DNS安装与设置(3)

  • 2020 年 1 月 13 日
  • 筆記

DNS安装与设置(3)

主要实现DNS从服务器及配置转发服务器配置与实现

测试环境仍沿用第1、2篇中的环境来实现从服务器配置

1:测试环境

    DNS版本:version: 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6

    主服务器:10.1.77.85    

    从服务器:192.168.7.74

2:安装从服务器和转发服务器之前需要知道的

    1-1.如何创建从服务器?

        如果有多台DNS从服务器,必须为每个DNS服务器建立NS记录,否则主DNS不能向从服务器发送通知。

    区域定义:

        zone "区域名称" IN {

            type slave;

            file "slaves/ZONE_NAME.zone";

            masters {

                master_dns_ip;

                master_dns2_ip;};

            };

 在主服务器的/etc/named.rfc1912.zones中,用allow-transfer { IP; };设置允许哪些从服务器请求区域传送数据;只列出从服务器的IP即可,未列出的主机会被拒绝区域传送。

    1-2.bind访问控制列表

        acl string { address_match_element; ... };

            any、none、localhost、localnets 这几个内置ACL都可以选用

    2-2.如何将请求转发出去解析:

        转发类型:

        转发所有针对非本机负责解析的区域的请求;

                options {                 

        forwarders { 192.168.211.116; };

        forward only;

                 };

        仅针对特定区域进行转发:

                zone "区域名称" IN {

                    type forward;

                    };

PS:转发的前提,接受请求的服务器必须能够为请求者做递归查询;

        forwarders { IP; };

        forward only | first;

3:现在根据前面的提示开始设置

    1-1:在主服务器设置 allow-transfer

[root@erickpuppet77_85 ~]# less /etc/named.rfc1912.zones

zone "luhaigang.com" IN {

        type master;

        file "luhaigang.com.zone";

allow-transfer { 192.168.7.74; };

};

zone "luhaigang.cn" IN {

        type master;

        file "luhaigang.cn.zone";

allow-transfer { 192.168.7.74; };

};

zone "77.1.10.in-addr.arpa" IN {

        type master;

        file "77.1.10.zone";

allow-transfer { 192.168.7.74; };

};

    1-2:在192.168.7.74安装 DNS从服务器

[root@erickagent ~]#yum -y install bind*

    修改配置文件之前不要启动named

    修改从服务器192.168.7.74的DNS配置文件/etc/named.rfc1912.zones

[root@erickagent ~]# less /etc/named.rfc1912.zones 

        allow-update { none; };

};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {

        type master;

        file "named.loopback";

        allow-update { none; };

};

zone "1.0.0.127.in-addr.arpa" IN {

        type master;

        file "named.loopback";

        allow-update { none; };

};

zone "0.in-addr.arpa" IN {

        type master;

        file "named.empty";

        allow-update { none; };

};

zone "luhaigang.com" IN {

        type slave;//类型为从服务器

        file "slaves/luhaigang.com.zone";//从服务器的区域文件

        allow-transfer { none; };//从服务器不向任何主机提供区域传送(普通查询不受此项限制)

        masters { 10.1.77.85; };//指明主服务器的IP地址        

};

zone "luhaigang.cn" IN {

        type slave;

        file "slaves/luhaigang.cn.zone";

        allow-transfer { none; };

        masters { 10.1.77.85; };

};

zone "77.1.10.in-addr.arpa" {

        type slave;

        file "slaves/77.1.10.zone";

        allow-transfer { none; };

        masters { 10.1.77.85; };

};

在从服务器192.168.7.74创建slaves这个目录即可

#mkdir /var/named/slaves

#chown named:named /var/named/slaves

#chmod 640 /var/named/slaves

以上步骤做完之后即可在从服务器192.168.7.74启动named程序:

#service named start

启动之后,在从服务器192.168.7.74的/var/named/slaves目录下可以看到两个正向解析区域文件和一个反向解析区域文件已经从主服务器同步过来

[root@erickagent ~]# ll /var/named/slaves/

总用量 12

-rw-r--r-- 1 named named 491 3月  25 13:45 77.1.10.zone

-rw-r--r-- 1 named named 437 3月  25 13:48 luhaigang.cn.zone

-rw-r--r-- 1 named named 443 3月  25 14:19 luhaigang.com.zone

[root@erickagent ~]# less /var/named/slaves/luhaigang.cn.zone 

$ORIGIN .

$TTL 3600       ; 1 hour

luhaigang.cn            IN SOA  dns.luhaigang.cn. admin.luhaigang.cn. (

                                2015032315 ; serial

                                3600       ; refresh (1 hour)

                                300        ; retry (5 minutes)

                                259200     ; expire (3 days)

                                10800      ; minimum (3 hours)

                                )

                        NS      dns.luhaigang.cn.

                        MX      10 mail.luhaigang.cn.

