bind高級
回顧
配置成緩存名稱服務器
[root@www ~]# vim /etc/named.conf
//
options {
//listen-on port 53 { 10.201.106.129; };
/* listen-on-v6 port 53 { ::1; }; */
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
//allow-query { any; };
recursion yes;
/*dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
Path to ISC DLV key
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
*/
};
查看DNS的TCP和UDP端口是否開啓
[root@www ~]# ss -tuln | grep :53
udp UNCONN 0 0 10.201.106.129:53 *:*
udp UNCONN 0 0 127.0.0.1:53 *:*
tcp LISTEN 0 3 10.201.106.129:53 *:*
tcp LISTEN 0 3 127.0.0.1:53 *:*
tcp LISTEN 0 128 :::53835 :::*
定義正向和反向區域文件
vim /etc/named.rfc1912.zones
zone "magedu.com" IN {
type master;
file "magedu.com.zone";
};
zone "106.201.10.in-addr.arpa" IN {
type master;
file "10.201.106.zone";
};
重載服務
[root@www ~]# rndc reload
server reload successful
[root@www ~]# rndc reload
server reload successful
[root@www ~]# rndc status
version: 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6
CPUs found: 1
worker threads: 1
number of zones: 21
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
[root@www ~]# tail /var/log/messages
Aug 3 13:39:42 qq named[19186]: error (network unreachable) resolving './DNSKEY/IN': 2001:503:c27::2:30#53
Aug 3 13:39:42 qq named[19186]: error (network unreachable) resolving './DNSKEY/IN': 2001:7fe::53#53
Aug 3 13:39:53 qq named[19186]: received control channel command 'reload'
Aug 3 13:39:53 qq named[19186]: loading configuration from '/etc/named.conf'
Aug 3 13:39:53 qq named[19186]: using default UDP/IPv4 port range: [1024, 65535]
Aug 3 13:39:53 qq named[19186]: using default UDP/IPv6 port range: [1024, 65535]
Aug 3 13:39:53 qq named[19186]: sizing zone task pool based on 8 zones
Aug 3 13:39:54 qq named[19186]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Aug 3 13:39:54 qq named[19186]: reloading configuration succeeded
Aug 3 13:39:54 qq named[19186]: reloading zones succeeded
創建正向區域解析庫文件
[root@www named]# vim zz.com.zone
$TTL 1D
$ORIGIN zz.com.
@ IN SOA ns1.zz.com. admin.zz.com. (
2016042501
1H
5M
3D
1D )
IN NS ns1
IN NS ns2
ns1 IN A 10.201.106.129
ns2 IN A 10.201.106.128
www IN A 10.201.106.129
* IN A 10.201.106.129
[root@www named]# named-checkzone "zz.com" /var/named/zz.com.zone
zone zz.com/IN: loaded serial 2016042501
OK
更改區域記錄文件權限
[root@www named]# chmod 640 zz.com.zone
[root@www named]# chown :named zz.com.zone
[root@www named]# ll zz.com.zone
-rw-r----- 1 root named 217 Aug 3 14:09 zz.com.zone
重新加載named
[root@www named]# rndc reload
server reload successful
[root@www named]# tail /var/log/messages
Aug 3 14:14:07 qq named[19186]: received control channel command 'reload'
Aug 3 14:14:07 qq named[19186]: loading configuration from '/etc/named.conf'
Aug 3 14:14:07 qq named[19186]: using default UDP/IPv4 port range: [1024, 65535]
Aug 3 14:14:07 qq named[19186]: using default UDP/IPv6 port range: [1024, 65535]
Aug 3 14:14:07 qq named[19186]: sizing zone task pool based on 9 zones
Aug 3 14:14:07 qq named[19186]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Aug 3 14:14:07 qq named[19186]: reloading configuration succeeded
Aug 3 14:14:07 qq named[19186]: zone zz.com/IN: loaded serial 2016042501
Aug 3 14:14:07 qq named[19186]: reloading zones succeeded
Aug 3 14:14:07 qq named[19186]: zone zz.com/IN: sending notifies (serial 2016042501)
記錄測試
[root@www named]# dig -t A www.zz.com @10.201.106.129
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t A www.zz.com @10.201.106.129
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3270
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.zz.com. IN A
;; ANSWER SECTION:
www.zz.com. 86400 IN A 10.201.106.129
;; AUTHORITY SECTION:
zz.com. 86400 IN NS ns2.zz.com.
