域名服务bind构建与应用配置

 域名服务器是internat服务，在企业内部有着非常重要的作用，现在我就将其搭建与配置相关内容描述如下。

 一 安装

yum install bind   bind-chroot    bind-utils

      现在主要来实现主、从域名服务器，智能解析-分离解析功能。还有 域名应用实例 主要特例：基于域名解析的负载均衡，泛域名解析，子域授权。

二 环境拓扑

 三 主从复制过程

   master DNS服务器更新完配置后，首先会向slave DNS服务器发送notify消息。随后slave DNS服务器向master DNS服务器发送SOA查询请求，主DNS服务器返回结果给从DNS服务器，slave DNS服务器会对比其serial，如果小于自己的serial就结束同步过程。如果返回的查询结果中的serial号比自己的大，向master DNS服务器发送zone transfer请求，master DNS响应后会发送结果，slave DNS服务器接收数据，完成更新。

四 bind配置过程

1.将主从DNS服务器的域名设置成自己的ipaddress

master的/etc/reslov.conf加入：nameserver  192.168.4.44

slave的/etc/reslov.conf加入：nameserver  192.168.4.70

2.配置master DNS服务器

 2.1 其/etc/named.conf配置如下

// named.conf // // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS // server as a caching only nameserver (as a localhost DNS resolver only). // // See /usr/share/doc/bind*/sample/ for example named configuration files. // options { listen-on port 53 {any;};    //监听ip,192.168.4.44  172.16.100.80 listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; allow-query { any; }; recursion yes; forwarders {221.130.13.133;};  转发给上级DNS dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto; /* Path to ISC DLV key */ bindkeys-file "/etc/named.iscdlv.key"; managed-keys-directory "/var/named/dynamic"; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; //172.16.100.0/24模拟内网，192.168.4.0/24模拟外网。 key "lan" { algorithm hmac-md5 ; secret "1Zgap+bwH5Yjtj0mo+Bj9g=="; }; key "wan"{ algorithm hmac-md5; secret "1TK0ThAdgiQ8IrJBm+SQZA=="; }; view "lan" { match-clients { 172.16.100.0/24; };  //匹配客户端 server 172.16.100.70 {keys "lan";};  //slave服务器地址 allow-transfer {key lan;}; include "/etc/named/lan.conf";     //zone配置文件 }; view "wan"{ match-clients { any; }; server 192.168.4.70 {keys wan;}; allow-transfer {key wan;}; include "/etc/named/wan.conf"; };

 2.2 视图lan配置文件lan.conf

zone "longining.com." IN { type master; allow-transfer {172.16.100.70;}; file "/var/named/longining.lan"; }; zone "100.16.172.in-addr.arpa." IN { type master; allow-transfer {172.16.100.70;}; file "/var/named/100.16.172.arpa"; };

 2.3 视图wan配置文件wan.conf

zone "longining.com." IN { type master; allow-transfer {192.168.4.70;}; file "/var/named/longining.wan"; }; zone "4.168.192.in-addr.arpa." IN { type master; allow-transfer {192.168.4.70;}; file "/var/named/4.168.192.arpa"; };

2.4 lan.conf对应的正反向解析文件

 2.4.1 longining.lan内容如下

//longining.lan内容  $TTL 1D @ IN SOA dns.longining.com. root@longining.com ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum IN NS dns.longining.com. IN MX 10 mail.longining.com. dns  IN A 172.16.100.70 dns  IN A 192.168.4.44 www  IN A 192.168.4.44 time IN A 172.16.100.70 mail IN A 192.168.4.44

 2.4.2 100.16.172.arpa内容如下

$TTL 1D @ IN SOA dns.longining.com. root.longining.com (             0 ; serial            1D ; refresh            1H ; retry            1W ; expire            3H ) ; minimum    IN NS dns.longining.com. 70 IN PTR dns.longining.com.                                         70 IN PTR time.longining.com.                                         70 IN PTR ftp.longining.com.

 2.4.3 longining.wan配置如下

$TTL 1D @ IN SOA dns.longining.com. root@longining.com (                 0 ; serial                 1D ; refresh                 1H ; retry                 1W ; expire                 3H ) ; minimum       IN NS dns.longining.com.       IN MX 10 mail.longining.com. dns   IN A 192.168.4.44 dns   IN A 172.16.100.70    // 负载均衡 www   IN A 192.168.4.44 time  IN A 172.16.100.70 mail  IN A 192.168.4.44                                               *    IN A 192.168.4.44   //泛域名解析

 2.4.4 4.168.192.arpa配置如下

$TTL 1D @ IN SOA dns.longining.com. root.longining.com (                      0 ; serial                      1D ; refresh                      1H ; retry                      1W ; expire                      3H ) ; minimum    IN NS dns.longining.com. 44 IN PTR mail.longining.com. 44 IN PTR dns.longining.com. 44 IN PTR www.longining.com.

3 slave DNS服务器的配置

  3.1 /etc/named.conf配置如下

// // named.conf // // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS // server as a caching only nameserver (as a localhost DNS resolver only). // // See /usr/share/doc/bind*/sample/ for example named configuration files. // options { listen-on port 53 { 172.16.100.70;192.168.4.70;}; listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; allow-query { any; }; recursion yes; [root@Nodes01 ~]# cat /etc/named.conf // // named.conf // // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS // server as a caching only nameserver (as a localhost DNS resolver only). // // See /usr/share/doc/bind*/sample/ for example named configuration files. // options { listen-on port 53 { 172.16.100.70;192.168.4.70;}; listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; allow-query { any; }; recursion yes; dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto; /* Path to ISC DLV key */ bindkeys-file "/etc/named.iscdlv.key"; managed-keys-directory "/var/named/dynamic"; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; key "lan" { algorithm hmac-md5 ; secret "1Zgap+bwH5Yjtj0mo+Bj9g=="; }; key "wan"{ algorithm hmac-md5; secret "1TK0ThAdgiQ8IrJBm+SQZA=="; }; view "lan" { match-clients { 172.16.100.0/24; }; server 172.16.100.80 {keys lan;}; allow-transfer {key lan;}; zone "longining.com" IN { type slave; masters {172.16.100.80;}; file "slaves/longining.lan"; }; zone "100.16.172.in-addr.arpa." IN { type slave; masters {172.16.100.80;}; file "slaves/100.16.172.arpa"; }; }; view "wan"{ match-clients { any; }; server 192.168.4.44 {keys wan;}; allow-transfer {key wan;}; zone "longining.com" IN { type slave; masters {192.168.4.44;}; file "slaves/longining.wan"; }; zone "4.168.192.in-addr.arpa." IN { type slave; masters {192.168.4.44;}; file "slaves/4.168.192.arpa "; }; };

  3.2 key生成方法 

    以lan密钥为例

[root@master ~]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST "lan" Klan.+157+47240 [root@master ~]# ls Klan.+157+47240.* Klan.+157+47240.key Klan.+157+47240.private

4 重启named服务

service named restart

查看zone是否同步成功

[root@Nodes01 ~]# ls /var/named/slaves/    //同步成功zone文件 100.16.172.arpa 4.168.192.arpa longining.lan longining.wan

如果没同步成功，请查看日志/var/log/messages

转载于:https://blog.51cto.com/seneagle/1168034