rh358 004 bind反向,转发,主从,各种资源记录 unbound ansible部署bind unbound
- 2022 年 9 月 4 日
- 筆記
- rh358 服务管理自动化
通过bind实现正向,反向,转发,主从,各种资源记录
7> 部署反向解析 从ip解析到fqdn
vim /etc/named.conf
zone "250.25.172.in-addr.arpa" IN {
type master;
file "172.25.250.zone"; 指定方向解析的区域配置文件路径
};
[root@serverb ~]
[root@serverb ~]
[root@serverb ~]
[root@serverb ~]
$TTL 3H
@ IN SOA serverb.example.com. root.serverb.example.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS serverb.example.com.
10 IN PTR servera.example.com.
11 IN PTR serverb.example.com.
12 IN PTR serverc.example.com.
13 IN PTR serverd.example.com.
~
[root@serverb ~]
8> 测试
[root@servera ~]
serverb.example.com has address 172.25.250.11
[root@servera ~]
10.250.25.172.in-addr.arpa domain name pointer servera.example.com.
[root@servera ~]
11.250.25.172.in-addr.arpa domain name pointer serverb.example.com.
[root@servera ~]
12.250.25.172.in-addr.arpa domain name pointer serverc.example.com.
[root@servera ~]
13.250.25.172.in-addr.arpa domain name pointer serverd.example.com.
[root@servera ~]
[root@servera ~]
> set type=ptr
> 172.25.250.10
Server: 172.25.250.11
Address: 172.25.250.11
10.250.25.172.in-addr.arpa name = servera.example.com.
> set type=NS
> example.com
Server: 172.25.250.11
Address: 172.25.250.11
example.com nameserver = serverb.example.com.
> set type=A
> servera.example.com
Server: 172.25.250.11
Address: 172.25.250.11
Name: servera.example.com
Address: 172.25.250.10
>
也可以通过dig查找
-x反向解析
@跟着DNS服务器
A/NS/SOA/-x<ptr>
9> 主从同步:
修改配置文件在主DNS上配置
[root@serverc ~]
zone "example.com" IN {
type master ;
file "example.com";
allow-transfer { 172.25.250.12; };
};
zone "250.25.172.in-addr.arpa" IN {
type master;
file "172.25.250.zone";
allow-transfer { 172.25.250.12; };
};
[root@serverb ~]
在从DNS上<slave>
[root@serverc ~]
listen-on port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { any; };
recursion yes;
dnssec-enable no;
dnssec-validation no;
zone "example.com" IN {
type slave ; 类型是从DNS服务器
file "slaves/example.com";
masters { 172.25.250.11; };
};
zone "250.25.172.in-addr.arpa" IN {
type slave;
file "slaves/172.25.250.zone";
masters { 172.25.250.11; };
};
[root@serverc ~]
success
[root@serverc ~]
success
[root@serverc ~]
success
[root@serverc ~]
Created symlink /etc/systemd/system/multi-user.target.wants/named.service → /usr/lib/systemd/system/named.service.
[root@serverc ~]
确认:
[root@serverc ~]
total 8
-rw-r--r--. 1 named named 490 Sep 3 22:29 172.25.250.zone
-rw-r--r--. 1 named named 432 Sep 3 22:29 example.com
[root@serverc ~]
针对主从服务器做的修改
1> 添加从的DNS服务器
2> 每一次添加必须要把序列号+1,只有当序列号增加才会同步
$TTL 3H
@ IN SOA serverb.example.com. root.serverb.example.com. (
1 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS serverb.example.com.
@ IN NS serverc.example.com. 从的DNS
10 IN PTR servera.example.com.
11 IN PTR serverb.example.com.
12 IN PTR serverc.example.com.
13 IN PTR serverd.example.com.
[root@servera ~]
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> @serverb.example.com -x 172.25.250.11
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18840
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 2cf3b75f384904d1905d5fd16314985b59d1176e48d0a6b3 (good)
;; QUESTION SECTION:
;11.250.25.172.in-addr.arpa. IN PTR
;; ANSWER SECTION:
11.250.25.172.in-addr.arpa. 10800 IN PTR serverb.example.com.
;; AUTHORITY SECTION:
250.25.172.in-addr.arpa. 10800 IN NS serverc.example.com.
250.25.172.in-addr.arpa. 10800 IN NS serverb.example.com.
