1 安装部署dns
yum install bind -y
systemctl start named
systemctl enable named
systemctl stop firewalld
systemctl disable firewalld
在真机上直接dig 百度
主配置文件: /etc/named.conf
子配置文件: /etc/named.rfc1912.zones
数据目录: /var/named
2高速缓存dns
vim /etc/named.conf
11 listen-on port 53 { any; }; ##在所有网络接口上监听(对所有来源开放)
17 allow-query { any; }; ##允许任何主机发起查询
18 forwarders {172.25.254.250; }; ##本机解析不到的查询全部转发给 172.25.254.250
systemctl restart named
测试:
在客户主机
vim /etc/resolv.conf
nameserver 172.25.254.127
3 正向解析
4 反向解析
5 内外网
在企业中,会有内部网与外网之分,若企业人员也使用外网进行工作,会使工作效率大大降低。在此实现dns的双向解析(内外网分别解析)。
修改主配置文件,为内网和外网客户端分别指定不同的子配置文件 vim /etc/named.conf
50 view localnet {
51 match-clients { 172.25.254.66; };
52 zone "." IN {
53 type hint;
54 file "named.ca";
55 };
56
57 include "/etc/named.rfc1912.zones";
58 include "/etc/named.root.key";
59 };
60
61 view any {
62 match-clients { any; };
63 zone "." IN {
64 type hint;
65 file "named.ca";
66 };
67
68 include "/etc/named.rfc1912.zones.inter";
69 include "/etc/named.root.key";
70 };
新建并修改子配置文件,使两个 view 引用不同的区域数据文件 vim /etc/named.rfc1912.zones.inter
25 zone "westos.com" IN {
26 type master;
27 file "westos.com.inter";
28 allow-update { none; };
29 };
修改区域数据文件中的地址记录 vim /var/named/westos.com.inter
1 $TTL 1D
2 @ IN SOA dns.westos.com. root.westos.com. (
3 0 ; serial
4 1D ; refresh
5 1H ; retry
6 1W ; expire
7 3H ) ; minimum
8 NS dns.westos.com.
9 dns A 1.1.1.1
10 www A 172.25.254.222
当从内网主机(即 11 这台主机)执行 dig 时,会得到如下结果:
当从外网主机(即 66 这台主机)执行 dig 时,会得到如下结果:
6 辅助dns
主dns的设定
vim /etc/named.rfc1912.zones.inter
25 zone "westos.com" IN {
26 type master;
27 file "westos.com.inter";
28 allow-update { none; };
29 also-notify { 172.25.254.11; };
30 };
systemctl restart named
辅助dns上
yum install bind -y
vim /etc/named.conf
11 // listen-on port 53 { 127.0.0.1; };
17 // allow-query { localhost; };
vim /etc/named.rfc1912.zones
25 zone "westos.com" IN {
26 type slave;
27 masters { 172.25.254.10; };
28 file "slaves/westos.com.inter";
29 allow-update { none; };
30 };
systemctl stop firewalld
systemctl start named
测试:
vim /etc/resolv.conf
nameserver 172.25.254.11
dig www.westos.com
7 dns的远程更新
基于ip
vim /etc/named.rfc1912.zones.inter
25 zone "westos.com" IN {
26 type master;
27 file "westos.com.inter";
28 allow-update { 172.25.254.11; };
29 also-notify { 172.25.254.11;};
30 };
systemctl restart named
测试:
在11这台主机上
[root@desktop ~]# nsupdate
> server 172.25.254.11
> update add bbs.westos.com 86400 A 1.1.1.3
> send
update failed: SERVFAIL #原因是 named 对 /var/named 目录没有写权限,给该目录添加写权限后重试
> server 172.25.254.11
> update add hello.westos.com 86400 A 1.1.1.3 #添加
> send
> server 172.25.254.11
> update delete hello.westos.com #删除
> send
cat /var/named/westos.com.inter
基于key
基于 ip 的远程更新中,来源 ip 可以被其他主机伪造,存在安全风险。因此在此制作一个 key,并将生成的密钥文件传给需要远程更新的主机,改为基于 key 认证更新请求。
cp -p /etc/rndc.key /etc/westos.key
chgrp named /etc/westos.key
dnssec-keygen -a HMAC-MD5 -b 512 -n HOST wesots
cat Khaha.+157+61640.key
vim /etc/westos.key
1 key "westos" { ### key 名称,需与 allow-update 中引用的名称一致
2 algorithm hmac-md5;
3 secret "Ky+cJHy4RfjnPeDsZvaovFV7ppMwgExBfj88mp4wbUvD7f5rnbZPlU0J HmM D4v++4yVD3v0+8SSpiXHmAM/5yA=="; ## 取自 dnssec-keygen 生成的 .key 文件中的密钥串
4 };
vim /etc/named.conf
42 include "/etc/westos.key";
vim /etc/named.rfc1912.zones.inter
28 allow-update { key haha; };
scp Khaha.+157+61640.* root@172.25.254.11:/mnt
测试
[root@desktop mnt]# nsupdate -k Khaha.+157+61640.private
> server 172.25.254.11
> update add bbs.westos.com 86400 A 1.1.1.3
> send