bind9 主从配置
bind9 主ip 192.168.3.131
bind9 从ip 192.168.3.5
1,bind9 主配置
主要配置是
notify yes;//新添加的,修改后通知从机,没有测试出来
dnssec-enable no;//修改后
dnssec-validation no;//修改后:上一行和这行改为no,后可以在访问外网的时候转到forwarders的dns上如果不是no,则不能访问外网,不知道什么原因
allow-new-zones yes;//新添加的:添加这个允许rndc命令添加新的zone
[root@centerOs named]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };
        // Deny zone transfers globally. The per-zone allow-transfer in
        // named.rfc1912.zones overrides this for the secondary only, so
        // unrelated servers cannot pull the full set of resource records.
        allow-transfer  { none; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;
        // NOTE(review): recursion yes together with allow-query { any; } and
        // listen-on { any; } makes this an open recursive resolver on every
        // interface. If the host is reachable from outside 192.168.3.0/24,
        // restrict it with allow-recursion { <internal-networks>; } -- the
        // comment block above describes exactly this amplification risk.

        // Newly added: notify the secondary after a zone change (the author
        // reports this could not be confirmed in testing).
        notify yes;
        // Changed to no.
        dnssec-enable no;
        // Changed to no: with the previous line and this one set to no,
        // names this server cannot resolve are forwarded to the forwarders
        // below; with validation left on, external lookups failed and the
        // author did not determine why.
        // NOTE(review): disabling validation removes DNSSEC protection for
        // all recursive answers. A common cause of the failure seen here is
        // an upstream forwarder returning answers that cannot be validated;
        // prefer keeping dnssec-validation on (or auto) with forwarders that
        // support DNSSEC, and confirm which one fails before turning it off.
        dnssec-validation no;
        // Newly added: lets the rndc command add new zones at runtime.
        allow-new-zones yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        #forward first;
        // The following lines matter: once clients use this internal NS,
        // any name it cannot answer itself is forwarded to the upstream
        // resolvers (e.g. 8.8.8.8), so normal internet access keeps working.
        forwarders {
                223.5.5.5;      // Alibaba Cloud public DNS
                223.6.6.6;
                8.8.8.8;
                8.8.4.4;
        };
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
2,/etc/named.rfc1912.zones增加如下这句话
// Forward zone served by the primary (192.168.3.131).
zone "example.com" IN {
        type master;
        file "example.zone";
        // NOTE(review): allow-update keyed on a source address alone is a
        // weak control -- dynamic updates arrive over UDP, whose source
        // address can be forged. A TSIG key in this list (allow-update
        // { key "<key-name>"; }) or an update-policy statement is the
        // stronger form.
        allow-update { 192.168.3.131; };
        // Only the secondary may transfer the zone; this overrides the
        // global allow-transfer { none; } in named.conf.
        allow-transfer { 192.168.3.5; };
};
// This zone is the reverse (PTR) zone. The labels before "in-addr.arpa" are
// the network's octets written in reverse order, e.g. 172.16.15.x ->
// "15.16.172.in-addr.arpa".
zone "3.168.192.in-addr.arpa" IN {
        type master;
        file "example.arpa";
        allow-update { 192.168.3.131; };
        allow-transfer { 192.168.3.5; };
};
3,在 /var/named 下增加如下两个文件 example.zone 和 example.arpa,下面两段内容分别对应这两个文件
; Forward zone file for example.com (/var/named/example.zone on the primary).
$ORIGIN example.com.
$TTL 600        ; 10 minutes
@       IN SOA  ns1.example.com. admin.example.com. (
                        2020092503  ; serial -- bump after every edit so the secondary re-transfers
                        10800       ; refresh (3 hours)
                        900         ; retry (15 minutes)
                        604800      ; expire (1 week)
                        86400       ; minimum (1 day)
                        )
        IN NS   ns1.example.com.    ; primary DNS
        IN NS   ns2.example.com.    ; secondary DNS (its A record is below)
$TTL 60         ; 1 minute
ns1     IN A    192.168.3.131
ns2     IN A    192.168.3.5
;########################################################
; Records below carry an explicit TTL of 1 second, so resolvers re-query
; them on nearly every lookup.
www.example.com.        1 A     192.168.3.131
www.example.com.        1 A     192.168.3.5
bbs.example.com.        1 A     192.168.3.5
bbsa.example.com.       1 A     192.168.3.5
www1.example.com.       CNAME   www.example.com.
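; Reverse zone file for 3.168.192.in-addr.arpa (/var/named/example.arpa).
; The origin is taken from the zone name in named.rfc1912.zones.
$TTL 600        ; 10m
@       IN SOA  ns1.example.com. admin.example.com. (
                        2020092502  ; serial number -- bump after every edit so the secondary re-transfers
                        10800       ; refresh(3h)
                        900         ; retry(15m)
                        604800      ; expire(1W)
                        86400       ; minimum (1d)
                        )
        NS      ns1.example.com.
        NS      ns2.example.com.
$TTL 60         ; 1m
; PTR target must be an absolute name (trailing dot). Without it BIND
; appends this zone's origin, and the record would point at
; www.example.com.3.168.192.in-addr.arpa instead of www.example.com.
131     IN PTR  www.example.com.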
4,bind9 从配置
[root@test-rancher01 slaves]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };
        // NOTE(review): unlike the primary's named.conf, this options block
        // sets no allow-transfer. BIND has historically defaulted that to
        // any, so the zone copies this secondary holds can be fetched by
        // AXFR from any client that can reach it; add
        // allow-transfer { none; }; here (or per zone) to match the primary.

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;
        // NOTE(review): as on the primary, recursion yes + allow-query
        // { any; } + listen-on { any; } is an open recursive resolver;
        // restrict with allow-recursion { <internal-networks>; } if this
        // host is reachable beyond the lab network.

        // Newly added: lets the rndc command add new zones at runtime.
        allow-new-zones yes;
        dnssec-enable no;
        // NOTE(review): validation is off here as well; see the note on the
        // primary -- this drops DNSSEC protection for recursive answers.
        dnssec-validation no;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        forward first;
        // The following lines matter: once clients use this internal NS,
        // any name it cannot answer itself is forwarded to the upstream
        // resolvers (e.g. 8.8.8.8), so normal internet access keeps working.
        forwarders {
                223.5.5.5;      // Alibaba Cloud public DNS
                223.6.6.6;
                8.8.8.8;
                8.8.4.4;
        };
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
5,named.rfc1912.zones增加如下配置
// Secondary copies of both zones, pulled from the primary at 192.168.3.131
// and written under /var/named/slaves.
// NOTE(review): the secondary's named.conf (step 4) sets no allow-transfer,
// so these transferred copies can themselves be AXFR'd by any client unless
// allow-transfer { none; }; is added here or in its options block. The
// transfer from the primary is also unauthenticated (IP-based only); a TSIG
// key shared between the two servers would make it tamper-evident.
zone "example.com" IN {
        type slave;
        file "slaves/slave.example.zone";
        masters { 192.168.3.131; };
};
zone "3.168.192.in-addr.arpa" IN {
        type slave;
        file "slaves/slave.example.arpa";
        masters { 192.168.3.131; };
};
6,重启主从两端的 bind9。如果 /var/named/slaves 目录下出现了从机拉取的区域文件,代表主从配置成功;如果没有,则没有成功
7,如果没有,检查防火墙配置:firewalld、iptables 以及 selinux 对服务都会有很多影响,本文测试时将它们全部关闭。(生产环境建议只放行 53/tcp 与 53/udp,并保留防火墙和 selinux,而不是整体关闭。)
[root@centerOs named]# firewall-cmd --state
running
# NOTE(review): stopping firewalld drops every rule on the host, and "stop"
# alone does not persist across a reboot. Allowing only DNS keeps the
# firewall in place:
#   firewall-cmd --permanent --add-service=dns && firewall-cmd --reload
# (the dns service covers 53/udp and 53/tcp; tcp is what zone transfers use).
[root@centerOs named]# sudo systemctl stop firewalld.service
[root@centerOs named]# firewall-cmd --state
not running
本文来自博客园,作者:春江潮水连海平,转载请注明原文链接:https://www.cnblogs.com/alonewaiting/p/16421480.html