DNS架构拓扑架构图:
正向解析区域、反向解析区域;主/从;子域配置;
环境准备,3台centos7.2系统,关闭防火墙,selinux,配置yum源,设置时间同步,设置DNS为主域名服务器IP(172.16.100.67)
--------------------------------------------------------------------------------------------------------------------------------------
一,主域名服务器配置(172.16.100.67):
(1)安装bind,并启动,设置开机自启动
~]# yum install bind –y
~]# systemctl start named.service
~]# systemctl enable named.service
(2)修改配置文件(仅列出有修改配置)
~]# vim /etc/named.conf
options {
listen-on port 53 { 127.0.0.1;172.16.100.67; };
// allow-query { localhost; };
dnssec-enable no;
dnssec-validation no;
(3)检查配置文件语法错误(默认/etc/named.conf),并重读配置文件
~]# named-checkconf
~]# rndc reload
(4)配置解析一个正向区域:
1)定义正向区域
~]# vim /etc/named.rfc1912.zones
zone "iecentury.com" IN {
type master;
file "iecentury.com.zone";
};
注意:区域名字即为域名;
2)建立区域数据文件(主要记录为A或AAAA记录,在/var/named目录下建立区域数据文件;)
~]# vim /var/named/iecentury.com.zone
$TTL 3600 $ORIGIN iecentury.com. @ IN SOA ns1.iecentury.com. dnsadmin.iecentury.com. ( 201812031 1H 10M 3D 1D ) IN NS ns1 IN MX 10 mx1 IN MX 20 mx2 IN A 172.16.100.67 ns1 IN A 172.16.100.67 mx1 IN A 172.16.100.68 mx2 IN A 172.16.100.69 www IN A 172.16.100.67 web IN CNAME www
权限及属组修改:
# chgrp named /var/named/iecentury.com.zone
# chmod o= /var/named/iecentury.com.zone
检查语法错误
]# named-checkconf
]# named-checkzone iecentury.com /var/named/iecentury.com.zone
3) 让服务器重载配置文件和区域数据文件(或 systemctl reload named.service)
# rndc reload
检查rndc状态(注意:语法正常,重读配置成功,区域增加并不代表区域正常工作,要用dig/nslookup/host等DNS测试工具测试)
~]# rndc status
version: 9.9.4-RedHat-9.9.4-61.el7_5.1 <id:8f9657aa>
CPUs found: 8
worker threads: 8
UDP listeners per interface: 8
number of zones: 102 成功+1(默认101)
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
(5)配置解析一个反向区域
1) 定义区域 (在主配置文件中或主配置文件辅助配置文件中实现);
~]# vim /etc/named.rfc1912.zones
zone "100.16.172.in-addr.arpa" IN {
type master;
file "100.16.172.zone";
};
注意:反向区域的名字
反写的网段地址.in-addr.arpa
示例:100.16.172.in-addr.arpa
2)定义区域解析库文件(主要记录为PTR)
在/var/named目录下建立区域数据文件;示例:区域名称为100.16.172.in-addr.arpa;(反过来写IP)
~]# vim /var/named/100.16.172.zone
$TTL 3600 $ORIGIN 100.16.172.in-addr.arpa. @ IN SOA ns1.iecentury.com. nsadmin.iecentury.com. ( 201810032 1H 10M 3D 12H ) IN NS ns1.iecentury.com. 67 IN PTR ns1.iecentury.com. 68 IN PTR mx1.iecentury.com. 69 IN PTR mx2.iecentury.com. 67 IN PTR www.iecentury.com.
权限及属组修改:
~]# chmod o= /var/named/100.16.172.zone
~]# chgrp named /var/named/100.16.172.zone
检查语法错误、重读配置、rndc状态检查:
~]# named-checkzone 100.16.172.zone /var/named/100.16.172.zone
~]# named-checkconf
~]#rndc reload
[root@james ~]# rndc status
version: 9.9.4-RedHat-9.9.4-61.el7_5.1 <id:8f9657aa>
CPUs found: 8
worker threads: 8
UDP listeners per interface: 8
number of zones: 103 成功+1
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
(6)测试正向解析及反向解析
~]# dig -t A www.iecentury.com
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -t A www.iecentury.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45698
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.iecentury.com. IN A
;; ANSWER SECTION:
www.iecentury.com. 3600 IN A 172.16.100.67
;; AUTHORITY SECTION:
iecentury.com. 3600 IN NS ns1.iecentury.com.
