DNS BIND Master/Slave Deployment

When a BIND master and slave synchronize, the serial number must be changed every time the zone file on the master is edited, because master/slave synchronization is driven by changes in the serial number (that is, after every change on the master the named service must be restarted before the change is automatically synchronized to the slave).

How master/slave works: the slave connects to the master on TCP port 53 and periodically (at the interval given by the zone's SOA refresh value) polls the serial number of the master's zone; when it detects that the master's serial has increased, it transfers the master's zone contents to its local copy.

Master/slave deployment environment:

Operating system: CentOS Linux release 7.3.1611 (Core)

master server: 10.20.9.7
slave server: 10.20.9.8

Disable the firewall and SELinux (a shortcut for this lab; on a production server allow TCP and UDP port 53 through firewalld and keep SELinux enforcing instead):

#systemctl stop firewalld
#systemctl disable firewalld
#systemctl status firewalld
#sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/sysconfig/selinux

Then reboot the host (reboot) for the SELinux change to take effect.

I. Install the bind software

Install on both the master and the slave:

# yum install -y bind bind-utils bind-chroot

II. Edit the server configuration files

1. Master-side configuration changes (10.20.9.7)

1.1> Configure /etc/named.conf.

This file has three main parts: options holds the global settings, logging holds the logging configuration, and the remainder is the zone configuration together with the zone files it includes.

Only two lines change, both to any: the listen-on line (second line) and the allow-query line (last line). Note that the stock CentOS named.conf also contains recursion yes; on an authoritative server that now accepts queries from anywhere, set recursion no (or restrict allow-recursion) so it does not become an open resolver.

options {
        listen-on port 53 { any; };            # changed to any
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };              # changed to any
        # (remaining options unchanged)
};

1.2> Edit /etc/named.rfc1912.zones and append one forward zone and one reverse zone at the end of the file.

zone "saneri.com" IN {
        type master;                       # zone type: hint (root hints) | master | slave | forward
        file "saneri.com.zone";            # zone file name, relative to the directory set in options
        allow-update { none; };
        allow-transfer { 10.20.9.8; };     # only this host (the slave) may request zone transfers
};


zone "9.20.10.in-addr.arpa" IN {
        type master;
        file "10.20.9.zone";
        allow-update { none; };
        allow-transfer { 10.20.9.8; };
};

After editing, run the check below; it validates named.conf together with the files it includes, such as named.rfc1912.zones:

# named-checkconf

No output means /etc/named.conf has no syntax errors.

1.3> In /var/named, create the forward zone file saneri.com.zone and the reverse zone file 10.20.9.zone

# cd /var/named/

[root@ops-dns-01 named]# vim saneri.com.zone 
$TTL 1D
@               IN      SOA     dns1.saneri.com. mail.saneri.com. (
                2018030422
                2H
                10M
                1W
                1D
                )
@               IN  NS          dns1.saneri.com.
@               IN  NS          dns2.saneri.com.
@               IN  MX  10      mail.saneri.com.
dns1            IN  A           10.20.9.7
dns2            IN  A           10.20.9.8
mail            IN  A           10.20.9.7
www             IN  A           10.20.9.7

Check the forward zone file for errors.

Forward zone syntax check:

[root@ops-dns-01 named]# named-checkzone "saneri.com" saneri.com.zone
zone saneri.com/IN: loaded serial 2018030422
OK
[root@ops-dns-01 named]# 

Add the reverse zone file.

[root@ops-dns-01 named]# vim 10.20.9.zone 
$TTL 1d
@    IN  SOA     dns1.saneri.com. mail.saneri.com. (
            2018030422;
            2H;
            10M;
            1W;
            1D;
            )
                IN      NS  dns1.saneri.com.
                IN      NS  dns2.saneri.com.
7               IN      PTR www.saneri.com.
7               IN      PTR mail.saneri.com.
7               IN      PTR dns1.saneri.com.
8               IN      PTR dns2.saneri.com.

Reverse zone syntax check:

[root@ops-dns-01 named]# named-checkzone "9.20.10.in-addr.arpa" 10.20.9.zone
zone 9.20.10.in-addr.arpa/IN: loaded serial 2018030422
OK
[root@ops-dns-01 named]# 

Check ownership: the files under the directory should belong to the named group

[root@ops-dns-01 named]# chown -R named.named /var/named/

Start the service and check its status

[root@ops-dns-01 named]# systemctl start named.service
[root@ops-dns-01 named]# systemctl status named.service

1.4> If the service is running normally, test name resolution.

Forward lookup:

[root@ops-dns-01 named]# dig -t A www.saneri.com @10.20.9.7

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -t A www.saneri.com @10.20.9.7
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44586
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.saneri.com.                 IN      A

;; ANSWER SECTION:
www.saneri.com.          86400   IN      A       10.20.9.7

;; AUTHORITY SECTION:
saneri.com.              86400   IN      NS      dns1.saneri.com.
saneri.com.              86400   IN      NS      dns2.saneri.com.

;; ADDITIONAL SECTION:
dns1.saneri.com.         86400   IN      A       10.20.9.7
dns2.saneri.com.         86400   IN      A       10.20.9.8

;; Query time: 0 msec
;; SERVER: 10.20.9.7#53(10.20.9.7)
;; WHEN: Tue Sep 18 21:43:56 CST 2018
;; MSG SIZE  rcvd: 128

[root@ops-dns-01 named]# 

Reverse lookup:

[root@ops-dns-01 named]# dig -x 10.20.9.8 @10.20.9.7

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -x 10.20.9.8 @10.20.9.7
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17606
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;8.9.20.10.in-addr.arpa.                IN      PTR

;; ANSWER SECTION:
8.9.20.10.in-addr.arpa. 86400   IN      PTR     dns2.saneri.com.

;; AUTHORITY SECTION:
9.20.10.in-addr.arpa.   86400   IN      NS      dns2.saneri.com.
9.20.10.in-addr.arpa.   86400   IN      NS      dns1.saneri.com.

;; ADDITIONAL SECTION:
dns1.saneri.com.        86400   IN      A       10.20.9.7
dns2.saneri.com.        86400   IN      A       10.20.9.8

;; Query time: 0 msec
;; SERVER: 10.20.9.7#53(10.20.9.7)
;; WHEN: Tue Sep 18 23:45:43 CST 2018
;; MSG SIZE  rcvd: 145

[root@ops-dns-01 named]# 

At this point the master DNS server is fully configured and working!!!

2. Slave-side configuration (10.20.9.8)

2.1> Edit /etc/named.conf and change the listen address; nothing else needs to change

options {
        listen-on port 53 { 10.20.9.8; 127.0.0.1; };  // add this host's own IP address
        // (remaining options unchanged)
};

2.2> Edit /etc/named.rfc1912.zones and add the following

zone "saneri.com" IN {
        type slave;
        masters { 10.20.9.7; };
        file "slaves/saneri.com.zone";
};
zone "9.20.10.in-addr.arpa" IN {
        type slave;
        masters { 10.20.9.7; };
        file "slaves/10.20.9.zone";
};

Note: the slave's zone files are loaded from the master, so there is no need to create them by hand.

2.3> Start named on the slave and check its status.

[root@ops-dns-02 ~]# systemctl start named.service
[root@ops-dns-02 ~]# systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2018-09-18 15:46:56 CST; 24min ago
  Process: 2140 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 2137 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 2142 (named)
   CGroup: /system.slice/named.service
           └─2142 /usr/sbin/named -u named -c /etc/named.conf

Sep 18 15:47:11 ops-dns-02 named[2142]: zone 9.20.10.in-addr.arpa/IN: Transfer started.
Sep 18 15:47:11 ops-dns-02 named[2142]: transfer of '9.20.10.in-addr.arpa/IN' from 10.20.9.7#53: connected using 10.20.9.8#45002
Sep 18 15:47:11 ops-dns-02 named[2142]: zone 9.20.10.in-addr.arpa/IN: transferred serial 2018030422
Sep 18 15:47:11 ops-dns-02 named[2142]: transfer of '9.20.10.in-addr.arpa/IN' from 10.20.9.7#53: Transfer completed: 1 mess...es/sec)
Sep 18 15:47:11 ops-dns-02 named[2142]: zone 9.20.10.in-addr.arpa/IN: sending notifies (serial 2018030422)
Sep 18 15:47:11 ops-dns-02 named[2142]: zone saneri.com/IN: Transfer started.
Sep 18 15:47:11 ops-dns-02 named[2142]: transfer of 'saneri.com/IN' from 10.20.9.7#53: connected using 10.20.9.8#51488
Sep 18 15:47:11 ops-dns-02 named[2142]: zone saneri.com/IN: transferred serial 2018030422
Sep 18 15:47:11 ops-dns-02 named[2142]: transfer of 'saneri.com/IN' from 10.20.9.7#53: Transfer completed: 1 messages, 9 rec...es/sec)
Sep 18 15:47:11 ops-dns-02 named[2142]: zone saneri.com/IN: sending notifies (serial 2018030422)
Hint: Some lines were ellipsized, use -l to show in full. 

The status output shows that the zone files have been transferred to the slave.

2.4> Verify synchronization
Look in /var/named/slaves/: two new files have appeared.

[root@ops-dns-02 ~]# cd /var/named/
[root@ops-dns-02 named]# ll
total 16
drwxr-x--- 7 root named 61 Sep 18 15:20 chroot
drwxrwx--- 2 named named 23 Sep 18 15:30 data
drwxrwx--- 2 named named 31 Sep 18 15:38 dynamic
-rw-r----- 1 root named 2281 May 22 2017 named.ca
-rw-r----- 1 root named 152 Dec 15 2009 named.empty
-rw-r----- 1 root named 152 Jun 21 2007 named.localhost
-rw-r----- 1 root named 168 Dec 15 2009 named.loopback
drwxrwx--- 2 named named 48 Sep 18 15:47 slaves
[root@ops-dns-02 named]# ll slaves/
total 8
-rw-r--r-- 1 named named 357 Sep 18 15:47 10.20.9.zone
-rw-r--r-- 1 named named 394 Sep 18 15:47 saneri.com.zone
[root@ops-dns-02 named]#

Looking at the contents, the files match the zone files on the master DNS server, which shows that both were transferred automatically from the master.
From now on, to add DNS records, edit only the forward zone file /var/named/saneri.com.zone and the reverse zone file /var/named/10.20.9.zone on the master and bump the serial number (then reload named); the master notifies the slave, which fetches the updated zone into /var/named/slaves.
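The update routine just described as a script, added here as an example (not code from the original post): it reads the current serial with named-checkzone, bumps it in the YYYYMMDDnn style of the zones above, re-checks the file and reloads the zone. Zone names and paths are those of the post; a working rndc is an assumption (the post restarts named instead, which also works).

```shell
#!/bin/sh
# Bump a zone's SOA serial on the master, re-check the zone and reload it so the
# slave picks up the change. Added example, not part of the original post.
# Assumes the YYYYMMDDnn serial scheme of the saneri.com zone, zone files under
# /var/named as in the post, and that rndc is configured for this named.
set -eu

# next_serial CURRENT [TODAY]: print the next YYYYMMDDnn serial.
# Same day: increment the two-digit revision; new day: start today at 01.
next_serial() {
    cur=$1; today=${2:-$(date +%Y%m%d)}
    if [ "${cur%??}" = "$today" ]; then
        new=$((cur + 1))
    else
        new="${today}01"
    fi
    # A serial must only ever increase: guard against a clock that went
    # backwards or a hand-edited serial that is already ahead of today.
    if [ "$new" -le "$cur" ]; then
        new=$((cur + 1))
    fi
    echo "$new"
}

# loaded_serial: read named-checkzone output on stdin and print the serial it
# reports ("zone saneri.com/IN: loaded serial 2018030422").
loaded_serial() {
    sed -n 's/.*loaded serial \([0-9][0-9]*\).*/\1/p'
}

# bump_zone ZONE FILE: rewrite the serial in FILE, re-check it, then reload ZONE.
bump_zone() {
    zone=$1; file=$2
    cur=$(named-checkzone "$zone" "$file" | loaded_serial)
    [ -n "$cur" ] || { echo "cannot read serial of $zone from $file" >&2; return 1; }
    new=$(next_serial "$cur")
    # The serial sits on its own line in the SOA records above; replace only the
    # exact old value so no other record is touched (GNU sed -i).
    sed -i "s/\\b$cur\\b/$new/" "$file"
    named-checkzone "$zone" "$file" >/dev/null ||
        { echo "$file failed the zone check after edit, fix before reloading" >&2; return 1; }
    rndc reload "$zone"
    echo "$zone: serial $cur -> $new"
}

# Usage on the master:  sh bump_zone.sh saneri.com /var/named/saneri.com.zone
if [ $# -eq 2 ]; then
    bump_zone "$1" "$2"
fi
```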

2.5> Troubleshooting zone transfer problems.

1. The master's zone files do not appear in the slave's slaves directory (it stays empty). Check the log:

[root@ops-dns-02 named]# tail -f /var/log/messages 
Sep 18 15:41:36 localhost named[11919]: command channel listening on ::1#953
Sep 18 15:41:36 localhost named[11919]: managed-keys-zone: loaded serial 2
Sep 18 15:41:36 localhost named[11919]: zone 0.in-addr.arpa/IN: loaded serial 0
Sep 18 15:41:36 localhost named[11919]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Sep 18 15:41:36 localhost named[11919]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Sep 18 15:41:36 localhost named[11919]: zone localhost/IN: loaded serial 0
Sep 18 15:41:36 localhost named[11919]: zone localhost.localdomain/IN: loaded serial 0
Sep 18 15:41:36 localhost named[11919]: all zones loaded
Sep 18 15:41:36 localhost named[11919]: running
Sep 18 15:41:36 localhost systemd: Started Berkeley Internet Name Domain (DNS).

Sep 18 15:43:06 localhost named[11919]: zone saneri.com/IN: refresh: retry limit for master 10.20.9.7#53 exceeded (source 0.0.0.0#0)
Sep 18 15:43:06 localhost named[11919]: zone saneri.com/IN: Transfer started.
Sep 18 15:43:06 localhost named[11919]: transfer of 'saneri.com/IN' from 10.20.9.7#53: failed to connect: host unreachable
Sep 18 15:43:06 localhost named[11919]: transfer of 'saneri.com/IN' from 10.20.9.7#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec)
Sep 18 15:43:06 localhost named[11919]: zone 9.20.10.in-addr.arpa/IN: refresh: retry limit for master 10.20.9.7#53 exceeded (source 0.0.0.0#0)
Sep 18 15:43:19 localhost kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
Sep 18 15:44:36 localhost named[11919]: zone saneri.com/IN: refresh: retry limit for master 10.20.9.7#53 exceeded (source 0.0.0.0#0)
Sep 18 15:44:37 localhost named[11919]: zone 9.20.10.in-addr.arpa/IN: refresh: retry limit for master 10.20.9.7#53 exceeded (source 0.0.0.0#0)
Sep 18 15:44:37 localhost named[11919]: zone 9.20.10.in-addr.arpa/IN: refresh: skipping zone transfer as master 10.20.9.7#53 (source 0.0.0.0#0) is unreachable (cached)
Sep 18 15:44:41 localhost named[11919]: zone saneri.com/IN: refresh: skipping zone transfer as master 10.20.9.7#53 (source 0.0.0.0#0) is unreachable (cached)
Sep 18 15:45:03 localhost systemd: Reloading.

The log shows the master cannot be reached, so suspect iptables and SELinux: check that both are disabled (or correctly configured) on the master and the slave, then restart named.
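The messages above are exactly what a slave health check should look for. As an added example (not from the original post), this script summarises named's syslog lines per zone: the last serial transferred and the number of failure messages, using the message formats quoted on this page; the sample lines are copied from the log excerpts above.

```shell
#!/bin/sh
# Summarise zone-transfer health per zone from named's syslog lines, so a slave
# that has silently stopped pulling from the master shows up as one line per zone.
# Added example, not part of the original post; the message formats are those of
# the BIND 9.9 log lines quoted above.
set -eu

# transfer_summary: read /var/log/messages on stdin and print, per zone,
#   <zone> last_transferred=<serial|none> failures=<number of failure messages>
transfer_summary() {
    awk '
        # Zone name from either "zone X/IN: ..." or "transfer of <X/IN> from ..." lines.
        function zone_of(s) {
            if (s ~ /: zone [^ ]+\/IN:/) sub(/.*: zone /, "", s)
            else sub(/.*transfer of ./, "", s)
            sub(/\/IN.*/, "", s)
            return s
        }
        # Successful pull: "zone saneri.com/IN: transferred serial 2018030422"
        match($0, /transferred serial [0-9]+/) {
            z = zone_of($0); zones[z] = 1
            serial[z] = substr($0, RSTART + 19, RLENGTH - 19)
        }
        # Failure messages as seen in the troubleshooting log above
        /refresh: retry limit for master .* exceeded/ ||
        /transfer of .*: failed to connect/ ||
        /refresh: skipping zone transfer as master .* is unreachable/ {
            z = zone_of($0); zones[z] = 1; fail[z]++
        }
        END {
            for (z in zones)
                printf "%s last_transferred=%s failures=%d\n",
                    z, (z in serial) ? serial[z] : "none", fail[z] + 0
        }' | LC_ALL=C sort
}

# Constructed sample: lines copied from the log excerpts above, failures first.
sample_log() {
    cat <<'EOF'
Sep 18 15:43:06 localhost named[11919]: zone saneri.com/IN: refresh: retry limit for master 10.20.9.7#53 exceeded (source 0.0.0.0#0)
Sep 18 15:43:06 localhost named[11919]: transfer of 'saneri.com/IN' from 10.20.9.7#53: failed to connect: host unreachable
Sep 18 15:44:37 localhost named[11919]: zone 9.20.10.in-addr.arpa/IN: refresh: skipping zone transfer as master 10.20.9.7#53 (source 0.0.0.0#0) is unreachable (cached)
Sep 18 15:47:11 ops-dns-02 named[2142]: zone 9.20.10.in-addr.arpa/IN: transferred serial 2018030422
Sep 18 15:47:11 ops-dns-02 named[2142]: zone saneri.com/IN: transferred serial 2018030422
EOF
}

# Usage: sh transfer_summary.sh /var/log/messages   (no argument: run the sample)
if [ $# -gt 0 ]; then transfer_summary < "$1"; else sample_log | transfer_summary; fi
```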

2.6> Test the slave DNS server.

Forward lookup:

[root@ops-dns-02 slaves]# dig -t A www.saneri.com @10.20.9.8

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -t A www.saneri.com @10.20.9.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17466
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.saneri.com.                 IN      A

;; ANSWER SECTION:
www.saneri.com.          86400   IN      A       10.20.9.7

;; AUTHORITY SECTION:
saneri.com.              86400   IN      NS      dns2.saneri.com.
saneri.com.              86400   IN      NS      dns1.saneri.com.

;; ADDITIONAL SECTION:
dns1.saneri.com.         86400   IN      A       10.20.9.7
dns2.saneri.com.         86400   IN      A       10.20.9.8

;; Query time: 0 msec
;; SERVER: 10.20.9.8#53(10.20.9.8)
;; WHEN: Tue Sep 18 15:57:21 CST 2018
;; MSG SIZE  rcvd: 128

[root@ops-dns-02 slaves]# 

Reverse lookup:

[root@ops-dns-02 ~]# dig -x 10.20.9.7  @10.20.9.8

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -x 10.20.9.7 @10.20.9.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58389
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;7.9.20.10.in-addr.arpa.                IN      PTR

;; ANSWER SECTION:
7.9.20.10.in-addr.arpa. 86400   IN      PTR     mail.saneri.com.
7.9.20.10.in-addr.arpa. 86400   IN      PTR     dns1.saneri.com.
7.9.20.10.in-addr.arpa. 86400   IN      PTR     www.saneri.com.

;; AUTHORITY SECTION:
9.20.10.in-addr.arpa.   86400   IN      NS      dns2.saneri.com.
9.20.10.in-addr.arpa.   86400   IN      NS      dns1.saneri.com.

;; ADDITIONAL SECTION:
dns1.saneri.com.         86400   IN      A       10.20.9.7
dns2.saneri.com.         86400   IN      A       10.20.9.8

;; Query time: 0 msec
;; SERVER: 10.20.9.8#53(10.20.9.8)
;; WHEN: Tue Sep 18 16:21:26 CST 2018
;; MSG SIZE  rcvd: 181

[root@ops-dns-02 ~]# 

The dig command
dig is the usual DNS query tool and can be used to test whether name resolution is working correctly.

Syntax

dig [options] [parameters]

Options

@<server address>: the name server to send the query to;
-b<ip address>: when the host has several IP addresses, the local address to send the query from;
-f<file name>: run dig in batch mode, reading the queries to perform from the given file;
-p<port>: the port the name server listens on;
-t<type>: the DNS record type to query;
-x<ip address>: perform a reverse lookup;
-4: use IPv4 only;
-6: use IPv6 only;
-h: show help.

 

Reference: https://blog.csdn.net/fanren224/article/details/79693801

Posted 2018-09-18 15:28 by 梦徒