操作系统 | IP | 服务 |
CentOS 9 | 192.168.8.193 | Bind 主服务器 |
CentOS 9 | 192.168.8.192 | Bind 从服务器 |
CentOS 9 | 192.168.8.191 | OpenResty 代理 |
CentOS 9 | 192.168.8.190 | OpenResty 代理 |
安装前先关闭 firewalld、SELinux 和 iptables
Bind 主从
# BIND itself plus bind-utils (dig/nslookup and friends used to test the setup below).
yum install -y bind bind-utils
安装完成后，在主配置文件 /etc/named.conf 中添加域名的区域（zone）配置
[root@Bind-master-193 ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Master (primary) for haonan.com on 192.168.8.193. Zone changes are
// announced to the slave 192.168.8.192 (also-notify) and pulled by it via
// zone transfer (allow-transfer); see the haonan.com zone block below.
//
options {
// Answer only on loopback and the LAN address of this host.
listen-on port 53 { 127.0.0.1; 192.168.8.193;};
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
// Queries are accepted from the local host and the 192.168.8.0/24 LAN only.
// The OpenResty proxies (192.168.8.190/191) sit in this range; queries they
// forward presumably arrive with the proxy's own source address.
allow-query { localhost; 192.168.8.0/24;};
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
// NOTE(review): this server is authoritative for haonan.com *and* recursive,
// which the note above advises against; the allow-query ACL is what keeps it
// from being an open resolver, so keep the two in step.
recursion yes;
// Validate DNSSEC on recursive answers; trust anchors come from the
// /etc/named.root.key include at the bottom of this file.
dnssec-validation yes;
managed-keys-directory "/var/named/dynamic";
geoip-directory "/usr/share/GeoIP";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
// Root hints, used when recursing.
zone "." IN {
type hint;
file "named.ca";
};
// Authoritative zone; data lives in /var/named/haonan.com.zone.
zone "haonan.com" IN {
type master;
file "haonan.com.zone";
// Tell the slave immediately when the zone (SOA serial) changes.
also-notify{ 192.168.8.192; };
// Only the slave may pull the zone. This is a source-address check only;
// a TSIG key shared with the slave would authenticate the transfer instead
// of trusting the IP.
allow-transfer{192.168.8.192; };
// No dynamic updates: the zone file is edited by hand, and the SOA serial
// must be raised on every edit for the slave to pick it up.
allow-update{ none; };
notify yes;
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
之后在区域配置文件里配置 A 记录解析文件；每次修改区域文件后都要把序列号加 1，否则从服务器不会同步
[root@Bind-master-193 named]# cat haonan.com.zone
; Forward zone for haonan.com (master copy on 192.168.8.193).
; Default TTL for records without an explicit one: 7200 s (2 hours).
$TTL 7200
; SOA: MNAME, RNAME (admin@haonan.com), then serial / refresh / retry /
; expire / negative-caching TTL. Raise the serial on every edit so the
; slave notices the change.
; NOTE(review): MNAME is normally the primary name server (ns1.haonan.com.)
; rather than the zone apex — harmless here, but confirm it is intended.
haonan.com. IN SOA haonan.com. admin.haonan.com. (
2024012311 ; serial (looks like YYYYMMDDnn)
1H ; refresh
10M ; retry
1W ; expire
1D ) ; negative-caching TTL
; Both BIND servers are published as name servers for the zone.
haonan.com. IN NS ns1.haonan.com.
haonan.com. IN NS ns2.haonan.com.
ns1.haonan.com. IN A 192.168.8.193
ns2.haonan.com. IN A 192.168.8.192
; Two A records for www: resolvers get both and rotate between them.
www.haonan.com. IN A 192.168.8.193
www.haonan.com. IN A 192.168.8.192
检查语法
检查主配置文件：named-checkconf
检查区域配置文件（在 /var/named 目录下执行）：named-checkzone haonan.com haonan.com.zone
修改区域配置文件的属主和属组
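# Give the zone file to the named user/group so named can read it.
# "-R" was dropped (haonan.com.zone is a regular file, not a directory) and
# the legacy "user." form is replaced by the portable "user:group" form;
# "--" stops option parsing in case the name ever starts with "-".
chown named:named -- haonan.com.zone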
[root@Bind-master-193 ~]# ll /var/named/
总用量 20
drwxrwx--- 2 named named 23 1月 23 09:52 data
drwxrwx--- 2 named named 60 1月 23 11:47 dynamic
-rw-r--r-- 1 named named 348 1月 23 11:38 haonan.com.zone
-rw-r----- 1 root named 2253 11月 30 22:36 named.ca
-rw-r----- 1 root named 152 11月 30 22:36 named.empty
-rw-r----- 1 root named 152 11月 30 22:36 named.localhost
-rw-r----- 1 root named 168 11月 30 22:36 named.loopback
drwxrwx--- 2 named named 6 11月 30 22:36 slaves
在从服务器的主配置文件里进行如下修改
[root@Bind-slave-192 ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Slave (secondary) for haonan.com on 192.168.8.192. The zone is fetched
// from the master 192.168.8.193 and stored under /var/named/slaves.
//
options {
// Answer only on loopback and the LAN address of this host.
listen-on port 53 { 127.0.0.1; 192.168.8.192;};
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
// Same query ACL as the master: local host and the 192.168.8.0/24 LAN.
allow-query { localhost; 192.168.8.0/24;};
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
// NOTE(review): authoritative (for haonan.com) and recursive at the same
// time, as on the master; the allow-query ACL above is the only thing
// keeping this from being an open resolver.
recursion yes;
// Validate DNSSEC on recursive answers; trust anchors come from the
// /etc/named.root.key include at the bottom of this file.
dnssec-validation yes;
managed-keys-directory "/var/named/dynamic";
geoip-directory "/usr/share/GeoIP";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
// Root hints, used when recursing.
zone "." IN {
type hint;
file "named.ca";
};
// Secondary copy of haonan.com, transferred from the master 192.168.8.193.
zone "haonan.com" IN {
type slave;
file "slaves/haonan.com.zone";
masters { 192.168.8.193; };
// Keep the transferred zone as plain text so it can be read directly.
masterfile-format text;
// NOTE(review): no allow-transfer here, so this copy falls back to the
// server default; add `allow-transfer { none; };` unless another host is
// meant to pull the zone from the slave.
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
之后重启主从两端的 named 服务，查看从服务器的 /var/named/slaves 目录下是否已同步到区域文件
[root@Bind-slave-192 slaves]# ll
总用量 4
-rw-r--r-- 1 named named 396 1月 23 11:46 haonan.com.zone
OpenResty 代理
OpenResty - 安装 官方网站
在预编译的时候,添加stream模块
在主配置文件里面配置以下内容
[root@dns-master190 ~]# cat /usr/local/openresty/nginx/conf/nginx.conf
# Layer-4 (stream) proxy: clients send DNS to this host and each request is
# balanced across the two BIND servers in the upstream group.
stream {
upstream bind-ms {
server 192.168.8.193:53;
# NOTE(review): the slave listed in the table at the top of this page is
# 192.168.8.192, not .142 — confirm this address before relying on failover.
server 192.168.8.142:53;
}
server {
# UDP only. NOTE(review): resolvers retry over TCP when a UDP answer is
# truncated, so a matching TCP listener (`listen 53;`) is normally needed too.
listen 53 udp;
proxy_pass bind-ms;
# How long an idle proxied session is kept before it is closed.
proxy_timeout 120s;
error_log logs/proxy-bind-error.log error;
}
}
修改 /etc/resolv.conf，把 OpenResty 代理添加为 nameserver
# Generated by NetworkManager
# NOTE(review): the header above means NetworkManager regenerates this file,
# so hand-added entries may be lost on the next network change; confirm how
# the resolver list is persisted.
# Clients resolve through the two OpenResty proxies, not the BIND servers directly.
nameserver 192.168.8.190
nameserver 192.168.8.191
最后重新启动 OpenResty 服务