;; ADDITIONAL SECTION:
ns1.iecentury.com. 3600 IN A 172.16.100.67
;; Query time: 21 msec
;; SERVER: 172.16.100.67#53(172.16.100.67)
;; WHEN: 日 11月 04 00:14:56 CST 2018
;; MSG SIZE rcvd: 96
~]# dig -x 172.16.100.67
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -x 172.16.100.67
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56457
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;67.100.16.172.in-addr.arpa. IN PTR
;; ANSWER SECTION:
67.100.16.172.in-addr.arpa. 3600 IN PTR ns1.iecentury.com.
67.100.16.172.in-addr.arpa. 3600 IN PTR www.iecentury.com.
;; AUTHORITY SECTION:
100.16.172.in-addr.arpa. 3600 IN NS ns1.iecentury.com.
;; ADDITIONAL SECTION:
ns1.iecentury.com. 3600 IN A 172.16.100.67
;; Query time: 1 msec
;; SERVER: 172.16.100.67#53(172.16.100.67)
;; WHEN: 日 11月 04 00:15:13 CST 2018
;; MSG SIZE rcvd: 134
--------------------------------------------------------------------------------------------------------------------------------------
二 、辅域名服务器配置:(172.16.100.68)
(1)安装bind,修改配置文件
~]# yum install bind -y
~]# vim /etc/named.conf
options {
listen-on port 53 { 127.0.0.1;172.16.100.68;};
dnssec-enable no;
dnssec-validation no;
(2)Master(172.16.100.67)上配置一个正向从区域和反向从区域:
在Master上,确保区域数据文件中为每个从服务配置NS记录,并且在正向区域文件需要每个从服务器的NS记录的主机名配置一个A记录,且此A后面的地址为真正的从服务器的IP地址;
[root@james ~]# vim /var/named/iecentury.com.zone
$TTL 3600 $ORIGIN iecentury.com. @ IN SOA ns1.iecentury.com. dnsadmin.iecentury.com. ( 201812031 1H 10M 3D 1D ) IN NS ns1 IN NS ns2 #从服务器NS记录 IN MX 10 mx1 IN MX 20 mx2 IN A 172.16.100.67 ns1 IN A 172.16.100.67 #从服务器A记录 ns2 IN A 172.16.100.68 mx1 IN A 172.16.100.68 mx2 IN A 172.16.100.69 www IN A 172.16.100.67 web IN CNAME www 反向区域 ~]# vim /var/named/100.16.172.zone $TTL 3600 $ORIGIN 100.16.172.in-addr.arpa. @ IN SOA ns1.iecentury.com. nsadmin.iecentury.com. ( 2014100801 1H 10M 3D 12H ) IN NS ns1.iecentury.com. IN NS ns2.iecentury.com. #反向NS2记录 67 IN PTR ns1.iecentury.com. 68 IN PTR ns2.iecentury.com. #反向A记录 68 IN PTR mx1.iecentury.com. 69 IN PTR mx2.iecentury.com. 67 IN PTR www.iecentury.com.
