内网dns服务部署以及主从dns配置
安装配置内网 bind主dns服务
一、环境说明
10.10.169.141 作为主dns服务
10.10.131.111 作为备dns服务
10.10.100.47 作为单独的内网其他的测试dns生效的服务器
2台dns服务器要关闭iptables,或者iptables放行953和53端口(53端口需同时放行TCP和UDP,主从之间的区域传送走TCP;953是rndc控制端口,一般只需本机访问,不必对内网放行)
二、安装和配置主dns服务
**1、首先安装bind9**
# BIND server, its libraries, and the client tools (dig, nslookup, host) used for verification below
yum install -y bind bind-utils bind-libs
+++++++++++++++++++++++++++++++++++
2、部署bind主DNS
主DNS服务器上创建named用户
创建rndc key
伪造数据,便于生成key
生成key
建立软链
手动创建 named.conf
+++++++++++++++++++++++++++++++++
3、主dns配置文件参数介绍:
vim /etc/named.conf
抛去//注释后的文件内容:
[root@vpn soft]# egrep -vi "^//|^$" /etc/named.conf
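options {
    listen-on port 53 { any; }; // IPv4 listener; the default 127.0.0.1 is changed to "any" so every address on this host serves DNS
    listen-on-v6 port 53 { ::1; }; // IPv6 listener
    directory "/var/named"; // directory that holds the zone files
    dump-file "/var/named/data/cache_dump.db"; // cache dump location
    statistics-file "/var/named/data/named_stats.txt"; // statistics file
    memstatistics-file "/var/named/data/named_mem_stats.txt"; // memory-usage statistics
    recursing-file "/var/named/data/named.recursing";
    secroots-file "/var/named/data/named.secroots";
    allow-query { any; }; // default is localhost; "any" lets every reachable client query this server
    // NOTE(review): together with "recursion yes" below, "any" makes this an
    // open resolver for every host that can reach port 53. For an internal
    // server, put the internal prefixes in an acl and use it here, in
    // allow-query-cache and in allow-recursion instead of "any".
    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.root.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    version "dns server"; // string returned for version.bind queries; hides the real BIND version
    forward first; // ask the forwarders first, resolve iteratively only if they fail
    /*forwarders { 100.100.2.136; 100.100.2.138; };*/ // Alibaba Cloud Beijing-region internal DNS addresses
    forwarders { 119.29.29.29;182.254.116.116; }; // Tencent public DNS addresses
    allow-query-cache { any; };
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "jiaodayno.cn" IN {
    type master;
    file "jiaodayno.cn";
    // No secondary exists yet. Without allow-transfer, BIND 9.11 answers
    // AXFR/IXFR from any client; section 3 opens this to the secondary's address.
    allow-transfer { none; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";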
+++++++++++++++++++++++++++++++++
4、主域数据配置文件
cd /var/named/ # enter the zone-file directory
cp named.localhost jiaodayno.cn # copy the packaged template zone file and name it after the zone (jiaodayno.cn)
chown named.named jiaodayno.cn # hand the file to the named user and group
jiaodayno.cn文件内容如下:
[root@vpn ~]# cat /var/named/jiaodayno.cn
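$TTL 1D
@ IN SOA ns1.jiaodayno.cn. ns2.jiaodayno.cn. (
        0  ; serial - increase by one on every edit, or secondaries will not notice the change
        1D ; refresh
        1H ; retry
        1W ; expire
        3H ) ; minimum (negative-caching TTL)
; NOTE(review): the second SOA field is the responsible-person mailbox
; (ns2.jiaodayno.cn. reads as ns2@jiaodayno.cn), not a second name server;
; hostmaster.jiaodayno.cn. is the conventional value.
; NS records must be indented: a record with no owner name inherits the
; previous owner (@ here); at column 0 "NS" would itself become the owner.
    NS ns1.jiaodayno.cn.
ns1 A 10.10.169.141
ns2 A 10.10.169.141 ; same address as ns1 at this stage; section 3 points ns2 at the secondary 10.10.131.111
www A 10.10.131.111
jianwei A 10.10.100.47
io IN A 10.10.137.59 ; the class "IN" may also be written explicitly (";" is the zone-file comment character, "#" is not)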
[root@vpn ~]# ll /var/named/jiaodayno.cn
-rw-r--r-- 1 named named 351 Feb 10 04:41 /var/named/jiaodayno.cn
++++++++++++++++++++++++++++
5、使用检查命令进行检查配置文件语法
+++++++++++++++++++++++++++++++++
6、配置bind dns为缓存dns
此时配置的dns只能解析jiaodayno.cn主域内的记录,无法解析其他未配置的域名,需要做的是指定上游dns
指定上游dns:当无法使用本地的dns解析时,利用上游dns服务器进行解析
重启服务
# restart named so the edited named.conf and zone files are loaded (rndc reload avoids a full restart)
systemctl restart named
+++++++++++++++++++++++++
7、验证
修改客户端dns配置文件并检验
[root@vpn named]# dig www.jiaodayno.cn
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.3 <<>> www.jiaodayno.cn
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12672
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.jiaodayno.cn. IN A
;; ANSWER SECTION:
www.jiaodayno.cn. 86400 IN A 10.10.131.111
;; AUTHORITY SECTION:
jiaodayno.cn. 86400 IN NS ns1.jiaodayno.cn.
;; ADDITIONAL SECTION:
ns1.jiaodayno.cn. 86400 IN A 10.10.169.141
;; Query time: 0 msec
;; SERVER: 10.10.169.141#53(10.10.169.141)
;; WHEN: Wed Feb 10 04:49:29 CST 2021
;; MSG SIZE rcvd: 95
[root@vpn named]# dig jianwei.jiaodayno.cn
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.3 <<>> jianwei.jiaodayno.cn
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31918
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;jianwei.jiaodayno.cn. IN A
;; ANSWER SECTION:
jianwei.jiaodayno.cn. 86400 IN A 10.10.100.47
;; AUTHORITY SECTION:
jiaodayno.cn. 86400 IN NS ns1.jiaodayno.cn.
;; ADDITIONAL SECTION:
ns1.jiaodayno.cn. 86400 IN A 10.10.169.141
;; Query time: 0 msec
;; SERVER: 10.10.169.141#53(10.10.169.141)
;; WHEN: Wed Feb 10 04:49:47 CST 2021
;; MSG SIZE rcvd: 99
[root@test02 ~]# ping www.jiaodayno.cn
PING www.jiaodayno.cn (10.10.131.111) 56(84) bytes of data.
64 bytes from test01 (10.10.131.111): icmp_seq=1 ttl=63 time=0.786 ms
64 bytes from test01 (10.10.131.111): icmp_seq=2 ttl=63 time=0.318 ms
[root@test01 ~]# ping www.jiaodayno.cn
PING www.jiaodayno.cn (10.10.131.111) 56(84) bytes of data.
64 bytes from test01 (10.10.131.111): icmp_seq=1 ttl=64 time=0.008 ms
64 bytes from test01 (10.10.131.111): icmp_seq=2 ttl=64 time=0.024 ms
[root@test01 ~]# ping jianwei.jiaodayno.cn
PING jianwei.jiaodayno.cn (10.10.100.47) 56(84) bytes of data.
64 bytes from test02 (10.10.100.47): icmp_seq=1 ttl=63 time=0.997 ms
64 bytes from test02 (10.10.100.47): icmp_seq=2 ttl=63 time=0.268 ms
[root@test01 ~]# nslookup jianwei.jiaodayno.cn
Server: 10.10.169.141
Address: 10.10.169.141#53
Name: jianwei.jiaodayno.cn
Address: 10.10.100.47
[root@test01 ~]# nslookup www.jiaodayno.cn
Server: 10.10.169.141
Address: 10.10.169.141#53
Name: www.jiaodayno.cn
Address: 10.10.131.111
++++++++++++++++++++++++
三、配置bind dns从服务器并同步
新增一台dns服务器为从服务器,编辑其主配置文件
10.10.131.111 作为备dns服务执行下面的命令:
从dns 服务的配置文件如下:
[root@test01 ~]# cat /etc/named.conf
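options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file "/var/named/data/named.recursing";
    secroots-file "/var/named/data/named.secroots";
    allow-query { any; };
    // NOTE(review): "any" plus "recursion yes" makes this secondary an open
    // resolver for every host that can reach it; an acl of the internal
    // prefixes is the safer value here and in allow-query-cache.
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    bindkeys-file "/etc/named.root.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    version "dns server";
    forward first;
    /*forwarders { 100.100.2.136; 100.100.2.138; };*/
    forwarders { 119.29.29.29;182.254.116.116; };
    allow-query-cache { any; };
};
zone "jiaodayno.cn" IN {
    type slave; // this server keeps a secondary copy of the zone
    file "jiaodayno.cn"; // local file the transferred zone is written to
    masters { 10.10.169.141; }; // internal address of the primary DNS server
    // The primary limits transfers to this host, but a secondary serves
    // AXFR to anyone unless told otherwise (the 9.11 default is "any").
    allow-transfer { none; };
};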
修改/var/named权限或修改属主和属组:
# give named ownership of the zone directory so it can write the transferred zone files
# NOTE(review): the Red Hat package keeps /var/named itself root-owned and uses
# /var/named/slaves (plus data/ and dynamic/) as the named-writable locations;
# a recursive chown widens what the daemon can overwrite. Pointing the slave
# zones' "file" at slaves/<zone> avoids that — confirm against the package layout in use.
chown -R named.named /var/named
检查配置文件的语法:
[root@test01 data]# named-checkconf /etc/named.conf
修改主dns服务器 10.10.169.141的主配置文件named.conf如下:
[root@vpn ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; };
// NOTE(review): "any" together with "recursion yes" below makes this an open
// resolver for every host that can reach port 53; for an internal server an
// acl of the internal prefixes is the safer value here and in allow-query-cache.
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
version "dns server";
forward first;
/*forwarders { 100.100.2.136; 100.100.2.138; };*/
forwarders { 119.29.29.29;182.254.116.116; };
allow-query-cache { any; };
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
// primary-side zone statement: the settings below are what make primary/secondary replication work
zone "jiaodayno.cn" IN {
type master;
file "jiaodayno.cn";
allow-transfer { 10.10.131.111; }; // internal address of the secondary DNS server; zone transfers are allowed to this host only
// NOTE(review): this restricts transfers by source address only. BIND also
// supports TSIG-signed transfers (a "key" statement plus allow-transfer { key ...; }),
// which protects the transfer against address spoofing on the internal network.
notify yes; // send NOTIFY to the zone's NS hosts whenever the zone changes
also-notify { 10.10.131.111; };// internal address of the secondary DNS server (explicit NOTIFY target)
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
修改主dns服务器 10.10.169.141的域名数据配置文件:
[root@vpn ~]# cat /var/named/jiaodayno.cn
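$TTL 1D
@ IN SOA ns1.jiaodayno.cn. ns2.jiaodayno.cn. (
        1  ; serial - starts at 0; increase it by one on every edit of this file, otherwise secondaries will not pick up the change
        1D ; refresh
        1H ; retry
        1W ; expire
        3H ) ; minimum
; NOTE(review): the second SOA field is the responsible-person mailbox
; (ns2.jiaodayno.cn. reads as ns2@jiaodayno.cn), not a second name server;
; hostmaster.jiaodayno.cn. is the conventional value.
; ";" is the only comment character in a zone file; "//" or "#" after a record breaks parsing.
    NS ns1.jiaodayno.cn.
    NS ns2.jiaodayno.cn. ; list the secondary (dns2) as a name server for the zone
ns1 A 10.10.169.141
ns2 A 10.10.131.111 ; A record for the secondary (dns2)
www A 10.10.100.47
jianwei A 10.10.100.47 ; added host name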
!!!提示:每次修改主dns服务器的 zone 域文件(如 /var/named/jiaodayno.cn)时,serial 这个参数必须加1,然后重启dns服务才能生效,主dns才会把 zone 域文件 jiaodayno.cn 的信息同步到从dns服务器上
修改从dns服务器 10.10.131.111的resolv.conf文件:
修改10.10.100.47 作为单独的内网其他的测试dns服务器:
+++++++++++++++++++++++++++++
四、测试从dns服务是否正常同步主dns服务
**修改主dns服务的zone域文件添加A记录 bbs:**
[root@vpn ~]# cat /var/named/jiaodayno.cn
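$TTL 1D
@ IN SOA ns1.jiaodayno.cn. ns2.jiaodayno.cn. (
        3  ; serial - starts at 0; increase it by one on every edit of this file, otherwise secondaries will not pick up the change
        1D ; refresh
        1H ; retry
        1W ; expire
        3H ) ; minimum
; NOTE(review): the second SOA field is the responsible-person mailbox
; (ns2.jiaodayno.cn. reads as ns2@jiaodayno.cn), not a second name server;
; hostmaster.jiaodayno.cn. is the conventional value.
; ";" is the only comment character in a zone file; "//" or "#" after a record breaks parsing.
    NS ns1.jiaodayno.cn.
    NS ns2.jiaodayno.cn. ; list the secondary (dns2) as a name server for the zone
ns1 A 10.10.169.141
ns2 A 10.10.131.111 ; A record for the secondary (dns2)
www A 10.10.100.47
jianwei A 10.10.100.47 ; added host name
bbs A 10.10.100.47 ; added host name (the record whose replication is verified below)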
查看主dns服务的zone域文件时间戳:
检查配置文件named.conf配置文件语法:
[root@vpn named]# systemctl restart named
验证dns服务同步:
在从dns服务器 10.10.131.111 查看域文件:
发现bbs记录已经由主dns服务同步到了从dns服务:
分别在10.10.131.111和 10.10.100.47 2台服务器验证域名解析是否生效:
[root@test01 named]# dig bbs.jiaodayno.cn
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.3 <<>> bbs.jiaodayno.cn
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36098
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bbs.jiaodayno.cn. IN A
;; ANSWER SECTION:
bbs.jiaodayno.cn. 86400 IN A 10.10.100.47
;; AUTHORITY SECTION:
jiaodayno.cn. 86400 IN NS ns1.jiaodayno.cn.
jiaodayno.cn. 86400 IN NS ns2.jiaodayno.cn.
;; ADDITIONAL SECTION:
ns1.jiaodayno.cn. 86400 IN A 10.10.169.141
ns2.jiaodayno.cn. 86400 IN A 10.10.131.111
;; Query time: 1 msec
;; SERVER: 10.10.169.141#53(10.10.169.141)
;; WHEN: Wed Feb 10 22:18:57 CST 2021
;; MSG SIZE rcvd: 129
[root@test01 named]# dig www.jiaodayno.cn
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.3 <<>> www.jiaodayno.cn
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59924
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.jiaodayno.cn. IN A
;; ANSWER SECTION:
www.jiaodayno.cn. 86400 IN A 10.10.100.47
;; AUTHORITY SECTION:
jiaodayno.cn. 86400 IN NS ns2.jiaodayno.cn.
jiaodayno.cn. 86400 IN NS ns1.jiaodayno.cn.
;; ADDITIONAL SECTION:
ns1.jiaodayno.cn. 86400 IN A 10.10.169.141
ns2.jiaodayno.cn. 86400 IN A 10.10.131.111
;; Query time: 1 msec
;; SERVER: 10.10.169.141#53(10.10.169.141)
;; WHEN: Wed Feb 10 22:19:08 CST 2021
;; MSG SIZE rcvd: 129
[root@test01 named]# nslookup www.jiaodayno.cn
Server: 10.10.169.141
Address: 10.10.169.141#53
Name: www.jiaodayno.cn
Address: 10.10.100.47
[root@test01 named]# nslookup bbs.jiaodayno.cn
Server: 10.10.169.141
Address: 10.10.169.141#53
Name: bbs.jiaodayno.cn
Address: 10.10.100.47
+++++++++++++++++++++
五、验证主dns服务挂掉从dns服务是否可以正常提供解析服务
10.10.169.141服务器关闭掉主dns服务
[root@vpn named]# systemctl stop named;ss -lntup|grep named
**10.10.100.47测试验证:**
[root@test02 ~]# ping www.jiaodayno.cn
PING www.jiaodayno.cn (10.10.100.47) 56(84) bytes of data.
64 bytes from test02 (10.10.100.47): icmp_seq=1 ttl=64 time=0.020 ms
64 bytes from test02 (10.10.100.47): icmp_seq=2 ttl=64 time=0.043 ms
^C
--- www.jiaodayno.cn ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.020/0.031/0.043/0.012 ms
[root@test02 ~]# ping bbs.jiaodayno.cn
PING bbs.jiaodayno.cn (10.10.100.47) 56(84) bytes of data.
64 bytes from test02 (10.10.100.47): icmp_seq=1 ttl=64 time=0.012 ms
64 bytes from test02 (10.10.100.47): icmp_seq=2 ttl=64 time=0.031 ms
^C
--- bbs.jiaodayno.cn ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.012/0.021/0.031/0.010 ms
[root@test02 ~]# dig bbs.jiaodayno.cn
; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.2 <<>> bbs.jiaodayno.cn
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18908
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bbs.jiaodayno.cn. IN A
;; ANSWER SECTION:
bbs.jiaodayno.cn. 86400 IN A 10.10.100.47
;; AUTHORITY SECTION:
jiaodayno.cn. 86400 IN NS ns2.jiaodayno.cn.
jiaodayno.cn. 86400 IN NS ns1.jiaodayno.cn.
;; ADDITIONAL SECTION:
ns1.jiaodayno.cn. 86400 IN A 10.10.169.141
ns2.jiaodayno.cn. 86400 IN A 10.10.131.111
;; Query time: 1 msec
;; SERVER: 10.10.131.111#53(10.10.131.111)
;; WHEN: Wed Feb 10 22:24:38 CST 2021
;; MSG SIZE rcvd: 129
[root@test02 ~]# dig www.jiaodayno.cn
; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.2 <<>> www.jiaodayno.cn
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45096
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.jiaodayno.cn. IN A
;; ANSWER SECTION:
www.jiaodayno.cn. 86400 IN A 10.10.100.47
;; AUTHORITY SECTION:
jiaodayno.cn. 86400 IN NS ns2.jiaodayno.cn.
jiaodayno.cn. 86400 IN NS ns1.jiaodayno.cn.
;; ADDITIONAL SECTION:
ns1.jiaodayno.cn. 86400 IN A 10.10.169.141
ns2.jiaodayno.cn. 86400 IN A 10.10.131.111
;; Query time: 1 msec
;; SERVER: 10.10.131.111#53(10.10.131.111)
;; WHEN: Wed Feb 10 22:25:04 CST 2021
;; MSG SIZE rcvd: 129
[root@test02 ~]# nslookup www.jiaodayno.cn
Server: 10.10.131.111
Address: 10.10.131.111#53
Name: www.jiaodayno.cn
Address: 10.10.100.47
[root@test02 ~]# nslookup bbs.jiaodayno.cn
Server: 10.10.131.111
Address: 10.10.131.111#53
Name: bbs.jiaodayno.cn
Address: 10.10.100.47
++++++++++++++++++++++++++++++++++++++
六、 主dns配置文件配置多个主域
主dns服务配置文件 /etc/named.conf 配置多个主域文件
10.10.169.141 机器为主dns服务,主dns服务/etc/named.conf文件添加多个域参数内容如下:
[root@vpn ~]# cat /etc/named.conf|sed -n '63,81p'
zone "jiaodayno.cn" IN {
type master;
file "jiaodayno.cn"; // zone file name (relative to the "directory" option)
allow-transfer { 10.10.131.111; }; // internal address of the secondary DNS server; transfers are allowed to this host only
// NOTE(review): both zones restrict transfers by source address only; BIND also
// supports TSIG-signed transfers (a "key" statement plus allow-transfer { key ...; }),
// which protects the transfer against address spoofing on the internal network.
notify yes; // send NOTIFY to the zone's NS hosts whenever the zone changes
also-notify { 10.10.131.111; }; // internal address of the secondary DNS server (explicit NOTIFY target)
};
zone "aikeno.cn" IN {
type master;
file "aikeno.cn"; // zone file name
allow-transfer { 10.10.131.111; }; // internal address of the secondary DNS server
notify yes;
also-notify { 10.10.131.111; }; // internal address of the secondary DNS server
};
/var/named/aikeno.cn 主域配置文件内容如下:
[root@vpn ~]# cat /var/named/aikeno.cn
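$TTL 1D
@ IN SOA ns1.aikeno.cn. ns2.aikeno.cn. (
        1  ; serial - increase by one on every edit of this file, otherwise secondaries will not pick up the change
        1D ; refresh
        1H ; retry
        1W ; expire
        3H ) ; minimum
; NOTE(review): the second SOA field is the responsible-person mailbox
; (ns2.aikeno.cn. reads as ns2@aikeno.cn), not a second name server;
; hostmaster.aikeno.cn. is the conventional value.
; NS records must be indented: a record with no owner name inherits the
; previous owner (@ here); at column 0 "NS" would itself become the owner.
    NS ns1.aikeno.cn.
    NS ns2.aikeno.cn.
ns1 A 10.10.169.141
ns2 A 10.10.131.111
oa A 10.10.137.59
www A 10.10.137.59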
提示:每次修改 /var/named/aikeno.cn 文件,必须给serial参数加1,这样重启named服务才会生效
**授权named用户**
检查配置文件语法:
检查主域文件的语法:
重启named服务:
# restart named so the new zone statement and /var/named/aikeno.cn are loaded (rndc reload avoids a full restart)
systemctl restart named
测试是否生效:
[root@10-10-73-48 ~]# ping www.aikeno.cn
PING www.aikeno.cn (10.10.137.59) 56(84) bytes of data.
64 bytes from 10.10.137.59 (10.10.137.59): icmp_seq=1 ttl=63 time=1.39 ms
^C
--- www.aikeno.cn ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.394/1.394/1.394/0.000 ms
[root@10-10-73-48 ~]# dig www.aikeno.cn
; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.2 <<>> www.aikeno.cn
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56460
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.aikeno.cn. IN A
;; ANSWER SECTION:
www.aikeno.cn. 86400 IN A 10.10.137.59
;; AUTHORITY SECTION:
aikeno.cn. 86400 IN NS ns1.aikeno.cn.
aikeno.cn. 86400 IN NS ns2.aikeno.cn.
;; ADDITIONAL SECTION:
ns1.aikeno.cn. 86400 IN A 10.10.169.141
ns2.aikeno.cn. 86400 IN A 10.10.131.111
;; Query time: 1 msec
;; SERVER: 10.10.131.111#53(10.10.131.111)
;; WHEN: Sat Mar 13 21:59:49 CST 2021
;; MSG SIZE rcvd: 129
但是此时再检查slave dns服务器10.10.131.111时,/var/named/aikeno.cn 文件没有同步过来,这样的话,当主dns服务挂掉的话,从 dns上的aikeno.cn主域的解析记录不会生效
检查从dns服务的named.conf配置文件:
需要把新加的主域文件也写入到从dns服务的 named.conf中
[root@test01 ~]# cat /etc/named.conf|sed -n '28,38p'
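zone "jiaodayno.cn" IN {
    type slave;
    file "jiaodayno.cn";
    masters { 10.10.169.141; }; // internal address of the primary DNS server
    // A secondary answers AXFR from any client unless restricted (the 9.11
    // default is "any"); the primary only allows transfers to this host, so
    // mirror that here for both zones.
    allow-transfer { none; };
};
zone "aikeno.cn" IN {
    type slave;
    file "aikeno.cn";
    masters { 10.10.169.141; }; // internal address of the primary DNS server
    allow-transfer { none; };
};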
检查从dns named.conf配置文件语法:
[root@test01 ~]# named-checkconf /etc/named.conf
注意:此时不能 named-checkzone "aikeno.cn" /var/named/aikeno.cn
因为/var/named/aikeno.cn 这个主域文件还没有同步过来。必须重启slave dns服务,才会同步到slave dns服务器上。
但是同步到slave dns服务器上的/var/named/aikeno.cn 文件是二进制文件(BIND 默认以 raw 格式保存从主服务器传送过来的区域文件)。所以此时要是在slave上执行named-checkzone "aikeno.cn" /var/named/aikeno.cn
时,也是会报错的
所以在slave dns服务器上不要执行 named-checkzone "aikeno.cn" /var/named/aikeno.cn 进行主域文件语法校验
此时停掉主dns服务,测试slave dns服务 主域aikeno.cn 文件的解析记录是否正常:
[root@vpn ~]# systemctl stop named
[root@vpn ~]# ping www.aikeno.cn
ping: www.aikeno.cn: Name or service not known
检测 从dns服务解析记录:
[root@test01 ~]# ping www.aikeno.cn
PING www.aikeno.cn (10.10.137.59) 56(84) bytes of data.
64 bytes from 10.10.137.59 (10.10.137.59): icmp_seq=1 ttl=63 time=0.464 ms
64 bytes from 10.10.137.59 (10.10.137.59): icmp_seq=2 ttl=63 time=0.615 ms
[root@10-10-73-48 ~]# ping www.aikeno.cn
PING www.aikeno.cn (10.10.137.59) 56(84) bytes of data.
64 bytes from 10.10.137.59 (10.10.137.59): icmp_seq=1 ttl=63 time=1.08 ms
64 bytes from 10.10.137.59 (10.10.137.59): icmp_seq=2 ttl=63 time=0.382 ms
[root@test01 ~]# dig www.aikeno.cn
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.3 <<>> www.aikeno.cn
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55406
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.aikeno.cn. IN A
;; ANSWER SECTION:
www.aikeno.cn. 86400 IN A 10.10.137.59
;; AUTHORITY SECTION:
aikeno.cn. 86400 IN NS ns2.aikeno.cn.
aikeno.cn. 86400 IN NS ns1.aikeno.cn.
;; ADDITIONAL SECTION:
ns1.aikeno.cn. 86400 IN A 10.10.169.141
ns2.aikeno.cn. 86400 IN A 10.10.131.111
;; Query time: 0 msec
;; SERVER: 10.10.131.111#53(10.10.131.111)
;; WHEN: Sat Mar 13 22:25:35 CST 2021
;; MSG SIZE rcvd: 129
[root@10-10-73-48 ~]# dig www.aikeno.cn
; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.2 <<>> www.aikeno.cn
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15630
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.aikeno.cn. IN A
;; ANSWER SECTION:
www.aikeno.cn. 86400 IN A 10.10.137.59
;; AUTHORITY SECTION:
aikeno.cn. 86400 IN NS ns1.aikeno.cn.
aikeno.cn. 86400 IN NS ns2.aikeno.cn.
;; ADDITIONAL SECTION:
ns1.aikeno.cn. 86400 IN A 10.10.169.141
ns2.aikeno.cn. 86400 IN A 10.10.131.111
;; Query time: 1 msec
;; SERVER: 10.10.131.111#53(10.10.131.111)
;; WHEN: Sat Mar 13 22:26:17 CST 2021
;; MSG SIZE rcvd: 129
也可以采用下面的方式测试:
[root@test01 ~]# host -t NS aikeno.cn 10.10.131.111
Using domain server:
Name: 10.10.131.111
Address: 10.10.131.111#53
Aliases:
aikeno.cn name server ns2.aikeno.cn.
aikeno.cn name server ns1.aikeno.cn.
[root@test01 ~]# host -t NS aikeno.cn 10.10.169.141
;; connection timed out; no servers could be reached
[root@test01 ~]#
[root@test01 ~]# host -t NS aikeno.cn 10.10.169.141
Using domain server:
Name: 10.10.169.141
Address: 10.10.169.141#53
Aliases:
aikeno.cn name server ns2.aikeno.cn.
aikeno.cn name server ns1.aikeno.cn.
参考文档:
https://www.zytrax.com/books/dns/ch7/view.html
https://blog.51cto.com/zhuzw/1705394
https://www.cnblogs.com/kevingrace/p/9359989.html