zz.com. 86400 IN NS ns1.zz.com.
泛域名解析
[root@www named]# dig -t A ftp.zz.com @10.201.106.129
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t A ftp.zz.com @10.201.106.129
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4797
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;ftp.zz.com. IN A
;; ANSWER SECTION:
ftp.zz.com. 86400 IN A 10.201.106.129
;; AUTHORITY SECTION:
zz.com. 86400 IN NS ns2.zz.com.
zz.com. 86400 IN NS ns1.zz.com.
子域授權
在區域解析庫創建子域
[root@www named]# vim zz.com.zone
$TTL 1D
$ORIGIN zz.com.
@ IN SOA ns1.zz.com. admin.zz.com. (
2016042501
1H
5M
3D
1D )
IN NS ns1
IN NS ns2
ns1 IN A 10.201.106.129
ns2 IN A 10.201.106.128
www IN A 10.201.106.129
* IN A 10.201.106.129
ops IN NS ns1.ops ; 子域定義(委派記錄)
ops IN NS ns2.ops ; 子域定義(委派記錄)
ns1.ops IN A 10.201.106.128 ; 子域定義(膠水記錄)
ns2.ops IN A 10.201.106.131 ; 子域定義(膠水記錄)
重載後區域數不會發生改變(子域委派只是父域區域中的記錄,並不是一個新的區域)
[root@www named]#
[root@www named]# rndc status
version: 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6
CPUs found: 1
worker threads: 1
number of zones: 22
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
[root@www named]#
[root@www named]# rndc reload
server reload successful
[root@www named]#
[root@www named]# rndc status
version: 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6
CPUs found: 1
worker threads: 1
number of zones: 22
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
[root@www named]#
配置子域服務器
子域服務器同樣先配置成緩存名稱服務器(修改 /etc/named.conf)
定義子域區域
[root@zz ~]# vim /etc/named.rfc1912.zones
55 zone "ops.zz.com" IN {
56 type master;
57 file "ops.zz.com";
58 };
重載後已經增加了一個區域
[root@zz ~]# rndc status
version: 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6
CPUs found: 1
worker threads: 1
number of zones: 21
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
[root@zz ~]#
[root@zz ~]# rndc reload
server reload successful
[root@zz ~]# rndc status
version: 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6
CPUs found: 1
worker threads: 1
number of zones: 22
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
[root@zz ~]#
編輯子域的正向區域解析庫文件
[root@zz named]# vim ops.zz.com.zone
1 $TTl 1d
2 $ORIGIN ops.zz.com.
