DNS

In the bind configuration file, disable the local-only query restriction by commenting the line out:
// allow-query { localhost; };

Differences between DNS master and slave servers

Zones and domains:
The magedu.com domain:
FQDN --> IP
forward resolution database; a zone
IP --> FQDN
reverse resolution database; a zone

Zone database files:

Resource records (Resource Record, rr for short):
Record types: A, AAAA, PTR, SOA, NS, CNAME, MX
SOA: Start Of Authority; a zone database has exactly one SOA record, and it must be the first record; (the "island")
NS: Name Server record; a zone database may have several NS records, one of which is the primary; (the "island's lord")
A: Address record, FQDN --> IPv4; (forward resolution)
AAAA: address record, FQDN --> IPv6;
CNAME: Canonical Name, alias record;
PTR: Pointer, IP --> FQDN (reverse resolution)
MX: Mail exchanger;
priority: 0-99, the smaller the number the higher the priority;

Zone database files: the resource record definition format

Resource record definition format
Syntax: name [TTL] IN RR_TYPE value

SOA:

name: the name of the current zone; for example, forward: "magedu.com."; reverse: "2.3.4.in-addr.arpa.";
value: made up of several parts:
(1) the zone name of the current zone (the name of the primary DNS server may also be used);
(2) the e-mail address of the zone administrator, but the @ sign cannot be used in the address; a dot is normally used in its place;
(3) the master/slave coordination attributes and the TTL for negative answers;
For example:
magedu.com. 86400 IN SOA magedu.com. admin.magedu.com. (
2017010801 ; serial number
2H ; refresh interval
10M ; retry interval
1W ; expire time (1 week)
1D ; TTL for negative answers
)

NS:

name: the zone name of the current zone;
value: the name of one of the zone's DNS servers, for example ns.magedu.com.;
Note: a zone may have multiple NS records;
For example:
magedu.com. 86400 IN NS ns1.magedu.com.
magedu.com. 86400 IN NS ns2.magedu.com.

MX:

name: the zone name of the current zone;
value: the host name of one of the zone's mail exchangers;
Note: there may be multiple MX records, but each record's value must be preceded by a number giving its priority;
For example:
magedu.com. 86400 IN MX 10 mx1.magedu.com.
magedu.com. 86400 IN MX 20 mx2.magedu.com.

A:

name: an FQDN, for example www.magedu.com.
value: an IPv4 address;
For example:
www.magedu.com. IN A 1.1.1.1
www.magedu.com. IN A 1.1.1.2
bbs.magedu.com. IN A 1.1.1.1

AAAA:

name: FQDN
value: IPv6 address

PTR:

name: the IP address in a specific format: the octets reversed, with a specific suffix; for example, the record for 1.2.3.4 is written as 4.3.2.1.in-addr.arpa.;
value: FQDN
For example:
4.3.2.1.in-addr.arpa. IN PTR www.magedu.com.

CNAME:

name: the alias, in FQDN form;
value: the canonical name, in FQDN form;
For example:
web.magedu.com. IN CNAME www.magedu.com.

Notes:

(1) the TTL can be inherited from the global $TTL;
(2) @ stands for the name of the current zone;
(3) when two adjacent records have the same name, the second may omit it;
(4) in a forward zone, the value of MX, NS and similar records is an FQDN, and that FQDN must have an A record;

BIND: configuring a forward resolution zone

Configuring a forward zone:

Using the magedu.com domain as the example:
(1) Define the zone
Done in the main configuration file or in a file it includes;
zone "ZONE_NAME" IN {
type {master|slave|hint|forward};
file "ZONE_NAME.zone";
};
Note: the zone name is the domain name;

~]# vim /etc/named.rfc1912.zones
zone "magedu.com" IN {
        type master;
        file "magedu.com.zone";
};

(2) Create the zone data file (mainly A or AAAA records)
Create the zone data file under /var/named;

~]# cd /var/named/
named]# vim magedu.com.zone
$TTL 3600
$ORIGIN magedu.com.
@ IN SOA ns1.magedu.com. dnsadmin.magedu.com. (
20170815
1H
10M
3D
1D )
IN NS ns1
IN MX 10 mx1
IN MX 20 mx2
ns1 IN A 172.16.100.67
MX1 IN A 172.16.100.68
MX2 IN A 172.16.100.69
www IN A 172.16.100.67
web IN CNAME www
bbs IN A 172.16.100.70
bbs IN A 172.16.100.71

named]# named-checkconf
named]# named-checkzone magedu.com /var/named/magedu.com.zone
named]# rndc reload
~]# dig -t A www.magedu.com @172.16.100.67
~]# dig -t A web.magedu.com @172.16.100.67
~]# dig -t A bbs.magedu.com @172.16.100.67
~]# host -t A bbs.magedu.com
bbs.magedu.com has address 172.16.100.70
bbs.magedu.com has address 172.16.100.71
~]# host -t A bbs.magedu.com
bbs.magedu.com has address 172.16.100.71
bbs.magedu.com has address 172.16.100.70
~]# dig -t NS magedu.com @172.16.100.67
~]# dig -t MX magedu.com @172.16.100.67
~]# host -t MX magedu.com
magedu.com mail is handled by 10 mx1.magedu.com.
magedu.com mail is handled by 20 mx2.magedu.com.
~]# host -t MX magedu.com
magedu.com mail is handled by 20 mx2.magedu.com.
magedu.com mail is handled by 10 mx1.magedu.com.

(3) Make the server reload the configuration and zone data files

 named]# chown :named magedu.com.zone
 named]# chmod o= magedu.com.zone
 named]# rndc reload
server reload successful
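As an added example (not from the post), a small Python lint for a forward zone file that applies the rules from the notes above: exactly one SOA, placed first; @ and relative names expanded against $ORIGIN; a blank owner field inheriting the previous name; and every in-zone NS/MX target (such as a slave's ns2) backed by an A/AAAA record. The sample zone text is constructed from the magedu.com zone above; the function names are this example's own.

```python
import re
# Constructed sample (not the post's file): the magedu.com forward zone from the notes,
# with ns2 and mx2 deliberately lacking A records so the lint has something to report.
SAMPLE_ZONE = """\
$TTL 3600
$ORIGIN magedu.com.
@ IN SOA ns1.magedu.com. dnsadmin.magedu.com. (
        20170815 ; serial
        1H ; refresh
        10M ; retry
        3D ; expire
        1D ) ; negative-answer TTL
  IN NS ns1
  IN NS ns2
  IN MX 10 mx1
  IN MX 20 mx2
ns1 IN A 172.16.100.67
MX1 IN A 172.16.100.68
web IN CNAME www
"""
TTL_RE = re.compile(r"\d+[smhdw]?", re.I)  # TTL tokens such as 3600, 1H, 10M, 1W

def fqdn(name, origin):
    """Expand '@' and relative names against $ORIGIN; DNS names compare case-insensitively."""
    name = name.lower()
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def logical_lines(text):
    """Drop ';' comments and join parenthesised multi-line records such as the SOA."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if line.strip() or depth:
            depth += line.count("(") - line.count(")")
            buf.append(line)
        if buf and depth == 0:
            out.append(" ".join(buf).replace("(", " ").replace(")", " "))
            buf = []
    return out

def parse_zone(text):
    """Return (origin, records); a record is (owner, ttl, type, rdata), with every
    name field (owner, NS/CNAME/PTR/MX target, SOA mname and rname) made an FQDN."""
    origin, default_ttl, owner, records = None, None, None, []
    for line in logical_lines(text):
        toks = line.split()
        if toks[0] == "$TTL":
            default_ttl = toks[1]
        elif toks[0] == "$ORIGIN":
            origin = toks[1].lower()
        else:
            if not line[0].isspace():  # a blank owner field inherits the previous owner
                owner = fqdn(toks.pop(0), origin)
            ttl = default_ttl
            while toks[0].upper() == "IN" or TTL_RE.fullmatch(toks[0]):  # optional [TTL] IN
                tok = toks.pop(0)
                ttl = ttl if tok.upper() == "IN" else tok
            rtype, rdata = toks[0].upper(), toks[1:]
            for i in {"NS": [0], "CNAME": [0], "PTR": [0], "MX": [1], "SOA": [0, 1]}.get(rtype, []):
                rdata[i] = fqdn(rdata[i], origin)
            records.append((owner, ttl, rtype, rdata))
    return origin, records

def lint_forward_zone(text):
    """Checks from the notes: exactly one SOA, placed first; every in-zone NS/MX target has an A/AAAA."""
    origin, records = parse_zone(text)
    findings = []
    if sum(r[2] == "SOA" for r in records) != 1:
        findings.append("a zone must have exactly one SOA record")
    if records and records[0][2] != "SOA":
        findings.append("the SOA must be the first record")
    addressed = {r[0] for r in records if r[2] in ("A", "AAAA")}
    for _, _, rtype, rdata in records:
        target = rdata[-1] if rtype in ("NS", "MX") else None
        if target and target.endswith("." + origin) and target not in addressed:
            findings.append(f"{rtype} target {target} has no A/AAAA record in this zone")
    return findings
```

Run it over a zone file before named-checkzone and rndc reload; an empty list means the checks in the notes pass.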

BIND: configuring a reverse resolution zone

(1) Define the zone
Done in the main configuration file or in a file it includes;
zone "ZONE_NAME" IN {
type {master|slave|hint|forward};
file "ZONE_NAME.zone";
};
Note: the name of a reverse zone is
the network address written backwards, followed by .in-addr.arpa, for example:
100.16.172.in-addr.arpa

named]# vim /etc/named.rfc1912.zones
zone "100.16.172.in-addr.arpa" IN {
        type master;
        file "172.16.100.zone";
};

(2) Define the zone data file (mainly PTR records)
Example: the zone name is 100.16.172.in-addr.arpa;

named]# vim 172.16.100.zone
$TTL 3600
$ORIGIN 100.16.172.in-addr.arpa.
@       IN      SOA     ns1.magedu.com.  nsadmin.magedu.com. (
                20170827
                1H
                10M
                3D
                12H )
        IN      NS      ns1.magedu.com.
67      IN      PTR     ns1.magedu.com.
68      IN      PTR     mx1.magedu.com.
69      IN      PTR     mx2.magedu.com.
70      IN      PTR     bbs.magedu.com.
71      IN      PTR     bbs.magedu.com.
67      IN      PTR     www.magedu.com.
named]# chgrp named 172.16.100.zone 
named]# chmod o= 172.16.100.zone
named]# named-checkconf
named]# named-checkzone 100.16.172.in-addr.arpa /var/named/172.16.100.zone 

(3) Make the server reload the configuration and zone data files

named]# rndc reload
server reload successful
named]# rndc status
version: 9.9.4-RedHat-9.9.4-50.el7_3.1 <id:8f9657aa>
CPUs found: 1
worker threads: 1
UDP listeners per interface: 1
number of zones: 103
named]# dig -x 172.16.100.67

DNS master/slave servers: how it works

(1) Define the slave zone:
zone "ZONE_NAME" IN {
        type slave;
        file "slaves/ZONE_NAME.ZONE";
        masters { MASTER_IP; };
};

Syntax-check the configuration file: named-checkconf
(2) Reload the configuration:
rndc reload
systemctl reload named.service

Configuring a slave DNS server

On the master:
(1) Make sure the zone data file has an NS record for every slave server, and that in the forward zone each slave's NS host name has an A record whose address is the slave's real IP;
On the slave server, 172.16.100.68:

[root@linux-node2 ~]# yum install bind -y
~]# vim /etc/named.conf
listen-on port 53 { 127.0.0.1; 172.16.100.68; };
dnssec-enable no;
dnssec-validation no;

Start the service:

~]# systemctl start named.service
Configure the slave for the forward zone:
[root@linux-node2 ~]# vim /etc/named.rfc1912.zones
zone "magedu.com" IN {
        type slave;
        file  "slaves/magedu.com.zone";
        masters { 172.16.100.67; };
};
The slave zone is now defined;
[root@linux-node2 ~]# named-checkconf

Back on the master, add an NS record to the forward zone (the NS record needs an A record pointing to the slave):

[root@linux-node1 ~]# vim /var/named/magedu.com.zone
        IN      NS      ns2
ns2     IN      A       172.16.100.68
            20170816 ; bump the serial number on every change

Check the zone file on the master:

[root@linux-node1 ~]# named-checkzone magedu.com  /var/named/magedu.com.zone 
zone magedu.com/IN: loaded serial 20170815
OK

[root@linux-node1 ~]# rndc reload
server reload successful

Next, reload on the slave:
[root@linux-node2 ~]# rndc reload
server reload successful
Check the status:

[root@linux-node2 ~]# systemctl enable named  
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.
[root@linux-node2 ~]# echo $?
0
[root@linux-node2 ~]# rndc reload
server reload successful
[root@linux-node2 ~]# systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2017-09-03 02:46:30 CST; 25min ago
 Main PID: 2296 (named)
   CGroup: /system.slice/named.service
           └─2296 /usr/sbin/named -u named

Sep 03 03:11:34 linux-node2 named[2296]: reloading configuration succeeded
Sep 03 03:11:34 linux-node2 named[2296]: reloading zones succeeded
Sep 03 03:11:34 linux-node2 named[2296]: all zones loaded
Sep 03 03:11:34 linux-node2 named[2296]: running
Sep 03 03:11:34 linux-node2 named[2296]: zone magedu.com/IN: refresh: unexp...)
Sep 03 03:11:34 linux-node2 named[2296]: zone magedu.com/IN: Transfer started.
Sep 03 03:11:34 linux-node2 named[2296]: transfer of 'magedu.com/IN' from 1...4
Sep 03 03:11:34 linux-node2 named[2296]: zone magedu.com/IN: transferred se...6
Sep 03 03:11:34 linux-node2 named[2296]: transfer of 'magedu.com/IN' from 1...)
Sep 03 03:11:34 linux-node2 named[2296]: zone magedu.com/IN: sending notifi...)
Hint: Some lines were ellipsized, use -l to show in full.

You can see the zone file has arrived:

[root@linux-node2 ~]# cd /var/named/slaves/
[root@linux-node2 slaves]# ll
total 4
-rw-r--r-- 1 named named 567 Sep  3 03:11 magedu.com.zone

[root@linux-node2 ~]# dig -t A www.magedu.com @172.16.100.68

Now add pop3.magedu.com on the master and see whether it resolves;

[root@linux-node1 ~]# vim /var/named/magedu.com.zone
pop3    IN      A       172.16.100.72
Then bump the serial number:
            20170817
[root@linux-node1 ~]# rndc reload
server reload successful

Check again:

[root@linux-node1 ~]# systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2017-09-03 02:11:32 CST; 1h 12min ago
  Process: 2400 ExecReload=/bin/sh -c /usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
  Process: 1130 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 1102 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 1137 (named)
   CGroup: /system.slice/named.service
           └─1137 /usr/sbin/named -u named

Sep 03 03:23:29 linux-node1 named[1137]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Sep 03 03:23:29 linux-node1 named[1137]: reloading configuration succeeded
Sep 03 03:23:29 linux-node1 named[1137]: reloading zones succeeded
Sep 03 03:23:29 linux-node1 named[1137]: zone magedu.com/IN: loaded serial 20170817
Sep 03 03:23:29 linux-node1 named[1137]: all zones loaded
Sep 03 03:23:29 linux-node1 named[1137]: running
Sep 03 03:23:29 linux-node1 named[1137]: zone magedu.com/IN: sending notifies (serial 20170817)
Sep 03 03:23:29 linux-node1 named[1137]: client 172.16.100.68#18607 (magedu.com): query 'magedu.com/SOA/IN' denied
Sep 03 03:23:29 linux-node1 named[1137]: client 172.16.100.68#58324 (magedu.com): transfer of 'magedu.com/IN': AXFR-styl...tarted
Sep 03 03:23:29 linux-node1 named[1137]: client 172.16.100.68#58324 (magedu.com): transfer of 'magedu.com/IN': AXFR-styl... ended
Hint: Some lines were ellipsized, use -l to show in full.

Next, check whether the slave also received the notify:

[root@linux-node2 ~]# systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2017-09-03 02:46:30 CST; 40min ago
  Process: 2388 ExecReload=/bin/sh -c /usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
 Main PID: 2296 (named)
   CGroup: /system.slice/named.service
           └─2296 /usr/sbin/named -u named

Sep 03 03:14:19 linux-node2 named[2296]: reloading zones succeeded
Sep 03 03:14:19 linux-node2 named[2296]: all zones loaded
Sep 03 03:14:19 linux-node2 named[2296]: running
Sep 03 03:23:29 linux-node2 named[2296]: client 172.16.100.67#43008: received notify for zone 'magedu.com'
Sep 03 03:23:29 linux-node2 named[2296]: zone magedu.com/IN: refresh: unexpected rcode (REFUSED) from master 172.16.100....0.0#0)
Sep 03 03:23:29 linux-node2 named[2296]: zone magedu.com/IN: Transfer started.
Sep 03 03:23:29 linux-node2 named[2296]: transfer of 'magedu.com/IN' from 172.16.100.67#53: connected using 172.16.100.68#58324
Sep 03 03:23:29 linux-node2 named[2296]: zone magedu.com/IN: transferred serial 20170817
Sep 03 03:23:29 linux-node2 named[2296]: transfer of 'magedu.com/IN' from 172.16.100.67#53: Transfer completed: 1 messag...s/sec)
Sep 03 03:23:29 linux-node2 named[2296]: zone magedu.com/IN: sending notifies (serial 20170817)
Hint: Some lines were ellipsized, use -l to show in full.

Check resolution:
[root@linux-node2 ~]# dig -t A pop3.magedu.com @172.16.100.68
The record is now found;
No reload of the slave is needed; it receives the notify automatically;

Next, configure the slave for the reverse zone as well:

[root@linux-node2 ~]# vim /etc/named.rfc1912.zones
zone "100.16.172.in-addr.arpa" IN {
        type slave;
        file "slaves/172.16.100.zone";
        masters { 172.16.100.67; };
};

Check the main configuration file:
[root@linux-node2 ~]# named-checkconf
[root@linux-node2 ~]# rndc reload
server reload successful

Next, in the reverse zone on the master, add the NS record and
a PTR record for that NS (this must be present)

[root@linux-node1 ~]# vim /var/named/172.16.100.zone
         IN      NS      ns2.magedu.com.
68      IN      PTR     ns2.magedu.com.
The reverse record is not especially critical, but the NS record must be present;
            20170828 ; bump the serial number
[root@linux-node1 ~]# named-checkzone 100.16.172.in-addr.arpa /var/named/172.16.100.zone
[root@linux-node1 ~]# rndc reload
server reload successful

Check on the slave:
[root@linux-node2 slaves]# ll
total 8
-rw-r--r-- 1 named named 574 Sep 3 03:52 172.16.100.zone
-rw-r--r-- 1 named named 610 Sep 3 03:23 magedu.com.zone
Check resolution:

[root@linux-node2 ~]# dig -x 172.16.100.67 @172.16.100.68

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> -x 172.16.100.67 @172.16.100.68
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41975
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;67.100.16.172.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
67.100.16.172.in-addr.arpa. 3600 IN     PTR     www.magedu.com.
67.100.16.172.in-addr.arpa. 3600 IN     PTR     ns1.magedu.com.

;; AUTHORITY SECTION:
100.16.172.in-addr.arpa. 3600   IN      NS      ns1.magedu.com.
100.16.172.in-addr.arpa. 3600   IN      NS      ns2.magedu.com.

;; ADDITIONAL SECTION:
ns1.magedu.com.         3600    IN      A       172.16.100.67
ns2.magedu.com.         3600    IN      A       172.16.100.68

;; Query time: 0 msec
;; SERVER: 172.16.100.68#53(172.16.100.68)
;; WHEN: Sun Sep 03 03:58:18 CST 2017
;; MSG SIZE  rcvd: 165

Now add a record on the master and see whether it syncs over immediately:

[root@linux-node1 ~]# vim /var/named/172.16.100.zone
72      IN      PTR     pop3.magedu.com.
                20170829
[root@linux-node1 ~]# rndc reload
server reload successful
[root@linux-node1 ~]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2017-09-03 02:11:32 CST; 1h 51min ago
  Process: 2400 ExecReload=/bin/sh -c /usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
  Process: 1130 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 1102 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 1137 (named)
   CGroup: /system.slice/named.service
           └─1137 /usr/sbin/named -u named

Sep 03 04:02:44 linux-node1 named[1137]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Sep 03 04:02:44 linux-node1 named[1137]: reloading configuration succeeded
Sep 03 04:02:44 linux-node1 named[1137]: reloading zones succeeded
Sep 03 04:02:44 linux-node1 named[1137]: all zones loaded
Sep 03 04:02:44 linux-node1 named[1137]: running
Sep 03 04:02:44 linux-node1 named[1137]: zone 100.16.172.in-addr.arpa/IN: loaded serial 20170829
Sep 03 04:02:44 linux-node1 named[1137]: zone 100.16.172.in-addr.arpa/IN: sending notifies (serial 20170829)
Sep 03 04:02:44 linux-node1 named[1137]: client 172.16.100.68#19698 (100.16.172.in-addr.arpa): query '100.16.172.in-addr...denied
Sep 03 04:02:44 linux-node1 named[1137]: client 172.16.100.68#50464 (100.16.172.in-addr.arpa): transfer of '100.16.172.i...tarted
Sep 03 04:02:44 linux-node1 named[1137]: client 172.16.100.68#50464 (100.16.172.in-addr.arpa): transfer of '100.16.172.i... ended
Hint: Some lines were ellipsized, use -l to show in full.   

Check resolution on the slave:

[root@linux-node2 ~]# dig -x 172.16.100.72 @172.16.100.68

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> -x 172.16.100.72 @172.16.100.68
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22458
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;72.100.16.172.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
72.100.16.172.in-addr.arpa. 3600 IN     PTR     pop3.magedu.com.

;; AUTHORITY SECTION:
100.16.172.in-addr.arpa. 3600   IN      NS      ns2.magedu.com.
100.16.172.in-addr.arpa. 3600   IN      NS      ns1.magedu.com.

;; ADDITIONAL SECTION:
ns1.magedu.com.         3600    IN      A       172.16.100.67
ns2.magedu.com.         3600    IN      A       172.16.100.68

;; Query time: 0 msec
;; SERVER: 172.16.100.68#53(172.16.100.68)
;; WHEN: Sun Sep 03 04:04:56 CST 2017
;; MSG SIZE  rcvd: 152

Manually test a zone transfer, which lists all resource records of the zone:

[root@linux-node1 ~]# dig -t axfr magedu.com

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> -t axfr magedu.com
;; global options: +cmd
magedu.com.             3600    IN      SOA     ns1.magedu.com. dnsadmin.magedu.com. 20170817 3600 600 259200 86400
magedu.com.             3600    IN      NS      ns1.magedu.com.
magedu.com.             3600    IN      NS      ns2.magedu.com.
magedu.com.             3600    IN      MX      10 mx1.magedu.com.
magedu.com.             3600    IN      MX      20 mx2.magedu.com.
bbs.magedu.com.         3600    IN      A       172.16.100.70
bbs.magedu.com.         3600    IN      A       172.16.100.71
MX1.magedu.com.         3600    IN      A       172.16.100.68
MX2.magedu.com.         3600    IN      A       172.16.100.69
ns1.magedu.com.         3600    IN      A       172.16.100.67
ns2.magedu.com.         3600    IN      A       172.16.100.68
pop3.magedu.com.        3600    IN      A       172.16.100.72
web.magedu.com.         3600    IN      CNAME   www.magedu.com.
www.magedu.com.         3600    IN      A       172.16.100.67
magedu.com.             3600    IN      SOA     ns1.magedu.com. dnsadmin.magedu.com. 20170817 3600 600 259200 86400
;; Query time: 1 msec
;; SERVER: 172.16.100.67#53(172.16.100.67)
;; WHEN: Sun Sep 03 04:17:39 CST 2017
;; XFR size: 15 records (messages 1, bytes 352)

On the slave:
[root@linux-node2 ~]# dig -t axfr magedu.com @172.16.100.67    # via the master's IP
transferring from .67 to .68;
The reverse zone can be transferred the same way:
[root@linux-node2 ~]# dig -t axfr 100.16.172.in-addr.arpa @172.16.100.67
Zone transfers like this carry risk, so access control is required;
Note: the clocks must be synchronized;
use the ntpdate command;

Configuring DNS subdomain delegation

Subdomain delegation:
Delegating a subdomain of a forward zone:
ops.magedu.com. IN NS ns1.ops.magedu.com.
ops.magedu.com. IN NS ns2.ops.magedu.com.
ns1.ops.magedu.com. IN A IP.AD.DR.ESS
ns2.ops.magedu.com. IN A IP.AD.DR.ESS

Edit the forward zone file on the master and add the new resource records;
[root@linux-node1 ~]# vim /var/named/magedu.com.zone
ops IN NS ns1.ops
ns1.ops IN A 172.16.100.69
20170818
[root@linux-node1 ~]# rndc reload

Next, bring up another machine and configure the subdomain server;

[root@linux-node3 ~]# yum install bind -y
[root@linux-node3 ~]# vim /etc/named.conf
listen-on port 53 { 127.0.0.1; 172.16.100.69; };
dnssec-enable no;
dnssec-validation no;
[root@linux-node3 ~]# systemctl start named.service

Define a zone:
[root@linux-node3 ~]# vim /etc/named.rfc1912.zones
zone "ops.magedu.com" IN {
type master;
file "ops.magedu.com.zone";
};
The forward zone for the subdomain is now set up;
Create the forward zone's data file;

[root@linux-node3 ~]# cd /var/named/
[root@linux-node3 named]# vim ops.magedu.com.zone
$TTL 3600
$ORIGIN ops.magedu.com.
@       IN      SOA     ns1.ops.magedu.com.  nsadmin.ops.magedu.com. (
                20180903
                1H
                10M
                1D
                2H )
        IN      NS      ns1
ns1     IN      A       172.16.100.69
www     IN      A       172.16.100.69
[root@linux-node3 named]# chmod o= ops.magedu.com.zone 
[root@linux-node3 named]# chgrp named ops.magedu.com.zone 
[root@linux-node3 named]# rndc reload
server reload successful
[root@linux-node3 named]# dig -t A www.ops.magedu.com @172.16.100.69

Query the subdomain record from the parent server:
[root@linux-node1 ~]# dig -t A www.ops.magedu.com @172.16.100.67

Configuring DNS forwarding

Defining forwarding:
Note: the server being forwarded to must allow recursion for the current server;
(1) Zone forwarding: forwards only the resolution requests for one specific zone;
zone "ZONE_NAME" IN {
type forward;
forward {first|only};
forwarders {SERVER_IP;};
};
first: forward first; if the forwarder does not respond, perform the iterative query itself;
only: forward only;
So for the subdomain, which does not know where the parent domain is, we can define zone forwarding instead of going to the root;
On the subdomain server, edit the configuration and add a zone:

[root@linux-node3 named]# vim /etc/named.rfc1912.zones
zone "magedu.com" IN {
        type forward;
        forward only;
        forwarders { 172.16.100.67; 172.16.100.68;};
};
[root@linux-node3 named]# named-checkconf
[root@linux-node3 named]# rndc reload
server reload successful
[root@linux-node3 named]# dig -t A www.magedu.com  @172.16.100.69
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
Resolution went through the forwarder rather than the root.

(2) Global forwarding (added inside options)
Global forwarding: every query for a zone not defined locally with a zone statement is handed to the forwarder;

options {
    ......
    forward {only|first};
    forwarders {SERVER_IP;};
    ......
};
[root@linux-node3 named]# vim /etc/named.conf
 forward only;
 forwarders { 172.16.100.67; };
[root@linux-node3 named]# rndc reload
server reload successful

Now forwarding is global;
Earlier we could not resolve baidu; with global forwarding configured we should be able to;
[root@linux-node3 named]# dig -t A www.baidu.com @172.16.100.69
It resolves; the answer actually comes from 172.16.100.67;

Security-related configuration in bind:

acl: access control list; groups one or more addresses into a named set so that all hosts in the set can be referred to by that name;
acl acl_name {
ip;
network/prefixlen;
};
Example:
acl mynet {
172.16.0.0/16;
127.0.0.0/8;
};
bind has four built-in acls:
none: no host;
any: any host;
localhost: the local machine;
localnets: the networks the local machine's IP addresses belong to;
Access control directives:
allow-query {}; hosts allowed to query; a whitelist;
allow-transfer {}; hosts allowed to perform zone transfers; the default is all hosts; should be restricted to the slave servers only;
allow-recursion {}; hosts allowed to send recursive queries to this DNS server;
allow-update {}; DDNS, allows dynamic updates to the zone database file;

[root@linux-node1 ~]# vim /etc/named.rfc1912.zones
zone "magedu.com" IN {
        type master;
        file "magedu.com.zone";
        allow-transfer { slaves; };
};

Then edit the main configuration file:

[root@linux-node1 ~]# vim /etc/named.conf 
acl slaves {
        172.16.100.68;
        127.0.0.1;
};

Putting it at the top of the file (before it is referenced) is enough;
[root@linux-node1 ~]# named-checkconf
[root@linux-node1 ~]# rndc reload
server reload successful
Now try to transfer from the subdomain server; you see it no longer works:
[root@linux-node3 named]# dig -t axfr magedu.com @172.16.100.67
Transfer from the slave server:
[root@linux-node2 ~]# dig -t axfr magedu.com @172.16.100.67
You see the slave can still transfer;
The master itself cannot transfer either:
[root@linux-node1 ~]# dig -t axfr magedu.com @172.16.100.67

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> -t axfr magedu.com @172.16.100.67
;; global options: +cmd
; Transfer failed.
Because that address is not listened on, only 127.0.0.1 is;

[root@linux-node1 ~]# vim /etc/named.conf
acl mynet {
        127.0.0.0/8;
};
allow-recursion { mynet; };
Now only this network is allowed to recurse;
[root@linux-node1 ~]# rndc reload         
server reload successful
Test from the subdomain server; as we said, forwarding only works if recursion is allowed:
[root@linux-node3 named]# dig -t A www.baidu.com @172.16.100.69
You see nothing is found; now add this IP on the master:
[root@linux-node1 ~]# vim /etc/named.conf 
acl mynet {
        127.0.0.0/8;
        172.16.100.69;
};
[root@linux-node1 ~]# rndc reload         
server reload successful
Query again from the subdomain server (it resolves now):

[root@linux-node3 named]# dig -t A www.baidu.com @172.16.100.69

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> -t A www.baidu.com @172.16.100.69
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19906
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 6

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com.                 IN      A

;; ANSWER SECTION:
www.baidu.com.          1200    IN      CNAME   www.a.shifen.com.
www.a.shifen.com.       300     IN      A       14.215.177.39
www.a.shifen.com.       300     IN      A       14.215.177.38

;; AUTHORITY SECTION:
a.shifen.com.           1200    IN      NS      ns2.a.shifen.com.
a.shifen.com.           1200    IN      NS      ns3.a.shifen.com.
a.shifen.com.           1200    IN      NS      ns5.a.shifen.com.
a.shifen.com.           1200    IN      NS      ns4.a.shifen.com.
a.shifen.com.           1200    IN      NS      ns1.a.shifen.com.

;; ADDITIONAL SECTION:
ns1.a.shifen.com.       1200    IN      A       61.135.165.224
ns4.a.shifen.com.       1200    IN      A       115.239.210.176
ns3.a.shifen.com.       1200    IN      A       61.135.162.215
ns5.a.shifen.com.       1200    IN      A       119.75.222.17
ns2.a.shifen.com.       1200    IN      A       180.149.133.241

;; Query time: 1703 msec
;; SERVER: 172.16.100.69#53(172.16.100.69)

Configure the slave to refuse transfers:

[root@linux-node2 ~]# vim /etc/named.rfc1912.zones
zone "magedu.com" IN {
        type slave;
        file  "slaves/magedu.com.zone";
        masters { 172.16.100.67; };
        allow-transfer { none; };
        allow-update { none; };
};
zone "100.16.172.in-addr.arpa" IN {
        type slave;
        file "slaves/172.16.100.zone";
        masters { 172.16.100.67; };
        allow-update { none; };
};

Now your server is safer;
[root@linux-node2 ~]# rndc reload
server reload successful
Test the slave from the subdomain server; the transfer must fail now:

[root@linux-node3 named]# dig -t axfr magedu.com @172.16.100.68

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> -t axfr magedu.com @172.16.100.68
;; global options: +cmd
; Transfer failed.
You see the transfer no longer goes through;

Intelligent DNS resolution (bind views)

bind view:
A view:
view VIEW_NAME {
    zone ...
    zone ...
    zone ...
};

view internal {
        match-clients { 172.16.0.0/8; };
        zone "magedu.com" IN {
                type master;
                file "magedu.com/internal";
        };
};
view external {
        match-clients { any; };
        zone "magedu.com" IN {
                type master;
                file "magedu.com/external";
        };
};

Now we need to tell clients apart, so each view gets a match-clients clause saying which clients it should match, for example the internal network;
That gives intelligent resolution. What about clients coming from the Internet via China Unicom and China Telecom?
You would have to collect every China Unicom address range and put them in the view's match-clients, but that would be far too long. A better way is to define an acl that holds all of them, so that clients from Unicom land in the Unicom view. How do you find out which ranges belong to Unicom and Telecom nationwide? Look them up in the Asia-Pacific registry (APNIC) database, which records which blocks were sold to China Telecom and which to China Unicom; write a script to pull them;
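As an added example (not from the post), the following Python models how BIND evaluates the address match lists used by acl, allow-transfer, allow-recursion and match-clients above: elements are tried in order, the first hit decides, a leading ! negates, and a negated hit inside a nested acl only makes that element miss. The acls and view lists are constructed from the notes; ACLS, VIEWS, BUILTIN and the function names are this example's own, and the built-in localhost is simplified to loopback.

```python
import ipaddress

# Constructed configuration (not the post's files): the acls from the notes plus the two views.
# Assumptions: the built-in "localhost" is modelled as loopback only, and "localnets" (which
# needs the server's interface list) is left out.
ACLS = {
    "slaves": ["172.16.100.68", "127.0.0.1"],   # allow-transfer { slaves; };
    "mynet": ["127.0.0.0/8", "172.16.100.69"],  # allow-recursion { mynet; };
}
BUILTIN = {"any": ["0.0.0.0/0", "::/0"], "none": [], "localhost": ["127.0.0.0/8", "::1"]}
# Views in named.conf order. The notes write 172.16.0.0/8; /16 is the prefix that covers 172.16.x.x.
VIEWS = [("internal", ["172.16.0.0/16"]), ("external", ["any"])]


def match_list(client, elements, acls=ACLS):
    """Walk an address match list in order and return 1 (an element matched), -1 (a
    negated element matched) or 0 (nothing matched). A negated hit inside a nested acl
    only makes that element miss; the outer list keeps going, as BIND does."""
    ip = ipaddress.ip_address(client)
    for element in elements:
        negated = element.startswith("!")
        name = element.lstrip("!").strip()
        if name in acls or name in BUILTIN:
            hit = match_list(client, acls.get(name, BUILTIN.get(name)), acls) > 0
        else:
            hit = ip in ipaddress.ip_network(name, strict=False)
        if hit:
            return -1 if negated else 1
    return 0


def allowed(client, elements, acls=ACLS):
    """allow-query / allow-transfer / allow-recursion semantics: only a positive match
    grants access; a negated match or no match at all denies."""
    return match_list(client, elements, acls) > 0


def select_view(client, views=VIEWS, acls=ACLS):
    """The first view whose match-clients list matches serves the client; None means no view."""
    for name, clients in views:
        if allowed(client, clients, acls):
            return name
    return None


def transfer_report(zone_acl, clients, acls=ACLS):
    """Which of the given hosts could pull the zone (AXFR) under this allow-transfer list."""
    return {c: allowed(c, zone_acl, acls) for c in clients}


if __name__ == "__main__":
    hosts = ["172.16.100.67", "172.16.100.68", "172.16.100.69"]  # master, slave, subdomain server
    print(transfer_report(["slaves"], hosts))   # only the slave may transfer
    print(transfer_report(["none"], hosts))     # the hardened slave: nobody may
    print(select_view("172.16.100.69"), select_view("8.8.8.8"))
```

With allow-transfer { slaves; } the report matches what the dig -t axfr tests above showed: only 172.16.100.68 may pull the zone, while the master's own address and the subdomain server are refused.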
Extra homework: the whois command;
Blog assignment: forward zone; reverse zone; master/slave; subdomain; basic access control;

posted @ 2017-09-11 09:15  ShenghuiChen