Tags: master/slave replication, DNS forward and reverse resolution, subdomain delegation, zone forwarding, study notes
DNS: Domain Name Service
Listening port: UDP/TCP port 53
Implementations: BIND (Berkeley Internet Name Domain), PowerDNS, dnsmasq
FQDN: Fully Qualified Domain Name
Forward resolution: FQDN --> IP
Reverse resolution: IP --> FQDN
Queries:
Recursive query: recursion, used between a client and its local DNS server (the DNS server a client points at must be one that allows recursion for that client)
Iterative query: iteration, used between the local DNS server and the root servers and other DNS servers
RR: Resource Record
Resource records have types, which define what the record is used for
SOA (Start Of Authority): start of authority for the zone; states who the zone is delegated to
NS (Name Server): name server; names the NS servers of the zone
MX (Mail eXchanger): mail exchanger; names the MX servers of the zone
A (Address): FQDN --> IP
PTR (PoinTeR): IP --> FQDN
CNAME (Canonical Name): alias record
DNS server types:
Primary (master) DNS server
Secondary (slave) DNS server
Caching name server (has only three zones: root, localhost and 127.0.0.1; it is not responsible for resolving any particular domain and only caches the data it has resolved locally)
Forward and reverse resolution use different techniques and should not be kept in the same database file
The DNS database file (zone data file; the zone itself has a name) is a text file that may contain only resource records or directives (macros such as $TTL)
Resource record format:
name [ttl] IN RRtype Value
ttl: caching time, how long a resolver may keep the record
SOA: only one per zone (it must be the first record in the zone database file)
name: the zone name, e.g. kaiyuandiantang.com., usually abbreviated as @
value: the FQDN of the primary DNS server
@ 600 IN SOA ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com.(
serial number ;serial number, a decimal number of at most 10 digits, usually built from the date, e.g. 2017090601
refresh time ;refresh interval, how often the secondary checks the primary
retry time ;retry interval, should be shorter than the refresh time
expire time ;expire time, how long to wait after the primary stops responding; once it expires the secondary stops serving the zone too
negative answer ttl ;TTL for negative answers
)
NS: several are allowed
name: the zone name, usually abbreviated as @
value: the FQDN of a DNS server (a relative name may be used)
@ 600 IN NS ns1
MX: several are allowed
name: the zone name, identifying the domain whose SMTP servers are listed
value: a priority followed by an FQDN (priority 0-99; the lower the number, the higher the priority)
@ 600 IN MX 10 mail
A: may only be defined in a forward zone database file
name: FQDN (a relative name may be used)
value: IP
www 600 IN A 192.168.130.1
CNAME:
name: FQDN
value: FQDN
ftp 600 IN CNAME www
PTR: IP --> FQDN; may only be defined in a reverse zone data file; the reverse zone name is the reversed network address followed by the .in-addr.arpa. suffix
name: the IP, written as the reversed host address; for example the name for 192.168.130.1 is 1, which in full is 1.130.168.192.in-addr.arpa.
value: FQDN
3 600 IN PTR www.kaiyuandiantang.com.
Every resource record whose value is an FQDN should be accompanied by an A record for that value
The main configuration file /etc/named.conf defines the zones (at least three: root, localhost, 127.0.0.1)
The zone data directory /var/named/ holds the zone database files (owner, group, mode: root, named, 640)
type {hint|master|slave|forward}
root zone, master zone, slave zone, forward zone
Reverse zone database file: the zone name is the reversed network address with the .in-addr.arpa suffix;
the first record must be the SOA
it should have NS records, but must not contain MX or A records
the most common record is the PTR, whose name is the reversed host address
dig command:
# dig [-t type] [-x addr] [name] [@server]
+[no]trace
+[no]recurse
+[no]tcp
host command:
# host [-t type] {name} [server]
nslookup command:
nslookup>
server DNS_SERVER_IP
set q=TYPE
{name}
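The record rules above (a single SOA that comes first, NS records present, A records only in forward zones, PTR records only in reverse zones, an A record behind every FQDN-valued record) can be checked mechanically before a file is handed to named-checkzone. The Python below is an added example written for these notes, not code from the original page or from BIND: it parses the simple zone-file form used in these notes and applies those rules to constructed copies of the two zone files from the examples. The names parse_zone, check_zone, FORWARD_ZONE and REVERSE_ZONE are this example's own.

```python
# Added example (not part of the original notes): a small parser for the zone-file
# format used above plus a checker for the rules the notes state. Assumptions: only
# $TTL, ';' comments, a parenthesised SOA value list and the record types SOA NS MX
# A CNAME PTR are handled; a line starting with whitespace or "IN" has a blank owner.
import re
from dataclasses import dataclass

@dataclass
class RR:
    name: str    # owner name, fully qualified (trailing dot)
    ttl: int
    rrtype: str
    value: str   # rdata as text; the names inside it are fully qualified

def parse_ttl(token: str) -> int:
    """'600', '1H', '5M', '3D' or '1W' -> seconds."""
    m = re.fullmatch(r"(\d+)([SMHDW]?)", token.upper())
    if not m:
        raise ValueError(f"bad TTL: {token}")
    return int(m.group(1)) * {"": 1, "S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}[m.group(2)]

def qualify(name: str, origin: str) -> str:
    """Relative name -> FQDN under origin; '@' stands for the origin itself."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text: str, origin: str) -> list[RR]:
    origin = origin.rstrip(".") + "."
    default_ttl, prev_owner, records = 0, origin, []
    # Drop ';' comments, then fold '( ... )' continuation lines into one logical line.
    logical, buf, depth = [], [], 0
    for line in (ln.split(";", 1)[0] for ln in text.splitlines()):
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            logical.append(" ".join(buf).replace("(", " ").replace(")", " "))
            buf = []
    for raw in filter(str.strip, logical):
        tokens = raw.split()
        if tokens[0] == "$TTL":
            default_ttl = parse_ttl(tokens[1])
            continue
        if raw[0].isspace() or tokens[0].upper() == "IN":
            owner = prev_owner                      # blank owner: reuse the previous one
        else:
            owner = prev_owner = qualify(tokens.pop(0), origin)
        ttl = int(tokens.pop(0)) if tokens[0].isdigit() else default_ttl
        if tokens[0].upper() == "IN":               # the class is optional
            tokens.pop(0)
        rrtype = tokens.pop(0).upper()
        # Fully qualify the name fields of the rdata (MX: after the priority; SOA: mname, rname).
        name_fields = {"MX": (1,), "SOA": (0, 1), "A": ()}.get(rrtype, (0,))
        tokens = [qualify(t, origin) if i in name_fields else t for i, t in enumerate(tokens)]
        records.append(RR(owner, ttl, rrtype, " ".join(tokens)))
    return records

def check_zone(records: list[RR], origin: str, reverse: bool) -> list[str]:
    """Apply the rules from the notes; returns the violations found ([] means OK)."""
    origin = origin.rstrip(".") + "."
    problems = []
    if not records or records[0].rrtype != "SOA" or sum(r.rrtype == "SOA" for r in records) != 1:
        problems.append("the zone must begin with its single SOA record")
    if not any(r.rrtype == "NS" and r.name == origin for r in records):
        problems.append("no NS record at the zone apex")
    a_names = {r.name for r in records if r.rrtype == "A"}
    for r in records:
        if reverse and r.rrtype in ("A", "MX"):
            problems.append(f"{r.rrtype} not allowed in a reverse zone: {r.name}")
        if not reverse and r.rrtype == "PTR":
            problems.append(f"PTR not allowed in a forward zone: {r.name}")
        target = r.value.split()[-1] if r.rrtype in ("NS", "CNAME", "PTR", "MX") else None
        # An FQDN-valued record needs an A record for its target, when the target is in this zone.
        if target and (target == origin or target.endswith("." + origin)) and target not in a_names:
            problems.append(f"{r.rrtype} {r.name} -> {target} has no A record")
    return problems

# Constructed sample zones mirroring the two files written in the notes.
FORWARD_ZONE = """\
$TTL 600
@ IN SOA ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. (
        2017090601 ; serial
        1H 5M 3D 12H )
        IN NS ns1
        IN MX 10 mail
ns1     IN A 192.168.130.117
mail    IN A 192.168.130.10
www     IN A 192.168.130.20
pop     IN CNAME mail
"""
REVERSE_ZONE = """\
$TTL 600
@ IN SOA ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. (
        2017090601 1H 5M 3D 12H )
        IN NS ns1.kaiyuandiantang.com.
117     IN PTR ns1.kaiyuandiantang.com.
10      IN PTR mail.kaiyuandiantang.com.
20      IN PTR www.kaiyuandiantang.com.
"""
```

check_zone(parse_zone(FORWARD_ZONE, "kaiyuandiantang.com"), "kaiyuandiantang.com", reverse=False) returns an empty list, as does the same call for REVERSE_ZONE with reverse=True; a reverse zone that contains an A record, or a forward zone whose NS target has no A record, gets the matching violation back instead.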
=========================================================================================
Forward and reverse resolution example (ns1: 192.168.130.117)
=========================================================================================
1. Install bind
[root@localhost ~]# yum -y install bind
2. Configure the main configuration file
"/etc/named.conf" 43L, 1000C written
[root@localhost ~]# sed "/^\//d" /etc/named.conf
options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion yes;
/* Path to ISC DLV key */
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
3. Configure the forward zone
[root@localhost ~]# tail -4 /etc/named.rfc1912.zones
zone "kaiyuandiantang.com" IN {
type master;
file "kaiyuandiantang.com.zone";
};
4. Configure the forward zone database file
[root@localhost named]# cat kaiyuandiantang.com.zone
$TTL 600
@ IN SOA ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. (
2017090601
1H
5M
3D
12H
)
IN NS ns1
IN MX 10 mail
ns1 IN A 192.168.130.117
mail IN A 192.168.130.10
www IN A 192.168.130.20
pop IN CNAME mail
web IN CNAME www
5. Set permissions and start the service
[root@localhost ~]# cd /var/named/
[root@localhost named]# chown root:named kaiyuandiantang.com.zone
[root@localhost named]# chmod 640 kaiyuandiantang.com.zone
[root@localhost named]# named-checkconf
[root@localhost named]# named-checkzone "kaiyuandiantang.com" kaiyuandiantang.com.zone
zone kaiyuandiantang.com/IN: loaded serial 2017090601
OK
[root@localhost named]# service named start
Generating /etc/rndc.key: [ OK ]
Starting named: [ OK ]
[root@localhost named]# service named reload
Reloading named: [ OK ]
[root@localhost named]# tail /var/log/messages
Aug 31 16:51:23 localhost named[20996]: managed-keys-zone ./IN: loaded serial 0
Aug 31 16:51:23 localhost named[20996]: running
Aug 31 16:51:29 localhost named[20996]: received control channel command 'reload'
Aug 31 16:51:29 localhost named[20996]: loading configuration from '/etc/named.conf'
Aug 31 16:51:29 localhost named[20996]: using default UDP/IPv4 port range: [1024, 65535]
Aug 31 16:51:29 localhost named[20996]: using default UDP/IPv6 port range: [1024, 65535]
Aug 31 16:51:29 localhost named[20996]: sizing zone task pool based on 7 zones
Aug 31 16:51:29 localhost named[20996]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Aug 31 16:51:29 localhost named[20996]: reloading configuration succeeded
Aug 31 16:51:29 localhost named[20996]: reloading zones succeeded
6. Test
[root@localhost named]# dig -t NS kaiyuandiantang.com @192.168.130.117
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t NS kaiyuandiantang.com @192.168.130.117
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3470
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;kaiyuandiantang.com. IN NS
;; ANSWER SECTION:
kaiyuandiantang.com. 600 IN NS ns1.kaiyuandiantang.com.
;; ADDITIONAL SECTION:
ns1.kaiyuandiantang.com. 600 IN A 192.168.130.117
;; Query time: 0 msec
;; SERVER: 192.168.130.117#53(192.168.130.117)
;; WHEN: Thu Aug 31 16:53:46 2017
;; MSG SIZE rcvd: 71
[root@localhost named]#
[root@localhost named]# dig -t MX kaiyuandiantang.com @192.168.130.117
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t MX kaiyuandiantang.com @192.168.130.117
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38626
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; QUESTION SECTION:
;kaiyuandiantang.com. IN MX
;; ANSWER SECTION:
kaiyuandiantang.com. 600 IN MX 10 mail.kaiyuandiantang.com.
;; AUTHORITY SECTION:
kaiyuandiantang.com. 600 IN NS ns1.kaiyuandiantang.com.
;; ADDITIONAL SECTION:
mail.kaiyuandiantang.com. 600 IN A 192.168.130.10
ns1.kaiyuandiantang.com. 600 IN A 192.168.130.117
;; Query time: 0 msec
;; SERVER: 192.168.130.117#53(192.168.130.117)
;; WHEN: Thu Aug 31 16:53:53 2017
;; MSG SIZE rcvd: 108
[root@localhost named]#
[root@localhost named]# dig -t A www.kaiyuandiantang.com @192.168.130.117
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A www.kaiyuandiantang.com @192.168.130.117
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46757
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.kaiyuandiantang.com. IN A
;; ANSWER SECTION:
www.kaiyuandiantang.com. 600 IN A 192.168.130.20
;; AUTHORITY SECTION:
kaiyuandiantang.com. 600 IN NS ns1.kaiyuandiantang.com.
;; ADDITIONAL SECTION:
ns1.kaiyuandiantang.com. 600 IN A 192.168.130.117
;; Query time: 0 msec
;; SERVER: 192.168.130.117#53(192.168.130.117)
;; WHEN: Thu Aug 31 16:54:09 2017
;; MSG SIZE rcvd: 91
[root@localhost named]#
7. Configure the reverse zone
[root@localhost named]# tail -9 /etc/named.rfc1912.zones
zone "kaiyuandiantang.com" IN {
type master;
file "kaiyuandiantang.com.zone";
};
zone "130.168.192.in-addr.arpa" IN {
type master;
file "130.168.192.zone";
};
8. Configure the reverse zone database file
[root@localhost named]# cat 130.168.192.zone
$TTL 600
@ IN SOA ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. (
2017090601
1H
5M
3D
12H
)
IN NS ns1.kaiyuandiantang.com.
117 IN PTR ns1.kaiyuandiantang.com.
10 IN PTR mail.kaiyuandiantang.com.
20 IN PTR www.kaiyuandiantang.com.
9. Set permissions and start the service
[root@localhost named]# chown root:named 130.168.192.zone
[root@localhost named]# chmod 640 130.168.192.zone
[root@localhost named]# named-checkconf
[root@localhost named]# named-checkzone "130.168.192.in-addr.arpa" 130.168.192.zone
zone 130.168.192.in-addr.arpa/IN: loaded serial 2017090601
OK
[root@localhost named]# service named reload
Reloading named: [ OK ]
[root@localhost named]# tail /var/log/messages
Aug 31 16:51:29 localhost named[20996]: reloading zones succeeded
Aug 31 17:08:42 localhost named[20996]: received control channel command 'reload'
Aug 31 17:08:42 localhost named[20996]: loading configuration from '/etc/named.conf'
Aug 31 17:08:42 localhost named[20996]: using default UDP/IPv4 port range: [1024, 65535]
Aug 31 17:08:42 localhost named[20996]: using default UDP/IPv6 port range: [1024, 65535]
Aug 31 17:08:42 localhost named[20996]: sizing zone task pool based on 8 zones
Aug 31 17:08:42 localhost named[20996]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Aug 31 17:08:42 localhost named[20996]: reloading configuration succeeded
Aug 31 17:08:42 localhost named[20996]: zone 130.168.192.in-addr.arpa/IN: loaded serial 2017090601
Aug 31 17:08:42 localhost named[20996]: reloading zones succeeded
10. Test
[root@localhost named]# dig -x 192.168.130.117 @192.168.130.117
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -x 192.168.130.117 @192.168.130.117
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6475
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;117.130.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
117.130.168.192.in-addr.arpa. 600 IN PTR ns1.kaiyuandiantang.com.
;; AUTHORITY SECTION:
130.168.192.in-addr.arpa. 600 IN NS ns1.kaiyuandiantang.com.
;; ADDITIONAL SECTION:
ns1.kaiyuandiantang.com. 600 IN A 192.168.130.117
;; Query time: 1 msec
;; SERVER: 192.168.130.117#53(192.168.130.117)
;; WHEN: Thu Aug 31 17:09:56 2017
;; MSG SIZE rcvd: 113
[root@localhost named]#
[root@localhost named]# dig -x 192.168.130.10 @192.168.130.117
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -x 192.168.130.10 @192.168.130.117
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63381
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;10.130.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
10.130.168.192.in-addr.arpa. 600 IN PTR mail.kaiyuandiantang.com.
;; AUTHORITY SECTION:
130.168.192.in-addr.arpa. 600 IN NS ns1.kaiyuandiantang.com.
;; ADDITIONAL SECTION:
ns1.kaiyuandiantang.com. 600 IN A 192.168.130.117
;; Query time: 0 msec
;; SERVER: 192.168.130.117#53(192.168.130.117)
;; WHEN: Thu Aug 31 17:10:01 2017
;; MSG SIZE rcvd: 117
[root@localhost named]#
[root@localhost named]# dig -x 192.168.130.20 @192.168.130.117
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -x 192.168.130.20 @192.168.130.117
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26960
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;20.130.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
20.130.168.192.in-addr.arpa. 600 IN PTR www.kaiyuandiantang.com.
;; AUTHORITY SECTION:
130.168.192.in-addr.arpa. 600 IN NS ns1.kaiyuandiantang.com.
;; ADDITIONAL SECTION:
ns1.kaiyuandiantang.com. 600 IN A 192.168.130.117
;; Query time: 0 msec
;; SERVER: 192.168.130.117#53(192.168.130.117)
;; WHEN: Thu Aug 31 17:10:08 2017
;; MSG SIZE rcvd: 116
[root@localhost named]#
Zone transfer:
the process by which a secondary DNS server requests zone data from the primary DNS server or from another secondary;
full zone transfer: transfers all of the zone's data, AXFR
incremental zone transfer: transfers only the changed part of the zone, IXFR
Simulating a full zone transfer with dig
# dig -t axfr ZONE_NAME @server
dig -t axfr kaiyuandiantang.com @192.168.130.117
Master/slave:
master: its bind version may be lower than the slave's;
the two key steps for adding a slave server to a zone:
obtain delegation from the parent zone
in the master's zone data file, add an NS record for the slave and the matching A or PTR record;
zone "kaiyuandiantang.com" IN {
type slave;
masters { 192.168.130.117; };
file "slaves/kaiyuandiantang.com.zone";
};
Zone transfer access control:
allow-transfer { IP; };
=========================================================================================
Master/slave replication example (ns1: 192.168.130.117, ns2: 192.168.130.118)
=========================================================================================
1. Modify the forward zone database file on ns1, adding the NS and A records for ns2
[root@localhost ~]# cat /var/named/kaiyuandiantang.com.zone
$TTL 600
@ IN SOA ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. (
2017090601
1H
5M
3D
12H
)
IN NS ns1
IN NS ns2
IN MX 10 mail
ns1 IN A 192.168.130.117
ns2 IN A 192.168.130.118
mail IN A 192.168.130.10
www IN A 192.168.130.20
pop IN CNAME mail
web IN CNAME www
[root@localhost ~]# service named reload
Reloading named: [ OK ]
[root@localhost ~]# tail /var/log/messages
Sep 1 08:48:47 localhost named[20996]: loading configuration from '/etc/named.conf'
Sep 1 08:48:47 localhost named[20996]: using default UDP/IPv4 port range: [1024, 65535]
Sep 1 08:48:47 localhost named[20996]: using default UDP/IPv6 port range: [1024, 65535]
Sep 1 08:48:47 localhost named[20996]: sizing zone task pool based on 8 zones
Sep 1 08:48:47 localhost named[20996]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Sep 1 08:48:47 localhost named[20996]: reloading configuration succeeded
Sep 1 08:48:47 localhost named[20996]: reloading zones succeeded
Sep 1 08:48:47 localhost named[20996]: zone kaiyuandiantang.com/IN: zone serial (2017090601) unchanged. zone may fail to transfer to slaves.
Sep 1 08:48:47 localhost named[20996]: zone kaiyuandiantang.com/IN: loaded serial 2017090601
Sep 1 08:48:47 localhost named[20996]: zone kaiyuandiantang.com/IN: sending notifies (serial 2017090601)
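The warning in that log matters: the zone file changed but its serial did not, so named reports that the zone "may fail to transfer to slaves". A slave only pulls a fresh copy when the master's serial is newer than the one it holds, so every edit must be followed by a serial bump. The Python below is an added example for these notes, not code from the page or from BIND: it bumps a date-based serial of the form the notes recommend (YYYYMMDDnn) and implements the RFC 1982 comparison a slave uses to decide whether a transfer is due. The function names and the sample zone text are this example's own; it assumes the serial is the first number after the SOA's two names, as in the files above.

```python
# Added example (not part of the original notes): bump a date-based SOA serial before
# reloading, and compare serials the way RFC 1982 serial arithmetic does.
# Assumption: the serial is the first number after the SOA's MNAME and RNAME.
import re
from datetime import date
from typing import Optional, Tuple

# "SOA <mname> <rname> [(] <serial>" with any whitespace (including newlines) between.
SERIAL_RE = re.compile(r"\bSOA\s+\S+\s+\S+\s*\(?\s*(\d+)")

def next_serial(current: int, today: date) -> int:
    """Date-based serial: YYYYMMDD followed by a two-digit revision counter."""
    base = int(today.strftime("%Y%m%d")) * 100
    if current < base:               # first change today
        return base + 1
    if current == base + 99:         # all 99 revisions for today used up
        raise ValueError(f"serial {current} has no revision left for today")
    return current + 1               # same day again, or a serial already ahead of today

def bump_serial(zone_text: str, today: Optional[date] = None) -> Tuple[str, int]:
    """Return the zone text with its SOA serial increased, and the new serial."""
    m = SERIAL_RE.search(zone_text)
    if not m:
        raise ValueError("no SOA serial found")
    new = next_serial(int(m.group(1)), today or date.today())
    start, end = m.span(1)
    return zone_text[:start] + str(new) + zone_text[end:], new

def serial_newer(master: int, slave: int) -> bool:
    """RFC 1982: is the master's serial newer than the slave's? A slave starts a
    transfer only when this is true; an unchanged serial therefore never triggers one."""
    diff = (master - slave) % (1 << 32)
    return 0 < diff < (1 << 31)

# Constructed sample in the form of the zone file above.
SAMPLE_ZONE = """$TTL 600
@ IN SOA ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. (
2017090601
1H
5M
3D
12H
)
"""

if __name__ == "__main__":
    text, new = bump_serial(SAMPLE_ZONE, date(2017, 9, 6))
    print(new, serial_newer(new, 2017090601))   # 2017090602 True
```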
2. Install bind on ns2
yum -y install bind
3. Configure the main configuration file on ns2
[root@localhost ~]# sed "/^\//d" /etc/named.conf
options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion yes;
/* Path to ISC DLV key */
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
4. Configure the forward zone on ns2
[root@localhost ~]# tail -5 /etc/named.rfc1912.zones
zone "kaiyuandiantang.com" IN {
type slave;
masters { 192.168.130.117; };
file "slaves/kaiyuandiantang.com.zone";
};
5. Start the service on ns2
[root@localhost ~]# named-checkconf
[root@localhost ~]# service named start
Generating /etc/rndc.key: [ OK ]
Starting named: [ OK ]
[root@localhost ~]# service named reload
Reloading named: [ OK ]
[root@localhost ~]# tail -20 /var/log/messages
Sep 2 14:20:56 localhost named[22632]: zone 0.in-addr.arpa/IN: loaded serial 0
Sep 2 14:20:56 localhost named[22632]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Sep 2 14:20:56 localhost named[22632]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Sep 2 14:20:56 localhost named[22632]: zone localhost.localdomain/IN: loaded serial 0
Sep 2 14:20:56 localhost named[22632]: zone localhost/IN: loaded serial 0
Sep 2 14:20:56 localhost named[22632]: managed-keys-zone ./IN: loaded serial 0
Sep 2 14:20:56 localhost named[22632]: running
Sep 2 14:20:56 localhost named[22632]: zone kaiyuandiantang.com/IN: Transfer started.
Sep 2 14:20:56 localhost named[22632]: transfer of 'kaiyuandiantang.com/IN' from 192.168.130.117#53: connected using 192.168.130.118#43804
Sep 2 14:20:56 localhost named[22632]: zone kaiyuandiantang.com/IN: transferred serial 2017090601
Sep 2 14:20:56 localhost named[22632]: transfer of 'kaiyuandiantang.com/IN' from 192.168.130.117#53: Transfer completed: 1 messages, 11 records, 276 bytes, 0.001 secs (276000 bytes/sec)
Sep 2 14:20:56 localhost named[22632]: zone kaiyuandiantang.com/IN: sending notifies (serial 2017090601)
Sep 2 14:21:00 localhost named[22632]: received control channel command 'reload'
Sep 2 14:21:00 localhost named[22632]: loading configuration from '/etc/named.conf'
Sep 2 14:21:00 localhost named[22632]: using default UDP/IPv4 port range: [1024, 65535]
Sep 2 14:21:00 localhost named[22632]: using default UDP/IPv6 port range: [1024, 65535]
Sep 2 14:21:00 localhost named[22632]: sizing zone task pool based on 7 zones
Sep 2 14:21:00 localhost named[22632]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Sep 2 14:21:00 localhost named[22632]: reloading configuration succeeded
Sep 2 14:21:00 localhost named[22632]: reloading zones succeeded
6. Verify and test
[root@localhost ~]# cat /var/named/slaves/kaiyuandiantang.com.zone
$ORIGIN .
$TTL 600 ; 10 minutes
kaiyuandiantang.com IN SOA ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. (
2017090601 ; serial
3600 ; refresh (1 hour)
300 ; retry (5 minutes)
259200 ; expire (3 days)
43200 ; minimum (12 hours)
)
NS ns1.kaiyuandiantang.com.
NS ns2.kaiyuandiantang.com.
MX 10 mail.kaiyuandiantang.com.
$ORIGIN kaiyuandiantang.com.
mail A 192.168.130.10
ns1 A 192.168.130.117
ns2 A 192.168.130.118
pop CNAME mail
web CNAME www
www A 192.168.130.20
[root@localhost ~]# dig -t NS kaiyuandiantang.com @192.168.130.118
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t NS kaiyuandiantang.com @192.168.130.118
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28940
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
;; QUESTION SECTION:
;kaiyuandiantang.com. IN NS
;; ANSWER SECTION:
kaiyuandiantang.com. 600 IN NS ns1.kaiyuandiantang.com.
kaiyuandiantang.com. 600 IN NS ns2.kaiyuandiantang.com.
;; ADDITIONAL SECTION:
ns1.kaiyuandiantang.com. 600 IN A 192.168.130.117
ns2.kaiyuandiantang.com. 600 IN A 192.168.130.118
;; Query time: 1 msec
;; SERVER: 192.168.130.118#53(192.168.130.118)
;; WHEN: Sat Sep 2 14:24:08 2017
;; MSG SIZE rcvd: 105
[root@localhost ~]#
[root@localhost ~]# dig -t MX kaiyuandiantang.com @192.168.130.118
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t MX kaiyuandiantang.com @192.168.130.118
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27789
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; QUESTION SECTION:
;kaiyuandiantang.com. IN MX
;; ANSWER SECTION:
kaiyuandiantang.com. 600 IN MX 10 mail.kaiyuandiantang.com.
;; AUTHORITY SECTION:
kaiyuandiantang.com. 600 IN NS ns2.kaiyuandiantang.com.
kaiyuandiantang.com. 600 IN NS ns1.kaiyuandiantang.com.
;; ADDITIONAL SECTION:
mail.kaiyuandiantang.com. 600 IN A 192.168.130.10
ns1.kaiyuandiantang.com. 600 IN A 192.168.130.117
ns2.kaiyuandiantang.com. 600 IN A 192.168.130.118
;; Query time: 1 msec
;; SERVER: 192.168.130.118#53(192.168.130.118)
;; WHEN: Sat Sep 2 14:24:29 2017
;; MSG SIZE rcvd: 142
[root@localhost ~]#
[root@localhost ~]# dig -t A mail.kaiyuandiantang.com @192.168.130.118
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A mail.kaiyuandiantang.com @192.168.130.118
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7090
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;mail.kaiyuandiantang.com. IN A
;; ANSWER SECTION:
mail.kaiyuandiantang.com. 600 IN A 192.168.130.10
;; AUTHORITY SECTION:
kaiyuandiantang.com. 600 IN NS ns1.kaiyuandiantang.com.
kaiyuandiantang.com. 600 IN NS ns2.kaiyuandiantang.com.
;; ADDITIONAL SECTION:
ns1.kaiyuandiantang.com. 600 IN A 192.168.130.117
ns2.kaiyuandiantang.com. 600 IN A 192.168.130.118
;; Query time: 0 msec
;; SERVER: 192.168.130.118#53(192.168.130.118)
;; WHEN: Sat Sep 2 14:24:56 2017
;; MSG SIZE rcvd: 126
[root@localhost ~]#
[root@localhost ~]# dig -t A www.kaiyuandiantang.com @192.168.130.118
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A www.kaiyuandiantang.com @192.168.130.118
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2339
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.kaiyuandiantang.com. IN A
;; ANSWER SECTION:
www.kaiyuandiantang.com. 600 IN A 192.168.130.20
;; AUTHORITY SECTION:
kaiyuandiantang.com. 600 IN NS ns1.kaiyuandiantang.com.
kaiyuandiantang.com. 600 IN NS ns2.kaiyuandiantang.com.
;; ADDITIONAL SECTION:
ns1.kaiyuandiantang.com. 600 IN A 192.168.130.117
ns2.kaiyuandiantang.com. 600 IN A 192.168.130.118
;; Query time: 0 msec
;; SERVER: 192.168.130.118#53(192.168.130.118)
;; WHEN: Sat Sep 2 14:25:05 2017
;; MSG SIZE rcvd: 125
7. Modify the reverse zone database file on ns1, adding the NS and PTR records for ns2
"/var/named/130.168.192.zone" 14L, 323C written
[root@localhost ~]# cat /var/named/130.168.192.zone
$TTL 600
@ IN SOA ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. (
2017090601
1H
5M
3D
12H
)
IN NS ns1.kaiyuandiantang.com.
IN NS ns2.kaiyuandiantang.com.
117 IN PTR ns1.kaiyuandiantang.com.
118 IN PTR ns2.kaiyuandiantang.com.
10 IN PTR mail.kaiyuandiantang.com.
20 IN PTR www.kaiyuandiantang.com.
[root@localhost ~]# service named reload
Reloading named: [ OK ]
[root@localhost ~]# tail /var/log/messages
Sep 1 09:35:38 localhost named[20996]: loading configuration from '/etc/named.conf'
Sep 1 09:35:38 localhost named[20996]: using default UDP/IPv4 port range: [1024, 65535]
Sep 1 09:35:38 localhost named[20996]: using default UDP/IPv6 port range: [1024, 65535]
Sep 1 09:35:38 localhost named[20996]: sizing zone task pool based on 8 zones
Sep 1 09:35:38 localhost named[20996]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Sep 1 09:35:38 localhost named[20996]: reloading configuration succeeded
Sep 1 09:35:38 localhost named[20996]: reloading zones succeeded
Sep 1 09:35:38 localhost named[20996]: zone 130.168.192.in-addr.arpa/IN: zone serial (2017090601) unchanged. zone may fail to transfer to slaves.
Sep 1 09:35:38 localhost named[20996]: zone 130.168.192.in-addr.arpa/IN: loaded serial 2017090601
Sep 1 09:35:39 localhost named[20996]: zone 130.168.192.in-addr.arpa/IN: sending notifies (serial 2017090601)
8. Configure the reverse zone on ns2
[root@localhost ~]# tail -11 /etc/named.rfc1912.zones
zone "kaiyuandiantang.com" IN {
type slave;
masters { 192.168.130.117; };
file "slaves/kaiyuandiantang.com.zone";
};
zone "130.168.192.in-addr.arpa" IN {
type slave;
masters { 192.168.130.117; };
file "slaves/130.168.192.zone";
};
9. Start the service on ns2
[root@localhost ~]# named-checkconf
[root@localhost ~]# service named reload
Reloading named: [ OK ]
[root@localhost ~]# tail /var/log/messages
Sep 2 14:43:39 localhost named[22632]: using default UDP/IPv6 port range: [1024, 65535]
Sep 2 14:43:39 localhost named[22632]: sizing zone task pool based on 8 zones
Sep 2 14:43:39 localhost named[22632]: Warning: ‘empty-zones-enable/disable-empty-zone‘ not set: disabling RFC 1918 empty zones
Sep 2 14:43:39 localhost named[22632]: reloading configuration succeeded
Sep 2 14:43:39 localhost named[22632]: reloading zones succeeded
Sep 2 14:43:39 localhost named[22632]: zone 130.168.192.in-addr.arpa/IN: Transfer started.
Sep 2 14:43:39 localhost named[22632]: transfer of '130.168.192.in-addr.arpa/IN' from 192.168.130.117#53: connected using 192.168.130.118#51094
Sep 2 14:43:39 localhost named[22632]: zone 130.168.192.in-addr.arpa/IN: transferred serial 2017090601
Sep 2 14:43:39 localhost named[22632]: transfer of '130.168.192.in-addr.arpa/IN' from 192.168.130.117#53: Transfer completed: 1 messages, 8 records, 254 bytes, 0.001 secs (254000 bytes/sec)
Sep 2 14:43:39 localhost named[22632]: zone 130.168.192.in-addr.arpa/IN: sending notifies (serial 2017090601)
10. Verify and test
[root@localhost ~]# cat /var/named/slaves/130.168.192.zone
$ORIGIN .
$TTL 600 ; 10 minutes
130.168.192.in-addr.arpa IN SOA ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. (
2017090601 ; serial
3600 ; refresh (1 hour)
300 ; retry (5 minutes)
259200 ; expire (3 days)
43200 ; minimum (12 hours)
)
NS ns1.kaiyuandiantang.com.
NS ns2.kaiyuandiantang.com.
$ORIGIN 130.168.192.in-addr.arpa.
10 PTR mail.kaiyuandiantang.com.
117 PTR ns1.kaiyuandiantang.com.
118 PTR ns2.kaiyuandiantang.com.
20 PTR www.kaiyuandiantang.com.
[root@localhost ~]# dig -x 192.168.130.117 @192.168.130.118
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -x 192.168.130.117 @192.168.130.118
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25446
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;117.130.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
117.130.168.192.in-addr.arpa. 600 IN PTR ns1.kaiyuandiantang.com.
;; AUTHORITY SECTION:
130.168.192.in-addr.arpa. 600 IN NS ns1.kaiyuandiantang.com.
130.168.192.in-addr.arpa. 600 IN NS ns2.kaiyuandiantang.com.
;; ADDITIONAL SECTION:
ns1.kaiyuandiantang.com. 600 IN A 192.168.130.117
ns2.kaiyuandiantang.com. 600 IN A 192.168.130.118
;; Query time: 0 msec
;; SERVER: 192.168.130.118#53(192.168.130.118)
;; WHEN: Sat Sep 2 15:07:54 2017
;; MSG SIZE rcvd: 147
[root@localhost ~]#
[root@localhost ~]# dig -x 192.168.130.118 @192.168.130.118
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -x 192.168.130.118 @192.168.130.118
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37094
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;118.130.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
118.130.168.192.in-addr.arpa. 600 IN PTR ns2.kaiyuandiantang.com.
;; AUTHORITY SECTION:
130.168.192.in-addr.arpa. 600 IN NS ns2.kaiyuandiantang.com.
130.168.192.in-addr.arpa. 600 IN NS ns1.kaiyuandiantang.com.
;; ADDITIONAL SECTION:
ns1.kaiyuandiantang.com. 600 IN A 192.168.130.117
ns2.kaiyuandiantang.com. 600 IN A 192.168.130.118
;; Query time: 0 msec
;; SERVER: 192.168.130.118#53(192.168.130.118)
;; WHEN: Sat Sep 2 15:08:01 2017
;; MSG SIZE rcvd: 147
[root@localhost ~]#
[root@localhost ~]# dig -x 192.168.130.10 @192.168.130.118
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -x 192.168.130.10 @192.168.130.118
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11469
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;10.130.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
10.130.168.192.in-addr.arpa. 600 IN PTR mail.kaiyuandiantang.com.
;; AUTHORITY SECTION:
130.168.192.in-addr.arpa. 600 IN NS ns2.kaiyuandiantang.com.
130.168.192.in-addr.arpa. 600 IN NS ns1.kaiyuandiantang.com.
;; ADDITIONAL SECTION:
ns1.kaiyuandiantang.com. 600 IN A 192.168.130.117
ns2.kaiyuandiantang.com. 600 IN A 192.168.130.118
;; Query time: 0 msec
;; SERVER: 192.168.130.118#53(192.168.130.118)
;; WHEN: Sat Sep 2 15:08:10 2017
;; MSG SIZE rcvd: 151
[root@localhost ~]#
[root@localhost ~]# dig -x 192.168.130.20 @192.168.130.118
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -x 192.168.130.20 @192.168.130.118
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64194
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;20.130.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
20.130.168.192.in-addr.arpa. 600 IN PTR www.kaiyuandiantang.com.
;; AUTHORITY SECTION:
130.168.192.in-addr.arpa. 600 IN NS ns1.kaiyuandiantang.com.
130.168.192.in-addr.arpa. 600 IN NS ns2.kaiyuandiantang.com.
;; ADDITIONAL SECTION:
ns1.kaiyuandiantang.com. 600 IN A 192.168.130.117
ns2.kaiyuandiantang.com. 600 IN A 192.168.130.118
;; Query time: 0 msec
;; SERVER: 192.168.130.118#53(192.168.130.118)
;; WHEN: Sat Sep 2 15:08:14 2017
;; MSG SIZE rcvd: 150
11. As configured so far, zone transfer has a security problem: any host that knows the zone name and the IP of the DNS server can obtain the full contents of the zone database file. This is controlled by adding allow-transfer.
Before adding allow-transfer (tested from 192.168.130.119)
[root@localhost ~]# dig -t axfr kaiyuandiantang.com @192.168.130.117
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t axfr kaiyuandiantang.com @192.168.130.117
;; global options: +cmd
kaiyuandiantang.com. 600 IN SOA ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. 2017090601 3600 300 259200 43200
kaiyuandiantang.com. 600 IN NS ns1.kaiyuandiantang.com.
kaiyuandiantang.com. 600 IN NS ns2.kaiyuandiantang.com.
kaiyuandiantang.com. 600 IN MX 10 mail.kaiyuandiantang.com.
mail.kaiyuandiantang.com. 600 IN A 192.168.130.10
ns1.kaiyuandiantang.com. 600 IN A 192.168.130.117
ns2.kaiyuandiantang.com. 600 IN A 192.168.130.118
pop.kaiyuandiantang.com. 600 IN CNAME mail.kaiyuandiantang.com.
web.kaiyuandiantang.com. 600 IN CNAME www.kaiyuandiantang.com.
www.kaiyuandiantang.com. 600 IN A 192.168.130.20
kaiyuandiantang.com. 600 IN SOA ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. 2017090601 3600 300 259200 43200
;; Query time: 6 msec
;; SERVER: 192.168.130.117#53(192.168.130.117)
;; WHEN: Thu Sep 7 11:49:50 2017
;; XFR size: 11 records (messages 1, bytes 276)
[root@localhost ~]#
[root@localhost ~]# dig -t axfr kaiyuandiantang.com @192.168.130.118
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t axfr kaiyuandiantang.com @192.168.130.118
;; global options: +cmd
kaiyuandiantang.com. 600 IN SOA ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. 2017090601 3600 300 259200 43200
kaiyuandiantang.com. 600 IN MX 10 mail.kaiyuandiantang.com.
kaiyuandiantang.com. 600 IN NS ns1.kaiyuandiantang.com.
kaiyuandiantang.com. 600 IN NS ns2.kaiyuandiantang.com.
mail.kaiyuandiantang.com. 600 IN A 192.168.130.10
ns1.kaiyuandiantang.com. 600 IN A 192.168.130.117
ns2.kaiyuandiantang.com. 600 IN A 192.168.130.118
pop.kaiyuandiantang.com. 600 IN CNAME mail.kaiyuandiantang.com.
web.kaiyuandiantang.com. 600 IN CNAME www.kaiyuandiantang.com.
www.kaiyuandiantang.com. 600 IN A 192.168.130.20
kaiyuandiantang.com. 600 IN SOA ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. 2017090601 3600 300 259200 43200
;; Query time: 4 msec
;; SERVER: 192.168.130.118#53(192.168.130.118)
;; WHEN: Thu Sep 7 11:49:56 2017
;; XFR size: 11 records (messages 1, bytes 276)
[root@localhost ~]#
[root@localhost ~]# dig -t axfr 130.168.192.in-addr.arpa @192.168.130.117
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t axfr 130.168.192.in-addr.arpa @192.168.130.117
;; global options: +cmd
130.168.192.in-addr.arpa. 600 IN SOA ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. 2017090601 3600 300 259200 43200
130.168.192.in-addr.arpa. 600 IN NS ns1.kaiyuandiantang.com.
130.168.192.in-addr.arpa. 600 IN NS ns2.kaiyuandiantang.com.
10.130.168.192.in-addr.arpa. 600 IN PTR mail.kaiyuandiantang.com.
117.130.168.192.in-addr.arpa. 600 IN PTR ns1.kaiyuandiantang.com.
118.130.168.192.in-addr.arpa. 600 IN PTR ns2.kaiyuandiantang.com.
20.130.168.192.in-addr.arpa. 600 IN PTR www.kaiyuandiantang.com.
130.168.192.in-addr.arpa. 600 IN SOA ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. 2017090601 3600 300 259200 43200
;; Query time: 1 msec
;; SERVER: 192.168.130.117#53(192.168.130.117)
;; WHEN: Thu Sep 7 11:50:26 2017
;; XFR size: 8 records (messages 1, bytes 254)
[root@localhost ~]#
[root@localhost ~]# dig -t axfr 130.168.192.in-addr.arpa @192.168.130.118
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t axfr 130.168.192.in-addr.arpa @192.168.130.118
;; global options: +cmd
130.168.192.in-addr.arpa. 600 IN SOA ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. 2017090601 3600 300 259200 43200
130.168.192.in-addr.arpa. 600 IN NS ns1.kaiyuandiantang.com.
130.168.192.in-addr.arpa. 600 IN NS ns2.kaiyuandiantang.com.
10.130.168.192.in-addr.arpa. 600 IN PTR mail.kaiyuandiantang.com.
117.130.168.192.in-addr.arpa. 600 IN PTR ns1.kaiyuandiantang.com.
118.130.168.192.in-addr.arpa. 600 IN PTR ns2.kaiyuandiantang.com.
20.130.168.192.in-addr.arpa. 600 IN PTR www.kaiyuandiantang.com.
130.168.192.in-addr.arpa. 600 IN SOA ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. 2017090601 3600 300 259200 43200
;; Query time: 9 msec
;; SERVER: 192.168.130.118#53(192.168.130.118)
;; WHEN: Thu Sep 7 11:50:38 2017
;; XFR size: 8 records (messages 1, bytes 254)
[root@localhost ~]#
Add allow-transfer on ns1
[root@localhost ~]# tail -11 /etc/named.rfc1912.zones
zone "kaiyuandiantang.com" IN {
type master;
file "kaiyuandiantang.com.zone";
allow-transfer { 127.0.0.1; 192.168.130.117; };
};
zone "130.168.192.in-addr.arpa" IN {
type master;
file "130.168.192.zone";
allow-transfer { 127.0.0.1; 192.168.130.117; };
};
[root@localhost ~]# service named reload
Reloading named: [ OK ]
[root@localhost ~]# tail /var/log/messages
Sep 1 10:45:45 localhost named[20996]: /etc/named.rfc1912.zones:52: missing ‘;‘ before ‘}‘
Sep 1 10:45:45 localhost named[20996]: reloading configuration failed: failure
Sep 1 10:46:48 localhost named[20996]: received control channel command ‘reload‘
Sep 1 10:46:48 localhost named[20996]: loading configuration from ‘/etc/named.conf‘
Sep 1 10:46:48 localhost named[20996]: using default UDP/IPv4 port range: [1024, 65535]
Sep 1 10:46:48 localhost named[20996]: using default UDP/IPv6 port range: [1024, 65535]
Sep 1 10:46:48 localhost named[20996]: sizing zone task pool based on 8 zones
Sep 1 10:46:48 localhost named[20996]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Sep 1 10:46:48 localhost named[20996]: reloading configuration succeeded
Sep 1 10:46:48 localhost named[20996]: reloading zones succeeded
Add allow-transfer on ns2
[root@localhost ~]# tail -13 /etc/named.rfc1912.zones
zone "kaiyuandiantang.com" IN {
type slave;
masters { 192.168.130.117; };
file "slaves/kaiyuandiantang.com.zone";
allow-transfer { none; };
};
zone "130.168.192.in-addr.arpa" IN {
type slave;
masters { 192.168.130.117; };
file "slaves/130.168.192.zone";
allow-transfer { none; };
};
[root@localhost ~]# service named reload
Reloading named: [ OK ]
[root@localhost ~]# tail /var/log/messages
Sep 2 15:42:39 localhost named[22632]: client 192.168.130.119#50309: transfer of '130.168.192.in-addr.arpa/IN': AXFR started
Sep 2 15:42:39 localhost named[22632]: client 192.168.130.119#50309: transfer of '130.168.192.in-addr.arpa/IN': AXFR ended
Sep 2 15:48:52 localhost named[22632]: received control channel command 'reload'
Sep 2 15:48:52 localhost named[22632]: loading configuration from '/etc/named.conf'
Sep 2 15:48:52 localhost named[22632]: using default UDP/IPv4 port range: [1024, 65535]
Sep 2 15:48:52 localhost named[22632]: using default UDP/IPv6 port range: [1024, 65535]
Sep 2 15:48:52 localhost named[22632]: sizing zone task pool based on 8 zones
Sep 2 15:48:52 localhost named[22632]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Sep 2 15:48:52 localhost named[22632]: reloading configuration succeeded
Sep 2 15:48:52 localhost named[22632]: reloading zones succeeded
After adding allow-transfer (tested from 192.168.130.119)
[root@localhost ~]# dig -t axfr kaiyuandiantang.com @192.168.130.117
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t axfr kaiyuandiantang.com @192.168.130.117
;; global options: +cmd
; Transfer failed.
[root@localhost ~]# dig -t axfr kaiyuandiantang.com @192.168.130.118
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t axfr kaiyuandiantang.com @192.168.130.118
;; global options: +cmd
; Transfer failed.
[root@localhost ~]# dig -t axfr 130.168.192.in-addr.arpa @192.168.130.117
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t axfr 130.168.192.in-addr.arpa @192.168.130.117
;; global options: +cmd
; Transfer failed.
[root@localhost ~]# dig -t axfr 130.168.192.in-addr.arpa @192.168.130.118
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t axfr 130.168.192.in-addr.arpa @192.168.130.118
;; global options: +cmd
; Transfer failed.
[root@localhost ~]#
Implementing subdomain delegation in BIND: glue records
Add the following entries to the parent zone's data file:
the name of the delegated subzone
the subzone's name server(s)
the IP address of each of the subzone's name servers (the glue A record)
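An added check for the three entries above (example code, not from the original notes): it parses a parent zone file in the layout these notes use and reports a delegation whose in-bailiwick name server lacks its glue A record. The zone text is a constructed, shortened copy of the parent zone shown below; a name server that lives outside the subzone needs no glue and is not flagged.

```python
"""Delegation (glue record) check for a BIND zone file: added example, not the
blog's own code. It parses the record shapes used in the notes and verifies that
a delegated subzone's in-bailiwick name servers have glue A records in the parent."""

def qualify(name, origin):
    """Turn a relative owner or target name into a fully qualified one."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return (owner, type, target) tuples with fully qualified names; the SOA's
    parenthesised timer lines are skipped and an omitted owner repeats the last."""
    records, owner, in_paren = [], origin, False
    for raw in text.splitlines():
        toks = raw.split(";", 1)[0].replace("(", " ( ").replace(")", " ) ").split()
        if in_paren:                      # still inside the SOA timer list
            in_paren = ")" not in toks
            continue
        if not toks or toks[0].startswith("$"):
            continue                      # blank line or a $TTL directive
        in_paren = "(" in toks and ")" not in toks
        if toks[0].upper() != "IN" and not toks[0].isdigit():
            owner = qualify(toks.pop(0), origin)
        # drop the IN class, any TTL or MX priority, and the SOA parentheses
        toks = [t for t in toks if t.upper() != "IN" and not t.isdigit() and t not in "()"]
        rtype, target = toks[0].upper(), toks[1 if toks[0].upper() == "SOA" else -1]
        records.append((owner, rtype, target if rtype == "A" else qualify(target, origin)))
    return records

def check_delegation(text, origin, subzone):
    """List delegation problems: no NS for subzone, or an in-subzone NS with no glue A."""
    recs = parse_zone(text, origin)
    sub = qualify(subzone, origin)
    a_owners = {o for o, t, _ in recs if t == "A"}
    ns_targets = [v for o, t, v in recs if t == "NS" and o == sub]
    problems = [] if ns_targets else [f"no NS record delegating {sub}"]
    for ns in ns_targets:
        if ns.endswith("." + sub) and ns not in a_owners:
            problems.append(f"missing glue A record for {ns}")
    return problems

# Constructed, shortened copy of the parent zone file shown in the notes.
ORIGIN = "kaiyuandiantang.com."
PARENT_ZONE = """$TTL 600
@ IN SOA ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. (
2017090601 1H 5M 3D 12H )
IN NS ns1
ns1 IN A 192.168.130.117
mail IN A 192.168.130.10
linux IN NS ns1.linux
ns1.linux IN A 192.168.130.119
"""
```

Removing the ns1.linux A record from PARENT_ZONE reproduces the missing-glue case the parent-side entries above exist to prevent.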
=========================================================================================
Forward subdomain delegation example (parent domain: 192.168.130.117, subdomain: 192.168.130.119)
=========================================================================================
1. Delegate the subdomain in the parent zone
[root@localhost ~]# cat /var/named/kaiyuandiantang.com.zone
$TTL 600
@ IN SOA ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. (
2017090601
1H
5M
3D
12H
)
IN NS ns1
IN NS ns2
IN MX 10 mail
ns1 IN A 192.168.130.117
ns2 IN A 192.168.130.118
mail IN A 192.168.130.10
www IN A 192.168.130.20
pop IN CNAME mail
web IN CNAME www
linux IN NS ns1.linux
ns1.linux IN A 192.168.130.119
[root@localhost ~]# service named reload
Reloading named: [ OK ]
[root@localhost ~]# tail /var/log/messages
Sep 1 16:29:00 localhost named[20996]: loading configuration from '/etc/named.conf'
Sep 1 16:29:00 localhost named[20996]: using default UDP/IPv4 port range: [1024, 65535]
Sep 1 16:29:00 localhost named[20996]: using default UDP/IPv6 port range: [1024, 65535]
Sep 1 16:29:00 localhost named[20996]: sizing zone task pool based on 8 zones
Sep 1 16:29:00 localhost named[20996]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Sep 1 16:29:00 localhost named[20996]: reloading configuration succeeded
Sep 1 16:29:00 localhost named[20996]: reloading zones succeeded
Sep 1 16:29:00 localhost named[20996]: zone kaiyuandiantang.com/IN: zone serial (2017090601) unchanged. zone may fail to transfer to slaves.
Sep 1 16:29:00 localhost named[20996]: zone kaiyuandiantang.com/IN: loaded serial 2017090601
Sep 1 16:29:00 localhost named[20996]: zone kaiyuandiantang.com/IN: sending notifies (serial 2017090601)
[root@localhost ~]#
2. Configure the subdomain server's main configuration file
[root@localhost ~]# sed "/^\//d" /etc/named.conf
options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion yes;
/* Path to ISC DLV key */
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
3. Define the zone on the subdomain server
[root@localhost ~]# tail -4 /etc/named.rfc1912.zones
zone "linux.kaiyuandiantang.com" IN {
type master;
file "linux.kaiyuandiantang.com.zone";
};
4. Create the subdomain server's zone database file
[root@localhost ~]# cat /var/named/linux.kaiyuandiantang.com.zone
$TTL 600
@ IN SOA ns1.linux.kaiyuandiantang.com. admin.linux.kaiyuandiantang.com. (
2017090701
1H
5M
3D
12H
)
IN NS ns1
IN MX 10 mail
ns1 IN A 192.168.130.119
mail IN A 192.168.130.30
www IN A 192.168.130.40
pop IN CNAME mail
web IN CNAME www
[root@localhost ~]#
5. Fix the file permissions and start the service on the subdomain server
[root@localhost ~]# cd /var/named/
[root@localhost named]# chown root:named linux.kaiyuandiantang.com.zone
[root@localhost named]# chmod 640 linux.kaiyuandiantang.com.zone
[root@localhost named]# named-checkconf
[root@localhost named]# named-checkzone linux.kaiyuandiantang.com linux.kaiyuandiantang.com.zone
zone linux.kaiyuandiantang.com/IN: loaded serial 2017090701
OK
[root@localhost named]# service named start
Starting named: [ OK ]
[root@localhost named]# tail /var/log/messages
Aug 31 18:30:52 localhost named[20903]: command channel listening on 127.0.0.1#953
Aug 31 18:30:52 localhost named[20903]: command channel listening on ::1#953
Aug 31 18:30:52 localhost named[20903]: zone 0.in-addr.arpa/IN: loaded serial 0
Aug 31 18:30:52 localhost named[20903]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Aug 31 18:30:52 localhost named[20903]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Aug 31 18:30:52 localhost named[20903]: zone linux.kaiyuandiantang.com/IN: loaded serial 2017090701
Aug 31 18:30:52 localhost named[20903]: zone localhost.localdomain/IN: loaded serial 0
Aug 31 18:30:52 localhost named[20903]: zone localhost/IN: loaded serial 0
Aug 31 18:30:52 localhost named[20903]: managed-keys-zone ./IN: loaded serial 0
Aug 31 18:30:52 localhost named[20903]: running
[root@localhost named]#
6. Test
[root@localhost named]# dig -t NS linux.kaiyuandiantang.com @192.168.130.119
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t NS linux.kaiyuandiantang.com @192.168.130.119
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63108
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;linux.kaiyuandiantang.com. IN NS
;; ANSWER SECTION:
linux.kaiyuandiantang.com. 600 IN NS ns1.linux.kaiyuandiantang.com.
;; ADDITIONAL SECTION:
ns1.linux.kaiyuandiantang.com. 600 IN A 192.168.130.119
;; Query time: 0 msec
;; SERVER: 192.168.130.119#53(192.168.130.119)
;; WHEN: Thu Aug 31 18:32:28 2017
;; MSG SIZE rcvd: 77
[root@localhost named]# dig -t MX linux.kaiyuandiantang.com @192.168.130.119
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t MX linux.kaiyuandiantang.com @192.168.130.119
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42605
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; QUESTION SECTION:
;linux.kaiyuandiantang.com. IN MX
;; ANSWER SECTION:
linux.kaiyuandiantang.com. 600 IN MX 10 mail.linux.kaiyuandiantang.com.
;; AUTHORITY SECTION:
linux.kaiyuandiantang.com. 600 IN NS ns1.linux.kaiyuandiantang.com.
;; ADDITIONAL SECTION:
mail.linux.kaiyuandiantang.com. 600 IN A 192.168.130.30
ns1.linux.kaiyuandiantang.com. 600 IN A 192.168.130.119
;; Query time: 0 msec
;; SERVER: 192.168.130.119#53(192.168.130.119)
;; WHEN: Thu Aug 31 18:32:40 2017
;; MSG SIZE rcvd: 114
[root@localhost named]#
[root@localhost named]# dig -t A www.linux.kaiyuandiantang.com @192.168.130.119
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A www.linux.kaiyuandiantang.com @192.168.130.119
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56396
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.linux.kaiyuandiantang.com. IN A
;; ANSWER SECTION:
www.linux.kaiyuandiantang.com. 600 IN A 192.168.130.40
;; AUTHORITY SECTION:
linux.kaiyuandiantang.com. 600 IN NS ns1.linux.kaiyuandiantang.com.
;; ADDITIONAL SECTION:
ns1.linux.kaiyuandiantang.com. 600 IN A 192.168.130.119
;; Query time: 1 msec
;; SERVER: 192.168.130.119#53(192.168.130.119)
;; WHEN: Thu Aug 31 18:33:01 2017
;; MSG SIZE rcvd: 97
[root@localhost named]# dig -t A ns1.linux.kaiyuandiantang.com @192.168.130.119
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A ns1.linux.kaiyuandiantang.com @192.168.130.119
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3947
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;ns1.linux.kaiyuandiantang.com. IN A
;; ANSWER SECTION:
ns1.linux.kaiyuandiantang.com. 600 IN A 192.168.130.119
;; AUTHORITY SECTION:
linux.kaiyuandiantang.com. 600 IN NS ns1.linux.kaiyuandiantang.com.
;; Query time: 0 msec
;; SERVER: 192.168.130.119#53(192.168.130.119)
;; WHEN: Thu Aug 31 18:33:08 2017
;; MSG SIZE rcvd: 77
[root@localhost named]# dig -t A mail.linux.kaiyuandiantang.com @192.168.130.119
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A mail.linux.kaiyuandiantang.com @192.168.130.119
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50725
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;mail.linux.kaiyuandiantang.com. IN A
;; ANSWER SECTION:
mail.linux.kaiyuandiantang.com. 600 IN A 192.168.130.30
;; AUTHORITY SECTION:
linux.kaiyuandiantang.com. 600 IN NS ns1.linux.kaiyuandiantang.com.
;; ADDITIONAL SECTION:
ns1.linux.kaiyuandiantang.com. 600 IN A 192.168.130.119
;; Query time: 0 msec
;; SERVER: 192.168.130.119#53(192.168.130.119)
;; WHEN: Thu Aug 31 18:33:14 2017
;; MSG SIZE rcvd: 98
[root@localhost named]#
7. A problem
[root@localhost named]# dig -t A www.kaiyuandiantang.com @192.168.130.119
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A www.kaiyuandiantang.com @192.168.130.119
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 59745
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;www.kaiyuandiantang.com. IN A
;; AUTHORITY SECTION:
com. 829 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1504779223 1800 900 604800 86400
;; Query time: 0 msec
;; SERVER: 192.168.130.119#53(192.168.130.119)
;; WHEN: Thu Aug 31 18:46:52 2017
;; MSG SIZE rcvd: 114
At this point, because kaiyuandiantang.com is not a zone this subdomain DNS server is responsible for, it queries the root; the root provides a referral to the com servers, and since the com zone has no subdomain kaiyuandiantang.com, resolution fails. Zone forwarding is introduced to solve this.
Configuring zone forwarding: forward zones
When resolving a name in a zone this host is not responsible for, the query is not sent to the root but handed to a designated host;
Ways to configure forwarding:
Forward all zones this host is not responsible for:
options {
forward only|first;
forwarders { IP; };
};
Forward one specific zone:
zone "specific zone" IN {
type forward;
forwarders { IP; };
forward only|first;
};
Prerequisite for forwarding to work: this host must be in the remote server's list of hosts allowed to recurse (its allow-recursion);
8. Enable zone forwarding on the subdomain server
[root@localhost named]# tail -9 /etc/named.rfc1912.zones
type master;
file "linux.kaiyuandiantang.com.zone";
};
zone "kaiyuandiantang.com" IN {
type forward;
forwarders { 192.168.130.117; };
forward only;
};
[root@localhost named]# service named restart
Stopping named: . [ OK ]
Starting named: [ OK ]
[root@localhost named]# dig -t A www.kaiyuandiantang.com @192.168.130.119
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A www.kaiyuandiantang.com @192.168.130.119
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47012
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.kaiyuandiantang.com. IN A
;; ANSWER SECTION:
www.kaiyuandiantang.com. 600 IN A 192.168.130.20
;; AUTHORITY SECTION:
kaiyuandiantang.com. 600 IN NS ns2.kaiyuandiantang.com.
kaiyuandiantang.com. 600 IN NS ns1.kaiyuandiantang.com.
;; ADDITIONAL SECTION:
ns2.kaiyuandiantang.com. 600 IN A 192.168.130.118
ns1.kaiyuandiantang.com. 600 IN A 192.168.130.117
;; Query time: 3 msec
;; SERVER: 192.168.130.119#53(192.168.130.119)
;; WHEN: Thu Aug 31 18:57:19 2017
;; MSG SIZE rcvd: 125
[root@localhost named]#
Security control options:
allow-transfer {};
normally always needs to be set;
allow-query {};
usually only used when the server is a caching name server, to open querying to local clients only;
allow-recursion { };
defines the recursion whitelist;
allow-update { none; };
defines the whitelist of hosts allowed to dynamically update the zone data file
ACL: BIND supports access control lists
acl ACL_NAME {
172.16.0.0/16;
192.168.0.0/24;
127.0.0.0/8;
};
An access control list can only be used after it has been defined; acl statements are therefore usually placed at the very top of named.conf;
BIND has four built-in acls:
any: any host
none: no host
localhost: this host
localnets: the networks this host is on;
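An added audit for the options and acl rules above (example code, not from the original notes or from ISC): it tokenises a named.conf-style fragment with a small parser for BIND's statement/block syntax, raising the same "missing ';' before '}'" complaint that appeared in the ns1 reload log, and then reports a master zone with no allow-transfer (BIND's default then permits transfers to any host, which is what the earlier test from 192.168.130.119 showed), any in allow-transfer or allow-recursion, allow-update not set to none, and an acl referenced before it is defined. The fragment is constructed from the snippets on this page; the built-in acl names are assumed to be BIND's actual ones, localhost and localnets.

```python
"""Audit a named.conf fragment for the controls in the notes (added example, not
the blog's or ISC's code): parse BIND's statement/block syntax, then check it."""
import re

TOKEN = re.compile(r'\{|\}|;|"[^"]*"|[^\s{};"]+')
COMMENT = re.compile(r"//[^\n]*|#[^\n]*|/\*.*?\*/", re.S)

def parse(tokens):
    """Return [(words, children)]: None for a 'key value;' statement, a list for a block."""
    stmts, words = [], []
    while tokens:
        tok = tokens.pop(0)
        if tok == "}":
            if words:                       # e.g. forwarders { 192.0.2.1 }
                raise SyntaxError("missing ';' before '}'")
            return stmts
        children = parse(tokens) if tok == "{" else None
        nxt = (tokens.pop(0) if tokens else "end of file") if tok == "{" else ";"
        if nxt != ";":                      # named also wants ';' after a block
            raise SyntaxError(f"missing ';' before '{nxt}'")
        if tok in ("{", ";"):
            stmts.append((words, children))
            words = []
        else:
            words.append(tok.strip('"'))
    return stmts

def audit(text):
    """Findings: master zone with no allow-transfer, any/none misuse, undefined acl."""
    findings, acls = [], {"any", "none", "localhost", "localnets"}
    for words, body in parse(TOKEN.findall(COMMENT.sub("", text))):
        where = " ".join(words[:2])
        sub = {w[0]: (w[1:], [m[0] for m, _ in c or []]) for w, c in body or [] if w}
        acls.update(words[1:2] if words[0] == "acl" else [])   # acl now defined
        if sub.get("type", ([""], []))[0] == ["master"] and "allow-transfer" not in sub:
            findings.append(f"{where}: no allow-transfer, any host may pull the zone")
        for key in ("allow-transfer", "allow-recursion", "allow-update"):
            for m in sub.get(key, ([], []))[1]:
                if m == "any" or key == "allow-update" and m != "none":
                    findings.append(f"{where}: {key} permits {m}")
                if m.lstrip("!")[0] not in "0123456789:" and m.lstrip("!") not in acls:
                    findings.append(f"{where}: {key} uses acl {m} before it is defined")
    return findings

# Constructed fragment: the acl is defined after options uses it; reverse zone unrestricted.
SAMPLE = """options { recursion yes; allow-recursion { trusted; }; };
acl trusted { 127.0.0.1; 192.168.130.0/24; };
zone "kaiyuandiantang.com" IN { type master; allow-transfer { 127.0.0.1; 192.168.130.117; }; };
zone "130.168.192.in-addr.arpa" IN { type master; file "130.168.192.zone"; };
"""
```

audit(SAMPLE) returns two findings, one for the acl used before its definition and one for the reverse zone left open to transfer; named-checkconf remains the authoritative syntax check, this script only mirrors its semicolon rule.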
This article is from the “开源殿堂” blog; please keep this attribution: http://kaiyuandiantang.blog.51cto.com/10699754/1964390
14. DNS forward and reverse resolution, master/slave replication, subdomain delegation, zone forwarding: study notes