DNS(6) -- DNS子域实现



1. DNS子域

子域即为主域下的一个子域名,当一个子域的流量过大时,主域的DNS服务器可以把一个子域的查询授权给一台专门的子域服务器,称为子域授权或子域委派。

1.1 子域授权环境说明

  • 父域:xuzhichao.com
    • 主DNS服务器:主机名:dns01;地址:192.168.20.70;
    • 从DNS服务器:主机名:dns02;地址:192.168.20.71;
  • 子域:linux.xuzhichao.com
    • DNS服务器:主机名:dns-son;地址:192.168.20.72;

1.2 子域授权实现

1.2.1 主域DNS服务器配置

  • 主域的主从DNS数据解析文件保持一致,以主DNS配置文件进行说明:

    [root@dns01 named]# cat /etc/named.conf 
    options {
    	listen-on port 53 { localhost; };
    	listen-on-v6 port 53 { localhost; };
    	directory 	"/var/named";
    	dump-file 	"/var/named/data/cache_dump.db";
    	statistics-file "/var/named/data/named_stats.txt";
    	memstatistics-file "/var/named/data/named_mem_stats.txt";
    	recursing-file  "/var/named/data/named.recursing";
    	secroots-file   "/var/named/data/named.secroots";
    	allow-query     { any; };
    	recursion yes;
    	allow-recursion { 192.168.20.0/24; 192.168.50.0/24; };
    
    	allow-transfer {192.168.20.71;};     
    	also-notify {192.168.20.71;};		 
    
    	dnssec-enable yes;
    	dnssec-validation yes;
    	bindkeys-file "/etc/named.root.key";
    	managed-keys-directory "/var/named/dynamic";
    	pid-file "/run/named/named.pid";
    	session-keyfile "/run/named/session.key";
    };
    
    logging {
            channel default_debug {
                    file "data/named.run";
                    severity dynamic;
            };
    };
    
    zone "." IN {
    	type hint;
    	file "named.ca";
    };
    
    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";
    include "/etc/named.xuzhichao.com.zone";
    
    #区域配置文件
    [root@dns01 named]# cat /etc/named.xuzhichao.com.zone 
    zone "xuzhichao.com" IN {
    		type master;
    		file "xuzhichao.com.zone";
    		notify yes;    <==允许本区域数据解析文件进行通告
    };
    
    zone "20.168.192.in-addr.arpa" IN {
    		type master;
    		file "20.168.192.in-addr.arpa.zone";
    		notify yes;     <==允许本区域数据解析文件进行通告
    };
    
  • 主DNS的区域数据库解析文件如下:

    [root@dns01 named]# cat /var/named/xuzhichao.com.zone 
    $TTL 86400
    
    xuzhichao.com.	IN	SOA	ns1.xuzhichao.com.	mail.xuzhichao.com. (
    2021071603
    10800
    900
    604800
    86400
    )
    
    xuzhichao.com.	IN	NS	ns1.xuzhichao.com.
    xuzhichao.com.	IN	NS	ns2.xuzhichao.com.
    
    ns1		IN	A	192.168.20.70
    ns2		IN	A	192.168.20.71
    
    ;业务域
    
    xuzhichao.com.	IN	MX	 10 mx1.xuzhichao.com.
    mx1		IN	A	 192.168.20.11
    
    www.xuzhichao.com.	IN	A	192.168.20.31
    www.xuzhichao.com.	IN	A	192.168.20.32
    
    web.xuzhichao.com.	IN	CNAME	www.xuzhichao.com.
    
    ;主机域
    
    nginx02.xuzhichao.com.	IN	A	192.168.20.22
    ngxin03.xuzhichao.com.	IN	A	192.168.20.23
    
    nginx-lb01.xuzhichao.com.	IN	A	192.168.20.19
    nginx-lb02.xuzhichao.com.	IN	A	192.168.20.20
    
    apache01.xuzhichao.com.		IN	A	192.168.20.21
    
    lvs01.xuzhichao.com.	IN	A	192.168.20.31
    lvs02.xuzhichao.com.	IN	A	192.168.20.32
    
    mysql01.xuzhichao.com.	IN	A	192.168.20.50
    
    redis01.xuzhichao.com.	IN	A	192.168.20.61
    
    nfs01.xuzhichao.com.	IN	A	192.168.20.30
    
    dns01.xuzhichao.com.	IN	A	192.168.20.70
    dns02.xuzhichao.com.	IN	A	192.168.20.71
    
    ;子域授权相关配置(区域数据文件中的注释以“;”开头,而非“#”),如果子域也存在主从DNS服务器,则需要写两条NS记录,分别指向子域的主从DNS。
    ;子域授权
    linux.xuzhichao.com.	IN	NS	ns1.linux.xuzhichao.com.
    ;linux.xuzhichao.com.	IN	NS	ns2.linux.xuzhichao.com.
    
    ns1.linux.xuzhichao.com.	IN	A	192.168.20.72
    ;ns2.linux.xuzhichao.com.	IN	A	192.168.20.73	
    
  • 重启bind服务:

    #检查配置文件:
    [root@dns01 named]# named-checkconf 
    [root@dns01 named]# named-checkzone xuzhichao.com /var/named/xuzhichao.com.zone 
    zone xuzhichao.com/IN: linux.xuzhichao.com/NS 'ns1.linux.xuzhichao.com' (out of zone) has no addresses records (A or AAAA)   <==忽略报错;
    zone xuzhichao.com/IN: loaded serial 2021071603
    OK
    
