DNS 主从搭建

环境:

操作系统: CentOS release 6.5 (Final)

master:10.59.77.27

slave: 10.59.77.29

需求: 在 master 上建立 test.com.cn 域, 其中子域 dev.test.com.cn 委派给 master 本机解析 (同理也可委派给其他机器); slave 作为从服务器, 从 master 同步区域数据.

域内:划分出小子域
授权:委派

test.com.cn
dev.test.com.cn
  dev.test.com.cn. IN NS ns.dev.test.com.cn.
  ns.dev.test.com.cn. IN A 10.59.77.27


master 配置:

1.  安装bind9

[root@test-zabbix-agent ~]# yum install bind.x86_64 bind-chroot.x86_64  bind-libs.x86_64  bind-utils.x86_64
[root@test-zabbix-agent ~]# rpm -qc bind
/etc/logrotate.d/named
/etc/named.conf         #主配文件
/etc/named.iscdlv.key
/etc/named.rfc1912.zones  #区域配置文件
/etc/named.root.key     
/etc/rndc.conf          #接管bind工具
/etc/rndc.key           #区域传送的key
/etc/sysconfig/named    
/var/named/named.ca
/var/named/named.empty
/var/named/named.localhost
/var/named/named.loopback


2 修改主配文件:

[root@test-zabbix-agent ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
// Both listen-on lines are commented out, so the localhost-only binding that
// the stock "caching only" config describes does not apply; named falls back
// to its default listening behaviour (presumably all IPv4 interfaces; confirm
// with `netstat -lnp` on the host).
#	listen-on port 53 { 127.0.0.1; };
#	listen-on-v6 port 53 { ::1; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
	 allow-query     { any; };                 # which clients may query this DNS server
// NOTE(review): zone transfers are authorised by source address only; no TSIG
// key is configured anywhere in this file. Consider defining a key and using
// allow-transfer { key <KEY_NAME>; }; so a spoofed or reassigned address
// cannot pull the zones.
        allow-transfer  { 10.59.77.29; };        # secondary server allowed to transfer (sync) the zone files
// also-notify lists extra servers that receive DNS NOTIFY when a zone changes,
// in addition to the servers named in the zone's NS records (the primary
// named in SOA MNAME is excluded). NOTIFY is sent when "notify" is yes, which
// is the default.
        also-notify     { 10.59.77.29; };        # send NOTIFY to the slave
// NOTE(review): recursion is on, allow-query is { any; } and neither
// allow-recursion nor allow-query-cache is set. In BIND 9 the recursion ACL
// then falls back to allow-query, so every client that can reach this host
// gets recursive service. If the host is reachable from untrusted networks
// that is an open resolver (cache poisoning exposure, DNS amplification).
// Consider allow-recursion { localnets; localhost; }; or an ACL listing the
// client networks that actually need recursion.
	recursion yes;

// NOTE(review): dnssec-lookaside relies on ISC's DLV registry, which has since
// been retired; keep it only on the BIND 9.8 generation shown on this page.
	dnssec-enable yes;
	dnssec-validation yes;
	dnssec-lookaside auto;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.iscdlv.key";

	managed-keys-directory "/var/named/dynamic";
};

// Logging: the stock debug channel plus a dedicated query log.
// File paths are relative to the "directory" option (/var/named).
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
        // Query log channel: at most 3 rotated versions, 50m each, with a
        // timestamp and the category printed on every line.
        // "severity dynamic" follows the server's current debug level.
        channel query_log {
                      file "data/query.log"    versions 3 size 50m;
                      severity    dynamic;
                      print-time    yes;
                      print-category  yes;
              };
              // Route the "queries" category to query_log. The log records
              // which client asked for which name, so treat it as sensitive
              // and keep it readable by named/root only; it is also the main
              // data source for spotting abuse of the open recursion above.
              category queries {
                      query_log;
              };
};

// Root hints zone; "named.ca" is resolved relative to the "directory" option.
zone "." IN {
	type hint;
	file "named.ca";
};

// test.com.cn: parent zone, mastered on this host.
zone "test.com.cn" IN {
        type master;
        file "test.com.cn.zone";      # forward zone file for this zone
        notify yes;
        allow-query { any; };
        allow-update { none; };       # hosts allowed to submit dynamic DNS updates to the master; refusing all hosts is also the default
};