$ORIGIN luhaigang.cn.

dns                     A       10.1.77.85

mail                    A       10.1.77.89

web                     CNAME   www

www                     A       10.1.77.86

                        A       10.1.77.87

                        A       10.1.77.88

把从服务器192.168.7.74本地的DNS客户端配置文件中的nameserver改成自己的地址

[root@erickagent ~]# less /etc/resolv.conf

nameserver 192.168.7.74

如果一切顺利,现在测试是否可以解析到luhaigang.com(正向),luhaigang.cn(正向),192.168.7.74(反向),10.1.77.85(反向)

[root@erickagent ~]# dig -t A luhaigang.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t A luhaigang.com

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14140

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:

;luhaigang.com. IN A

;; AUTHORITY SECTION:

luhaigang.com. 3600 IN SOA dns.luhaigang.com. admin.luhaigang.com. 2015032315 3600 300 259200 10800

;; Query time: 0 msec

;; SERVER: 192.168.7.74#53(192.168.7.74)

;; WHEN: Wed Mar 25 14:45:20 2015

;; MSG SIZE  rcvd: 77

[root@erickagent ~]# dig -t A luhaigang.con

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t A luhaigang.con

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26850

;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:

;luhaigang.con. IN A

;; AUTHORITY SECTION:

. 10800 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2015032401 1800 900 604800 86400

;; Query time: 230 msec

;; SERVER: 192.168.7.74#53(192.168.7.74)

;; WHEN: Wed Mar 25 14:45:27 2015

;; MSG SIZE  rcvd: 106

[root@erickagent ~]# dig -x 192.168.7.74

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -x 192.168.7.74

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 58440

;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:

;74.7.168.192.in-addr.arpa. IN PTR

;; Query time: 415 msec

;; SERVER: 192.168.7.74#53(192.168.7.74)

;; WHEN: Wed Mar 25 14:45:47 2015

;; MSG SIZE  rcvd: 43

[root@erickagent ~]# dig -x 10.1.77.85

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -x 10.1.77.85

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32824

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:

;85.77.1.10.in-addr.arpa. IN PTR

;; ANSWER SECTION:

85.77.1.10.in-addr.arpa. 3600 IN PTR dns.luhaigang.com.

;; AUTHORITY SECTION:

77.1.10.in-addr.arpa. 3600 IN NS dns.luhaigang.com.

;; ADDITIONAL SECTION:

dns.luhaigang.com. 3600 IN A 10.1.77.85

;; Query time: 0 msec

;; SERVER: 192.168.7.74#53(192.168.7.74)

;; WHEN: Wed Mar 25 14:45:56 2015

;; MSG SIZE  rcvd: 102

[root@erickagent ~]#

4:以上实现了从服务器的配置与实现,以下开始实现转发功能

    1:在主DNS服务器10.1.77.85编辑named.conf配置文件

[root@erickpuppet77_85 ~]# less /etc/named.conf 

//

// named.conf

//

// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS

// server as a caching only nameserver (as a localhost DNS resolver only).

//

// See /usr/share/doc/bind*/sample/ for example named configuration files.

//

options {

//      listen-on port 53 { 127.0.0.1; };

//      listen-on-v6 port 53 { ::1; };

        directory       "/var/named";

        dump-file       "/var/named/data/cache_dump.db";

        statistics-file "/var/named/data/named_stats.txt";

        memstatistics-file "/var/named/data/named_mem_stats.txt";

//      allow-query     { localhost; };

        recursion yes;

        forwarders { 192.168.211.116; };

        forward only;

        dnssec-enable yes;

        dnssec-validation yes;

        dnssec-lookaside auto;

        /* Path to ISC DLV key */

        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

};

logging {

        channel default_debug {

                file "data/named.run";

                severity dynamic;

        };

};

配置文件修改完成之后重启下named   #service named restart

forwarders中的这个IP地址是我们内网的一个DNS服务器

现在测试一下是否可以通过211.116这台DNS服务器解析它所负责的域名

1:主DNS服务器测试是否可以转发

[root@erickpuppet77_85 ~]# dig -t A www.baidu.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.2 <<>> -t A www.baidu.com

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41941

;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:

;www.baidu.com. IN A

;; ANSWER SECTION:

www.baidu.com. 1200 IN CNAME www.a.shifen.com.

www.a.shifen.com. 299 IN A 115.239.210.27

www.a.shifen.com. 299 IN A 115.239.211.112

;; Query time: 1145 msec

;; SERVER: 10.1.77.85#53(10.1.77.85)

;; WHEN: Wed Mar 25 15:11:39 2015

;; MSG SIZE  rcvd: 90

You have new mail in /var/spool/mail/root

[root@erickpuppet77_85 ~]#

2:从服务器测试是否可以转发

[root@erickagent ~]#  dig -t A www.baidu.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t A www.baidu.com

;; global options: +cmd

;; connection timed out; no servers could be reached

[root@erickagent ~]# service named start

Starting named:                                            [  OK  ]

[root@erickagent ~]#  dig -t A www.baidu.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t A www.baidu.com

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24832

;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 5

;; QUESTION SECTION:

;www.baidu.com. IN A

;; ANSWER SECTION:

www.baidu.com. 1200 IN CNAME www.a.shifen.com.

www.a.shifen.com. 300 IN A 115.239.210.27

www.a.shifen.com. 300 IN A 115.239.211.112

;; AUTHORITY SECTION:

a.shifen.com. 1200 IN NS ns1.a.shifen.com.

a.shifen.com. 1200 IN NS ns2.a.shifen.com.

a.shifen.com. 1200 IN NS ns3.a.shifen.com.

a.shifen.com. 1200 IN NS ns4.a.shifen.com.

a.shifen.com. 1200 IN NS ns5.a.shifen.com.

;; ADDITIONAL SECTION:

ns4.a.shifen.com. 1200 IN A 115.239.210.176

ns1.a.shifen.com. 1200 IN A 61.135.165.224

ns3.a.shifen.com. 1200 IN A 61.135.162.215

ns2.a.shifen.com. 1200 IN A 180.149.133.241

ns5.a.shifen.com. 1200 IN A 119.75.222.17

;; Query time: 1694 msec

;; SERVER: 192.168.7.74#53(192.168.7.74)

;; WHEN: Wed Mar 25 15:12:34 2015

;; MSG SIZE  rcvd: 260

现在主从都可以通过211.116转发请求到www.baidu.com的A记录

下一章节就开始实现DNS的日志系统的实现