DNS (6) -- Implementing DNS subdomains
1. DNS subdomains
A subdomain is a domain beneath the parent domain. When queries for one subdomain become too heavy, the parent zone's DNS server can hand authority for that subdomain to a dedicated server by publishing NS records for it; this is called subdomain delegation (or subdomain authorization). From then on the parent only answers with a referral, and the subdomain server gives the authoritative answers.
1.1 Lab environment for the delegation
- Parent domain: xuzhichao.com
- Master DNS server: hostname dns01; address 192.168.20.70
- Slave DNS server: hostname dns02; address 192.168.20.71
- Subdomain: linux.xuzhichao.com
- DNS server: hostname dns-son; address 192.168.20.72
1.2 Implementing subdomain delegation
1.2.1 Parent-domain DNS server configuration
- The parent zone's master and slave carry identical zone data; the master's configuration is used for illustration:

```
[root@dns01 named]# cat /etc/named.conf
options {
        listen-on port 53 { localhost; };
        listen-on-v6 port 53 { localhost; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };
        recursion yes;
        allow-recursion { 192.168.20.0/24; 192.168.50.0/24; };
        allow-transfer { 192.168.20.71; };
        also-notify { 192.168.20.71; };
        dnssec-enable yes;
        dnssec-validation yes;
        bindkeys-file "/etc/named.root.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named.xuzhichao.com.zone";    # zone configuration file

[root@dns01 named]# cat /etc/named.xuzhichao.com.zone
zone "xuzhichao.com" IN {
        type master;
        file "xuzhichao.com.zone";
        notify yes;        <== send NOTIFY messages for this zone's data
};
zone "20.168.192.in-addr.arpa" IN {
        type master;
        file "20.168.192.in-addr.arpa.zone";
        notify yes;        <== send NOTIFY messages for this zone's data
};
```

  Note that `allow-query { any; }` is acceptable here only because `allow-recursion` limits recursive service to the two internal subnets, and `allow-transfer` limits zone transfers to the slave. `dnssec-enable` is deprecated in newer BIND releases and can be dropped; `dnssec-validation yes` is the setting that matters.
- Zone data file on the master:

```
[root@dns01 named]# cat /var/named/xuzhichao.com.zone
$TTL 86400
xuzhichao.com.  IN SOA  ns1.xuzhichao.com. mail.xuzhichao.com. (
                        2021071603
                        10800
                        900
                        604800
                        86400 )
xuzhichao.com.  IN NS   ns1.xuzhichao.com.
xuzhichao.com.  IN NS   ns2.xuzhichao.com.
ns1             IN A    192.168.20.70
ns2             IN A    192.168.20.71

;service names
xuzhichao.com.      IN MX 10 mx1.xuzhichao.com.
mx1                 IN A     192.168.20.11
www.xuzhichao.com.  IN A     192.168.20.31
www.xuzhichao.com.  IN A     192.168.20.32
web.xuzhichao.com.  IN CNAME www.xuzhichao.com.

;host names
nginx02.xuzhichao.com.    IN A 192.168.20.22
nginx03.xuzhichao.com.    IN A 192.168.20.23
nginx-lb01.xuzhichao.com. IN A 192.168.20.19
nginx-lb02.xuzhichao.com. IN A 192.168.20.20
apache01.xuzhichao.com.   IN A 192.168.20.21
lvs01.xuzhichao.com.      IN A 192.168.20.31
lvs02.xuzhichao.com.      IN A 192.168.20.32
mysql01.xuzhichao.com.    IN A 192.168.20.50
redis01.xuzhichao.com.    IN A 192.168.20.61
nfs01.xuzhichao.com.      IN A 192.168.20.30
dns01.xuzhichao.com.      IN A 192.168.20.70
dns02.xuzhichao.com.      IN A 192.168.20.71

;subdomain delegation: an NS record per subdomain name server plus a glue A record,
;because the name server's name lies inside the zone being delegated.
;If the subdomain also runs a master/slave pair, add the second NS and its glue.
linux.xuzhichao.com.      IN NS ns1.linux.xuzhichao.com.
;linux.xuzhichao.com.     IN NS ns2.linux.xuzhichao.com.
ns1.linux.xuzhichao.com.  IN A  192.168.20.72
;ns2.linux.xuzhichao.com. IN A  192.168.20.73
```
- Check the configuration and reload the zones:

```
# check the configuration files
[root@dns01 named]# named-checkconf
[root@dns01 named]# named-checkzone xuzhichao.com /var/named/xuzhichao.com.zone
zone xuzhichao.com/IN: linux.xuzhichao.com/NS 'ns1.linux.xuzhichao.com' (out of zone) has no addresses records (A or AAAA)    <== this warning can be ignored
zone xuzhichao.com/IN: loaded serial 2021071603
OK
# reload the zones without restarting the daemon
[root@dns01 named]# rndc reload
server reload successful
```

  Names below the delegation cut are out of zone for named-checkzone, which verifies them with a DNS lookup rather than from the glue record; the lookup fails until the subdomain server is up, so the warning is expected at this point. The glue A record is what the parent hands out in referrals.
1.2.2 Subdomain DNS server configuration
- Configuration file on the subdomain DNS server:

```
[root@dns-son ~]# cat /etc/named.conf
options {
        listen-on port 53 { localhost; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
        bindkeys-file "/etc/named.root.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
zone "linux.xuzhichao.com" IN {        <== newly added zone stanza
        type master;
        file "linux.xuzhichao.com.zone";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
```

  Unlike the parent, this server has `recursion yes` and `allow-query { any; }` but no `allow-recursion`, so it will recurse for anyone who can reach port 53: an open resolver. Add `allow-recursion { 192.168.20.0/24; };` (or restrict `allow-query`) before exposing it beyond the lab.
- Zone data file on the subdomain DNS server:

```
[root@dns-son ~]# cat /var/named/linux.xuzhichao.com.zone
$TTL 86400
@       IN SOA  ns1.linux.xuzhichao.com. mail.linux.xuzhichao.com. (
                2021071603
                10800
                900
                604800
                86400 )
@       IN NS   ns1.linux.xuzhichao.com.
ns1     IN A    192.168.20.72
@       IN MX 10 mail.linux.xuzhichao.com.
mail    IN A    192.168.20.11
www     IN A    1.1.1.1
web     IN CNAME www
db01    IN A    2.2.2.2
```
- Check the configuration and start bind:

```
[root@dns-son ~]# named-checkconf
[root@dns-son ~]# named-checkzone linux.xuzhichao.com /var/named/linux.xuzhichao.com.zone
zone linux.xuzhichao.com/IN: loaded serial 2021071603
OK
[root@dns-son ~]# systemctl start named.service
```
- Client test against the subdomain server:

```
[root@xuzhichao ~]# dig www.linux.xuzhichao.com @192.168.20.72 +short
1.1.1.1
[root@xuzhichao ~]# dig web.linux.xuzhichao.com @192.168.20.72 +short
www.linux.xuzhichao.com.
1.1.1.1
[root@xuzhichao ~]# dig db01.linux.xuzhichao.com @192.168.20.72 +short
2.2.2.2
```

  Querying the parent (`@192.168.20.70`) for the same names should also succeed: the parent follows its own NS and glue records to 192.168.20.72, since the client is inside its `allow-recursion` range.
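The delegation above works only if three things agree: the NS set the parent publishes for linux.xuzhichao.com, the NS set at the child's apex, and the glue address in the parent versus the child's own A record for ns1. Mismatches produce lame delegations or referrals to the wrong host, and named-checkzone does not catch them because it sees only one zone at a time. The following is an added example (not part of the original post, not a BIND tool) that performs that check offline from the two zone files, with a minimal parser for the record syntax used on this page; the embedded zone texts are constructed from the records shown above, trimmed to the delegation-relevant ones, and the second scenario (renumbering ns1 in the child without updating the parent's glue) is hypothetical.

```python
"""Offline delegation consistency check between a parent zone and a delegated child zone.

Added example, not from the original post. Parses the zone-file subset used on this
page (no $ORIGIN/$INCLUDE, no blank-owner continuation lines) with the standard
library only.
"""
import re


def qualify(name, origin):
    """Turn an owner or target name into a fully qualified, lowercase name."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin


def parse_zone(text, origin):
    """Return (owner, type, rdata) tuples; handles $TTL, ';' comments, optional TTL/class
    columns, a parenthesised multi-line SOA, and relative or absolute owner names."""
    origin = origin.rstrip(".").lower() + "."
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        owner, rest = qualify(fields[0], origin), fields[1:]
        if rest and rest[0].isdigit():          # optional TTL column
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":    # optional class column
            rest = rest[1:]
        rtype, rdata = rest[0].upper(), rest[1:]
        if rtype in ("NS", "CNAME"):
            rdata = qualify(rdata[0], origin)
        elif rtype == "MX":
            rdata = (int(rdata[0]), qualify(rdata[1], origin))
        elif rtype == "SOA":
            rdata = (qualify(rdata[0], origin), qualify(rdata[1], origin)) + tuple(int(x) for x in rdata[2:])
        else:
            rdata = " ".join(rdata)
        records.append((owner, rtype, rdata))
    return records


def check_delegation(parent, child, child_zone):
    """Return a list of problems; an empty list means the delegation is consistent."""
    child_zone = child_zone.rstrip(".").lower() + "."
    problems = []
    parent_ns = {r for o, t, r in parent if o == child_zone and t == "NS"}
    child_ns = {r for o, t, r in child if o == child_zone and t == "NS"}
    if not parent_ns:
        problems.append("parent carries no NS records for %s (no delegation)" % child_zone)
    elif parent_ns != child_ns:
        problems.append("NS set differs: parent %s, child apex %s" % (sorted(parent_ns), sorted(child_ns)))
    for ns in sorted(parent_ns):
        if not ns.endswith("." + child_zone):
            continue                              # out-of-bailiwick name server needs no glue
        glue = {r for o, t, r in parent if o == ns and t == "A"}
        child_a = {r for o, t, r in child if o == ns and t == "A"}
        if not glue:
            problems.append("missing glue A record for %s in parent" % ns)
        elif glue != child_a:
            problems.append("glue for %s is %s but child says %s" % (ns, sorted(glue), sorted(child_a)))
    return problems


# Constructed inputs: the delegation-relevant records of the two zone files shown above.
PARENT_ZONE = """\
$TTL 86400
xuzhichao.com.  IN SOA ns1.xuzhichao.com. mail.xuzhichao.com. (
                2021071603 10800 900 604800 86400 )
xuzhichao.com.  IN NS ns1.xuzhichao.com.
xuzhichao.com.  IN NS ns2.xuzhichao.com.
ns1             IN A  192.168.20.70
ns2             IN A  192.168.20.71
www.xuzhichao.com. IN A 192.168.20.31
; subdomain delegation: NS plus glue for the in-bailiwick name server
linux.xuzhichao.com.     IN NS ns1.linux.xuzhichao.com.
ns1.linux.xuzhichao.com. IN A  192.168.20.72
"""

CHILD_ZONE = """\
$TTL 86400
@    IN SOA ns1.linux.xuzhichao.com. mail.linux.xuzhichao.com. (
             2021071603 10800 900 604800 86400 )
@    IN NS ns1.linux.xuzhichao.com.
ns1  IN A  192.168.20.72
www  IN A  1.1.1.1
web  IN CNAME www
"""


def run_checks():
    """Check the page's delegation, then a hypothetical child where ns1 was renumbered
    to 192.168.20.73 without updating the parent's glue."""
    parent = parse_zone(PARENT_ZONE, "xuzhichao.com")
    child = parse_zone(CHILD_ZONE, "linux.xuzhichao.com")
    stale = parse_zone(CHILD_ZONE.replace("192.168.20.72", "192.168.20.73"), "linux.xuzhichao.com")
    return (check_delegation(parent, child, "linux.xuzhichao.com"),
            check_delegation(parent, stale, "linux.xuzhichao.com"))


if __name__ == "__main__":
    for label, probs in zip(("as configured", "after renumbering ns1"), run_checks()):
        print(label + ":", "consistent" if not probs else "; ".join(probs))
```

Run it against the real files by replacing the two embedded strings with `open("/var/named/xuzhichao.com.zone").read()` on dns01 and the child file from dns-son; a stale glue record is reported even though both zone files individually pass named-checkzone.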
1.3 DNS forwarding zones
1.3.1 Overview of forwarding zones
- Problem with the setup above:
  The parent and child zones are maintained independently and know nothing about each other's data, so when the subdomain server needs a name in the parent domain it does not ask the parent's servers directly for the authoritative record. Instead it resolves the name the standard way:
  - first it asks a root server;
  - then the DNS servers for com;
  - then the DNS servers for xuzhichao.com, which return the record.
  This path is dictated by how DNS resolution works, and it only succeeds if the chain from the root actually leads to the parent's servers; for a zone served privately on 192.168.20.70/71 it does not. The fix is to tell the child server explicitly where the parent's servers are, so that it sends those queries straight to them instead of starting from the root: configure DNS forwarding.
- Forwarding zones
  Forwarding hands a query to another server to resolve on this server's behalf. The server being forwarded to must allow recursion for the forwarding server; in this lab the parent's `allow-recursion { 192.168.20.0/24; ... }` already covers dns-son.
1.3.2 Types of forwarding
- Forwarding comes in two kinds: global forwarding and zone forwarding.
- Global forwarding
  Every query for a zone this server is not authoritative for is forwarded to the configured servers. Format (placed directly in /etc/named.conf):

```
options {
        forward first|only;     <== first: if the forwarders give no answer, resolve iteratively from the root yourself;
                                    only: rely on the forwarders alone and return failure if they give no answer
        forwarders { ip; };     <== where to forward; several addresses may be listed
};
```

  `forward first` silently falls back to iteration when a forwarder is down, which can hide a broken forwarder for a long time; `forward only` fails loudly and is the safer choice when the forwarders are the only servers that can answer, as here.
- Zone forwarding
  Forwards only queries for a specific zone, e.g. xuzhichao.com, and leaves everything else alone. A zone-level forwarding statement takes precedence over the global one for that zone. Format (its own zone stanza):

```
zone "ZONE_NAME" IN {
        type forward;
        forward first|only;
        forwarders { ip; };
};
```
1.3.3 Implementing the forwarding zone
- On the subdomain DNS server, add a forwarding stanza for the parent domain (only the added stanza is shown):

```
[root@dns-son ~]# cat /etc/named.conf
zone "xuzhichao.com" IN {
        type forward;
        forward only;
        forwarders { 192.168.20.70; 192.168.20.71; };
};
[root@dns-son ~]# rndc reload
server reload successful
```
- From the client, resolve a parent-domain name through the subdomain server:

```
[root@xuzhichao ~]# dig www.xuzhichao.com @192.168.20.72 +short
192.168.20.32
192.168.20.31
```

  Both addresses come back because the parent zone publishes two A records for www; the order may vary between queries. The answer arrives via dns-son, which forwarded the query to 192.168.20.70/71 rather than iterating from the root.
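To make the precedence rules in 1.3.2 concrete, here is an added example (not from the original post, not BIND's own code) that reads the small named.conf subset used on this page and reports which path a query takes on dns-son once the forward zone from 1.3.3 is added: its own authoritative zone, the zone-level forwarders, the global forwarders, or iteration from the root hints. It also flags the open-resolver condition (`recursion yes` with `allow-query { any; }` and no `allow-recursion`, which is how dns-son is configured in 1.2.2). The embedded configuration is constructed from the dns-son stanzas shown above with the boilerplate paths omitted; the hardened variant with `allow-recursion { 192.168.20.0/24; }` is a suggested change, not something on the page.

```python
"""Which path does a query take on a BIND server: local zone, zone forward, global forward, or root?

Added example (not from the original post, not BIND's code): parses the named.conf
subset used on this page with regular expressions and applies the precedence rules
from section 1.3.2. It is a reading aid, not a replacement for named-checkconf.
"""
import re


def split_stanzas(conf):
    """Yield (kind, zone_name, body) for every top-level options/zone stanza."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)     # block comments
    conf = re.sub(r"(//|#)[^\n]*", "", conf)               # line comments
    for m in re.finditer(r'(?<![\w."])(options|zone)\s+(?:"([^"]+)"\s+)?(?:IN\s+)?\{', conf):
        depth, i = 1, m.end()
        while depth:                                        # find the matching closing brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        name = m.group(2).lower().rstrip(".") + "." if m.group(2) else None
        yield m.group(1), name, conf[m.end():i - 1]


def field(body, key):
    """Value of a 'key value;' statement, e.g. 'type forward;' -> 'forward'."""
    m = re.search(r"(?<![\w-])%s\s+([^;{]+);" % re.escape(key), body)
    return m.group(1).strip() if m else None


def block(body, key):
    """Items of a 'key { a; b; };' statement as a list, or None if the statement is absent."""
    m = re.search(r"(?<![\w-])%s\s*\{([^}]*)\}" % re.escape(key), body)
    return [x.strip() for x in m.group(1).split(";") if x.strip()] if m else None


def load(conf):
    """Return (options, zones) where zones maps a canonical zone name to its settings."""
    options, zones = {}, {}
    for kind, name, body in split_stanzas(conf):
        info = {"type": field(body, "type"), "forward": field(body, "forward"),
                "forwarders": block(body, "forwarders")}
        if kind == "options":
            options = dict(info, recursion=field(body, "recursion"),
                           allow_query=block(body, "allow-query"),
                           allow_recursion=block(body, "allow-recursion"))
        else:
            zones[name] = info
    return options, zones


def resolution_path(qname, options, zones):
    """Longest-suffix match of qname against the configured zones, then BIND's precedence:
    authoritative zone > zone forward > global forward > root hints."""
    labels = (qname.lower().rstrip(".") + ".").split(".")
    exempt = False
    for i in range(len(labels) - 1):
        name = ".".join(labels[i:])
        z = zones.get(name)
        if not z:
            continue
        if z["type"] in ("master", "slave", "primary", "secondary"):
            return {"via": "authoritative", "zone": name}
        if z["type"] == "forward":
            if not z["forwarders"]:      # a forward zone with no forwarders exempts the subtree
                exempt = True
                break
            return {"via": "zone-forward", "zone": name, "forwarders": z["forwarders"],
                    "fallback": (z["forward"] or "first") == "first"}
    if options.get("forwarders") and not exempt:
        return {"via": "global-forward", "forwarders": options["forwarders"],
                "fallback": (options.get("forward") or "first") == "first"}
    if zones.get(".", {}).get("type") == "hint":
        return {"via": "root-hints"}
    return {"via": "none"}


def open_resolver(options):
    """True when anyone may recurse: recursion on and the effective recursion ACL is 'any'.
    Simplification: allow-recursion falls back to allow-query here (allow-query-cache is not parsed)."""
    if (options.get("recursion") or "yes").lower() != "yes":
        return False
    acl = options.get("allow_recursion") or options.get("allow_query") or ["localnets", "localhost"]
    return "any" in [a.lower() for a in acl]


# Constructed from the dns-son stanzas shown in 1.2.2 and 1.3.3; boilerplate paths omitted.
DNS_SON_CONF = """\
options {
    listen-on port 53 { localhost; };
    allow-query { any; };
    recursion yes;
};
zone "." IN { type hint; file "named.ca"; };
zone "linux.xuzhichao.com" IN {
    type master;
    file "linux.xuzhichao.com.zone";
};
zone "xuzhichao.com" IN {
    type forward;
    forward only;
    forwarders { 192.168.20.70; 192.168.20.71; };
};
"""

if __name__ == "__main__":
    opts, zones = load(DNS_SON_CONF)
    for q in ("www.linux.xuzhichao.com", "www.xuzhichao.com", "www.example.org"):
        print(q, "->", resolution_path(q, opts, zones))
    print("open resolver:", open_resolver(opts))
```

The longest-suffix loop is what makes a zone-level `forward` beat a global one: `www.xuzhichao.com` matches the forward zone before any global `forwarders` are consulted, while `www.linux.xuzhichao.com` stops at the authoritative zone and is never forwarded at all. Feed it the full `/etc/named.conf` from dns-son to confirm the same three outcomes on the real file.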