Verifying the roles of TCP and UDP port 53:
Delete the zone file under /var/named/slaves/ on server B (the slave):
[root@centos7_1 slaves]# rm -rf /var/named/slaves/baidu.com.zone.slave   # delete the file in the slaves directory
[root@centos7_1 slaves]# systemctl restart named                          # restart the DNS service
[root@centos7_1 slaves]# ls                                               # the master's zone file is still copied over
baidu.com.zone.slave
[root@ansible ~]# iptables -A INPUT -p tcp --dport 53 -j REJECT           # on master A: reject TCP destination port 53
[root@centos7_1 slaves]# systemctl restart named                          # restart the service
[root@centos7_1 slaves]# ls                                               # now the master's zone file cannot be copied
On client C, dig still returns the records; this answer is delivered over UDP port 53:
[root@centos6 network-scripts]# dig www.baidu.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6 <<>> www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3449
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.baidu.com.                 IN      A

;; ANSWER SECTION:
www.baidu.com.          86400   IN      CNAME   webs.baidu.com.
webs.baidu.com.         86400   IN      A       66.66.66.66

;; AUTHORITY SECTION:
baidu.com.              86400   IN      NS      dns1.baidu.com.
baidu.com.              86400   IN      NS      dns2.baidu.com.

;; ADDITIONAL SECTION:
dns1.baidu.com.         86400   IN      A       192.168.34.101
dns2.baidu.com.         86400   IN      A       192.168.34.103

;; Query time: 10 msec
;; SERVER: 192.168.34.101#53(192.168.34.101)
;; WHEN: Thu Nov  7 11:14:25 2019
;; MSG SIZE  rcvd: 136
Summary: TCP port 53 carries master-slave zone replication, while UDP port 53 serves ordinary queries. That is why rejecting TCP 53 on the master stopped the slave from fetching the zone file while the client's dig query still succeeded.
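The same split can be checked from a script instead of by deleting the slave's file. The following is an added example, not part of the original post: it compares the SOA serial on the master with the one the slave holds (over UDP), and additionally asks the master over TCP only, which fails in the same way a zone transfer does when TCP/53 is filtered. Hosts and zone follow the page (master A 192.168.34.101, slave B 192.168.34.103, baidu.com); the RUN_LIVE switch is an assumption of this example that keeps the real dig calls out of the offline part.

```shell
#!/bin/sh
# Added example, not from the original post: detect a broken transfer path by
# comparing SOA serials between master and slave, over UDP and over TCP.
# Addresses and zone come from the page's lab; RUN_LIVE=1 is an assumed switch.
ZONE=baidu.com
MASTER=192.168.34.101
SLAVE=192.168.34.103

# Read full dig output on stdin and print the SOA serial from the ANSWER
# section ("name ttl IN SOA mname rname serial ..."). Prints nothing when
# there is no answer, e.g. after a ";; communications error" on a blocked port.
soa_serial() {
    awk '$3 == "IN" && $4 == "SOA" { print $7; exit }'
}

# Classify the slave's serial against the master's. Returns 0 only when equal.
compare_serials() {
    master=$1
    slave=$2
    if [ -z "$master" ] || [ -z "$slave" ]; then
        echo error      # one side did not answer at all
        return 1
    fi
    if [ "$slave" -eq "$master" ]; then
        echo in-sync
    elif [ "$slave" -lt "$master" ]; then
        echo stale      # no transfer since the master's serial was bumped
        return 1
    else
        echo ahead      # slave newer than master: wrong master or manual edit
        return 1
    fi
}

if [ "${RUN_LIVE:-0}" = 1 ]; then
    m_udp=$(dig +notcp @"$MASTER" "$ZONE" SOA | soa_serial)
    m_tcp=$(dig +tcp   @"$MASTER" "$ZONE" SOA | soa_serial)
    s_udp=$(dig +notcp @"$SLAVE"  "$ZONE" SOA | soa_serial)
    echo "master serial over UDP: ${m_udp:-none}"
    echo "master serial over TCP: ${m_tcp:-none}   (none here means TCP/53 is blocked; AXFR/IXFR fail the same way)"
    echo "slave  serial over UDP: ${s_udp:-none}"
    echo "slave status: $(compare_serials "$m_udp" "$s_udp" || true)"
fi
```

Run it with RUN_LIVE=1 on the client: a master that answers over UDP but not over TCP reproduces the page's experiment without touching the slave, and a "stale" result on the slave is the symptom to alert on. The fix on the master is not to reject TCP/53 globally but to allow it from the slave's address, which is what the transfer needs.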
Implementing subdomain delegation: child and parent zone on the same host (this part can be skipped)
(1) Create the subdomain: on master server A (the parent zone), add the beijing.baidu.com zone to /etc/named.rfc1912.zones:
[root@ansible named]# vim /etc/named.rfc1912.zones
zone "baidu.com" {
        type master;
        file "baidu.com.zone";
};
zone "beijing.baidu.com" {
        type master;
        file "beijing.baidu.com.zone";
};
Create the beijing.baidu.com zone file; once it is configured, start DNS with systemctl start named:
[root@ansible ~]# cd /var/named
[root@ansible named]# ls
192.168.34.zone  beijing.baidu.com.zone  dynamic  named.empty  named.loopback
baidu.com.zone   data  named.ca  named.localhost  slaves
[root@ansible named]# vim beijing.baidu.com.zone
$TTL 1D
@       IN SOA  dns1 admin (
                1       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        NS      dns1
dns1    A       192.168.34.101   ; same address as the parent zone's server
www     CNAME   webs
webs    A       88.88.88.88
[root@ansible named]# chgrp named beijing.baidu.com.zone   # group named, consistent with the other zone files
[root@ansible named]# chmod 640 beijing.baidu.com.zone     # mode 640 so the zone contents are not world-readable
(2) On client C, use dig to query the newly configured subdomain:
[root@centos6 network-scripts]# dig www.baidu.com     # query the parent zone baidu.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6 <<>> www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41274
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.baidu.com.                 IN      A

;; ANSWER SECTION:
www.baidu.com.          86400   IN      CNAME   webs.baidu.com.
webs.baidu.com.         86400   IN      A       66.66.66.66

;; AUTHORITY SECTION:
baidu.com.              86400   IN      NS      dns2.baidu.com.
baidu.com.              86400   IN      NS      dns1.baidu.com.

;; ADDITIONAL SECTION:
dns1.baidu.com.         86400   IN      A       192.168.34.101
dns2.baidu.com.         86400   IN      A       192.168.34.103

;; Query time: 0 msec
;; SERVER: 192.168.34.103#53(192.168.34.103)
;; WHEN: Thu Nov  7 11:57:45 2019
;; MSG SIZE  rcvd: 136

[root@centos6 network-scripts]# dig www.beijing.baidu.com     # query the subdomain

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6 <<>> www.beijing.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59333
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.beijing.baidu.com.         IN      A

;; ANSWER SECTION:
www.beijing.baidu.com.  86400   IN      CNAME   webs.beijing.baidu.com.
webs.beijing.baidu.com. 86400   IN      A       88.88.88.88

;; AUTHORITY SECTION:
beijing.baidu.com.      86400   IN      NS      dns1.beijing.baidu.com.

;; ADDITIONAL SECTION:
dns1.beijing.baidu.com. 86400   IN      A       192.168.34.101

;; Query time: 4 msec
;; SERVER: 192.168.34.101#53(192.168.34.101)
;; WHEN: Thu Nov  7 11:57:54 2019
;; MSG SIZE  rcvd: 109
Implementing subdomain delegation: parent and child zone on different hosts
Parent/child delegation architecture diagram:
1. Configure a shenzhen subdomain on the master DNS server
(1) Edit master server A's zone file /var/named/baidu.com.zone and add a delegation for shenzhen:
[root@ansible named]# vim /var/named/baidu.com.zone
$TTL 1D
@       IN SOA  dns1 admin.baidu.com. (
                1       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        NS      dns1
        NS      dns2
shenzhen NS     dns3                ; delegate the shenzhen subdomain to dns3
dns1    A       192.168.34.101
dns2    A       192.168.34.103
dns3    A       192.168.34.102      ; glue record: shenzhen is delegated to host 192.168.34.102
www     CNAME   webs
webs    A       66.66.66.66
(2) Reload the DNS service on master server A:
[root@ansible named]# rndc reload
server reload successful
Note: check the configuration files for mistakes before reloading
# named-checkconf                                      (checks named.conf for syntax errors)
# named-checkzone baidu.com /var/named/baidu.com.zone  (checks the zone file for errors)
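The delegation above only works if the parent zone carries an address record for the name it delegates to (the glue record for dns3); a typo in the owner of that A record silently breaks the subdomain. The following is an added example, not part of the original post: a small lint that reads a zone file on stdin and lists every in-zone NS target without an A or AAAA record. It goes a little beyond the page's case by handling AAAA glue and by ignoring NS targets outside the zone, which need no glue here. The sample zone in the usage is constructed from the page's lab (baidu.com, 192.168.34.0/24). BIND's own named-checkzone also warns about an NS name with no address records, so this complements rather than replaces it.

```shell
#!/bin/sh
# Added example, not from the original post: report delegations whose NS
# target lives inside this zone but has no A/AAAA (glue) record.
# Usage: missing_glue baidu.com < /var/named/baidu.com.zone
missing_glue() {
    origin=$1
    case $origin in *.) ;; *) origin="$origin." ;; esac   # always end with a dot
    awk -v origin="$origin" '
        # turn a relative owner or target into a fully qualified name
        function fqdn(n) {
            if (n == "@") return origin
            if (n ~ /\.$/) return n
            return n "." origin
        }
        function in_zone(n) {
            return n == origin || substr(n, length(n) - length(origin)) == "." origin
        }
        /^\$/ { next }                                    # $TTL / $ORIGIN directives
        {
            line = $0
            sub(/;.*/, "", line)                          # strip comments
            if (line ~ /^[ \t]*$/) next
            if (inparen) {                                # inside a multi-line SOA
                if (line ~ /\)/) inparen = 0
                next
            }
            if (line ~ /\(/ && line !~ /\)/) inparen = 1
            cont = (line ~ /^[ \t]/)                      # blank-led line reuses previous owner
            sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t]+/)
            if (cont) i = 1; else { owner = f[1]; i = 2 }
            if (i <= n && f[i] ~ /^[0-9]+[smhdwSMHDW]?$/) i++   # optional TTL
            if (i <= n && toupper(f[i]) == "IN") i++             # optional class
            if (i >= n) next                                     # need type and rdata
            type = toupper(f[i]); rdata = f[i + 1]
            if (type == "NS") ns_owner[fqdn(rdata)] = fqdn(owner)
            else if (type == "A" || type == "AAAA") has_addr[fqdn(owner)] = 1
        }
        END {
            for (t in ns_owner)
                if (in_zone(t) && !(t in has_addr))
                    printf "missing glue: %s (NS for %s)\n", t, ns_owner[t]
        }'
}
```

On a zone that delegates shenzhen to dns3 but spells the address record dhs3, the output is a single line naming dns3.baidu.com., and an empty output means every in-zone delegation has its glue. Run it together with named-checkzone before every rndc reload.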
2. Create the subdomain on the subdomain DNS server
Install the DNS service on the subdomain DNS server and edit its configuration files:
[root@centos102 ~]# yum install bind
[root@centos102 ~]# vim /etc/named.conf
options {
//      listen-on port 53 { 127.0.0.1; };           // commented out: named listens on all interfaces
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
//      allow-query     { localhost; };             // commented out: queries are accepted from any client
(4) Edit /etc/named.rfc1912.zones on the subdomain DNS server:
[root@centos102 ~]# vim /etc/named.rfc1912.zones
zone "shenzhen.baidu.com" {
        type master;
        file "shenzhen.baidu.com.zone";
};
(5) On the subdomain DNS server, copy the zone file from master server A with scp and fix its group ownership:
[root@centos102 ~]# scp -p 192.168.34.103:/var/named/baidu.com.zone /var/named/shenzhen.baidu.com.zone
[root@centos102 named]# ll
total 32
drwxrwx--- 2 named named 4096 Mar 23  2017 data
drwxrwx--- 2 named named 4096 Mar 23  2017 dynamic
-rw-r----- 1 root  named 3171 Jan 11  2016 named.ca
-rw-r----- 1 root  named  152 Dec 15  2009 named.empty
-rw-r----- 1 root  named  152 Jun 21  2007 named.localhost
-rw-r----- 1 root  named  168 Dec 15  2009 named.loopback
-rw-r----- 1 root  root   296 Nov  7 12:11 shenzhen.baidu.com.zone   # group is wrong here: root instead of named
drwxrwx--- 2 named named 4096 Mar 23  2017 slaves
[root@centos102 named]# chgrp named shenzhen.baidu.com.zone   # fix the group of shenzhen.baidu.com.zone
(6) Edit the shenzhen.baidu.com.zone file on the subdomain DNS server:
[root@centos7-2 named]# vim shenzhen.baidu.com.zone
$TTL 1D
@       IN SOA  dns1 admin (
                1       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        NS      dns1
dns1    A       192.168.34.102
www     CNAME   webs
webs    A       7.7.7.7
Note: check the configuration file and the zone file for mistakes.
named-checkconf                                                        # checks named.conf for syntax errors
named-checkzone shenzhen.baidu.com /var/named/shenzhen.baidu.com.zone  # checks this server's zone file for errors
(7) Start the DNS service on the subdomain server:
[root@centos7-2 named]# systemctl start named
3. Verify the result on the client
At this point the client has no nameserver entry for the server that hosts the shenzhen.baidu.com subdomain; run dig on the client to look up the subdomain:
[root@centos6 ~]# cat /etc/resolv.conf     # which DNS servers the client points at
# Generated by NetworkManager
search 10.localdomain
nameserver 192.168.34.101
nameserver 192.168.34.103
[root@centos6 ~]# dig www.shenzhen.baidu.com     # the resolver now follows the delegation to the subdomain server

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6 <<>> www.shenzhen.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15796
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.shenzhen.baidu.com.        IN      A

;; ANSWER SECTION:
www.shenzhen.baidu.com. 86266   IN      CNAME   webs.shenzhen.baidu.com.
webs.shenzhen.baidu.com. 86266  IN      A       7.7.7.7

;; AUTHORITY SECTION:
shenzhen.baidu.com.     86266   IN      NS      dns1.shenzhen.baidu.com.

;; ADDITIONAL SECTION:
dns1.shenzhen.baidu.com. 86266  IN      A       192.168.34.102

;; Query time: 4 msec
;; SERVER: 192.168.34.101#53(192.168.34.101)
;; WHEN: Thu Nov  7 16:35:25 2019
;; MSG SIZE  rcvd: 110
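Two details in that output prove the delegation rather than a local copy of the zone: the flags line has no aa bit (192.168.34.101 is not authoritative for shenzhen.baidu.com and obtained the answer by following the NS it hands out), and the AUTHORITY section names the child's server. The following is an added example, not part of the original post, that turns this into a scripted check: it reads dig output on stdin, summarises status, aa flag, answering server and AUTHORITY NS names, and returns success only when a named resolver answered non-authoritatively with the expected child nameserver. The sample used in testing is constructed from the page's output.

```shell
#!/bin/sh
# Added example, not from the original post: summarise a dig answer and check
# that a delegation was followed. Usage:
#   dig www.shenzhen.baidu.com | delegation_followed 192.168.34.101 dns1.shenzhen.baidu.com.
dig_summary() {
    awk '
        /^;; ->>HEADER<<-/ {                       # status is between "status: " and the next comma
            s = $0; sub(/.*status: /, "", s); sub(/,.*/, "", s); status = s
        }
        /^;; flags:/ { aa = ($0 ~ / aa[ ;]/) ? "yes" : "no" }   # aa = answer is authoritative
        /^;; SERVER:/ { server = $3; sub(/#.*/, "", server) }  # strip "#53(...)"
        /^;; AUTHORITY SECTION:/ { sect = "auth"; next }
        /^;; / { sect = "" }                                   # any other header ends the section
        sect == "auth" && $4 == "NS" { ns = (ns == "" ? "" : ns " ") $5 }
        END { printf "status=%s aa=%s server=%s ns=%s\n", status, aa, server, ns }'
}

# Succeeds when the expected resolver answered NOERROR, the answer was not
# authoritative (so the resolver chased the delegation), and the AUTHORITY
# section lists the expected child nameserver.
delegation_followed() {
    expect_server=$1
    expect_ns=$2
    summary=$(dig_summary)
    case $summary in
        "status=NOERROR aa=no server=$expect_server ns="*"$expect_ns"*) return 0 ;;
    esac
    echo "unexpected answer: $summary" >&2
    return 1
}
```

An aa=yes result for a name under the subdomain means the queried server serves that zone itself (as on the same-host setup earlier on the page), not that delegation works; a SERVFAIL or an empty ns= field is the typical sign of a missing glue record or of the child server not listening.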