bind配置高可用

bind从192.168.126

[root@localhost yum.repos.d]#  yum -y install bind bind-utils

[root@slavenamed slaves]# which named-checkconf

/usr/sbin/named-checkconf

[root@localhost yum.repos.d]# rpm -qf `which named-checkconf`

bind-9.16.23-14.el9.x86_64

bind从192.168.8.126

[root@slavenamed slaves]# cat /etc/named.conf

//

// named.conf

//

// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS

// server as a caching only nameserver (as a localhost DNS resolver only).

//

// See /usr/share/doc/bind*/sample/ for example named configuration files.

//

options {

listen-on port 53 { 127.0.0.1; 192.168.8.126; };

listen-on-v6 port 53 { ::1; };

directory "/var/named";

dump-file "/var/named/data/cache_dump.db";

statistics-file "/var/named/data/named_stats.txt";

memstatistics-file "/var/named/data/named_mem_stats.txt";

secroots-file "/var/named/data/named.secroots";

recursing-file "/var/named/data/named.recursing";

allow-query     { localhost; 192.168.8.0/24; };  #限制客户端的查询

/*

 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.

 - If you are building a RECURSIVE (caching) DNS server, you need to enable

   recursion.

 - If your recursive DNS server has a public IP address, you MUST enable access

   control to limit queries to your legitimate users. Failing to do so will

   cause your server to become part of large scale DNS amplification

   attacks. Implementing BCP38 within your network would greatly

   reduce such attack surface

*/

recursion yes;

dnssec-validation yes;

managed-keys-directory "/var/named/dynamic";

geoip-directory "/usr/share/GeoIP";

pid-file "/run/named/named.pid";

session-keyfile "/run/named/session.key";

/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */

include "/etc/crypto-policies/back-ends/bind.config";

};

logging {

        channel default_debug {

                file "data/named.run";

                severity dynamic;

        };

};

zone "." IN {

type hint;

file "named.ca";

};

include "/etc/named.rfc1912.zones";

include "/etc/named.root.key";

#zone "jin.com" IN {

 #       type master;

  #      file "jin.com.zone";  

#};

zone "jin.com" IN {          #配置bind高可用

type slave;

file "slaves/jin.com.zone";

masters {  192.168.8.118; };

masterfile-format text;

};

检查区域配置文件

[root@masternamed named]# named-checkzone jin.com jin.com.zone

检查配置文件

[root@masternamed named]# named-checkconf /etc/named.conf

（2）部署bind master

bind主192.168.8.118

[root@localhost yum.repos.d]#  yum -y install bind bind-utils

[root@masternamed named]# pwd

/var/named

[root@masternamed named]# touch jin.com.zone

[root@masternamed named]# chown -R named. jin.com.zone

[root@masternamed named]# cat jin.com.zone

$TTL 7200

jin.com. IN SOA jin.com. admin.jin.com. (

2024012302

1H

10M

1W

1D )

jin.com. IN NS ns1.jin.com.

jin.com. IN NS ns2.jin.com.

ns1.jin.com. IN A 192.168.8.118

ns2.jin.com. IN A 192.168.8.126

www.jin.com. IN A 192.168.8.118

www.jin.com. IN A 192.168.8.126

ftp.jin.com. IN A 192.168.8.5

ftp.jin.com. IN A 192.168.8.6

[root@masternamed named]# cat /etc/named.conf

//

// named.conf

//

// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS

// server as a caching only nameserver (as a localhost DNS resolver only).

//

// See /usr/share/doc/bind*/sample/ for example named configuration files.

//

options {

listen-on port 53 { 127.0.0.1; 192.168.8.118;};

listen-on-v6 port 53 { ::1; };

directory "/var/named";

dump-file "/var/named/data/cache_dump.db";

statistics-file "/var/named/data/named_stats.txt";

memstatistics-file "/var/named/data/named_mem_stats.txt";

secroots-file "/var/named/data/named.secroots";

recursing-file "/var/named/data/named.recursing";

allow-query     { localhost; 192.168.8.0/24; };

/*

 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.

 - If you are building a RECURSIVE (caching) DNS server, you need to enable

   recursion.

 - If your recursive DNS server has a public IP address, you MUST enable access

   control to limit queries to your legitimate users. Failing to do so will

   cause your server to become part of large scale DNS amplification

   attacks. Implementing BCP38 within your network would greatly

   reduce such attack surface

*/

recursion yes;

dnssec-validation yes;

managed-keys-directory "/var/named/dynamic";

geoip-directory "/usr/share/GeoIP";

pid-file "/run/named/named.pid";

session-keyfile "/run/named/session.key";

/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */

include "/etc/crypto-policies/back-ends/bind.config";

};

logging {

        channel default_debug {

                file "data/named.run";

                severity dynamic;

        };

};

zone "." IN {

type hint;

file "named.ca";

};

include "/etc/named.rfc1912.zones";

include "/etc/named.root.key";

#zone "jin.com" IN {

# type master;

# file "jin.com.zone";

#};

zone "jin.com" IN {

type master;

file "jin.com.zone";       #配置bind主的配置

also-notify { 192.168.8.126;};

allow-transfer {  192.168.8.126;};

allow-update { none; };

notify yes;

};

修改bind主的区域配置文件

[root@masternamed named]# cat jin.com.zone

$TTL 7200

jin.com. IN SOA jin.com. admin.jin.com. (

2024012303 

1H

10M

1W

1D )

jin.com. IN NS ns1.jin.com.

jin.com. IN NS ns2.jin.com.

ns1.jin.com. IN A 192.168.8.118

ns2.jin.com. IN A 192.168.8.126

www.jin.com. IN A 192.168.8.118

www.jin.com. IN A 192.168.8.126

ftp.jin.com. IN A 192.168.8.5

ftp.jin.com. IN A 192.168.8.6

ftp.jin.com. IN A 192.168.8.7

重启服务

[root@masternamed named]# systemctl restart named

查看bind从slaves

[root@slavenamed slaves]# cat jin.com.zone

$ORIGIN .

$TTL 7200 ; 2 hours

jin.com IN SOA jin.com. admin.jin.com. (

2024012303 ; serial

3600       ; refresh (1 hour)

600        ; retry (10 minutes)

604800     ; expire (1 week)

86400      ; minimum (1 day)

)

NS ns1.jin.com.

NS ns2.jin.com.

$ORIGIN jin.com.

ftp A 192.168.8.5

A 192.168.8.6

A 192.168.8.7

ns1 A 192.168.8.118

ns2 A 192.168.8.126

www A 192.168.8.118

A 192.168.8.126

[root@slavenamed slaves]# pwd

/var/named/slaves