[1. Secondary DNS (DNS cluster)]
A single server cannot handle a large volume of queries, so add a secondary (slave) DNS server that holds a copy of the zone and answers for it.
First prepare the environment on the new machine:
vim /etc/sysconfig/network-scripts/ifcfg-eth0
hostnamectl set-hostname server-dns.example.com
vim /etc/yum.repos.d/rhel_dvd.repo
reboot
yum clean all
yum install bind -y   install the service
firewall-cmd --permanent --add-service=dns   add dns to the services the firewall allows
firewall-cmd --reload   re-read the firewall rules
Primary DNS:
vim /etc/named.conf
listen-on port 53 { any; };
allow-query { any; };
dnssec-validation no;
(allow-query { any; } together with the default recursion yes makes this an open resolver that anyone can use for amplification, and dnssec-validation no switches off validation of the answers it fetches; both are acceptable on the lab network only.)
vim /etc/named.rfc1912.zones
zone "logo.com" IN {
type master;
file "logo.com.zone";
allow-update { none; };
allow-transfer { 172.25.254.249; };   who may transfer (sync) the zone: only the secondary, 172.25.254.249
};
(Without allow-transfer this BIND version lets anyone AXFR the whole zone. The address-based ACL is better than nothing; a zone transfer can additionally be signed with a key like the one set up in section 4.)
Secondary DNS:
vim /etc/resolv.conf
# Generated by NetworkManager
search example.com
nameserver 172.25.254.249
vim /etc/named.conf
listen-on port 53 { any; };
allow-query { any; };
dnssec-validation no;
vim /etc/named.rfc1912.zones
zone "logo.com" IN {
type slave;
file "slaves/logo.com.zone";
allow-update { none; };
masters { 172.25.254.149; };   the primary, dns.logo.com (not the secondary's own address, or it would try to transfer from itself)
};
(This slave stanza has no allow-transfer of its own, so with the default anyone can pull the zone from the secondary as well; add allow-transfer { none; }; here unless a further secondary needs it.)
ll /var/named/   after the restart below the transferred copy appears as /var/named/slaves/logo.com.zone
Test:
systemctl restart named   ** on the server side (the primary and the secondary both need a restart after the change)
dig www.logo.com   ** on the desktop
;; QUESTION SECTION:
;www.logo.com. IN A
;; ANSWER SECTION:
www.logo.com. 86400 IN A 172.25.254.155
;; AUTHORITY SECTION:
logo.com. 86400 IN NS dns.logo.com.
;; ADDITIONAL SECTION:
dns.logo.com. 86400 IN A 172.25.254.149
;; Query time: 0 msec
;; SERVER: 172.25.254.249#53(172.25.254.249)
;; WHEN: Thu Dec 01 01:05:40 EST 2016
;; MSG SIZE rcvd: 91
[2. Automatic DNS synchronization (notify)]
Primary DNS side:
vim /etc/named.rfc1912.zones
zone "logo.com" IN {
type master;
file "logo.com.zone";
allow-update { none; };
allow-transfer { 172.25.254.249; };   who may transfer the zone
also-notify { 172.25.254.249; };   who gets a NOTIFY when the zone file changes (172.25.254.249); the secondary then compares serials and transfers at once instead of waiting for the refresh interval
};
cp -p named.localhost logo.com.zone   in /var/named; -p keeps the owner and mode so named can read the new file
vim logo.com.zone   edit the zone file
$TTL 1D
@ IN SOA dns.logo.com. root.logo.com. (
2016120101 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS dns.logo.com.
dns A 172.25.254.149
www A 172.25.254.155
systemctl restart named
Client side (the secondary): no changes needed.
Test: run dig www.logo.com on both sides; the results look like this:
Client side (desktop):
;; ANSWER SECTION:
www.logo.com. 86400 IN A 172.25.254.155
;; AUTHORITY SECTION:
logo.com. 86400 IN NS dns.logo.com.
;; ADDITIONAL SECTION:
dns.logo.com. 86400 IN A 172.25.254.149
Primary DNS (server side):
;; Query time: 0 msec
;; SERVER: 172.25.254.249#53(172.25.254.249)
;; ANSWER SECTION:
www.logo.com. 86400 IN A 172.25.254.155
;; AUTHORITY SECTION:
logo.com. 86400 IN NS dns.logo.com.
;; ADDITIONAL SECTION:
dns.logo.com. 86400 IN A 172.25.254.149
;; Query time: 0 msec
;; SERVER: 172.25.254.149#53(172.25.254.149)
The two servers are now in sync. Every time you edit logo.com.zone the serial (2016120101 here) must be raised: the secondary compares the primary's SOA serial with its own and only transfers when the primary's is higher, and also-notify only tells it to check, it does not force a transfer. Two details that break this silently: the SOA MNAME must carry its trailing dot (dns.logo.com.), otherwise BIND appends the origin and the name becomes dns.logo.com.logo.com.; and a serial that is edited to a smaller number is ignored by the secondary.
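The serial rule above is what usually breaks replication in practice, so here is an added example (not part of the original notes) of a small Python helper that reads the serial from a zone file in the layout used here, bumps it in the YYYYMMDDNN convention, and checks the result with RFC 1982 serial arithmetic, which is the comparison the secondary makes before transferring. The zone text is the page's own logo.com.zone embedded as a constructed string; the function names are my own.

```python
import re

# Constructed sample: the logo.com zone from the page (with the trailing dot
# the SOA MNAME needs), embedded so the script runs offline.
ZONE_TEXT = """$TTL 1D
@ IN SOA dns.logo.com. root.logo.com. (
2016120101 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS dns.logo.com.
dns A 172.25.254.149
www A 172.25.254.155
"""

# Matches the serial line as laid out in the page's zone file: a bare integer
# followed by a "; serial" comment.
SERIAL_LINE = re.compile(r"^([ \t]*)(\d+)([ \t]*;[ \t]*serial.*)$",
                         re.IGNORECASE | re.MULTILINE)


def read_serial(zone_text: str) -> int:
    """Return the SOA serial from a zone file in the page's layout."""
    m = SERIAL_LINE.search(zone_text)
    if m is None:
        raise ValueError("zone file has no '; serial' line")
    return int(m.group(2))


def next_serial(current: int, today: str) -> int:
    """Next serial in the YYYYMMDDNN convention the page uses (2016120101).

    today is a 'YYYYMMDD' string. Starts at NN=01 on a new day; otherwise just
    adds one, so the value never goes backwards even if the clock moved back
    or more than 99 edits happened in one day (it then rolls into the next
    day's range, which is still a larger number)."""
    if not re.fullmatch(r"\d{8}", today):
        raise ValueError("today must be YYYYMMDD")
    base = int(today) * 100
    return base + 1 if current < base else current + 1


def serial_is_newer(old: int, new: int) -> bool:
    """RFC 1982 serial arithmetic, which is what a secondary applies when it
    compares the primary's SOA serial with its own copy: new is 'greater' only
    if (new - old) mod 2**32 lies in (0, 2**31). An unchanged serial
    (difference 0) or one that went backwards is not transferred."""
    return 0 < (new - old) % (1 << 32) < (1 << 31)


def bump_serial(zone_text: str, today: str) -> str:
    """Rewrite the serial line with the next serial, refusing to emit a value
    a secondary would ignore."""
    old = read_serial(zone_text)
    new = next_serial(old, today)
    if not serial_is_newer(old, new):
        raise ValueError(f"serial {new} would not be seen as newer than {old}")
    return SERIAL_LINE.sub(lambda m: f"{m.group(1)}{new}{m.group(3)}",
                           zone_text, count=1)


if __name__ == "__main__":
    print(bump_serial(ZONE_TEXT, "20161202"))
```

Run it over the real file before `systemctl restart named` (or `rndc reload`), and it will refuse to write a serial the secondary would not accept.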
[3. Remote DNS updates (dynamic update)]
DNS server side:
vim /etc/named.rfc1912.zones
zone "logo.com" IN {
type master;
file "logo.com.zone";
allow-update { 172.25.254.249; };   who may send dynamic updates (by source address)
allow-transfer { 172.25.254.249; };   who may transfer the zone
also-notify { 172.25.254.249; };   who is notified when the zone changes (172.25.254.249)
};
(An address-based allow-update is weak: updates travel over UDP, so the source address can be spoofed, and any process on 172.25.254.249 can rewrite the zone. Section 4 replaces it with a signed key.)
cp -p /var/named/logo.com.zone /mnt/logo.com.zone   keep a backup of the zone file before the experiment
chmod 770 /var/named   named runs as user named and must be able to create the journal logo.com.zone.jnl next to the zone file; with SELinux enforcing the named_write_master_zones boolean must also be on
Client side:
nsupdate
>server 172.25.254.149
>update delete www.logo.com
>send
>update add www.logo.com 86400 A 172.25.254.149
>send
>quit
update delete without a record type removes every record at www.logo.com. 86400 is the TTL, i.e. the record may be cached for one day (86400 seconds). Each send is one update transaction; the delete and the add can also be entered before a single send so that both are applied together or not at all.
Restore the original state:
rm -f /var/named/logo.com.zone /var/named/logo.com.zone.jnl   the .jnl journal holds the dynamic changes and must go as well, or named replays them
cp -p /mnt/logo.com.zone /var/named/logo.com.zone
Then run systemctl restart named on the DNS server; if dig www.logo.com gives the same answer as before the update experiment, the restore succeeded.
[4. Key-based remote DNS updates (TSIG)]
DNS server side:
cp -p /etc/rndc.key /etc/logo.key   use rndc.key as a template for the key clause
cd /mnt/
dnssec-keygen -a HMAC-MD5 -b 128 -n HOST logo   generate a 128-bit HMAC-MD5 key named logo
cat Klogo.+157+26907.key
cat Klogo.+157+26907.private
(the numeric id in the file names is printed by dnssec-keygen; use the one from your own run. HMAC-MD5 is what this lab uses, but it is obsolete; dnssec-keygen -a HMAC-SHA256 -b 256 works the same way and is what a new deployment should use.)
Both files contain the same secret: it is a symmetric key, so the ".key" file is not public and must be protected like the .private one.
vim /etc/logo.key
key "logo-key" {
algorithm hmac-md5;
secret "3L95hg5rzk7lsUCbVIUMZQ==";   replace with the Key: line from /mnt/Klogo.+157+08237.private
};
vim /etc/named.conf
include "/etc/logo.key";   ** pull in the file that holds the secret
The zone's allow-update must also be changed from the address to the key, i.e. allow-update { key "logo-key"; }; otherwise the key is never consulted. The clause name must match the key name nsupdate presents: with -k that is the name given to dnssec-keygen ("logo"), so either name the clause "logo" or select the key on the client with nsupdate -y logo-key:<secret>.
scp /mnt/Klogo.+157+08237.* [email protected]:/mnt   distribute the key files to the client; chmod 600 the copies there
systemctl restart named
Client side:
cd /mnt
nsupdate -k /mnt/Klogo.+157+08237.private
then the same server / update / send / quit dialogue as in section 3, now signed with the key.
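As an added example that is not from the original notes, covering both the nsupdate session of section 3 and the key setup of section 4: a Python script that parses the two files dnssec-keygen writes, checks that they carry the same 128-bit secret, and emits the key clause, a zone clause whose allow-update is bound to the key rather than to an address, and an nsupdate batch file with the delete/add sequence from section 3 (narrowed to A records). The file contents are constructed samples in the BIND 9.9 format with the secret quoted on the page; the key clause is named logo, the name nsupdate -k sends, rather than logo-key; function and variable names are assumptions.

```python
import base64

# Constructed sample contents of the two files dnssec-keygen writes for an
# HMAC key (BIND 9.9 format); the secret is the one quoted on the page. The
# numeric key id in the real file names is whatever your keygen run printed.
KEY_FILE_TEXT = "logo. IN KEY 512 3 157 3L95hg5rzk7lsUCbVIUMZQ==\n"
PRIVATE_FILE_TEXT = """Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: 3L95hg5rzk7lsUCbVIUMZQ==
Bits: AAA=
Created: 20161201060540
Publish: 20161201060540
Activate: 20161201060540
"""

# BIND's private-use algorithm numbers for TSIG keys and the names the
# key clause in named.conf expects.
ALGORITHM_NAMES = {157: "hmac-md5", 161: "hmac-sha1",
                   163: "hmac-sha256", 165: "hmac-sha512"}


def parse_key_file(text: str) -> tuple:
    """Parse K<name>.+<alg>+<id>.key: '<name> IN KEY <flags> <proto> <alg> <b64>'."""
    fields = text.split()
    if len(fields) < 7 or fields[1:3] != ["IN", "KEY"]:
        raise ValueError("not a dnssec-keygen .key file")
    return fields[0], int(fields[5]), "".join(fields[6:])


def parse_private_file(text: str) -> tuple:
    """Parse the 'Field: value' lines of the matching .private file."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            k, v = line.split(":", 1)
            fields[k.strip()] = v.strip()
    return int(fields["Algorithm"].split()[0]), fields["Key"]


def check_pair(key_text: str, private_text: str, bits: int = 128) -> tuple:
    """Confirm both files describe the same symmetric secret of the expected
    size; return (keyname, algorithm name, secret) for the key clause."""
    name, alg_k, secret_k = parse_key_file(key_text)
    alg_p, secret_p = parse_private_file(private_text)
    if alg_k != alg_p or secret_k != secret_p:
        raise ValueError(".key and .private do not describe the same key")
    raw = base64.b64decode(secret_k, validate=True)
    if len(raw) * 8 != bits:
        raise ValueError(f"expected a {bits}-bit secret, got {len(raw) * 8}")
    if alg_k not in ALGORITHM_NAMES:
        raise ValueError(f"unknown TSIG algorithm number {alg_k}")
    # Strip the trailing dot: this is the name nsupdate -k puts in the TSIG
    # record, so the clause on the server must carry the same name.
    return name.rstrip("."), ALGORITHM_NAMES[alg_k], secret_k


def key_clause(keyname: str, algorithm: str, secret: str) -> str:
    """The key {} stanza for /etc/logo.key (included from named.conf)."""
    return (f'key "{keyname}" {{\n'
            f"    algorithm {algorithm};\n"
            f'    secret "{secret}";\n'
            "};\n")


def zone_clause(zone: str, keyname: str, secondary: str) -> str:
    """Zone stanza that accepts dynamic updates only when signed with the
    key, replacing the address-based allow-update of section 3."""
    return (f'zone "{zone}" IN {{\n'
            "    type master;\n"
            f'    file "{zone}.zone";\n'
            f'    allow-update {{ key "{keyname}"; }};\n'
            f"    allow-transfer {{ {secondary}; }};\n"
            f"    also-notify {{ {secondary}; }};\n"
            "};\n")


def nsupdate_batch(server: str, name: str, ttl: int, address: str) -> str:
    """Batch input for 'nsupdate -k K<name>.+157+<id>.private <file>': the
    section 3 delete/add sequence, committed in one send."""
    return (f"server {server}\n"
            f"update delete {name} A\n"
            f"update add {name} {ttl} A {address}\n"
            "send\n"
            "quit\n")


if __name__ == "__main__":
    keyname, algorithm, secret = check_pair(KEY_FILE_TEXT, PRIVATE_FILE_TEXT)
    print(key_clause(keyname, algorithm, secret))
    print(zone_clause("logo.com", keyname, "172.25.254.249"))
    print(nsupdate_batch("172.25.254.149", "www.logo.com", 86400, "172.25.254.149"))
```

Feed the generated batch file to nsupdate -k on the client; if the server answers with a BADKEY or NOTAUTH error, the clause name or secret in /etc/logo.key does not match what the client sent.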