18:42:35 2016
;; MSG SIZE  rcvd: 41
(2) From client 10.22.22.12 the query resolves normally
[[email protected] ~]# dig -x 10.22.22.3 @10.22.22.1

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.3 <<>> -x 10.22.22.3 @10.22.22.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59123
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;3.22.22.10.in-addr.arpa.       IN      PTR

;; ANSWER SECTION:
3.22.22.10.in-addr.arpa. 3600   IN      PTR     bbs.tornado.com.

;; AUTHORITY SECTION:
22.22.10.in-addr.arpa.  3600    IN      NS      ns1.tornado.com.

;; Query time: 0 msec
;; SERVER: 10.22.22.1#53(10.22.22.1)
;; WHEN: Sun Nov 20 13:30:46 2016
;; MSG SIZE  rcvd: 88
The reverse zone is now configured. Next, we set up a slave DNS server for the tornado.com. domain.
IV. How to configure DNS master/slave?
1. Add the NS record of the slave DNS server to the master's tornado.com. zone data file, tornado.com.zone
[[email protected] named]# vim tornado.com.zone
$TTL 3600
$ORIGIN tornado.com.
@       IN SOA  ns1 tornado (
        2017010801
        1H
        10M
        3D
        1D
        ; note: with these timers alone there is still a window in which master and slave differ, so after the master has been configured you can reload both the master and the slave service to synchronise, or trigger a zone transfer yourself
        ; zone transfer command: dig -t axfr|ixfr tornado.com @(master_ip)10.22.22.1
        ; axfr transfers the whole zone; ixfr transfers only the changes
        )
        IN NS   ns1
        IN NS   ns2             ; name of the slave DNS server
        IN MX 10 mx1
ns1     IN A    10.22.22.1
ns2     IN A    10.22.22.2      ; A record of the slave DNS server
www     IN A    10.22.22.2
wwww    IN CNAME www
bbs     IN A    10.22.22.3
mx1     IN A    10.22.22.4
[[email protected] ~]# named-checkzone tornado.com /var/named/tornado.com.zone
[[email protected] named]# service named restart
Stopping named:                                            [  OK  ]
Starting named:                                            [  OK  ]
2. Install and configure the slave DNS server
[[email protected] ~]# yum install -y bind bind-libs bind-utils
Loaded plugins: fastestmirror
Setting up Install Process
base                                                     | 3.7 kB     00:00
base/primary_db                                          | 4.7 MB     00:03
extras                                                   | 3.4 kB     00:00
extras/primary_db                                        |  37 kB     00:00
updates                                                  | 3.4 kB     00:00
updates/primary_db                                       | 3.7 MB     00:02
Resolving Dependencies
--> Running transaction check
---> Package bind.x86_64 32:9.8.2-0.47.rc1.el6_8.3 will be installed
--> Processing Dependency: portreserve for package: 32:bind-9.8.2-0.47.rc1.el6_8.3.x86_64
---> Package bind-libs.x86_64 32:9.8.2-0.47.rc1.el6_8.3 will be installed
---> Package bind-utils.x86_64 32:9.8.2-0.47.rc1.el6_8.3 will be installed
--> Running transaction check
---> Package portreserve.x86_64 0:0.0.4-11.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package          Arch       Version                        Repository    Size
================================================================================
Installing:
 bind             x86_64     32:9.8.2-0.47.rc1.el6_8.3      updates      4.0 M
 bind-libs        x86_64     32:9.8.2-0.47.rc1.el6_8.3      updates      890 k
 bind-utils       x86_64     32:9.8.2-0.47.rc1.el6_8.3      updates      187 k
Installing for dependencies:
 portreserve      x86_64     0.0.4-11.el6                   base          23 k

Transaction Summary
================================================================================
Install       4 Package(s)

Total download size: 5.1 M
Installed size: 10 M
Downloading Packages:
(1/4): bind-9.8.2-0.47.rc1.el6_8.3.x86_64.rpm            | 4.0 MB     00:07
(2/4): bind-libs-9.8.2-0.47.rc1.el6_8.3.x86_64.rpm       | 890 kB     00:00
(3/4): bind-utils-9.8.2-0.47.rc1.el6_8.3.x86_64.rpm      | 187 kB     00:00
(4/4): portreserve-0.0.4-11.el6.x86_64.rpm               |  23 kB     00:00
--------------------------------------------------------------------------------
Total                                           541 kB/s | 5.1 MB     00:09
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
Importing GPG key 0xC105B9DE:
 Userid : CentOS-6 Key (CentOS 6 Official Signing Key) <[email protected]>
 Package: centos-release-6-7.el6.centos.12.3.x86_64 (@anaconda-CentOS-201508042137.x86_64/6.7)
 From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : 32:bind-libs-9.8.2-0.47.rc1.el6_8.3.x86_64                 1/4
  Installing : portreserve-0.0.4-11.el6.x86_64                            2/4
  Installing : 32:bind-9.8.2-0.47.rc1.el6_8.3.x86_64                      3/4
  Installing : 32:bind-utils-9.8.2-0.47.rc1.el6_8.3.x86_64                4/4
  Verifying  : 32:bind-utils-9.8.2-0.47.rc1.el6_8.3.x86_64                1/4
  Verifying  : portreserve-0.0.4-11.el6.x86_64                            2/4
  Verifying  : 32:bind-libs-9.8.2-0.47.rc1.el6_8.3.x86_64                 3/4
  Verifying  : 32:bind-9.8.2-0.47.rc1.el6_8.3.x86_64                      4/4

Installed:
  bind.x86_64 32:9.8.2-0.47.rc1.el6_8.3       bind-libs.x86_64 32:9.8.2-0.47.rc1.el6_8.3
  bind-utils.x86_64 32:9.8.2-0.47.rc1.el6_8.3

Dependency Installed:
  portreserve.x86_64 0:0.0.4-11.el6

Complete!
[[email protected] ~]# vim /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { 10.22.22.12; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
[[email protected] ~]# vim /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
};

zone "tornado.com" IN {
        type slave;
        file "slaves/tornado.com.zone";
        masters { 10.22.22.1; };
};
[[email protected] ~]# named-checkconf
[[email protected] slaves]# service iptables stop
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
[[email protected] slaves]# service named restart
Stopping named:                                            [  OK  ]
Starting named:                                            [  OK  ]
3. Test master/slave synchronisation
Note: 1. The clocks of the master and the slave DNS server must agree (ntpdate command)
# edit the master's zone data file
[[email protected] named]# vim tornado.com.zone
$TTL 3600
$ORIGIN tornado.com.
@       IN SOA  ns1 tornado (
        2017010804      ; increase the serial (after every modification of the master's zone file the serial must be increased so that the slave synchronises)
        1H
        10M
        3D
        1D
        )
        IN NS   ns1
        IN NS   ns2
        IN MX 10 mx1
ns1     IN A    10.22.22.1
ns2     IN A    10.22.22.2
www     IN A    10.22.22.5
aaa     IN A    10.22.22.6      ; newly added host record
wwww    IN CNAME www
bbs     IN A    10.22.22.3
mx1     IN A    10.22.22.4
# reload the service on the master DNS server
[[email protected] named]# rndc reload
server reload successful
# reload the service on the slave DNS server
[[email protected] slaves]# rndc reload
server reload successful
# view the slave's copy of the zone file
$ORIGIN .
$TTL 3600       ; 1 hour
tornado.com             IN SOA  ns1.tornado.com. tornado.tornado.com. (
                                2017010804 ; serial   ; the serial has changed
                                3600       ; refresh (1 hour)
                                600        ; retry (10 minutes)
                                259200     ; expire (3 days)
                                86400      ; minimum (1 day)
                                )
                        NS      ns1.tornado.com.
                        NS      ns2.tornado.com.
                        MX      10 mx1.tornado.com.
$ORIGIN tornado.com.
aaa                     A       10.22.22.6      ; the host A record has been synchronised as well
bbs                     A       10.22.22.3
mx1                     A       10.22.22.4
ns1                     A       10.22.22.1
ns2                     A       10.22.22.2
www                     A       10.22.22.5
wwww                    CNAME   www
# resolution test from client 10.22.22.11
[[email protected] ~]# dig -t A aaa.tornado.com @10.22.22.1

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.3 <<>> -t A aaa.tornado.com @10.22.22.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59449
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;aaa.tornado.com.               IN      A

;; ANSWER SECTION:
aaa.tornado.com.        3600    IN      A       10.22.22.6

;; AUTHORITY SECTION:
tornado.com.            3600    IN      NS      ns1.tornado.com.
tornado.com.            3600    IN      NS      ns2.tornado.com.

;; ADDITIONAL SECTION:
ns1.tornado.com.        3600    IN      A       10.22.22.1
ns2.tornado.com.        3600    IN      A       10.22.22.2

;; Query time: 0 msec
;; SERVER: 10.22.22.1#53(10.22.22.1)
;; WHEN: Sun Nov 20 19:21:08 2016
;; MSG SIZE  rcvd: 117

[[email protected] ~]# dig -t A aaa.tornado.com @10.22.22.2

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.3 <<>> -t A aaa.tornado.com @10.22.22.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33172
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;aaa.tornado.com.               IN      A

;; ANSWER SECTION:
aaa.tornado.com.        3600    IN      A       10.22.22.6

;; AUTHORITY SECTION:
tornado.com.            3600    IN      NS      ns1.tornado.com.
tornado.com.            3600    IN      NS      ns2.tornado.com.

;; ADDITIONAL SECTION:
ns1.tornado.com.        3600    IN      A       10.22.22.1
ns2.tornado.com.        3600    IN      A       10.22.22.2

;; Query time: 31 msec
;; SERVER: 10.22.22.2#53(10.22.22.2)
;; WHEN: Sun Nov 20 19:21:10 2016
;; MSG SIZE  rcvd: 117
# resolution test from client 10.22.22.12
[[email protected] ~]# dig -t A aaa.tornado.com @10.22.22.1   # 10.22.22.1 refuses the query because of allow-query

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.3 <<>> -t A aaa.tornado.com @10.22.22.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 60297
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;aaa.tornado.com.               IN      A

;; Query time: 1 msec
;; SERVER: 10.22.22.1#53(10.22.22.1)
;; WHEN: Sun Nov 20 14:09:37 2016
;; MSG SIZE  rcvd: 33

[[email protected] ~]# dig -t A aaa.tornado.com @10.22.22.2   # 10.22.22.2 answers, which shows that allow-query is not transferred from the master and has to be configured on the slave itself

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.3 <<>> -t A aaa.tornado.com @10.22.22.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44199
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;aaa.tornado.com.               IN      A

;; ANSWER SECTION:
aaa.tornado.com.        3600    IN      A       10.22.22.6

;; AUTHORITY SECTION:
tornado.com.            3600    IN      NS      ns2.tornado.com.
tornado.com.            3600    IN      NS      ns1.tornado.com.

;; ADDITIONAL SECTION:
ns1.tornado.com.        3600    IN      A       10.22.22.1
ns2.tornado.com.        3600    IN      A       10.22.22.2

;; Query time: 0 msec
;; SERVER: 10.22.22.2#53(10.22.22.2)
;; WHEN: Sun Nov 20 14:09:34 2016
;; MSG SIZE  rcvd: 117
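The slave decides whether to transfer purely by comparing the master's SOA serial with its own copy, which is why the page insists on bumping the serial after every edit. The added example below (my own Python, not code from the page or from BIND) extracts the serial from both the hand-written master layout and the dump layout named writes under slaves/, applies RFC 1982 serial arithmetic to the comparison, computes the next YYYYMMDDnn serial so that it always increases, and flags an edit whose records changed without a serial bump; both zone texts are constructed samples.

```python
import re
from datetime import date

SERIAL_MOD = 2 ** 32

# Constructed samples: the master's hand-written zone after the edit on the
# page (serial 2017010804) and a slave copy in the layout named writes under
# /var/named/slaves/ that still carries the previous serial.
MASTER_ZONE = """\
$TTL 3600
$ORIGIN tornado.com.
@       IN SOA ns1 tornado (
        2017010804 ; serial
        1H 10M 3D 1D )
        IN NS ns1
        IN NS ns2
ns1     IN A 10.22.22.1
ns2     IN A 10.22.22.2
"""

SLAVE_COPY = """\
$ORIGIN .
$TTL 3600       ; 1 hour
tornado.com             IN SOA  ns1.tornado.com. tornado.tornado.com. (
                                2017010801 ; serial
                                3600       ; refresh (1 hour)
                                600        ; retry (10 minutes)
                                259200     ; expire (3 days)
                                86400      ; minimum (1 day)
                                )
                        NS      ns1.tornado.com.
"""


def soa_serial(zone_text):
    """Return the SOA serial of a zone file, in either the hand-written master
    layout or the dump layout named writes for slave zones."""
    no_comments = "\n".join(l.split(";", 1)[0] for l in zone_text.splitlines())
    m = re.search(r"\bSOA\s+\S+\s+\S+\s*\(?\s*(\d+)", no_comments)
    if not m:
        raise ValueError("no SOA record found")
    return int(m.group(1))


def serial_newer(a, b):
    """RFC 1982 serial arithmetic: True when a is newer than b, also across the
    32-bit wrap. This is the comparison a slave makes before transferring."""
    return a != b and ((a > b and a - b < 2 ** 31) or (a < b and b - a > 2 ** 31))


def transfer_decision(master_text, slave_text):
    """What a slave concludes after asking the master for its SOA record."""
    m, s = soa_serial(master_text), soa_serial(slave_text)
    if m == s:
        return "in sync"  # even if the master's records changed underneath
    return "transfer" if serial_newer(m, s) else "master serial went backwards"


def next_serial(current, today=None):
    """Next serial in the YYYYMMDDnn convention the page uses; today is an int
    such as 20170108. Falls back to current + 1 when today's prefix would not
    exceed the current serial (several edits per day, or a clock that went
    backwards), so the serial always increases, modulo 2^32."""
    today = today or int(date.today().strftime("%Y%m%d"))
    candidate = today * 100 + 1
    return (candidate if candidate > current else current + 1) % SERIAL_MOD


def edit_is_consistent(before, after):
    """Guard for the mistake the page warns about: records were changed but
    the serial was not bumped, so slaves would never pick the change up."""
    s_before, s_after = soa_serial(before), soa_serial(after)
    body_before = before.replace(str(s_before), "SERIAL", 1)
    body_after = after.replace(str(s_after), "SERIAL", 1)
    if body_before == body_after:
        return True  # nothing changed, no bump needed
    return serial_newer(s_after, s_before)
```

Running edit_is_consistent over the old and new copy of a zone file before rndc reload catches the unbumped-serial case that named-checkzone cannot see, since the file is syntactically valid either way.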
DNS master/slave is now configured. Next, we introduce subdomain delegation.
V. How to configure subdomain delegation?
1. Modify the master DNS server's zone data file: add the NS records of the subdomain and the matching A records
Note: to resolve names such as www.ops.tornado.com, two more DNS servers have to be set up for the subdomain, one master and one slave
[[email protected] named]# vim tornado.com.zone
$TTL 3600
$ORIGIN tornado.com.
@       IN SOA  ns1 tornado (
        2017010805
        1H
        10M
        3D
        1D
        )
        IN NS   ns1
        IN NS   ns2
        IN NS   ns3.ops         ; name of the subdomain's master DNS server
        IN NS   ns4.ops         ; name of the subdomain's slave DNS server
                                ; note: with a blank owner field these two NS records attach to tornado.com itself; a delegation of ops.tornado.com needs the owner name ops (ops IN NS ns3.ops)
        IN MX 10 mx1
ns1     IN A    10.22.22.1
ns2     IN A    10.22.22.2
ns3.ops IN A    10.22.22.3      ; A record matching the subdomain's master DNS server name
ns4.ops IN A    10.22.22.4      ; A record matching the subdomain's slave DNS server name
www     IN A    10.22.22.5
aaa     IN A    10.22.22.6
mx1     IN A    10.22.22.7
[[email protected] named]# named-checkconf
[[email protected] named]# service named restart
Stopping named:                                            [  OK  ]
Starting named:                                            [  OK  ]
2. Reload the service on the slave DNS server
[[email protected] slaves]# service named restart
Stopping named:                                            [  OK  ]
Starting named:                                            [  OK  ]
[[email protected] slaves]# vim /var/named/slaves/tornado.com.zone
$ORIGIN .
$TTL 3600       ; 1 hour
tornado.com             IN SOA  ns1.tornado.com. tornado.tornado.com. (
                                2017010805 ; serial   ; synchronised
                                3600       ; refresh (1 hour)
                                600        ; retry (10 minutes)
                                259200     ; expire (3 days)
                                86400      ; minimum (1 day)
                                )
                        NS      ns1.tornado.com.
                        NS      ns2.tornado.com.
                        NS      ns3.ops.tornado.com.
                        NS      ns4.ops.tornado.com.
                        MX      10 mx1.tornado.com.
$ORIGIN tornado.com.
aaa                     A       10.22.22.6
mx1                     A       10.22.22.7
ns1                     A       10.22.22.1
ns2                     A       10.22.22.2
$ORIGIN ops.tornado.com.
ns3                     A       10.22.22.3      ; synchronised
ns4                     A       10.22.22.4      ; synchronised
$ORIGIN tornado.com.
www                     A       10.22.22.5
VI. How to configure forwarding?
1. Zone forwarding (configured in a zone section)
/etc/named.rfc1912.zones
zone "google.com" IN {
        type forward;
        forward first;                  // two possible values: first (forward first, and iterate on its own if the forwarder does not answer) or only (forward only, never iterate)
        forwarders { server_ip; };      // the address of the DNS server to forward to
};
2. Global forwarding (configured in the options section of the main configuration file)
options {
        ...
        forward only;                   // two possible values: first (forward first, and iterate on its own if the forwarder does not answer) or only (forward only, never iterate)
        forwarders { server_ip; };      // the address of the DNS server to forward to
        ...
};
VII. How to configure BIND views?
1. Views are used to implement "smart DNS" (answers that depend on where the client comes from). The configuration format is:
view view_name {
        zone;
        zone;
        zone;
};
2. Example view configuration and its explanation
Requests from the China Unicom 10.22.22.0 network: queries for tornado.com are looked up in the zone file "tornado.com/cmcc", and queries for google.com in the zone file "google.com/cmcc"
view cmcc {
        match-clients { 10.22.22.0/24; };       // match-clients takes an address match list; a bare address such as 10.22.22.0 would match only that one host, so give the network with its prefix length
        zone "tornado.com" IN {
                type master;
                file "tornado.com/cmcc";
        };
        zone "google.com" IN {
                type master;
                file "google.com/cmcc";
        };
};
Requests from the China Telecom 10.22.22.0 network: queries for tornado.com are looked up in the zone file "tornado.com/cucc", and queries for google.com in the zone file "google.com/cucc"
view cucc {
        match-clients { 10.22.22.0/24; };
        zone "tornado.com" IN {
                type master;
                file "tornado.com/cucc";
        };
        zone "google.com" IN {
                type master;
                file "google.com/cucc";
        };
};
Views are tried in the order they are written and a client is served by the first view whose match-clients accepts it, so two views with the same match-clients, as above, leave the second one unreachable; each operator's view needs its own client networks. Also, once any view is defined, every zone, including the ones in named.rfc1912.zones, has to be placed inside a view.
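allow-query in section II and match-clients here are both BIND address match lists, and the REFUSED answers seen earlier and the view a client lands in follow from the same first-match rule. The added example below (my own Python model of that rule, not code from the page or from BIND) evaluates such lists with negation, the any/none/localhost built-ins and named acls, then applies them to the page's allow-query { 10.22.22.11; } and to view selection, reporting a view that can never be reached; the 10.22.23.0/24 network used for the corrected cucc view is an assumed value.

```python
from ipaddress import ip_address, ip_network


class AddressMatchList:
    """Model of a BIND address_match_list, the value of allow-query,
    allow-transfer, allow-recursion and match-clients: elements are tried in
    order, the first element that matches decides, a '!' prefix on that element
    means deny, and a client that matches no element is denied."""

    BUILTIN = {
        "any": [ip_network("0.0.0.0/0"), ip_network("::/0")],
        "none": [],
        "localhost": [ip_network("127.0.0.0/8"), ip_network("::1/128")],
    }

    def __init__(self, elements, acls=None):
        self.elements = list(elements)  # e.g. ["!10.22.22.12", "mynet"]
        self.acls = acls or {}          # named acl definitions: {"mynet": [...]}

    def _element_matches(self, element, client):
        if element in self.acls:        # nested acl: matches if it would allow
            return AddressMatchList(self.acls[element], self.acls).allows(client)
        if element in self.BUILTIN:
            nets = self.BUILTIN[element]
        else:
            # a bare address such as "10.22.22.0" is ONE host; a network needs "/24"
            nets = [ip_network(element, strict=False)]
        return any(client in net for net in nets)

    def allows(self, client):
        client = ip_address(client)
        for element in self.elements:
            negate = element.startswith("!")
            if self._element_matches(element.lstrip("!").strip(), client):
                return not negate
        return False


def select_view(views, client):
    """named hands a query to the first view whose match-clients accepts the
    client; views is an ordered list of (name, AddressMatchList). None means
    no view matched and the query is refused."""
    for name, acl in views:
        if acl.allows(client):
            return name
    return None


def unreachable_views(views):
    """Views that can never be selected because an earlier view has an
    identical match-clients list (only exact duplicates are detected)."""
    seen, dead = [], []
    for name, acl in views:
        if acl.elements in seen:
            dead.append(name)
        else:
            seen.append(acl.elements)
    return dead


# Constructed setup mirroring the page: the zone's allow-query { 10.22.22.11; }
# and two views that ended up with the same client network.
ZONE_ALLOW_QUERY = AddressMatchList(["10.22.22.11"])
PAGE_VIEWS = [
    ("cmcc", AddressMatchList(["10.22.22.0/24"])),
    ("cucc", AddressMatchList(["10.22.22.0/24"])),
]
# Corrected layout (10.22.23.0/24 for cucc is an assumed value): each operator
# network gets its own view and a final catch-all view serves everyone else.
FIXED_VIEWS = [
    ("cmcc", AddressMatchList(["10.22.22.0/24"])),
    ("cucc", AddressMatchList(["10.22.23.0/24"])),
    ("default", AddressMatchList(["any"])),
]
```

The same allows() check models allow-transfer, which is the list to tighten to the slaves' addresses once a secondary exists, as the page recommends.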
That concludes the introduction to all of BIND's basic features.
This article is from the blog “自动化学习之路”; reposting is declined.