####三.主从DNS DNS加密####
1.主从DNS的配置
1)配置好两台DNS服务器
2)其中从DNS服务器配置如下:
vim /etc/named.rfc1912.zones
---------------------------------------
25 zone "westos.com" IN {
26 type slave;
27 masters { 172.25.254.100; };
28 file "slaves/westos.com.zone";
29 allow-update { none; };
30 };
---------------------------------------
主DNS服务器配置如下:
---------------------------------------
25 zone "westos.com" IN {
26 type master;
27 file "westos.com.zone";
28 allow-update { none; };
29 allow-transfer { 172.25.254.200; }; ##允许哪些主机从主DNS做区域传送(AXFR/IXFR),这里只放行从DNS;并不是允许修改主DNS
30 also-notify { 172.25.254.200; }; ##区域变更时主动向从DNS发送NOTIFY,让它及时拉取新区域;同样不会修改主DNS
31 };
测试:
dig www.westos.com
2.主从DNS的修改
修改主DNS服务器配置
cd /var/named/
ls
vim westos.com.zone
----------------------------------------------------------
$ORIGIN .
$TTL 86400 ; 1 day
westos.com IN SOA dns.westos.com. root.westos.com. (
2016113004 ; serial
86400 ; refresh (1 day)
3600 ; retry (1 hour)
604800 ; expire (1 week)
10800 ; minimum (3 hours)
)
NS dns.westos.com.
$ORIGIN westos.com.
dns A 172.25.254.100
www A 172.25.254.110
---------------------------------------------------------------
在从DNS下:
cd slaves/
ls
rm -fr westos.com.zone
systemctl restart named
dig www.westos.com
systemctl stop firewalld.service
3.从DNS对主DNS的nsupdate
配置主DNS如下:
vim /etc/named.rfc1912.zones
-----------------------------------------------------------------
25 zone "westos.com" IN {
26 type master;
27 file "westos.com.zone";
28 allow-update { 172.25.254.221; }; ##允许该IP通过nsupdate更新主DNS(仅按来源IP放行,没有身份验证;第4节改为按密钥放行)
29 allow-transfer { 172.25.254.221; };
30 also-notify { 172.25.254.221; };
31 };
-----------------------------------------------------------------
getenforce
setenforce 0 ##临时把主DNS的SELinux切到permissive,使named能写区域文件;更稳妥的做法是只放行 named_write_master_zones 布尔值,而不是整体关闭
systemctl restart named
在从服务器上:
nsupdate
> server
could not read server name
> server 172.25.254.121
> update delete www.westos.com
> send
update failed: SERVFAIL
> server 172.25.254.121
> update delete www.westos.com
> send
> server 172.25.254.121
> update add www.westos.com 86400 A 172.25.254.110
> send
若出现:
> server 172.25.254.121
> update delete www.westos.com
> send
update failed: SERVFAIL
则说明主DNS上的SELinux仍在阻止named写入区域文件(未关闭或未放行)
4.主DNS加密(用TSIG共享密钥对nsupdate更新做签名认证)
主DNS上:
cd /mnt/
dnssec-keygen -a HMAC-MD5 -b 128 -n HOST westos ##生成TSIG共享密钥;HMAC-MD5已过时,新版BIND建议用 tsig-keygen 生成 hmac-sha256 密钥
ls
cat Kwestos.+157+46777.key
-------------------------------------------------
westos. IN KEY 512 3 157 aukf9ImtS6taM/cNKXLWMg==
-------------------------------------------------
cat Kwestos.+157+46777.private
-------------------------------------
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: aukf9ImtS6taM/cNKXLWMg==
Bits: AAA=
Created: 20161130084047
Publish: 20161130084047
Activate: 20161130084047
--------------------------------------
cp -p /etc/rndc.key /etc/westos.key ##用-p保留rndc.key的属主和权限,密钥文件不应让其他用户可读
vim /etc/westos.key
---------------------------------------------
key "westos" {
algorithm hmac-md5;
secret "aukf9ImtS6taM/cNKXLWMg=="; ##secret 就是上面 .private 文件中 Key 字段的值
};
---------------------------------------------
vim /etc/named.conf
42 include "/etc/westos.key"; ##添加
vim /etc/named.rfc1912.zones
25 zone "westos.com" IN {
26 type master;
27 file "westos.com.zone";
28 allow-update { key westos; };
29 };
systemctl restart named
cd /mnt/
scp Kwestos.+157+46777.* root@172.25.254.221:/mnt/ ##复制密钥
在从DNS下:
cd /mnt/
ls
nsupdate -k Kwestos.+157+46777.private
> server 172.25.254.121
> update delete www.westos.com
> send
> quit
##修改(删除)成功
5.自动加密寻址(DHCP通过TSIG密钥动态更新DNS)
yum install dhcp
cp /usr/share/doc/dhcp-4.2.5/dhcpd.conf.example /etc/dhcp/dhcpd.conf
vim /etc/dhcp/dhcpd.conf
-----------------------------------------------------------
1 # dhcpd.conf
2 #
3 # Sample configuration file for ISC dhcpd
4 #
5
6 # option definitions common to all supported networks...
7 option domain-name "westos.com";
8 option domain-name-servers 172.25.254.100;
9
10 default-lease-time 600;
11 max-lease-time 7200;
12
13 # Use this to enble / disable dynamic dns updates globally.
14 ddns-update-style none; ##none 表示禁用DDNS;要让dhcpd按下面的 key/zone 配置去更新DNS,需改为 interim
15
16 # If this DHCP server is the official DHCP server for the local
17 # network, the authoritative directive should be uncommented.
18 #authoritative;
19
20 # Use this to send dhcp log messages to a different log file (you also
21 # have to hack syslog.conf to complete the redirection).
22 log-facility local7;
23
24 # No service will be given on this subnet, but declaring it helps the
25 # DHCP server to understand the network topology.
26
27
28 # This is a very basic subnet declaration.
29
30 subnet 172.25.254.0 netmask 255.255.255.0 {
31 range 172.25.254.204 172.25.254.234;
32 option routers 172.25.254.100;
33 }
34 key westos {
algorithm hmac-md5;
secret 84f932vU/s198FosSEdmg==; ##密钥,必须与主DNS上 /etc/westos.key 中 key "westos" 的 secret 完全一致
};
39 zone westos.com. {
primary 127.0.0.1;
key westos;
}
---------------------------------------------------------------
本文出自 “12100661” 博客,谢绝转载!
原文地址:http://12110661.blog.51cto.com/12100661/1878553