一般来说我们的DNS服务器为了安全不能对所有用户(如通过互联网访问的用户)进行递归,否则DNS服务器容易受到***,很不安全
用户请求有以下几种:
有主机通过互联网请求本地NS管理的主机(如ns1.fade.com)的权威答案,应该给予响应(此处不是递归)
有主机从互联网请求本地没有的主机(如请求www.baidu.com 此处是递归 )则不应该给予响应
本地用户通过本地的NS请求www.baidu.com的解析(此处是递归),但应该给予响应
#vim /etc/named.conf
options {
direcotry "/var/named";
allow-recursion{192.168.139.0/24}; 则只允许本地网段用户进行递归
};
用dig命令进行非递归一步步查询
[root@node1 bind]# dig +norecurse -t A www.sina.com @192.168.139.2
com. 172154 IN NS j.gtld-servers.net.
com. 172154 IN NS m.gtld-servers.net.
显示的为com.的解析
[root@node1 bind]# dig +norecurse -t A www.sina.com @m.gtld-servers.net.
sina.com. 172800 IN NS ns1.sina.com.cn.
sina.com. 172800 IN NS ns2.sina.com.cn.
显示的为sina.com.的解析
[root@node1 bind]# dig +norecurse -t A www.sina.com @m.ns1.sina.com.cn.
;; QUESTION SECTION:
;www.sina.com. IN A
;; ANSWER SECTION:
www.sina.com. 60 IN CNAME us.sina.com.cn.
us.sina.com.cn. 60 IN CNAME news.sina.com.cn.
news.sina.com.cn. 60 IN CNAME jupiter.sina.com.cn.
jupiter.sina.com.cn. 60 IN CNAME polaris.sina.com.cn.
polaris.sina.com.cn. 60 IN A 202.108.33.107
用dig命令直接进行递归查询www.google.com.hk,则一步就可以查询到结果
[root@node1 bind]# dig +recurse -t A www.google.com.hk @192.168.139.2
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4 <<>> +recurse -t A www.google.com.hk @192.168.139.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58042
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 8, ADDITIONAL: 14
;; QUESTION SECTION:
;www.google.com.hk. IN A
;; ANSWER SECTION:
www.google.com.hk. 76 IN A 46.82.174.68
;; AUTHORITY SECTION:
hk. 172797 IN NS z.hkirc.net.hk.
hk. 172797 IN NS u.hkirc.net.hk.
hk. 172797 IN NS v.hkirc.net.hk.
hk. 172797 IN NS x.hkirc.net.hk.
hk. 172797 IN NS c.hkirc.net.hk.
hk. 172797 IN NS w.hkirc.net.hk.
hk. 172797 IN NS d.hkirc.net.hk.
hk. 172797 IN NS y.hkirc.net.hk.
;; ADDITIONAL SECTION:
c.hkirc.net.hk. 172797 IN A 203.119.2.218
c.hkirc.net.hk. 172797 IN AAAA 2001:dca:4000::cb77:2da
d.hkirc.net.hk. 172797 IN A 203.119.87.218
d.hkirc.net.hk. 172797 IN AAAA 2001:dca:2000::cb77:57da
u.hkirc.net.hk. 172797 IN A 210.201.138.58
u.hkirc.net.hk. 172797 IN AAAA 2404:0:10a0::58
v.hkirc.net.hk. 172797 IN A 204.61.216.46
v.hkirc.net.hk. 172797 IN AAAA 2001:500:14:6046:ad::1
w.hkirc.net.hk. 172797 IN A 202.12.28.140
w.hkirc.net.hk. 172797 IN AAAA 2001:dc0:1:0:4777::140
x.hkirc.net.hk. 172797 IN A 202.45.188.39
x.hkirc.net.hk. 172797 IN AAAA 2405:3001:1:3a::27
y.hkirc.net.hk. 172797 IN A 137.189.6.21
y.hkirc.net.hk. 172797 IN AAAA 2405:3000:3:6::15
对任何主机都不给予递归的设置
#vim /etc/named.conf
options {
directory "/var/named";
recursion no; 直接禁止进行递归
};
axfr:全区域传送
ixfr: 增量区域传送
[root@node1 bind]# dig -t axfr fade.com. 显示出fade.com这个区域内所有的记录
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4 <<>> -t axfr fade.com.
;; global options: +cmd
fade.com. 600 IN SOA ns1.fade.com.fade.com. admin.fade.com. 2017022101 3600 300 86400 21600
fade.com. 600 IN NS ns1.fade.com.
fade.com. 600 IN MX 10 mail.fade.com.
ftp.fade.com. 600 IN CNAME www.fade.com.
