DNS BIND service: master/slave deployment
When a BIND master and slave synchronise, the master has to bump the zone's serial number every time it changes the zone file: master/slave synchronisation is driven by changes to the serial number (that is, after each change on the master, the named service has to be restarted before the change is picked up and synchronised to the slave).
How master/slave works: the slave polls the master on TCP port 53. At regular intervals it checks the serial number in the master's zone, and when it sees that the master's serial has increased, it pulls the master's zone contents down to its local copy.
Environment for the master/slave deployment:
Operating system: CentOS Linux release 7.3.1611 (Core); master server: 10.20.9.7; slave server: 10.20.9.8
Turn off the firewall and SELinux:

```
# systemctl stop firewalld
# systemctl disable firewalld
# systemctl status firewalld
# sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/sysconfig/selinux
```

Then reboot the host (reboot). Stopping firewalld is a lab shortcut; on a production server keep the firewall and open only DNS (53/tcp and 53/udp, for example `firewall-cmd --permanent --add-service=dns`).
I. Install the BIND software
Install on both the master and the slave:

```
# yum install -y bind bind-utils bind-chroot
```
II. Edit the server configuration files
1. Master configuration (10.20.9.7)
1.1> Edit /etc/named.conf.
This configuration file has three main parts: options is the global configuration, logging is the logging configuration, and the rest is the zone configuration together with the zone files it includes.
Only the second line (listen-on) and the last line (allow-query) are changed, both to any:

```
options {
        listen-on port 53 { any; };        # changed to any
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };          # changed to any
};
```

The stock named.conf also carries `recursion yes;`. Once allow-query is any, every client can use this server as a recursive resolver, so on an authoritative-only server either set `recursion no;` or restrict it with `allow-recursion` to your own networks.
1.2> Edit /etc/named.rfc1912.zones and append one forward zone and one reverse zone at the end of the file:

```
#######################################################################
zone "saneri.com" IN {
        type master;                   # zone type: hint (root) | master | slave | forward
        file "saneri.com.zone";        # zone file name
        allow-update { none; };
        allow-transfer { 10.20.9.8; }; # hosts allowed to pull zone transfers, i.e. the slave
};
zone "9.20.10.in-addr.arpa" IN {
        type master;
        file "10.20.9.zone";
        allow-update { none; };
        allow-transfer { 10.20.9.8; };
};
```

Check the result after editing. This command checks both named.conf and the named.rfc1912.zones file it includes:

```
# named-checkconf
```

No output means /etc/named.conf has no syntax errors.
1.3> In /var/named create the forward zone file saneri.com.zone and the reverse zone file 10.20.9.zone.

```
# cd /var/named/
[root@ops-dns-01 named]# vim saneri.com.zone
$TTL 1D
@       IN SOA  dns1.saneri.com. mail.saneri.com. (
                2018030422      ; serial
                2H              ; refresh
                10M             ; retry
                1W              ; expire
                1D )            ; minimum (negative-caching TTL)
@       IN NS   dns1.saneri.com.
@       IN NS   dns2.saneri.com.
@       IN MX   10 mail.saneri.com.
dns1    IN A    10.20.9.7
dns2    IN A    10.20.9.8
mail    IN A    10.20.9.7
www     IN A    10.20.9.7
```
Check the forward zone file for errors.
Forward zone syntax check:

```
[root@ops-dns-01 named]# named-checkzone "saneri.com" saneri.com.zone
zone saneri.com/IN: loaded serial 2018030422
OK
[root@ops-dns-01 named]#
```
Add the reverse zone file:

```
[root@ops-dns-01 named]# vim 10.20.9.zone
$TTL 1D
@       IN SOA  dns1.saneri.com. mail.saneri.com. (
                2018030422      ; serial
                2H              ; refresh
                10M             ; retry
                1W              ; expire
                1D )            ; minimum
        IN NS   dns1.saneri.com.
        IN NS   dns2.saneri.com.
7       IN PTR  www.saneri.com.
7       IN PTR  mail.saneri.com.
7       IN PTR  dns1.saneri.com.
8       IN PTR  dns2.saneri.com.
```
Reverse zone syntax check:

```
[root@ops-dns-01 named]# named-checkzone "9.20.10.in-addr.arpa" 10.20.9.zone
zone 9.20.10.in-addr.arpa/IN: loaded serial 2018030422
OK
[root@ops-dns-01 named]#
```
Check permissions: the files in this directory should belong to the named user and group.

```
[root@ops-dns-01 named]# chown -R named:named /var/named/
```
Start the service and check its status:

```
[root@ops-dns-01 named]# systemctl start named.service
[root@ops-dns-01 named]# systemctl status named.service
```
1.4> If the service is running normally, test name resolution.
Forward lookup:

```
[root@ops-dns-01 named]# dig -t A www.saneri.com @10.20.9.7

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -t A www.saneri.com @10.20.9.7
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44586
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.saneri.com.                IN      A

;; ANSWER SECTION:
www.saneri.com.         86400   IN      A       10.20.9.7

;; AUTHORITY SECTION:
saneri.com.             86400   IN      NS      dns1.saneri.com.
saneri.com.             86400   IN      NS      dns2.saneri.com.

;; ADDITIONAL SECTION:
dns1.saneri.com.        86400   IN      A       10.20.9.7
dns2.saneri.com.        86400   IN      A       10.20.9.8

;; Query time: 0 msec
;; SERVER: 10.20.9.7#53(10.20.9.7)
;; WHEN: Tue Sep 18 21:43:56 CST 2018
;; MSG SIZE  rcvd: 128

[root@ops-dns-01 named]#
```
Reverse lookup:

```
[root@ops-dns-01 named]# dig -x 10.20.9.8 @10.20.9.7

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -x 10.20.9.8 @10.20.9.7
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17606
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;8.9.20.10.in-addr.arpa.        IN      PTR

;; ANSWER SECTION:
8.9.20.10.in-addr.arpa. 86400   IN      PTR     dns2.saneri.com.

;; AUTHORITY SECTION:
9.20.10.in-addr.arpa.   86400   IN      NS      dns2.saneri.com.
9.20.10.in-addr.arpa.   86400   IN      NS      dns1.saneri.com.

;; ADDITIONAL SECTION:
dns1.saneri.com.        86400   IN      A       10.20.9.7
dns2.saneri.com.        86400   IN      A       10.20.9.8

;; Query time: 0 msec
;; SERVER: 10.20.9.7#53(10.20.9.7)
;; WHEN: Tue Sep 18 23:45:43 CST 2018
;; MSG SIZE  rcvd: 145

[root@ops-dns-01 named]#
```

At this point the master DNS server is fully configured and working!!!
2. Slave server configuration (10.20.9.8)
2.1> Edit /etc/named.conf and change the listen address; nothing else needs to change.

```
options {
        listen-on port 53 { 10.20.9.8; 127.0.0.1; };   // add this host's own IP address
};
```
2.2> Edit /etc/named.rfc1912.zones and add the following:

```
#######################################################################
zone "saneri.com" IN {
        type slave;
        masters { 10.20.9.7; };
        file "slaves/saneri.com.zone";
};
zone "9.20.10.in-addr.arpa" IN {
        type slave;
        masters { 10.20.9.7; };
        file "slaves/10.20.9.zone";
};
```

Note: the slave's zone files are loaded from the master, so there is no need to create zone files on the slave.
2.3> Start the named service on the slave and check its status.

```
[root@ops-dns-02 ~]# systemctl start named.service
[root@ops-dns-02 ~]# systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2018-09-18 15:46:56 CST; 24min ago
  Process: 2140 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 2137 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 2142 (named)
   CGroup: /system.slice/named.service
           └─2142 /usr/sbin/named -u named -c /etc/named.conf

Sep 18 15:47:11 ops-dns-02 named[2142]: zone 9.20.10.in-addr.arpa/IN: Transfer started.
Sep 18 15:47:11 ops-dns-02 named[2142]: transfer of '9.20.10.in-addr.arpa/IN' from 10.20.9.7#53: connected using 10.20.9.8#45002
Sep 18 15:47:11 ops-dns-02 named[2142]: zone 9.20.10.in-addr.arpa/IN: transferred serial 2018030422
Sep 18 15:47:11 ops-dns-02 named[2142]: transfer of '9.20.10.in-addr.arpa/IN' from 10.20.9.7#53: Transfer completed: 1 mess...es/sec)
Sep 18 15:47:11 ops-dns-02 named[2142]: zone 9.20.10.in-addr.arpa/IN: sending notifies (serial 2018030422)
Sep 18 15:47:11 ops-dns-02 named[2142]: zone saneri.com/IN: Transfer started.
Sep 18 15:47:11 ops-dns-02 named[2142]: transfer of 'saneri.com/IN' from 10.20.9.7#53: connected using 10.20.9.8#51488
Sep 18 15:47:11 ops-dns-02 named[2142]: zone saneri.com/IN: transferred serial 2018030422
Sep 18 15:47:11 ops-dns-02 named[2142]: transfer of 'saneri.com/IN' from 10.20.9.7#53: Transfer completed: 1 messages, 9 rec...es/sec)
Sep 18 15:47:11 ops-dns-02 named[2142]: zone saneri.com/IN: sending notifies (serial 2018030422)
Hint: Some lines were ellipsized, use -l to show in full.
```

The status log shows that the zone files have been transferred to the slave.
2.4> Check and test the synchronisation
Look in /var/named/slaves/: two new files have appeared.

```
[root@ops-dns-02 ~]# cd /var/named/
[root@ops-dns-02 named]# ll
total 16
drwxr-x--- 7 root  named   61 Sep 18 15:20 chroot
drwxrwx--- 2 named named   23 Sep 18 15:30 data
drwxrwx--- 2 named named   31 Sep 18 15:38 dynamic
-rw-r----- 1 root  named 2281 May 22  2017 named.ca
-rw-r----- 1 root  named  152 Dec 15  2009 named.empty
-rw-r----- 1 root  named  152 Jun 21  2007 named.localhost
-rw-r----- 1 root  named  168 Dec 15  2009 named.loopback
drwxrwx--- 2 named named   48 Sep 18 15:47 slaves
[root@ops-dns-02 named]# ll slaves/
total 8
-rw-r--r-- 1 named named 357 Sep 18 15:47 10.20.9.zone
-rw-r--r-- 1 named named 394 Sep 18 15:47 saneri.com.zone
[root@ops-dns-02 named]#
```

Looking at their contents, the files are identical to the ones on the master DNS server, which shows that both were synchronised from the master automatically.
From now on, to add DNS records you only need to edit the forward zone file /var/named/saneri.com.zone and the reverse zone file /var/named/10.20.9.zone and bump the serial number (then reload named); the master will then push the zone files to the slave's /var/named/slaves directory automatically.
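The update step just described (and the serial-driven synchronisation explained at the top of the post) can be scripted. This is an added example, not code from the original post: it bumps the SOA serial in the page's YYYYMMDDNN scheme, re-checks and reloads the zone, and then compares the serial the master and the slave answer with. It assumes GNU sed (as on CentOS 7) and that named-checkzone, rndc and dig are present where they are called.

```shell
#!/bin/sh
# Added example (not from the original post): script the update step the post
# describes: bump the SOA serial, re-check the zone, reload named, then confirm the
# slave answers with the same serial. Assumes the page's YYYYMMDDNN serial scheme,
# GNU sed (as on CentOS 7) and BIND's named-checkzone/rndc/dig where they are called.

# Print the zone's current SOA serial: the first bare integer after the "SOA"
# token, with ";" comments stripped, so both one-line and "(" layouts work.
current_serial() {
    awk '{ sub(/;.*/, "") }
         { for (i = 1; i <= NF; i++) {
               if (!f) { if ($i == "SOA") f = 1; continue }
               if ($i ~ /^[0-9]+$/) { print $i; exit } } }' "$1"
}

# Rewrite the serial in place and print the new value. Same day: increment NN;
# new day: YYYYMMDD01; never go backwards, since slaves ignore a lower serial.
bump_serial() {
    file=$1
    old=$(current_serial "$file")
    [ -n "$old" ] || { echo "no SOA serial found in $file" >&2; return 1; }
    new=$(( $(date +%Y%m%d) * 100 + 1 ))
    [ "$new" -gt "$old" ] || new=$(( old + 1 ))
    # replace only the first whole-word occurrence (GNU sed 0,/re/ range)
    sed -i "0,/\b$old\b/ s/\b$old\b/$new/" "$file" || return 1
    echo "$new"
}

# Validate the zone file and reload just that zone (the reload the post calls for).
# The tools are optional so the functions above also work on a host without BIND.
reload_zone() {   # reload_zone ZONE FILE
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$1" "$2" >/dev/null || return 1
    fi
    if command -v rndc >/dev/null 2>&1; then
        rndc reload "$1"
    fi
}

# Ask master and slave for the SOA and compare the serial (3rd field of +short).
# A lasting mismatch means the transfer failed: check allow-transfer, the firewall
# and the named log lines shown in the troubleshooting section.
serial_matches() {   # serial_matches ZONE MASTER_IP SLAVE_IP
    m=$(dig +short SOA "$1" "@$2" | awk '{ print $3 }')
    s=$(dig +short SOA "$1" "@$3" | awk '{ print $3 }')
    echo "master=$m slave=$s"
    [ -n "$m" ] && [ "$m" = "$s" ]
}
# Master usage: bump_serial /var/named/saneri.com.zone && reload_zone saneri.com /var/named/saneri.com.zone
```

Run serial_matches a little after the reload (the slave also re-checks on NOTIFY); if it keeps reporting different serials, the transfer itself is failing and the slave's /var/log/messages will say why.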
2.5> Troubleshooting file synchronisation problems.
1. The master's zone files do not arrive in the slave's slaves directory, which stays empty. Look at the log:

```
[root@ops-dns-02 named]# tail -f /var/log/messages
Sep 18 15:41:36 localhost named[11919]: command channel listening on ::1#953
Sep 18 15:41:36 localhost named[11919]: managed-keys-zone: loaded serial 2
Sep 18 15:41:36 localhost named[11919]: zone 0.in-addr.arpa/IN: loaded serial 0
Sep 18 15:41:36 localhost named[11919]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Sep 18 15:41:36 localhost named[11919]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Sep 18 15:41:36 localhost named[11919]: zone localhost/IN: loaded serial 0
Sep 18 15:41:36 localhost named[11919]: zone localhost.localdomain/IN: loaded serial 0
Sep 18 15:41:36 localhost named[11919]: all zones loaded
Sep 18 15:41:36 localhost named[11919]: running
Sep 18 15:41:36 localhost systemd: Started Berkeley Internet Name Domain (DNS).
Sep 18 15:43:06 localhost named[11919]: zone saneri.com/IN: refresh: retry limit for master 10.20.9.7#53 exceeded (source 0.0.0.0#0)
Sep 18 15:43:06 localhost named[11919]: zone saneri.com/IN: Transfer started.
Sep 18 15:43:06 localhost named[11919]: transfer of 'saneri.com/IN' from 10.20.9.7#53: failed to connect: host unreachable
Sep 18 15:43:06 localhost named[11919]: transfer of 'saneri.com/IN' from 10.20.9.7#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec)
Sep 18 15:43:06 localhost named[11919]: zone 9.20.10.in-addr.arpa/IN: refresh: retry limit for master 10.20.9.7#53 exceeded (source 0.0.0.0#0)
Sep 18 15:43:19 localhost kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
Sep 18 15:44:36 localhost named[11919]: zone saneri.com/IN: refresh: retry limit for master 10.20.9.7#53 exceeded (source 0.0.0.0#0)
Sep 18 15:44:37 localhost named[11919]: zone 9.20.10.in-addr.arpa/IN: refresh: retry limit for master 10.20.9.7#53 exceeded (source 0.0.0.0#0)
Sep 18 15:44:37 localhost named[11919]: zone 9.20.10.in-addr.arpa/IN: refresh: skipping zone transfer as master 10.20.9.7#53 (source 0.0.0.0#0) is unreachable (cached)
Sep 18 15:44:41 localhost named[11919]: zone saneri.com/IN: refresh: skipping zone transfer as master 10.20.9.7#53 (source 0.0.0.0#0) is unreachable (cached)
Sep 18 15:45:03 localhost systemd: Reloading.
```

The slave cannot connect to the master ("failed to connect: host unreachable"), which points to iptables and SELinux. Check that both are turned off, or correctly configured, on the master and the slave, then restart.
2.6> Test the slave DNS server.
Forward lookup:

```
[root@ops-dns-02 slaves]# dig -t A www.saneri.com @10.20.9.8

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -t A www.saneri.com @10.20.9.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17466
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.saneri.com.                IN      A

;; ANSWER SECTION:
www.saneri.com.         86400   IN      A       10.20.9.7

;; AUTHORITY SECTION:
saneri.com.             86400   IN      NS      dns2.saneri.com.
saneri.com.             86400   IN      NS      dns1.saneri.com.

;; ADDITIONAL SECTION:
dns1.saneri.com.        86400   IN      A       10.20.9.7
dns2.saneri.com.        86400   IN      A       10.20.9.8

;; Query time: 0 msec
;; SERVER: 10.20.9.8#53(10.20.9.8)
;; WHEN: Tue Sep 18 15:57:21 CST 2018
;; MSG SIZE  rcvd: 128

[root@ops-dns-02 slaves]#
```

Reverse lookup:

```
[root@ops-dns-02 ~]# dig -x 10.20.9.7 @10.20.9.8

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -x 10.20.9.7 @10.20.9.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58389
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;7.9.20.10.in-addr.arpa.        IN      PTR

;; ANSWER SECTION:
7.9.20.10.in-addr.arpa. 86400   IN      PTR     mail.saneri.com.
7.9.20.10.in-addr.arpa. 86400   IN      PTR     dns1.saneri.com.
7.9.20.10.in-addr.arpa. 86400   IN      PTR     www.saneri.com.

;; AUTHORITY SECTION:
9.20.10.in-addr.arpa.   86400   IN      NS      dns2.saneri.com.
9.20.10.in-addr.arpa.   86400   IN      NS      dns1.saneri.com.

;; ADDITIONAL SECTION:
dns1.saneri.com.        86400   IN      A       10.20.9.7
dns2.saneri.com.        86400   IN      A       10.20.9.8

;; Query time: 0 msec
;; SERVER: 10.20.9.8#53(10.20.9.8)
;; WHEN: Tue Sep 18 16:21:26 CST 2018
;; MSG SIZE  rcvd: 181

[root@ops-dns-02 ~]#
```
The dig command
dig is the usual DNS lookup tool and can be used to test whether the name service is working correctly.
Syntax
dig [options] [parameters]
Options
@<server>: the name server to send the query to;
-b <address>: on a host with several IP addresses, the local address from which to send the query;
-f <file>: run dig in batch mode, reading the queries to perform from the named file;
-p <port>: the port number the name server listens on;
-t <type>: the DNS record type to query;
-x <address>: perform a reverse lookup;
-4: use IPv4;
-6: use IPv6;
-h: show the command's help.
Reference: https://blog.csdn.net/fanren224/article/details/79693801