语法检查并重新配置
~]# named-checkzone iecentury.com /var/named/iecentury.com.zone
~]# rndc reload
(3)在slave DNS上定义iecentury.com域名正向区域(masters为NS1)和反向解析区域
~]# vim /etc/named.rfc1912.zones
zone "iecentury.com" IN {
type slave;
file "slaves/iecentury.con.zone";
masters { 172.16.100.67; };
};
zone "100.16.172.in-addr.arpa" IN {
type slave;
file "slaves/100.16.172.zone";
masters { 172.16.100.67; };
};
语法检查、重载配置
|
1
2
|
配置文件语法检查
named-checkconf
|
|
1
2
|
重载配置
rndc reload
|
验证:(1)在/var/named/slaves目录下自动同步iecentury.zone区域
~]# ls /var/named/slaves
iecentury.com.zone
(2)测试slave正反向解析
~]# dig -x 172.16.100.67
~]# dig -t A www.iecentury.com
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -t A www.iecentury.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13394
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.iecentury.com.INA
;; ANSWER SECTION:
www.iecentury.com.3600INA172.16.100.67
;; AUTHORITY SECTION:
iecentury.com.3600INNSns1.iecentury.com.
iecentury.com.3600INNSns2.iecentury.com.
;; ADDITIONAL SECTION:
ns1.iecentury.com.3600INA172.16.100.67
ns2.iecentury.com.3600INA172.16.100.68
;; Query time: 0 msec
;; SERVER: 172.16.100.68#53(172.16.100.68)
;; WHEN: 日 11月 04 13:13:24 CST 2018
;; MSG SIZE rcvd: 130
至此,辅域名服务器配置完毕
--------------------------------------------------------------------------------------------------------------------------------------
三、子域服务器(ops.iecentury.com)
master上(172.16.100.67)子域授权
~]# vim /var/named/iecentury.com.zone
$TTL 3600 $ORIGIN iecentury.com. @ IN SOA ns1.iecentury.com. dnsadmin.iecentury.com. ( 201811033 #序列号手动+1 1H 10M 3D 1D ) IN NS ns1 IN NS ns2 IN MX 10 mx1 IN MX 20 mx2 IN A 172.16.100.67 ns1 IN A 172.16.100.67 ns2 IN A 172.16.100.68 mx1 IN A 172.16.100.68 mx2 IN A 172.16.100.69 www IN A 172.16.100.67 web IN CNAME www ops IN NS ns1.ops #添加子域ns记录 ns1.ops IN A 172.16.100.69 #添加子域A记录 重载配置
~]# rndc reload
子域服务器配置(172.16.100.69)
(1)安装bind,并启动,设置开机自启动
~]# yum install bind –y
~]# systemctl start named.service
~]# systemctl enable named.service
(2)修改配置文件(仅列出有修改配置)
~]# vim /etc/named.conf
options {
listen-on port 53 { 127.0.0.1;172.16.100.69; };
// allow-query { localhost; };
dnssec-enable no;
dnssec-validation no;
(3)检查配置文件语法错误(默认/etc/named.conf),并重读配置文件
~]# named-checkconf
~]# rndc reload
(4)配置解析一个子域正向区域:
1)定义正向区域
~]# vim /etc/named.rfc1912.zones
zone "ops.iecentury.com" IN {
type master;
file "ops.iecentury.com.zone";
};
2)建立区域数据文件(主要记录为A或AAAA记录,在/var/named目录下建立区域数据文件;)
~]# vim /var/named/iecentury.com.zone
$TTL 3600 $ORIGIN ops.iecentury.com. @ IN SOA ns1.ops.iecentury.com. dnsadmin.ops.iecentury.com. ( 201811034 1H 10M 3D 1D ) IN NS ns1 ns1 IN A 172.16.100.69 www IN A 172.16.100.69
权限及属组修改:
~]# chmod o= /var/named/ops.iecentury.com.zone
~]# chgrp named /var/named/ops.iecentury.com.zone
子域测试:
~]# dig -t A www.ops.iecentury.com
设置子域对父域的转发
~]# vim /etc/named.rfc1912.zones
zone "iecentury.com" IN {
type forward;
forward only;
forwarders { 172.16.100.67;172.16.100.68; };
};
主从域服务器测试子域解析:
~]# dig -t A www.ops.iecentury.com
备注:如从域不测试不成功,可尝试重启named服务
~]# systemctl restart named.service
以上是正向解析区域、反向解析区域;主/从;子域配置;bind acl基本安全控制,非DNS服务商,可不做深入了解!
转载于:https://blog.51cto.com/jameszhan/2312612
扫一扫
456
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
