准备:
关闭防火墙及 selinux(仅适用于实验环境;生产环境应保留 SELinux,并只在防火墙中放行 53/tcp 与 53/udp):
-
[root@master ~]# systemctl stop firewalld
-
[root@master ~]# setenforce 0
安装软件包(主从服务器都需要):
[root@slave ~]# yum install bind -y
该软件包服务名称为named。
配置主服务器
服务文件:
-
options {
-
listen-on port 53 { 127.0.0.1; };//监听对象IPV4地址
-
listen-on-v6 port 53 { ::1; };//IPV6地址
-
directory "/var/named";//数据文件主要路径
-
dump-file "/var/named/data/cache_dump.db";//查询数据备份文件
-
statistics-file "/var/named/data/named_stats.txt";
-
memstatistics-file "/var/named/data/named_mem_stats.txt";
-
secroots-file "/var/named/data/named.secroots";
-
recursing-file "/var/named/data/named.recursing";
-
allow-query { localhost; };//允许哪些主机发起域名查询
-
/*
-
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
-
- If you are building a RECURSIVE (caching) DNS server, you need to enable
-
recursion.
-
- If your recursive DNS server has a public IP address, you MUST enable access
-
control to limit queries to your legitimate users. Failing to do so will
-
cause your server to become part of large scale DNS amplification
-
attacks. Implementing BCP38 within your network would greatly
-
reduce such attack surface
-
*/
-
recursion yes;//是否开启递归查询
-
dnssec-validation yes;
-
managed-keys-directory "/var/named/dynamic";
-
pid-file "/run/named/named.pid";
-
session-keyfile "/run/named/session.key";
-
include "/etc/crypto-policies/back-ends/bind.config";
-
};
-
logging {
-
channel default_debug {
-
file "data/named.run";
-
severity dynamic;
-
};
-
};
-
zone "." IN {
-
type hint;
-
file "named.ca";
-
};//域
-
include "/etc/named.rfc1912.zones";
-
include "/etc/named.root.key";
配置服务文件并添加域(openlab.com):
-
options {
-
listen-on port 53 { 192.168.91.129; };//监听对象IPV4地址
-
listen-on-v6 port 53 { ::1; };//IPV6地址
-
directory "/var/named";//数据文件主要路径
-
dump-file "/var/named/data/cache_dump.db";//查询数据备份文件
-
statistics-file "/var/named/data/named_stats.txt";
-
memstatistics-file "/var/named/data/named_mem_stats.txt";
-
secroots-file "/var/named/data/named.secroots";
-
recursing-file "/var/named/data/named.recursing";
-
allow-query { any; };//允许哪些主机发起域名查询
-
allow-transfer { 192.168.91.133; };//默认配置中没有这一项;限制只允许哪些服务器(这里是从服务器)进行区域传送,未设置时可能允许任意主机传送整个区域
-
/*
-
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
-
- If you are building a RECURSIVE (caching) DNS server, you need to enable
-
recursion.
-
- If your recursive DNS server has a public IP address, you MUST enable access
-
control to limit queries to your legitimate users. Failing to do so will
-
cause your server to become part of large scale DNS amplification
-
attacks. Implementing BCP38 within your network would greatly
-
reduce such attack surface
-
*/
-
recursion yes;//是否开启递归查询;与上面的 allow-query { any; } 同时使用会使其成为对任意主机开放的递归解析器(正如上方注释所警告),权威服务器建议改为 recursion no; 或用 allow-recursion 限制来源
-
dnssec-validation yes;
-
managed-keys-directory "/var/named/dynamic";
-
pid-file "/run/named/named.pid";
-
session-keyfile "/run/named/session.key";
-
include "/etc/crypto-policies/back-ends/bind.config";
-
};
-
logging {
-
channel default_debug {
-
file "data/named.run";
-
severity dynamic;
-
};
-
};
-
zone "." IN {
-
type hint;
-
file "named.ca";
-
};
-
zone "openlab.com" IN {
-
type master;
-
file "openlab";
-
};//添加正向域
-
zone "91.168.192.in-addr.arpa" IN {
-
type master;
-
file "openlab_re";
-
};//添加反向域
-
include "/etc/named.rfc1912.zones";
-
include "/etc/named.root.key";
反向域的 IP 是一个网段:不写主机位,按字节反向书写,并以 in-addr.arpa 结尾。
创建并添加正向资源记录文件:
[root@master ~]# vim /var/named/openlab
-
$TTL 1D ;;将TTL值统一设置为1天
-
@ IN SOA openlab.com. admin.admin.com ( 2024011600
-
1M
-
1M
-
3M
-
1D )
-
IN NS dns.openlab.com.