mail.fade.com. 600 IN A 192.168.139.14
ns1.fade.com. 600 IN A 192.168.139.11
www.fade.com. 600 IN A 192.168.139.12
www.fade.com. 600 IN A 192.168.139.13
fade.com. 600 IN SOA ns1.fade.com.fade.com. admin.fade.com. 2017022101 3600 300 86400 21600
;; Query time: 16 msec
;; SERVER: 192.168.139.2#53(192.168.139.2)
;; WHEN: Tue Feb 21 17:01:15 2017
;; XFR size: 9 records (messages 1, bytes 242)
[root@node1 bind]# dig -t ixfr=2017022101 fade.com. 显示出当前版本号为2017022101时改变的数据
区域传送时为了DNS服务器的安全,只允许从服务器进行区域传送,其他的都不允许
#vim /etc/named.conf
options {
direcotry "/var/named";
allow-recursion{192.168.139.0/24}; 则只允许本地网段用户进行递归
allow-transfer {192.168.139.4;}; 只允许192.168.139.4主机进行区域传送(从DNS),且这是一个全局定义,即所有区域的传送都只允许192.168.139.4主机进行
};
要想只定义某个区域的区域传送对象,则在此区域内定义一个allow-transfer便可;none表示谁都不能传送
如
#vim /etc/named.conf
zone "fade.com" IN {
type master;
file "fade.com.zone";
allow-transfer{192.168.139.4;};
既fade.com区域中止允许 192.168.139.4进行区域传送
};
构建主从服务器
192.168.139.2 node1 主
192.168.139.4 node2 从
[root@node1 bind]# vim /etc/named.conf //主服务器(node1)的配置
options {
directory "/var/named";
notify yes;
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "named.localhost";
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
};
zone "fade.com" IN { type master;
file "fade.com.zone";
};
zone "139.168.192.in-addr.arpa" IN {
type master;
file "192.168.139.zone
[root@node1 bind]# vim /var/named/fade.com.zone 正向区域资源记录文件
$TTL 600
fade.com. IN SOA ns1.fade.com admin.fade.com. (
2017022102
1H
5M
1D
6H)
fade.com. IN NS ns1.fade.com.
fade.com. IN NS ns2.fade.com.
IN MX 10 mail
ns1 IN A 192.168.139.2
ns2 IN A 192.168.139.4
mail IN A 192.168.139.14
www IN A 192.168.139.12
www IN A 192.168.139.13
ftp IN CNAME www
[root@node1 bind]# vim /var/named/192.168.139.zone 反向区域资源记录文件
$TTL 600
@ IN SOA ns1.fade.com admin.fade.com.(
2017022101
1H
5M
1D
6H)
IN NS ns1.fade.com.
IN NS ns2.fade.com.
2 IN PTR ns1.fade.com.
4 IN PTR ns2.fade.com.
12 IN PTR www.fade.com.
13 IN PTR www.fade.com.
14 IN PTR mail.fade.com.
在node2上安装bind
[root@node2 ~]# yum install bind bind-libs bind-utils
[root@node2 ~]# ls -ld /var/named/
drwxr-x---. 5 root named 4096 Feb 21 17:26 /var/named/
[root@node2 ~]# ls -ld /var/named/slaves/
drwxrwx---. 2 named named 4096 Jan 17 21:04 /var/named/slaves/
可以看到named对/var/named是没有写入权限的,而进行主从区域传送时是以named用户身份进行的,无法将dns主从区域传送的内容写入/var/named目录下;只能写到/var/named/slaves/目录下,或者要修改权限
[root@node2 ~]# mv /etc/named.conf /etc/named.conf.bak
[root@node2 ~]# scp 192.168.139.2:/etc/named.conf /etc/
[root@node2 ~]# vim /etc/named.conf
options {
directory "/var/named";
allow-recursion { 192.168.139.0/16;};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-transfer { none;};
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-transfer { none;};
};
zone "fade.com" IN { type slave;
file "slaves/fade.com.zone";
masters { 192.168.139.2;};
allow-transfer { none;};
};
zone "139.168.192.in-addr.arpa" IN {
type slave;
file "slaves/192.168.139.zone";
masters { 192.168.139.2;};
allow-transfer { none;};
};
[root@node2 ~]# ll /etc/named.conf 这个目录属于root,named用户无法读
-rw-r-----. 1 root root 1212 Feb 21 17:43 /etc/named.conf
[root@node2 ~]# chgrp named /etc/named.conf 将组改为named
[root@node2 ~]# service named restart
Stopping named: [ OK ]
Starting named: [ OK ]
返回192.168.139.2(主服务器)
[root@node1 bind]# tail /var/log/messages
Feb 21 17:45:11 node1 named[3173]: client 192.168.139.4#41679: transfer of 'fade.com/IN': AXFR started
Feb 21 17:45:11 node1 named[3173]: client 192.168.139.4#41679: transfer of 'fade.com/IN': AXFR ended
Feb 21 17:45:11 node1 named[3173]: client 192.168.139.4#35693: transfer of '139.168.192.in-addr.arpa/IN': AXFR started //AXFR全区域传送开始
Feb 21 17:45:11 node1 named[3173]: client 192.168.139.4#35693: transfer of '139.168.192.in-addr.arpa/IN': AXFR ended //AXFR全区域传送结束
node2上
[root@node2 ~]# tail /var/log/messages
Feb 21 17:45:17 node2 named[2693]: transfer of 'fade.com/IN' from 192.168.139.2#53: connected using 192.168.139.4#41679
Feb 21 17:45:17 node2 named[2693]: zone fade.com/IN: transferred serial 2017022101
Feb 21 17:45:17 node2 named[2693]: transfer of 'fade.com/IN' from 192.168.139.2#53: Transfer completed: 1 messages, 10 records, 264 bytes, 0.007 secs (37714 bytes/sec)
Feb 21 17:45:17 node2 named[2693]: zone fade.com/IN: sending notifies (serial 2017022101)
Feb 21 17:45:18 node2 named[2693]: zone 139.168.192.in-addr.arpa/IN: Transfer started.
