一、DNS反向解析

1.安装bind软件

[root@localhost named]# yum install bind

2.修改主配置文件

[root@www ~]# vim /etc/named.conf.bak 


//

// named.conf

//

// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS

// server as a caching only nameserver (as a localhost DNS resolver only).

//

// See /usr/share/doc/bind*/sample/ for example named configuration files.

//


// Global server options.
// NOTE(review): the command in the transcript opens /etc/named.conf.bak, but
// named reads /etc/named.conf — confirm the live file carries these settings.
options {

// listen-on/listen-on-v6 are commented out, so named binds port 53 on every
// interface; that is what lets 192.168.1.106 answer the LAN queries shown
// later in this document.
//       listen-on port 53 { 127.0.0.1; };

//       listen-on-v6 port 53 { ::1; };

        directory       "/var/named";

        dump-file       "/var/named/data/cache_dump.db";

        statistics-file "/var/named/data/named_stats.txt";

        memstatistics-file "/var/named/data/named_mem_stats.txt";

// With allow-query commented out and recursion left on below, every host that
// can reach port 53 gets recursive service (an "open resolver"), which exposes
// the cache to poisoning and lets the server be abused for amplification
// traffic against third parties. Limit recursion to the real client networks,
// e.g. allow-recursion { localhost; 192.168.1.0/24; }; (example ACL) — the
// authoritative zones below keep answering for everyone.
//       allow-query     { localhost; };

        recursion yes;


// DNSSEC validation is off (all three directives commented out), so answers
// this resolver relays to its clients are not cryptographically checked.
//       dnssec-enable yes;

//       dnssec-validation yes;

//       dnssec-lookaside auto;


        /* Path to ISC DLV key */

//       bindkeys-file "/etc/named.iscdlv.key";


//       managed-keys-directory "/var/named/dynamic";

};


// Logging: the debug channel writes to data/named.run, a path relative to the
// "directory" option above (/var/named/data/named.run).
logging {

        channel default_debug {

                file "data/named.run";

                // severity dynamic: verbosity follows the runtime debug level
                severity dynamic;

        };

};


// Root hints (named.ca); consulted only because recursion is enabled above.
zone "." IN {

        type hint;

        file "named.ca";

};


// Zone definitions live in the RFC 1912 file edited in the next step; the root
// key is the DNSSEC trust anchor and is presumably unused while validation is
// commented out in options — confirm.
include "/etc/named.rfc1912.zones";

include "/etc/named.root.key";

3.修改区域配置文件

[root@www named]# vim /etc/named.rfc1912.zones


// Loopback reverse zone (RFC 1912); dynamic updates are explicitly refused.
zone "1.0.0.127.in-addr.arpa" IN {

        type master;

        file "named.loopback";

        allow-update { none; };

};


// Empty zone for the 0.0.0.0/8 reverse space so such lookups never leak to
// the root servers; dynamic updates refused.
zone "0.in-addr.arpa" IN {

        type master;

        file "named.empty";

        allow-update { none; };

};


// Primary (master) zone for magelinux.com; data in /var/named/magelinux.com.zone.
// No allow-transfer is given, so this BIND build hands the whole zone to any
// host that asks (the successful dig axfr in section 三 shows exactly that);
// section 三.2 adds the restriction. allow-update is not set either — BIND's
// default refuses dynamic updates, but stating { none; } as the zones above
// do makes the intent explicit.
zone "magelinux.com." IN {

        type master;

        file "magelinux.com.zone";

};


// NOTE(review): this statement is an exact duplicate of the zone
// "magelinux.com." block above. BIND treats a zone defined twice in the same
// view as a configuration error, and the named-checkconf run below is shown
// passing, so this is most likely a copy-paste duplication in the transcript;
// keep only one of the two.
zone "magelinux.com." IN {

        type master;

        file "magelinux.com.zone";

};


// Primary reverse zone for 192.168.1.0/24; data in /var/named/192.168.1.zone.
// Like the forward zone, transfers are unrestricted here until section 三.2.
zone "1.168.192.in-addr.arpa" IN {

        type master;

        file "192.168.1.zone";

};

4.创建区域数据库文件

[root@www named]# cd /var/named/

[root@www named]# vim 192.168.1.zone

$TTL 600

; Reverse (PTR) zone for 1.168.192.in-addr.arpa, i.e. 192.168.1.0/24.
; The file opens with "$TTL 600", the default TTL for every record below.
; "@" is the zone apex; owner names are the last octet of the address.
@       IN      SOA    dns.magelinux.com. dnsadmin.magelinux.com. (

                        2015093001 ; serial (YYYYMMDDnn) - increase on every edit

                        1H ; refresh

                        5M ; retry

                        3D ; expire

                        12H ) ; minimum (negative-cache TTL)

@      IN      NS     dns.magelinux.com.

; 192.168.1.106 is the nameserver itself
106     IN      PTR     dns.magelinux.com.

107     IN      PTR     mail.magelinux.com.

108     IN      PTR     www.magelinux.com.

5.修改区域数据文件属性

[root@www named]# chown root:named 192.168.1.zone 

[root@www named]# chmod 640 192.168.1.zone 

[root@www named]# ls -l 192.168.1.zone 

-rw-r----- 1 root named 221 Sep 30 01:46 192.168.1.zone

6.检查配置文件和区域文件语法

[root@www named]# named-checkconf 

[root@www named]# named-checkzone "1.168.192.in-addr.arpa" /var/named/192.168.1.zone 

zone 1.168.192.in-addr.arpa/IN: loaded serial 2015093001

OK

7.重启DNS服务

[root@www named]# service named restart

Stopping named: .                                 [  OK  ]

Starting named:                                  [  OK  ]

8.测试DNS反向解析

[root@www named]# dig -x 192.168.1.106 @192.168.1.106

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.4 <<>> -x 192.168.1.106 @192.168.1.106

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52430

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1


;; QUESTION SECTION:

;106.1.168.192.in-addr.arpa. IN PTR


;; ANSWER SECTION:

106.1.168.192.in-addr.arpa. 600 IN PTR dns.magelinux.com.


;; AUTHORITY SECTION:

1.168.192.in-addr.arpa. 600 IN NS dns.magelinux.com.


;; ADDITIONAL SECTION:

dns.magelinux.com. 600 IN A 192.168.1.106


;; Query time: 1 msec

;; SERVER: 192.168.1.106#53(192.168.1.106)

;; WHEN: Wed Sep 30 02:08:35 2015

;; MSG SIZE  rcvd: 105


[root@www named]# dig -x 192.168.1.107 @192.168.1.106

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.4 <<>> -x 192.168.1.107 @192.168.1.106

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38939

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1


;; QUESTION SECTION:

;107.1.168.192.in-addr.arpa. IN PTR


;; ANSWER SECTION:

107.1.168.192.in-addr.arpa. 600 IN PTR mail.magelinux.com.


;; AUTHORITY SECTION:

1.168.192.in-addr.arpa. 600 IN NS dns.magelinux.com.


;; ADDITIONAL SECTION:

dns.magelinux.com. 600 IN A 192.168.1.106


;; Query time: 0 msec

;; SERVER: 192.168.1.106#53(192.168.1.106)

;; WHEN: Wed Sep 30 02:09:22 2015

;; MSG SIZE  rcvd: 110

二、DNS主从同步

1.主从DNS服务器特性:

  (1)主DNS服务器bind版本可以低于从DNS服务器bind版本

  (2)主DNS服务器和从DNS服务器可以不在同一网段

2.向区域中添加从服务器的关键两步:

  (1)在上级获得授权

  (2)在区域数据文件中为从服务器添加一条NS记录和对应的A或PTR记录

3.修改主DNS服务器区域数据文件

  区域数据文件中添加一条NS记录和对应的A记录;修改后需要递增SOA序列号并重新加载named,否则从服务器不会收到更新(见下文第8步)。

[root@www named]# vim /var/named/magelinux.com.zone

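$TTL 600

; Forward zone for magelinux.com on the primary. dns2 (the secondary at
; 192.168.1.109) is announced with an NS record plus its A glue so resolvers
; and the transfer mechanism can find it.
; NOTE(review): the serial is still 2015092901 — the same value the secondary's
; first copy (without dns2) shows further down — so this edit only reaches the
; secondary once the serial is raised and named reloaded (step 8, 2015092909).
@       IN      SOA     dns.magelinux.com.  admin.magelinux.com. (

                        2015092901 ; serial (YYYYMMDDnn) - increase on every edit

                        2H ; refresh

                        10M ; retry

                        7D ; expire

                        1D) ; minimum (negative-cache TTL)

@       IN      NS      dns

@       IN      NS      dns2

@       IN      MX  10  mail

dns     IN      A       192.168.1.106

dns2    IN      A       192.168.1.109

mail    IN      A       192.168.1.107

www     IN      A       192.168.1.108

pop     IN      CNAME   mail

; Fixed: the target read "ww", a name with no record; the zone actually served
; (dig axfr output and the secondary's copy) points ftp at www.
ftp     IN      CNAME   www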

4.编辑从DNS服务器配置文件

[root@www ~]# vim /etc/named.conf.bak 

//

// named.conf

//

// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS

// server as a caching only nameserver (as a localhost DNS resolver only).

//

// See /usr/share/doc/bind*/sample/ for example named configuration files.

//


// Global options on the secondary (same template as the primary).
// NOTE(review): the transcript edits /etc/named.conf.bak here as well, while
// named reads /etc/named.conf — confirm the live file matches.
options {

// listen-on is commented out: named listens on all interfaces, so the
// secondary at 192.168.1.109 can answer the LAN test query shown later.
//       listen-on port 53 { 127.0.0.1; };

//       listen-on-v6 port 53 { ::1; };

        directory       "/var/named";

        dump-file       "/var/named/data/cache_dump.db";

        statistics-file "/var/named/data/named_stats.txt";

        memstatistics-file "/var/named/data/named_mem_stats.txt";

// allow-query disabled plus "recursion yes" makes this host an open resolver
// too; restrict recursion to the client networks (for example
// allow-recursion { localhost; 192.168.1.0/24; }; — example ACL) so that
// only the authoritative zone is served to arbitrary sources.
//       allow-query     { localhost; };

        recursion yes;


// DNSSEC validation disabled — forwarded answers are not authenticated.
//       dnssec-enable yes;

//       dnssec-validation yes;

//       dnssec-lookaside auto;


        /* Path to ISC DLV key */

//       bindkeys-file "/etc/named.iscdlv.key";


//       managed-keys-directory "/var/named/dynamic";

};


// Debug log channel; "data/named.run" resolves under the "directory" option
// (/var/named/data/named.run).
logging {

        channel default_debug {

                file "data/named.run";

                severity dynamic;

        };

};


// Root hints for recursive resolution.
zone "." IN {

        type hint;

        file "named.ca";

};


// The secondary's zone statements (including the slave zone for
// magelinux.com) are in the RFC 1912 file edited next.
include "/etc/named.rfc1912.zones";

include "/etc/named.root.key";

[root@www ~]# vim /etc/named.rfc1912.zones

// named.rfc1912.zones:

//

// Provided by Red Hat caching-nameserver package 

//

// ISC BIND named zone configuration for zones recommended by

// RFC 1912 section 4.1 : localhost TLDs and address zones

// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt

// (c)2007 R W Franks

// 

// See /usr/share/doc/bind*/sample/ for example named configuration files.

//


// RFC 1912 local zone; dynamic updates refused.
zone "localhost.localdomain" IN {

        type master;

        file "named.localhost";

       allow-update { none; };

};


// "localhost" forward zone, served from the same named.localhost file.
zone "localhost" IN {

        type master;

        file "named.localhost";

        allow-update { none; };

};


// IPv6 loopback (::1) reverse zone.
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {

        type master;

        file "named.loopback";

        allow-update { none; };

};


// IPv4 loopback (127.0.0.1) reverse zone.
zone "1.0.0.127.in-addr.arpa" IN {

        type master;

        file "named.loopback";

        allow-update { none; };

};


// Empty zone for 0.0.0.0/8 reverse lookups.
zone "0.in-addr.arpa" IN {

        type master;

        file "named.empty";

        allow-update { none; };

};


// Secondary (slave) copy of magelinux.com, pulled from the primary at
// 192.168.1.106 and written by named to slaves/magelinux.zone under the
// "directory" option (/var/named/slaves/magelinux.zone, as the cat below
// shows) — named therefore needs write access to that directory.
// NOTE(review): no allow-transfer here, so this secondary will hand out the
// full zone to any requester even after the primary is locked down in
// section 三.2; put the same allow-transfer on the secondary (or in options).
// The primary is identified by IP address only (no TSIG key), so the
// integrity of transfers rests on the LAN being trusted.
zone "magelinux.com" IN {

        type slave;

        masters { 192.168.1.106; };

        file "slaves/magelinux.zone";

};

5.启动DNS服务

[root@www ~]# service named start

Starting named:                                   [  OK  ]

6.查看从DNS服务器区域数据文件

[root@www ~]# cat /var/named/slaves/magelinux.zone 

$ORIGIN .

$TTL 600 ; 10 minutes

magelinux.com IN SOA dns.magelinux.com. admin.magelinux.com. (

              2015092901  ; serial

              7200      ; refresh (2 hours)

              600       ; retry (10 minutes)

              604800     ; expire (1 week)

              86400      ; minimum (1 day)

              )

         NS   dns.magelinux.com.

         MX   10 mail.magelinux.com.

$ORIGIN magelinux.com.

dns       A    192.168.1.106

ftp       CNAME  www

mail      A    192.168.1.107

pop       CNAME  mail

www       A    192.168.1.108

7.测试从DNS服务器

[root@www ssh]# dig -t A www.magelinux.com @192.168.1.109

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t A www.magelinux.com @192.168.1.109

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26691

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2


;; QUESTION SECTION:

;www.magelinux.com. IN A


;; ANSWER SECTION:

www.magelinux.com. 600 IN A 192.168.1.108


;; AUTHORITY SECTION:

magelinux.com. 600 IN NS dns.magelinux.com.

magelinux.com. 600 IN NS dns2.magelinux.com.


;; ADDITIONAL SECTION:

dns.magelinux.com. 600 IN A 192.168.1.106

dns2.magelinux.com. 600 IN A 192.168.1.109


;; Query time: 1 msec

;; SERVER: 192.168.1.109#53(192.168.1.109)

;; WHEN: Sun Sep  6 19:21:03 2015

;; MSG SIZE  rcvd: 120

8.测试主从同步

  修改主服务器区域数据文件:

[root@www named]# vim /var/named/magelinux.com.zone

$TTL 600

; Same zone with the serial raised from 2015092901 to 2015092909: the higher
; serial is what makes the secondary fetch a new copy. The /var/log/messages
; excerpt below shows the NOTIFY being sent and 192.168.1.109 pulling the
; zone (AXFR-style IXFR).
@       IN      SOA     dns.magelinux.com.  admin.magelinux.com. (

                     2015092909 ; serial (was 2015092901)

                     2H ; refresh

                     10M ; retry

                     7D ; expire

                     1D 

                     ) ; the 1D above is the minimum (negative-cache TTL)

@      IN      NS      dns

; dns2 is the secondary; its A record below is the glue
@      IN      NS      dns2

@      IN      MX  10   mail

dns     IN      A       192.168.1.106

dns2    IN      A       192.168.1.109

mail    IN      A       192.168.1.107

www     IN      A       192.168.1.108

pop     IN      CNAME   mail

ftp     IN      CNAME   www

[root@www named]# tail /var/log/messages

Sep 30 04:20:05 www named[3294]: zone magelinux.com/IN: sending notifies (serial 2015092909)

Sep 30 04:20:05 www named[3294]: running

Sep 30 04:20:05 www named[3294]: client 192.168.1.109#33603: transfer of 'magelinux.com/IN': AXFR-style IXFR started

Sep 30 04:20:05 www named[3294]: client 192.168.1.109#33603: transfer of 'magelinux.com/IN': AXFR-style IXFR ended

  查看从DNS服务器区域数据文件:

[root@www ssh]# cat /var/named/slaves/magelinux.zone 

$ORIGIN .

$TTL 600; 10 minutes

magelinux.com IN  SOA dns.magelinux.com. admin.magelinux.com. (

                 2015092909 ; serial

                 7200     ; refresh (2 hours)

                 600      ; retry (10 minutes)

                 604800    ; expire (1 week)

                 86400     ; minimum (1 day)

                 )

          NS      dns.magelinux.com.

          NS      dns2.magelinux.com.

          MX  10   mail.magelinux.com.

$ORIGIN magelinux.com.

dns        A       192.168.1.106

dns2       A      192.168.1.109

ftp        CNAME    www

mail       A       192.168.1.107

pop        CNAME    mail

www        A       192.168.1.108

三、DNS区域传送

1.查看区域资源记录

  dig命令模拟完全区域传送,如下:

[root@www named]# dig -t axfr "magelinux.com" @192.168.1.106

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.4 <<>> -t axfr magelinux.com @192.168.1.106

;; global options: +cmd

magelinux.com. 600 IN SOA dns.magelinux.com. admin.magelinux.com. 2015092901 7200 600 604800 86400

magelinux.com. 600 IN NS dns.magelinux.com.

magelinux.com. 600 IN MX 10 mail.magelinux.com.

dns.magelinux.com. 600 IN A 192.168.1.106

ftp.magelinux.com. 600 IN CNAME www.magelinux.com.

mail.magelinux.com. 600 IN A 192.168.1.107

pop.magelinux.com. 600 IN CNAME mail.magelinux.com.

www.magelinux.com. 600 IN A 192.168.1.108

magelinux.com. 600 IN SOA dns.magelinux.com. admin.magelinux.com. 2015092901 7200 600 604800 86400

;; Query time: 1 msec

;; SERVER: 192.168.1.106#53(192.168.1.106)

;; WHEN: Wed Sep 30 02:12:40 2015

;; XFR size: 9 records (messages 1, bytes 236)


[root@www named]# dig -t axfr "1.168.192.in-addr.arpa" @192.168.1.106

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.4 <<>> -t axfr 1.168.192.in-addr.arpa @192.168.1.106

;; global options: +cmd

1.168.192.in-addr.arpa. 600 IN SOA dns.magelinux.com. dnsadmin.magelinux.com. 2015093001 3600 300 259200 43200

1.168.192.in-addr.arpa. 600 IN NS dns.magelinux.com.

106.1.168.192.in-addr.arpa. 600 IN PTR dns.magelinux.com.

107.1.168.192.in-addr.arpa. 600 IN PTR mail.magelinux.com.

108.1.168.192.in-addr.arpa. 600 IN PTR www.magelinux.com.

1.168.192.in-addr.arpa. 600 IN SOA dns.magelinux.com. dnsadmin.magelinux.com. 2015093001 3600 300 259200 43200

;; Query time: 1 msec

;; SERVER: 192.168.1.106#53(192.168.1.106)

;; WHEN: Wed Sep 30 02:13:40 2015

;; XFR size: 6 records (messages 1, bytes 215)

2.区域传送安全控制

  为了防止DNS区域数据信息泄露,需要控制可以传送的IP,使用allow-transfer;从DNS服务器上也应做同样的限制,否则仍可从从服务器获取完整区域数据。

  格式:allow-transfer { IP; };

  修改主DNS服务器区域配置文件:

[root@www named]# vim /etc/named.rfc1912.zones 

// Primary zone with transfers limited to localhost and the secondary
// (192.168.1.109). The dig axfr test below from @192.168.1.106 fails
// because the primary's own LAN address is not in this list, while the
// @127.0.0.1 test succeeds.
// NOTE(review): a source-address ACL is the baseline; BIND also accepts a
// TSIG key in this ACL (allow-transfer { key <keyname>; }; — placeholder)
// for an authenticated check, and the secondary needs its own allow-transfer,
// since this statement restricts the primary only.
zone "magelinux.com." IN {

        type master;

        file "magelinux.com.zone";

        allow-transfer { 127.0.0.1; 192.168.1.109; };

};


// Reverse zone with the same transfer ACL as the forward zone. Putting
// allow-transfer once in the options block would cover every zone and avoid
// the two lists drifting apart.
zone "1.168.192.in-addr.arpa" IN {

        type master;

        file "192.168.1.zone";

        allow-transfer { 127.0.0.1; 192.168.1.109; };

};

  使用dig命令测试区域传送:

[root@www named]# dig -t axfr magelinux.com @192.168.1.106

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.4 <<>> -t axfr magelinux.com @192.168.1.106

;; global options: +cmd

; Transfer failed.


[root@www named]# dig -t axfr magelinux.com @127.0.0.1

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.4 <<>> -t axfr magelinux.com @127.0.0.1

;; global options: +cmd

magelinux.com. 600 IN SOA dns.magelinux.com. admin.magelinux.com. 2015092909 7200 600 604800 86400

magelinux.com. 600 IN NS dns.magelinux.com.

magelinux.com. 600 IN NS dns2.magelinux.com.

magelinux.com. 600 IN MX 10 mail.magelinux.com.

dns.magelinux.com. 600 IN A 192.168.1.106

dns2.magelinux.com. 600 IN A 192.168.1.109

ftp.magelinux.com. 600 IN CNAME www.magelinux.com.

mail.magelinux.com. 600 IN A 192.168.1.107

pop.magelinux.com. 600 IN CNAME mail.magelinux.com.

www.magelinux.com. 600 IN A 192.168.1.108

magelinux.com. 600 IN SOA dns.magelinux.com. admin.magelinux.com. 2015092909 7200 600 604800 86400

;; Query time: 2 msec

;; SERVER: 127.0.0.1#53(127.0.0.1)

;; WHEN: Wed Sep 30 04:46:15 2015

;; XFR size: 11 records (messages 1, bytes 271)