-
dns IN A 192.168.91.129
-
www IN A 192.168.91.111
SOA 和 NS 资源记录中的域名要加上根域(末尾的点)。PTR 记录的数据以及 SOA 中的邮箱字段同样需要补上末尾的点,否则会被自动追加区域名——下面反向解析测试结果中的 dns.openlab.com.91.168.192.in-addr.arpa. 正是这一问题的表现。
每行从左到右依次是:主机名 TTL(统一设置后可以省略) IN(Internet 类) 资源记录类型 数据。
资源记录类型
A:通过域名能够查询到对应ipv4
AAAA:通过域名能够查询到对应ipv6
CNAME:别名资源记录
PTR:指针记录Ipv4/ipv6 查询到一个域名
NS:dns解析记录类型(标记本地dns服务器的主机名)
MX:邮件解析记录类型(标记邮件服务器的主机名)
SOA:起始授权记录(用于主从服务器同步),特殊的是它有7个数据:
masterdns TTL IN 资源记录类型 数据(主DNS服务器名) 邮箱地址 (序列号/版本 检查(刷新)时间 重试时间 失效时间 ttl)
创建并添加反向资源记录文件:
[root@master ~]# vim /var/named/openlab_re
-
$TTL 1D ;;将TTL值统一设置为1天
-
@ IN SOA openlab.com. admin.admin.com ( 2024011600
-
1M
-
1M
-
3M
-
1D )
-
IN NS dns.openlab.com.
-
129 IN PTR dns.openlab.com
-
111 IN PTR www.openlab.com
重启服务后进行测试:
-
[root@master ~]# systemctl restart named
-
[root@master ~]# nslookup
-
> server 192.168.91.129
-
Default server: 192.168.91.129
-
Address: 192.168.91.129#53
-
> dns.openlab.com
-
Server: 192.168.91.129
-
Address: 192.168.91.129#53
-
Name: dns.openlab.com
-
Address: 192.168.91.129
-
> www.openlab.com
-
Server: 192.168.91.129
-
Address: 192.168.91.129#53
-
Name: www.openlab.com
-
Address: 192.168.91.111
-
> 192.168.91.129
-
129.91.168.192.in-addr.arpa name = dns.openlab.com.91.168.192.in-addr.arpa.
-
> 192.168.91.111
-
111.91.168.192.in-addr.arpa name = www.openlab.com.91.168.192.in-addr.arpa.
nslookup:可以指定dns服务器进行域名解析。
配置从服务器
配置服务文件并添加域(openlab.com):
-
options {
-
listen-on port 53 { 192.168.91.133; };
-
listen-on-v6 port 53 { ::1; };
-
directory "/var/named";
-
dump-file "/var/named/data/cache_dump.db";
-
statistics-file "/var/named/data/named_stats.txt";
-
memstatistics-file "/var/named/data/named_mem_stats.txt";
-
secroots-file "/var/named/data/named.secroots";
-
recursing-file "/var/named/data/named.recursing";
-
allow-query { any; };
-
/*
-
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
-
- If you are building a RECURSIVE (caching) DNS server, you need to enable
-
recursion.