3 @ IN SOA ns1.ops.zz.com. admin.ops.zz.com. (
4 2015042501
5 1H
6 10M
7 3D
8 1D )
9 IN NS ns1
10 IN NS ns2
11 ns1 IN A 10.201.106.128
12 ns2 IN A 10.201.106.131
13 www IN A 10.201.106.200
14 * IN A 10.201.106.200
[root@zz named]# named-checkzone "ops.zz.com" /var/named/ops.zz.com.zone
zone ops.zz.com/IN: loaded serial 2015042501
OK
[root@zz named]# vim ops.zz.com.zone
[root@zz named]# tail /var/log/messages
Jul 29 18:39:35 zz named[2524]: loading configuration from '/etc/named.conf'
Jul 29 18:39:35 zz named[2524]: using default UDP/IPv4 port range: [1024, 65535]
Jul 29 18:39:35 zz named[2524]: using default UDP/IPv6 port range: [1024, 65535]
Jul 29 18:39:35 zz named[2524]: sizing zone task pool based on 9 zones
Jul 29 18:39:36 zz named[2524]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Jul 29 18:39:36 zz named[2524]: zone ops.zz.com/IN: (master) removed
Jul 29 18:39:36 zz named[2524]: reloading configuration succeeded
Jul 29 18:39:36 zz named[2524]: zone ops.zz.com/IN: loaded serial 2015042501
Jul 29 18:39:36 zz named[2524]: reloading zones succeeded
Jul 29 18:39:36 zz named[2524]: zone ops.zz.com/IN: sending notifies (serial 2015042501)
修改權限
[root@zz named]# chgrp named ops.zz.com.zone
[root@zz named]# ll ops.zz.com.zone
-rw-r-----. 1 root named 232 Jul 29 21:29 ops.zz.com.zone
[root@zz named]#
[root@zz named]# dig -t NS ops.zz.com @10.201.106.128
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t NS ops.zz.com @10.201.106.128
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12464
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
;; QUESTION SECTION:
;ops.zz.com. IN NS
;; ANSWER SECTION:
ops.zz.com. 86400 IN NS ns2.ops.zz.com.
ops.zz.com. 86400 IN NS ns1.ops.zz.com.
測試子域服務器解析
[root@zz named]# dig -t A www.ops.zz.com @10.201.106.128
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t A www.ops.zz.com @10.201.106.128
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17382
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.ops.zz.com. IN A
;; ANSWER SECTION:
www.ops.zz.com. 86400 IN A 10.201.106.200
;; AUTHORITY SECTION:
ops.zz.com. 86400 IN NS ns1.ops.zz.com.
ops.zz.com. 86400 IN NS ns2.ops.zz.com.
在父域服務器上測試子域委派(+norecurse,只返回委派的 NS 與膠水記錄,不帶 aa 標誌)
[root@www named]# dig -t NS ops.zz.com @10.201.106.129 +norecurse
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t NS ops.zz.com @10.201.106.129 +norecurse
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42676
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;ops.zz.com. IN NS
;; AUTHORITY SECTION:
ops.zz.com. 86400 IN NS ns1.ops.zz.com.
ops.zz.com. 86400 IN NS ns2.ops.zz.com.
;; ADDITIONAL SECTION:
ns1.ops.zz.com. 86400 IN A 10.201.106.128
ns2.ops.zz.com. 86400 IN A 10.201.106.131
解決父域與子域之間互相解析的問題:
定義轉發域
父域配置(全局轉發)
vim /etc/named.conf
options {
listen-on port 53 { 10.201.106.128;127.0.0.1; };
//listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion yes;
forward first; ***
forwarders { 10.201.106.2; }; ***
子域(區域轉發),配置子域對zz.com的解析都轉發給主服務器解析;
vim /etc/named.rfc1912.zones
zone "zz.com" IN {
type forward;
forward only;
forwarders { 10.201.106.129; };
};
測試:在子域解析父域的域名
[root@zz ~]# dig -t A www.magedu.com @10.201.106.128
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t A www.magedu.com @10.201.106.128
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39821
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.magedu.com. IN A
;; ANSWER SECTION:
www.magedu.com. 86400 IN A 10.201.106.129
www.magedu.com. 86400 IN A 10.201.106.128
測試:在父域測試子域的域名
[root@qq ~]# dig -t A ns1.ops.zz.com @10.201.106.129
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t A ns1.ops.zz.com @10.201.106.129
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13781
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; QUESTION SECTION:
;ns1.ops.zz.com. IN A
;; ANSWER SECTION:
ns1.ops.zz.com. 86400 IN A 10.201.106.128
若將子域的轉發區域註釋掉後再測試,子域將不能解析父域的域名:
將轉發區域註釋掉(/etc/named.rfc1912.zones)
[root@zz ~]# dig -t A www.zz.com @10.201.106.128
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t A www.zz.com @10.201.106.128
;; global options: +cmd
;; Got answer:
查看防火牆是否打開
[root@zz ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@zz ~]#
清空緩存
rndc flush
區域轉發配置的優先級高於全局轉發配置
當子域服務器同時配置區域和全局解析配置時,解析內網的域名時找父域服務器,解析外網的域名時找外網DNS服務器;
配置:
全局解析配置:
[root@zz ~]# vim /etc/named.conf
forward first;
forwarders { 10.201.106.2; };
區域解析配置:
[root@zz ~]# vim /etc/named.rfc1912.zones
zone "zz.com" IN {
type forward;
forward only;
forwarders { 10.201.106.129; };
};
測試驗證:
[root@zz ~]# dig -t A www.baidu.com @10.201.106.128
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t A www.baidu.com @10.201.106.128
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27032
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 13, ADDITIONAL: 10
;; QUESTION SECTION:
;www.baidu.com. IN A
;; ANSWER SECTION:
www.baidu.com. 5 IN CNAME www.a.shifen.com.