;; ADDITIONAL SECTION:
serverb.example.com. 10800 IN A 172.25.250.11
serverc.example.com. 10800 IN A 172.25.250.12
;; Query time: 2 msec
;; SERVER: 172.25.250.11
;; WHEN: Sun Sep 04 20:21:47 CST 2022
;; MSG SIZE rcvd: 184
[root@servera ~]
同步后,可以使用dig,发现有两个dns权威地址了。那么就是配置文件更改后,同步成功
10> 对于一个转发的DNS服务器来说,在正常情况下,如果我们没有配置转发,当这个DNS需要解析其他域的FQDN的时候。首先是去根域服务器。可以通过forwders来改变装法对象
[root@serverd ~]
success
[root@serverd ~]
success
[root@serverd ~]
success
[root@serverd ~]
listen-on port 53 { any; };
allow-query { any; };
forwarders { 172.25.250.12 ;};
dnssec-enable no;
dnssec-validation no;
这两个可以删掉,也是zone地址。用不上
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
systemctl restart named
[root@serverd ~]
> set type=A
> servera.example.com
Server: 172.25.250.13
Address: 172.25.250.13
Non-authoritative answer: 这里做了转发所以不一样。非授权机构
Name: servera.example.com
Address: 172.25.250.10
>
邮件服务器
邮件服务器要做转发,所以得找到邮件服务器
正
@ IN MX 10 classroom.example.com.
254 IN PTR classroom.example.com.
反
@ IN MX 10 classroom.example.com.
254 IN PTR classroom.example.com.
[root@serverb named]
> set type=MX
> example.com
Server: 172.25.250.13
Address: 172.25.250.13
Non-authoritative answer:
example.com mail exchanger = 10 classroom.example.com.
Authoritative answers can be found from:
example.com nameserver = serverb.example.com.
example.com nameserver = serverc.example.com.
classroom.example.com internet address = 172.25.250.254
serverb.example.com internet address = 172.25.250.11
serverc.example.com internet address = 172.25.250.12
12> 仅缓存的DNS服务器:unbond
删除原来的unbound
[root@workstation ~]
[root@servera ~]
[root@servera ~]
success
[root@servera ~]
success
[root@servera ~]
[root@servera ~]
interface: 172.25.250.10
access-control: 172.25.250.0/24 allow
domain-insecure: "example.com"
interface-automatic: no
forward-zone:
name: .
forward-addr: 172.25.250.254
[root@servera ~]
[root@servera ~]
[root@servera ~]
PING servera.lab.example.com (172.25.250.10) 56(84) bytes of data.
64 bytes from servera.lab.example.com (172.25.250.10): icmp_seq=1 ttl=64 time=0.073 ms
^C
--- servera.lab.example.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.073/0.073/0.073/0.000 ms
[root@servera ~]
PING workstation.lab.example.com (172.25.250.9) 56(84) bytes of data.
64 bytes from workstation.lab.example.com (172.25.250.9): icmp_seq=1 ttl=64 time=1.17 ms
^C
--- workstation.lab.example.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.165/1.165/1.165/0.000 ms
[root@servera ~]
START_RRSET_CACHE
;rrset 38 1 0 7 3
lab.example.com. 38 IN SOA bastion.lab.example.com. root.bastion.lab.example.com. 2020040800 3600 300 604800 60
;rrset 38 1 0 7 3
example.com. 38 IN SOA classroom.example.com. root.classroom.example.com. 2015071700 3600 300 604800 60
END_RRSET_CACHE
START_MSG_CACHE
msg servera.example.com.example.com. IN A 33155 1 38 3 0 1 0
example.com. IN SOA 4
msg servera.example.com. IN A 33155 1 38 3 0 1 0
example.com. IN SOA 4
msg servera.example.com.lab.example.com. IN A 33155 1 38 3 0 1 0
lab.example.com. IN SOA 4
msg servera.example.com.example.com. IN AAAA 33155 1 38 3 0 1 0
example.com. IN SOA 4
msg servera.example.com.lab.example.com. IN AAAA 33155 1 38 3 0 1 0
lab.example.com. IN SOA 4
msg servera.example.com. IN AAAA 33155 1 38 3 0 1 0
example.com. IN SOA 4
END_MSG_CACHE
EOF
[root@servera ~]
search lab.example.com example.com
nameserver 172.25.250.10
[root@servera ~]
有缓存后,可以不依赖转发
清空缓存
[root@servera ~]
缓存,和forward上的服务器都没了,就无法再ping通了
导出
unbound-control dump_cache > aa
unbound-control load_cache < aa
ansible 部署DNS unbound
[root@workstation ~]# lab dns-automation start
[student@workstation dns-auto]$ cat unbound.yml
- name: configure cache dns on servera
hosts: caching_dns
become: true
tasks:
- name: install the unbound package
yum:
name: unbound
state: present
- name: prepare configureation file for unbound
template:
src: unbound.conf.j2
dest: /etc/unbound/unbound.conf
owner: root
group: unbound
mode: '0644'
setype: named_conf_t
notify: restart service
- name: start service
service:
name: unbound
state: started
enabled: true
- name: config firewalld for unbond
firewalld:
service: dns
state: enabled
immediate: yes
permanent: yes
handlers:
- name: restart service
service:
name: unbond
state: restarted
[student@workstation dns-auto]$ cat templates/unbound.conf.j2
server:
{% for ip in ansible_facts['all_ipv4_addresses'] %}
interface: {{ ip }}
{% endfor %}
interface-automatic: no
access-control: 172.25.250.0/24 allow
domain-insecure: example.com
forward-zone:
name: .