Feb 21 17:45:18 node2 named[2693]: transfer of '139.168.192.in-addr.arpa/IN' from 192.168.139.2#53: connected using 192.168.139.4#35693
Feb 21 17:45:18 node2 named[2693]: zone 139.168.192.in-addr.arpa/IN: transferred serial 2017022101
Feb 21 17:45:18 node2 named[2693]: transfer of '139.168.192.in-addr.arpa/IN' from 192.168.139.2#53: Transfer completed: 1 messages, 7 records, 236 bytes, 0.001 secs (236000 bytes/sec)
Feb 21 17:45:18 node2 named[2693]: zone 139.168.192.in-addr.arpa/IN: sending notifies (serial 2017022101)
Feb 21 17:45:18 node2 named[2693]: dumping master file: tmp-oztkOxYEv1: open: permission denied
[root@node2 ~]# cd /var/named/slaves/
[root@node2 slaves]# ls
192.168.139.zone fade.com.zone
[root@node2 slaves]# vim fade.com.zone 正向区域传送文件
$ORIGIN .
$TTL 600 ; 10 minutes
fade.com IN SOA ns1.fade.com.fade.com. admin.fade.com. (
2017022101 ; serial
3600 ; refresh (1 hour)
300 ; retry (5 minutes)
86400 ; expire (1 day)
21600 ; minimum (6 hours)
)
NS ns1.fade.com.
NS ns2.fade.com.
MX 10 mail.fade.com.
$ORIGIN fade.com.
ftp CNAME www
mail A 192.168.139.14
ns1 A 192.168.139.2
ns2 A 192.168.139.4
www A 192.168.139.12
A 192.168.139.13
[root@node2 slaves]# vim 192.168.139.zone 反向区域传送文件
$ORIGIN .
$TTL 600 ; 10 minutes
139.168.192.in-addr.arpa IN SOA ns1.fade.com.139.168.192.in-addr.arpa. admin.fade.com. (
2017022101 ; serial
3600 ; refresh (1 hour)
300 ; retry (5 minutes)
86400 ; expire (1 day)
21600 ; minimum (6 hours)
)
NS ns1.fade.com.
NS ns2.fade.com.
$ORIGIN 139.168.192.in-addr.arpa.
12 PTR www.fade.com.
13 PTR www.fade.com.
14 PTR mail.fade.com.
2 PTR ns1.fade.com.
4 PTR ns2.fade.com.
修改node1的正向资源文件记录和版本号,再重新reload
[root@node1 bind]# vim /var/named/fade.com.zone
添加下面两个记录
序列号从2017022101 改为 2017022102
node1 IN A 192.168.139.15
node2 IN A 192.168.139.16
[root@node1 bind]# service named reload
[root@node1 bind]# tail /var/log/messages
Feb 21 18:13:49 node1 named[3173]: reloading configuration succeeded
Feb 21 18:13:49 node1 named[3173]: reloading zones succeeded
Feb 21 18:13:49 node1 named[3173]: zone fade.com/IN: loaded serial 2017022102
Feb 21 18:13:49 node1 named[3173]: zone fade.com/IN: sending notifies (serial 2017022102)
发出了通知,让192.168.139.4(从)前来同步
Feb 21 18:13:49 node1 named[3173]: client 192.168.139.4#42545: transfer of 'fade.com/IN': AXFR-style IXFR started
Feb 21 18:13:49 node1 named[3173]: client 192.168.139.4#42545: transfer of 'fade.com/IN': AXFR-style IXFR ended
Feb 21 18:13:50 node1 named[3173]: client 192.168.139.4#19213: received notify for zone 'fade.com'
[root@node2 slaves]# vim fade.com.zone 数据已近同步
$ORIGIN .
$TTL 600 ; 10 minutes
fade.com IN SOA ns1.fade.com.fade.com. admin.fade.com. (
2017022102 ; serial
3600 ; refresh (1 hour)
300 ; retry (5 minutes)
86400 ; expire (1 day)
21600 ; minimum (6 hours)
)
NS ns1.fade.com.
NS ns2.fade.com.
MX 10 mail.fade.com.
$ORIGIN fade.com.
ftp CNAME www
mail A 192.168.139.14
node1 A 192.168.139.15
node2 A 192.168.139.16
ns1 A 192.168.139.2
ns2 A 192.168.139.4
www A 192.168.139.12
A 192.168.139.13
这样一个带有更新通知和自动同步的DNS主从服务器就构成了
转载于:https://blog.51cto.com/11107124/1899940
3733
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
