I. Lab environment
Servers: 192.168.1.254/24 (master) and 192.168.1.253/24 (slave)
ns1.baidu.org.tw    192.168.1.254
ns2.baidu.org.tw    192.168.1.253
host1.baidu.org.tw  192.168.1.1
II. Name server setup
1. Install the packages
# yum install bind bind-chroot caching-nameserver
2. Master name server (192.168.1.254)
# vim /var/named/chroot/etc/named.caching-nameserver.conf
// The caching-nameserver defaults only listen on and answer 127.0.0.1/localhost;
// change these four settings to "any" so the server serves the network.
// Note: allow-query { any; } on a server that also recurses makes it an open
// resolver; restrict it to the LAN (section 4 uses allow-query { 192.168.1.0/24; }).
listen-on port 53 { any; };
allow-query { any; };
match-clients { any; };
match-destinations { any; };
# vim /var/named/chroot/etc/named.rfc1912.zones
// forward zone
zone "baidu.org.tw" {
    type master;
    file "baidu.org.tw.zone";
};
// reverse zone for 192.168.1.0/24
zone "1.168.192.in-addr.arpa" {
    type master;
    file "192.168.1.rev";
};
# cd /var/named/chroot/var/named/
# cp -a localhost.zone baidu.org.tw.zone
# vim baidu.org.tw.zone
; keep the $TTL and SOA from localhost.zone, replace the records below them
@       IN NS   ns1.baidu.org.tw.
ns1     IN A    192.168.1.254
host1   IN A    192.168.1.1
# cp -a named.local 192.168.1.rev
# vim 192.168.1.rev
; owner names are the last octet of the address; PTR targets must be absolute (trailing dot)
@       IN NS   ns1.baidu.org.tw.
1       IN PTR  host1.baidu.org.tw.
254     IN PTR  ns1.baidu.org.tw.
# service named start
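Forward and reverse zone files are edited by hand here and drift apart easily (an A record gets added, the PTR is forgotten). The following script is an added example, not part of the original notes: it builds both zone files for the hosts of section I and checks that every A record has a matching PTR and vice versa. The names and addresses are the notes'; the SOA timers and serial are constructed values.

```python
# Added example, not from the original notes: builds the forward and reverse
# zone data for the hosts listed in section I and checks them against each other,
# so that every A record has the matching PTR and vice versa. The SOA values
# and the serial are constructed; names and addresses are the notes'.
import ipaddress

DOMAIN = "baidu.org.tw"
REVERSE_ZONE = "1.168.192.in-addr.arpa"
# Constructed from the lab environment table: host -> address.
HOSTS = {"ns1": "192.168.1.254", "ns2": "192.168.1.253", "host1": "192.168.1.1"}
NAMESERVERS = ["ns1", "ns2"]


def zone_header(serial):
    """$TTL, SOA and the NS set shared by both zone files (ns1 is the master)."""
    lines = ["$TTL 86400",
             f"@ IN SOA ns1.{DOMAIN}. root.{DOMAIN}. ( {serial} 3600 900 604800 86400 )"]
    return lines + [f"@ IN NS {ns}.{DOMAIN}." for ns in NAMESERVERS]


def forward_zone(serial=2024010101):
    """Lines of baidu.org.tw.zone: one A record per host."""
    return zone_header(serial) + [f"{h} IN A {a}" for h, a in sorted(HOSTS.items())]


def reverse_zone(serial=2024010101):
    """Lines of 192.168.1.rev: owner is the last octet, target is the absolute host name."""
    by_addr = sorted(HOSTS.items(), key=lambda kv: ipaddress.ip_address(kv[1]))
    return zone_header(serial) + [f"{a.rsplit('.', 1)[1]} IN PTR {h}.{DOMAIN}." for h, a in by_addr]


def records(lines, rtype, origin):
    """Map absolute owner -> rdata for one record type, from 'owner IN TYPE rdata' lines."""
    out = {}
    for line in lines:
        parts = line.split()
        if len(parts) == 4 and parts[1] == "IN" and parts[2] == rtype:
            out[f"{parts[0]}.{origin}."] = parts[3]
    return out


def check_consistency(fwd_lines, rev_lines):
    """List every A record without a matching PTR and every PTR without a matching A."""
    a = records(fwd_lines, "A", DOMAIN)
    ptr = records(rev_lines, "PTR", REVERSE_ZONE)
    problems = []
    for name, addr in a.items():
        # ipaddress gives the in-addr.arpa owner for us: "254.1.168.192.in-addr.arpa"
        reverse_name = ipaddress.ip_address(addr).reverse_pointer + "."
        if ptr.get(reverse_name) != name:
            problems.append(f"A {name} -> {addr}: no PTR {reverse_name} pointing back")
    for reverse_name, name in ptr.items():
        if name not in a:
            problems.append(f"PTR {reverse_name} -> {name}: no matching A record")
    return problems


if __name__ == "__main__":
    print("\n".join(forward_zone()))
    print("\n".join(reverse_zone()))
    print(check_consistency(forward_zone(), reverse_zone()) or "forward/reverse consistent")
```

Run it after every edit of the pair; an empty problem list is the expected result. The same check on a live server is `named-checkzone` for syntax plus a comparison of `dig -t axfr` output for both zones.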
3. Slave name server (192.168.1.253)
# vim /var/named/chroot/etc/named.rfc1912.zones
// the slaves/ directory is writable by named, which is required for the transferred copy
zone "baidu.org.tw" {
    type slave;
    file "slaves/baidu.org.tw.zone";
    masters { 192.168.1.254; };
};
zone "1.168.192.in-addr.arpa" {
    type slave;
    file "slaves/192.168.1.rev";
    masters { 192.168.1.254; };
};
# service named start
4. Forwarding server
Forward first: send queries to the upstream forwarder, and fall back to normal recursion if it does not answer.
options {
    allow-query { 192.168.1.0/24; };
    forward first;
    forwarders { 61.175.153.129; };
};
Forward only: send every query to the internal master and never recurse on its own.
options {
    allow-query-cache { any; };
    forward only;
    forwarders {
        192.168.1.254;
    };
};
5. Views and ACLs
// once a view is defined every zone must live inside a view, so each view
// includes its own zone definitions from a file; views are tried in file
// order and the first match-clients hit wins
acl cnc { 192.168.1.101; };
acl tel { 192.168.1.102; };
view cncnet {
    match-clients { cnc; };
    recursion yes;
    include "/etc/masacnc";
};
view telnet {
    match-clients { tel; };
    recursion yes;
    include "/etc/masatel";
};
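The matching rules behind match-clients are easy to get wrong (order, negation, a client that fits no view). The following is an added example, not part of the original notes: a small model of how named evaluates the acl and view statements above. It reproduces the address-match-list rule (elements are tried in order, the first element whose address matches decides, and a matching negated element means "no match") and view selection (first matching view wins; a client that matches no view is refused). The acl and view names are the notes'; the extra client addresses are constructed.

```python
# Added example, not from the original notes: a model of named's address-match-list
# and view selection for the acl/view statements in section 5.
import ipaddress

# Constructed to mirror the acl statements in the notes.
ACLS = {"cnc": ["192.168.1.101"], "tel": ["192.168.1.102"]}
# Views in named.conf order.
VIEWS = [("cncnet", ["cnc"]), ("telnet", ["tel"])]


def match_list(client, elements, acls=ACLS, depth=0):
    """BIND address-match-list semantics for one client address: the first element
    whose address part matches decides; a negated match ('!x') means the whole
    list does not match, later elements are not consulted."""
    if depth > 8:
        raise ValueError("acl references nested too deeply (or circular)")
    addr = ipaddress.ip_address(client)
    for element in elements:
        negated = element.startswith("!")
        item = element[1:].strip() if negated else element
        if item == "any":
            hit = True
        elif item == "none":
            hit = False
        elif item in acls:                       # nested named acl
            hit = match_list(client, acls[item], acls, depth + 1)
        else:                                    # literal address or prefix
            hit = addr in ipaddress.ip_network(item, strict=False)
        if hit:
            return not negated
    return False


def select_view(client, views=VIEWS, acls=ACLS):
    """Name of the first view whose match-clients matches, or None (named answers REFUSED)."""
    for name, match_clients in views:
        if match_list(client, match_clients, acls):
            return name
    return None


if __name__ == "__main__":
    for ip in ("192.168.1.101", "192.168.1.102", "192.168.1.103"):
        print(ip, "->", select_view(ip))
```

With only the two views of the notes, 192.168.1.103 matches nothing and is refused; appending a view with `match-clients { any; };` is the usual catch-all, and it must come last because earlier views are tried first.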
6. TSIG for master/slave zone transfers
TSIG (transaction signature) authenticates the transfer with a key shared by master and slave. Generate the key:
# dnssec-keygen -a hmac-md5 -b 128 -n HOST pgkey
The base64 secret from the generated .private file goes into the key statement on both servers; the key name must be identical on both sides.
Master (192.168.1.254):
// the key must be defined before the server statement that references it
key pgkey {
    algorithm hmac-md5;
    secret "BmGdrEJzYDFegy4wM8TBdQ==";
};
// sign all traffic with the slave (lab address from section I) using pgkey
server 192.168.1.253 { keys { pgkey; }; };
zone "baidu.org.tw" IN {
    type master;
    file "baidu.org.tw.zone";
    allow-transfer { key pgkey; };   // only clients that sign with pgkey may transfer
};
Slave (192.168.1.253):
key pgkey {
    algorithm hmac-md5;
    secret "BmGdrEJzYDFegy4wM8TBdQ==";
};
// sign all traffic with the master using pgkey
server 192.168.1.254 { keys { pgkey; }; };
zone "baidu.org.tw" IN {
    type slave;
    file "slaves/baidu.org.tw.slave.zone";
    masters { 192.168.1.254 key pgkey; };
};
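To make clear what allow-transfer { key pgkey; } actually checks, the following is an added example, not part of the original notes: the TSIG signing and verification that a client and server perform on a transfer request, built from the DNS wire format with only the Python standard library. The key name and secret are the ones in the notes; the message id, the helper names and the time values are constructed. The algorithm is parameterised so the same code shows hmac-sha256, which newer BIND releases prefer over hmac-md5.

```python
# Added example, not from the original notes: TSIG (RFC 8945) sign/verify over a
# constructed AXFR query, using the key name and secret from the notes.
import base64, hashlib, hmac, os, struct, time

TSIG_TYPE, CLASS_ANY, AXFR = 250, 255, 252
# named.conf algorithm value -> (TSIG algorithm name on the wire, digest)
ALGORITHMS = {"hmac-md5": ("hmac-md5.sig-alg.reg.int", hashlib.md5),
              "hmac-sha256": ("hmac-sha256", hashlib.sha256)}


def generate_secret(bits=128):
    """What dnssec-keygen -b 128 produces: random key material, base64 for named.conf."""
    return base64.b64encode(os.urandom(bits // 8)).decode()


def secret_bits(secret_b64):
    return len(base64.b64decode(secret_b64)) * 8


def wire_name(name):
    """Uncompressed, lowercased wire form (the canonical form the digest requires)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.lower().rstrip(".").split(".")) + b"\x00"


def build_query(msg_id, qname, qtype=AXFR):
    """Minimal DNS query: 12-byte header with QDCOUNT=1, then one question."""
    return struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0) + wire_name(qname) + struct.pack("!HH", qtype, 1)


def tsig_variables(keyname, alg_name, time_signed, fudge, error=0, other=b""):
    """TSIG fields covered by the MAC, in RFC 8945 order: name, class ANY, TTL 0, algorithm,
    time signed (48 bit), fudge, error, other length, other data."""
    return (wire_name(keyname) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(alg_name)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)


def sign(message, keyname, secret_b64, algorithm="hmac-md5", fudge=300, now=None):
    """Client side: append a TSIG RR to an unsigned message and bump ARCOUNT."""
    alg_name, digestmod = ALGORITHMS[algorithm]
    time_signed = int(time.time() if now is None else now)
    key = base64.b64decode(secret_b64)
    mac = hmac.new(key, message + tsig_variables(keyname, alg_name, time_signed, fudge), digestmod).digest()
    rdata = (wire_name(alg_name) + time_signed.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + struct.pack("!HHH", struct.unpack("!H", message[:2])[0], 0, 0))
    tsig_rr = wire_name(keyname) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + tsig_rr


def _read_name(buf, off):
    """Read an uncompressed name; returns (name without trailing dot, next offset)."""
    labels = []
    while buf[off]:
        labels.append(buf[off + 1:off + 1 + buf[off]].decode())
        off += 1 + buf[off]
    return ".".join(labels), off + 1


def verify(signed, keys, now=None):
    """Server side: locate the trailing TSIG RR, recompute the MAC with the named shared
    secret and check the time window. Returns (ok, reason) using BIND's TSIG error names."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    off = 12
    for _ in range(qd):                     # skip questions: name + type + class
        off = _read_name(signed, off)[1] + 4
    for _ in range(an + ns + ar - 1):       # skip every RR except the last (the TSIG RR)
        off = _read_name(signed, off)[1] + 8
        off += 2 + struct.unpack("!H", signed[off:off + 2])[0]
    tsig_start = off
    keyname, off = _read_name(signed, off)
    rtype = struct.unpack("!H", signed[off:off + 2])[0]
    off += 10                               # type, class, ttl, rdlength
    if rtype != TSIG_TYPE:
        return False, "no TSIG record"
    alg_name, off = _read_name(signed, off)
    time_signed = int.from_bytes(signed[off:off + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[off + 6:off + 10])
    mac = signed[off + 10:off + 10 + mac_size]
    digestmod = next((d for n, d in ALGORITHMS.values() if n == alg_name), None)
    if keyname not in keys or digestmod is None:
        return False, "BADKEY"
    # The message exactly as the client signed it: TSIG RR removed, ARCOUNT decremented.
    unsigned = signed[:10] + struct.pack("!H", ar - 1) + signed[12:tsig_start]
    expected = hmac.new(base64.b64decode(keys[keyname]),
                        unsigned + tsig_variables(keyname, alg_name, time_signed, fudge), digestmod).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "BADSIG"
    if abs(int(time.time() if now is None else now) - time_signed) > fudge:
        return False, "BADTIME"
    return True, "NOERROR"
```

Because the MAC covers the whole message, a request whose question was altered in transit, a request signed with a different secret, and a replayed request outside the fudge window are all rejected; the 16 decoded bytes of the notes' secret are the 128 bits that `-b 128` asked for.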
7. Subdomain delegation
Zone                 Name server              Address
baidu.org.tw         ns.baidu.org.tw          192.168.1.1
sales.baidu.org.tw   ns.sales.baidu.org.tw    192.168.1.2
Parent zone (192.168.1.1):
zone "baidu.org.tw" {
    type master;
    file "baidu.org.tw.zone";
};
baidu.org.tw.zone:
@         IN NS   ns1.baidu.org.tw.
ns1       IN A    192.168.1.1
; delegate sales to its own server; ns.sales is inside the delegated zone,
; so the parent must also carry its A record (glue) or resolvers cannot reach it
sales     IN NS   ns.sales
ns.sales  IN A    192.168.1.2
Child zone (192.168.1.2):
zone "sales.baidu.org.tw" {
    type master;
    file "sales.baidu.org.tw.zone";
};
sales.baidu.org.tw.zone:
@    IN NS   ns.sales.baidu.org.tw.
ns   IN A    192.168.1.2
www  IN A    1.1.1.1
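Delegations fail quietly when the parent and child disagree, so the following is an added example, not part of the original notes: a delegation check over the parent and child record sets above, of the kind run before handing a subdomain to another server. It flags a missing NS set, an NS set that differs between parent and child, an in-bailiwick name server without a glue A record, and records in the parent that lie under the delegation point (they are occluded and never served). The record sets are transcribed from the notes' zone files; the broken variants in the usage are constructed.

```python
# Added example, not from the original notes: delegation consistency check for the
# parent/child zones of section 7. Records are (absolute owner, type, rdata).
PARENT = "baidu.org.tw."
CHILD = "sales.baidu.org.tw."
# Transcribed from the notes' baidu.org.tw.zone
PARENT_RRS = [
    (PARENT, "NS", "ns1.baidu.org.tw."),
    ("ns1.baidu.org.tw.", "A", "192.168.1.1"),
    (CHILD, "NS", "ns.sales.baidu.org.tw."),
    ("ns.sales.baidu.org.tw.", "A", "192.168.1.2"),      # glue
]
# Transcribed from the notes' sales.baidu.org.tw.zone
CHILD_RRS = [
    (CHILD, "NS", "ns.sales.baidu.org.tw."),
    ("ns.sales.baidu.org.tw.", "A", "192.168.1.2"),
    ("www.sales.baidu.org.tw.", "A", "1.1.1.1"),
]


def rdata(records, owner, rtype):
    """Set of rdata values for one owner/type."""
    return {r for o, t, r in records if o == owner and t == rtype}


def is_below(name, zone):
    """True when name is strictly inside zone (the zone apex itself is not 'below')."""
    return name != zone and name.endswith("." + zone)


def check_delegation(parent_rrs, child_rrs, child):
    """Return a list of human-readable problems; an empty list means the delegation is sound."""
    problems = []
    parent_ns = rdata(parent_rrs, child, "NS")
    child_ns = rdata(child_rrs, child, "NS")
    if not parent_ns:
        problems.append(f"no NS records for {child} in the parent zone")
    if not child_ns:
        problems.append(f"no NS records at the apex of {child}")
    if parent_ns and child_ns and parent_ns != child_ns:
        problems.append(f"NS set mismatch: parent {sorted(parent_ns)} vs child {sorted(child_ns)}")
    # A name server inside the delegated zone can only be reached if the parent carries glue.
    for ns in parent_ns:
        if is_below(ns, child) and not rdata(parent_rrs, ns, "A"):
            problems.append(f"in-bailiwick name server {ns} has no glue A record in the parent")
    # Anything else the parent holds under the delegation point is occluded: resolvers
    # are sent to the child's servers and never see it.
    glue_owners = {ns for ns in parent_ns if is_below(ns, child)}
    for owner, rtype, _ in parent_rrs:
        if is_below(owner, child) and not (owner in glue_owners and rtype == "A"):
            problems.append(f"{owner} {rtype} in the parent is below the delegation and is occluded")
    return problems


if __name__ == "__main__":
    print(check_delegation(PARENT_RRS, CHILD_RRS, CHILD) or "delegation OK")
    # Constructed broken variant: parent forgot the glue record.
    print(check_delegation([r for r in PARENT_RRS if r[0] != "ns.sales.baidu.org.tw."], CHILD_RRS, CHILD))
```

The occlusion check matters in practice: a `www.sales` record left in the parent after delegation looks correct in the parent's zone file but is never answered.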
8. Wildcard records
; any name in the zone that does not otherwise exist resolves to 192.168.1.1
*    IN A   192.168.1.1
; $GENERATE expands to stu1 ... stu253 with the matching last octet, i.e. stu1 resolves to 192.168.1.1
$GENERATE 1-253 stu$ IN A 192.168.1.$
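How the two records above interact (which one answers a given name) is not obvious from the zone file, so the following is an added example, not part of the original notes: it expands the $GENERATE directive into plain records and then answers queries against the zone with the wildcard rule BIND applies (RFC 4592): an existing name is answered from its own records, a name that does not exist is matched by the `*` record of its closest existing ancestor, and names below an existing name are never wildcard-matched. Only the plain `$` substitution of $GENERATE is handled; the two zone lines are the notes', the query names are constructed.

```python
# Added example, not from the original notes: $GENERATE expansion plus wildcard
# lookup semantics for the two records in section 8.
import re

ORIGIN = "baidu.org.tw."
# The two lines from the notes.
ZONE_LINES = ["* IN A 192.168.1.1", "$GENERATE 1-253 stu$ IN A 192.168.1.$"]


def expand_generate(directive):
    """$GENERATE start-stop[/step] lhs [class] type rhs -> [(owner, type, rdata)], '$' = counter."""
    m = re.match(r"\$GENERATE\s+(\d+)-(\d+)(?:/(\d+))?\s+(\S+)\s+(?:IN\s+)?([A-Z]+)\s+(\S+)$",
                 directive.strip())
    if not m:
        raise ValueError(f"unsupported $GENERATE form: {directive}")
    start, stop, step, lhs, rtype, rhs = m.groups()
    return [(lhs.replace("$", str(i)), rtype, rhs.replace("$", str(i)))
            for i in range(int(start), int(stop) + 1, int(step or 1))]


def fqdn(owner, origin=ORIGIN):
    """Relative owner names are completed with the zone origin, as $ORIGIN does."""
    return owner if owner.endswith(".") else f"{owner}.{origin}"


def build_zone(lines, origin=ORIGIN):
    """Zone records (absolute owner, type, rdata) from 'owner IN TYPE rdata' and $GENERATE lines."""
    rrs = []
    for line in lines:
        if line.startswith("$GENERATE"):
            rrs += [(fqdn(o, origin), t, r) for o, t, r in expand_generate(line)]
        else:
            owner, _cls, rtype, rd = line.split()
            rrs.append((fqdn(owner, origin), rtype, rd))
    return rrs


def lookup(rrs, qname, qtype):
    """Answer rdata for qname/qtype with RFC 4592 wildcard rules."""
    names = {o for o, _, _ in rrs}

    def exists(n):      # a name exists if it owns records or has descendants that do
        return any(o == n or o.endswith("." + n) for o in names)

    if exists(qname):   # existing name: its own records only (empty list = NODATA, no wildcard)
        return sorted(r for o, t, r in rrs if o == qname and t == qtype)
    labels = qname.split(".")
    for i in range(1, len(labels) - 1):         # closest existing ancestor, then its '*'
        ancestor = ".".join(labels[i:])
        if exists(ancestor):
            return sorted(r for o, t, r in rrs if o == "*." + ancestor and t == qtype)
    return []                                   # nothing in this zone applies


if __name__ == "__main__":
    zone = build_zone(ZONE_LINES)
    for q in ("stu1", "stu200", "nosuchhost", "deep.stu1"):
        print(f"{q}.{ORIGIN} A ->", lookup(zone, f"{q}.{ORIGIN}", "A"))
```

Note the last case: because stu1 exists, nothing under it (deep.stu1) is covered by the zone's `*` record, which is the behaviour people are most often surprised by when a wildcard "stops working" after explicit records are added.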