Describe in detail how Ansible works
Ansible architecture:
- Host Inventory: the inventory of managed hosts, /etc/ansible/hosts
- Playbooks: task playbooks (task sets); configuration files that orchestrate and define a set of Ansible tasks, which Ansible executes in order; normally written as YAML files (YAML is a superset of JSON)
- Modules: the functional modules Ansible uses to execute commands; most are built-in core modules, and custom modules can also be written
- Connection Plugins: responsible for communicating with each managed host
- API: the application programming interface offered to third-party programs
- Ansible: the combination of Inventory, API, Modules and Plugins; can be thought of as the ansible command-line tool, the core component
How Ansible works:
- On the control node, load its own configuration file, by default /etc/ansible/ansible.cfg;
- Load the module files that are needed, such as ping or command;
- ansible turns the module or command into a temporary .py file and transfers it to the remote server, into the executing user's $HOME/.ansible/tmp/ansible-tmp-[:digit:].PY;
- Give the file execute permission;
- Execute it and return the result;
- Delete the temporary .py file, then exit (sleep 0).
Ansible features:
- Modular: specific modules are called to complete specific tasks;
- Three key dependencies: Paramiko, PyYAML and Jinja2 (template language);
- Supports custom modules;
- Implemented in Python;
- Simple to deploy: based on Python and SSH, agentless;
- Secure: based on OpenSSH;
- Supports orchestrating tasks with playbooks;
- Idempotent: running a task once or N times has the same effect, so repeated runs cause no surprises;
- No agent and no dependence on a PKI (no SSL needed);
- Modules can be written in any programming language;
- YAML format for orchestrating tasks, with rich data structures;
- A fairly powerful multi-tier solution;
Adding a user on multiple machines with Ansible
[root@centos7 ~]# vim /etc/ansible/hosts
[webservers]
192.168.79.17
192.168.79.27
[appservers]
192.168.79.27
192.168.79.37
[root@centos7 ~]# ansible all -m user -a 'name=test comment="test user" uid=1005 home=/data/test'
192.168.79.27 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"comment": "test user",
"create_home": true,
"group": 1005,
"home": "/data/test",
"name": "test",
"shell": "/bin/bash",
"state": "present",
"system": false,
"uid": 1005
}
192.168.79.37 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"comment": "test user",
"create_home": true,
"group": 1005,
"home": "/data/test",
"name": "test",
"shell": "/bin/bash",
"state": "present",
"system": false,
"uid": 1005
}
192.168.79.17 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"comment": "test user",
"create_home": true,
"group": 1005,
"home": "/data/test",
"name": "test",
"shell": "/bin/bash",
"state": "present",
"system": false,
"uid": 1005
}
[root@centos7 ~]# ansible all -m shell -a 'getent passwd test'
192.168.79.27 | CHANGED | rc=0 >>
test:x:1005:1005:test user:/data/test:/bin/bash
192.168.79.17 | CHANGED | rc=0 >>
test:x:1005:1005:test user:/data/test:/bin/bash
192.168.79.37 | CHANGED | rc=0 >>
test:x:1005:1005:test user:/data/test:/bin/bash
Compiling and installing the nginx service with ansible-playbook
Implemented as a playbook
Write the following playbook
[root@centos7 ansible-playbook]# vim nginx.yaml
- hosts: all
  remote_user: root
  tasks:
    - name: "get nginx"
      get_url:
        url: http://192.168.79.7/nginx/nginx-1.10.3.tar.gz
        dest: /root/nginx.tar.gz
    - name: "get repo"
      get_url:
        url: http://192.168.79.7/nginx.repo
        dest: /etc/yum.repos.d/nginx.repo
    - name: "repo cache"
      shell: rm -rf /etc/yum.repos.d/C* && yum clean all && yum makecache
    - name: "install dependency"
      yum:
        name: "{{ packages }}"
        state: present
      vars:
        packages:
          - '@development tools'
          - pcre-devel
          - zlib-devel
    - name: "unarchive nginx.tar.gz"
      unarchive:
        remote_src: yes
        src: /root/nginx.tar.gz
        dest: /root/
    - name: "add group"
      group:                     # the group module creates the group; user creates the account
        name: nginx
        state: present
    - name: "add user"
      user:
        name: nginx
        state: present
    - name: "configure && make && make install"
      shell: cd /root/nginx-1.10.3/ && ./configure --prefix=/usr/local/nginx && make && make install
      notify: start nginx
  handlers:                      # the keyword is handlers, not handles
    - name: start nginx
      command: /usr/local/nginx/sbin/nginx
Run the playbook
[root@centos7 ansible-playbook]# ansible-playbook nginx.yaml
In this way nginx is installed on the remote hosts by compiling it from source.
Implemented as a role:
Roles are a way to organize playbooks hierarchically and in a structured manner. A role automatically loads its variable files, tasks, handlers and so on according to that hierarchy. Simply put, a role is a mechanism that places variables, files, tasks, templates and handlers in separate directories so that they can be invoked conveniently.
- Directory structure
- /roles/project/: the project (role) name, with the following subdirectories
- files: files used by modules such as copy or script
- templates: the directory where the template module looks for its template files
- tasks: defines the tasks, the basic element of a role; must contain at least a file named main.yml, from which the other files are called via include
- handlers: must contain at least a file named main.yml; the other files are included from it via include, or the handlers are written directly in it
- vars: defines variables
- meta: defines special settings for the current role and its dependencies
- defaults: the main.yml in this directory sets default variables
[root@centos7 ansible]# tree ./
./
├── ansible.cfg          # ansible configuration file
├── hosts                # host list
├── nginx.yaml           # main playbook
└── roles
    └── nginx            # role (project) name
        ├── default
        ├── files        # files used by the copy or script modules
        │   ├── nginx-1.10.3.tar.gz   # source tarball
        │   └── nginx.repo            # yum repo file
        ├── handlers     # handlers
        │   └── main.yml
        ├── meta
        ├── tasks        # tasks
        │   ├── dev_env.yml
        │   ├── getpackage.yml
        │   ├── groupadd.yml
        │   ├── install.yml
        │   ├── main.yml
        │   ├── repo.yml
        │   ├── unpack.yml
        │   └── useradd.yml
        ├── templates    # templates
        └── vars         # variables
9 directories, 14 files
[root@centos7 ansible]# cat nginx.yaml
- hosts: all
  remote_user: root
  roles:
    - nginx
[root@centos7 ansible]# cat hosts
[webservers]
192.168.79.17
192.168.79.27
[appservers]
192.168.79.37
[root@centos7 ansible]# cat roles/nginx/tasks/repo.yml
- name: getrepo
  get_url:
    url: http://192.168.79.7/nginx.repo
    dest: /etc/yum.repos.d/nginx.repo
- name: repocache
  shell: rm -rf /etc/yum.repos.d/C* && yum clean all && yum makecache
[root@centos7 ansible]# cat roles/nginx/tasks/unpack.yml
- name: unzip the package
  unarchive:
    remote_src: yes
    src: /root/nginx-1.10.3.tar.gz
    dest: /root/
[root@centos7 ansible]# cat roles/nginx/tasks/getpackage.yml
- name: copy nginx package to remote host
  copy:
    src: nginx-1.10.3.tar.gz
    dest: /root/nginx-1.10.3.tar.gz
- name: copy repo file to remote host
  copy:
    src: nginx.repo                 # files/ holds nginx.repo (see the tree above), not nginx.conf
    dest: /etc/yum.repos.d/nginx.repo
[root@centos7 ansible]# cat roles/nginx/tasks/groupadd.yml
- name: add group nginx
  group:
    name: nginx
    system: yes
    state: present
[root@centos7 ansible]# cat roles/nginx/tasks/useradd.yml
- name: add user nginx
  user:
    name: nginx
    system: yes
    state: present
[root@centos7 ansible]# cat roles/nginx/tasks/dev_env.yml
- name: install_dev_env
  yum:
    name: "{{ packages }}"
    state: present
  vars:
    packages:
      - '@development tools'
      - pcre-devel
      - zlib-devel
[root@centos7 ansible]# cat roles/nginx/tasks/install.yml
- name: installnginx
  shell: cd /root/nginx-1.10.3/ && ./configure --prefix=/usr/local/nginx && make && make install
  notify: start nginx
[root@centos7 ansible]# cat roles/nginx/tasks/main.yml
- include: repo.yml
- include: getpackage.yml        # the tarball must be copied before it can be unpacked
- include: unpack.yml
- include: groupadd.yml
- include: useradd.yml
- include: dev_env.yml
- include: install.yml
[root@centos7 ansible]# cat roles/nginx/handlers/main.yml
- name: start nginx
  shell: /usr/local/nginx/sbin/nginx
[root@centos7 ansible]# ansible-playbook nginx.yaml -C # check mode: report what would change without executing anything
[root@centos7 ansible]# ansible-playbook nginx.yaml # run the playbook
4. Describe how to deal with domain hijacking
Domain hijacking usually happens because the DNS setting points at the default DNS server, which restricts or modifies the lookup process and so causes the hijacking.
The usual fix is to specify a public DNS server manually, which effectively avoids DNS domain hijacking.
5. Describe DNS recursive queries
Suppose a client wants to access www.xxx.com. Access requires establishing a connection, and establishing a connection requires the peer's IP address. The job of DNS is to translate the FQDN (domain name) we type into an IP address, so that the connection can be made by IP and the page accessed.
Local DNS: the local DNS is the preferred DNS server configured in the TCP/IP settings.
DNS queries are divided into recursive and iterative queries;
- Recursive query: the queried DNS server is required to answer the client with the mapping between the requested domain name and its IP. The client sends the query to the local DNS server and waits for the result; if the local DNS server cannot resolve the name itself, it queries other DNS servers in the role of a DNS client until it finally obtains the IP address. In general, clients use recursive queries.
- Iterative query: the queried DNS server does not necessarily answer with the name-to-IP mapping; it may answer with the address of another DNS server, and the client then sends the request to that server, acting as a client toward each DNS server in turn. Generally used between DNS servers.
DNS lookup process
The client reads its local hosts file to see whether it contains a matching record; if so, it connects to that IP directly. Otherwise it sends a recursive query to the local DNS server. If the local DNS server has a matching record, the lookup ends; if not, the following steps take place
The local DNS server uses iterative queries, starting with a root DNS server
The root DNS server tells the local DNS server that its database has no such record and returns the IP address of the corresponding top-level domain DNS server
The local DNS server queries the top-level domain DNS server
The top-level domain DNS server tells the local DNS server that its database has no such record and returns the IP address of the second-level domain DNS server
The local DNS server queries the second-level domain DNS server
…
This continues until the matching record is found; the local DNS server then returns the IP address to the client and the lookup is complete. (recursive query)
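The lookup process just described, as an added simulation that is not part of the original post: a constructed hosts file, a local DNS server with a cache that answers the client's recursive query, and a constructed three-level hierarchy (root, .com TLD server, authoritative server for xxx.com) that it walks iteratively. All server names, addresses and records are made up for the example.

```python
"""Simulation of the recursive/iterative lookup described above (constructed example)."""
from typing import Dict, List, Optional, Tuple

# Constructed name servers: the A records each is authoritative for and the
# NS delegations it knows (child zone -> server to ask next).
SERVERS: Dict[str, dict] = {
    "root":        {"A": {}, "NS": {"com": "tld-com"}},
    "tld-com":     {"A": {}, "NS": {"xxx.com": "ns1.xxx.com"}},
    "ns1.xxx.com": {"A": {"www.xxx.com": "203.0.113.10"}, "NS": {}},
}
HOSTS_FILE: Dict[str, str] = {"printer.local": "192.0.2.5"}  # constructed /etc/hosts


def ask(server: str, name: str) -> Tuple[str, str]:
    """One iterative query to one server. Returns ('answer', ip),
    ('referral', next_server) or ('nxdomain', '')."""
    data = SERVERS[server]
    if name in data["A"]:
        return "answer", data["A"][name]
    labels = name.split(".")
    for i in range(1, len(labels)):          # longest suffix first
        zone = ".".join(labels[i:])
        if zone in data["NS"]:
            return "referral", data["NS"][zone]
    return "nxdomain", ""


class LocalDns:
    """The 'local DNS' (preferred resolver): serves recursive queries from
    clients by iterating root -> TLD -> second-level server, then caches."""

    def __init__(self) -> None:
        self.cache: Dict[str, str] = {}

    def recursive_query(self, name: str) -> Tuple[Optional[str], List[str]]:
        if name in self.cache:
            return self.cache[name], ["cache hit on local DNS"]
        trace: List[str] = []
        server = "root"
        while True:
            kind, value = ask(server, name)
            trace.append(f"{server}: {kind} {value}".rstrip())
            if kind == "answer":
                self.cache[name] = value
                return value, trace
            if kind == "nxdomain":
                return None, trace
            server = value                   # follow the referral


def client_lookup(name: str, local_dns: LocalDns) -> Tuple[Optional[str], List[str]]:
    """Client side: hosts file first, otherwise one recursive query to local DNS."""
    if name in HOSTS_FILE:
        return HOSTS_FILE[name], ["hosts file"]
    return local_dns.recursive_query(name)
```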
6. Differences between DNS zone forwarding and global forwarding, and how to implement them
DNS forwarding comes in two kinds, global forwarding and zone forwarding:
- Global forwarding: every request for zones this server is not responsible for is forwarded to the specified server
- Zone forwarding: only requests for a specific zone are forwarded; it has higher priority than global forwarding
Global forwarding:
- Master DNS server: 192.168.79.7 # can reach the Internet
- Secondary DNS server: 192.168.79.17 # cannot reach the Internet
- Auxiliary master DNS server: 192.168.79.37 # cannot reach the Internet
- Client address: 192.168.79.27 # cannot reach the Internet
Configure the master DNS server
[root@centos7 ~]# vim /etc/named.conf
options {
# listen-on port 53 { 127.0.0.1; }; # commented out so named listens on port 53 on all of this host's IPv4 addresses; left active it would listen only on 127.0.0.1:53
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
# allow-query { localhost; }; # commented out so that all hosts may query; required for forwarding to work, otherwise only this host could query
recursion yes; # perform recursion on behalf of requesters
dnssec-enable no; # disable DNSSEC
dnssec-validation no; # disable DNSSEC validation
};
[root@centos7 ~]# systemctl restart named
Configure the secondary DNS server
[root@centos7 ~]# vim /etc/named.conf
options {
# listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
# allow-query { localhost; };
forward only; # only mode: forward everything and never resolve locally; first mode forwards first and falls back to local resolution with lower priority
forwarders { 192.168.79.7; }; # forward to the remote DNS server
recursion yes;
dnssec-enable no;
dnssec-validation no;
};
[root@centos7 ~]# systemctl restart named
Test DNS resolution from the client
[root@localhost ~]# dig www.baidu.com @192.168.79.17
; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> www.baidu.com @192.168.79.17
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6136
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 6
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com. IN A
;; ANSWER SECTION:
www.baidu.com. 507 IN CNAME www.a.shifen.com.
www.a.shifen.com. 300 IN A 61.135.169.121
www.a.shifen.com. 300 IN A 61.135.169.125
;; AUTHORITY SECTION:
a.shifen.com. 507 IN NS ns5.a.shifen.com.
a.shifen.com. 507 IN NS ns2.a.shifen.com.
a.shifen.com. 507 IN NS ns3.a.shifen.com.
a.shifen.com. 507 IN NS ns4.a.shifen.com.
a.shifen.com. 507 IN NS ns1.a.shifen.com.
;; ADDITIONAL SECTION:
ns5.a.shifen.com. 507 IN A 180.76.76.95
ns2.a.shifen.com. 507 IN A 220.181.33.32
ns3.a.shifen.com. 507 IN A 112.80.255.253
ns4.a.shifen.com. 507 IN A 14.215.177.229
ns1.a.shifen.com. 507 IN A 61.135.165.224
;; Query time: 190 msec
;; SERVER: 192.168.79.17#53(192.168.79.17)
;; WHEN: Mon Jun 03 01:05:13 CST 2019
;; MSG SIZE rcvd: 271
Zone forwarding
Master DNS server configuration, the same as for global forwarding above
[root@centos7 ~]# vim /etc/named.conf
options {
# listen-on port 53 { 127.0.0.1; };
# listen-on port 53 { 192.168.79.7; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
# allow-query { localhost; };
dnssec-enable yes;
dnssec-validation yes;
};
Secondary server configuration
[root@centos7 ~]# vim /etc/named.conf
options {
# listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
# allow-query { localhost; };
forward only;
forwarders { 192.168.79.7; };
recursion yes;
dnssec-enable no;
dnssec-validation no;
};
[root@centos7 ~]# vim /etc/named.rfc1912.zones # add the test.com zone
zone "test.com" IN {
type forward; # forward zone
forward only; # forward only
forwarders { 192.168.79.37; }; # forward to the remote host, the auxiliary master DNS
};
[root@centos7 named]# rndc reload
Auxiliary master DNS configuration
[root@localhost named]# vim /etc/named.conf
options {
# listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
# allow-query { localhost; };
recursion yes;
dnssec-enable no;
dnssec-validation no;
};
[root@localhost named]# vim /etc/named.rfc1912.zones
zone "test.com" IN {
type master;
file "test.com.zone";
};
[root@localhost named]# vim /var/named/test.com.zone # add the test.com zone records on the auxiliary master DNS
$TTL 1D
@       IN SOA  ns1.test.com. admin.test.com. (   ; trailing dot: otherwise the mailbox becomes admin.test.com.test.com
                20190603        ; serial
                1H              ; refresh
                5M              ; retry
                7D              ; expire
                1D )            ; minimum (negative caching TTL)
        IN NS   ns1.test.com.                     ; owner inherited from @
ns1     IN A    192.168.79.37
www     IN A    192.168.79.37
@       IN A    192.168.79.37
[root@localhost named]# rndc reload # reload the configuration
Test from the client
[root@localhost ~]# dig www.test.com @192.168.79.17 # resolve www.test.com via 192.168.79.17; the answer is the record held on the auxiliary master DNS 192.168.79.37
; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> www.test.com @192.168.79.17
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26945
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.test.com. IN A
;; ANSWER SECTION:
www.test.com. 86400 IN A 192.168.79.37
;; AUTHORITY SECTION:
test.com. 86400 IN NS ns1.test.com.
;; ADDITIONAL SECTION:
ns1.test.com. 86400 IN A 192.168.79.37
;; Query time: 3 msec
;; SERVER: 192.168.79.17#53(192.168.79.17)
;; WHEN: Mon Jun 03 01:28:41 CST 2019
;; MSG SIZE rcvd: 91
[root@localhost ~]# dig www.baidu.com @192.168.79.17 # resolve www.baidu.com via 192.168.79.17; the answer comes from 192.168.79.7, i.e. the public record
; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> www.baidu.com @192.168.79.17
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17568
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 6
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com. IN A
;; ANSWER SECTION:
www.baidu.com. 611 IN CNAME www.a.shifen.com.
www.a.shifen.com. 300 IN A 61.135.169.121
www.a.shifen.com. 300 IN A 61.135.169.125
;; AUTHORITY SECTION:
a.shifen.com. 611 IN NS ns2.a.shifen.com.
a.shifen.com. 611 IN NS ns4.a.shifen.com.
a.shifen.com. 611 IN NS ns5.a.shifen.com.
a.shifen.com. 611 IN NS ns3.a.shifen.com.
a.shifen.com. 611 IN NS ns1.a.shifen.com.
;; ADDITIONAL SECTION:
ns2.a.shifen.com. 611 IN A 220.181.33.32
ns1.a.shifen.com. 611 IN A 61.135.165.224
ns3.a.shifen.com. 611 IN A 112.80.255.253
ns5.a.shifen.com. 611 IN A 180.76.76.95
ns4.a.shifen.com. 611 IN A 14.215.177.229
;; Query time: 64 msec
;; SERVER: 192.168.79.17#53(192.168.79.17)
;; WHEN: Mon Jun 03 01:36:21 CST 2019
;; MSG SIZE rcvd: 271
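How the secondary server decides where a query goes under the two configurations above, as an added simulation (not from the post and not BIND code): the zone-level forward statement for test.com takes priority over the global forwarders, and `forward only` versus `forward first` decides what happens when no forwarder is reachable. The upstream answers and the reachability list are constructed for the example.

```python
"""Simulation of BIND forwarder selection on the secondary server (constructed)."""
from typing import Dict, List, Optional

# Mirrors the secondary server's named.conf: global "forward only" to the
# master, plus a forward zone for test.com pointing at the auxiliary master.
CONFIG: dict = {
    "global": {"forward": "only", "forwarders": ["192.168.79.7"]},
    "zones": {"test.com": {"forward": "only", "forwarders": ["192.168.79.37"]}},
}
# Constructed answers each upstream would give, keyed by forwarder address.
UPSTREAM: Dict[str, Dict[str, str]] = {
    "192.168.79.7": {"www.baidu.com": "61.135.169.121"},
    "192.168.79.37": {"www.test.com": "192.168.79.37"},
}


def select_forwarding(name: str, cfg: dict = CONFIG) -> dict:
    """The most specific forward zone containing the name wins; the global
    forward statement applies only when no zone matches."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):             # longest suffix first
        zone = ".".join(labels[i:])
        if zone in cfg["zones"]:
            return cfg["zones"][zone]
    return cfg["global"]


def resolve(name: str, reachable: List[str], cfg: dict = CONFIG,
            own_recursion: Optional[Dict[str, str]] = None) -> Optional[str]:
    """Return the answer, or None for SERVFAIL.
    reachable: forwarders that currently answer. own_recursion: what this
    server could resolve by itself (empty for the secondary, which has no
    Internet access)."""
    rule = select_forwarding(name, cfg)
    for fwd in rule["forwarders"]:
        if fwd in reachable:
            # with dnssec-validation off, whatever the forwarder says is accepted
            return UPSTREAM.get(fwd, {}).get(name)
    if rule["forward"] == "first":
        return (own_recursion or {}).get(name)   # fall back to own recursion
    return None                                  # forward only: give up
```

Because the configurations above disable dnssec-validation, the forwarder list is a trust decision: the secondary accepts the forwarder's answers unverified.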
7. Implementing smart DNS
Smart DNS returns different answers depending on the region that the client's IP address belongs to
[root@localhost named]# vim /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
acl beijing {
192.168.79.0/24;
};
acl shanghai {
192.168.19.0/24;
};
acl other {
any;
};
options {
# listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
# allow-query { any;};
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable no;
dnssec-validation no;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
#zone "." IN {
# type hint;
# file "named.ca";
#};
#include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
view view_beijing {
match-clients { beijing; };
zone "." IN {
type hint;
file "named.ca";
};
zone "test.com" { # the zone name is test.com in every view; only the data file differs per view
type master;
file "test.com.zone.beijing";
};
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
};
view view_shanghai {
match-clients { shanghai; };
zone "." IN {
type hint;
file "named.ca";
};
zone "test.com" { # same zone name as in view_beijing, Shanghai-specific data file
type master;
file "test.com.zone.shanghai";
};
#include "/etc/named.rfc1912.zones.shanghai";
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
};
view view_other {
match-clients { other; };
zone "." IN {
type hint;
file "named.ca";
};
zone "test.com" {
type master;
file "test.com.zone";
};
#include "/etc/named.rfc1912.zones";
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
};
[root@localhost named]# vim /var/named/test.com.zone.beijing
$TTL 1D
@       IN SOA  ns1.test.com. admin.test.com. (   ; trailing dot on the mailbox
                20190603        ; serial
                1H              ; refresh
                5M              ; retry
                7D              ; expire
                1D )            ; minimum
        IN NS   ns1.test.com.
ns1     IN A    192.168.79.37
www     IN A    192.168.79.37
@       IN A    192.168.79.37
[root@localhost named]# vim /var/named/test.com.zone.shanghai
$TTL 1D
@       IN SOA  ns1.test.com. admin.test.com. (   ; trailing dot on the mailbox
                20190603        ; serial
                1H              ; refresh
                5M              ; retry
                7D              ; expire
                1D )            ; minimum
        IN NS   ns1.test.com.
ns1     IN A    192.168.19.128
www     IN A    192.168.19.128
@       IN A    192.168.19.128
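View selection as BIND applies it to the configuration above, as an added simulation that is not BIND code and not from the post: views are tried in file order and the first match-clients ACL containing the client's source address wins, which is why the catch-all other view must be declared last. The beijing and shanghai www addresses are taken from the zone files above; the view_other address is a constructed placeholder.

```python
"""Simulation of BIND view selection for the named.conf above (constructed)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# The acl blocks from the configuration.
ACLS: Dict[str, List[str]] = {
    "beijing": ["192.168.79.0/24"],
    "shanghai": ["192.168.19.0/24"],
    "other": ["any"],
}
# (view name, match-clients acl) in the order the views appear in the file.
VIEWS: List[Tuple[str, str]] = [
    ("view_beijing", "beijing"),
    ("view_shanghai", "shanghai"),
    ("view_other", "other"),
]
# The www A record from each view's copy of the test.com zone.
ZONE_WWW: Dict[str, str] = {
    "view_beijing": "192.168.79.37",
    "view_shanghai": "192.168.19.128",
    "view_other": "198.51.100.1",     # placeholder, not from the page
}


def acl_matches(acl: List[str], client_ip: str) -> bool:
    """True if any entry of the ACL covers the client address."""
    ip = ipaddress.ip_address(client_ip)
    for entry in acl:
        if entry == "any":
            return True
        if ip in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def select_view(client_ip: str, views: List[Tuple[str, str]] = VIEWS,
                acls: Dict[str, List[str]] = ACLS) -> Optional[str]:
    """Views are evaluated in file order; the first ACL match wins and later
    views are never considered, so a catch-all view must come last."""
    for view, acl_name in views:
        if acl_matches(acls[acl_name], client_ip):
            return view
    return None   # no view matched: named would answer REFUSED


def answer_www(client_ip: str) -> Optional[str]:
    """The www.test.com answer the client receives from its view."""
    view = select_view(client_ip)
    return ZONE_WWW.get(view) if view else None
```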