DNS主从服务部署

(1)节点信息

console01 主DNS 192.168.80.3 192.168.10.3
console02 从DNS 192.168.80.4 192.168.10.4

(2)环境部署

# yum -y install bind bind-chroot bind-utils bind-libs

# service iptables stop

# setenforce 0

（说明：关闭iptables和SELinux只是为了简化实验环境；生产环境应保留防火墙、只放行53/tcp和53/udp，并让named在SELinux enforcing模式下运行。）

(3)配置主DNS

1.编辑DNS主配置文件/etc/named.conf

# vim /etc/named.conf

// Primary (master) named.conf.
// NOTE(review): "allow-query { any; }" together with "recursion yes" makes this
// server answer recursive queries for every client that can reach
// 192.168.10.3:53 (the "ra" flag in the dig replies below shows recursion is
// offered). If that address is reachable from outside the LAN this is an open
// resolver; limit it with "allow-recursion { localnets; localhost; };" or use
// "recursion no;" on a purely authoritative server.
options {
    listen-on port 53 { 192.168.10.3; };   // only the 192.168.10.x interface; 192.168.80.3 is not served
    listen-on-v6 port 53 { ::1; };
    directory   "/var/named";              // relative file names below resolve against this
    dump-file   "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query     { any; };
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;
    // NOTE(review): ISC's DLV lookaside registry has been retired, so this
    // setting and the DLV key file below add nothing; newer BIND releases no
    // longer accept "dnssec-lookaside" at all -- remove it when upgrading.
    dnssec-lookaside auto;
        /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";
};
logging {
        channel default_debug {
                file "data/named.run";   // relative to "directory": /var/named/data/named.run
                severity dynamic;
        };
};

zone "." IN {
    type hint;
    file "named.ca";   // root hints; needed because recursion is enabled
};

include "/etc/named.rfc1912.zones";   // the liwanliang.com zones are appended to this file
include "/etc/named.root.key";

2.编辑区域配置文件/etc/named.rfc1912.zones

# vim /etc/named.rfc1912.zones

在最后添加以下内容:

// Primary copies of the forward and reverse zones, appended to named.rfc1912.zones.
zone "liwanliang.com" IN {
    type master;
    file "liwanliang.com.zone";          // relative to the options "directory" (/var/named)
    notify yes;
    also-notify { 192.168.10.4; };       // explicitly NOTIFY the secondary (ns2) on every change
    allow-transfer { 192.168.10.4; };    // AXFR/IXFR only to the secondary. This is a source-IP
                                         // check only; a TSIG key would also authenticate the peer.
};
zone "10.168.192.in-addr.arpa." IN {
    type master;
    file "192.168.10.3.zone";            // reverse zone for 192.168.10.0/24
    notify yes;
    also-notify { 192.168.10.4; };
    allow-transfer { 192.168.10.4; };
};

3.编辑区域文件的资源记录

# cd /var/named

# vim liwanliang.com.zone

添加如下内容:

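$TTL 600
; Forward zone for liwanliang.com. The SOA MNAME and RNAME must end with a dot:
; without it they are relative to $ORIGIN and silently become
; ns1.liwanliang.com.liwanliang.com. (the original file omitted the dots).
@       IN  SOA     ns1.liwanliang.com. mail.liwanliang.com. (
                    2017070713  ;serial  (increase on every edit or the secondary will not re-transfer)
                    2H  ;refresh
                    4M  ;retry
                    1D  ;expire
                    2D )    ;minimum (negative-caching TTL)
@       IN  NS      ns1.liwanliang.com.
@       IN  NS      ns2.liwanliang.com.
@       IN  MX 10   mail.liwanliang.com.
ns1     IN  A       192.168.10.3   ; primary  (console01)
ns2     IN  A       192.168.10.4   ; secondary (console02)
mail    IN  A       192.168.10.3
www     IN  A       192.168.10.3
ftp     IN  A       192.168.10.3
dhcp    IN  A       192.168.10.3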

# vim 192.168.10.3.zone

添加以下内容:

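$TTL 600
; Reverse zone for 192.168.10.0/24 ($ORIGIN is 10.168.192.in-addr.arpa.).
; The SOA MNAME and RNAME must end with a dot; without it they are relative to
; $ORIGIN and become e.g. ns1.liwanliang.com.10.168.192.in-addr.arpa.
; (the original file omitted the dots).
@       IN  SOA     ns1.liwanliang.com. mail.liwanliang.com. (
                    2017070713  ;serial  (increase on every edit)
                    2H  ;refresh
                    4M  ;retry
                    1D  ;expire
                    2D )    ;minimum
@   IN      NS      ns1.liwanliang.com.
@   IN      NS      ns2.liwanliang.com.
@   IN      MX 10   mail.liwanliang.com.   ; unusual in a reverse zone; harmless but unused
3   IN      PTR     ns1.liwanliang.com.    ; 192.168.10.3
4   IN      PTR     ns2.liwanliang.com.    ; 192.168.10.4
; Several PTRs for one address are legal, but most resolvers use only the first
; record returned; one canonical name per address is the usual practice.
3   IN      PTR     mail.liwanliang.com.
3   IN      PTR     www.liwanliang.com.
3   IN      PTR     ftp.liwanliang.com.
3   IN      PTR     dhcp.liwanliang.com.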

4.修改目录文件权限

DNS运行的系统用户为named，因此需要保证/var/named目录下文件的权限正确。因为采用了chroot(yum -y install bind-chroot)安全配置，DNS的所有配置都通过回环挂载(bind mount)的方式映射到chroot内，即：修改/var/named下的配置，实际上修改的是/var/named/chroot/var/named下的配置。
这是通过mount --bind方式实现的，通过mount命令可以查看：

/var/named on /var/named/chroot/var/named type none (rw,bind)
/etc/named.conf on /var/named/chroot/etc/named.conf type none (rw,bind)
/etc/named.rfc1912.zones on /var/named/chroot/etc/named.rfc1912.zones type none (rw,bind)
/etc/rndc.key on /var/named/chroot/etc/rndc.key type none (rw,bind)
/usr/lib64/bind on /var/named/chroot/usr/lib64/bind type none (rw,bind)
/etc/named.iscdlv.key on /var/named/chroot/etc/named.iscdlv.key type none (rw,bind)
/etc/named.root.key on /var/named/chroot/etc/named.root.key type none (rw,bind)
/etc/services on /var/named/chroot/etc/services type none (rw,bind)
/etc/protocols on /var/named/chroot/etc/protocols type none (rw,bind)
/lib64/libnss_files-2.12.so on /var/named/chroot/lib64/libnss_files.so.2 type none (rw,bind)

# chown -R root.named /var/named/chroot

# chown -R root.named /var/named/slaves

5.检查配置文件是否正确

# named-checkzone "liwanliang.com" liwanliang.com.zone

# named-checkconf

# service named configtest

6.开启并检测DNS服务

# service named start

# ps -ef | grep named

# netstat -tupln | grep named

7.验证主DNS正反向解析

假如配置了主机的DNS指向:

echo "DNS1=192.168.10.3" >> /etc/sysconfig/network-scripts/ifcfg-eth0
service network restart

则采用以下命令即可:

# dig -t A www.liwanliang.com

假如未配置主机的DNS指向,通过@DNS的IP进行检测:

# dig -t A www.liwanliang.com @192.168.10.3

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A www.liwanliang.com @192.168.10.3
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42299
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.liwanliang.com.        IN    A

;; ANSWER SECTION:
www.liwanliang.com.    600    IN    A    192.168.10.3

;; AUTHORITY SECTION:
liwanliang.com.        600    IN    NS    ns2.liwanliang.com.
liwanliang.com.        600    IN    NS    ns1.liwanliang.com.

;; ADDITIONAL SECTION:
ns1.liwanliang.com.    600    IN    A    192.168.10.3
ns2.liwanliang.com.    600    IN    A    192.168.10.4

;; Query time: 0 msec
;; SERVER: 192.168.10.3#53(192.168.10.3)
;; WHEN: Sat Jul  8 21:34:46 2017
;; MSG SIZE  rcvd: 120

反向解析:

# dig -x 192.168.10.3 @192.168.10.3

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -x 192.168.10.3 @192.168.10.3
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23601
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;3.10.168.192.in-addr.arpa.    IN    PTR

;; ANSWER SECTION:
3.10.168.192.in-addr.arpa. 600    IN    PTR    mail.liwanliang.com.
3.10.168.192.in-addr.arpa. 600    IN    PTR    www.liwanliang.com.
3.10.168.192.in-addr.arpa. 600    IN    PTR    ftp.liwanliang.com.
3.10.168.192.in-addr.arpa. 600    IN    PTR    dhcp.liwanliang.com.
3.10.168.192.in-addr.arpa. 600    IN    PTR    ns1.liwanliang.com.

;; AUTHORITY SECTION:
10.168.192.in-addr.arpa. 600    IN    NS    ns1.liwanliang.com.
10.168.192.in-addr.arpa. 600    IN    NS    ns2.liwanliang.com.

;; ADDITIONAL SECTION:
ns1.liwanliang.com.    600    IN    A    192.168.10.3
ns2.liwanliang.com.    600    IN    A    192.168.10.4

;; Query time: 0 msec
;; SERVER: 192.168.10.3#53(192.168.10.3)
;; WHEN: Sat Jul  8 21:49:50 2017
;; MSG SIZE  rcvd: 213

至此,主DNS配置和验证完成

(4)从DNS配置

1.基础环境

# yum -y install bind bind-chroot bind-utils bind-libs

2.编辑主配置文件

# vim /etc/named.conf

// Secondary (slave) named.conf; identical to the primary's apart from listen-on.
// NOTE(review): "allow-query { any; }" with "recursion yes" makes this server a
// recursive resolver for every client that can reach 192.168.10.4:53 (the "ra"
// flag in the dig replies below shows recursion is offered). If that address is
// reachable from outside the LAN this is an open resolver; limit it with
// "allow-recursion { localnets; localhost; };" or use "recursion no;".
options {
    listen-on port 53 { 192.168.10.4; };   // only the 192.168.10.x interface; 192.168.80.4 is not served
    listen-on-v6 port 53 { ::1; };
    directory   "/var/named";              // relative file names below resolve against this
    dump-file   "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query     { any; };
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;
    // NOTE(review): ISC's DLV lookaside registry has been retired, so this
    // setting and the DLV key file below add nothing; newer BIND releases no
    // longer accept "dnssec-lookaside" at all -- remove it when upgrading.
    dnssec-lookaside    auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";   // relative to "directory": /var/named/data/named.run
                severity dynamic;
        };
};
zone "." IN {
    type hint;
    file "named.ca";   // root hints; needed because recursion is enabled
};

include "/etc/named.rfc1912.zones";   // the slave zones are appended to this file
include "/etc/named.root.key";

3.编辑区域配置文件

# vim /etc/named.rfc1912.zones

在最后添加以下内容:

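// Secondary copies, transferred from the primary at 192.168.10.3 and written
// under /var/named/slaves (named must be able to write there).
// NOTE(review): in the BIND 9.8 generation used here (see the dig banner)
// allow-transfer defaults to "any", so without the explicit line added below
// anyone who can reach 192.168.10.4:53 could AXFR the whole zone from the
// secondary even though the primary restricts transfers to this host.
zone "liwanliang.com" IN {
    type slave;
    masters { 192.168.10.3; };
    allow-update { none; };
    allow-transfer { none; };            // no downstream server needs transfers from the secondary
    file "slaves/liwanliang.com.zone";
};
zone "10.168.192.in-addr.arpa" IN {
    type slave;
    masters { 192.168.10.3; };
    allow-update { none; };
    allow-transfer { none; };
    file "slaves/192.168.10.3.zone";
};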

4.查看并修改目录文件权限

# ls -l /var/named/chroot

# chown -R root.named /var/named/chroot

5.检查配置文件正确性

# named-checkconf

# service named configtest

6.启动named服务

# service named start

# ps -ef | grep named

# netstat -tupln | grep named

7.检查文件同步结果

# ls -l /var/named/slaves

total 8
-rw-r--r-- 1 named named 601 Jul  8 20:58 192.168.10.3.zone
-rw-r--r-- 1 named named 528 Jul  8 20:58 liwanliang.com.zone

8.从DNS正反解析验证

正向解析验证:

# dig -t A www.liwanliang.com @192.168.10.4

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A www.liwanliang.com @192.168.10.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2955
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.liwanliang.com.        IN    A

;; ANSWER SECTION:
www.liwanliang.com.    600    IN    A    192.168.10.3

;; AUTHORITY SECTION:
liwanliang.com.        600    IN    NS    ns1.liwanliang.com.
liwanliang.com.        600    IN    NS    ns2.liwanliang.com.

;; ADDITIONAL SECTION:
ns1.liwanliang.com.    600    IN    A    192.168.10.3
ns2.liwanliang.com.    600    IN    A    192.168.10.4

;; Query time: 0 msec
;; SERVER: 192.168.10.4#53(192.168.10.4)
;; WHEN: Sat Jul  8 22:08:17 2017
;; MSG SIZE  rcvd: 120

反向解析验证:

# dig -x 192.168.10.3 @192.168.10.4

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -x 192.168.10.3 @192.168.10.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29194
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;3.10.168.192.in-addr.arpa.    IN    PTR

;; ANSWER SECTION:
3.10.168.192.in-addr.arpa. 600    IN    PTR    mail.liwanliang.com.
3.10.168.192.in-addr.arpa. 600    IN    PTR    www.liwanliang.com.
3.10.168.192.in-addr.arpa. 600    IN    PTR    ftp.liwanliang.com.
3.10.168.192.in-addr.arpa. 600    IN    PTR    dhcp.liwanliang.com.
3.10.168.192.in-addr.arpa. 600    IN    PTR    ns1.liwanliang.com.

;; AUTHORITY SECTION:
10.168.192.in-addr.arpa. 600    IN    NS    ns2.liwanliang.com.
10.168.192.in-addr.arpa. 600    IN    NS    ns1.liwanliang.com.

;; ADDITIONAL SECTION:
ns1.liwanliang.com.    600    IN    A    192.168.10.3
ns2.liwanliang.com.    600    IN    A    192.168.10.4

;; Query time: 0 msec
;; SERVER: 192.168.10.4#53(192.168.10.4)
;; WHEN: Sat Jul  8 22:09:32 2017
;; MSG SIZE  rcvd: 213
原文地址:https://www.cnblogs.com/liwanliangblog/p/7145209.html