1,关闭防火墙及selinux:
[root@master ~]# systemctl stop firewalld
[root@master ~]# setenforce 0
2. 安装软件包:
[root@slave ~]# yum install bind -y
主从服务器都需要进行以上操作
3.配置主服务器
服务文件:
options {
listen-on port 53 { 127.0.0.1; };//监听对象IPV4地址
listen-on-v6 port 53 { ::1; };//IPV6地址
directory "/var/named";//数据文件主要路径
dump-file "/var/named/data/cache_dump.db";//查询数据备份文件
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { localhost; };//允许哪些主机发起域名查询
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;//是否开启递归查询
dnssec-validation yes;
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};//域
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
配置服务文件并添加域(openlab.com):
options {
listen-on port 53 { 192.168.175.130; };//监听对象IPV4地址
listen-on-v6 port 53 { ::1; };//IPV6地址
directory "/var/named";//数据文件主要路径
dump-file "/var/named/data/cache_dump.db";//查询数据备份文件
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { any; };//允许哪些主机发起域名查询
allow-transfer { 192.168.91.133; };//默认不存在;允许向那个服务器同步资源信息
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;//是否开启递归查询
dnssec-validation yes;
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "openlab.com" IN {
type master;
file "openlab";
};//添加正向域
zone "175.168.192.in-addr.arpa" IN {
type master;
file "openlab_re";
};//添加反向域
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
创建并添加正向资源记录文件:
[root@master ~]# vim /var/named/openlab
$TTL 1D ;;将TTL值统一设置为1天
@ IN SOA openlab.com. admin.admin.com ( 2024011600
1M
1M
3M
1D )
IN NS dns.openlab.com.
dns IN A 192.168.175.130
www IN A 192.168.175.111
创建并添加反向资源记录文件:
[root@master ~]# vim /var/named/openlab_re
$TTL 1D ;;将TTL值统一设置为1天
@ IN SOA openlab.com. admin.admin.com ( 2024011600
1M
1M
3M
1D )
IN NS dns.openlab.com.
130 IN PTR dns.openlab.com
111 IN PTR www.openlab.com
重启服务后进行测试:
[root@master ~]# systemctl restart named
[root@master ~]# nslookup
> server 192.168.175.130
Default server: 192.168.175.130
Address: 192.168.175.130#53
> dns.openlab.com
Server: 192.168.175.130
Address: 192.168.175.130#53
Name: dns.openlab.com
Address: 192.168.175.130
> www.openlab.com
Server: 192.168.175.130
Address: 192.168.175.130#53
Name: www.openlab.com
Address: 192.168.175.111
> 192.168.175.130
130.175.168.192.in-addr.arpa name = dns.openlab.com.175.168.192.in-addr.arpa.
> 192.168.175.111
111.175.168.192.in-addr.arpa name = www.openlab.com.175.168.192.in-addr.arpa.
4. 配置从服务器
配置服务文件并添加域(openlab.com):
options {
listen-on port 53 { 192.168.175.134; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-validation yes;
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "openlab.com" IN {
type slave;
file "named.openlab";
masters { 192.168.175.130; };
};
zone "175.168.192.in-addr.arpa" IN {
type slave;
file "named.openlab_re";
masters { 192.168.175.130; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
不用添加资源文件,将会从主服务器同步过来:
[root@slave ~]# ll /var/named
total 36
drwxrwx---. 2 named named 4096 Jan 19 21:13 data
drwxrwx---. 2 named named 4096 Jan 19 21:14 dynamic
-rw-r-----. 1 root named 2253 Sep 22 02:33 named.ca
-rw-r-----. 1 root named 152 Sep 22 02:33 named.empty
-rw-r-----. 1 root named 152 Sep 22 02:33 named.localhost
-rw-r-----. 1 root named 168 Sep 22 02:33 named.loopback
-rw-r--r--. 1 named named 259 Jan 19 21:13 named.openlab //正向
-rw-r--r--. 1 named named 393 Jan 19 21:13 named.openlab_re //反向
drwxrwx---. 2 named named 4096 Sep 22 02:33 slaves
重启服务后进行测试:
[root@slave ~]# systemctl restart named
[root@slave ~]# nslookup
> server 192.168.175.134
Default server: 192.168.175.134
Address: 192.168.175.134#53
> dns.openlab.com
Server: 192.168.175.134
Address: 192.168.175.134#53
Name: dns.openlab.com
Address: 192.168.175.130
> www.openlab.com
Server: 192.168.175.134
Address: 192.168.175.134#53
Name: www.openlab.com
Address: 192.168.91.111
> 192.168.175.130
130.175.168.192.in-addr.arpa name = dns.openlab.com.175.168.192.in-addr.arpa.
> 192.168.175.111
111.175.168.192.in-addr.arpa name = www.openlab.com.175.168.192.in-addr.arpa.