[Service setup] bind forward and reverse zones, master/slave replication, subdomain delegation and basic security settings


Lab environment

System      Hostname            IP                Role
Centos6.8   nod1.wupeng.com     10.208.131.222    master server
Centos6.8   nod2.wupeng.com     10.208.131.228    slave server
Centos6.8   nod3.wupeng.com     10.208.131.229    subdomain server


bind packages:

 bind: the DNS server program itself plus a few commonly used test programs;
 bind-libs: library files shared by the programs in the bind and bind-utils packages;
 bind-utils: the bind client tools, e.g. dig, host, nslookup;
 bind-chroot: optional; runs named inside a chroot jail;


On each of the three hosts change the hostname, flush the firewall rules and disable SELinux (the saved iptables and SELinux configuration only takes effect after the service is restarted)


Change the hostname on nod1

[[email protected] ~]# vim /etc/sysconfig/network    
NETWORKING=yes
HOSTNAME=nod1.wupeng.com


Change the hostname on nod2

[[email protected] ~]# vim /etc/sysconfig/network    
NETWORKING=yes
HOSTNAME=nod2.wupeng.com


Change the hostname on nod3

[[email protected] ~]# vim /etc/sysconfig/network    
NETWORKING=yes
HOSTNAME=nod3.wupeng.com


Flush the firewall rules on nod1

[[email protected] ~]# iptables -F 
[[email protected] ~]# service iptables save


Flush the firewall rules on nod2

[[email protected] ~]# iptables -F 
[[email protected] ~]# service iptables save


Flush the firewall rules on nod3

[[email protected] ~]# iptables -F 
[[email protected] ~]# service iptables save


Disable SELinux on nod1

[[email protected] ~]# vim /etc/sysconfig/selinux    (or: vim /etc/selinux/config)
SELINUX=disabled


Disable SELinux on nod2

[[email protected] ~]# vim /etc/sysconfig/selinux    (or: vim /etc/selinux/config)
SELINUX=disabled


Disable SELinux on nod3

[[email protected] ~]# vim /etc/sysconfig/selinux    (or: vim /etc/selinux/config)
SELINUX=disabled


Synchronise the clocks of the three hosts; the ntpdate command can be used for this

[[email protected] ~]# yum install ntpdate -y

[[email protected] ~]# yum install ntpdate -y

[[email protected] ~]# yum install ntpdate -y


[[email protected] ~]# ntpdate ntp.api.bz

28 Jun 15:42:08 ntpdate[1598]: step time server 17.253.84.125 offset 856096.191423 sec


[[email protected] ~]# ntpdate ntp.api.bz

28 Jun 15:42:08 ntpdate[1577]: step time server 17.253.84.125 offset 854843.947376 sec


[[email protected] ~]# ntpdate ntp.api.bz

28 Jun 15:42:08 ntpdate[1593]: step time server 17.253.84.125 offset 599540.432080 sec


Forward zone configuration

Install the bind packages on nod1


[[email protected] ~]# yum install bind bind-utils -y      // bind-libs is pulled in as a dependency



Edit the main configuration file /etc/named.conf


[[email protected] ~]# vim /etc/named.conf 



options {
        listen-on port 53 { 127.0.0.1; 10.208.131.222; };        // listen addresses
//      listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };                   // accept queries from anyone
        recursion yes;
        dnssec-enable no;                          // DNSSEC off
        dnssec-validation no;                        // DNSSEC validation off
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
};

Edit /etc/named.rfc1912.zones and define the forward zone


[[email protected] ~]# vim /etc/named.rfc1912.zones 

zone "wupeng.com" IN {
        type master;
        file "wupeng.com.zone";
};

Create the zone data file for wupeng.com from the template; the file mode must be 640 and the group named

[[email protected] ~]# cd /var/named/

Method 1 (cp -p keeps the template's mode and group):
[[email protected] named]# cp -p named.localhost wupeng.com.zone
Method 2 (set mode and group by hand):
[[email protected] named]# cp -rf named.localhost wupeng.com.zone
[[email protected] named]# chmod 640 wupeng.com.zone 
[[email protected] named]# chgrp named wupeng.com.zone

Check the file attributes

[[email protected] named]# ll wupeng.com.zone 
-rw-r----- 1 root named 152 6月  21 2007 wupeng.com.zone

Edit wupeng.com.zone and add the NS and A records

[[email protected] named]# vim wupeng.com.zone 

$TTL 1D
$ORIGIN wupeng.com.
@       IN SOA  ns1.wupeng.com. admin.wupeng.com. (
                                        2017062800      ; serial
                                        1D              ; refresh
                                        1H              ; retry
                                        1W              ; expire
                                        3H )            ; minimum
        IN      NS      ns1.wupeng.com.
ns1     IN      A       10.208.131.222
www     IN      A       10.208.131.223

Check the main configuration file and the zone data file for errors

[[email protected] named]# named-checkconf                        // no output means the configuration is fine
[[email protected] named]# named-checkzone wupeng.com /var/named/wupeng.com.zone 
zone wupeng.com/IN: loaded serial 2017062800
OK

Start bind and test forward resolution

[[email protected] named]# service named start

Generating /etc/rndc.key:                                  [确定]

启动 named:                                           [确定]


Test:

[[email protected] named]# dig -t A www.wupeng.com @10.208.131.222


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> -t A www.wupeng.com @10.208.131.222

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33056

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1


;; QUESTION SECTION:

;www.wupeng.com. IN A


;; ANSWER SECTION:

www.wupeng.com. 86400 IN A 10.208.131.223


;; AUTHORITY SECTION:

wupeng.com. 86400 IN NS ns1.wupeng.com.


;; ADDITIONAL SECTION:

ns1.wupeng.com. 86400 IN A 10.208.131.222


;; Query time: 0 msec

;; SERVER: 10.208.131.222#53(10.208.131.222)

;; WHEN: Wed Jun 28 21:26:24 2017

;; MSG SIZE  rcvd: 82


Explanation:

-t A www.wupeng.com    query the A record of this name

@10.208.131.222        send the query to 10.208.131.222; nothing needs to be set in /etc/resolv.conf


Edit /etc/named.rfc1912.zones and define the reverse zone

[[email protected] named]# vim /etc/named.rfc1912.zones
zone "131.208.10.in-addr.arpa" IN {
        type master;
        file "10.208.131.zone";         // must match the data file name created below
};

Create the reverse zone data file 10.208.131.zone from the template; the file mode must be 640 and the group named

[[email protected] ~]# cd /var/named/

Method 1:
[[email protected] named]# cp -p named.loopback 10.208.131.zone
Method 2:
[[email protected] named]# cp -rf named.loopback 10.208.131.zone
[[email protected] named]# chmod 640 10.208.131.zone
[[email protected] named]# chgrp named 10.208.131.zone

Check the file attributes

[[email protected] named]# ll 10.208.131.zone 

-rw-r----- 1 root named 263 6月  28 21:07 10.208.131.zone


Edit 10.208.131.zone and add the NS and PTR records

[[email protected] named]# vim 10.208.131.zone
$TTL 1D
$ORIGIN 131.208.10.in-addr.arpa.
@       IN SOA  ns1.wupeng.com. admin.wupeng.com. (      ; trailing dots: otherwise $ORIGIN is appended
                                        2017062800        ; serial
                                        1D              ; refresh
                                        1H              ; retry
                                        1W              ; expire
                                        3H )             ; minimum
        IN      NS      ns1.wupeng.com.
222     IN      PTR     ns1.wupeng.com.
223     IN      PTR     www.wupeng.com.

Reload bind and test reverse resolution


[[email protected] named]# rndc reload

server reload successful


Test:

[[email protected] named]# dig -x 10.208.131.223 @10.208.131.222


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> -x 10.208.131.223 @10.208.131.222

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54483

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1


;; QUESTION SECTION:

;223.131.208.10.in-addr.arpa. IN PTR


;; ANSWER SECTION:

223.131.208.10.in-addr.arpa. 86400 IN PTR www.wupeng.com.


;; AUTHORITY SECTION:

131.208.10.in-addr.arpa. 86400 IN NS ns1.wupeng.com.


;; ADDITIONAL SECTION:

ns1.wupeng.com. 86400 IN A 10.208.131.222


;; Query time: 0 msec

;; SERVER: 10.208.131.222#53(10.208.131.222)

;; WHEN: Wed Jun 28 21:19:16 2017

;; MSG SIZE  rcvd: 107


Master/slave replication

On the master add NS and A records for the slave, then reload the service

$TTL 1D
$ORIGIN wupeng.com.
@       IN SOA  ns1.wupeng.com. admin.wupeng.com. (
                                        2017062802        ; serial
                                        1D              ; refresh
                                        1H              ; retry
                                        1W              ; expire
                                        3H )             ; minimum
        IN      NS      ns1.wupeng.com.
        IN      NS      ns2.wupeng.com.
ns1     IN      A       10.208.131.222
ns2     IN      A       10.208.131.228
www     IN      A       10.208.131.223

[[email protected] named]# rndc reload

server reload successful



Install the bind packages on nod2

[[email protected] ~]# yum install bind bind-utils -y

Configure the main bind file

vim /etc/named.conf
options {
        listen-on port 53 { 127.0.0.1; 10.208.131.228; };
//      listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        recursion yes;
        dnssec-enable no;
        dnssec-validation no;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
};

Configure the zone definitions

[[email protected] ~]# vim /etc/named.rfc1912.zones 
zone "wupeng.com" IN {
        type slave;
        file "slaves/wupeng.com";
        masters { 10.208.131.222; };
};
zone "131.208.10.in-addr.arpa" IN {
        type slave;
        file "slaves/10.208.131.zone";      // transferred copies go into the slaves directory
        masters { 10.208.131.222; };
};


Check the configuration for errors

[[email protected] ~]# named-checkconf 


Start bind, check that the zone data has been transferred into the slaves directory, and test


[[email protected] ~]# service named start

启动 named:                                               [确定]


[[email protected] ~]# ll /var/named/slaves/

总用量 8

-rw-r--r-- 1 named named 390 6月  28 21:55 10.208.131.zone

-rw-r--r-- 1 named named 335 6月  28 21:54 wupeng.com


Test:

[[email protected] ~]# dig www.wupeng.com @10.208.131.228


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> www.wupeng.com @10.208.131.228

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1634

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1


;; QUESTION SECTION:

;www.wupeng.com. IN A


;; ANSWER SECTION:

www.wupeng.com. 86400 IN A 10.208.131.223


;; AUTHORITY SECTION:

wupeng.com. 86400 IN NS ns1.wupeng.com.


;; ADDITIONAL SECTION:

ns1.wupeng.com. 86400 IN A 10.208.131.222


;; Query time: 0 msec

;; SERVER: 10.208.131.228#53(10.208.131.228)

;; WHEN: Wed Jun 28 21:56:38 2017

;; MSG SIZE  rcvd: 82



[[email protected] ~]# dig -x 10.208.131.223 @10.208.131.228


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> -x 10.208.131.223 @10.208.131.228

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18940

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1


;; QUESTION SECTION:

;223.131.208.10.in-addr.arpa. IN PTR


;; ANSWER SECTION:

223.131.208.10.in-addr.arpa. 86400 IN PTR www.wupeng.com.


;; AUTHORITY SECTION:

131.208.10.in-addr.arpa. 86400 IN NS ns1.wupeng.com.


;; ADDITIONAL SECTION:

ns1.wupeng.com. 86400 IN A 10.208.131.222


;; Query time: 0 msec

;; SERVER: 10.208.131.228#53(10.208.131.228)

;; WHEN: Wed Jun 28 21:57:05 2017

;; MSG SIZE  rcvd: 107


Add a record on the master and test again

[[email protected] named]# vim /var/named/wupeng.com.zone 
$TTL 1D
$ORIGIN wupeng.com.
@       IN SOA  ns1.wupeng.com. admin.wupeng.com. (
                                        2017062803         ; serial, bumped: slaves only transfer when it increases
                                        1D              ; refresh
                                        1H              ; retry
                                        1W              ; expire
                                        3H )             ; minimum
        IN      NS      ns1.wupeng.com.
        IN      NS      ns2.wupeng.com.
ns1     IN      A       10.208.131.222
ns2     IN      A       10.208.131.228
www     IN      A       10.208.131.223
dns     IN      A       10.208.131.224



[[email protected] named]# vim 10.208.131.zone 
$TTL 1D
$ORIGIN 131.208.10.in-addr.arpa.
@       IN SOA  ns1.wupeng.com. admin.wupeng.com. (
                                        2017062803         ; serial, bumped: slaves only transfer when it increases
                                        1D              ; refresh
                                        1H              ; retry
                                        1W              ; expire
                                        3H )             ; minimum
        IN      NS      ns1.wupeng.com.
        IN      NS      ns2.wupeng.com.
222     IN      PTR    ns1.wupeng.com.
228     IN      PTR    ns2.wupeng.com.
223     IN      PTR    www.wupeng.com.
224     IN      PTR    dns.wupeng.com.


Reload the master

[[email protected] named]# rndc reload

server reload successful

Reload the slave

[[email protected] ~]# rndc reload wupeng.com 

zone refresh queued

[[email protected] ~]# rndc reload 131.208.10.in-addr.arpa

zone refresh queued

NOTE: a bare rndc reload does not take effect on the slave; after many attempts it only worked with the zone name appended


Test:

[[email protected] ~]# dig dns.wupeng.com @10.208.131.228


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> dns.wupeng.com @10.208.131.228

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30389

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1


;; QUESTION SECTION:

;dns.wupeng.com. IN A


;; ANSWER SECTION:

dns.wupeng.com. 86400 IN A 10.208.131.224


;; AUTHORITY SECTION:

wupeng.com. 86400 IN NS ns1.wupeng.com.


;; ADDITIONAL SECTION:

ns1.wupeng.com. 86400 IN A 10.208.131.222


;; Query time: 0 msec

;; SERVER: 10.208.131.228#53(10.208.131.228)

;; WHEN: Wed Jun 28 22:29:46 2017

;; MSG SIZE  rcvd: 82


[[email protected] ~]# dig -x 10.208.131.224 @10.208.131.228


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> -x 10.208.131.224 @10.208.131.228

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20995

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1


;; QUESTION SECTION:

;224.131.208.10.in-addr.arpa. IN PTR


;; ANSWER SECTION:

224.131.208.10.in-addr.arpa. 86400 IN PTR dns.wupeng.com.


;; AUTHORITY SECTION:

131.208.10.in-addr.arpa. 86400 IN NS ns1.wupeng.com.


;; ADDITIONAL SECTION:

ns1.wupeng.com. 86400 IN A 10.208.131.222


;; Query time: 1 msec

;; SERVER: 10.208.131.228#53(10.208.131.228)

;; WHEN: Wed Jun 28 22:30:07 2017

;; MSG SIZE  rcvd: 107


Subdomain configuration

Install the bind packages on nod3 and configure the main file

[[email protected] ~]# yum install bind bind-utils -y
[[email protected] ~]# vim /etc/named.conf
options {
        listen-on port 53 { 127.0.0.1; 10.208.131.229; };
//      listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        recursion yes;
        dnssec-enable no;
        dnssec-validation no;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
};
[[email protected] ~]# vim /etc/named.rfc1912.zones 
zone "music.wupeng.com" IN {
        type master;
        file "music.wupeng.com.zone";
};
zone "wupeng.com" IN {                                    // forwarding must be configured for queries of the parent zone to be answered and zone transfers to work
        type forward;
        forward only;
        forwarders { 10.208.131.222; 10.208.131.228; };
};


Create the subdomain zone file from the template

[[email protected] named]# cp -p named.localhost music.wupeng.com.zone

[[email protected] named]# vim music.wupeng.com.zone

$TTL 1D
$ORIGIN music.wupeng.com.
@       IN SOA  ns3.music.wupeng.com. admin.music.wupeng.com. (
                                        2017062800      ; serial
                                        1D              ; refresh
                                        1H              ; retry
                                        1W              ; expire
                                        3H )            ; minimum
        IN      NS      ns3             ; relative to $ORIGIN, i.e. ns3.music.wupeng.com.
ns3     IN      A       10.208.131.229
www     IN      A       10.208.131.230

Check for configuration errors


[[email protected] named]# named-checkzone music.wupeng.com /var/named/music.wupeng.com.zone 

zone music.wupeng.com/IN: loaded serial 2017062800

OK


On the master add the NS (delegation) and A (glue) records for the subdomain

[[email protected] named]# vim /var/named/wupeng.com.zone
$TTL 1D
$ORIGIN wupeng.com.
@       IN SOA  ns1.wupeng.com. admin.wupeng.com. (
                                        2017062804      ; serial, bumped for this change
                                        1D              ; refresh
                                        1H              ; retry
                                        1W              ; expire
                                        3H )            ; minimum
        IN      NS      ns1.wupeng.com.
        IN      NS      ns2.wupeng.com.
ns1     IN      A       10.208.131.222
ns2     IN      A       10.208.131.228
www     IN      A       10.208.131.223
dns     IN      A       10.208.131.224

; delegate music.wupeng.com to ns3.music.wupeng.com, with a glue A record for it
music     IN      NS    ns3.music
ns3.music IN      A     10.208.131.229
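The dig output below for www.music.wupeng.com shows what named does with a relative name in RDATA: it appends $ORIGIN, so `ns3.music` inside the music.wupeng.com zone becomes ns3.music.music.wupeng.com., and in the reverse zone an SOA host written as ns1.wupeng.com without its trailing dot becomes ns1.wupeng.com.131.208.10.in-addr.arpa. The zone linter below is an added example, not code from the original post: it expands names the way named does and flags both of those mistakes, plus a delegation NS record placed at the wrong owner label or lacking glue; the zone texts it carries are constructed samples modelled on this walkthrough.

```python
"""Zone-file linter (constructed example): expands relative names the way named
does and flags missing trailing dots, misplaced delegations and missing glue."""
import re

def expand(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text):
    """Minimal parser: $ORIGIN, blank-owner inheritance, ( ) SOA, NS/A/PTR."""
    text = re.sub(r";[^\n]*", "", text)                      # strip comments
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)
    origin, owner, records = ".", ".", []
    for line in text.splitlines():
        if not line.strip() or line.startswith("$TTL"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        fields = line.split()
        if not line[0].isspace():                            # explicit owner
            owner = expand(fields.pop(0), origin)
        if fields and fields[0].isdigit():                   # optional TTL
            fields.pop(0)
        if fields and fields[0].upper() == "IN":             # optional class
            fields.pop(0)
        rtype, rdata = fields[0].upper(), fields[1:]
        raw = rdata[0] if rtype in ("SOA", "NS", "PTR", "CNAME") else None
        if raw is not None:
            rdata[0] = expand(raw, origin)                   # what named stores
        records.append((owner, rtype, rdata, raw))
    return origin, records

def lint(text):
    """Return human-readable findings for the zone text."""
    origin, records = parse_zone(text)
    a_owners = {o for o, t, _, _ in records if t == "A"}
    findings = []
    for owner, rtype, rdata, raw in records:
        if raw and "." in raw and not raw.endswith("."):
            findings.append(f"{rtype} at {owner}: relative '{raw}' is read as "
                            f"{rdata[0]}; add a trailing dot if that is not intended")
        if rtype == "NS" and owner != origin:                # a delegation
            target = rdata[0]
            if target.endswith("." + origin) and not target.endswith("." + owner):
                findings.append(f"delegation at {owner} names {target}, which is "
                                f"inside {origin} but not below {owner}: wrong owner label")
            elif target.endswith("." + owner) and target not in a_owners:
                findings.append(f"delegation at {owner} -> {target} has no glue A record")
    return findings

# Constructed samples: reverse zone with the SOA dot forgotten; parent zone delegating wrongly and correctly.
REVERSE = """$ORIGIN 131.208.10.in-addr.arpa.
@   IN SOA ns1.wupeng.com admin.wupeng.com. ( 2017062800 1D 1H 1W 3H )
    IN NS  ns1.wupeng.com.
"""
PARENT_BAD = """$ORIGIN wupeng.com.
@         IN SOA ns1.wupeng.com. admin.wupeng.com. ( 2017062802 1D 1H 1W 3H )
          IN NS  ns1.wupeng.com.
ns1       IN A   10.208.131.222
ns3       IN NS  ns3.music
ns3.music IN A   10.208.131.229
"""
PARENT_OK = PARENT_BAD.replace("ns3       IN NS", "music     IN NS")
```

Running lint on a real file (`lint(open("/var/named/wupeng.com.zone").read())`) complements named-checkzone, which accepts all three of these mistakes as syntactically valid.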


Reload the master configuration and start the bind service on nod3

[[email protected] named]# rndc reload

server reload successful


Test:

[[email protected] named]# dig www.music.wupeng.com @10.208.131.229


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> www.music.wupeng.com @10.208.131.229

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46119

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1


;; QUESTION SECTION:

;www.music.wupeng.com. IN A


;; ANSWER SECTION:

www.music.wupeng.com. 86400 IN A 10.208.131.230


;; AUTHORITY SECTION:

music.wupeng.com. 86400 IN NS ns3.music.music.wupeng.com.


;; ADDITIONAL SECTION:

ns3.music.music.wupeng.com. 86400 IN A 10.208.131.229


;; Query time: 0 msec

;; SERVER: 10.208.131.229#53(10.208.131.229)

;; WHEN: Wed Jun 28 23:28:55 2017

;; MSG SIZE  rcvd: 94


[[email protected] named]# dig www.wupeng.com @10.208.131.229


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> www.wupeng.com @10.208.131.229

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25255

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2


;; QUESTION SECTION:

;www.wupeng.com. IN A


;; ANSWER SECTION:

www.wupeng.com. 86365 IN A 10.208.131.223


;; AUTHORITY SECTION:

wupeng.com. 86365 IN NS ns1.wupeng.com.

wupeng.com. 86365 IN NS ns2.wupeng.com.


;; ADDITIONAL SECTION:

ns1.wupeng.com. 86365 IN A 10.208.131.222

ns2.wupeng.com. 86365 IN A 10.208.131.228


;; Query time: 13 msec

;; SERVER: 10.208.131.229#53(10.208.131.229)

;; WHEN: Wed Jun 28 23:29:06 2017

;; MSG SIZE  rcvd: 116


[[email protected] named]# dig -t axfr wupeng.com @10.208.131.222        // full zone transfer (AXFR)


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> -t axfr wupeng.com @10.208.131.222

;; global options: +cmd

wupeng.com. 86400 IN SOA ns1.wupeng.com. admin.wupeng.com. 2017062802 86400 3600 604800 10800

wupeng.com. 86400 IN NS ns1.wupeng.com.

wupeng.com. 86400 IN NS ns2.wupeng.com.

dns.wupeng.com. 86400 IN A 10.208.131.224

ns3.music.wupeng.com. 86400 IN A 10.208.131.229

ns1.wupeng.com. 86400 IN A 10.208.131.222

ns2.wupeng.com. 86400 IN A 10.208.131.228

ns3.wupeng.com. 86400 IN NS ns3.music.wupeng.com.

www.wupeng.com. 86400 IN A 10.208.131.223

wupeng.com. 86400 IN SOA ns1.wupeng.com. admin.wupeng.com. 2017062802 86400 3600 604800 10800

;; Query time: 4 msec

;; SERVER: 10.208.131.222#53(10.208.131.222)

;; WHEN: Wed Jun 28 23:41:31 2017

;; XFR size: 10 records (messages 1, bytes 258)


Any host can pull a full copy of the zone data; normally that is not allowed, so we add the security settings next


In the main configuration file on nod1 define an acl that allows zone transfers only to the slave; it is defined outside (before) the options block

[[email protected] named]# vim /etc/named.conf
acl slaves {
        10.208.131.228;
};
[[email protected] named]# vim /etc/named.rfc1912.zones 
zone "wupeng.com" IN {
        type master;
        file "wupeng.com.zone";
        allow-transfer { slaves; };
        allow-update { none; };
};
zone "131.208.10.in-addr.arpa" IN {
        type master;
        file "10.208.131.zone";
        allow-transfer { slaves; };
        allow-update { none; };
};

Reload the service

[[email protected] named]# rndc reload

server reload successful


On nod2 configure the zone definitions so that transfers and updates are refused

zone "wupeng.com" IN {
        type slave;
        file "slaves/wupeng.com";
        masters { 10.208.131.222; };
        allow-transfer { none; };
        allow-update { none; };
};
zone "131.208.10.in-addr.arpa" IN {
        type slave;
        file "slaves/10.208.131.zone";
        masters { 10.208.131.222; };
        allow-transfer { none; };
        allow-update { none; };
};

Reload the service

[[email protected] slaves]# rndc reload

server reload successful


Test

[[email protected] named]# dig -t axfr wupeng.com @10.208.131.222


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> -t axfr wupeng.com @10.208.131.222

;; global options: +cmd

; Transfer failed.


[[email protected] named]# dig -t axfr wupeng.com @10.208.131.228


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> -t axfr wupeng.com @10.208.131.228

;; global options: +cmd

; Transfer failed.


This article comes from the blog “吴鹏的博客”; please keep this attribution: http://sedlock.blog.51cto.com/3030387/1942884