// dev.test.com.cn: the delegated child zone, also mastered on this host.
// No allow-transfer or allow-update is set here, so the options-level
// allow-transfer { 10.59.77.29; } and the default for dynamic updates apply.
zone "dev.test.com.cn" IN {
        type master;
        file "dev/dev.test.com.cn.zone";
        notify yes;
};


include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";


3 修改区域配置文件
[root@test-zabbix-agent ~]# cat /var/named/test.com.cn.zone 
; Zone data for test.com.cn (loaded by the master zone "test.com.cn").
; Default TTL for records without an explicit TTL: 300 seconds.
$ttl    300
; SOA: primary name test.com.cn., contact root.test.com.cn.
; Bump the serial on every edit, otherwise the slave will not pick up changes.
@               IN SOA  test.com.cn.  root.test.com.cn. (
                                      	2015062802 ; serial
                                        3H ; refresh
                                        15M ; retry
                                        1W ; expire
                                        1D ) ; minimum
; Apex records: name server, mail exchanger and address of the zone itself.
; NOTE(review): only ns.test.com.cn. is published as NS; the slave
; (10.59.77.29) has no NS record here. It is still notified through
; also-notify in named.conf, but resolvers following NS records will never
; be referred to it. Confirm this is intended.
                   	IN NS         ns.test.com.cn.
                   	IN MX    5    test.com.cn.
@		   	IN A		 10.59.77.27
ns		   	IN A		 10.59.77.27

; Delegations: NS records that hand a child zone to another name server.
dev		   	IN NS	ns.dev.test.com.cn.
;qa		   	IN NS	ns.qa.test.com.cn.

;dev1.test.com.cn. 	NS	ns.dev1.test.com.cn.
;dev2.test.com.cn. 	NS	ns.dev2.test.com.cn.
;dev3.test.com.cn. 	NS	ns.dev3.test.com.cn.

; Glue: address records for the name servers of the delegated child zones.
ns.dev		  	IN  A	10.59.77.27 
;ns.qa		  	IN  A	10.59.77.27 

;ns.dev1			IN  A	10.59.78.21
;ns.dev2			IN  A	10.59.78.135
;ns.dev3			IN  A	10.59.79.24

; Ordinary host records.
master			IN  A	192.168.10.6
daily			IN  A	10.59.72.21

; qa1 and every name below it.
qa1			IN  A	10.59.80.148
*.qa1			IN  A	10.59.80.148

; qa2 and every name below it.
qa2			IN  A	10.59.81.4
*.qa2			IN  A	10.59.81.4

; qa3 and every name below it.
; NOTE(review): qa3 points at .130 but *.qa3 points at .129, unlike the
; qa1/qa2 pairs above; confirm the difference is intentional.
qa3			IN  A	10.59.81.130
*.qa3			IN  A	10.59.81.129


上面的配置在 test.com.cn 区域中为 dev.test.com.cn 添加了 NS 记录, 将该子域委派给本机解析; 还需要在本机配置以下区域文件, 子域才能正常解析.

[root@test-zabbix-agent ~]# cat /var/named/dev/dev.test.com.cn.zone 
; Zone data for the delegated child zone dev.test.com.cn.
$TTL 600        ; 10 minutes
; Alternative SOA line with the owner spelled out as a fully qualified name.
;dev.test.com.cn.          IN SOA  ns.dev.test.com.cn. admin.dev.test.com.cn. (
; NOTE(review): the trailing "#..." text on the SOA line below is a blog
; annotation (it reminds the reader that the names end with a dot). "#" does
; not start a comment in a zone file; remove it or change "#" to ";" before
; loading this file, and re-run named-checkzone on this zone as well.
@          IN SOA  ns.dev.test.com.cn. admin.dev.test.com.cn. (                  #注意.结尾
                                2015052703 ; serial
                                10800      ; refresh (3 hours)
                                900        ; retry (15 minutes)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )

; Name server of the child zone; it must match the NS and glue records in the
; parent zone test.com.cn.
                        NS      ns.dev.test.com.cn.