www.a.shifen.com. 5 IN A 111.13.100.91
www.a.shifen.com. 5 IN A 111.13.100.92
;; AUTHORITY SECTION:
. 5 IN NS e.root-servers.net.
. 5 IN NS f.root-servers.net.
. 5 IN NS h.root-servers.net.
. 5 IN NS g.root-servers.net.
. 5 IN NS d.root-servers.net.
. 5 IN NS i.root-servers.net.
. 5 IN NS c.root-servers.net.
. 5 IN NS l.root-servers.net.
. 5 IN NS a.root-servers.net.
. 5 IN NS j.root-servers.net.
. 5 IN NS k.root-servers.net.
. 5 IN NS b.root-servers.net.
. 5 IN NS m.root-servers.net.
;; ADDITIONAL SECTION:
h.root-servers.net. 5 IN A 198.97.190.53
j.root-servers.net. 5 IN A 192.58.128.30
j.root-servers.net. 5 IN AAAA 2001:503:c27::2:30
e.root-servers.net. 5 IN A 192.203.230.10
a.root-servers.net. 5 IN A 198.41.0.4
a.root-servers.net. 5 IN AAAA 2001:503:ba3e::2:30
k.root-servers.net. 5 IN A 193.0.14.129
k.root-servers.net. 5 IN AAAA 2001:7fd::1
d.root-servers.net. 5 IN A 199.7.91.13
d.root-servers.net. 5 IN AAAA 2001:500:2d::d
;; Query time: 12 msec
;; SERVER: 10.201.106.128#53(10.201.106.128)
;; WHEN: Fri Jul 29 23:41:15 2016
;; MSG SIZE rcvd: 509
[root@zz ~]# dig -t A www.zz.com @10.201.106.128
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t A www.zz.com @10.201.106.128
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6758
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.zz.com. IN A
;; ANSWER SECTION:
www.zz.com. 85785 IN A 10.201.106.129
;; AUTHORITY SECTION:
zz.com. 85770 IN NS ns1.zz.com.
zz.com. 85770 IN NS ns2.zz.com.
