Configuring and Using the DNS Service
- Environment preparation
- Kylin machines
This document assumes two machines, A (192.168.209.100) and B (192.168.209.101), with 192.168.209.100 acting as the server and 192.168.209.101 as the client; the mapped IP is 10.229.42.179 (an IP that cannot be pinged). The client locates the management node through DNS (much as ZooKeeper announces the management node's address): the DNS name points at a floating IP, and the floating IP resource is managed by the HA cluster.
- Disabling the firewall
Disable the firewall temporarily (it starts again after a reboot): systemctl stop firewalld
Disable the firewall permanently (it does not start after a reboot): systemctl disable firewalld
Only the 253 service needs to be configured on the server; then skip to chapter four, /etc/resolv.conf.
- Software installation
The bind package shipped with Kylin V10 is sufficient.
- DNS configuration
Log in to server machine A (192.168.209.100) as root. Assume the domain name to configure is dns.manager.com and the IP it maps to is 10.229.42.179.
- Edit /etc/named.conf with the following content:
options {
    listen-on port 53 { 10.229.42.53; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; };
    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "manager.com" IN {
    type master;
    file "goldendb.com.zone";
};
zone "." IN {
    type hint;
    file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
---------
The newly created /etc/named.conf should have its group and permissions changed:
# chown root:named /etc/named.conf
# chmod 640 /etc/named.conf
Use named-checkconf to check the input for errors; if there are none, it prints nothing.
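The stock comment in the named.conf above warns that a recursive server anyone can reach becomes a DNS amplification source, and this configuration combines recursion yes with allow-query { any; } and no allow-recursion. As an added example (not code from the original page), the following Python audits the options block for exactly that combination and shows the allow-recursion line that closes it; the sample text is constructed from this page's directives, and 192.168.209.0/24 is assumed to be the lab network of the two machines.

```python
import re

# Constructed sample: the directives from this page's /etc/named.conf that matter here.
SAMPLE_NAMED_CONF = """
options {
    listen-on port 53 { 10.229.42.53; };
    allow-query { any; };
    /* comments like this one must be ignored by the parser */
    recursion yes;
};
zone "manager.com" IN { type master; file "goldendb.com.zone"; };
"""

def options_block(text):
    """Return the body of the options { ... } block with comments stripped."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(//|#)[^\n]*", "", text)
    m = re.search(r"\boptions\s*\{(.*?)\n\};", text, flags=re.S)
    return m.group(1) if m else ""

def acl(block, name):
    """Address-match list of a directive as a token list, or None if it is absent."""
    m = re.search(r"\b%s\s*\{([^}]*)\}" % re.escape(name), block)
    return None if m is None else [t.strip() for t in m.group(1).split(";") if t.strip()]

def audit(text):
    """Return findings about open recursion; an empty list means none found."""
    block = options_block(text)
    rec = re.search(r"\brecursion\s+(yes|no)\s*;", block)
    if rec is not None and rec.group(1) == "no":
        return []  # authoritative-only server: it will not recurse for anyone
    who = ["localnets", "localhost"]  # BIND's default when none of the ACLs below is set
    for name in ("allow-query", "allow-query-cache", "allow-recursion"):  # rising precedence
        if acl(block, name) is not None:
            who = acl(block, name)
    if "any" in who:
        return ["recursion yes with recursion allowed from 'any': open resolver, "
                "abusable for DNS amplification; add allow-recursion { <trusted>; };"]
    return []

def harden(text, trusted):
    """Add an allow-recursion ACL (if none exists) so only `trusted` networks may recurse."""
    if acl(options_block(text), "allow-recursion") is not None:
        return text
    directive = "recursion yes;\n    allow-recursion { %s; };" % "; ".join(trusted)
    return re.sub(r"\brecursion\s+yes\s*;", directive, text, count=1)

if __name__ == "__main__":
    print(audit(SAMPLE_NAMED_CONF))
    print(audit(harden(SAMPLE_NAMED_CONF, ["192.168.209.0/24", "localhost"])))  # assumed lab net
```

Run it against your own /etc/named.conf text after the named-checkconf step; an empty list from audit() means recursion is either off or restricted to the networks you named.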
- Edit /etc/named.rfc1912.zones with the following content:
zone "localhost" IN {
    type master;
    file "named.localhost";
    allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
    type master;
    file "named.loopback";
    allow-update { none; };
};
Use named-checkconf to check the input for errors; if there are none, it prints nothing. (Nothing needs to be changed here.)
- Edit the zone file: vim /var/named/goldendb.com.zone
# cd /var/named
# vim /var/named/goldendb.com.zone
(cd /var/named/, cp goldendb.com.zone gdb.com.zone, systemctl restart named)
The content is as follows:
$TTL 6h
@           IN  SOA    dnsserver xyz ( 1 3h 1h 1w 1h )
@           IN  NS     dnsserver
dnsserver   IN  A      10.229.42.53
dns         IN  A      10.229.42.179
NS          IN  CNAME  dns
The newly created /var/named/goldendb.com.zone should have its group and permissions changed:
# chmod 640 /var/named/goldendb.com.zone
# chown root:named /var/named/goldendb.com.zone
Use named-compilezone -o - manager.com /var/named/goldendb.com.zone to compile and check goldendb.com.zone for errors; normal output looks like this:
zone manager.com/IN: loaded serial 1
manager.com. 21600 IN SOA dnsserver.manager.com. xyz.manager.com. 1 10800 3600 604800 3600
manager.com. 21600 IN NS dnsserver.manager.com.
dns.manager.com. 21600 IN A 10.229.42.179
dnsserver.manager.com. 21600 IN A 10.229.42.53
NS.manager.com. 21600 IN CNAME dns.manager.com.
OK
- Start the name service
# systemctl start named.service   (or: service named start)
- Check whether the name service is running
# netstat -tnlup | grep named
Normal output:
tcp   0  0  10.229.42.53:53  0.0.0.0:*  LISTEN  13805/named
tcp   0  0  127.0.0.1:953    0.0.0.0:*  LISTEN  13805/named
tcp6  0  0  ::1:53           :::*       LISTEN  13805/named
tcp6  0  0  ::1:953          :::*       LISTEN  13805/named
udp   0  0  10.229.42.53:53  0.0.0.0:*          13805/named
udp6  0  0  ::1:53           :::*               13805/named
- Configure machine B to use machine A as its DNS server
- Log in to machine B (192.168.209.101) as root
- Edit /etc/resolv.conf and add the line nameserver 10.229.42.53
- Lock resolv.conf to prevent modification
# chattr +i /etc/resolv.conf
(To unlock: chattr -i /etc/resolv.conf)
- Adjust the sshd configuration to avoid ssh/sftp operations stalling because of the DNS configuration
# vi /etc/ssh/sshd_config
Add or modify:
UseDNS no
GSSAPIAuthentication no
# service sshd restart   (restart the ssh service)
- Name resolution verification
On machine B (192.168.209.101), run nslookup to check the resolution result:
# nslookup dns.manager.com
Server: 192.168.209.100
Address: 192.168.209.100#53
Name: dns.manager.com
Address: 10.229.42.179
If resolution succeeds, the DNS service has been configured successfully.