Linux Learning 72: Advanced DNS, implementing master/slave and intelligent (view-based) DNS with bind
一、Configuring the slave server in a DNS master/slave setup
1、Notes:
a、A slave is a per-zone concept. If the master has 10 forward or reverse zones, the slave may be a slave for only one of them. If it is a slave only for the first zone, then only that zone's copy exists on the slave; to be a slave for three zones, three slave zones must be configured.
b、It can also be arranged so that server one is master for the forward zone and server two its slave, while server two is master for the reverse zone and server one its slave. Both arrangements are fine.
c、Slaves can also be cascaded: one master provides the forward zone's data; a second server replicates it from the master and then holds its own copy of the zone file, and it can in turn be the source for other servers; a third server is configured not as a slave of the master but as a slave of the second server. This is called cascading.
2、How do we make both master and slave useful? A DNS server generally has two roles: if it is responsible for resolving a zone it is a DNS server for that zone; if not, it is a DNS caching server.
3、Configuring a slave zone
a、On the slave server:
(1)、Define the zone
1)、Define a slave zone
zone "ZONE_NAME" IN {
    type slave;
    file "slaves/ZONE_NAME.zone";   # relative to /var/named
    masters { MASTER_IP; };
};
2)、Check the configuration syntax: named-checkconf
(2)、Reload the configuration
rndc reload
systemctl reload named.service
b、On the master server:
(1)、Make sure the zone data file has an NS record for every slave; otherwise the slave will not be recognized as a name server for the zone;
二、Installing the slave server
1、Install the bind package, the same as on the master
2、Edit the main configuration file /etc/named.conf so that named listens on the external address, and disable the restriction that allows only local queries
[root@node2 /]# cat /etc/named.conf|grep -Ev "^$|^//"
options {
        listen-on port 53 { 127.0.0.1;192.168.10.14; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        //allow-query     { localhost; };
        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;
        dnssec-enable no;
        dnssec-validation no;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
3、Start the named service on the slave
[root@node2 /]# systemctl start named
[root@node2 /]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-05-09 23:42:51 CST; 5s ago
  Process: 1928 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 1925 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 1930 (named)
   Memory: 13.6M
   CGroup: /system.slice/named.service
           └─1930 /usr/sbin/named -u named -c /etc/named.conf

May 09 23:42:51 node2 named[1930]: managed-keys-zone: loaded serial 0
May 09 23:42:51 node2 named[1930]: zone 0.in-addr.arpa/IN: loaded serial 0
May 09 23:42:51 node2 named[1930]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
May 09 23:42:51 node2 named[1930]: zone localhost/IN: loaded serial 0
May 09 23:42:51 node2 named[1930]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
May 09 23:42:51 node2 named[1930]: zone localhost.localdomain/IN: loaded serial 0
May 09 23:42:51 node2 named[1930]: all zones loaded
May 09 23:42:51 node2 named[1930]: running
May 09 23:42:51 node2 named[1930]: error (network unreachable) resolving './DNSKEY/IN': 2001:7fe::53#53
May 09 23:42:51 node2 named[1930]: error (network unreachable) resolving './NS/IN': 2001:7fe::53#53
4、Next, configure it as a slave for the forward zone by defining the zone in /etc/named.rfc1912.zones
[root@node2 /]# tail -5 /etc/named.rfc1912.zones
zone "wohaoshuai.com" IN {
        type slave;
        file "slaves/wohaoshuai.com.zone";
        masters { 192.168.10.13; };
};
5、Check the configuration syntax for errors
[root@node2 /]# named-checkconf
6、Configuration on the master
a、In the forward zone on the master 192.168.10.13, add an NS record, for example ns2. The name ns2 has nothing to do with the slave host's own hostname, but ns2 must have an A record, and that A record must point at the slave host! In the zone file below there are two NS records, ns1 and ns2; ns1 has an A record for the master 192.168.10.13 and ns2 an A record for the slave 192.168.10.14. (Before there was a slave, the master seemed to work even when ns1's A record did not point at the master's IP, but it is best that ns1's A record does point at the master.)
[root@www /]# cat /var/named/wohaoshuai.com.zone
$TTL 3600
$ORIGIN wohaoshuai.com.
@       IN      SOA     wohaoshuai.com. dnsadmin.wohaoshuai.com. (
                2020050901
                1H
                10M
                3D
                1D )
        IN      NS      ns1
        IN      NS      ns2
        IN      MX 10   mx1
        IN      MX 20   mx2
ns1     IN      A       192.168.10.13
ns2     IN      A       192.168.10.14
mx1     IN      A       192.168.10.40
mx2     IN      A       192.168.10.50
www     IN      A       192.168.10.60
web     IN      CNAME   www
bbs     IN      A       172.16.100.70
bbs     IN      A       172.16.100.71
b、Once the slave and master are connected, every time the master's forward zone is modified the serial must be incremented, for example from 2020050901 to 2020050902; otherwise the slave, seeing an unchanged serial when it checks, will not update.
c、Now check the modified zone on the master; if it is fine, reload the configuration
[root@www /]# named-checkzone wohaoshuai.com /var/named/wohaoshuai.com.zone
zone wohaoshuai.com/IN: loaded serial 2020050901
OK
[root@www /]# rndc reload
server reload successful
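The serial rule in b above is easy to get wrong by hand, and the slave compares serials with RFC 1982 serial arithmetic rather than plain integer comparison. The following is an added example, not code from the original notes: a small Python tool that reads the SOA serial from a zone file, decides whether a new serial would be treated as newer by a slave, and rewrites the serial in the YYYYMMDDnn convention used on this page. The zone text is a constructed sample modelled on the zone above.

```python
import re
from datetime import date

# Constructed sample modelled on the zone file shown above (not read from a server).
SAMPLE_ZONE = """$TTL 3600
$ORIGIN wohaoshuai.com.
@       IN      SOA     wohaoshuai.com. dnsadmin.wohaoshuai.com. (
                2020050901
                1H
                10M
                3D
                1D )
        IN      NS      ns1
        IN      NS      ns2
ns1     IN      A       192.168.10.13
ns2     IN      A       192.168.10.14
"""

# "SOA <mname> <rname> (" followed by the serial; the serial may sit on the next line.
SOA_SERIAL_RE = re.compile(r"(\bSOA\s+\S+\s+\S+\s*\(\s*)(\d+)")

SERIAL_MODULUS = 2 ** 32


def read_serial(zone_text):
    """Return the SOA serial found in a master-file text."""
    m = SOA_SERIAL_RE.search(zone_text)
    if m is None:
        raise ValueError("no SOA serial found")
    return int(m.group(2))


def serial_is_newer(new, old):
    """RFC 1982 serial arithmetic, which is what a slave applies when it compares
    the master's SOA serial with its own: 'new' is newer when it is ahead of 'old'
    by less than 2^31 modulo 2^32. A serial that is not newer is ignored."""
    return new != old and (new - old) % SERIAL_MODULUS < 2 ** 31


def next_serial(old, today=None):
    """Next serial in the YYYYMMDDnn convention: today's date with revision 01,
    unless the old serial already reaches today's date, in which case old + 1.
    'today' is an int YYYYMMDD (defaults to the current date)."""
    if today is None:
        today = int(date.today().strftime("%Y%m%d"))
    candidate = today * 100 + 1
    new = candidate if candidate > old else old + 1
    new %= SERIAL_MODULUS
    if not serial_is_newer(new, old):
        raise ValueError(f"serial {new} would not be seen as newer than {old}")
    return new


def bump_serial(zone_text, today=None):
    """Rewrite the SOA serial in the text; returns (new_text, old_serial, new_serial)."""
    old = read_serial(zone_text)
    new = next_serial(old, today)
    new_text = SOA_SERIAL_RE.sub(lambda m: m.group(1) + str(new), zone_text, count=1)
    return new_text, old, new


if __name__ == "__main__":
    text, old, new = bump_serial(SAMPLE_ZONE)
    print(f"serial {old} -> {new}")
    print(text)
```

Run it against a real file by reading /var/named/ZONE.zone into bump_serial and writing the result back, then validate with named-checkzone as in step c before rndc reload; the serial_is_newer check is the same comparison that decides whether the slave will transfer.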
7、Now reload the slave
[root@node2 /]# rndc reload
server reload successful
[root@node2 /]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-05-09 23:42:51 CST; 34min ago
  Process: 1928 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 1925 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 1930 (named)
   Memory: 19.9M
   CGroup: /system.slice/named.service
           └─1930 /usr/sbin/named -u named -c /etc/named.conf

May 10 00:16:44 node2 named[1930]: reloading configuration succeeded
May 10 00:16:44 node2 named[1930]: reloading zones succeeded
May 10 00:16:44 node2 named[1930]: all zones loaded
May 10 00:16:44 node2 named[1930]: running
May 10 00:16:44 node2 named[1930]: zone wohaoshuai.com/IN: refresh: unexpected rcode (REFUSED) from master 192.168.10.13#53 (source 0.0.0.0#0)   # the slave refreshes here
May 10 00:16:44 node2 named[1930]: zone wohaoshuai.com/IN: Transfer started.
May 10 00:16:44 node2 named[1930]: transfer of 'wohaoshuai.com/IN' from 192.168.10.13#53: connected using 192.168.10.14#43658
May 10 00:16:44 node2 named[1930]: zone wohaoshuai.com/IN: transferred serial 2020050901   # serial transferred from the master
May 10 00:16:44 node2 named[1930]: transfer of 'wohaoshuai.com/IN' from 192.168.10.13#53: Transfer completed: 1 messages, 14 records, 327 bytes, 0.003 secs (109000 bytes/sec)   # transfer completed
May 10 00:16:44 node2 named[1930]: zone wohaoshuai.com/IN: sending notifies (serial 2020050901)
8、On the slave
a、Check on the slave whether the forward zone has been synchronized
[root@node2 /]# ll /var/named/slaves/
total 4
-rw-r--r-- 1 named named 631 May 10 00:16 wohaoshuai.com.zone
b、wohaoshuai.com.zone looks like garbage when viewed: on CentOS 6 it is a text file, on CentOS 7 it is binary (BIND stores slave zones in its raw format by default; named-compilezone can convert the file to text for inspection)
c、Resolve www.wohaoshuai.com on the slave; it resolves
[root@node2 /]# dig -t A www.wohaoshuai.com @192.168.10.14

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> -t A www.wohaoshuai.com @192.168.10.14
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45512
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.wohaoshuai.com.            IN      A

;; ANSWER SECTION:
www.wohaoshuai.com.     3600    IN      A       192.168.10.60

;; AUTHORITY SECTION:
wohaoshuai.com.         3600    IN      NS      ns2.wohaoshuai.com.
wohaoshuai.com.         3600    IN      NS      ns1.wohaoshuai.com.

;; ADDITIONAL SECTION:
ns1.wohaoshuai.com.     3600    IN      A       192.168.10.13
ns2.wohaoshuai.com.     3600    IN      A       192.168.10.14

;; Query time: 0 msec
;; SERVER: 192.168.10.14#53(192.168.10.14)
;; WHEN: Sun May 10 00:23:55 CST 2020
;; MSG SIZE  rcvd: 131
9、Now add an A record for pop3.wohaoshuai.com on the master and see whether the slave can resolve it
a、Before it is added, resolving on the slave fails
[root@node2 /]# host -t A pop3.wohaoshuai.com
^C[root@node2 /]#
b、Add the A record on the master and bump the serial
[root@www /]# cat /var/named/wohaoshuai.com.zone |grep -E "2020|pop"
                2020050902
pop3    IN      A       192.168.10.73
c、Then reload all zones on the master with rndc reload (it is better to reload only the zone that changed, with
rndc reload ZONE_NAME)
[root@www /]# rndc reload
server reload successful
d、Check the master's named status with systemctl status
[root@www /]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
   Active: active (running) since 六 2020-05-09 10:01:56 CST; 6h ago
  Process: 2189 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 2186 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 2191 (named)
   Memory: 15.5M
   CGroup: /system.slice/named.service
           └─2191 /usr/sbin/named -u named -c /etc/named.conf

5月 09 16:36:18 www.wohaoshuai.com named[2191]: reloading configuration succeeded
5月 09 16:36:18 www.wohaoshuai.com named[2191]: reloading zones succeeded
5月 09 16:36:18 www.wohaoshuai.com named[2191]: zone wohaoshuai.com/IN: loaded serial 2020050902   # the serial is now at the second revision
5月 09 16:36:18 www.wohaoshuai.com named[2191]: all zones loaded
5月 09 16:36:18 www.wohaoshuai.com named[2191]: running
5月 09 16:36:18 www.wohaoshuai.com named[2191]: zone wohaoshuai.com/IN: sending notifies (serial 2020050902)   # sending notify
5月 09 16:36:18 www.wohaoshuai.com named[2191]: client 192.168.10.14#34210 (wohaoshuai.com): query 'wohaoshuai.com/SOA/IN' denied
5月 09 16:36:18 www.wohaoshuai.com named[2191]: client 192.168.10.14#58027 (wohaoshuai.com): transfer of 'wohaoshuai.com/IN': AXFR-style IXFR started
5月 09 16:36:18 www.wohaoshuai.com named[2191]: client 192.168.10.14#58027 (wohaoshuai.com): transfer of 'wohaoshuai.com/IN': AXFR-style IXFR ended
5月 09 16:36:19 www.wohaoshuai.com named[2191]: client 192.168.10.14#2460: received notify for zone 'wohaoshuai.com'
e、Check named status on the slave
[root@node2 /]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-05-09 23:42:51 CST; 59min ago
  Process: 1928 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 1925 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 1930 (named)
   Memory: 19.9M
   CGroup: /system.slice/named.service
           └─1930 /usr/sbin/named -u named -c /etc/named.conf

May 10 00:16:44 node2 named[1930]: zone wohaoshuai.com/IN: transferred serial 2020050901
May 10 00:16:44 node2 named[1930]: transfer of 'wohaoshuai.com/IN' from 192.168.10.13#53: Transfer completed: 1 messages, 14 records, 327 bytes, 0.003 secs (109000 bytes/sec)
May 10 00:16:44 node2 named[1930]: zone wohaoshuai.com/IN: sending notifies (serial 2020050901)
May 10 00:35:31 node2 named[1930]: client 192.168.10.13#59759: received notify for zone 'wohaoshuai.com'
May 10 00:35:31 node2 named[1930]: zone wohaoshuai.com/IN: refresh: unexpected rcode (REFUSED) from master 192.168.10.13#53 (source 0.0.0.0#0)
May 10 00:35:31 node2 named[1930]: zone wohaoshuai.com/IN: Transfer started.
May 10 00:35:31 node2 named[1930]: transfer of 'wohaoshuai.com/IN' from 192.168.10.13#53: connected using 192.168.10.14#58027
May 10 00:35:31 node2 named[1930]: zone wohaoshuai.com/IN: transferred serial 2020050902   # the serial has been updated
May 10 00:35:31 node2 named[1930]: transfer of 'wohaoshuai.com/IN' from 192.168.10.13#53: Transfer completed: 1 messages, 15 records, 348 bytes, 0.006 secs (58000 bytes/sec)
May 10 00:35:31 node2 named[1930]: zone wohaoshuai.com/IN: sending notifies (serial 2020050902)
f、Now resolve the new A record against the slave; it resolves
[root@node2 /]# host -t A pop3.wohaoshuai.com 192.168.10.14
Using domain server:
Name: 192.168.10.14
Address: 192.168.10.14#53
Aliases:

pop3.wohaoshuai.com has address 192.168.10.73
三、Configuring the slave for the reverse zone
1、Define the reverse zone in /etc/named.rfc1912.zones on the slave
[root@node2 /]# tail -5 /etc/named.rfc1912.zones
zone "10.168.192.in-addr.arpa" IN {
        type slave;
        file "slaves/192.168.10.zone";
        masters { 192.168.10.13; };
};
2、Check the slave's main configuration file for errors
[root@node2 /]# named-checkconf
[root@node2 /]#
3、Make sure the master's reverse zone contains an NS record for the slave, and check the zone for syntax errors
[root@www /]# cat /var/named/192.168.100.zone
$TTL 3600
$ORIGIN 10.168.192.in-addr.arpa.
@       IN      SOA     ns1.wohaoshuai.com. nsadmin.wohaoshuai.com. (
                2020050901
                1H
                10M
                3D
                12H )
        IN      NS      ns1.wohaoshuai.com.
        IN      NS      ns2.wohaoshuai.com.
13      IN      PTR     ns1.wohaoshuai.com.
14      IN      PTR     ns2.wohaoshuai.com.
40      IN      PTR     mx1.wohaoshuai.com.
70      IN      PTR     bbs.wohaoshuai.com.
71      IN      PTR     bbs.wohaoshuai.com.
60      IN      PTR     www.wohaoshuai.com.
[root@www /]# named-checkzone 10.168.192.in-addr.arpa /var/named/192.168.100.zone
zone 10.168.192.in-addr.arpa/IN: loaded serial 2020050901
OK
4、Reload both master and slave, the master first; afterwards the slave has generated the corresponding zone file
[root@node2 /]# named-checkconf
[root@node2 /]# rndc reload
server reload successful
[root@node2 /]# ls /var/named/slaves/
192.168.10.zone  wohaoshuai.com.zone
5、Resolve the address 192.168.10.60 on the slave; it succeeds
[root@node2 /]# dig -x 192.168.10.60 @192.168.10.14

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> -x 192.168.10.60 @192.168.10.14
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62923
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;60.10.168.192.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
60.10.168.192.in-addr.arpa. 3600 IN     PTR     www.wohaoshuai.com.

;; AUTHORITY SECTION:
10.168.192.in-addr.arpa. 3600   IN      NS      ns2.wohaoshuai.com.
10.168.192.in-addr.arpa. 3600   IN      NS      ns1.wohaoshuai.com.

;; ADDITIONAL SECTION:
ns1.wohaoshuai.com.     3600    IN      A       192.168.10.13
ns2.wohaoshuai.com.     3600    IN      A       192.168.10.14

;; Query time: 0 msec
;; SERVER: 192.168.10.14#53(192.168.10.14)
;; WHEN: Sun May 10 01:14:28 CST 2020
;; MSG SIZE  rcvd: 155
6、Add a record on the master, bump the serial, and see whether the slave can resolve it
a、On the master, add the record, bump the serial, and reload
[root@www /]# cat /var/named/192.168.100.zone
$TTL 3600
$ORIGIN 10.168.192.in-addr.arpa.
@       IN      SOA     ns1.wohaoshuai.com. nsadmin.wohaoshuai.com. (
                2020050902
                1H
                10M
                3D
                12H )
        IN      NS      ns1.wohaoshuai.com.
        IN      NS      ns2.wohaoshuai.com.
13      IN      PTR     ns1.wohaoshuai.com.
14      IN      PTR     ns2.wohaoshuai.com.
40      IN      PTR     mx1.wohaoshuai.com.
70      IN      PTR     bbs.wohaoshuai.com.
71      IN      PTR     bbs.wohaoshuai.com.
60      IN      PTR     www.wohaoshuai.com.
61      IN      PTR     aaa.wohaoshuai.com.
[root@www /]# rndc reload
server reload successful
b、Resolve on the slave; it resolves
[root@node2 /]# dig -x 192.168.10.61 @192.168.10.14

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> -x 192.168.10.61 @192.168.10.14
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27748
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;61.10.168.192.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
61.10.168.192.in-addr.arpa. 3600 IN     PTR     aaa.wohaoshuai.com.

;; AUTHORITY SECTION:
10.168.192.in-addr.arpa. 3600   IN      NS      ns2.wohaoshuai.com.
10.168.192.in-addr.arpa. 3600   IN      NS      ns1.wohaoshuai.com.

;; ADDITIONAL SECTION:
ns1.wohaoshuai.com.     3600    IN      A       192.168.10.13
ns2.wohaoshuai.com.     3600    IN      A       192.168.10.14

;; Query time: 2 msec
;; SERVER: 192.168.10.14#53(192.168.10.14)
;; WHEN: Sun May 10 01:19:38 CST 2020
;; MSG SIZE  rcvd: 155
四、Testing zone transfer
1、On the slave, test a zone transfer from the master. If it succeeds, a manual transfer from the master to the slave works, and as long as that works, synchronization should work too
[root@node2 /]# dig -t axfr wohaoshuai.com @192.168.10.13

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> -t axfr wohaoshuai.com @192.168.10.13
;; global options: +cmd
wohaoshuai.com.         3600    IN      SOA     wohaoshuai.com. dnsadmin.wohaoshuai.com. 2020050902 3600 600 259200 86400
wohaoshuai.com.         3600    IN      NS      ns1.wohaoshuai.com.
wohaoshuai.com.         3600    IN      NS      ns2.wohaoshuai.com.
wohaoshuai.com.         3600    IN      MX      10 mx1.wohaoshuai.com.
wohaoshuai.com.         3600    IN      MX      20 mx2.wohaoshuai.com.
bbs.wohaoshuai.com.     3600    IN      A       192.168.10.71
bbs.wohaoshuai.com.     3600    IN      A       192.168.10.72
mx1.wohaoshuai.com.     3600    IN      A       192.168.10.40
mx2.wohaoshuai.com.     3600    IN      A       192.168.10.50
ns1.wohaoshuai.com.     3600    IN      A       192.168.10.13
ns2.wohaoshuai.com.     3600    IN      A       192.168.10.14
pop3.wohaoshuai.com.    3600    IN      A       192.168.10.73
web.wohaoshuai.com.     3600    IN      CNAME   www.wohaoshuai.com.
www.wohaoshuai.com.     3600    IN      A       192.168.10.60
wohaoshuai.com.         3600    IN      SOA     wohaoshuai.com. dnsadmin.wohaoshuai.com. 2020050902 3600 600 259200 86400
;; Query time: 4 msec
;; SERVER: 192.168.10.13#53(192.168.10.13)
;; WHEN: Sun May 10 01:27:04 CST 2020
;; XFR size: 15 records (messages 1, bytes 348)
2、The reverse zone can be transferred the same way
[root@node2 /]# dig -t axfr 10.168.192.in-addr.arpa @192.168.10.13

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> -t axfr 10.168.192.in-addr.arpa @192.168.10.13
;; global options: +cmd
10.168.192.in-addr.arpa. 3600   IN      SOA     ns1.wohaoshuai.com. nsadmin.wohaoshuai.com. 2020050902 3600 600 259200 43200
10.168.192.in-addr.arpa. 3600   IN      NS      ns1.wohaoshuai.com.
10.168.192.in-addr.arpa. 3600   IN      NS      ns2.wohaoshuai.com.
13.10.168.192.in-addr.arpa. 3600 IN     PTR     ns1.wohaoshuai.com.
14.10.168.192.in-addr.arpa. 3600 IN     PTR     ns2.wohaoshuai.com.
40.10.168.192.in-addr.arpa. 3600 IN     PTR     mx1.wohaoshuai.com.
60.10.168.192.in-addr.arpa. 3600 IN     PTR     www.wohaoshuai.com.
61.10.168.192.in-addr.arpa. 3600 IN     PTR     aaa.wohaoshuai.com.
70.10.168.192.in-addr.arpa. 3600 IN     PTR     bbs.wohaoshuai.com.
71.10.168.192.in-addr.arpa. 3600 IN     PTR     bbs.wohaoshuai.com.
10.168.192.in-addr.arpa. 3600   IN      SOA     ns1.wohaoshuai.com. nsadmin.wohaoshuai.com. 2020050902 3600 600 259200 43200
;; Query time: 2 msec
;; SERVER: 192.168.10.13#53(192.168.10.13)
;; WHEN: Sun May 10 01:29:59 CST 2020
;; XFR size: 11 records (messages 1, bytes 306)
3、Zone transfers open to anyone are a huge risk: the names and addresses of every host in the company are exposed, and from them an outsider can infer the company's organizational structure. The master should therefore allow transfers only to its slaves and refuse every other server, which means configuring access control.
4、Notes on master/slave replication:
a、The clocks of master and slave must be synchronized
(1)、Use the ntpdate command against the same time server on both
四、Subdomain delegation
1、Suppose we have a master and a slave for the wohaoshuai.com domain and now need a subdomain, say for the finance department, fin.wohaoshuai.com, which contains many servers such as www.fin.wohaoshuai.com. We also want another subdomain, ops.wohaoshuai.com, containing a host called ns.ops.wohaoshuai.com. The key question is how to delegate such a subdomain to another server so that that server serves it.
2、How a forward zone delegates a subdomain:
a、Define the subdomain in the forward zone, i.e. write into the forward zone
(1)、ops.wohaoshuai.com. IN NS ns1.ops.wohaoshuai.com.
(2)、Then define an A record for ns1.ops.wohaoshuai.com. pointing at an IP address, the real IP of the subdomain's name server
ns1.ops.wohaoshuai.com. IN A IP.AD.DR.ESS
(3)、There may be several subdomains; then write one NS record per subdomain together with its A record
3、The experiment
a、We now have the following servers (make sure their time is synchronized)
(1)、The master from the experiment above: 192.168.10.13
(2)、The slave from the experiment above: 192.168.10.14
(3)、The subdomain server: 192.168.10.15 (note that this server is also a master DNS server; it merely needs delegation from our master 192.168.10.13)
b、Edit the master's forward zone file to add the delegation, i.e. the NS record and the A record, bump the serial, and reload
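The delegation rule here and the rule in 二.6.a (every NS name that lives inside the zone needs an A record) are both checks a zone file can be linted for before reload. The following is an added example, not code from the original notes: a minimal master-file parser in Python that handles $ORIGIN, owner-name inheritance and a multi-line SOA, and a checker that reports every in-zone NS target lacking an A (glue) record. The zone text is a constructed sample modelled on the page's zone; the fin delegation without glue is added on purpose to show a failing case.

```python
# Constructed sample modelled on the wohaoshuai.com zone on this page (not read from a server).
GOOD_ZONE = """$TTL 3600
$ORIGIN wohaoshuai.com.
@       IN      SOA     wohaoshuai.com. dnsadmin.wohaoshuai.com. (
                2020050904 1H 10M 3D 1D )
        IN      NS      ns1
        IN      NS      ns2
ns1     IN      A       192.168.10.13
ns2     IN      A       192.168.10.14
www     IN      A       192.168.10.60
ops     IN      NS      ns1.ops
ns1.ops IN      A       192.168.10.15
"""

# Same zone with a delegation whose name server has no glue A record (deliberate defect).
BAD_ZONE = GOOD_ZONE + "fin     IN      NS      ns1.fin\n"

RR_TYPES = {"SOA", "NS", "A", "AAAA", "MX", "CNAME", "PTR", "TXT"}


def fqdn(name, origin):
    """Expand a relative owner or rdata name against $ORIGIN; '@' is the apex."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def parse_zone(text, origin=None):
    """Minimal master-file parser: $ORIGIN, $TTL, ';' comments, owner inheritance for
    lines that start with whitespace, and parentheses spanning several lines.
    Returns (origin, [(owner_fqdn, rtype, rdata_tokens), ...])."""
    records, last_owner, buf = [], None, ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        if line.startswith("$TTL"):
            continue
        buf = (buf + " " + line.strip()) if buf else line
        if buf.count("(") > buf.count(")"):
            continue                      # record continues on the next line
        line, buf = buf, ""
        if origin is None:
            raise ValueError("no $ORIGIN before the first record")
        tokens = line.split()
        if line[0] in " \t":              # owner omitted: inherit the previous one
            owner = last_owner
        else:
            owner, tokens = fqdn(tokens[0], origin), tokens[1:]
        last_owner = owner
        while tokens and tokens[0] not in RR_TYPES:   # skip optional TTL and class
            tokens = tokens[1:]
        records.append((owner, tokens[0], tokens[1:]))
    return origin, records


def check_delegations(text):
    """Apply the page's rule: every NS target that lies inside this zone (the apex
    NS set and any subdomain delegation) must have an A record in the zone, or the
    slave / child server cannot be reached. Returns a list of problems."""
    origin, records = parse_zone(text)
    a_names = {owner for owner, rtype, _ in records if rtype == "A"}
    problems = []
    for owner, rtype, rdata in records:
        if rtype != "NS":
            continue
        target = fqdn(rdata[0], origin)
        in_zone = target == origin or target.endswith("." + origin)
        if in_zone and target not in a_names:
            problems.append(f"NS {target} for {owner} has no A record in the zone")
    return problems


if __name__ == "__main__":
    for label, zone in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        print(label, check_delegations(zone) or "OK")
```

Run it over /var/named/wohaoshuai.com.zone before named-checkzone: named-checkzone validates syntax but will happily load a delegation whose in-zone name server has no glue, which is exactly the mistake the note in 二.6.a warns about.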
[root@www ~]# cat /var/named/wohaoshuai.com.zone
$TTL 3600
$ORIGIN wohaoshuai.com.
@       IN      SOA     wohaoshuai.com. dnsadmin.wohaoshuai.com. (
                2020050904
                1H
                10M
                3D
                1D )
        IN      NS      ns1
        IN      NS      ns2
        IN      MX 10   mx1
        IN      MX 20   mx2
ns1     IN      A       192.168.10.13
ns2     IN      A       192.168.10.14
mx1     IN      A       192.168.10.40
mx2     IN      A       192.168.10.50
www     IN      A       192.168.10.60
web     IN      CNAME   www
bbs     IN      A       192.168.10.71
bbs     IN      A       192.168.10.72
pop3    IN      A       192.168.10.73
ops     IN      NS      ns1.ops
ns1.ops IN      A       192.168.10.15
[root@www ~]# rndc reload
server reload successful
c、Now install bind on the subdomain server, edit its configuration file, and create the zone file by hand, the same steps as configuring a master
(1)、Install bind
(2)、Edit the configuration file (the same changes as for the master, only the listen address becomes 192.168.10.15)
(3)、Add the corresponding zone in /etc/named.rfc1912.zones
[root@node3 /]# tail -4 /etc/named.rfc1912.zones
zone "ops.wohaoshuai.com" IN {
        type master;
        file "ops.wohaoshuai.com.zone";
};
(4)、Create the forward zone file, fix its permissions, then reload (remember to start the named service before reloading)
[root@node3 /]# cat /var/named/ops.wohaoshuai.com.zone
$TTL 3600
$ORIGIN ops.wohaoshuai.com.
@       IN      SOA     ns1.ops.wohaoshuai.com. dnsadmin.ops.wohaoshuai.com. (
                2021051001
                1H
                10M
                3D
                1D )
        IN      NS      ns1
ns1     IN      A       192.168.10.15
www     IN      A       192.168.10.200
[root@node3 /]# chmod o= /var/named/ops.wohaoshuai.com.zone
[root@node3 /]# chgrp named /var/named/ops.wohaoshuai.com.zone
[root@node3 /]# ll /var/named/ops.wohaoshuai.com.zone
-rw-r----- 1 root named 197 May 10 19:27 /var/named/ops.wohaoshuai.com.zone
[root@node3 /]# rndc reload
(5)、Resolve against the subdomain server; it resolves.
[root@node3 /]# host -t A www.ops.wohaoshuai.com 192.168.10.15
Using domain server:
Name: 192.168.10.15
Address: 192.168.10.15#53
Aliases:

www.ops.wohaoshuai.com has address 192.168.10.200
(6)、Resolve against the master; it resolves too
[root@www ~]# host -t A www.ops.wohaoshuai.com 192.168.10.13
Using domain server:
Name: 192.168.10.13
Address: 192.168.10.13#53
Aliases:

www.ops.wohaoshuai.com has address 192.168.10.200
(7)、Testing with dig on the master shows that the answer for www.ops.wohaoshuai.com is non-authoritative, i.e. the master did not resolve it itself; the subdomain server did
[root@www ~]# dig -t A www.ops.wohaoshuai.com @192.168.10.13

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> -t A www.ops.wohaoshuai.com @192.168.10.13
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37212
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2   # no aa flag: non-authoritative answer

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ops.wohaoshuai.com.        IN      A

;; ANSWER SECTION:
www.ops.wohaoshuai.com. 3570    IN      A       192.168.10.200

;; AUTHORITY SECTION:
ops.wohaoshuai.com.     3570    IN      NS      ns1.ops.wohaoshuai.com.

;; ADDITIONAL SECTION:
ns1.ops.wohaoshuai.com. 3570    IN      A       192.168.10.15

;; Query time: 0 msec
;; SERVER: 192.168.10.13#53(192.168.10.13)
;; WHEN: 日 5月 10 12:22:36 CST 2020
;; MSG SIZE  rcvd: 101

[root@www ~]# dig -t A www.wohaoshuai.com @192.168.10.13

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> -t A www.wohaoshuai.com @192.168.10.13
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54104
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3   # aa is set when the server answers from its own zone: authoritative answer

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.wohaoshuai.com.            IN      A

;; ANSWER SECTION:
www.wohaoshuai.com.     3600    IN      A       192.168.10.60

;; AUTHORITY SECTION:
wohaoshuai.com.         3600    IN      NS      ns1.wohaoshuai.com.
wohaoshuai.com.         3600    IN      NS      ns2.wohaoshuai.com.
3、Defining forwarding
a、Zone forwarding: forward requests for one particular zone to one particular server, i.e. only resolution requests for that zone are forwarded
(1)、The corresponding configuration
zone "ZONE_NAME" IN {
    type forward;
    forward {first|only};
    forwarders { SERVER_IP; };
};
1)、type forward;: the zone type is forward, meaning a forwarding zone
2)、forward {first|only};: the forwarding mode, of which there are two, first and only. first means forward first: if I cannot resolve the name I forward it to you first, and if you cannot resolve it either I iterate from the root myself. only means forward only: if forwarding fails, give up.
3)、forwarders { SERVER_IP; };: whom to forward to; SERVER_IP is the address of the server the queries are forwarded to
(2)、Edit /etc/named.rfc1912.zones on 192.168.10.15 to add the forward zone, then reload
[root@node3 /]# cat /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
};

zone "ops.wohaoshuai.com" IN {
        type master;
        file "ops.wohaoshuai.com.zone";
};

zone "wohaoshuai.com" IN {
        type forward;
        forward only;
        forwarders { 192.168.10.13; 192.168.10.14; };
};
(3)、Testing www.wohaoshuai.com with dig shows a non-authoritative answer, i.e. for this zone the server acts only as a forwarder
[root@node3 /]# dig -t A www.wohaoshuai.com @192.168.10.15

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> -t A www.wohaoshuai.com @192.168.10.15
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12171
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3   # no aa flag: non-authoritative answer

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.wohaoshuai.com.            IN      A

;; ANSWER SECTION:
www.wohaoshuai.com.     3453    IN      A       192.168.10.60

;; AUTHORITY SECTION:
wohaoshuai.com.         3453    IN      NS      ns1.wohaoshuai.com.
wohaoshuai.com.         3453    IN      NS      ns2.wohaoshuai.com.

;; ADDITIONAL SECTION:
ns2.wohaoshuai.com.     3453    IN      A       192.168.10.14
ns1.wohaoshuai.com.     3453    IN      A       192.168.10.13

;; Query time: 0 msec
;; SERVER: 192.168.10.15#53(192.168.10.15)
;; WHEN: Sun May 10 20:34:07 CST 2020
;; MSG SIZE  rcvd: 131
b、Global forwarding: every query for a zone that is not defined locally with a zone statement is forwarded to the forwarder; whatever this server is not responsible for goes to that name server. That is, when a query arrives the server first looks for a matching zone; if one exists, the zone decides; if none exists, the global setting decides, which means the forwarder decides.
(1)、Configuration
Only the following needs to be added to options in /etc/named.conf
forward {only|first};
forwarders { 192.168.10.13; };   # everything this server is not responsible for is forwarded to 192.168.10.13
[root@node3 /]# cat /etc/named.conf |grep -Ev "^$|^//"
options {
        listen-on port 53 { 127.0.0.1;192.168.10.15; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        forward only;
        forwarders { 192.168.10.13; };
        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;
        dnssec-enable no;
        dnssec-validation no;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
c、Note: the server being forwarded to must allow recursion for the forwarding server
五、Security-related configuration in bind
1、Access control lists (acl): group one or more addresses into a named set; afterwards the name alone refers to every host in the set
a、Definition
acl acl_name {
ip;
net/prelen;
};
b、Example
acl mynet {
    192.168.0.0/16;
    127.0.0.0/8;
};
c、bind has four built-in acls
(1)、none: no host at all
(2)、any: any host
(3)、localhost: the local machine
(4)、localnets: the networks the local machine's IP addresses belong to
2、Access control directives
a、allow-query {};: the hosts allowed to query, a whitelist. If omitted, all queries are allowed by default.
b、allow-transfer {};: which hosts may request a zone transfer; by default all hosts; it should be restricted to the slaves only. Placed in options in /etc/named.conf it applies globally; placed in a zone's zone statement it applies only to that zone
(1)、Look at the wohaoshuai.com zone in /etc/named.rfc1912.zones
[root@www ~]# cat /etc/named.rfc1912.zones |grep -A2 "wohaoshuai"
zone "wohaoshuai.com" IN {
        type master;
        file "wohaoshuai.com.zone";
        allow-transfer { slaves; };   # only the servers in the "slaves" whitelist may transfer the zone
};
(2)、Then define the global whitelist acl slaves in the master's /etc/named.conf; here only the local host and the slave are put in the whitelist; then reload
[root@www ~]# cat /etc/named.conf |grep -Ev "^$|^//"
acl slaves {
        192.168.10.14;
        127.0.0.1;
};
options {
        listen-on port 53 { 192.168.10.13; };
.....
[root@www ~]# rndc reload
server reload successful
(3)、Now test a zone transfer from the slave; it works
[root@node2 ~]# dig -t axfr wohaoshuai.com @192.168.10.13

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> -t axfr wohaoshuai.com @192.168.10.13
;; global options: +cmd
wohaoshuai.com.         3600    IN      SOA     wohaoshuai.com. dnsadmin.wohaoshuai.com. 2020050904 3600 600 259200 86400
wohaoshuai.com.         3600    IN      NS      ns1.wohaoshuai.com.
wohaoshuai.com.         3600    IN      NS      ns2.wohaoshuai.com.
wohaoshuai.com.         3600    IN      MX      10 mx1.wohaoshuai.com.
wohaoshuai.com.         3600    IN      MX      20 mx2.wohaoshuai.com.
bbs.wohaoshuai.com.     3600    IN      A       192.168.10.71
bbs.wohaoshuai.com.     3600    IN      A       192.168.10.72
mx1.wohaoshuai.com.     3600    IN      A       192.168.10.40
mx2.wohaoshuai.com.     3600    IN      A       192.168.10.50
ns1.wohaoshuai.com.     3600    IN      A       192.168.10.13
ns2.wohaoshuai.com.     3600    IN      A       192.168.10.14
ops.wohaoshuai.com.     3600    IN      NS      ns1.ops.wohaoshuai.com.
ns1.ops.wohaoshuai.com. 3600    IN      A       192.168.10.15
pop3.wohaoshuai.com.    3600    IN      A       192.168.10.73
web.wohaoshuai.com.     3600    IN      CNAME   www.wohaoshuai.com.
www.wohaoshuai.com.     3600    IN      A       192.168.10.60
wohaoshuai.com.         3600    IN      SOA     wohaoshuai.com. dnsadmin.wohaoshuai.com. 2020050904 3600 600 259200 86400
;; Query time: 2 msec
;; SERVER: 192.168.10.13#53(192.168.10.13)
;; WHEN: Sun May 10 13:06:22 CST 2020
;; XFR size: 17 records (messages 1, bytes 386)
(4)、A zone transfer attempted from the subdomain server is refused
[root@node3 /]# dig -t axfr wohaoshuai.com @192.168.10.13

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> -t axfr wohaoshuai.com @192.168.10.13
;; global options: +cmd
; Transfer failed.
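The risk described in 四.3 and the allow-transfer { slaves; } fix shown above can also be checked from the master's own log: named records every transfer it serves and every one it refuses, with the client address. The following is an added example, not code from the original notes, that evaluates a BIND-style acl against client addresses (first match wins, a leading ! negates) and audits transfer log lines against the "slaves" acl from this page. The log lines are constructed samples in the format named writes; the first two mirror lines shown earlier on this page, the last two are invented to show a refusal and a transfer served to an address outside the acl.

```python
import ipaddress
import re

# The "slaves" acl from the master's /etc/named.conf on this page. In production you would
# read it out of named.conf; it is embedded here so the example runs offline.
SLAVES_ACL = ["192.168.10.14", "127.0.0.1"]

# Constructed log lines in the shape named writes (modelled on the lines shown on this page).
SAMPLE_LOG = """\
May 09 16:36:18 www.wohaoshuai.com named[2191]: client 192.168.10.14#58027 (wohaoshuai.com): transfer of 'wohaoshuai.com/IN': AXFR-style IXFR started
May 09 16:36:18 www.wohaoshuai.com named[2191]: client 192.168.10.14#58027 (wohaoshuai.com): transfer of 'wohaoshuai.com/IN': AXFR-style IXFR ended
May 10 13:07:01 www.wohaoshuai.com named[2191]: client 192.168.10.15#55012 (wohaoshuai.com): zone transfer 'wohaoshuai.com/AXFR/IN' denied
May 10 13:08:45 www.wohaoshuai.com named[2191]: client 203.0.113.9#4444 (wohaoshuai.com): transfer of 'wohaoshuai.com/IN': AXFR started
"""

CLIENT_RE = re.compile(r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+ \((?P<zone>[^)]+)\): (?P<msg>.+)$")


def parse_acl(entries):
    """BIND acl semantics: entries are tested in order, the first hit decides,
    and a leading '!' negates the entry."""
    return [(e.startswith("!"), ipaddress.ip_network(e.lstrip("!"), strict=False))
            for e in entries]


def acl_allows(acl, client_ip):
    ip = ipaddress.ip_address(client_ip)
    for negated, net in acl:
        if ip.version == net.version and ip in net:
            return not negated
    return False          # no entry matched: not allowed


def audit_transfers(log_text, allowed_entries):
    """Classify every transfer-related log line as (event, client, zone):
    'denied'  named refused the transfer (access control is working),
    'allowed' a transfer was served to an address the acl permits,
    'LEAK'    a transfer was served to an address the acl does NOT permit, which
              means allow-transfer is missing or wider than the acl on this zone."""
    acl = parse_acl(allowed_entries)
    events = []
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if not m or "transfer" not in m.group("msg"):
            continue
        ip, zone, msg = m.group("ip"), m.group("zone"), m.group("msg")
        if msg.endswith("denied"):
            events.append(("denied", ip, zone))
        elif "started" in msg:
            events.append(("allowed" if acl_allows(acl, ip) else "LEAK", ip, zone))
    return events


if __name__ == "__main__":
    for event, ip, zone in audit_transfers(SAMPLE_LOG, SLAVES_ACL):
        print(f"{event:8} {zone:20} {ip}")
```

Feed it the master's journal (journalctl -u named) or data/named.run; any LEAK line is a transfer that allow-transfer { slaves; } should have refused, and a steady stream of "denied" lines from unexpected addresses is worth alerting on even though nothing was leaked.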
c、allow-recursion {};: which hosts may send recursive queries to this DNS server; in the stock configuration file everyone is allowed, as can be seen from the default recursion yes; in options in /etc/named.conf.
(1)、Now add a whitelist acl of the networks allowed to recurse, comment out recursion yes; and add the allow-recursion directive
[root@www ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

acl slaves {
        192.168.10.14;
        127.0.0.1;
};

acl mynet {
        192.168.10.0/24;
        127.0.0.1/8;
};

options {
        listen-on port 53 { 192.168.10.13; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        //allow-query     { localhost; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        //recursion yes;
        allow-recursion { mynet; };

        dnssec-enable no;
        dnssec-validation no;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
(2)、Test
1)、First remove the 192.168.10.0/24 network from the mynet acl; resolving www.baidu.com against the master with dig from the subdomain server then fails
[root@node3 /]# dig -t A www.baidu.com @192.168.10.13

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> -t A www.baidu.com @192.168.10.13
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 37858
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com.                 IN      A

;; Query time: 2 msec
;; SERVER: 192.168.10.13#53(192.168.10.13)
;; WHEN: Sun May 10 21:23:25 CST 2020
;; MSG SIZE  rcvd: 42
2)、Then put the 192.168.10.0/24 network back into the mynet whitelist and resolve www.baidu.com again; now it works
[root@node3 /]# dig -t A www.baidu.com @192.168.10.13

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> -t A www.baidu.com @192.168.10.13
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24667
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 6

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com.                 IN      A

;; ANSWER SECTION:
www.baidu.com.          1200    IN      CNAME   www.a.shifen.com.
www.a.shifen.com.       300     IN      A       39.156.66.14
www.a.shifen.com.       300     IN      A       39.156.66.18

;; AUTHORITY SECTION:
a.shifen.com.           1199    IN      NS      ns3.a.shifen.com.
a.shifen.com.           1199    IN      NS      ns5.a.shifen.com.
a.shifen.com.           1199    IN      NS      ns4.a.shifen.com.
a.shifen.com.           1199    IN      NS      ns1.a.shifen.com.
a.shifen.com.           1199    IN      NS      ns2.a.shifen.com.

;; ADDITIONAL SECTION:
ns5.a.shifen.com.       1199    IN      A       180.76.76.95
ns1.a.shifen.com.       1199    IN      A       61.135.165.224
ns2.a.shifen.com.       1199    IN      A       220.181.33.32
ns3.a.shifen.com.       1199    IN      A       112.80.255.253
ns4.a.shifen.com.       1199    IN      A       14.215.177.229

;; Query time: 1029 msec
;; SERVER: 192.168.10.13#53(192.168.10.13)
;; WHEN: Sun May 10 21:24:00 CST 2020
;; MSG SIZE  rcvd: 271
d、allow-update {};: whether dynamic updates (DDNS) are allowed, i.e. whether a process may modify the zone data file at runtime; it is always set to none.
3、For the slave server
a、Zone transfers need to be turned off in the zone by setting allow-transfer to none (the listing below, captured as-is, sets allow-update { none; };, which as explained in d only disables dynamic updates; allow-transfer { none; }; is the directive that refuses transfers)
[root@node2 ~]# cat /etc/named.rfc1912.zones |grep -A3 wohaoshuai
zone "wohaoshuai.com" IN {
        type slave;
        file "slaves/wohaoshuai.com.zone";
        masters { 192.168.10.13; };
        allow-update { none; };
};
六、bind view
1、This is intelligent DNS: one hostname has several addresses, and requests from different networks are answered with different addresses, all of which belong to the same host.
2、Defining a view
a、Definition
view VIEW_NAME {
    match-clients { ACL; };
    zone "ZONE_NAME" IN { ... };
    zone "ZONE_NAME" IN { ... };
};
b、Example
Internal network:
view internal {
match-clients { 192.168.10.0/24; };
zone "wohaoshuai.com" IN {
type master;
file "wohaoshuai.com/internal";
};
};
Internet:
view external {
match-clients { any; };
zone "wohaoshuai.com" IN {
type master;
file "wohaoshuai.com/external";
};
};
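What decides which zone file answers a client is the order of the view statements: named tries match-clients of each view in file order and uses the first view that matches, so the internal view must come before the catch-all external one. The following is an added example, not code from the original notes, that models this selection in Python for the two views above. The view table and the addresses are constructed (203.0.113.60 stands in for the public address the external zone file would carry).

```python
import ipaddress

# Constructed view table mirroring the internal/external example above. Each entry is
# (view name, match-clients list, the answer that view's zone file gives for a name).
# The order of the list is the order of the view statements in named.conf.
VIEWS = [
    ("internal", ["192.168.10.0/24"], {"www.wohaoshuai.com.": "192.168.10.60"}),
    ("external", ["any"],             {"www.wohaoshuai.com.": "203.0.113.60"}),
]


def client_matches(match_clients, client_ip):
    """match-clients semantics: entries are tried in order and the first hit decides;
    a leading '!' negates; the built-in acls any and none are honoured.
    A client that hits no entry does not match the view."""
    ip = ipaddress.ip_address(client_ip)
    for entry in match_clients:
        negate = entry.startswith("!")
        item = entry.lstrip("!")
        if item == "any":
            return not negate
        if item == "none":
            continue
        net = ipaddress.ip_network(item, strict=False)
        if ip.version == net.version and ip in net:
            return not negate
    return False


def select_view(views, client_ip):
    """Return the name of the first view whose match-clients accepts the client,
    or None when no view matches (named then refuses the query)."""
    for name, match_clients, _ in views:
        if client_matches(match_clients, client_ip):
            return name
    return None


def resolve(views, client_ip, qname):
    """Answer qname from the zone data of the view selected for this client."""
    for name, match_clients, zone in views:
        if client_matches(match_clients, client_ip):
            return name, zone.get(qname)
    return None, None


if __name__ == "__main__":
    for client in ("192.168.10.77", "8.8.8.8"):
        print(client, resolve(VIEWS, client, "www.wohaoshuai.com."))
    # Swapping the two views silently sends everyone to the external zone:
    print("reversed:", select_view(list(reversed(VIEWS)), "192.168.10.77"))
```

Two things the model makes visible: with the views reversed, the any view swallows the internal clients and they get the public address, and a client matching no view gets nothing at all. Once a single view statement exists in named.conf, every zone statement, including the root hint zone and the zones from named.rfc1912.zones, has to live inside a view, otherwise named refuses to load the configuration.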
七、Homework
1、The whois command
2、Register a domain name