; Address records; names are relative to dev.test.com.cn.
@               	IN A    10.59.77.27
ns              	IN A    10.59.77.27
; Wildcard: every name under release.dev.test.com.cn resolves to this host.
*.release             IN A    10.59.77.27
xd.bis  		IN A    10.59.77.27
service-xd.bis  	IN A    10.59.77.27


To disable IPv6 lookups, edit /etc/sysconfig/named and set:

[root@test-zabbix-agent named]# vim /etc/sysconfig/named 
...
OPTIONS="-4"

注意: 区域文件的属组应为 named:

[root@test-zabbix-agent ~]# ls -l /var/named/test.com.cn.zone /var/named/dev/dev.test.com.cn.zone 
-rw-r--r-- 1 named named  748 Jul 14 18:50 /var/named/dev/dev.test.com.cn.zone
-rw-r--r-- 1 named named 1066 Jul 14 18:37 /var/named/test.com.cn.zone
检查区域配置文件语法:
[root@test-zabbix-agent ~]# named-checkzone test.com.cn /var/named/test.com.cn.zone 
zone test.com.cn/IN: loaded serial 2015062802
OK
[root@test-zabbix-agent ~]# named-checkconf 

重启服务:

[root@test-zabbix-agent named]# /etc/init.d/named restart


4 测试:
[root@test-zabbix-agent named]# dig test.com.cn @10.59.77.27

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> test.com.cn @10.59.77.27
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25595
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;test.com.cn.			IN	A

;; ANSWER SECTION:
test.com.cn.		300	IN	A	10.59.77.27

;; AUTHORITY SECTION:
test.com.cn.		300	IN	NS	ns.test.com.cn.

;; ADDITIONAL SECTION:
ns.test.com.cn.		300	IN	A	10.59.77.27



[root@test-zabbix-agent named]# dig dev.test.com.cn @10.59.77.27

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> dev.test.com.cn @10.59.77.27
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37923
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;dev.test.com.cn.		IN	A

;; ANSWER SECTION:
dev.test.com.cn.	600	IN	A	10.59.77.27

;; AUTHORITY SECTION:
dev.test.com.cn.	600	IN	NS	ns.dev.test.com.cn.

;; ADDITIONAL SECTION:
ns.dev.test.com.cn.	600	IN	A	10.59.77.27


[root@test-zabbix-agent named]# dig master.test.com.cn @10.59.77.27

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> master.test.com.cn @10.59.77.27
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62841
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;master.test.com.cn.		IN	A

;; ANSWER SECTION:
master.test.com.cn.	300	IN	A	192.168.10.6

;; AUTHORITY SECTION:
test.com.cn.		300	IN	NS	ns.test.com.cn.

;; ADDITIONAL SECTION:
ns.test.com.cn.		300	IN	A	10.59.77.27



[root@test-zabbix-agent named]# dig xd.bis.dev.test.com.cn @10.59.77.27

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> xd.bis.dev.test.com.cn @10.59.77.27
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50019
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;xd.bis.dev.test.com.cn.		IN	A

;; ANSWER SECTION:
xd.bis.dev.test.com.cn.	600	IN	A	10.59.77.27

;; AUTHORITY SECTION:
dev.test.com.cn.	600	IN	NS	ns.dev.test.com.cn.

;; ADDITIONAL SECTION:
ns.dev.test.com.cn.	600	IN	A	10.59.77.27



slave 配置:

1 安装

[root@test-zabbix-proxy-agent slaves]# yum install bind bind-utils -y
2 修改主配文件
[root@test-zabbix-proxy-agent slaves]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
// Both listen-on lines are commented out, so the localhost-only binding that
// the stock "caching only" config describes does not apply; named falls back
// to its default listening behaviour (presumably all IPv4 interfaces; confirm
// on the host).
//	listen-on port 53 { 127.0.0.1; };
//	listen-on-v6 port 53 { ::1; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
// NOTE(review): no allow-transfer is set on the slave. On this BIND 9
// generation the default permits transfers to any host, so the slave would
// hand out a full copy of both zones to whoever asks. Add
// allow-transfer { none; }; unless another server must transfer from it.
	allow-query     { any; };
// NOTE(review): recursion is on, allow-query is { any; } and neither
// allow-recursion nor allow-query-cache is set, so recursion is offered to
// every client that can reach this host. Consider
// allow-recursion { localnets; localhost; }; or an ACL listing the client
// networks that need it.
	recursion yes;

