Subdomain delegation and compiling BIND from source
Covered here: subdomain delegation, forward zones (a subdomain server resolving its parent domain), DNS security configuration (acl definitions, built-in ACLs, the acl-based security directives), smart DNS with view, CDN and global load balancing, compiling and installing BIND, and DNS stress testing.
1. Restore the snapshot
2. Caching server
3. Forward and reverse zone files
4. Master/slave synchronization
5. Subdomain delegation
6. Forward zones
7. Security configuration
8. Smart DNS with view
9. Compiling and installing BIND
10. Stress testing
Topology model (diagram)
1. Configure the NTP server <192.168.58.131>

1) Install ntp
    # yum -y -q install ntp
2) Configure ntp
    # cp -v /etc/ntp.conf{,.bak}
    Add to the file:
    restrict 192.168.58.0 mask 255.255.255.0 nomodify notrap
3) Start ntp
    # service ntpd start
2. Caching server <192.168.58.131>

1) Install the packages
    # yum -y -q install bind bind-utils bind-libs
2) Edit the configuration
    # cp -v /etc/named.conf{,.bak}
    # vim /etc/named.conf
    options {
        listen-on port 53 { 192.168.58.129; 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { any; };
        recursion yes;
        dnssec-enable no;
        dnssec-validation no;
        /* Path to ISC DLV key */
        /* bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic"; */
    };
3) Start the service
    # service named start
4) Check that the service is listening on port 53
    # ss -tunlp | grep 53
    udp UNCONN 0 0 192.168.58.131:53 *:* users:(("named",1784,513))
    udp UNCONN 0 0 127.0.0.1:53 *:* users:(("named",1784,512))
    udp UNCONN 0 0 ::1:53 :::* users:(("named",1784,514))
    tcp LISTEN 0 3 ::1:53 :::* users:(("named",1784,22))
    tcp LISTEN 0 3 192.168.58.131:53 *:* users:(("named",1784,21))
    tcp LISTEN 0 3 127.0.0.1:53 *:* users:(("named",1784,20))
    tcp LISTEN 0 128 ::1:953 :::* users:(("named",1784,24))
    tcp LISTEN 0 128 127.0.0.1:953 *:* users:(("named",1784,23))
3. Forward and reverse zone files

Forward zone

1) Configure /etc/named.rfc1912.zones
    # vim + /etc/named.rfc1912.zones
    zone "magedu.com" IN {
        type master;
        file "magedu.com.zone";
    };
2) Check the configuration syntax
    # named-checkconf
3) Add the zone file
    # vim /var/named/magedu.com.zone
    $TTL 1D
    $ORIGIN magedu.com.
    @ IN SOA @ lccnx.foxmail.com. ( 20170917 1H 10M 1W 1D )
        IN NS ns1
        IN NS ns2
        IN MX 10 mx1
        IN MX 20 mx2
    ns1 IN A 192.168.58.131
    ns2 IN A 192.168.58.129
    mx1 IN A 192.168.58.131
    mx2 IN A 192.168.58.129
    www IN A 192.168.58.131
    www IN A 192.168.58.129
    * IN A 192.168.58.131
    magedu.com. IN A 192.168.58.131
    ftp IN CNAME www
4) Permissions. The file was created by root with mode 644; named runs as user named, so give the file group named and mode 640: readable by named, not by everyone else on the host.
    # ls -l /var/named    // show owner and permissions of the files
    总用量 32
    drwxrwx--- 2 named named 4096 9月 17 18:49 data
    drwxrwx--- 2 named named 4096 9月 17 18:50 dynamic
    -rw-r--r-- 1 root root 358 9月 17 18:56 magedu.com.zone
    -rw-r----- 1 root named 3289 4月 11 23:01 named.ca
    -rw-r----- 1 root named 152 12月 15 2009 named.empty
    -rw-r----- 1 root named 152 6月 21 2007 named.localhost
    -rw-r----- 1 root named 168 12月 15 2009 named.loopback
    drwxrwx--- 2 named named 4096 7月 5 17:51 slaves
    # ps axu | fgrep named    // the process name is named
    named 1784 0.0 4.0 48040 10128 ? Ssl 18:49 0:00 /usr/sbin/named -u named
    root 1806 0.0 0.2 5752 648 pts/0 S+ 18:57 0:00 fgrep named
    # id named    // the named user belongs to group named
    uid=25(named) gid=25(named) 组=25(named)
    # chgrp named /var/named/magedu.com.zone
    # chmod 640 /var/named/magedu.com.zone
    # ls -l /var/named
    总用量 32
    drwxrwx--- 2 named named 4096 9月 17 18:49 data
    drwxrwx--- 2 named named 4096 9月 17 18:50 dynamic
    -rw-r----- 1 root named 358 9月 17 18:56 magedu.com.zone
    -rw-r----- 1 root named 3289 4月 11 23:01 named.ca
    -rw-r----- 1 root named 152 12月 15 2009 named.empty
    -rw-r----- 1 root named 152 6月 21 2007 named.localhost
    -rw-r----- 1 root named 168 12月 15 2009 named.loopback
    drwxrwx--- 2 named named 4096 7月 5 17:51 slaves
5) Check the zone file
    # named-checkzone "magedu.com" /var/named/magedu.com.zone
    zone magedu.com/IN: loaded serial 20170917
    OK
6) Reload the configuration
    # pgrep named
    1784
    # kill -HUP 1784
    # rndc status
    version: 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4
    CPUs found: 1
    worker threads: 1
    number of zones: 20
    debug level: 0
    xfers running: 0
    xfers deferred: 0
    soa queries in progress: 0
    query logging is OFF
    recursive clients: 0/0/1000
    tcp clients: 0/100
    server is up and running
7) Test resolution. The aa flag in the dig header shows the answer is authoritative.
    # dig -t A www.magedu.com @192.168.58.131

    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A www.magedu.com @192.168.58.131
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32246
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;www.magedu.com. IN A

    ;; ANSWER SECTION:
    www.magedu.com. 86400 IN A 192.168.58.129
    www.magedu.com. 86400 IN A 192.168.58.131

    ;; AUTHORITY SECTION:
    magedu.com. 86400 IN NS ns2.magedu.com.
    magedu.com. 86400 IN NS ns1.magedu.com.

    ;; ADDITIONAL SECTION:
    ns1.magedu.com. 86400 IN A 192.168.58.131
    ns2.magedu.com. 86400 IN A 192.168.58.129

    ;; Query time: 2 msec
    ;; SERVER: 192.168.58.131#53(192.168.58.131)
    ;; WHEN: Sun Sep 17 19:01:53 2017
    ;; MSG SIZE rcvd: 132

    # host -t A www.magedu.com 192.168.58.131
    Using domain server:
    Name: 192.168.58.131
    Address: 192.168.58.131#53
    Aliases:

    www.magedu.com has address 192.168.58.131
    www.magedu.com has address 192.168.58.129
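The permission step above (group named, mode 640, nothing world-readable) is easy to get wrong on a directory with many zone files. The following audit script is an added example and not part of the original post; it checks every zone file in a directory against those rules. It assumes files end in `.zone` and, because the demo cannot change a file's group without privileges, it uses the gid of a freshly created file as a stand-in for the gid of group named.

```python
"""Audit zone-file ownership and mode the way the chgrp/chmod step above expects.

Added example, not from the original post. Rule set: group must be the named group,
mode must be 0640 (owner rw, group r, others nothing). Anything world-readable or
group/world-writable is reported even if the rest matches.
"""
import os
import stat
import tempfile

EXPECTED_MODE = 0o640


def audit_zone_file(path, named_gid, expected_mode=EXPECTED_MODE):
    """Return a list of findings for one file; an empty list means it is fine."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if st.st_gid != named_gid:
        findings.append("group is not the named group (gid %d)" % st.st_gid)
    if mode & stat.S_IROTH:
        findings.append("world-readable (mode %o)" % mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others (mode %o)" % mode)
    if mode != expected_mode:
        findings.append("mode %o differs from expected %o" % (mode, expected_mode))
    return findings


def audit_directory(directory, named_gid, suffixes=(".zone",)):
    """Audit every zone file in a directory; returns {filename: findings}."""
    report = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith(suffixes):
            report[name] = audit_zone_file(os.path.join(directory, name), named_gid)
    return report


def demo():
    """Constructed sample: one file left at 644 (as freshly created in the post), one fixed to 640."""
    tmp = tempfile.mkdtemp()
    bad = os.path.join(tmp, "magedu.com.zone")
    good = os.path.join(tmp, "lcc.org.zone")
    for path in (bad, good):
        with open(path, "w") as fh:
            fh.write("$TTL 1D\n")
    os.chmod(bad, 0o644)
    os.chmod(good, 0o640)
    # assumption: the gid of the file we just created stands in for the gid of group named
    named_gid = os.stat(good).st_gid
    return audit_directory(tmp, named_gid)


if __name__ == "__main__":
    for filename, findings in demo().items():
        print(filename, findings or "ok")
```

On a real server, pass `grp.getgrnam("named").gr_gid` as `named_gid` and `/var/named` as the directory; the rules are the ones the post applies by hand.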
Reverse zone

    # pwd
    /var/named
    # cp -p magedu.com.zone lcc.org    // copy the forward file and turn it into the reverse zone file
    # ls -l
    总用量 36
    drwxrwx--- 2 named named 4096 9月 17 18:49 data
    drwxrwx--- 2 named named 4096 9月 17 18:50 dynamic
    -rw-r----- 1 root named 358 9月 17 18:56 lcc.org
    -rw-r----- 1 root named 358 9月 17 18:56 magedu.com.zone
    -rw-r----- 1 root named 3289 4月 11 23:01 named.ca
    -rw-r----- 1 root named 152 12月 15 2009 named.empty
    -rw-r----- 1 root named 152 6月 21 2007 named.localhost
    -rw-r----- 1 root named 168 12月 15 2009 named.loopback
    drwxrwx--- 2 named named 4096 7月 5 17:51 slaves
1) Add the zone definition
    # vim + /etc/named.rfc1912.zones
    zone "58.168.192.in-addr.arpa" IN {
        type master;
        file "lcc.org";    // path relative to the options directory
    };
2) Check the syntax
    # named-checkconf
3) Edit the reverse zone file
    # vim /var/named/lcc.org
    $TTL 1D
    $ORIGIN 58.168.192.in-addr.arpa.
    @ IN SOA @ lccnx.foxmail.com. ( 20170917 1H 10M 1W 1D )
        IN NS ns1.magedu.com.
        IN NS ns2.magedu.com.
    131 IN PTR ns1.magedu.com.
    129 IN PTR ns2.magedu.com.
    131 IN PTR mx1.magedu.com.
    129 IN PTR mx2.magedu.com.
    131 IN PTR www.magedu.com.
    129 IN PTR www.magedu.com.
4) Check the zone file
    # named-checkzone "58.168.192.in-addr.arpa" /var/named/lcc.org
    zone 58.168.192.in-addr.arpa/IN: loaded serial 20170917
    OK
5) Reload the configuration
    # rndc reload
    server reload successful
    # rndc status
    version: 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4
    CPUs found: 1
    worker threads: 1
    number of zones: 21    // one more zone than before
    debug level: 0
    xfers running: 0
    xfers deferred: 0
    soa queries in progress: 0
    query logging is OFF
    recursive clients: 0/0/1000
    tcp clients: 0/100
    server is up and running
6) Test
    # nslookup
    > server 192.168.58.131    // IP of the DNS server
    Default server: 192.168.58.131
    Address: 192.168.58.131#53
    > set q=PTR    // query type
    > 192.168.58.129    // the IP to resolve
    Server: 192.168.58.131
    Address: 192.168.58.131#53

    129.58.168.192.in-addr.arpa name = ns2.magedu.com.
    129.58.168.192.in-addr.arpa name = mx2.magedu.com.
    129.58.168.192.in-addr.arpa name = www.magedu.com.
    > 192.168.58.131
    Server: 192.168.58.131
    Address: 192.168.58.131#53

    131.58.168.192.in-addr.arpa name = www.magedu.com.
    131.58.168.192.in-addr.arpa name = ns1.magedu.com.
    131.58.168.192.in-addr.arpa name = mx1.magedu.com.
    > exit
    #
4. Master/slave synchronization <192.168.3.129>

1) First configure the host as a caching DNS server (section 2), with
    dnssec-enable no;
    dnssec-validation no;
   and synchronize its clock with the master:
    # ntpdate 192.168.58.131

Forward zone slave

2) Configure /etc/named.rfc1912.zones
    # vim + /etc/named.rfc1912.zones
    zone "magedu.com" IN {
        type slave;
        masters { 192.168.58.131; };
        file "slaves/magedu.com.zone";
    };
3) Check the syntax
    # named-checkconf
4) Reload
    # rndc reload
    server reload successful
5) Watch the log
    # tail -f /var/log/messages
    Sep 9 19:43:45 localhost named[26184]: reloading zones succeeded
    Sep 9 19:43:45 localhost named[26184]: zone magedu.com/IN: Transfer started.
    Sep 9 19:43:45 localhost named[26184]: transfer of 'magedu.com/IN' from 192.168.58.131#53: connected using 192.168.58.129#37616
    Sep 9 19:43:45 localhost named[26184]: zone magedu.com/IN: transferred serial 20170917
    Sep 9 19:43:45 localhost named[26184]: transfer of 'magedu.com/IN' from 192.168.58.131#53: Transfer completed: 1 messages, 15 records, 342 bytes, 0.005 secs (68400 bytes/sec)
    Sep 9 19:43:45 localhost named[26184]: zone magedu.com/IN: sending notifies (serial 20170917)
6) Check the transferred file

Reverse zone slave

7) Configure /etc/named.rfc1912.zones
    # vim + /etc/named.rfc1912.zones
    zone "58.168.192.in-addr.arpa" IN {
        type slave;
        masters { 192.168.58.131; };
        file "slaves/lcc.org";
    };
8) Check the syntax
    # named-checkconf
9) Reload
    # rndc reload
    server reload successful
10) Watch the log
    # tail -f /var/log/messages
    Sep 9 19:46:40 localhost named[26184]: reloading zones succeeded
    Sep 9 19:46:40 localhost named[26184]: zone 58.168.192.in-addr.arpa/IN: Transfer started.
    Sep 9 19:46:40 localhost named[26184]: transfer of '58.168.192.in-addr.arpa/IN' from 192.168.58.131#53: connected using 192.168.58.129#42508
    Sep 9 19:46:40 localhost named[26184]: zone 58.168.192.in-addr.arpa/IN: transferred serial 20170917
    Sep 9 19:46:40 localhost named[26184]: transfer of '58.168.192.in-addr.arpa/IN' from 192.168.58.131#53: Transfer completed: 1 messages, 10 records, 277 bytes, 0.005 secs (55400 bytes/sec)
    Sep 9 19:46:40 localhost named[26184]: zone 58.168.192.in-addr.arpa/IN: sending notifies (serial 20170917)
11) Check the files
    # ls /var/named/slaves/
    lcc.org magedu.com.zone
12) On the master, bump the serial and add a resource record. The slave only transfers when the master's serial is newer, so a change without a serial bump never propagates.
    $TTL 1D
    $ORIGIN 58.168.192.in-addr.arpa.
    @ IN SOA @ lccnx.foxmail.com. ( 20170918    // bump the serial
        1H 10M 1W 1D )
        IN NS ns1.magedu.com.
        IN NS ns2.magedu.com.
    131 IN PTR ns1.magedu.com.
    129 IN PTR ns2.magedu.com.
    131 IN PTR mx1.magedu.com.
    129 IN PTR mx2.magedu.com.
    131 IN PTR www.magedu.com.
    129 IN PTR www.magedu.com.
    129 IN PTR ftp.magedu.com.    // add one RR
    # rndc reload
13) Check the result on the slave <192.168.58.129> (the zone as BIND wrote it to slaves/lcc.org)
    $ORIGIN .
    $TTL 86400 ; 1 day
    58.168.192.in-addr.arpa IN SOA 58.168.192.in-addr.arpa. lccnx.foxmail.com. (
                20170918 ; serial
                3600 ; refresh (1 hour)
                600 ; retry (10 minutes)
                604800 ; expire (1 week)
                86400 ; minimum (1 day)
                )
            NS ns1.magedu.com.
            NS ns2.magedu.com.
    $ORIGIN 58.168.192.in-addr.arpa.
    129 PTR ns2.magedu.com.
        PTR mx2.magedu.com.
        PTR www.magedu.com.
        PTR ftp.magedu.com.
    131 PTR ns1.magedu.com.
        PTR mx1.magedu.com.
        PTR www.magedu.com.
14) Edit the master <192.168.58.131>
    # vim magedu.com.zone
    $TTL 1D
    $ORIGIN magedu.com.
    @ IN SOA @ lccnx.foxmail.com. ( 20170918    // serial + 1
        1H 10M 1W 1D )
        IN NS ns1
        IN NS ns2
        IN MX 10 mx1
        IN MX 20 mx2
    ns1 IN A 192.168.58.131
    ns2 IN A 192.168.58.129
    mx1 IN A 192.168.58.131
    mx2 IN A 192.168.58.129
    www IN A 192.168.58.131
    www IN A 192.168.58.129
    * IN A 192.168.58.131
    magedu.com. IN A 192.168.58.131
    ftp IN CNAME www
    pop3 IN CNAME www    // add a pop3 RR
15) Check the zone file
    # named-checkzone "magedu.com" magedu.com.zone
    zone magedu.com/IN: loaded serial 20170918
    OK
16) Reload
    # rndc reload
    server reload successful
17) Check on the slave
    $ORIGIN .
    $TTL 86400 ; 1 day
    magedu.com IN SOA magedu.com. lccnx.foxmail.com. (
                20170918 ; serial    // bumped by one
                3600 ; refresh (1 hour)
                600 ; retry (10 minutes)
                604800 ; expire (1 week)
                86400 ; minimum (1 day)
                )
            NS ns1.magedu.com.
            NS ns2.magedu.com.
            A 192.168.58.131
            MX 10 mx1.magedu.com.
            MX 20 mx2.magedu.com.
    $ORIGIN magedu.com.
    * A 192.168.58.131
    ftp CNAME www
    mx1 A 192.168.58.131
    mx2 A 192.168.58.129
    ns1 A 192.168.58.131
    ns2 A 192.168.58.129
    pop3 CNAME www    // the pop3 record has been synchronized
    www A 192.168.58.131
        A 192.168.58.129
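Steps 12 to 17 hinge on the SOA serial: a slave only transfers when the master's serial is newer, and "newer" is decided with 32-bit serial arithmetic (RFC 1982), not plain integer comparison. The script below is an added example, not code from the post; it extracts the serial from a zone file in the post's format, decides whether a slave holding a given serial must transfer, and produces the next YYYYMMDD-style serial without ever stepping backwards. `MASTER_ZONE` is a constructed copy of the post's master zone.

```python
"""SOA serial checks behind master/slave zone transfer.

Added example, not from the original post. Only the standard library is used; the
regex assumes the serial is the first number inside the SOA parentheses, which is the
layout of every zone file in the post.
"""
import re

SERIAL_BITS = 32
HALF = 1 << (SERIAL_BITS - 1)
SOA_RE = re.compile(r"\bSOA\b[^(]*\(\s*(\d+)")

# constructed sample in the post's layout (master copy after the bump to 20170918)
MASTER_ZONE = """$TTL 1D
$ORIGIN magedu.com.
@ IN SOA @ lccnx.foxmail.com. ( 20170918 1H 10M 1W 1D )
    IN NS ns1
ns1 IN A 192.168.58.131
www IN A 192.168.58.131
"""


def soa_serial(zone_text):
    """Return the SOA serial of a zone file as an int."""
    match = SOA_RE.search(zone_text)
    if not match:
        raise ValueError("no SOA record found")
    return int(match.group(1))


def serial_newer(candidate, current):
    """RFC 1982: candidate is newer if it is ahead of current by less than 2^31 (mod 2^32)."""
    if candidate == current:
        return False
    diff = (candidate - current) % (1 << SERIAL_BITS)
    return 0 < diff < HALF


def slave_needs_transfer(master_zone_text, slave_serial):
    """What the slave decides at refresh time: transfer only if the master's serial is newer."""
    return serial_newer(soa_serial(master_zone_text), slave_serial)


def next_serial(current, today):
    """Next serial in the post's YYYYMMDD style: today's date if it is newer, else current + 1."""
    candidate = today if serial_newer(today, current) else current + 1
    return candidate & 0xFFFFFFFF


if __name__ == "__main__":
    print("master serial:", soa_serial(MASTER_ZONE))
    print("slave at 20170917 transfers:", slave_needs_transfer(MASTER_ZONE, 20170917))
    print("slave at 20170918 transfers:", slave_needs_transfer(MASTER_ZONE, 20170918))
    print("next serial on 20170918:", next_serial(20170918, 20170918))
```

The `next_serial` helper is the check to run before `rndc reload` on the master: it guarantees the new serial compares as newer on every slave, which is what makes steps 13 and 17 show the new records.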
5. Subdomain delegation <192.168.58.130>

1) Delegate the subdomain in the parent (master) DNS. The two NS records hand ops.magedu.com to the child servers; the A records for ns1.ops and ns2.ops are the glue that lets a resolver reach them.
    # vim magedu.com.zone
    $TTL 1D
    $ORIGIN magedu.com.
    @ IN SOA @ lccnx.foxmail.com. ( 20170918 1H 10M 1W 1D )
        IN NS ns1
        IN NS ns2
        IN MX 10 mx1
        IN MX 20 mx2
    ns1 IN A 192.168.58.131
    ns2 IN A 192.168.58.129
    mx1 IN A 192.168.58.131
    mx2 IN A 192.168.58.129
    www IN A 192.168.58.131
    www IN A 192.168.58.129
    * IN A 192.168.58.131
    magedu.com. IN A 192.168.58.131
    ftp IN CNAME www
    pop3 IN CNAME www
    ops IN NS ns1.ops.magedu.com.
    ops IN NS ns2.ops.magedu.com.
    ns1.ops IN A 192.168.58.130
    ns2.ops IN A 192.168.58.139
2) Configure the child server on another host
    (1) Set up a caching DNS server
        # yum -q -y install bind bind-libs bind-utils
    (2) Edit /etc/named.conf
        # cp -v /etc/named.conf{,.bak}
    (3) Start:
        # service named start
    (4) Check:
        # ss -tunlp | fgrep 53
    (5) Configure /etc/named.rfc1912.zones
        zone "ops.magedu.com" IN {
            type master;
            file "ops.magedu.com.zone";
        };
    (6) Check:
        # named-checkconf
    (7) Zone file:
        $TTL 1D
        $ORIGIN ops.magedu.com.
        @ IN SOA @ lccnx.foxmail.com. ( 20170917 1H 10M 1W 1D )
            IN NS ns1
            IN NS ns2
        ns1 IN A 192.168.58.130
        ns2 IN A 192.168.58.139
        www IN A 192.168.58.130
        www IN A 192.168.58.139
    (8) Permissions
        # chmod 640 ops.magedu.com.zone
        # chown :named ops.magedu.com.zone
    (9) Check
        # named-checkzone "ops.magedu.com" ops.magedu.com.zone
        zone ops.magedu.com/IN: loaded serial 20170917
        OK
    (10) Reload
        # rndc reload
    (11) Test
        # dig -t A www.ops.magedu.com @192.168.58.130

        ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A www.ops.magedu.com @192.168.58.130
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33988
        ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

        ;; QUESTION SECTION:
        ;www.ops.magedu.com. IN A

        ;; ANSWER SECTION:
        www.ops.magedu.com. 86400 IN A 192.168.58.139
        www.ops.magedu.com. 86400 IN A 192.168.58.130

        ;; AUTHORITY SECTION:
        ops.magedu.com. 86400 IN NS ns2.ops.magedu.com.
        ops.magedu.com. 86400 IN NS ns1.ops.magedu.com.

        ;; ADDITIONAL SECTION:
        ns1.ops.magedu.com. 86400 IN A 192.168.58.130
        ns2.ops.magedu.com. 86400 IN A 192.168.58.139

        ;; Query time: 1 msec
        ;; SERVER: 192.168.58.130#53(192.168.58.130)
        ;; WHEN: Sun Sep 17 22:10:00 2017
        ;; MSG SIZE rcvd: 136

Testing across the delegation

1) The parent resolves the subdomain <192.168.58.131>. Note the flags: no aa, because the parent followed its own delegation and got the answer from the child.
    # dig -t A www.ops.magedu.com @192.168.58.131

    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A www.ops.magedu.com @192.168.58.131
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15973
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;www.ops.magedu.com. IN A

    ;; ANSWER SECTION:
    www.ops.magedu.com. 86400 IN A 192.168.58.130
    www.ops.magedu.com. 86400 IN A 192.168.58.139

    ;; AUTHORITY SECTION:
    ops.magedu.com. 86400 IN NS ns2.ops.magedu.com.
    ops.magedu.com. 86400 IN NS ns1.ops.magedu.com.

    ;; ADDITIONAL SECTION:
    ns1.ops.magedu.com. 86400 IN A 192.168.58.130
    ns2.ops.magedu.com. 86400 IN A 192.168.58.139

    ;; Query time: 15 msec
    ;; SERVER: 192.168.58.131#53(192.168.58.131)
    ;; WHEN: Sun Sep 17 22:12:10 2017
    ;; MSG SIZE rcvd: 136
2) The subdomain server resolves the parent. The child knows nothing about magedu.com, so it recurses from the root hints and returns the public magedu.com answer from alidns rather than the lab's 192.168.58.x records. The forward zone in the next section fixes this.
    # dig -t A www.magedu.com @192.168.58.130

    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A www.magedu.com @192.168.58.130
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 562
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 16

    ;; QUESTION SECTION:
    ;www.magedu.com. IN A

    ;; ANSWER SECTION:
    www.magedu.com. 477 IN A 101.200.188.230

    ;; AUTHORITY SECTION:
    magedu.com. 172677 IN NS ns1.alidns.com.
    magedu.com. 172677 IN NS ns2.alidns.com.

    ;; ADDITIONAL SECTION:
    ns1.alidns.com. 172677 IN A 106.11.141.121
    ns1.alidns.com. 172677 IN A 106.11.211.51
    ns1.alidns.com. 172677 IN A 106.11.211.61
    ns1.alidns.com. 172677 IN A 140.205.41.11
    ns1.alidns.com. 172677 IN A 140.205.41.21
    ns1.alidns.com. 172677 IN A 140.205.81.11
    ns1.alidns.com. 172677 IN A 140.205.81.21
    ns1.alidns.com. 172677 IN A 106.11.141.111
    ns2.alidns.com. 172677 IN A 106.11.211.52
    ns2.alidns.com. 172677 IN A 106.11.211.62
    ns2.alidns.com. 172677 IN A 140.205.41.12
    ns2.alidns.com. 172677 IN A 140.205.41.22
    ns2.alidns.com. 172677 IN A 140.205.81.12
    ns2.alidns.com. 172677 IN A 140.205.81.22
    ns2.alidns.com. 172677 IN A 106.11.141.112
    ns2.alidns.com. 172677 IN A 106.11.141.122

    ;; Query time: 1 msec
    ;; SERVER: 192.168.58.130#53(192.168.58.130)
    ;; WHEN: Sun Sep 17 22:12:59 2017
    ;; MSG SIZE rcvd: 347
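A delegation breaks silently when the parent's NS records for the child do not match the child's own apex NS set, or when an in-zone name server has no glue A record in the parent. The following checker is an added example, not code from the post: a small zone-file parser for the record types used on this page, plus a report that compares the parent's delegation with the child's apex. `PARENT_ZONE` and `CHILD_ZONE` are constructed copies of the two zone files above; `PARENT_ZONE_NO_GLUE` is the same parent with one glue record deliberately removed.

```python
"""Check a subdomain delegation: parent NS set vs child apex NS set, and glue presence.

Added example, not from the original post. The parser handles $ORIGIN, $TTL, '@',
relative names, an omitted owner (continuation lines start with whitespace), an
optional IN class/TTL, a one-line parenthesised SOA and ';' comments.
"""

TYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "MX", "PTR", "TXT"}

# constructed copies of the post's parent and child zone files
PARENT_ZONE = """$TTL 1D
$ORIGIN magedu.com.
@ IN SOA @ lccnx.foxmail.com. ( 20170918 1H 10M 1W 1D )
    IN NS ns1
    IN NS ns2
ns1 IN A 192.168.58.131
ns2 IN A 192.168.58.129
www IN A 192.168.58.131
ftp IN CNAME www
ops IN NS ns1.ops.magedu.com.
ops IN NS ns2.ops.magedu.com.
ns1.ops IN A 192.168.58.130
ns2.ops IN A 192.168.58.139
"""
CHILD_ZONE = """$TTL 1D
$ORIGIN ops.magedu.com.
@ IN SOA @ lccnx.foxmail.com. ( 20170917 1H 10M 1W 1D )
    IN NS ns1
    IN NS ns2
ns1 IN A 192.168.58.130
ns2 IN A 192.168.58.139
www IN A 192.168.58.130
www IN A 192.168.58.139
"""
# same parent with the glue for ns2.ops removed (a common mistake)
PARENT_ZONE_NO_GLUE = PARENT_ZONE.replace("ns2.ops IN A 192.168.58.139\n", "")


def absolute(name, origin):
    """Turn a zone-file name into an absolute, dot-terminated name."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin


def parse_zone(text, origin=None):
    """Return a list of (owner, type, rdata) with absolute owner and target names."""
    records, last_owner = [], None
    for raw in text.splitlines():
        line = raw.split(";")[0].rstrip()
        if not line.strip():
            continue
        stripped = line.lstrip()
        if stripped.startswith("$ORIGIN"):
            origin = stripped.split()[1]
            continue
        if stripped.startswith("$TTL"):
            continue
        tokens = line.replace("(", " ").replace(")", " ").split()
        owner = last_owner if raw[0].isspace() else tokens.pop(0)
        if owner is None:
            raise ValueError("record without owner: %r" % raw)
        try:
            idx = next(i for i, t in enumerate(tokens) if t in TYPES)
        except StopIteration:
            raise ValueError("unknown record type: %r" % raw)
        rtype, rdata = tokens[idx], tokens[idx + 1:]
        if rtype in ("NS", "CNAME", "PTR"):
            rdata = [absolute(rdata[0], origin)]
        elif rtype == "MX":
            rdata = [rdata[0], absolute(rdata[1], origin)]
        records.append((absolute(owner, origin), rtype, rdata))
        last_owner = owner
    return records


def delegation_report(parent_text, parent_origin, child_text, child_origin):
    """Compare the parent's delegation of child_origin with the child's own apex NS set."""
    parent = parse_zone(parent_text, parent_origin)
    child = parse_zone(child_text, child_origin)
    delegated = {r[2][0] for r in parent if r[0] == child_origin and r[1] == "NS"}
    apex = {r[2][0] for r in child if r[0] == child_origin and r[1] == "NS"}
    parent_a = {r[0] for r in parent if r[1] == "A"}
    # glue is needed only for name servers whose names live inside the delegated zone
    missing_glue = sorted(ns for ns in delegated
                          if ns.endswith("." + child_origin) and ns not in parent_a)
    return {
        "delegated": sorted(delegated),
        "child_apex": sorted(apex),
        "not_in_child": sorted(delegated - apex),
        "not_in_parent": sorted(apex - delegated),
        "missing_glue": missing_glue,
        "consistent": bool(delegated) and delegated == apex and not missing_glue,
    }


if __name__ == "__main__":
    print(delegation_report(PARENT_ZONE, "magedu.com.", CHILD_ZONE, "ops.magedu.com."))
    print(delegation_report(PARENT_ZONE_NO_GLUE, "magedu.com.", CHILD_ZONE, "ops.magedu.com."))
```

Run it against the real files (`/var/named/magedu.com.zone` on the parent, `ops.magedu.com.zone` on the child) before `rndc reload`; a non-empty `not_in_child` or `missing_glue` is what the parent's dig in test 1 above would otherwise turn into a SERVFAIL.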
6. Forward zones <192.168.1.130>

1) Forward everything. With forward first the server asks the forwarder first and only recurses itself if the forwarder does not answer.
    # vim /etc/named.conf
    options {
        listen-on port 53 { 192.168.58.0/24; 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { any; };
        recursion yes;
        forward first;
        forwarders { 192.168.58.131; };
        dnssec-enable no;
        dnssec-validation no;
        /* Path to ISC DLV key */
        // bindkeys-file "/etc/named.iscdlv.key";
        // managed-keys-directory "/var/named/dynamic";
    };
    # named-checkconf
    # rndc reload
    # dig -t A www.magedu.com @192.168.58.130

    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A www.magedu.com @192.168.58.130
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15274
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;www.magedu.com. IN A

    ;; ANSWER SECTION:
    www.magedu.com. 86400 IN A 192.168.58.129
    www.magedu.com. 86400 IN A 192.168.58.131

    ;; AUTHORITY SECTION:
    magedu.com. 86400 IN NS ns2.magedu.com.
    magedu.com. 86400 IN NS ns1.magedu.com.

    ;; ADDITIONAL SECTION:
    ns2.magedu.com. 86400 IN A 192.168.58.129
    ns1.magedu.com. 86400 IN A 192.168.58.131

    ;; Query time: 6 msec
    ;; SERVER: 192.168.58.130#53(192.168.58.130)
    ;; WHEN: Sun Sep 17 22:21:14 2017
    ;; MSG SIZE rcvd: 132
2) Forward a single zone
    # vim /etc/named.rfc1912.zones
    zone "magedu.com" IN {
        type forward;
        forward first;
        forwarders { 192.168.58.129; };
    };
    # named-checkconf
    # rndc reload
   Verify on the slave <192.168.58.129>: first bump the serial on the master and rndc reload; once the slave has synced, turn on query logging on the slave and watch the forwarded query arrive from 192.168.58.130:
    # rndc querylog
    Sep 17 22:24:13 localhost named[26184]: query logging is now on
    Sep 17 22:24:31 localhost named[26184]: client 192.168.58.130#30952: query: www.magedu.com IN A +EDC (192.168.58.129)
   Then query again from the forwarding server:
    # dig -t A www.magedu.com @192.168.58.130

    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A www.magedu.com @192.168.58.130
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62811
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;www.magedu.com. IN A

    ;; ANSWER SECTION:
    www.magedu.com. 86400 IN A 192.168.58.129
    www.magedu.com. 86400 IN A 192.168.58.131

    ;; AUTHORITY SECTION:
    magedu.com. 86400 IN NS ns2.magedu.com.
    magedu.com. 86400 IN NS ns1.magedu.com.

    ;; ADDITIONAL SECTION:
    ns2.magedu.com. 86400 IN A 192.168.58.129
    ns1.magedu.com. 86400 IN A 192.168.58.131

    ;; Query time: 9 msec
    ;; SERVER: 192.168.58.130#53(192.168.58.130)
    ;; WHEN: Sun Sep 17 22:24:41 2017
    ;; MSG SIZE rcvd: 132
7. Security configuration

1) Queries
    allow-query { any; };
2) Zone transfers: the master allows only the slave, every other server allows nobody (otherwise anyone can pull the whole zone with AXFR)
    allow-transfer { 192.168.58.129; };
    allow-transfer { none; };
   Or with an acl, defined above the options block:
    acl slaves {
        192.168.58.129;
    };
   and in the zone:
    allow-transfer { slaves; };
3) Recursion: recurse only for internal hosts, so the server cannot be used as an open resolver
    acl mynet {    // defined above the options block
        192.168.58.0/24;
        127.0.0.1;
    };
    options {
        allow-recursion { mynet; };
    };
4) Dynamic updates: allow only the DHCP server, normally nobody
    allow-update { none; };    // in the zone
Model (diagram)
8. Smart DNS with view

1) Set up the lab environment <restore the snapshot>
    (1) Without SNAT and with net.ipv4.ip_forward off, ping a host in the 192.168.1 network from a host in the 172.16 network
    (2) Turn on net.ipv4.ip_forward and ping the 192.168.1 host again from the 172.16 host
2) Configure DNS on the 172.16.128.1 host
    (1) Mount the CD
        # [ -d /media/cdrom ] || install -d /media/cdrom
        # mount -r /dev/cdrom /media/cdrom
    (2) Configure the yum repository
        # rm -rf /etc/yum.repos.d/*
        # vim /etc/yum.repos.d/CentOS-Base.repo
        [Base]
        name=Base repo for CentOS 6.9
        failovermethod=priority
        baseurl=file:///media/cdrom
        gpgcheck=1
        gpgkey=file:///media/cdrom/RPM-GPG-KEY-CentOS-6
        enabled=1
    (3) Rebuild the cache
        # yum makecache
    (4) Caching server
        # yum install bind bind-utils bind-libs
        # cp -v /etc/ntp.conf{,.bak}
        # vim /etc/ntp.conf
        # service ntpd start
        # cp -v /etc/named.conf{,.bak}
        # vim /etc/named.conf
        # named-checkconf
        # service named start
        # ss -tunlp | fgrep 53
    (5) Prepare for views. Once views are used, every zone must live inside a view, so all zones go into one file:
        a. remove the root zone from /etc/named.conf
        b. add the root zone to /etc/named.rfc1912.zones, and only inside the view whose matched clients are allowed to recurse
        c. check the syntax afterwards: # named-checkconf
    (6) Add the forward zone
        a. configuration
            zone "magedu.com" IN {
                type master;
                file "magedu.com.zone";
                allow-update { none; };
                allow-transfer { 127.0.0.1; };
            };
        b. zone file
            # vim /var/named/magedu.com.zone
            $TTL 1D
            $ORIGIN magedu.com.
            @ IN SOA @ lccnx.foxmail.com. ( 20170918 1H 10M 1W 1D )
                IN NS ns1.magedu.com.
            ns1 IN A 172.16.128.1
            www IN A 172.16.100.13
        c. permissions
            # chmod 640 /var/named/magedu.com.zone
            # chown :named /var/named/magedu.com.zone
        d. reload the configuration
            # rndc reload
        e. test
            # dig -t A www.magedu.com @172.16.128.1

            ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> -t A www.magedu.com @172.16.128.1
            ;; global options: +cmd
            ;; Got answer:
            ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12511
            ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

            ;; QUESTION SECTION:
            ;www.magedu.com. IN A

            ;; ANSWER SECTION:
            www.magedu.com. 86400 IN A 172.16.100.13

            ;; AUTHORITY SECTION:
            magedu.com. 86400 IN NS ns1.magedu.com.

            ;; ADDITIONAL SECTION:
            ns1.magedu.com. 86400 IN A 172.16.128.1

            ;; Query time: 4 msec
            ;; SERVER: 172.16.128.1#53(172.16.128.1)
            ;; WHEN: Sun Sep 17 19:27:22 2017
            ;; MSG SIZE rcvd: 82

            # nslookup
            > server 172.16.128.1
            Default server: 172.16.128.1
            Address: 172.16.128.1#53
            > set q=A
            > www.magedu.com
            Server: 172.16.128.1
            Address: 172.16.128.1#53

            Name: www.magedu.com
            Address: 172.16.100.13
            > exit
3) Add the views: clients from 172.16 get the internal address, clients from 192.168.3 and everywhere else get the external address. Views are matched in order and the first match wins, so the narrow internal view must come before the catch-all external view.

Internal view (172.16 resolves to the internal address)
    # vim /etc/named.conf
    acl mynet {
        172.16.0.0/16;
        127.0.0.1;
    };
    options {
        ...    // unchanged, but no zone may remain outside a view
    };
    # vim /etc/named.rfc1912.zones
    view internal {
        match-clients { mynet; };
        recursion yes;
        zone "." IN {
            type hint;
            file "named.ca";
        };
        zone "localhost.localdomain" IN {
            type master;
            file "named.localhost";
            allow-update { none; };
        };
        zone "localhost" IN {
            type master;
            file "named.localhost";
            allow-update { none; };
        };
        zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
            type master;
            file "named.loopback";
            allow-update { none; };
        };
        zone "1.0.0.127.in-addr.arpa" IN {
            type master;
            file "named.loopback";
            allow-update { none; };
        };
        zone "0.in-addr.arpa" IN {
            type master;
            file "named.empty";
            allow-update { none; };
        };
        zone "magedu.com" IN {
            type master;
            file "magedu.com.zone";
            allow-update { none; };
            allow-transfer { 127.0.0.1; };
        };
    };
    # named-checkconf
    # rndc reload
    # dig -t A www.magedu.com @172.16.128.1

    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> -t A www.magedu.com @172.16.128.1
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64602
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

    ;; QUESTION SECTION:
    ;www.magedu.com. IN A

    ;; ANSWER SECTION:
    www.magedu.com. 86400 IN A 172.16.100.13

    ;; AUTHORITY SECTION:
    magedu.com. 86400 IN NS ns1.magedu.com.

    ;; ADDITIONAL SECTION:
    ns1.magedu.com. 86400 IN A 172.16.128.1

    ;; Query time: 2 msec
    ;; SERVER: 172.16.128.1#53(172.16.128.1)
    ;; WHEN: Sun Sep 17 19:34:33 2017
    ;; MSG SIZE rcvd: 82

External view (192.168.3 and everyone else resolve to the external address; no recursion for outsiders)
    # vim /etc/named.rfc1912.zones
    view external {
        match-clients { any; };
        recursion no;
        zone "magedu.com" IN {
            type master;
            file "magedu.com.external";
            allow-update { none; };
            allow-transfer { 127.0.0.1; };
        };
    };
    # named-checkconf
    # rndc reload
    server reload successful
    # cp -p /var/named/magedu.com.zone /var/named/magedu.com.external    // -p keeps owner and mode
    # vim /var/named/magedu.com.external
    $TTL 1D
    $ORIGIN magedu.com.
    @ IN SOA @ lccnx.foxmail.com. ( 20170918 1H 10M 1W 1D )
        IN NS ns1.magedu.com.
    ns1 IN A 172.16.128.1
    www IN A 2.2.2.2
   Check
    # named-checkzone "magedu.com" magedu.com.external
    zone magedu.com/IN: loaded serial 20170918
    OK
   Reload
    # rndc reload
   Test from host 3.3 in the 192.168.3 network
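The ACL directives of section 7 (allow-transfer, allow-recursion) and the match-clients lists of the views above are all evaluated the same way: elements are tried in order, the first match decides, a leading `!` negates an element, and a bare name refers to a named acl or to the built-ins any, none and localhost. The model below is an added example, not BIND's code or the post's; it reproduces that evaluation in Python and then applies the post's own acls and the two views to sample clients. The per-view answer data for www.magedu.com is a constructed stand-in for the two zone files.

```python
"""Model of BIND address match lists, view selection and per-zone transfer checks.

Added example, not from the original post. Nested lists are evaluated recursively; a
negated element that matches makes its list fail to match, and evaluation of the
outer list then moves on to the next element.
"""
import ipaddress

BUILTIN_ACLS = {
    "any": ["0.0.0.0/0", "::/0"],
    "none": [],
    "localhost": ["127.0.0.1", "::1"],
}

# the named acls from sections 7 and 8 of the post
ACLS = {
    "slaves": ["192.168.58.129"],
    "mynet": ["172.16.0.0/16", "127.0.0.1"],
}

# the two views from section 8; order matters, the first matching view wins
VIEWS = [
    {"name": "internal", "match-clients": ["mynet"], "recursion": True,
     "zones": {"magedu.com": {"allow-transfer": ["127.0.0.1"],
                              "records": {"www.magedu.com": "172.16.100.13"}}}},
    {"name": "external", "match-clients": ["any"], "recursion": False,
     "zones": {"magedu.com": {"allow-transfer": ["127.0.0.1"],
                              "records": {"www.magedu.com": "2.2.2.2"}}}},
]


def acl_match(client, match_list, acls=ACLS):
    """First-match evaluation of an address match list for one client address."""
    ip = ipaddress.ip_address(client)
    for element in match_list:
        negate = element.startswith("!")
        name = element[1:].strip() if negate else element
        if name in BUILTIN_ACLS:
            hit = acl_match(client, BUILTIN_ACLS[name], acls)
        elif name in acls:
            hit = acl_match(client, acls[name], acls)
        else:
            net = ipaddress.ip_network(name, strict=False)
            hit = ip.version == net.version and ip in net
        if hit:
            return not negate
    return False


def select_view(client, views=VIEWS, acls=ACLS):
    """BIND hands the query to the first view whose match-clients list matches."""
    for view in views:
        if acl_match(client, view["match-clients"], acls):
            return view
    return None


def answer(client, qname, views=VIEWS, acls=ACLS):
    """Return (view name, address) for an A query, or None when no view matches."""
    view = select_view(client, views, acls)
    if view is None:
        return None
    zone = qname.split(".", 1)[1]  # "www.magedu.com" -> "magedu.com"
    records = view["zones"].get(zone, {}).get("records", {})
    return view["name"], records.get(qname)


def transfer_allowed(client, zone, views=VIEWS, acls=ACLS):
    """AXFR permission: the view the client lands in, then that zone's allow-transfer list."""
    view = select_view(client, views, acls)
    if view is None or zone not in view["zones"]:
        return False
    return acl_match(client, view["zones"][zone]["allow-transfer"], acls)


if __name__ == "__main__":
    for client in ("172.16.100.50", "192.168.3.3", "127.0.0.1"):
        print(client, answer(client, "www.magedu.com"), "axfr:", transfer_allowed(client, "magedu.com"))
    print("slave may transfer (section 7):", acl_match("192.168.58.129", ["slaves"]))
```

The last line reproduces section 7's `allow-transfer { slaves; };` on its own; the view calls show why a client in 192.168.3 gets 2.2.2.2 while the same name resolves to 172.16.100.13 from inside, and why a transfer from anywhere except 127.0.0.1 is refused in both views.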
9. Compiling and installing BIND

1) Restore the snapshot
2) Download the BIND C source
    # wget -c -nc https://www.isc.org/downloads/file/bind-9-10-6/
3) Unpack and compile
4) Post-compile setup
5) Configuration file
6) Zone files
7) rndc file
8) Prepare a service script

3) Unpack and compile
    # tar xf bind-9.10.6.tar.gz
    # cd bind-9.10.6
    # yum groupinstall "Development Tools" "Server Platform Development"
    # groupadd -r -g 53 named
    # useradd -r -g 53 -u 53 named
    # ./configure --prefix=/usr/local/bind9 --sysconfdir=/etc/named/ --disable-ipv6 --disable-chroot --enable-threads
        --disable-chroot: chroot is inconvenient to work with
        --prefix=: keeps everything under one directory, easy to remove
        --enable-threads: makes use of multiple CPU cores
    # make -j 4 && make install
4) Post-compile setup
   Export PATH
    # ls /usr/local/bind9/
    bin include lib sbin share var
    # vim /etc/profile.d/named.sh
    declare -x PATH=/usr/local/bind9/bin:/usr/local/bind9/sbin:$PATH
    # . /etc/profile.d/named.sh
   Libraries
    # vim /etc/ld.so.conf.d/named.conf
    /usr/local/bind9/lib
    # ldconfig -v
   Header files
    # ln -sv /usr/local/bind9/include /usr/include/named
   Man pages
    # vim /etc/man.config
    MANPATH /usr/man
    MANPATH /usr/share/man
    MANPATH /usr/local/man
    MANPATH /usr/local/share/man
    MANPATH /usr/X11R6/man
    MANPATH /usr/local/bind9/share/man
5) Configuration file
    # vim /etc/named/named.conf
    options {
        directory "/var/named";
        allow-query { any; };
        allow-recursion { any; };
    };
    zone "." IN {
        type hint;
        file "named.ca";
    };
    zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { any; };
    };
    zone "0.0.127.in-addr.arpa" {
        type master;
        file "named.loopback";
        allow-update { any; };
    };
   This is a bare lab configuration: allow-recursion { any; } makes the server an open resolver and allow-update { any; } lets any client rewrite these zones. Section 7 above gives the restricted values to use on anything reachable from outside.
6) Zone files
    # install -d /var/named
    # vim /var/named/named.localhost
    $TTL 1D
    $ORIGIN localhost.
    @ IN SOA @ lccnx.foxmail.com. ( 20170918 1H 10M 1W 1D )
        IN NS localhost.
        IN A 127.0.0.1
    # vim /var/named/named.loopback
    $TTL 1D
    $ORIGIN 0.0.127.in-addr.arpa.
    @ IN SOA @ lccnx.foxmail.com. ( 20170918 1H 10M 1W 1D )
        IN NS localhost.
    1 IN PTR localhost.
    # dig -t NS . > /var/named/named.ca
   Permissions
    # chmod 640 /var/named/named.ca
    # chown :named /var/named/named.ca
    # ls -l /var/named/named.ca
    -rw-r----- 1 root named 2188 Sep 9 20:40 /var/named/named.ca
    # chown :named /etc/named/named.conf /var/named/named.lo*
    # chmod 640 /etc/named/named.conf /var/named/named.lo*
    # ls -l /etc/named/named.conf /var/named/named.lo*
    -rw-r----- 1 root named 512 Sep 9 20:25 /etc/named/named.conf
    -rw-r----- 1 root named 125 Sep 9 20:27 /var/named/named.localhost
    -rw-r----- 1 root named 143 Sep 9 20:30 /var/named/named.loopback
7) rndc file
    # rndc-confgen -r /dev/urandom > /etc/named/rndc.conf
    key "rndc-key" {
        algorithm hmac-md5;
        secret "ZaRjlHwFaun/mfn648NDGQ==";
    };
    controls {
        inet 127.0.0.1 port 953
            allow { 127.0.0.1; } keys { "rndc-key"; };
    };
8) Test start (in the foreground, with debug output)
    # chown root.named /usr/local/bind9/var/run
    # ls -ld /usr/local/bind9/var/run
    drwxr-xr-x 2 root named 4096 Sep 9 19:58 /usr/local/bind9/var/run
    # chmod g+w /usr/local/bind9/var/run
    # named -u named -f -g -d 3
9) Check the listening ports
    # ss -tunlp | fgrep 53
    udp UNCONN 0 0 192.168.1.100:53 *:* users:(("named",6870,513))
    udp UNCONN 0 0 127.0.0.1:53 *:* users:(("named",6870,512))
    tcp LISTEN 0 10 192.168.1.100:53 *:* users:(("named",6870,22))
    tcp LISTEN 0 10 127.0.0.1:53 *:* users:(("named",6870,21))
    tcp LISTEN 0 128 127.0.0.1:953 *:* users:(("named",6870,23))
10) Service script
    # install -d /usr/local/bind9/var/lock

    #!/bin/bash
    #
    # Author: lcc.org
    # Version: 1.1.1
    # chkconfig: - 12 88
    # Description: BIND (Berkeley Internet Name Domain)

    # program name taken from the script name (the script is installed as "named")
    prog=$(basename "$0")
    lockfile=/var/lock/subsys/$prog

    start() {
        if killall -0 $prog 2> /dev/null; then
            if [ -e $lockfile ]; then
                echo "$prog is already started"
                return 0
            fi
        else
            if named -u named; then
                [ ! -e $lockfile ] && touch $lockfile
                echo "start $prog finished"
            fi
        fi
    }

    stop() {
        [ -e $lockfile ] && rm -rf $lockfile
        if killall -0 $prog 2> /dev/null; then
            pkill named && echo "stop $prog ok"
        else
            echo "stop $prog ok"
        fi
    }

    status() {
        if [ -e $lockfile ] && killall -0 named 2> /dev/null; then
            echo "$prog is running...."
        elif [ ! -e $lockfile ] && ! killall -0 named 2> /dev/null; then
            echo "$prog is stopped..."
        else
            # lock file and process disagree: clean up by stopping
            echo "WARNING: inconsistent state, stopping $prog"
            stop
        fi
    }

    reload() {
        rndc reload 2> /dev/null
    }

    case $1 in
    start)
        start ;;
    stop)
        stop ;;
    restart)
        stop
        start ;;
    status)
        status ;;
    reload)
        reload ;;
    *)
        echo "Usage: $0 {start|stop|restart|status|reload}" ;;
    esac
11) Install it into /etc/rc.d/init.d/
    # chmod +x named
    # cp -p named /etc/init.d/named
    # chkconfig --add named
    # chkconfig --list named
    named 0:off 1:off 2:off 3:off 4:off 5:off 6:off
12) Configure forward and reverse zones by hand and check that everything resolves without errors ...
10. Stress testing

1) Enter the contrib directory of the source tree
    # cd ~/bind-9.10.6/contrib/
2) Enter the queryperf directory
    # cd queryperf
3) Build
    # less README
    # ./configure
    # make
4) Copy the binary
    # cp -a queryperf /usr/local/bind9/bin/
5) Benchmark

The queryperf command <DNS benchmark>
Usage: queryperf [-d datafile] [-s server_addr]

First run, query logging off:
    # queryperf -d file -s 192.168.1.100

    DNS Query Performance Testing Tool
    Version: $Id: queryperf.c,v 1.12 2007/09/05 07:36:04 marka Exp $

    [Status] Processing input data
    [Status] Sending queries (beginning with 192.168.1.100)
    [Status] Testing complete

    Statistics:

      Parse input file:     once
      Ended due to:         reaching end of file

      Queries sent:         702000 queries
      Queries completed:    702000 queries
      Queries lost:         0 queries
      Queries delayed(?):   0 queries

      RTT max:              0.184500 sec
      RTT min:              0.000148 sec
      RTT average:          0.003078 sec
      RTT std deviation:    0.001178 sec
      RTT out of range:     0 queries

      Percentage completed: 100.00%
      Percentage lost:        0.00%

      Started at:           Sun Sep 10 03:13:45 2017
      Finished at:          Sun Sep 10 03:15:34 2017
      Ran for:              109.150809 seconds

      Queries per second:   6431.468593 qps

   top during the run
    PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
    7774 named 20 0 50152 12m 2748 S 53.4 5.3 2:06.29 named
    22591 root 20 0 20032 17m 676 S 45.2 7.4 0:05.06 queryperf
   vmstat
    procs -----------memory---------- ---swap-- -----io---- --system-- -----cpu-----
    r b swpd free buff cache si so bi bo in cs us sy id wa st
    2 0 4160 3876 8032 150904 0 0 74 75 62 128 2 3 90 6 0
    2 0 4160 3868 8032 150904 0 0 0 0 965 12360 4 96 0 0 0
    2 0 4160 3808 8032 150960 0 0 68 0 988 11908 20 80 0 0 0
    2 0 4160 3688 8040 151040 0 0 72 12 981 11791 4 96 0 0 0
    2 0 4160 3688 8040 151044 0 0 0 0 990 11952 4 96 0 0 0
    2 0 4160 3628 8040 151044 0 0 0 0 979 11990 3 97 0 0 0
    2 0 4160 3628 8040 151044 0 0 0 0 991 12712 16 84 0 0 0
   iostat
    # iostat 1
    Linux 2.6.32-696.el6.i686 (localhost.localdomain) 09/10/2017 _i686_ (1 CPU)

    avg-cpu: %user %nice %system %iowait %steal %idle
             1.25 0.46 2.62 5.61 0.00 90.06

    Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtn
    scd0 0.00 0.01 0.00 376 0
    sda 3.91 146.89 150.43 5265774 5392628
    dm-0 4.04 20.10 28.64 720634 1026544
    dm-1 0.05 0.18 0.25 6520 9032
    dm-2 0.01 0.06 0.00 2018 56
    dm-3 14.64 106.06 97.85 3802226 3507896
    dm-4 3.30 20.31 23.68 728258 849040

    avg-cpu: %user %nice %system %iowait %steal %idle
             19.39 2.04 78.57 0.00 0.00 0.00

    Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtn
    scd0 0.00 0.00 0.00 0 0
    sda 117.35 4693.88 57.14 4600 56
    dm-0 72.45 3126.53 0.00 3064 0
    dm-1 0.00 0.00 0.00 0 0
    dm-2 0.00 0.00 0.00 0 0
    dm-3 4.08 146.94 0.00 144 0
    dm-4 67.35 481.63 57.14 472 56

Second run, query logging on:
    # rndc querylog
    # rndc status
    version: BIND 9.10.6 <id:9d1ea0b>
    boot time: Sat, 09 Sep 2017 17:45:08 GMT
    last configured: Sat, 09 Sep 2017 18:04:13 GMT
    CPUs found: 1
    worker threads: 1
    UDP listeners per interface: 1
    number of zones: 103
    debug level: 0
    xfers running: 0
    xfers deferred: 0
    soa queries in progress: 0
    query logging is ON    // with query logging on, every request causes disk I/O
    recursive clients: 0/0/1000
    tcp clients: 0/100
    server is up and running
    # queryperf -d file -s 192.168.1.100

    DNS Query Performance Testing Tool
    Version: $Id: queryperf.c,v 1.12 2007/09/05 07:36:04 marka Exp $

    [Status] Processing input data
    [Status] Sending queries (beginning with 192.168.1.100)
    [Status] Testing complete

    Statistics:

      Parse input file:     once
      Ended due to:         reaching end of file

      Queries sent:         702000 queries
      Queries completed:    702000 queries
      Queries lost:         0 queries
      Queries delayed(?):   0 queries

      RTT max:              1.141619 sec
      RTT min:              0.000149 sec
      RTT average:          0.006632 sec
      RTT std deviation:    0.008464 sec
      RTT out of range:     0 queries

      Percentage completed: 100.00%
      Percentage lost:        0.00%

      Started at:           Sun Sep 10 03:22:50 2017
      Finished at:          Sun Sep 10 03:26:45 2017
      Ran for:              235.257594 seconds

      Queries per second:   2983.963187 qps

   top during the run
    PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
    7774 named 20 0 50152 13m 2784 S 50.8 5.4 3:39.84 named
    23274 root 20 0 20032 17m 672 S 24.5 7.4 0:17.01 queryperf
   vmstat
    # vmstat 1
    procs -----------memory---------- ---swap-- -----io---- --system-- -----cpu-----
    r b swpd free buff cache si so bi bo in cs us sy id wa st
    2 0 4160 8052 6944 148324 0 0 77 78 67 187 2 3 89 6 0
    2 0 4160 8060 6944 148352 0 0 24 12 999 13770 4 96 0 0 0
    1 1 4160 8052 6944 148348 0 0 12 0 977 12900 4 96 0 0 0
    2 0 4160 7992 6952 148428 0 0 56 52 988 12689 21 79 0 0 0
    2 0 4160 7872 6960 148436 0 0 0 56 989 14114 3 97 0 0 0
    1 1 4160 7880 6960 148440 0 0 16 56 974 13079 3 97 0 0 0
    1 1 4160 7872 6960 148528 0 0 84 88 1008 13114 8 92 0 0 0
    2 0 4160 7880 6960 148540 0 0 0 0 981 13744 15 85 0 0 0
    2 1 4160 7700 6968 148776 0 0 232 52 1013 14028 2 98 0 0 0
   iostat
    # iostat 1
    Linux 2.6.32-696.el6.i686 (localhost.localdomain) 09/10/2017 _i686_ (1 CPU)

    avg-cpu: %user %nice %system %iowait %steal %idle
             1.27 0.54 3.01 5.79 0.00 89.40

    Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtn
    scd0 0.00 0.01 0.00 376 0
    sda 4.04 154.73 156.98 5587614 5669060
    dm-0 4.09 20.75 28.96 749330 1045720
    dm-1 0.05 0.18 0.25 6520 9032
    dm-2 0.01 0.06 0.00 2018 56
    dm-3 15.51 113.36 104.19 4093554 3762752
    dm-4 3.29 20.19 23.58 729154 851440

    avg-cpu: %user %nice %system %iowait %steal %idle
             3.12 1.04 95.83 0.00 0.00 0.00

    Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtn
    scd0 0.00 0.00 0.00 0 0
    sda 3.12 41.67 75.00 40 72
    dm-0 0.00 0.00 0.00 0 0
    dm-1 0.00 0.00 0.00 0 0
    dm-2 0.00 0.00 0.00 0 0
    dm-3 11.46 41.67 75.00 40 72
    dm-4 0.00 0.00 0.00 0 0

With query logging on, throughput fell from 6431 qps to 2984 qps and the average RTT roughly doubled (0.003078 s to 0.006632 s) on the same input; keep query logging off on a busy server and enable it only briefly with rndc querylog when diagnosing a problem.
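Comparing two queryperf runs by eye is error-prone once there are several of them. The parser below is an added example, not part of the post or of queryperf; it reads the Statistics block that queryperf prints, turns each numeric field into a float, and compares a baseline run with a candidate run. `RUN_LOG_OFF` and `RUN_LOG_ON` are the two Statistics blocks from above, constructed inline one field per line.

```python
"""Parse queryperf statistics output and compare two runs.

Added example, not from the original post. Only lines of the form "Key: value ..."
whose first value token is numeric are kept; a trailing '%' is stripped.
"""

RUN_LOG_OFF = """\
Statistics:
  Parse input file:     once
  Ended due to:         reaching end of file
  Queries sent:         702000 queries
  Queries completed:    702000 queries
  Queries lost:         0 queries
  Queries delayed(?):   0 queries
  RTT max:              0.184500 sec
  RTT min:              0.000148 sec
  RTT average:          0.003078 sec
  RTT std deviation:    0.001178 sec
  RTT out of range:     0 queries
  Percentage completed: 100.00%
  Percentage lost:        0.00%
  Started at:           Sun Sep 10 03:13:45 2017
  Finished at:          Sun Sep 10 03:15:34 2017
  Ran for:              109.150809 seconds
  Queries per second:   6431.468593 qps
"""

RUN_LOG_ON = """\
Statistics:
  Queries sent:         702000 queries
  Queries completed:    702000 queries
  Queries lost:         0 queries
  Queries delayed(?):   0 queries
  RTT max:              1.141619 sec
  RTT min:              0.000149 sec
  RTT average:          0.006632 sec
  RTT std deviation:    0.008464 sec
  RTT out of range:     0 queries
  Percentage completed: 100.00%
  Percentage lost:        0.00%
  Ran for:              235.257594 seconds
  Queries per second:   2983.963187 qps
"""


def parse_queryperf(text):
    """Return {field name: float} for every numeric field in queryperf's output."""
    stats = {}
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line or not line[0].isalpha():
            continue
        key, _, value = line.partition(":")
        tokens = value.split()
        if not tokens:
            continue
        try:
            stats[key.strip()] = float(tokens[0].rstrip("%"))
        except ValueError:
            pass  # non-numeric fields such as "Started at" or "Ended due to"
    return stats


def compare_runs(baseline, candidate):
    """Ratios candidate/baseline for the fields that matter in a load test."""
    return {
        "qps_ratio": candidate["Queries per second"] / baseline["Queries per second"],
        "rtt_avg_ratio": candidate["RTT average"] / baseline["RTT average"],
        "rtt_max_ratio": candidate["RTT max"] / baseline["RTT max"],
        "lost_delta": candidate["Queries lost"] - baseline["Queries lost"],
    }


if __name__ == "__main__":
    off, on = parse_queryperf(RUN_LOG_OFF), parse_queryperf(RUN_LOG_ON)
    for key, value in compare_runs(off, on).items():
        print("%-14s %.3f" % (key, value))
```

Feed it the saved output of two runs (`queryperf ... > run1.txt`) to get the same comparison for any configuration change, for instance before and after toggling query logging as the post does.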
This article is from the "Reading" blog; please keep this source link: http://sonlich.blog.51cto.com/12825953/1966447