环境:
操作系统: CentOS release 6.5 (Final)
master:10.59.77.27
slave: 10.59.77.29
需求: master 建立 test.com.cn 域, 其中 dev.test.com.cn 授权给本机自己解析(同理也可授权给其他机器); slave 作为从服务器同步 master 的区域.
域内:划分出小子域
授权:委派
test.com.cn
dev.test.com.cn
dev.test.com.cn. IN NS ns.dev.test.com.cn.
ns.dev.test.com.cn. IN A 10.59.77.27
master 配置:
1. 安装bind9
[root@test-zabbix-agent ~]# yum install bind.x86_64 bind-chroot.x86_64 bind-libs.x86_64 bind-utils.x86_64
[root@test-zabbix-agent ~]# rpm -qc bind
/etc/logrotate.d/named
/etc/named.conf #主配文件
/etc/named.iscdlv.key
/etc/named.rfc1912.zones #区域配置文件
/etc/named.root.key
/etc/rndc.conf #接管bind工具
/etc/rndc.key #区域传送的key
/etc/sysconfig/named
/var/named/named.ca
/var/named/named.empty
/var/named/named.localhost
/var/named/named.loopback
2 修改主配文件:
[root@test-zabbix-agent ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Primary (master) configuration for test.com.cn and its delegated subzone
// dev.test.com.cn; the secondary at 10.59.77.29 pulls both zones from here.
options {
# listen-on port 53 { 127.0.0.1; };
# listen-on-v6 port 53 { ::1; };
// NOTE(review): with both listen-on lines commented out, named binds port 53 on
// every interface of the host; restrict it (e.g. listen-on { 127.0.0.1; 10.59.77.27; };)
// if some interfaces should not serve DNS.
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; }; # which clients may query this server: everyone
allow-transfer { 10.59.77.29; }; # only the secondary may pull the zones (AXFR/IXFR); address-based ACL only - a TSIG key would authenticate the transfer as well
also-notify { 10.59.77.29; }; # extra DNS NOTIFY targets besides the servers in the zone's NS records; the secondary has no NS record in test.com.cn.zone, so this line is what triggers its refresh
recursion yes;
// NOTE(review): recursion yes + allow-query { any; } with no allow-recursion makes
// this authoritative server an open recursive resolver for any client that can
// reach it (exposure to cache poisoning and reflection/amplification abuse).
// Either set recursion no, or add allow-recursion { localhost; localnets; };
// limited to the internal clients that are meant to use it as a resolver.
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
// NOTE(review): dnssec-lookaside (DLV) depends on ISC's lookaside registry, which
// has since been retired and the option removed from newer BIND releases; it is
// harmless on this 9.8 build but contributes nothing to validation - drop on upgrade.
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
// Query log: every query is written to data/query.log (relative to directory),
// rotated as 3 files of 50 MB. It records client addresses and the names they
// look up, so treat it as sensitive data and keep rotation in place.
channel query_log {
file "data/query.log" versions 3 size 50m;
severity dynamic;
print-time yes;
print-category yes;
};
category queries {
query_log;
};
};
zone "." IN {
type hint;
file "named.ca";
};
//test.com.cn
zone "test.com.cn" IN {
type master;
file "test.com.cn.zone"; # forward zone file, relative to directory (/var/named)
notify yes;
allow-query { any; };
allow-update { none; }; # no host may submit dynamic DNS updates for this zone (refusing all is also the default)
};
//dev.test.com.cn
// The delegated subzone is hosted on this same server (the NS/glue records in
// test.com.cn.zone point to 10.59.77.27); it inherits the global
// allow-transfer / also-notify settings from options.
zone "dev.test.com.cn" IN {
type master;
file "dev/dev.test.com.cn.zone";
notify yes;
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
[root@test-zabbix-agent ~]# cat /var/named/test.com.cn.zone
$ttl 300
; Primary zone file for test.com.cn, served by 10.59.77.27 (see named.conf).
; Names without a trailing dot are relative to the zone origin (test.com.cn).
@ IN SOA test.com.cn. root.test.com.cn. (
2015062802 ; serial (YYYYMMDDnn) - bump it on every edit, or the secondary will not refresh
3H ; refresh
15M ; retry
1W ; expire
1D ) ; minimum / negative-caching TTL
; Owner omitted on the next two records: they inherit the previous owner (@).
IN NS ns.test.com.cn.
; NOTE(review): the secondary 10.59.77.29 (type slave in its named.conf) has no
; NS record here, so resolvers following the delegation are only ever pointed at
; 10.59.77.27; add an NS + A pair for it if it is meant to answer for the zone
; rather than just hold a copy.
IN MX 5 test.com.cn.
@ IN A 10.59.77.27
ns IN A 10.59.77.27
; set ns record
; Delegation of dev.test.com.cn to ns.dev.test.com.cn, which is this same host
; (named.conf loads dev/dev.test.com.cn.zone as a master zone).
dev IN NS ns.dev.test.com.cn.
;qa IN NS ns.qa.test.com.cn.
;dev1.test.com.cn. NS ns.dev1.test.com.cn.
;dev2.test.com.cn. NS ns.dev2.test.com.cn.
;dev3.test.com.cn. NS ns.dev3.test.com.cn.
; set ns server record
; Glue A record for the delegated name server: its name lies inside the
; delegated subzone, so the parent must supply the address.
ns.dev IN A 10.59.77.27
;ns.qa IN A 10.59.77.27
;ns.dev1 IN A 10.59.78.21
;ns.dev2 IN A 10.59.78.135
;ns.dev3 IN A 10.59.79.24
;set other record
master IN A 192.168.10.6
daily IN A 10.59.72.21
;
qa1 IN A 10.59.80.148
*.qa1 IN A 10.59.80.148 ; wildcard: any label under qa1 resolves to the same host
;
qa2 IN A 10.59.81.4
*.qa2 IN A 10.59.81.4
;
qa3 IN A 10.59.81.130
*.qa3 IN A 10.59.81.129 ; NOTE(review): differs from qa3 (.130), unlike the qa1/qa2 pairs - confirm this is intended
根据上面配置的 dev.test.com.cn NS 记录, 该子域被授权给本机解析, 还需要配置以下区域文件才能正常解析.
[root@test-zabbix-agent ~]# cat /var/named/dev/dev.test.com.cn.zone
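$TTL 600 ; 10 minutes
; Zone file for the delegated subzone dev.test.com.cn, loaded by the master's
; zone "dev.test.com.cn" block (file "dev/dev.test.com.cn.zone").
; Fix: the annotation on the SOA line previously began with '#', which is not a
; comment character in zone files (only ';' is) and would be read as data
; instead of being ignored; it is now a ';' comment.
;dev.test.com.cn. IN SOA ns.dev.test.com.cn. admin.dev.test.com.cn. (
@ IN SOA ns.dev.test.com.cn. admin.dev.test.com.cn. ( ; note the trailing dots: these are absolute names
2015052703 ; serial - bump it on every edit, or the secondary will not refresh
10800 ; refresh (3 hours)
900 ; retry (15 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
; Owner omitted: inherits the previous owner (@, the zone apex).
NS ns.dev.test.com.cn.
@ IN A 10.59.77.27
ns IN A 10.59.77.27 ; must agree with the glue record ns.dev in the parent zone
*.release IN A 10.59.77.27 ; wildcard: any label under release resolves here
xd.bis IN A 10.59.77.27
service-xd.bis IN A 10.59.77.27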
To disable IPv6 lookups, edit the following file and set:
[root@test-zabbix-agent named]# vim /etc/sysconfig/named
...
OPTIONS="-4"
注意: 区域文件的属主和属组应为 named
[root@test-zabbix-agent ~]# ls -l /var/named/test.com.cn.zone /var/named/dev/dev.test.com.cn.zone
-rw-r--r-- 1 named named 748 Jul 14 18:50 /var/named/dev/dev.test.com.cn.zone
-rw-r--r-- 1 named named 1066 Jul 14 18:37 /var/named/test.com.cn.zone
检查区域配置文件语法:
[root@test-zabbix-agent ~]# named-checkzone test.com.cn /var/named/test.com.cn.zone
zone test.com.cn/IN: loaded serial 2015062802
OK
[root@test-zabbix-agent ~]# named-checkconf
重启服务:
[root@test-zabbix-agent named]# /etc/init.d/named restart
[root@test-zabbix-agent named]# dig test.com.cn @10.59.77.27
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> test.com.cn @10.59.77.27
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25595
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;test.com.cn. IN A
;; ANSWER SECTION:
test.com.cn. 300 IN A 10.59.77.27
;; AUTHORITY SECTION:
test.com.cn. 300 IN NS ns.test.com.cn.
;; ADDITIONAL SECTION:
ns.test.com.cn. 300 IN A 10.59.77.27
[root@test-zabbix-agent named]# dig dev.test.com.cn @10.59.77.27
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> dev.test.com.cn @10.59.77.27
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37923
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;dev.test.com.cn. IN A
;; ANSWER SECTION:
dev.test.com.cn. 600 IN A 10.59.77.27
;; AUTHORITY SECTION:
dev.test.com.cn. 600 IN NS ns.dev.test.com.cn.
;; ADDITIONAL SECTION:
ns.dev.test.com.cn. 600 IN A 10.59.77.27
[root@test-zabbix-agent named]# dig master.test.com.cn @10.59.77.27
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> master.test.com.cn @10.59.77.27
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62841
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;master.test.com.cn. IN A
;; ANSWER SECTION:
master.test.com.cn. 300 IN A 192.168.10.6
;; AUTHORITY SECTION:
test.com.cn. 300 IN NS ns.test.com.cn.
;; ADDITIONAL SECTION:
ns.test.com.cn. 300 IN A 10.59.77.27
[root@test-zabbix-agent named]# dig xd.bis.dev.test.com.cn @10.59.77.27
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> xd.bis.dev.test.com.cn @10.59.77.27
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50019
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;xd.bis.dev.test.com.cn. IN A
;; ANSWER SECTION:
xd.bis.dev.test.com.cn. 600 IN A 10.59.77.27
;; AUTHORITY SECTION:
dev.test.com.cn. 600 IN NS ns.dev.test.com.cn.
;; ADDITIONAL SECTION:
ns.dev.test.com.cn. 600 IN A 10.59.77.27
slave 配置:
1 安装
[root@test-zabbix-proxy-agent slaves] yum install bind bind-utils -y
2 修改主配文件
[root@test-zabbix-proxy-agent slaves]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Secondary (slave) configuration on 10.59.77.29: both zones are pulled from
// the primary at 10.59.77.27 and stored under /var/named/slaves.
options {
// listen-on port 53 { 127.0.0.1; };
// listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
// NOTE(review): there is no allow-transfer statement here, and this BIND 9.8
// build's default permits zone transfers to any client, so anyone who can reach
// this host can pull the full contents of both zones - the primary restricts
// transfers to this secondary, but the copy held here does not. Add
// allow-transfer { none; }; in options unless further secondaries pull from this server.
recursion yes;
// NOTE(review): recursion yes + allow-query { any; } with no allow-recursion also
// makes this secondary an open recursive resolver; restrict it the same way as
// the primary (recursion no, or allow-recursion limited to internal clients).
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "test.com.cn" IN { // newly added secondary zone
type slave; // secondary copy, refreshed from masters
file "slaves/test.com.cn.zone"; // transferred zone is written here, so the directory must be writable by named
masters { 10.59.77.27; }; // address of the primary
};
zone "dev.test.com.cn" IN {
type slave;
file "slaves/dev.test.com.cn.zone";
masters { 10.59.77.27; };
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
[root@test-zabbix-proxy-agent slaves]# /etc/init.d/named start
4 测试:
查看区域文件是否同步过来:
[root@test-zabbix-proxy-agent named]# ls -l /var/named/slaves/
total 8
-rw-r--r-- 1 named named 480 Jul 15 14:47 dev.test.com.cn.zone
-rw-r--r-- 1 named named 1042 Jul 15 14:45 test.com.cn.zone
解析测试
[root@test-zabbix-proxy-agent named]# dig test.com.cn @10.59.77.29
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> test.com.cn @10.59.77.29
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34046
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;test.com.cn. IN A
;; ANSWER SECTION:
test.com.cn. 300 IN A 10.59.77.27
;; AUTHORITY SECTION:
test.com.cn. 300 IN NS ns.test.com.cn.
;; ADDITIONAL SECTION:
ns.test.com.cn. 300 IN A 10.59.77.27
[root@test-zabbix-proxy-agent named]# dig dev.test.com.cn @10.59.77.29
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> dev.test.com.cn @10.59.77.29
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15864
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;dev.test.com.cn. IN A
;; ANSWER SECTION:
dev.test.com.cn. 600 IN A 10.59.77.27
;; AUTHORITY SECTION:
dev.test.com.cn. 600 IN NS ns.dev.test.com.cn.
;; ADDITIONAL SECTION:
ns.dev.test.com.cn. 600 IN A 10.59.77.27
[root@test-zabbix-proxy-agent named]# dig master.test.com.cn @10.59.77.29
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> master.test.com.cn @10.59.77.29
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30724
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;master.test.com.cn. IN A
;; ANSWER SECTION:
master.test.com.cn. 300 IN A 192.168.10.6
;; AUTHORITY SECTION:
test.com.cn. 300 IN NS ns.test.com.cn.
;; ADDITIONAL SECTION:
ns.test.com.cn. 300 IN A 10.59.77.27
[root@test-zabbix-proxy-agent named]# dig xd.bis.dev.test.com.cn @10.59.77.29
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> xd.bis.dev.test.com.cn @10.59.77.29
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22126
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;xd.bis.dev.test.com.cn. IN A
;; ANSWER SECTION:
xd.bis.dev.test.com.cn. 600 IN A 10.59.77.27
;; AUTHORITY SECTION:
dev.test.com.cn. 600 IN NS ns.dev.test.com.cn.
;; ADDITIONAL SECTION:
ns.dev.test.com.cn. 600 IN A 10.59.77.27