forward-addr: 172.25.250.254
remote-control:
control-enable: yes
[student@workstation dns-auto]$
[student@workstation dns-auto]$ ls
ansible.cfg inventory playbook.yml unbound.conf.j2
ansible 部署bind
bind的YML文件
---
- name: config bind
hosts: primary_dns,secondary_dns
become: true
tasks:
- name: install package
yum:
name: bind
state: present
- name: config for primary
copy:
src: files/primary_dns.conf
dest: /etc/named.conf
notify: restart service
when: inventory_hostname == "serverb.lab.example.com"
- name: config
copy:
src: files/secondary_dns.conf
dest: /etc/named.conf
notify: restart service
when: inventory_hostname == "serverc.lab.example.com"
- name: zone file
copy:
src: files/example.com
dest: /var/named/example.com
owner: root
group: named
when: inventory_hostname == "serverb.lab.example.com"
- name: zone file re
copy:
src: files/172.25.250.zone
dest: /var/named/172.25.250.zone
owner: root
group: named
when: inventory_hostname == "serverb.lab.example.com"
- name: start service
service:
name: named
state: started
enabled: true
- name: firewalld
firewalld:
service: dns
state: enabled
immediate: yes
permanent: yes
handlers:
- name: restart service
service:
name: named
state: restarted
[student@workstation dns-auto]$
主named的配置文件
[student@workstation dns-auto]$ cat files/primary_dns.conf
options {
listen-on port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { any; };
recursion yes;
dnssec-enable no;
dnssec-validation no;
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "example.com" IN {
type master;
file "example.com";
allow-transfer { 172.25.250.12;};
};
zone "250.25.172.in-addr.arpa" {
type master;
file "172.25.250.zone";
allow-transfer { 172.25.250.12;};
};
从named的配置文件
[student@workstation files]$ cat secondary_dns.conf
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { any; };
recursion yes;
dnssec-enable no;
dnssec-validation no;
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "example.com" IN {
type slave;
masters { 172.25.250.11; };
file "slaves/example.com";
};
zone "250.25.172.in-addr.arpa" IN {
type slave;
masters { 172.25.250.11; };
file "slaves/172.25.250.zone";
};
主的区域配置文件(正)
[student@workstation dns-auto]$ cat files/example.com
$TTL 3H
@ IN SOA serverb.example.com. root.serverb.example.com. (
1 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS serverb.example.com.
@ IN NS serverc.example.com.
servera IN A 172.25.250.10
serverb IN A 172.25.250.11
serverc IN A 172.25.250.12
serverd IN A 172.25.250.13
主的区域配置文件(反)
[student@workstation dns-auto]$ cat files/172.25.250.zone
$TTL 3H
@ IN SOA serverb.example.com. root.serverb.example.com. (
1 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS serverb.example.com.
@ IN NS serverc.example.com.
10 IN PTR servera.example.com.
11 IN PTR servera.example.com.
12 IN PTR servera.example.com.
13 IN PTR servera.example.com.
[student@workstation dns-auto]$ cat inventory
[control_node]
workstation.lab.example.com
[caching_dns]
servera.lab.example.com
[primary_dns]
serverb.lab.example.com
[secondary_dns]
serverc.lab.example.com
任何一种服务的自动化配置:
一: 安装包
二: 配置文件 1: jiaj2模板的形式配置:unbound,2: file: bind, 3: notify restart service
三: 要读取数据文件路径: 基本都有
四: 服务
五: 防火墙
六: Handlers : 接收配置的文件改变从而去重新启动服务