;; ADDITIONAL SECTION:
ns2.zz.com. 85770 IN A 10.201.106.128
ns1.zz.com. 85770 IN A 10.201.106.129
;; Query time: 1 msec
;; SERVER: 10.201.106.128#53(10.201.106.128)
;; WHEN: Fri Jul 29 23:41:27 2016
;; MSG SIZE rcvd: 112
如果失敗,可以檢查 named.conf 裏的安全相關配置(如 dnssec 相關選項)並改爲 no;兩邊服務器的安全配置需要完全一致,不能一邊關閉、一邊註釋;
bind的基礎安全配置
acl的定義(定義後可在 allow-query、allow-transfer 等選項中以名稱引用)
[root@qq ~]# vim /etc/named.conf
acl slaves {
10.201.106.129;
127.0.0.1;
};
只允許特定主機查詢主域服務器的解析記錄
如果不在白名單,就算是自己服務器的其它IP也無法查詢
/etc/named.rfc1912.zones
zone "zz.com" IN {
type master;
file "zz.com.zone";
allow-query { 10.201.106.129; };
};
換成any,任意主機都可以查詢;
zone "zz.com" IN {
type master;
file "zz.com.zone";
allow-query { any; };
};
從子域服務器向主域服務器發起查詢
[root@zz ~]# dig -t A www.zz.com @10.201.106.129
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t A www.zz.com @10.201.106.129
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3007
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.zz.com. IN A
;; ANSWER SECTION:
www.zz.com. 86400 IN A 10.201.106.129
;; AUTHORITY SECTION:
zz.com. 86400 IN NS ns1.zz.com.
zz.com. 86400 IN NS ns2.zz.com.
只允許主域本機進行區域傳送(若 ns2 作爲從服務器需要同步區域,則需將其 IP 也加入 allow-transfer)
未配置 allow-transfer 前,子域服務器可以從主域進行區域傳送:
[root@zz ~]# dig -t AXFR zz.com @10.201.106.129
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t AXFR zz.com @10.201.106.129
;; global options: +cmd
zz.com. 86400 IN SOA ns1.zz.com. admin.zz.com. 2016042501 3600 300 259200 86400
zz.com. 86400 IN NS ns1.zz.com.
zz.com. 86400 IN NS ns2.zz.com.
*.zz.com. 86400 IN A 10.201.106.129
ns1.zz.com. 86400 IN A 10.201.106.129
ns2.zz.com. 86400 IN A 10.201.106.128
ops.zz.com. 86400 IN NS ns1.ops.zz.com.
ns1.ops.zz.com. 86400 IN A 10.201.106.128
www.zz.com. 86400 IN A 10.201.106.129
zz.com. 86400 IN SOA ns1.zz.com. admin.zz.c
在主域服務器的 /etc/named.rfc1912.zones 中進行限制
zone "zz.com" IN {
type master;
file "zz.com.zone";
allow-query { any; };
allow-transfer { 10.201.106.129; };
};
子域再測試,不能再傳送了:
[root@zz ~]# dig -t AXFR zz.com @10.201.106.129
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t AXFR zz.com @10.201.106.129
;; global options: +cmd
; Transfer failed.
主域本機仍可以正常進行區域傳送
[root@qq ~]# dig -t AXFR zz.com @10.201.106.129
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t AXFR zz.com @10.201.106.129
;; global options: +cmd
zz.com. 86400 IN SOA ns1.zz.com. admin.zz.com. 2016042501 3600 300 259200 86400
zz.com. 86400 IN NS ns1.zz.com.
zz.com. 86400 IN NS ns2.zz.com.
*.zz.com. 86400 IN A 10.201.106.129
ns1.zz.com. 86400 IN A 10.201.106.129
ns2.zz.com. 86400 IN A 10.201.106.128
ops.zz.com. 86400 IN NS ns1.ops.zz.com.
ns1.ops.zz.com. 86400 IN A 10.201.106.128
www.zz.com. 86400 IN A 10.201.106.129
zz.com. 86400 IN SOA ns1.zz.com. admin.zz.com. 2016042501 3600 300 259200 86400
;; Query time: 2 msec
;; SERVER: 10.201.106.129#53(10.201.106.129)
;; WHEN: Wed Aug 3 20:33:43 2016
;; XFR size: 10 records (messages 1, bytes 246)
限制允許哪些主機進行遞歸查詢
/etc/named.conf
allow-recursion { ip; };
禁止動態更新區域數據庫中的內容
zone "zz.com" IN {
type master;
file "zz.com.zone";
allow-update { none; };
};