DNS architecture topology diagram:
Forward zone, reverse zone; master/slave; subdomain configuration.
Environment preparation: three CentOS 7.2 hosts; disable the firewall and SELinux, configure the yum repository, set up time synchronization, and point each host's DNS at the master name server's IP (172.16.100.67).
--------------------------------------------------------------------------------------------------------------------------------------
1. Master name server configuration (172.16.100.67):
(1) Install bind, start it, and enable it at boot
~]# yum install bind -y
~]# systemctl start named.service
~]# systemctl enable named.service
(2) Modify the configuration file (only the changed settings are listed)
~]# vim /etc/named.conf
options {
        listen-on port 53 { 127.0.0.1; 172.16.100.67; };
//      allow-query     { localhost; };
        dnssec-enable no;
        dnssec-validation no;
(3) Check the configuration file for syntax errors (defaults to /etc/named.conf) and reload it
~]# named-checkconf
~]# rndc reload
(4) Configure a forward zone:
1) Define the forward zone
~]# vim /etc/named.rfc1912.zones
zone "iecentury.com" IN {
        type master;
        file "iecentury.com.zone";
};
Note: the zone name is the domain name;
2) Create the zone data file (mainly A or AAAA records; create it under /var/named)
~]# vim /var/named/iecentury.com.zone
$TTL 3600
$ORIGIN iecentury.com.
@       IN  SOA  ns1.iecentury.com. dnsadmin.iecentury.com. (
            201812031
            1H
            10M
            3D
            1D )
        IN  NS   ns1
        IN  MX   10 mx1
        IN  MX   20 mx2
        IN  A    172.16.100.67
ns1     IN  A    172.16.100.67
mx1     IN  A    172.16.100.68
mx2     IN  A    172.16.100.69
www     IN  A    172.16.100.67
web     IN  CNAME www
Change the group and permissions:
# chgrp named /var/named/iecentury.com.zone
# chmod o= /var/named/iecentury.com.zone
Check for syntax errors
~]# named-checkconf
~]# named-checkzone iecentury.com /var/named/iecentury.com.zone
3) Have the server reload the configuration file and zone data files (or systemctl reload named.service)
~]# rndc reload
Check the rndc status (note: a clean syntax check, a successful reload and the zone count going up do not mean the zone actually works; test it with dig/nslookup/host or another DNS testing tool)
~]# rndc status
version: 9.9.4-RedHat-9.9.4-61.el7_5.1 <id:8f9657aa>
CPUs found: 8
worker threads: 8
UDP listeners per interface: 8
number of zones: 102    (success: +1 over the default of 101)
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
(5) Configure a reverse zone
1) Define the zone (in the main configuration file or in one of the files it includes);
~]# vim /etc/named.rfc1912.zones
zone "100.16.172.in-addr.arpa" IN {
        type master;
        file "100.16.172.zone";
};
Note: the name of a reverse zone is the network address written backwards followed by .in-addr.arpa
Example: 100.16.172.in-addr.arpa
2) Define the zone data file (mainly PTR records)
Create the zone data file under /var/named; example: the zone name is 100.16.172.in-addr.arpa (the IP written backwards)
~]# vim /var/named/100.16.172.zone
$TTL 3600
$ORIGIN 100.16.172.in-addr.arpa.
@       IN  SOA  ns1.iecentury.com. nsadmin.iecentury.com. (
            201810032
            1H
            10M
            3D
            12H )
        IN  NS   ns1.iecentury.com.
67      IN  PTR  ns1.iecentury.com.
68      IN  PTR  mx1.iecentury.com.
69      IN  PTR  mx2.iecentury.com.
67      IN  PTR  www.iecentury.com.
Change the group and permissions:
~]# chmod o= /var/named/100.16.172.zone
~]# chgrp named /var/named/100.16.172.zone
Check syntax, reload the configuration, and check rndc status (the first argument to named-checkzone is the zone name, not the file name):
~]# named-checkzone 100.16.172.in-addr.arpa /var/named/100.16.172.zone
~]# named-checkconf
~]# rndc reload
[root@james ~]# rndc status
version: 9.9.4-RedHat-9.9.4-61.el7_5.1 <id:8f9657aa>
CPUs found: 8
worker threads: 8
UDP listeners per interface: 8
number of zones: 103    (success: +1)
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
(6) Test forward and reverse resolution
~]# dig -t A www.iecentury.com
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -t A www.iecentury.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45698
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.iecentury.com. IN A
;; ANSWER SECTION:
www.iecentury.com. 3600 IN A 172.16.100.67
;; AUTHORITY SECTION:
iecentury.com. 3600 IN NS ns1.iecentury.com.
;; ADDITIONAL SECTION:
ns1.iecentury.com. 3600 IN A 172.16.100.67
;; Query time: 21 msec
;; SERVER: 172.16.100.67#53(172.16.100.67)
;; WHEN: 日 11月 04 00:14:56 CST 2018
;; MSG SIZE rcvd: 96
~]# dig -x 172.16.100.67
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -x 172.16.100.67
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56457
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;67.100.16.172.in-addr.arpa. IN PTR
;; ANSWER SECTION:
67.100.16.172.in-addr.arpa. 3600 IN PTR ns1.iecentury.com.
67.100.16.172.in-addr.arpa. 3600 IN PTR www.iecentury.com.
;; AUTHORITY SECTION:
100.16.172.in-addr.arpa. 3600 IN NS ns1.iecentury.com.
;; ADDITIONAL SECTION:
ns1.iecentury.com. 3600 IN A 172.16.100.67
;; Query time: 1 msec
;; SERVER: 172.16.100.67#53(172.16.100.67)
;; WHEN: 日 11月 04 00:15:13 CST 2018
;; MSG SIZE rcvd: 134
--------------------------------------------------------------------------------------------------------------------------------------
2. Slave name server configuration (172.16.100.68)
(1) Install bind and modify the configuration file
~]# yum install bind -y
~]# vim /etc/named.conf
options {
        listen-on port 53 { 127.0.0.1; 172.16.100.68; };
        dnssec-enable no;
        dnssec-validation no;
(2) On the master (172.16.100.67), add the slave to the forward and reverse zones:
On the master, make sure each zone data file has an NS record for every slave server, and in the forward zone file add an A record for the hostname used in each slave's NS record, with the address of that A record being the slave's real IP address;
[root@james ~]# vim /var/named/iecentury.com.zone
$TTL 3600
$ORIGIN iecentury.com.
@       IN  SOA  ns1.iecentury.com. dnsadmin.iecentury.com. (
            201812031
            1H
            10M
            3D
            1D )
        IN  NS   ns1
        IN  NS   ns2                ; NS record for the slave server
        IN  MX   10 mx1
        IN  MX   20 mx2
        IN  A    172.16.100.67
ns1     IN  A    172.16.100.67
ns2     IN  A    172.16.100.68      ; A record for the slave server
mx1     IN  A    172.16.100.68
mx2     IN  A    172.16.100.69
www     IN  A    172.16.100.67
web     IN  CNAME www
Reverse zone:
~]# vim /var/named/100.16.172.zone
$TTL 3600
$ORIGIN 100.16.172.in-addr.arpa.
@       IN  SOA  ns1.iecentury.com. nsadmin.iecentury.com. (
            2014100801
            1H
            10M
            3D
            12H )
        IN  NS   ns1.iecentury.com.
        IN  NS   ns2.iecentury.com.   ; NS record for ns2 in the reverse zone
67      IN  PTR  ns1.iecentury.com.
68      IN  PTR  ns2.iecentury.com.   ; PTR record for the slave server
68      IN  PTR  mx1.iecentury.com.
69      IN  PTR  mx2.iecentury.com.
67      IN  PTR  www.iecentury.com.
Syntax check and reload
~]# named-checkzone iecentury.com /var/named/iecentury.com.zone
~]# rndc reload
(3) On the slave DNS, define the iecentury.com forward zone (with ns1 as the master) and the reverse zone
~]# vim /etc/named.rfc1912.zones
zone "iecentury.com" IN {
        type slave;
        file "slaves/iecentury.com.zone";
        masters { 172.16.100.67; };
};
zone "100.16.172.in-addr.arpa" IN {
        type slave;
        file "slaves/100.16.172.zone";
        masters { 172.16.100.67; };
};
Syntax check and reload the configuration
Configuration file syntax check:
~]# named-checkconf
Reload the configuration:
~]# rndc reload
Verification: (1) the iecentury.com zone is transferred automatically into /var/named/slaves
~]# ls /var/named/slaves
iecentury.com.zone
(2) Test forward and reverse resolution on the slave
~]# dig -x 172.16.100.67
~]# dig -t A www.iecentury.com
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -t A www.iecentury.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13394
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.iecentury.com. IN A
;; ANSWER SECTION:
www.iecentury.com. 3600 IN A 172.16.100.67
;; AUTHORITY SECTION:
iecentury.com. 3600 IN NS ns1.iecentury.com.
iecentury.com. 3600 IN NS ns2.iecentury.com.
;; ADDITIONAL SECTION:
ns1.iecentury.com. 3600 IN A 172.16.100.67
ns2.iecentury.com. 3600 IN A 172.16.100.68
;; Query time: 0 msec
;; SERVER: 172.16.100.68#53(172.16.100.68)
;; WHEN: 日 11月 04 13:13:24 CST 2018
;; MSG SIZE rcvd: 130
The slave name server configuration is now complete.
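The dig above shows the slave answering, but not whether it answered from its own transferred copy of the zone; as an added check (not part of the original post), the following script compares the SOA serial the master and the slave each serve and confirms the slave's answer carries the aa flag. It assumes dig is installed and uses this setup's addresses.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: confirm that the slave
# (172.16.100.68) serves the same zone version as the master (172.16.100.67)
# and answers authoritatively. Assumes dig is installed.

MASTER=172.16.100.67
SLAVE=172.16.100.68

# Serial from "dig +short SOA" output (mname rname serial refresh retry ...).
soa_serial() { awk 'NF >= 3 { print $3; exit }'; }

# Succeed if a full dig answer on stdin carries the "aa" flag. Without it the
# server answered from cache or by recursion, not from its own zone copy, so a
# slave that never completed the transfer can still look as if it "works".
is_authoritative() { grep -q '^;; flags:.* aa[ ;]'; }

# Compare the serial the master serves with the one the slave serves.
slave_in_sync() {   # $1 = zone name
    local m s
    m=$(dig +short @"$MASTER" "$1" SOA | soa_serial)
    s=$(dig +short @"$SLAVE" "$1" SOA | soa_serial)
    if [ -n "$m" ] && [ "$m" = "$s" ]; then
        echo "in sync: $1 serial $m"
    else
        echo "out of sync: $1 master=$m slave=$s" \
             "(check the serial bump on the master, then 'rndc retransfer $1' on the slave)"
        return 1
    fi
}

# Check that the slave answers a name from its own copy of the zone.
slave_authoritative_for() {   # $1 = name to query, $2 = record type (default A)
    dig @"$SLAVE" "$1" "${2:-A}" | is_authoritative \
        || { echo "$SLAVE answered $1 without the aa flag"; return 1; }
}

# Usage on any of the three hosts:
#   for z in iecentury.com 100.16.172.in-addr.arpa; do slave_in_sync "$z"; done
#   slave_authoritative_for www.iecentury.com
#   slave_authoritative_for 67.100.16.172.in-addr.arpa PTR
```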
--------------------------------------------------------------------------------------------------------------------------------------
3. Subdomain server (ops.iecentury.com)
Delegating the subdomain on the master (172.16.100.67)
~]# vim /var/named/iecentury.com.zone
$TTL 3600
$ORIGIN iecentury.com.
@       IN  SOA  ns1.iecentury.com. dnsadmin.iecentury.com. (
            201812032   ; serial manually incremented: it must be higher than the previous 201812031, or slaves will not transfer the change
            1H
            10M
            3D
            1D )
        IN  NS   ns1
        IN  NS   ns2
        IN  MX   10 mx1
        IN  MX   20 mx2
        IN  A    172.16.100.67
ns1     IN  A    172.16.100.67
ns2     IN  A    172.16.100.68
mx1     IN  A    172.16.100.68
mx2     IN  A    172.16.100.69
www     IN  A    172.16.100.67
web     IN  CNAME www
ops     IN  NS   ns1.ops            ; NS record delegating the subdomain
ns1.ops IN  A    172.16.100.69      ; glue A record for the subdomain's name server
Reload the configuration
~]# rndc reload
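Every master-side edit on this page (creating the zones in part 1, adding ns2 in part 2, delegating ops just above) ends with a syntax check and rndc reload, and each hinges on the serial going up and the file permissions being right; here is an added shell helper (not from the original post) that checks all of that before reloading. It assumes named-checkzone, named-checkconf, rndc and dig are installed and uses this setup's zone names.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: checks to run on the master before
# "rndc reload" after editing a zone file. Assumes BIND's named-checkzone,
# named-checkconf, rndc and dig are installed; names are from this setup.

# SOA serial of a zone file. Comments are stripped and lines joined so both the
# one-line and the multi-line "( serial refresh ... )" SOA forms work: the
# serial is the 3rd token after "SOA", skipping an opening "(".
zone_file_serial() {   # $1 = zone file
    sed 's/;.*//' "$1" | tr '\n' ' ' | awk '{
        for (i = 1; i <= NF; i++)
            if ($i == "SOA") { j = i + 3; if ($j == "(") j++; print $j; exit }
    }'
}

# Serial a server currently serves: field 3 of "dig +short SOA" output.
served_serial() {   # $1 = zone name, $2 = server address
    dig +short @"$2" "$1" SOA | awk '{ print $3; exit }'
}

# Succeed only if the new serial is strictly greater than the old one. Slaves
# transfer a zone only when the master's serial goes up, so a forgotten or
# lowered serial leaves every slave silently stale.
serial_increased() {   # $1 = old serial, $2 = new serial
    [ "$2" -gt "$1" ] 2>/dev/null
}

# Ownership and mode as set with "chgrp named" and "chmod o=" above: the file
# belongs to the expected group (default named) and others have no access bits.
zone_file_perms_ok() {   # $1 = zone file, $2 = expected group
    [ "$(stat -c %G "$1")" = "${2:-named}" ] &&
        [ $(( 0$(stat -c %a "$1") & 07 )) -eq 0 ]
}

# Run every check for one zone. An empty served serial (zone not loaded yet)
# counts as 0 so that a brand-new zone passes.
precheck_zone() {   # $1 = zone name, $2 = zone file, $3 = master address
    local old new
    zone_file_perms_ok "$2" || { echo "bad group/mode on $2"; return 1; }
    named-checkzone "$1" "$2" > /dev/null || return 1
    named-checkconf || return 1
    old=$(served_serial "$1" "$3"); new=$(zone_file_serial "$2")
    serial_increased "${old:-0}" "$new" ||
        { echo "serial $new is not above served serial ${old:-0}"; return 1; }
    echo "ok: $1 serial ${old:-0} -> $new"
}

# Usage on the master, e.g. after adding the ns2 records or the ops delegation:
#   precheck_zone iecentury.com /var/named/iecentury.com.zone 172.16.100.67 && rndc reload
```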
Subdomain server configuration (172.16.100.69)
(1) Install bind, start it, and enable it at boot
~]# yum install bind -y
~]# systemctl start named.service
~]# systemctl enable named.service
(2) Modify the configuration file (only the changed settings are listed)
~]# vim /etc/named.conf
options {
        listen-on port 53 { 127.0.0.1; 172.16.100.69; };
//      allow-query     { localhost; };
        dnssec-enable no;
        dnssec-validation no;
(3) Check the configuration file for syntax errors (defaults to /etc/named.conf) and reload it
~]# named-checkconf
~]# rndc reload
(4) Configure a forward zone for the subdomain:
1) Define the forward zone
~]# vim /etc/named.rfc1912.zones
zone "ops.iecentury.com" IN {
        type master;
        file "ops.iecentury.com.zone";
};
2) Create the zone data file (mainly A or AAAA records; create it under /var/named, using the file name given in the zone definition)
~]# vim /var/named/ops.iecentury.com.zone
$TTL 3600
$ORIGIN ops.iecentury.com.
@       IN  SOA  ns1.ops.iecentury.com. dnsadmin.ops.iecentury.com. (
            201811034
            1H
            10M
            3D
            1D )
        IN  NS   ns1
ns1     IN  A    172.16.100.69
www     IN  A    172.16.100.69
Change the group and permissions:
~]# chmod o= /var/named/ops.iecentury.com.zone
~]# chgrp named /var/named/ops.iecentury.com.zone
Subdomain test:
~]# dig -t A www.ops.iecentury.com
Set up forwarding from the subdomain to the parent domain
~]# vim /etc/named.rfc1912.zones
zone "iecentury.com" IN {
        type forward;
        forward only;
        forwarders { 172.16.100.67; 172.16.100.68; };
};
Test subdomain resolution from the master and slave servers:
~]# dig -t A www.ops.iecentury.com
Note: if the test from the slave fails, try restarting the named service
~]# systemctl restart named.service
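To confirm the delegation just configured is consistent from both sides, here is an added script (not from the original post) that compares the parent's NS and glue records for ops.iecentury.com with what the child server itself publishes; it assumes dig is installed and uses this setup's names and addresses.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: check that the delegation of
# ops.iecentury.com agrees between the parent zone on 172.16.100.67 and the
# child server on 172.16.100.69. Assumes dig is installed; the names and
# addresses are the ones used in this setup.

PARENT=172.16.100.67
CHILD=172.16.100.69
SUB=ops.iecentury.com

# From a full dig answer on stdin, print the RDATA of every record of type $1
# (answer, authority and additional sections alike), trailing dot removed,
# sorted. This also works on the referral the parent returns with +norecurse,
# where the NS records sit in AUTHORITY and the glue A record in ADDITIONAL.
rr_values() {   # $1 = record type, e.g. NS or A
    awk -v t="$1" '$1 !~ /^;/ && $3 == "IN" && $4 == t { print $5 }' \
        | sed 's/\.$//' | sort -u
}

# Succeed only if both lists are non-empty and identical.
same_set() { [ -n "$1" ] && [ "$1" = "$2" ]; }

# The NS set the parent delegates to must equal the NS set at the child's apex;
# otherwise the subdomain resolves or fails depending on which server a
# resolver happens to ask (a lame delegation).
delegation_consistent() {
    local p c
    p=$(dig +norecurse @"$PARENT" "$SUB" NS | rr_values NS)
    c=$(dig +norecurse @"$CHILD" "$SUB" NS | rr_values NS)
    same_set "$p" "$c" || { echo "NS mismatch: parent [$p] child [$c]"; return 1; }
}

# The glue A record on the parent (ns1.ops IN A ...) must match the A record
# the child itself serves for that name, or resolvers are sent to the wrong
# address for the subdomain's name server.
glue_consistent() {   # $1 = delegated NS name
    local g r
    g=$(dig +norecurse @"$PARENT" "$1" A | rr_values A)
    r=$(dig +norecurse @"$CHILD" "$1" A | rr_values A)
    same_set "$g" "$r" || { echo "glue mismatch for $1: parent [$g] child [$r]"; return 1; }
}

# Usage:
#   delegation_consistent && glue_consistent ns1.ops.iecentury.com
```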
The above covers forward zones, reverse zones, master/slave and subdomain configuration; basic bind ACL security controls are not covered in depth, which you can skip if you are not a DNS service provider!