-
- If your recursive DNS server has a public IP address, you MUST enable access
-
control to limit queries to your legitimate users. Failing to do so will
-
cause your server to become part of large scale DNS amplification
-
attacks. Implementing BCP38 within your network would greatly
-
reduce such attack surface
-
*/
-
recursion yes;
-
dnssec-validation yes;
-
managed-keys-directory "/var/named/dynamic";
-
pid-file "/run/named/named.pid";
-
session-keyfile "/run/named/session.key";
-
include "/etc/crypto-policies/back-ends/bind.config";
-
};
-
logging {
-
channel default_debug {
-
file "data/named.run";
-
severity dynamic;
-
};
-
};
-
zone "." IN {
-
type hint;
-
file "named.ca";
-
};
-
zone "openlab.com" IN {
-
type slave;
-
file "named.openlab";
-
masters { 192.168.91.129; };
-
};
-
zone "91.168.192.in-addr.arpa" IN {
-
type slave;
-
file "named.openlab_re";
-
masters { 192.168.91.129; };
-
};
-
include "/etc/named.rfc1912.zones";
-
include "/etc/named.root.key";
不用添加资源文件,将会从主服务器同步过来。注意从服务器配置中没有设置 allow-transfer,为避免区域数据被任意主机整区传送,建议同样加上 allow-transfer { none; }; 或只允许指定主机:
-
[root@slave ~]# ll /var/named
-
total 36
-
drwxrwx---. 2 named named 4096 Jan 16 21:13 data
-
drwxrwx---. 2 named named 4096 Jan 16 21:14 dynamic
-
-rw-r-----. 1 root named 2253 Sep 22 02:33 named.ca
-
-rw-r-----. 1 root named 152 Sep 22 02:33 named.empty
-
-rw-r-----. 1 root named 152 Sep 22 02:33 named.localhost
-
-rw-r-----. 1 root named 168 Sep 22 02:33 named.loopback
-
-rw-r--r--. 1 named named 259 Jan 16 21:13 named.openlab //正向
-
-rw-r--r--. 1 named named 393 Jan 16 21:13 named.openlab_re //反向
-
drwxrwx---. 2 named named 4096 Sep 22 02:33 slaves
重启服务后进行测试:
-
[root@slave ~]# systemctl restart named
-
[root@slave ~]# nslookup
-
> server 192.168.91.133
-
Default server: 192.168.91.133
-
Address: 192.168.91.133#53
-
> dns.openlab.com
-
Server: 192.168.91.133
-
Address: 192.168.91.133#53
-
Name: dns.openlab.com
-
Address: 192.168.91.129
-
> www.openlab.com
-
Server: 192.168.91.133
-
Address: 192.168.91.133#53
-
Name: www.openlab.com
-
Address: 192.168.91.111
-
> 192.168.91.129
-
129.91.168.192.in-addr.arpa name = dns.openlab.com.91.168.192.in-addr.arpa.
-
> 192.168.91.111
-
111.91.168.192.in-addr.arpa name = www.openlab.com.91.168.192.in-addr.arpa.
修改资源文件尝试进行主从同步
在主服务器的正向资源记录文件中添加下面这条记录,并把版本号(序列号)修改为 2024011601(序列号必须增大,从服务器才会重新同步):
ftp IN A 192.168.91.222
在主服务器的反向资源记录文件中添加下面这条记录,并同样把版本号修改为 2024011601:
222 IN PTR ftp.openlab.com
主服务器测试:
-
[root@master ~]# systemctl restart named
-
[root@master ~]# nslookup
-
> server 192.168.91.129
-
Default server: 192.168.91.129
-
Address: 192.168.91.129#53
-
> ftp.openlab.com
-
Server: 192.168.91.129
-
Address: 192.168.91.129#53
-
Name: ftp.openlab.com
-
Address: 192.168.91.222
-
> 192.168.91.222
-
222.91.168.192.in-addr.arpa name = ftp.openlab.com.91.168.192.in-addr.arpa.
因为检查(刷新)时间设置为 1 分钟,所以我们等待 1 分钟后再在从服务器中尝试:
-
[root@slave ~]# nslookup
-
> server 192.168.91.133
-
Default server: 192.168.91.133
-
Address: 192.168.91.133#53
-
> 192.168.91.222
-
222.91.168.192.in-addr.arpa name = ftp.openlab.com.91.168.192.in-addr.arpa.
-
> ftp.openlab.com
-
Server: 192.168.91.133
-
Address: 192.168.91.133#53
-
Name: ftp.openlab.com
-
Address: 192.168.91.222
同步成功!