    #重新加载bind配置(rndc reload 只重载配置与区域数据,不重启进程):
    [root@dns01 named]# rndc reload
    server reload successful	
    

1.2.2 子域DNS服务器配置

  • 子域DNS配置文件:

    [root@dns-son ~]# cat /etc/named.conf
    options {
    	listen-on port 53 { localhost; };
    	listen-on-v6 port 53 { ::1; };
    	directory 	"/var/named";
    	dump-file 	"/var/named/data/cache_dump.db";
    	statistics-file "/var/named/data/named_stats.txt";
    	memstatistics-file "/var/named/data/named_mem_stats.txt";
    	recursing-file  "/var/named/data/named.recursing";
    	secroots-file   "/var/named/data/named.secroots";
    	allow-query     { any; };
    	recursion yes;
    	dnssec-enable yes;
    	dnssec-validation yes;
    
    	bindkeys-file "/etc/named.root.key";
    
    	managed-keys-directory "/var/named/dynamic";
    
    	pid-file "/run/named/named.pid";
    	session-keyfile "/run/named/session.key";
    };
    
    logging {
            channel default_debug {
                    file "data/named.run";
                    severity dynamic;
            };
    };
    
    zone "." IN {
    	type hint;
    	file "named.ca";
    };
    
    zone "linux.xuzhichao.com" IN {     <==新增区域配置段
    	type master;
    	file "linux.xuzhichao.com.zone";
    };
    
    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";
    
  • 子域DNS区域数据库解析文件:

    [root@dns-son ~]# cat /var/named/linux.xuzhichao.com.zone
    $TTL 86400
    
    @	IN	SOA	ns1.linux.xuzhichao.com.	mail.linux.xuzhichao.com. (
    2021071603
    10800
    900
    604800
    86400
    )
    
    @	IN	NS	ns1.linux.xuzhichao.com.
    ns1	IN	A	192.168.20.72
    
    @	IN	MX	10 mail.linux.xuzhichao.com.
    mail	IN	A	192.168.20.11
    
    www	IN	A	1.1.1.1
    web	IN	CNAME	www
    
    db01	IN	A	2.2.2.2
    
  • 启动bind服务:

    [root@dns-son ~]# named-checkconf 
    [root@dns-son ~]# named-checkzone linux.xuzhichao.com /var/named/linux.xuzhichao.com.zone 
    zone linux.xuzhichao.com/IN: loaded serial 2021071603
    OK
    [root@dns-son ~]# systemctl start named.service 
    
  • 客户端测试:

    [root@xuzhichao ~]# dig www.linux.xuzhichao.com @192.168.20.72 +short
    1.1.1.1
    [root@xuzhichao ~]# dig web.linux.xuzhichao.com @192.168.20.72 +short
    www.linux.xuzhichao.com.
    1.1.1.1
    [root@xuzhichao ~]# dig db01.linux.xuzhichao.com @192.168.20.72 +short
    2.2.2.2
    

1.3 DNS转发域

1.3.1 DNS转发域概述

  • 以上场景中子域存在问题:

    由于父域与子域互相维护不同的区域配置,它们之间并不存在任何的联系,所以子域在解析父域的域名时,它并不会直接通过父域来获取权威的解析记录,而是按照以下步骤查询:

    • 第一步:先查询根域;
    • 第二步:寻找 com 域对应的 DNS 服务器;
    • 第三步:寻找 xuzhichao.com 域对应的 DNS 服务器,而后获取对应的解析记录;

    这种查找模式是由 DNS 的机制所决定的;

    解决的方法:明确告诉子域的DNS服务器到父域的DNS服务器进行查询解析,而无需从根域开始查找;(需要配置 DNS 的转发)

  • 转发域

    转发指的是将域名查询请求转至某一台指定的服务器去解析(被转发的服务器必须允许为当前服务器做递归查询)。本例中父域DNS的 allow-recursion 已包含 192.168.20.0/24,子域服务器 192.168.20.72 在该范围内,因此满足此条件。

1.3.2 转发域的分类

  • 转发分为两类,全局转发和区域转发

    • 全局转发

      对非本机所负责解析区域的请求,全转发给指定的服务器。

      配置格式为

      #直接放在/etc/named.conf文件的options段中
      options {
      	forward first|only;     <==first表示转发服务器如果得不到结果,会自己去互联网进行迭代查询;only表示只转发请求,无论是否得到结果都不再自行查询
      	forwarders { ip;};      <==表示转发给谁,可以有多台
      };
      
    • 区域转发

      仅转发对特定区域的请求,比如只转发xuzhichao.com域的请求,其它的不管;区域转发的优先级比全局转发高。

      设置格式为:(需要放在具体的域中)

      zone "ZONE_NAME" IN {
      	type forward;
      	forward first|only;
      	forwarders { ip;};
      };
      

1.3.3 DNS转发域实现

  • 在子域的DNS服务器的/etc/named.conf中增加指向父域的转发区域配置:

    [root@dns-son ~]# cat /etc/named.conf
    zone "xuzhichao.com" IN {
    	type forward;
    	forward only;
    	forwarders { 192.168.20.70; 192.168.20.71; };
    };
    
    [root@dns-son ~]# rndc reload
    server reload successful
    
  • 客户端使用子域服务器解析父域的域名:

    [root@xuzhichao ~]# dig www.xuzhichao.com @192.168.20.72 +short
    192.168.20.32
    192.168.20.31
    