Installing and Configuring a DNS Service
First, the base environment
1. Change the hostnames
My main server is 192.168.200.80 (hostname mail)
and the second server is 192.168.200.70 (hostname dns). The zone configured below lives on the dns node; the mail node only uses it as a client.
main node
[root@localhost ~]# hostnamectl set-hostname mail
[root@localhost ~]# bash
[root@mail ~]#
dns node
[root@localhost ~]# hostnamectl set-hostname dns
[root@localhost ~]# bash
[root@dns ~]#
2. Turn off the firewall (lab shortcut)
Stopping firewalld and switching SELinux to permissive is the quickest way to rule both out while learning, but neither should stay that way: firewalld can simply be left running with the dns service (53/udp and 53/tcp) allowed (firewall-cmd --permanent --add-service=dns, then --reload), and BIND ships with an SELinux policy (named runs as named_t), so Enforcing mode works with the stock configuration. Note that setenforce 0 only lasts until the next reboot anyway.
main node
[root@mail ~]# systemctl stop firewalld
[root@mail ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
[root@mail ~]# setenforce 0
dns node
[root@dns ~]# systemctl stop firewalld
[root@dns ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
[root@dns ~]# setenforce 0
3. Test the yum repository (network access)
main node
[root@mail ~]# yum list
dns node
[root@dns ~]# yum list
Installing DNS
1. Install the DNS server
main node
[root@mail ~]# yum install bind-chroot bind-utils -y
dns node
[root@dns ~]# yum install bind-chroot bind-utils -y
2. Start the service
Both the main node and the dns node must start it (and enable it, so it comes back after a reboot). One caveat: bind-chroot was installed above, but the unit started here is named, not named-chroot, so named is running unchrooted (the status output below shows /usr/sbin/named -u named -c /etc/named.conf with no -t chroot directory). That is fine for this walkthrough; to actually use the chroot, enable and start named-chroot instead, which bind-mounts the configuration into /var/named/chroot.
[root@mail ~]# systemctl restart named
Then check that it started on both nodes,
for example on the main node:
(1) Check the status
[root@mail ~]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
Active: active (running) since Fri 2020-11-06 18:08:16 CST; 8min ago
Process: 29467 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
Process: 29463 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 29469 (named)
CGroup: /system.slice/named.service
└─29469 /usr/sbin/named -u named -c /etc/named.conf
Nov 06 18:08:16 mail named[29469]: network unreachable resolvi...3
Nov 06 18:08:16 mail named[29469]: network unreachable resolvi...3
Nov 06 18:08:16 mail named[29469]: network unreachable resolvi...3
Nov 06 18:08:18 mail named[29469]: network unreachable resolvi...3
Nov 06 18:08:18 mail named[29469]: network unreachable resolvi...3
Nov 06 18:08:18 mail named[29469]: validating ./DNSKEY: veri...n
Nov 06 18:08:18 mail named[29469]: validating ./DNSKEY: unab...'
Nov 06 18:08:18 mail named[29469]: broken trust chain resolvin...3
Nov 06 18:08:18 mail named[29469]: resolver priming query complete
Nov 06 18:08:53 mail named[29469]: managed-keys-zone: Unable t...t
Hint: Some lines were ellipsized, use -l to show in full.
The "network unreachable" and "broken trust chain" lines are named trying to prime its root hints and validate the root DNSKEY without a usable route to the root servers from this lab network; they do not affect the local zones configured below.
(2) Check the listening ports
net-tools is not installed yet, so install it (alternatively, ss -lnpt from iproute is present by default and shows the same thing).
[root@mail ~]# yum install net-tools -y
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.ustc.edu.cn
* extras: mirrors.ustc.edu.cn
* updates: mirrors.ustc.edu.cn
Resolving Dependencies
--> Running transaction check
---> Package net-tools.x86_64 0:2.0-0.25.20131004git.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
==================================================================
Package Arch Version Repository
Size
==================================================================
Installing:
net-tools x86_64 2.0-0.25.20131004git.el7 base 306 k
Transaction Summary
==================================================================
Install 1 Package
Total download size: 306 k
Installed size: 917 k
Downloading packages:
net-tools-2.0-0.25.20131004git.el7.x86_64.rp | 306 kB 00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : net-tools-2.0-0.25.20131004git.el7.x86_64 1/1
Verifying : net-tools-2.0-0.25.20131004git.el7.x86_64 1/1
Installed:
net-tools.x86_64 0:2.0-0.25.20131004git.el7
Complete!
Both ports are listening, but only on loopback (127.0.0.1 and ::1), which is why listen-on and allow-query are changed in the next step.
[root@mail ~]# netstat -lnpt | grep named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 29469/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 29469/named
tcp6 0 0 ::1:53 :::* LISTEN 29469/named
tcp6 0 0 ::1:953 :::* LISTEN 29469/named
3. Configuration file
On both nodes, change these two lines in /etc/named.conf:
listen-on port 53 { 127.0.0.1; };
allow-query { localhost; };
to
listen-on port 53 { any; };
allow-query { any; };
Security note: the file also keeps recursion yes. allow-query { any; } together with recursion on an interface reachable from outside turns the host into an open resolver usable for DNS amplification, exactly as the comment block in the file warns. On an isolated lab network that is acceptable; anywhere else, limit the ACLs to your own ranges, for example allow-query { localhost; 192.168.200.0/24; }; and allow-recursion { localhost; 192.168.200.0/24; };, or set recursion no on a server that is only meant to be authoritative.
[root@mail ~]# vi /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Configuring DNS
After editing the configuration file, do not restart yet; set up the forward and reverse zones first.
Forward resolution: look up the IP address for a hostname (domain name).
Reverse resolution: look up the hostname (domain name) for an IP address. Mail servers use it to check the sending host (an IP with no PTR record, or a PTR whose name does not resolve back to the same IP, is a common spam-filter criterion), and it is what log tools use when they show hostnames next to addresses.
1. Forward zone
Configured on the dns node (the one that will be authoritative for testmail.com).
(1) Create the zone file
Go to /var/named/ and copy the named.localhost template to testmail.com.zone
[root@dns ~]# cd /var/named/
[root@dns named]# ll
total 16
drwxr-x---. 7 root named 56 Nov 26 05:56 chroot
drwxrwx---. 2 named named 22 Nov 26 05:57 data
drwxrwx---. 2 named named 58 Nov 26 06:59 dynamic
-rw-r-----. 1 root named 2253 Apr 5 2018 named.ca
-rw-r-----. 1 root named 152 Dec 15 2009 named.empty
-rw-r-----. 1 root named 152 Jun 21 2007 named.localhost
-rw-r-----. 1 root named 168 Dec 15 2009 named.loopback
drwxrwx---. 2 named named 6 Dec 16 2020 slaves
[root@dns named]# cp -rf named.localhost testmail.com.zone
(2) Edit testmail.com.zone
[root@dns named]# vi testmail.com.zone
$TTL 1D
@ IN SOA dns.testmail.com. admin.testmail.com. ( ; mname = primary NS, rname = admin mailbox (admin@testmail.com)
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
 IN NS dns.testmail.com. ; leading blank: same owner as the previous record, i.e. @
 IN MX 10 mail
dns IN A 192.168.200.70 ; host records start in column 1; change this to your own DNS server address
mail IN A 192.168.200.70
www IN A 192.168.200.70
smtp IN A 192.168.200.70
(3) Set the ownership and permissions of testmail.com.zone
named only needs to read a master zone file, so match the distro templates (root:named, mode 640) rather than chmod 777, which would let any local user rewrite your DNS answers:
[root@dns named]# chown root:named testmail.com.zone
[root@dns named]# chmod 640 testmail.com.zone
(4) Edit the zone configuration file /etc/named.rfc1912.zones
Add:
zone "testmail.com" IN {
type master;
file "testmail.com.zone";
};
(allow-update { none; }; as in the stock stanzas is already the default for a master zone; add it for clarity or leave it out.)
[root@dns named]# vi /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
zone "testmail.com" IN {
type master;
file "testmail.com.zone";
};
(5) Check the configuration
[root@dns named]# named-checkzone testmail.com testmail.com.zone
testmail.com.zone:10: unknown RR type 'dns'
testmail.com.zone:11: unknown RR type 'mail'
testmail.com.zone:12: unknown RR type 'www'
testmail.com.zone:13: unknown RR type 'smtp'
zone testmail.com/IN: loading from master file testmail.com.zone failed: unknown class/type
zone testmail.com/IN: not loaded due to errors.
[root@dns named]# named-checkzone /etc/named.conf
usage: named-checkzone [-djqvD] [-c class] [-f inputformat] [-F outputformat] [-J filename] [-t directory] [-w directory] [-k (ignore|warn|fail)] [-n (ignore|warn|fail)] [-m (ignore|warn|fail)] [-r (ignore|warn|fail)] [-i (full|full-sibling|local|local-sibling|none)] [-M (ignore|warn|fail)] [-S (ignore|warn|fail)] [-W (ignore|warn)] [-o filename] zonename filename
The errors threw me at first; reading them carefully, there were two problems:
a. In testmail.com.zone, lines 10 to 13 (the dns, mail, www and smtp records) started with spaces. In the master file format a line that begins with whitespace has no owner field and inherits the owner of the previous record, so named reads the first token, "dns", as the RR type, hence "unknown RR type 'dns'". Deleting the leading whitespace fixes it.
b. The second command was wrong: named-checkzone takes a zone name and a zone file; the tool for named.conf is named-checkconf, and it prints nothing when the file is valid.
After that:
[root@dns named]# named-checkzone testmail.com testmail.com.zone
zone testmail.com/IN: loaded serial 0
OK
[root@dns named]# named-checkconf /etc/named.conf
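Why did indentation break the zone? The master file format (RFC 1035 section 5.1) treats a line that begins with whitespace as having no owner name: the previous record's owner is reused and the first token is parsed as TTL, class or type. The Python script below is an added example, not code from this post or from ISC BIND. It implements that rule for a small subset of record types, reproduces the exact "unknown RR type 'dns'" message on line 10 of the indented file and accepts the corrected one. The zone text in it is constructed from the post's testmail.com zone; the record-type set and the checks are a toy subset of what named-checkzone does.

```python
"""Minimal master-file (zone file) checker reproducing the post's error.
Added example: not from the post and not ISC code.  It models just enough
of the RFC 1035 master file format to show why an indented host record is
reported as an unknown RR type.  Zone text constructed from the post.
"""
import re

KNOWN_TYPES = {"SOA", "NS", "A", "AAAA", "MX", "CNAME", "PTR", "TXT", "SRV"}
CLASSES = {"IN", "CH", "HS"}
NAME_RDATA = {"NS", "CNAME", "PTR", "MX"}  # rdata ends in a domain name
TTL_RE = re.compile(r"^\d+[smhdwSMHDW]?$")


def fqdn(name, origin):
    """Expand a relative name against the zone origin; '@' is the origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def _logical_lines(text):
    """Yield (lineno, indented, tokens): ';' comments stripped and a
    parenthesised multi-line RDATA block (the SOA) joined into one record."""
    buf, depth, start, indented = [], 0, 0, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0]
        if depth == 0:
            if not line.strip():
                continue
            start, buf, indented = lineno, [], raw[:1] in (" ", "\t")
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            yield start, indented, " ".join(buf).split()


def parse_zone(text, origin):
    """Return [(owner, type, rdata), ...] or raise ValueError with a
    named-checkzone style message."""
    origin = origin if origin.endswith(".") else origin + "."
    records, owner = [], None
    for lineno, indented, tokens in _logical_lines(text):
        if tokens[0].startswith("$"):  # $TTL / $ORIGIN directives
            if tokens[0].upper() == "$ORIGIN":
                origin = fqdn(tokens[1], origin)
            continue
        # RFC 1035 5.1: a line starting with a blank has no owner field and
        # takes the previous RR's owner.  This is the trap: an indented
        # "dns IN A ..." makes "dns" the first non-owner token.
        if not indented:
            owner = fqdn(tokens.pop(0), origin)
        elif owner is None:
            raise ValueError(f"line {lineno}: no owner name for first record")
        # optional TTL and class, in either order, precede the type
        while tokens and (TTL_RE.match(tokens[0]) or tokens[0] in CLASSES):
            tokens.pop(0)
        rtype = tokens.pop(0) if tokens else ""
        if rtype not in KNOWN_TYPES:
            raise ValueError(f"line {lineno}: unknown RR type '{rtype}'")
        if rtype in NAME_RDATA:
            tokens[-1] = fqdn(tokens[-1], origin)  # expand relative target
        records.append((owner, rtype, " ".join(tokens)))
    return records


def check_zone(text, origin):
    """named-checkzone-like summary: (ok, message)."""
    try:
        records = parse_zone(text, origin)
    except ValueError as err:
        return False, str(err)
    if not records or records[0][1] != "SOA":
        return False, "first record must be the SOA"
    if not any(rtype == "NS" for _, rtype, _ in records):
        return False, "zone has no NS records"
    serial = records[0][2].split()[2]  # SOA rdata: mname rname serial ...
    return True, f"loaded {len(records)} records, serial {serial}"


# Constructed from the post: the version that failed (host records indented)
BROKEN_ZONE = """\
$TTL 1D
@ IN SOA dns.testmail.com. admin.testmail.com. (
 0 ; serial
 1D ; refresh
 1H ; retry
 1W ; expire
 3H ) ; minimum
 IN NS dns.testmail.com.
 IN MX 10 mail
 dns IN A 192.168.200.70
 mail IN A 192.168.200.70
 www IN A 192.168.200.70
 smtp IN A 192.168.200.70
"""
# ... and the fix: host records start in column 1
FIXED_ZONE = BROKEN_ZONE
for host in ("dns", "mail", "www", "smtp"):
    FIXED_ZONE = FIXED_ZONE.replace(f"\n {host} IN A", f"\n{host} IN A")

if __name__ == "__main__":
    print(check_zone(BROKEN_ZONE, "testmail.com"))
    print(check_zone(FIXED_ZONE, "testmail.com"))
```

Run it against any zone file you are about to hand to named: a failure on the same line number named-checkzone reports, with the first token of that line named as the "type", is the indentation mistake; a file that starts its host records in column 1 parses cleanly.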
Now the service can be restarted on the dns node. After restarting, edit /etc/resolv.conf on the client (here the main node) and list the nameserver that hosts your zone first: the resolver only moves on to the next nameserver when the first one fails to answer, so a public resolver listed first would answer for testmail.com instead of your zone. The file carries the "Generated by NetworkManager" header, so NetworkManager may overwrite it; to make the setting persistent, put DNS1=192.168.200.70 in the interface's ifcfg file (or set it with nmcli) instead of editing resolv.conf by hand.
[root@mail slaves]# vi /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.200.70
nameserver 192.168.200.80
nameserver 114.114.114.114
Then try pinging a name from the zone.
If the name resolves and the host answers, forward resolution works. ping only shows that the A lookup succeeded; dig dns.testmail.com @192.168.200.70 (from bind-utils, installed above) shows which server answered and the record it returned.
[root@dns named]# ping dns.testmail.com
PING dns.testmail.com (192.168.200.70) 56(84) bytes of data.
64 bytes from 192.168.200.70: icmp_seq=1 ttl=64 time=0.672 ms
64 bytes from 192.168.200.70: icmp_seq=2 ttl=64 time=1.11 ms
64 bytes from 192.168.200.70: icmp_seq=3 ttl=64 time=3.74 ms
64 bytes from 192.168.200.70: icmp_seq=4 ttl=64 time=3.00 ms
64 bytes from 192.168.200.70: icmp_seq=5 ttl=64 time=2.18 ms
64 bytes from 192.168.200.70: icmp_seq=6 ttl=64 time=0.506 ms
^C
--- dns.testmail.com ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5012ms
rtt min/avg/max/mdev = 0.506/1.871/3.744/1.209 ms
2. Reverse zone
(1) Edit the zone configuration file
Add:
zone "200.168.192.in-addr.arpa" IN {
type master;
file "70.200.168.192.in-addr.arpa.local";
};
[root@dns named]# vi /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
zone "testmail.com" IN {
type master;
file "testmail.com.zone";
};
zone "200.168.192.in-addr.arpa" IN {
type master;
file "70.200.168.192.in-addr.arpa.local";
};
(2) Create 70.200.168.192.in-addr.arpa.local (the name must match the file name given in the zone statement exactly)
[root@dns named]# cp -p testmail.com.zone 70.200.168.192.in-addr.arpa.local
[root@dns named]# vi 70.200.168.192.in-addr.arpa.local
$TTL 1D
@ IN SOA dns.testmail.com. admin.testmail.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
 IN NS dns.testmail.com.
70 IN PTR mail.testmail.com. ; 70 = last octet of 192.168.200.70, relative to 200.168.192.in-addr.arpa
70 IN PTR www.testmail.com. ; a second PTR for the same address is legal, but mail servers expect one canonical name
(3) Test
[root@dns named]# named-checkconf /etc/named.conf
The first argument must be the zone name from the zone statement (the reverse zone, not a hostname); otherwise @ and the relative label 70 are expanded against the wrong origin and the check does not exercise what named will actually load.
[root@dns named]# named-checkzone 200.168.192.in-addr.arpa 70.200.168.192.in-addr.arpa.local
zone 200.168.192.in-addr.arpa/IN: loaded serial 0
OK
[root@dns named]# systemctl restart named
The ping below resolves www.testmail.com to an address, so it exercises the forward zone, not the reverse one. To test reverse resolution, ask for the PTR of the address: dig -x 192.168.200.70 @192.168.200.70 (or nslookup 192.168.200.70), both from bind-utils; the answer should be one of the names in the reverse zone file.
[root@dns named]# ping www.testmail.com
PING www.testmail.com (192.168.200.70) 56(84) bytes of data.
64 bytes from 192.168.200.70: icmp_seq=1 ttl=64 time=0.354 ms
64 bytes from 192.168.200.70: icmp_seq=2 ttl=64 time=0.605 ms
64 bytes from 192.168.200.70: icmp_seq=3 ttl=64 time=0.596 ms
^C
--- www.testmail.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 0.354/0.518/0.605/0.117 ms
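To make the reverse zone derived and checkable rather than hand-written, the Python script below, an added example that is not part of this post or of BIND, computes the in-addr.arpa apex and PTR records from the forward A records and then runs the forward-confirmed reverse DNS check that mail servers apply: every PTR target must have an A record pointing back at the same address. FORWARD_A is constructed from the post's forward zone; choosing mail.testmail.com. as the canonical name for 192.168.200.70 is an assumption (the post lists two PTRs for that address). It also handles /8 and /16 reverse zones, which the post does not cover.

```python
"""Build the in-addr.arpa zone from forward A records and run the
forward-confirmed reverse DNS (FCrDNS) check that ping does not do.
Added example: not code from the post, not from ISC BIND.  FORWARD_A is
constructed from the post's zone; the canonical-name choice is an assumption.
"""
import ipaddress

# constructed from the post's forward zone: (owner FQDN, IPv4 address)
FORWARD_A = [
    ("dns.testmail.com.", "192.168.200.70"),
    ("mail.testmail.com.", "192.168.200.70"),
    ("www.testmail.com.", "192.168.200.70"),
    ("smtp.testmail.com.", "192.168.200.70"),
]


def reverse_zone_name(network):
    """Apex of the reverse zone for an octet-aligned IPv4 prefix:
    192.168.200.0/24 -> 200.168.192.in-addr.arpa."""
    net = ipaddress.ip_network(network)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only /8, /16 and /24 prefixes map to one in-addr.arpa zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def ptr_records(forward, network, canonical=None):
    """Return (zone_apex, {label: name}) with exactly one PTR per address.
    Several names share 192.168.200.70 in the post; `canonical` maps an
    address to the name its PTR should carry (default: first name seen).
    Multiple PTRs per address are legal, but mail servers and log tooling
    expect a single answer and FCrDNS checks use whatever comes back."""
    canonical = canonical or {}
    net = ipaddress.ip_network(network)
    zone = reverse_zone_name(network)
    fixed = net.prefixlen // 8  # octets already encoded in the zone apex
    ptrs = {}
    for name, ip in forward:
        if ipaddress.ip_address(ip) not in net:
            continue  # belongs in a different reverse zone
        label = ".".join(reversed(ip.split(".")[fixed:]))
        if label not in ptrs or canonical.get(ip) == name:
            ptrs[label] = name
    return zone, ptrs


def render_zone(zone, ptrs, primary_ns="dns.testmail.com.",
                contact="admin.testmail.com.", serial=1):
    """Emit the zone file text named will load for `zone`."""
    lines = [
        "$TTL 1D",
        f"@ IN SOA {primary_ns} {contact} ( {serial} 1D 1H 1W 3H )",
        f"  IN NS {primary_ns}",
    ]
    ordered = sorted(ptrs.items(),
                     key=lambda kv: tuple(int(o) for o in kv[0].split(".")))
    lines += [f"{label} IN PTR {name}" for label, name in ordered]
    return "\n".join(lines) + "\n"


def fcrdns_mismatches(forward, zone, ptrs):
    """Forward-confirmed reverse DNS: every PTR target must own an A record
    with the same address.  Returns the [(ip, name)] pairs that fail."""
    a_by_name = {}
    for name, ip in forward:
        a_by_name.setdefault(name, set()).add(ip)
    prefix = zone[: -len(".in-addr.arpa.")].split(".")[::-1]
    bad = []
    for label, name in ptrs.items():
        ip = ".".join(prefix + label.split(".")[::-1])
        if ip not in a_by_name.get(name, set()):
            bad.append((ip, name))
    return bad


if __name__ == "__main__":
    apex, ptrs = ptr_records(FORWARD_A, "192.168.200.0/24",
                             canonical={"192.168.200.70": "mail.testmail.com."})
    print(render_zone(apex, ptrs))
    print("FCrDNS mismatches:", fcrdns_mismatches(FORWARD_A, apex, ptrs))
```

Feed it your own record list: any PTR that points at a name without a matching A record shows up in fcrdns_mismatches, which is exactly the condition that makes mail from that host look forged to a receiving MTA. Note that the main node, 192.168.200.80, has no A record in the post's zone, so a PTR for it would fail this check until one is added.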