// NOTE(review): dnssec-lookaside relies on ISC's DLV registry, which has since
// been retired; keep it only on the BIND 9.8 generation shown on this page.
	dnssec-enable yes;
	dnssec-validation yes;
	dnssec-lookaside auto;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.iscdlv.key";

	managed-keys-directory "/var/named/dynamic";
};

// Logging: only the stock debug channel. Unlike the master, the slave defines
// no query log channel, so queries answered here are not recorded.
logging {
        channel default_debug {
                file "data/named.run";    // relative to "directory" (/var/named)
                severity dynamic;
        };
};

// NOTE(review): both slave zones trust the master by IP address only; no TSIG
// key is configured. Consider masters { 10.59.77.27 key <KEY_NAME>; }; with a
// matching key on the master so transferred zone data is authenticated.
zone "test.com.cn" IN {                    # slave zone added for this setup
        type slave;                        # this server is a slave for the zone
        file "slaves/test.com.cn.zone";
        masters { 10.59.77.27; };          # IP address of the master
};

// Child zone, transferred from the same master.
zone "dev.test.com.cn" IN {
        type slave;
        file "slaves/dev.test.com.cn.zone";
        masters { 10.59.77.27; };
};

// Root hints zone; "named.ca" is resolved relative to the "directory" option.
zone "." IN {
	type hint;
	file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";


3 启动服务:
[root@test-zabbix-proxy-agent slaves]# /etc/init.d/named start


4 测试:

查看区域文件是否同步过来:

[root@test-zabbix-proxy-agent named]# ls -l /var/named/slaves/
total 8
-rw-r--r-- 1 named named  480 Jul 15 14:47 dev.test.com.cn.zone
-rw-r--r-- 1 named named 1042 Jul 15 14:45 test.com.cn.zone

解析测试

[root@test-zabbix-proxy-agent named]# dig test.com.cn @10.59.77.29

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> test.com.cn @10.59.77.29
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34046
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;test.com.cn.			IN	A

;; ANSWER SECTION:
test.com.cn.		300	IN	A	10.59.77.27

;; AUTHORITY SECTION:
test.com.cn.		300	IN	NS	ns.test.com.cn.

;; ADDITIONAL SECTION:
ns.test.com.cn.		300	IN	A	10.59.77.27


[root@test-zabbix-proxy-agent named]# dig dev.test.com.cn @10.59.77.29

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> dev.test.com.cn @10.59.77.29
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15864
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;dev.test.com.cn.		IN	A

;; ANSWER SECTION:
dev.test.com.cn.	600	IN	A	10.59.77.27

;; AUTHORITY SECTION:
dev.test.com.cn.	600	IN	NS	ns.dev.test.com.cn.

;; ADDITIONAL SECTION:
ns.dev.test.com.cn.	600	IN	A	10.59.77.27


[root@test-zabbix-proxy-agent named]# dig master.test.com.cn @10.59.77.29

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> master.test.com.cn @10.59.77.29
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30724
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;master.test.com.cn.		IN	A

;; ANSWER SECTION:
master.test.com.cn.	300	IN	A	192.168.10.6

;; AUTHORITY SECTION:
test.com.cn.		300	IN	NS	ns.test.com.cn.

;; ADDITIONAL SECTION:
ns.test.com.cn.		300	IN	A	10.59.77.27


[root@test-zabbix-proxy-agent named]# dig xd.bis.dev.test.com.cn @10.59.77.29

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> xd.bis.dev.test.com.cn @10.59.77.29
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22126
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;xd.bis.dev.test.com.cn.		IN	A

;; ANSWER SECTION:
xd.bis.dev.test.com.cn.	600	IN	A	10.59.77.27

;; AUTHORITY SECTION:
dev.test.com.cn.	600	IN	NS	ns.dev.test.com.cn.

;; ADDITIONAL SECTION:
ns.dev.test.com.cn.	600	IN	A	10.59.77.27














转载于:https://my.oschina.net/davehe/blog/478802
