
14. DNS forward and reverse resolution, master/slave replication, subdomain delegation, zone forwarding: study notes

Posted: 2017-09-11 18:21:43


DNS: Domain Name System

Listening port: 53, UDP and TCP (UDP for ordinary queries; TCP for zone transfers and for any answer too large for a UDP datagram)

Implementations: BIND (Berkeley Internet Name Domain), PowerDNS, dnsmasq


FQDN: Fully Qualified Domain Name

Forward resolution: FQDN --> IP

Reverse resolution: IP --> FQDN


Queries:

Recursive query (recursion): used between a client and its local DNS server (the server a client is pointed at must be one that is willing to recurse on behalf of that client)

Iterative query (iteration): used between the local DNS server and the root servers and the other authoritative servers it walks down to


Resource Records (RR)

Each resource record has a type, which determines what the record is used for:

SOA (Start Of Authority)    start of authority        marks the start of a zone and who is responsible for it

NS (Name Server)            name server               names an authoritative server for the zone

MX (Mail eXchanger)         mail exchanger            names a mail server for the zone

A (Address)                 FQDN --> IP

PTR (Pointer)               IP --> FQDN

CNAME (Canonical Name)      alias record


DNS server types:

Primary (master) DNS server

Secondary (slave) DNS server

Caching-only name server (carries only three zones: the root hints, localhost and 127.0.0.1; it is not authoritative for any domain and merely caches what it has resolved)


Forward and reverse resolution use different record types and must not be placed in the same zone file


DNS zone files (zone database files; every zone has its own name): plain-text files that may contain only resource records and directives ($TTL, $ORIGIN and the like)


Resource record format:

name        [ttl]        IN        RRtype        value

            ttl: how long resolvers may cache the record; when omitted, the zone's $TTL applies


SOA: exactly one per zone (and it must be the first record in the zone file)

name    the zone name, e.g. kaiyuandiantang.com., usually abbreviated as @

value   the FQDN of the primary DNS server, the zone contact's mailbox (admin.kaiyuandiantang.com. stands for admin@kaiyuandiantang.com) and five timers in parentheses


@    600    IN    SOA    ns1.kaiyuandiantang.com.  admin.kaiyuandiantang.com.(

serial number ;serial: a 32-bit unsigned decimal number (at most 10 digits), conventionally date-based such as 2017090601 (YYYYMMDDnn); it must be increased on every change, because a secondary only re-transfers the zone when it sees a serial higher than the copy it holds

refresh time  ;refresh: how often a secondary checks the primary for a newer serial

retry time    ;retry: how long a secondary waits before retrying a failed refresh; should be smaller than the refresh time

expire time   ;expire: how long a secondary keeps serving the zone after it last managed to reach the primary; when this runs out the secondary stops answering for the zone

negative answer ttl  ;negative TTL: how long resolvers may cache a negative (NXDOMAIN / no such record) answer


NS: there may be several

name    the zone name, usually abbreviated as @

value   the FQDN of a DNS server (a relative name may be used)

@    600     IN    NS    ns1


MX: there may be several

name    the zone name (the mail domain); the record names the SMTP server that accepts mail for it

value   a preference value followed by an FQDN (the preference is a 16-bit number, 0-65535, although 0-99 is customary; the lower the number, the more preferred the server)

@    600     IN     MX  10  mail


A: may only be defined in a forward zone file

name    FQDN (a relative name may be used)

value   IP address

www    600    IN     A     192.168.130.1


CNAME:

name    FQDN (the alias)

value   FQDN (the canonical name)


ftp     600    IN     CNAME      www


PTR: IP --> FQDN; may only be defined in a reverse zone file. The reverse zone's name is the network part of the address written in reverse, followed by the .in-addr.arpa. suffix

name    the host part of the address, also reversed; for 192.168.130.1 the name is 1, whose full form is 1.130.168.192.in-addr.arpa.

value   FQDN

3    600  IN  PTR  www.kaiyuandiantang.com.


Whenever a record's value is an FQDN (NS, MX, CNAME), that FQDN must itself resolve, so an A record should exist for it; for NS and MX names inside the zone the A record belongs in this zone file, which is what lets the server return it in the ADDITIONAL section of its answers


The main configuration file /etc/named.conf defines the zones (at least three: the root hints, localhost and 127.0.0.1)

The zone data directory /var/named/ holds the zone files (owner, group, mode: root, named, 640, so that named can read the files but not write them)


type {hint|master|slave|forward}

      root hints   primary   secondary   forwarding


Reverse zone file: the zone name is the reversed network address with the .in-addr.arpa suffix;

the first record must be the SOA;

it should carry NS records, but must not contain MX or A records;

the most common record is PTR, whose name is the reversed host part of the address
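The reverse zone is mechanically derived from the forward zone, and keeping the two in step by hand is where PTR records go stale. The shell script below is an added example, not part of the original notes: it computes the in-addr.arpa zone name for a /24 and generates the PTR records of that reverse zone from the A records of a forward zone file, skipping everything a reverse zone must not carry. The forward zone it reads is constructed inline to mirror the kaiyuandiantang.com example; the host `other` and its 10.0.0.5 address are invented to show that addresses outside the network are left out.

```shell
#!/bin/sh
# Added example, not part of the original notes: derive the in-addr.arpa
# zone name for a /24 and generate that reverse zone's PTR records from the
# A records of a forward zone file.  The forward zone text at the bottom is
# constructed to mirror the kaiyuandiantang.com example; every address in it
# is an assumption for the demo.

# reverse_zone_name NETWORK    e.g. 192.168.130 -> 130.168.192.in-addr.arpa
reverse_zone_name() {
    echo "$1" | awk -F. '{ printf "%s.%s.%s.in-addr.arpa\n", $3, $2, $1 }'
}

# ptr_records ZONE NETWORK < forward-zone-file
# Emits one PTR record per A record whose address lies in NETWORK/24.
# A relative owner name is qualified with ZONE; an absolute one (trailing
# dot) and the apex (@) are used as they are.  Lines whose owner is blank
# (inherited from the previous record), $-directives and comments are
# skipped, as are NS, MX and CNAME records: a reverse zone must not carry
# A or MX data.  Works whether or not the record has an explicit TTL.
ptr_records() {
    awk -v zone="$1" -v net="$2" '
        $1 == "IN" || $1 ~ /^\$/ || $1 ~ /^;/ { next }
        {
            for (i = 2; i < NF; i++) {
                if ($i == "A" && index($(i + 1), net ".") == 1) {
                    owner = $1
                    if (owner == "@") owner = zone "."
                    else if (owner !~ /\.$/) owner = owner "." zone "."
                    n = split($(i + 1), o, ".")
                    if (n == 4) printf "%-8s IN  PTR  %s\n", o[4], owner
                }
            }
        }'
}

# build_reverse_zone NETWORK ZONE < forward-zone-file
# Prints a complete reverse zone file: $TTL, SOA, NS, then the PTR records.
build_reverse_zone() {
    printf '$TTL 600\n'
    printf '@       IN      SOA     ns1.%s. admin.%s. (\n' "$2" "$2"
    printf '                        %s 1H 5M 3D 12H )\n' "$(date +%Y%m%d01)"
    printf '        IN      NS      ns1.%s.\n' "$2"
    ptr_records "$2" "$1"
}

# Constructed forward zone for the demo (mirrors the notes above).
FORWARD_ZONE='$TTL 600
@       IN      SOA     ns1.kaiyuandiantang.com.        admin.kaiyuandiantang.com. (
                        2017090601 1H 5M 3D 12H )
        IN      NS      ns1
        IN      MX  10  mail
ns1     IN      A       192.168.130.117
mail    600 IN  A       192.168.130.10
www     IN      A       192.168.130.20
other   IN      A       10.0.0.5
pop     IN      CNAME   mail'

printf '%s\n' "$FORWARD_ZONE" | build_reverse_zone 192.168.130 kaiyuandiantang.com
```

Run it against a real file with `build_reverse_zone 192.168.130 kaiyuandiantang.com < /var/named/kaiyuandiantang.com.zone > 130.168.192.zone`, then validate the result with `named-checkzone 130.168.192.in-addr.arpa 130.168.192.zone` exactly as the notes do before reloading.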


dig command:

# dig [-t type] [-x addr] [name] [@server]

+[no]trace      follow the delegation chain down from the root instead of asking a single server

+[no]recurse    set or clear the RD (recursion desired) bit in the query

+[no]tcp        use TCP instead of UDP


host command:

# host [-t type] {name} [server]


nslookup command (interactive mode):

nslookup>

server DNS_SERVER_IP

set q=TYPE

{name}


=========================================================================================

Forward and reverse resolution example (ns1: 192.168.130.117)

=========================================================================================

1. Install bind

[root@localhost ~]# yum -y install bind


2. Configure the main configuration file

(the sed below only hides the // comment lines. Note that this options block keeps recursion yes; together with allow-query { any; };, so the server is an open recursive resolver for anyone who can reach port 53 on it. That is fine in a lab; in production either restrict recursion with allow-recursion { <client networks>; }; or set recursion no; on a purely authoritative server.)

[root@localhost ~]# sed "/^\//d" /etc/named.conf 


options {

        directory       "/var/named";

        dump-file       "/var/named/data/cache_dump.db";

        statistics-file "/var/named/data/named_stats.txt";

        memstatistics-file "/var/named/data/named_mem_stats.txt";

        allow-query     { any; };

        recursion yes;



        /* Path to ISC DLV key */


};


logging {

        channel default_debug {

                file "data/named.run";

                severity dynamic;

        };

};


zone "." IN {

        type hint;

        file "named.ca";

};


include "/etc/named.rfc1912.zones";


3. Configure the forward zone (appended to /etc/named.rfc1912.zones)

[root@localhost ~]# tail -4 /etc/named.rfc1912.zones

zone "kaiyuandiantang.com" IN {

        type master;

        file "kaiyuandiantang.com.zone";

};


4. Create the forward zone file

[root@localhost named]# cat kaiyuandiantang.com.zone

$TTL 600

@       IN      SOA     ns1.kaiyuandiantang.com.        admin.kaiyuandiantang.com. (

                        2017090601

                        1H

                        5M

                        3D

                        12H

                        )

        IN      NS      ns1

        IN      MX  10  mail

ns1     IN      A       192.168.130.117

mail    IN      A       192.168.130.10

www     IN      A       192.168.130.20

pop     IN      CNAME   mail

web     IN      CNAME   www


5. Fix permissions, check the configuration and zone, and start the service

[root@localhost ~]# cd /var/named/

[root@localhost named]# chown root:named kaiyuandiantang.com.zone 

[root@localhost named]# chmod 640 kaiyuandiantang.com.zone 

[root@localhost named]# named-checkconf 

[root@localhost named]# named-checkzone "kaiyuandiantang.com" kaiyuandiantang.com.zone 

zone kaiyuandiantang.com/IN: loaded serial 2017090601

OK

[root@localhost named]# service named start

Generating /etc/rndc.key:                                  [  OK  ]

Starting named:                                            [  OK  ]

[root@localhost named]# service named reload   

Reloading named:                                           [  OK  ]

[root@localhost named]# tail /var/log/messages 

Aug 31 16:51:23 localhost named[20996]: managed-keys-zone ./IN: loaded serial 0

Aug 31 16:51:23 localhost named[20996]: running

Aug 31 16:51:29 localhost named[20996]: received control channel command 'reload'

Aug 31 16:51:29 localhost named[20996]: loading configuration from '/etc/named.conf'

Aug 31 16:51:29 localhost named[20996]: using default UDP/IPv4 port range: [1024, 65535]

Aug 31 16:51:29 localhost named[20996]: using default UDP/IPv6 port range: [1024, 65535]

Aug 31 16:51:29 localhost named[20996]: sizing zone task pool based on 7 zones

Aug 31 16:51:29 localhost named[20996]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones

Aug 31 16:51:29 localhost named[20996]: reloading configuration succeeded

Aug 31 16:51:29 localhost named[20996]: reloading zones succeeded



6. Test

[root@localhost named]# dig -t NS kaiyuandiantang.com @192.168.130.117 


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t NS kaiyuandiantang.com @192.168.130.117

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3470

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1


;; QUESTION SECTION:

;kaiyuandiantang.com.           IN      NS


;; ANSWER SECTION:

kaiyuandiantang.com.    600     IN      NS      ns1.kaiyuandiantang.com.


;; ADDITIONAL SECTION:

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117


;; Query time: 0 msec

;; SERVER: 192.168.130.117#53(192.168.130.117)

;; WHEN: Thu Aug 31 16:53:46 2017

;; MSG SIZE  rcvd: 71


[root@localhost named]# 

[root@localhost named]# dig -t MX kaiyuandiantang.com @192.168.130.117  


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t MX kaiyuandiantang.com @192.168.130.117

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38626

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2


;; QUESTION SECTION:

;kaiyuandiantang.com.           IN      MX


;; ANSWER SECTION:

kaiyuandiantang.com.    600     IN      MX      10 mail.kaiyuandiantang.com.


;; AUTHORITY SECTION:

kaiyuandiantang.com.    600     IN      NS      ns1.kaiyuandiantang.com.


;; ADDITIONAL SECTION:

mail.kaiyuandiantang.com. 600   IN      A       192.168.130.10

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117


;; Query time: 0 msec

;; SERVER: 192.168.130.117#53(192.168.130.117)

;; WHEN: Thu Aug 31 16:53:53 2017

;; MSG SIZE  rcvd: 108


[root@localhost named]# 

[root@localhost named]# dig -t A www.kaiyuandiantang.com @192.168.130.117


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A www.kaiyuandiantang.com @192.168.130.117

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46757

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1


;; QUESTION SECTION:

;www.kaiyuandiantang.com.       IN      A


;; ANSWER SECTION:

www.kaiyuandiantang.com. 600    IN      A       192.168.130.20


;; AUTHORITY SECTION:

kaiyuandiantang.com.    600     IN      NS      ns1.kaiyuandiantang.com.


;; ADDITIONAL SECTION:

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117


;; Query time: 0 msec

;; SERVER: 192.168.130.117#53(192.168.130.117)

;; WHEN: Thu Aug 31 16:54:09 2017

;; MSG SIZE  rcvd: 91


[root@localhost named]# 



7. Configure the reverse zone

[root@localhost named]# tail -9 /etc/named.rfc1912.zones

zone "kaiyuandiantang.com" IN {

        type master;

        file "kaiyuandiantang.com.zone";

};


zone "130.168.192.in-addr.arpa" IN {

        type master;

        file "130.168.192.zone";

};


8. Create the reverse zone file

[root@localhost named]# cat 130.168.192.zone

$TTL 600

@       IN      SOA     ns1.kaiyuandiantang.com.        admin.kaiyuandiantang.com. (

                        2017090601

                        1H

                        5M

                        3D

                        12H

                        )

        IN      NS      ns1.kaiyuandiantang.com.

117     IN      PTR     ns1.kaiyuandiantang.com.

10      IN      PTR     mail.kaiyuandiantang.com.

20      IN      PTR     www.kaiyuandiantang.com.


9. Fix permissions, check the zone, and reload the service

[root@localhost named]# chown root:named 130.168.192.zone 

[root@localhost named]# chmod 640 130.168.192.zone 

[root@localhost named]# named-checkconf 

[root@localhost named]# named-checkzone "130.168.192.in-addr.arpa" 130.168.192.zone 

zone 130.168.192.in-addr.arpa/IN: loaded serial 2017090601

OK

[root@localhost named]# service named reload

Reloading named:                                           [  OK  ]

[root@localhost named]# tail /var/log/messages 

Aug 31 16:51:29 localhost named[20996]: reloading zones succeeded

Aug 31 17:08:42 localhost named[20996]: received control channel command 'reload'

Aug 31 17:08:42 localhost named[20996]: loading configuration from '/etc/named.conf'

Aug 31 17:08:42 localhost named[20996]: using default UDP/IPv4 port range: [1024, 65535]

Aug 31 17:08:42 localhost named[20996]: using default UDP/IPv6 port range: [1024, 65535]

Aug 31 17:08:42 localhost named[20996]: sizing zone task pool based on 8 zones

Aug 31 17:08:42 localhost named[20996]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones

Aug 31 17:08:42 localhost named[20996]: reloading configuration succeeded

Aug 31 17:08:42 localhost named[20996]: zone 130.168.192.in-addr.arpa/IN: loaded serial 2017090601

Aug 31 17:08:42 localhost named[20996]: reloading zones succeeded


10. Test

[root@localhost named]# dig -x 192.168.130.117 @192.168.130.117


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -x 192.168.130.117 @192.168.130.117

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6475

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1


;; QUESTION SECTION:

;117.130.168.192.in-addr.arpa.  IN      PTR


;; ANSWER SECTION:

117.130.168.192.in-addr.arpa. 600 IN    PTR     ns1.kaiyuandiantang.com.


;; AUTHORITY SECTION:

130.168.192.in-addr.arpa. 600   IN      NS      ns1.kaiyuandiantang.com.


;; ADDITIONAL SECTION:

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117


;; Query time: 1 msec

;; SERVER: 192.168.130.117#53(192.168.130.117)

;; WHEN: Thu Aug 31 17:09:56 2017

;; MSG SIZE  rcvd: 113


[root@localhost named]# 

[root@localhost named]# dig -x 192.168.130.10 @192.168.130.117 


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -x 192.168.130.10 @192.168.130.117

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63381

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1


;; QUESTION SECTION:

;10.130.168.192.in-addr.arpa.   IN      PTR


;; ANSWER SECTION:

10.130.168.192.in-addr.arpa. 600 IN     PTR     mail.kaiyuandiantang.com.


;; AUTHORITY SECTION:

130.168.192.in-addr.arpa. 600   IN      NS      ns1.kaiyuandiantang.com.


;; ADDITIONAL SECTION:

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117


;; Query time: 0 msec

;; SERVER: 192.168.130.117#53(192.168.130.117)

;; WHEN: Thu Aug 31 17:10:01 2017

;; MSG SIZE  rcvd: 117


[root@localhost named]# 

[root@localhost named]# dig -x 192.168.130.20 @192.168.130.117 


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -x 192.168.130.20 @192.168.130.117

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26960

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1


;; QUESTION SECTION:

;20.130.168.192.in-addr.arpa.   IN      PTR


;; ANSWER SECTION:

20.130.168.192.in-addr.arpa. 600 IN     PTR     www.kaiyuandiantang.com.


;; AUTHORITY SECTION:

130.168.192.in-addr.arpa. 600   IN      NS      ns1.kaiyuandiantang.com.


;; ADDITIONAL SECTION:

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117


;; Query time: 0 msec

;; SERVER: 192.168.130.117#53(192.168.130.117)

;; WHEN: Thu Aug 31 17:10:08 2017

;; MSG SIZE  rcvd: 116


[root@localhost named]# 




Zone transfer:

the process by which a secondary DNS server requests the zone data from the primary or from another secondary;


Full zone transfer: transfers all data of the zone, AXFR

Incremental zone transfer: transfers only the part of the zone that changed, IXFR


Simulating a full zone transfer with dig:

# dig -t axfr ZONE_NAME @server

dig -t axfr kaiyuandiantang.com @192.168.130.117


Master/slave:

master: its bind version may be lower than the slave's;


Two key steps to add a slave to a zone:

get the delegation at the parent (the parent zone's NS records must list the new server, otherwise nobody will ask it)

add an NS record for the slave, plus the matching A record (or PTR record in a reverse zone), to the zone file on the master;


zone "kaiyuandiantang.com" IN {

     type slave;

     masters { 192.168.130.117; };

     file "slaves/kaiyuandiantang.com.zone";

};


Zone transfer access control (the BIND 9.8 used here answers AXFR from any address unless this is set, as step 11 of the example below shows):

allow-transfer { IP; };


=========================================================================================

Master/slave replication example (ns1: 192.168.130.117, ns2: 192.168.130.118)

=========================================================================================

1. Edit the forward zone file on ns1, adding an NS record and an A record for ns2 (note that the serial was left at 2017090601; named warns about this in the log below, and it only works here because ns2 has not transferred the zone yet. Bump the serial on every change.)

[root@localhost ~]# cat /var/named/kaiyuandiantang.com.zone

$TTL 600

@       IN      SOA     ns1.kaiyuandiantang.com.        admin.kaiyuandiantang.com. (

                        2017090601

                        1H

                        5M

                        3D

                        12H

                        )

        IN      NS      ns1

        IN      NS      ns2

        IN      MX  10  mail

ns1     IN      A       192.168.130.117

ns2     IN      A       192.168.130.118

mail    IN      A       192.168.130.10

www     IN      A       192.168.130.20

pop     IN      CNAME   mail

web     IN      CNAME   www


[root@localhost ~]# service named reload

Reloading named:                                           [  OK  ]

[root@localhost ~]# tail /var/log/messages 

Sep  1 08:48:47 localhost named[20996]: loading configuration from '/etc/named.conf'

Sep  1 08:48:47 localhost named[20996]: using default UDP/IPv4 port range: [1024, 65535]

Sep  1 08:48:47 localhost named[20996]: using default UDP/IPv6 port range: [1024, 65535]

Sep  1 08:48:47 localhost named[20996]: sizing zone task pool based on 8 zones

Sep  1 08:48:47 localhost named[20996]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones

Sep  1 08:48:47 localhost named[20996]: reloading configuration succeeded

Sep  1 08:48:47 localhost named[20996]: reloading zones succeeded

Sep  1 08:48:47 localhost named[20996]: zone kaiyuandiantang.com/IN: zone serial (2017090601) unchanged. zone may fail to transfer to slaves.

Sep  1 08:48:47 localhost named[20996]: zone kaiyuandiantang.com/IN: loaded serial 2017090601

Sep  1 08:48:47 localhost named[20996]: zone kaiyuandiantang.com/IN: sending notifies (serial 2017090601)


2. Install bind on ns2

yum -y install bind


3. Configure the main configuration file on ns2

[root@localhost ~]# sed "/^\//d" /etc/named.conf


options {

        directory       "/var/named";

        dump-file       "/var/named/data/cache_dump.db";

        statistics-file "/var/named/data/named_stats.txt";

        memstatistics-file "/var/named/data/named_mem_stats.txt";

        allow-query     { any; };

        recursion yes;



        /* Path to ISC DLV key */


};


logging {

        channel default_debug {

                file "data/named.run";

                severity dynamic;

        };

};


zone "." IN {

        type hint;

        file "named.ca";

};


include "/etc/named.rfc1912.zones";


4. Configure the forward zone on ns2 (as a slave)

[root@localhost ~]# tail -5 /etc/named.rfc1912.zones

zone "kaiyuandiantang.com" IN {

        type slave;

        masters { 192.168.130.117; };

        file "slaves/kaiyuandiantang.com.zone";

};


5. Start the service on ns2

[root@localhost ~]# named-checkconf 

[root@localhost ~]# service named start

Generating /etc/rndc.key:                                  [  OK  ]

Starting named:                                            [  OK  ]

[root@localhost ~]# service named reload

Reloading named:                                           [  OK  ]

[root@localhost ~]# tail -20 /var/log/messages 

Sep  2 14:20:56 localhost named[22632]: zone 0.in-addr.arpa/IN: loaded serial 0

Sep  2 14:20:56 localhost named[22632]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0

Sep  2 14:20:56 localhost named[22632]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0

Sep  2 14:20:56 localhost named[22632]: zone localhost.localdomain/IN: loaded serial 0

Sep  2 14:20:56 localhost named[22632]: zone localhost/IN: loaded serial 0

Sep  2 14:20:56 localhost named[22632]: managed-keys-zone ./IN: loaded serial 0

Sep  2 14:20:56 localhost named[22632]: running

Sep  2 14:20:56 localhost named[22632]: zone kaiyuandiantang.com/IN: Transfer started.

Sep  2 14:20:56 localhost named[22632]: transfer of 'kaiyuandiantang.com/IN' from 192.168.130.117#53: connected using 192.168.130.118#43804

Sep  2 14:20:56 localhost named[22632]: zone kaiyuandiantang.com/IN: transferred serial 2017090601

Sep  2 14:20:56 localhost named[22632]: transfer of 'kaiyuandiantang.com/IN' from 192.168.130.117#53: Transfer completed: 1 messages, 11 records, 276 bytes, 0.001 secs (276000 bytes/sec)

Sep  2 14:20:56 localhost named[22632]: zone kaiyuandiantang.com/IN: sending notifies (serial 2017090601)

Sep  2 14:21:00 localhost named[22632]: received control channel command 'reload'

Sep  2 14:21:00 localhost named[22632]: loading configuration from '/etc/named.conf'

Sep  2 14:21:00 localhost named[22632]: using default UDP/IPv4 port range: [1024, 65535]

Sep  2 14:21:00 localhost named[22632]: using default UDP/IPv6 port range: [1024, 65535]

Sep  2 14:21:00 localhost named[22632]: sizing zone task pool based on 7 zones

Sep  2 14:21:00 localhost named[22632]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones

Sep  2 14:21:00 localhost named[22632]: reloading configuration succeeded

Sep  2 14:21:00 localhost named[22632]: reloading zones succeeded


6. Verify and test

[root@localhost ~]# cat /var/named/slaves/kaiyuandiantang.com.zone 

$ORIGIN .

$TTL 600        ; 10 minutes

kaiyuandiantang.com     IN SOA  ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. (

                                2017090601 ; serial

                                3600       ; refresh (1 hour)

                                300        ; retry (5 minutes)

                                259200     ; expire (3 days)

                                43200      ; minimum (12 hours)

                                )

                        NS      ns1.kaiyuandiantang.com.

                        NS      ns2.kaiyuandiantang.com.

                        MX      10 mail.kaiyuandiantang.com.

$ORIGIN kaiyuandiantang.com.

mail                    A       192.168.130.10

ns1                     A       192.168.130.117

ns2                     A       192.168.130.118

pop                     CNAME   mail

web                     CNAME   www

www                     A       192.168.130.20


[root@localhost ~]# dig -t NS kaiyuandiantang.com @192.168.130.118


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t NS kaiyuandiantang.com @192.168.130.118

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28940

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2


;; QUESTION SECTION:

;kaiyuandiantang.com.           IN      NS


;; ANSWER SECTION:

kaiyuandiantang.com.    600     IN      NS      ns1.kaiyuandiantang.com.

kaiyuandiantang.com.    600     IN      NS      ns2.kaiyuandiantang.com.


;; ADDITIONAL SECTION:

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117

ns2.kaiyuandiantang.com. 600    IN      A       192.168.130.118


;; Query time: 1 msec

;; SERVER: 192.168.130.118#53(192.168.130.118)

;; WHEN: Sat Sep  2 14:24:08 2017

;; MSG SIZE  rcvd: 105


[root@localhost ~]# 

[root@localhost ~]# dig -t MX kaiyuandiantang.com @192.168.130.118


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t MX kaiyuandiantang.com @192.168.130.118

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27789

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3


;; QUESTION SECTION:

;kaiyuandiantang.com.           IN      MX


;; ANSWER SECTION:

kaiyuandiantang.com.    600     IN      MX      10 mail.kaiyuandiantang.com.


;; AUTHORITY SECTION:

kaiyuandiantang.com.    600     IN      NS      ns2.kaiyuandiantang.com.

kaiyuandiantang.com.    600     IN      NS      ns1.kaiyuandiantang.com.


;; ADDITIONAL SECTION:

mail.kaiyuandiantang.com. 600   IN      A       192.168.130.10

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117

ns2.kaiyuandiantang.com. 600    IN      A       192.168.130.118


;; Query time: 1 msec

;; SERVER: 192.168.130.118#53(192.168.130.118)

;; WHEN: Sat Sep  2 14:24:29 2017

;; MSG SIZE  rcvd: 142


[root@localhost ~]# 

[root@localhost ~]# dig -t A mail.kaiyuandiantang.com @192.168.130.118


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A mail.kaiyuandiantang.com @192.168.130.118

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7090

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2


;; QUESTION SECTION:

;mail.kaiyuandiantang.com.      IN      A


;; ANSWER SECTION:

mail.kaiyuandiantang.com. 600   IN      A       192.168.130.10


;; AUTHORITY SECTION:

kaiyuandiantang.com.    600     IN      NS      ns1.kaiyuandiantang.com.

kaiyuandiantang.com.    600     IN      NS      ns2.kaiyuandiantang.com.


;; ADDITIONAL SECTION:

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117

ns2.kaiyuandiantang.com. 600    IN      A       192.168.130.118


;; Query time: 0 msec

;; SERVER: 192.168.130.118#53(192.168.130.118)

;; WHEN: Sat Sep  2 14:24:56 2017

;; MSG SIZE  rcvd: 126


[root@localhost ~]# 

[root@localhost ~]# dig -t A www.kaiyuandiantang.com @192.168.130.118    


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A www.kaiyuandiantang.com @192.168.130.118

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2339

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2


;; QUESTION SECTION:

;www.kaiyuandiantang.com.       IN      A


;; ANSWER SECTION:

www.kaiyuandiantang.com. 600    IN      A       192.168.130.20


;; AUTHORITY SECTION:

kaiyuandiantang.com.    600     IN      NS      ns1.kaiyuandiantang.com.

kaiyuandiantang.com.    600     IN      NS      ns2.kaiyuandiantang.com.


;; ADDITIONAL SECTION:

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117

ns2.kaiyuandiantang.com. 600    IN      A       192.168.130.118


;; Query time: 0 msec

;; SERVER: 192.168.130.118#53(192.168.130.118)

;; WHEN: Sat Sep  2 14:25:05 2017

;; MSG SIZE  rcvd: 125



7. Edit the reverse zone file on ns1, adding an NS record and a PTR record for ns2 (the serial was again left unchanged; see the warning in the log below)

[root@localhost ~]# cat /var/named/130.168.192.zone

$TTL 600

@       IN      SOA     ns1.kaiyuandiantang.com.        admin.kaiyuandiantang.com. (

                        2017090601

                        1H

                        5M

                        3D

                        12H

                        )

        IN      NS      ns1.kaiyuandiantang.com.

        IN      NS      ns2.kaiyuandiantang.com.

117     IN      PTR     ns1.kaiyuandiantang.com.

118     IN      PTR     ns2.kaiyuandiantang.com.

10      IN      PTR     mail.kaiyuandiantang.com.

20      IN      PTR     www.kaiyuandiantang.com.


[root@localhost ~]# service named reload

Reloading named:                                           [  OK  ]

[root@localhost ~]# tail /var/log/messages 

Sep  1 09:35:38 localhost named[20996]: loading configuration from '/etc/named.conf'

Sep  1 09:35:38 localhost named[20996]: using default UDP/IPv4 port range: [1024, 65535]

Sep  1 09:35:38 localhost named[20996]: using default UDP/IPv6 port range: [1024, 65535]

Sep  1 09:35:38 localhost named[20996]: sizing zone task pool based on 8 zones

Sep  1 09:35:38 localhost named[20996]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones

Sep  1 09:35:38 localhost named[20996]: reloading configuration succeeded

Sep  1 09:35:38 localhost named[20996]: reloading zones succeeded

Sep  1 09:35:38 localhost named[20996]: zone 130.168.192.in-addr.arpa/IN: zone serial (2017090601) unchanged. zone may fail to transfer to slaves.

Sep  1 09:35:38 localhost named[20996]: zone 130.168.192.in-addr.arpa/IN: loaded serial 2017090601

Sep  1 09:35:39 localhost named[20996]: zone 130.168.192.in-addr.arpa/IN: sending notifies (serial 2017090601)
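Both the step 1 reload of the forward zone and the step 7 reload of the reverse zone above were done without changing the serial, and named said so each time ("zone serial (2017090601) unchanged. zone may fail to transfer to slaves"). It worked in this lab only because ns2 had not yet transferred the zone in question; once a secondary holds a copy, it re-transfers only when the primary's serial is higher than its own. The script below is an added example, not part of the original notes: it bumps the serial of a zone file in place, following the YYYYMMDDnn convention used here. The zone text it operates on is a constructed copy of the forward zone from step 1.

```shell
#!/bin/sh
# Added example, not part of the original notes: bump the SOA serial of a
# zone file in the YYYYMMDDnn style these notes use, so that a reload is
# followed by a real transfer to the secondaries.  The zone text at the end
# is constructed for the demo.

# next_serial CURRENT [TODAY]  -> the next serial (TODAY defaults to today)
# Continue today's sequence if CURRENT already carries today's date, else
# start at <today>01; either way the result must exceed CURRENT (a serial
# set by hand may be far ahead), and the field is a 32-bit unsigned
# integer, so refuse to wrap past 4294967295.
next_serial() {
    cur=$1
    today=${2:-$(date +%Y%m%d)}
    case $cur in
        "$today"[0-9][0-9]) cand=$((cur + 1)) ;;
        *)                  cand=${today}01 ;;
    esac
    [ "$cand" -gt "$cur" ] || cand=$((cur + 1))
    [ "$cand" -le 4294967295 ] || { echo "serial would overflow" >&2; return 1; }
    echo "$cand"
}

# zone_serial FILE  -> the serial: the first integer after the "(" that
# opens the SOA record, so a TTL on the SOA line itself is not mistaken
# for it.
zone_serial() {
    awk '
        /[ \t]SOA[ \t]/ { insoa = 1 }
        insoa {
            s = $0
            if (!open) { p = index(s, "("); if (!p) next; s = substr(s, p + 1); open = 1 }
            n = split(s, f, /[ \t]+/)
            for (i = 1; i <= n; i++) if (f[i] ~ /^[0-9]+$/) { print f[i]; exit }
        }' "$1"
}

# set_zone_serial FILE OLD NEW  rewrites FILE in place, replacing the first
# whole-number occurrence of OLD after the SOA "(" with NEW.
set_zone_serial() {
    tmp="$1.tmp.$$"
    awk -v old="$2" -v new="$3" '
        /[ \t]SOA[ \t]/ { insoa = 1 }
        insoa && !open && index($0, "(") { open = 1 }
        insoa && open && !done && match($0, "(^|[^0-9])" old "([^0-9]|$)") {
            m = substr($0, RSTART, RLENGTH); sub(old, new, m)
            $0 = substr($0, 1, RSTART - 1) m substr($0, RSTART + RLENGTH)
            done = 1
        }
        { print }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# bump_zone_serial FILE [TODAY]  -> prints the new serial
bump_zone_serial() {
    old=$(zone_serial "$1")
    [ -n "$old" ] || { echo "no SOA serial found in $1" >&2; return 1; }
    new=$(next_serial "$old" "$2") || return 1
    set_zone_serial "$1" "$old" "$new" && echo "$new"
}

# Demo on a constructed copy of the notes' forward zone.
DEMO_ZONE=$(mktemp)
cat > "$DEMO_ZONE" <<'EOF'
$TTL 600
@       IN      SOA     ns1.kaiyuandiantang.com.        admin.kaiyuandiantang.com. (
                        2017090601
                        1H
                        5M
                        3D
                        12H
                        )
        IN      NS      ns1
ns1     IN      A       192.168.130.117
EOF
bump_zone_serial "$DEMO_ZONE" 20170906    # same day as the old serial: 2017090602
bump_zone_serial "$DEMO_ZONE" 20170907    # next day: 2017090701
```

On the primary the real sequence is then `bump_zone_serial /var/named/kaiyuandiantang.com.zone`, `named-checkzone kaiyuandiantang.com /var/named/kaiyuandiantang.com.zone`, and `rndc reload` (or `service named reload`); the "sending notifies" line in the log should then be followed on ns2 by a "Transfer completed" line carrying the new serial.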


8. Configure the reverse zone on ns2

[root@localhost ~]# tail -11 /etc/named.rfc1912.zones

zone "kaiyuandiantang.com" IN {

        type slave;

        masters { 192.168.130.117; };

        file "slaves/kaiyuandiantang.com.zone";

};


zone "130.168.192.in-addr.arpa" IN {

        type slave;

        masters { 192.168.130.117; };

        file "slaves/130.168.192.zone";

};


9. Reload the service on ns2

[root@localhost ~]# named-checkconf 

[root@localhost ~]# service named reload

Reloading named:                                           [  OK  ]

[root@localhost ~]# tail /var/log/messages 

Sep  2 14:43:39 localhost named[22632]: using default UDP/IPv6 port range: [1024, 65535]

Sep  2 14:43:39 localhost named[22632]: sizing zone task pool based on 8 zones

Sep  2 14:43:39 localhost named[22632]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones

Sep  2 14:43:39 localhost named[22632]: reloading configuration succeeded

Sep  2 14:43:39 localhost named[22632]: reloading zones succeeded

Sep  2 14:43:39 localhost named[22632]: zone 130.168.192.in-addr.arpa/IN: Transfer started.

Sep  2 14:43:39 localhost named[22632]: transfer of '130.168.192.in-addr.arpa/IN' from 192.168.130.117#53: connected using 192.168.130.118#51094

Sep  2 14:43:39 localhost named[22632]: zone 130.168.192.in-addr.arpa/IN: transferred serial 2017090601

Sep  2 14:43:39 localhost named[22632]: transfer of '130.168.192.in-addr.arpa/IN' from 192.168.130.117#53: Transfer completed: 1 messages, 8 records, 254 bytes, 0.001 secs (254000 bytes/sec)

Sep  2 14:43:39 localhost named[22632]: zone 130.168.192.in-addr.arpa/IN: sending notifies (serial 2017090601)


10. Verify and test

[root@localhost ~]# cat /var/named/slaves/130.168.192.zone 

$ORIGIN .

$TTL 600        ; 10 minutes

130.168.192.in-addr.arpa IN SOA ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. (

                                2017090601 ; serial

                                3600       ; refresh (1 hour)

                                300        ; retry (5 minutes)

                                259200     ; expire (3 days)

                                43200      ; minimum (12 hours)

                                )

                        NS      ns1.kaiyuandiantang.com.

                        NS      ns2.kaiyuandiantang.com.

$ORIGIN 130.168.192.in-addr.arpa.

10                      PTR     mail.kaiyuandiantang.com.

117                     PTR     ns1.kaiyuandiantang.com.

118                     PTR     ns2.kaiyuandiantang.com.

20                      PTR     www.kaiyuandiantang.com.


[root@localhost ~]# dig -x 192.168.130.117 @192.168.130.118


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -x 192.168.130.117 @192.168.130.118

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25446

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2


;; QUESTION SECTION:

;117.130.168.192.in-addr.arpa.  IN      PTR


;; ANSWER SECTION:

117.130.168.192.in-addr.arpa. 600 IN    PTR     ns1.kaiyuandiantang.com.


;; AUTHORITY SECTION:

130.168.192.in-addr.arpa. 600   IN      NS      ns1.kaiyuandiantang.com.

130.168.192.in-addr.arpa. 600   IN      NS      ns2.kaiyuandiantang.com.


;; ADDITIONAL SECTION:

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117

ns2.kaiyuandiantang.com. 600    IN      A       192.168.130.118


;; Query time: 0 msec

;; SERVER: 192.168.130.118#53(192.168.130.118)

;; WHEN: Sat Sep  2 15:07:54 2017

;; MSG SIZE  rcvd: 147


[root@localhost ~]# 

[root@localhost ~]# dig -x 192.168.130.118 @192.168.130.118


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -x 192.168.130.118 @192.168.130.118

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37094

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2


;; QUESTION SECTION:

;118.130.168.192.in-addr.arpa.  IN      PTR


;; ANSWER SECTION:

118.130.168.192.in-addr.arpa. 600 IN    PTR     ns2.kaiyuandiantang.com.


;; AUTHORITY SECTION:

130.168.192.in-addr.arpa. 600   IN      NS      ns2.kaiyuandiantang.com.

130.168.192.in-addr.arpa. 600   IN      NS      ns1.kaiyuandiantang.com.


;; ADDITIONAL SECTION:

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117

ns2.kaiyuandiantang.com. 600    IN      A       192.168.130.118


;; Query time: 0 msec

;; SERVER: 192.168.130.118#53(192.168.130.118)

;; WHEN: Sat Sep  2 15:08:01 2017

;; MSG SIZE  rcvd: 147


[root@localhost ~]# 

[root@localhost ~]# dig -x 192.168.130.10 @192.168.130.118 


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -x 192.168.130.10 @192.168.130.118

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11469

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2


;; QUESTION SECTION:

;10.130.168.192.in-addr.arpa.   IN      PTR


;; ANSWER SECTION:

10.130.168.192.in-addr.arpa. 600 IN     PTR     mail.kaiyuandiantang.com.


;; AUTHORITY SECTION:

130.168.192.in-addr.arpa. 600   IN      NS      ns2.kaiyuandiantang.com.

130.168.192.in-addr.arpa. 600   IN      NS      ns1.kaiyuandiantang.com.


;; ADDITIONAL SECTION:

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117

ns2.kaiyuandiantang.com. 600    IN      A       192.168.130.118


;; Query time: 0 msec

;; SERVER: 192.168.130.118#53(192.168.130.118)

;; WHEN: Sat Sep  2 15:08:10 2017

;; MSG SIZE  rcvd: 151


[root@localhost ~]# 

[root@localhost ~]# dig -x 192.168.130.20 @192.168.130.118 


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -x 192.168.130.20 @192.168.130.118

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64194

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2


;; QUESTION SECTION:

;20.130.168.192.in-addr.arpa.   IN      PTR


;; ANSWER SECTION:

20.130.168.192.in-addr.arpa. 600 IN     PTR     www.kaiyuandiantang.com.


;; AUTHORITY SECTION:

130.168.192.in-addr.arpa. 600   IN      NS      ns1.kaiyuandiantang.com.

130.168.192.in-addr.arpa. 600   IN      NS      ns2.kaiyuandiantang.com.


;; ADDITIONAL SECTION:

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117

ns2.kaiyuandiantang.com. 600    IN      A       192.168.130.118


;; Query time: 0 msec

;; SERVER: 192.168.130.118#53(192.168.130.118)

;; WHEN: Sat Sep  2 15:08:14 2017

;; MSG SIZE  rcvd: 150


11. At this point zone transfers have a security problem: any machine that knows the zone name and the DNS server's IP can pull the entire zone database file. This is controlled by adding allow-transfer.

Before adding allow-transfer (tested from 192.168.130.119)

[root@localhost ~]# dig -t axfr kaiyuandiantang.com @192.168.130.117


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t axfr kaiyuandiantang.com @192.168.130.117

;; global options: +cmd

kaiyuandiantang.com.    600     IN      SOA     ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. 2017090601 3600 300 259200 43200

kaiyuandiantang.com.    600     IN      NS      ns1.kaiyuandiantang.com.

kaiyuandiantang.com.    600     IN      NS      ns2.kaiyuandiantang.com.

kaiyuandiantang.com.    600     IN      MX      10 mail.kaiyuandiantang.com.

mail.kaiyuandiantang.com. 600   IN      A       192.168.130.10

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117

ns2.kaiyuandiantang.com. 600    IN      A       192.168.130.118

pop.kaiyuandiantang.com. 600    IN      CNAME   mail.kaiyuandiantang.com.

web.kaiyuandiantang.com. 600    IN      CNAME   www.kaiyuandiantang.com.

www.kaiyuandiantang.com. 600    IN      A       192.168.130.20

kaiyuandiantang.com.    600     IN      SOA     ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. 2017090601 3600 300 259200 43200

;; Query time: 6 msec

;; SERVER: 192.168.130.117#53(192.168.130.117)

;; WHEN: Thu Sep  7 11:49:50 2017

;; XFR size: 11 records (messages 1, bytes 276)


[root@localhost ~]# 

[root@localhost ~]# dig -t axfr kaiyuandiantang.com @192.168.130.118


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t axfr kaiyuandiantang.com @192.168.130.118

;; global options: +cmd

kaiyuandiantang.com.    600     IN      SOA     ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. 2017090601 3600 300 259200 43200

kaiyuandiantang.com.    600     IN      MX      10 mail.kaiyuandiantang.com.

kaiyuandiantang.com.    600     IN      NS      ns1.kaiyuandiantang.com.

kaiyuandiantang.com.    600     IN      NS      ns2.kaiyuandiantang.com.

mail.kaiyuandiantang.com. 600   IN      A       192.168.130.10

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117

ns2.kaiyuandiantang.com. 600    IN      A       192.168.130.118

pop.kaiyuandiantang.com. 600    IN      CNAME   mail.kaiyuandiantang.com.

web.kaiyuandiantang.com. 600    IN      CNAME   www.kaiyuandiantang.com.

www.kaiyuandiantang.com. 600    IN      A       192.168.130.20

kaiyuandiantang.com.    600     IN      SOA     ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. 2017090601 3600 300 259200 43200

;; Query time: 4 msec

;; SERVER: 192.168.130.118#53(192.168.130.118)

;; WHEN: Thu Sep  7 11:49:56 2017

;; XFR size: 11 records (messages 1, bytes 276)


[root@localhost ~]# 

[root@localhost ~]# dig -t axfr 130.168.192.in-addr.arpa @192.168.130.117


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t axfr 130.168.192.in-addr.arpa @192.168.130.117

;; global options: +cmd

130.168.192.in-addr.arpa. 600   IN      SOA     ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. 2017090601 3600 300 259200 43200

130.168.192.in-addr.arpa. 600   IN      NS      ns1.kaiyuandiantang.com.

130.168.192.in-addr.arpa. 600   IN      NS      ns2.kaiyuandiantang.com.

10.130.168.192.in-addr.arpa. 600 IN     PTR     mail.kaiyuandiantang.com.

117.130.168.192.in-addr.arpa. 600 IN    PTR     ns1.kaiyuandiantang.com.

118.130.168.192.in-addr.arpa. 600 IN    PTR     ns2.kaiyuandiantang.com.

20.130.168.192.in-addr.arpa. 600 IN     PTR     www.kaiyuandiantang.com.

130.168.192.in-addr.arpa. 600   IN      SOA     ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. 2017090601 3600 300 259200 43200

;; Query time: 1 msec

;; SERVER: 192.168.130.117#53(192.168.130.117)

;; WHEN: Thu Sep  7 11:50:26 2017

;; XFR size: 8 records (messages 1, bytes 254)


[root@localhost ~]# 

[root@localhost ~]# dig -t axfr 130.168.192.in-addr.arpa @192.168.130.118


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t axfr 130.168.192.in-addr.arpa @192.168.130.118

;; global options: +cmd

130.168.192.in-addr.arpa. 600   IN      SOA     ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. 2017090601 3600 300 259200 43200

130.168.192.in-addr.arpa. 600   IN      NS      ns1.kaiyuandiantang.com.

130.168.192.in-addr.arpa. 600   IN      NS      ns2.kaiyuandiantang.com.

10.130.168.192.in-addr.arpa. 600 IN     PTR     mail.kaiyuandiantang.com.

117.130.168.192.in-addr.arpa. 600 IN    PTR     ns1.kaiyuandiantang.com.

118.130.168.192.in-addr.arpa. 600 IN    PTR     ns2.kaiyuandiantang.com.

20.130.168.192.in-addr.arpa. 600 IN     PTR     www.kaiyuandiantang.com.

130.168.192.in-addr.arpa. 600   IN      SOA     ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. 2017090601 3600 300 259200 43200

;; Query time: 9 msec

;; SERVER: 192.168.130.118#53(192.168.130.118)

;; WHEN: Thu Sep  7 11:50:38 2017

;; XFR size: 8 records (messages 1, bytes 254)


[root@localhost ~]# 



Add allow-transfer on ns1

[root@localhost ~]# tail -11 /etc/named.rfc1912.zones

zone "kaiyuandiantang.com" IN {

        type master;

        file "kaiyuandiantang.com.zone";

        allow-transfer { 127.0.0.1; 192.168.130.117; };

};


zone "130.168.192.in-addr.arpa" IN {

        type master;

        file "130.168.192.zone";

        allow-transfer { 127.0.0.1; 192.168.130.117; };

};


[root@localhost ~]# service named reload

Reloading named:                                           [  OK  ]

[root@localhost ~]# tail /var/log/messages 

Sep  1 10:45:45 localhost named[20996]: /etc/named.rfc1912.zones:52: missing ‘;‘ before ‘}‘

Sep  1 10:45:45 localhost named[20996]: reloading configuration failed: failure

Sep  1 10:46:48 localhost named[20996]: received control channel command ‘reload‘

Sep  1 10:46:48 localhost named[20996]: loading configuration from ‘/etc/named.conf‘

Sep  1 10:46:48 localhost named[20996]: using default UDP/IPv4 port range: [1024, 65535]

Sep  1 10:46:48 localhost named[20996]: using default UDP/IPv6 port range: [1024, 65535]

Sep  1 10:46:48 localhost named[20996]: sizing zone task pool based on 8 zones

Sep  1 10:46:48 localhost named[20996]: Warning: ‘empty-zones-enable/disable-empty-zone‘ not set: disabling RFC 1918 empty zones

Sep  1 10:46:48 localhost named[20996]: reloading configuration succeeded

Sep  1 10:46:48 localhost named[20996]: reloading zones succeeded



Add allow-transfer on ns2

[root@localhost ~]# tail -13 /etc/named.rfc1912.zones

zone "kaiyuandiantang.com" IN {

        type slave;

        masters { 192.168.130.117; };

        file "slaves/kaiyuandiantang.com.zone";

        allow-transfer { none; };

};


zone "130.168.192.in-addr.arpa" IN {

        type slave;

        masters { 192.168.130.117; };

        file "slaves/130.168.192.zone";

        allow-transfer { none; };

};


[root@localhost ~]# service named reload

Reloading named:                                           [  OK  ]

[root@localhost ~]# tail /var/log/messages 

Sep  2 15:42:39 localhost named[22632]: client 192.168.130.119#50309: transfer of ‘130.168.192.in-addr.arpa/IN‘: AXFR started

Sep  2 15:42:39 localhost named[22632]: client 192.168.130.119#50309: transfer of ‘130.168.192.in-addr.arpa/IN‘: AXFR ended

Sep  2 15:48:52 localhost named[22632]: received control channel command ‘reload‘

Sep  2 15:48:52 localhost named[22632]: loading configuration from ‘/etc/named.conf‘

Sep  2 15:48:52 localhost named[22632]: using default UDP/IPv4 port range: [1024, 65535]

Sep  2 15:48:52 localhost named[22632]: using default UDP/IPv6 port range: [1024, 65535]

Sep  2 15:48:52 localhost named[22632]: sizing zone task pool based on 8 zones

Sep  2 15:48:52 localhost named[22632]: Warning: ‘empty-zones-enable/disable-empty-zone‘ not set: disabling RFC 1918 empty zones

Sep  2 15:48:52 localhost named[22632]: reloading configuration succeeded

Sep  2 15:48:52 localhost named[22632]: reloading zones succeeded



After adding allow-transfer (tested from 192.168.130.119)

[root@localhost ~]# dig -t axfr kaiyuandiantang.com @192.168.130.117     


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t axfr kaiyuandiantang.com @192.168.130.117

;; global options: +cmd

; Transfer failed.

[root@localhost ~]# dig -t axfr kaiyuandiantang.com @192.168.130.118


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t axfr kaiyuandiantang.com @192.168.130.118

;; global options: +cmd

; Transfer failed.

[root@localhost ~]# dig -t axfr 130.168.192.in-addr.arpa @192.168.130.117


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t axfr 130.168.192.in-addr.arpa @192.168.130.117

;; global options: +cmd

; Transfer failed.

[root@localhost ~]# dig -t axfr 130.168.192.in-addr.arpa @192.168.130.118


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t axfr 130.168.192.in-addr.arpa @192.168.130.118

;; global options: +cmd

; Transfer failed.

[root@localhost ~]# 



Implementing subdomain delegation in BIND: glue records

Add the following to the parent zone's data file:

the name of the delegated subzone

the subzone's name server

the IP address of the subzone's name server


=========================================================================================

Forward subdomain delegation example (parent zone: 192.168.130.117, subzone: 192.168.130.119)

=========================================================================================

1. Delegate the subzone in the parent zone

[root@localhost ~]# cat /var/named/kaiyuandiantang.com.zone

$TTL 600

@       IN      SOA     ns1.kaiyuandiantang.com.        admin.kaiyuandiantang.com. (

                        2017090601

                        1H

                        5M

                        3D

                        12H

                        )

        IN      NS      ns1

        IN      NS      ns2

        IN      MX  10  mail

ns1     IN      A       192.168.130.117

ns2     IN      A       192.168.130.118

mail    IN      A       192.168.130.10

www     IN      A       192.168.130.20

pop     IN      CNAME   mail

web     IN      CNAME   www


linux           IN      NS      ns1.linux

ns1.linux       IN      A       192.168.130.119


[root@localhost ~]# service named reload

Reloading named:                                           [  OK  ]

[root@localhost ~]# tail /var/log/messages 

Sep  1 16:29:00 localhost named[20996]: loading configuration from ‘/etc/named.conf‘

Sep  1 16:29:00 localhost named[20996]: using default UDP/IPv4 port range: [1024, 65535]

Sep  1 16:29:00 localhost named[20996]: using default UDP/IPv6 port range: [1024, 65535]

Sep  1 16:29:00 localhost named[20996]: sizing zone task pool based on 8 zones

Sep  1 16:29:00 localhost named[20996]: Warning: ‘empty-zones-enable/disable-empty-zone‘ not set: disabling RFC 1918 empty zones

Sep  1 16:29:00 localhost named[20996]: reloading configuration succeeded

Sep  1 16:29:00 localhost named[20996]: reloading zones succeeded

Sep  1 16:29:00 localhost named[20996]: zone kaiyuandiantang.com/IN: zone serial (2017090601) unchanged. zone may fail to transfer to slaves.

Sep  1 16:29:00 localhost named[20996]: zone kaiyuandiantang.com/IN: loaded serial 2017090601

Sep  1 16:29:00 localhost named[20996]: zone kaiyuandiantang.com/IN: sending notifies (serial 2017090601)

[root@localhost ~]# 

2. Configure the subzone server's main configuration file

[root@localhost ~]# sed "/^\//d" /etc/named.conf


options {

        directory       "/var/named";

        dump-file       "/var/named/data/cache_dump.db";

        statistics-file "/var/named/data/named_stats.txt";

        memstatistics-file "/var/named/data/named_mem_stats.txt";

        allow-query     { any; };

        recursion yes;



        /* Path to ISC DLV key */


};


logging {

        channel default_debug {

                file "data/named.run";

                severity dynamic;

        };

};


zone "." IN {

        type hint;

        file "named.ca";

};


include "/etc/named.rfc1912.zones";


3. Add the subzone's zone declaration on the subzone server

[root@localhost ~]# tail -4 /etc/named.rfc1912.zones

zone "linux.kaiyuandiantang.com" IN {

        type master;

        file "linux.kaiyuandiantang.com.zone";

};


4. Create the subzone server's zone database file

[root@localhost ~]# cat /var/named/linux.kaiyuandiantang.com.zone

$TTL 600

@       IN      SOA     ns1.linux.kaiyuandiantang.com.        admin.linux.kaiyuandiantang.com. (

                        2017090701

                        1H

                        5M

                        3D

                        12H

                        )

        IN      NS      ns1

        IN      MX  10  mail

ns1     IN      A       192.168.130.119

mail    IN      A       192.168.130.30

www     IN      A       192.168.130.40

pop     IN      CNAME   mail

web     IN      CNAME   www

[root@localhost ~]# 


5. Fix file permissions on the subzone server and start the service

[root@localhost ~]# cd /var/named/

[root@localhost named]# chown root:named linux.kaiyuandiantang.com.zone 

[root@localhost named]# chmod 640 linux.kaiyuandiantang.com.zone 

[root@localhost named]# named-checkconf 

[root@localhost named]# named-checkzone linux.kaiyuandiantang.com linux.kaiyuandiantang.com.zone 

zone linux.kaiyuandiantang.com/IN: loaded serial 2017090701

OK

[root@localhost named]# service named start

Starting named:                                            [  OK  ]

[root@localhost named]# tail /var/log/messages 

Aug 31 18:30:52 localhost named[20903]: command channel listening on 127.0.0.1#953

Aug 31 18:30:52 localhost named[20903]: command channel listening on ::1#953

Aug 31 18:30:52 localhost named[20903]: zone 0.in-addr.arpa/IN: loaded serial 0

Aug 31 18:30:52 localhost named[20903]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0

Aug 31 18:30:52 localhost named[20903]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0

Aug 31 18:30:52 localhost named[20903]: zone linux.kaiyuandiantang.com/IN: loaded serial 2017090701

Aug 31 18:30:52 localhost named[20903]: zone localhost.localdomain/IN: loaded serial 0

Aug 31 18:30:52 localhost named[20903]: zone localhost/IN: loaded serial 0

Aug 31 18:30:52 localhost named[20903]: managed-keys-zone ./IN: loaded serial 0

Aug 31 18:30:52 localhost named[20903]: running

[root@localhost named]# 


6. Test

[root@localhost named]# dig -t NS linux.kaiyuandiantang.com @192.168.130.119    


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t NS linux.kaiyuandiantang.com @192.168.130.119

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63108

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1


;; QUESTION SECTION:

;linux.kaiyuandiantang.com.     IN      NS


;; ANSWER SECTION:

linux.kaiyuandiantang.com. 600  IN      NS      ns1.linux.kaiyuandiantang.com.


;; ADDITIONAL SECTION:

ns1.linux.kaiyuandiantang.com. 600 IN   A       192.168.130.119


;; Query time: 0 msec

;; SERVER: 192.168.130.119#53(192.168.130.119)

;; WHEN: Thu Aug 31 18:32:28 2017

;; MSG SIZE  rcvd: 77


[root@localhost named]# dig -t MX linux.kaiyuandiantang.com @192.168.130.119  


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t MX linux.kaiyuandiantang.com @192.168.130.119

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42605

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2


;; QUESTION SECTION:

;linux.kaiyuandiantang.com.     IN      MX


;; ANSWER SECTION:

linux.kaiyuandiantang.com. 600  IN      MX      10 mail.linux.kaiyuandiantang.com.


;; AUTHORITY SECTION:

linux.kaiyuandiantang.com. 600  IN      NS      ns1.linux.kaiyuandiantang.com.


;; ADDITIONAL SECTION:

mail.linux.kaiyuandiantang.com. 600 IN  A       192.168.130.30

ns1.linux.kaiyuandiantang.com. 600 IN   A       192.168.130.119


;; Query time: 0 msec

;; SERVER: 192.168.130.119#53(192.168.130.119)

;; WHEN: Thu Aug 31 18:32:40 2017

;; MSG SIZE  rcvd: 114


[root@localhost named]# 

[root@localhost named]# dig -t A  www.linux.kaiyuandiantang.com @192.168.130.119  


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A www.linux.kaiyuandiantang.com @192.168.130.119

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56396

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1


;; QUESTION SECTION:

;www.linux.kaiyuandiantang.com. IN      A


;; ANSWER SECTION:

www.linux.kaiyuandiantang.com. 600 IN   A       192.168.130.40


;; AUTHORITY SECTION:

linux.kaiyuandiantang.com. 600  IN      NS      ns1.linux.kaiyuandiantang.com.


;; ADDITIONAL SECTION:

ns1.linux.kaiyuandiantang.com. 600 IN   A       192.168.130.119


;; Query time: 1 msec

;; SERVER: 192.168.130.119#53(192.168.130.119)

;; WHEN: Thu Aug 31 18:33:01 2017

;; MSG SIZE  rcvd: 97


[root@localhost named]# dig -t A  ns1.linux.kaiyuandiantang.com @192.168.130.119   


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A ns1.linux.kaiyuandiantang.com @192.168.130.119

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3947

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0


;; QUESTION SECTION:

;ns1.linux.kaiyuandiantang.com. IN      A


;; ANSWER SECTION:

ns1.linux.kaiyuandiantang.com. 600 IN   A       192.168.130.119


;; AUTHORITY SECTION:

linux.kaiyuandiantang.com. 600  IN      NS      ns1.linux.kaiyuandiantang.com.


;; Query time: 0 msec

;; SERVER: 192.168.130.119#53(192.168.130.119)

;; WHEN: Thu Aug 31 18:33:08 2017

;; MSG SIZE  rcvd: 77


[root@localhost named]# dig -t A  mail.linux.kaiyuandiantang.com @192.168.130.119   


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A mail.linux.kaiyuandiantang.com @192.168.130.119

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50725

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1


;; QUESTION SECTION:

;mail.linux.kaiyuandiantang.com.        IN      A


;; ANSWER SECTION:

mail.linux.kaiyuandiantang.com. 600 IN  A       192.168.130.30


;; AUTHORITY SECTION:

linux.kaiyuandiantang.com. 600  IN      NS      ns1.linux.kaiyuandiantang.com.


;; ADDITIONAL SECTION:

ns1.linux.kaiyuandiantang.com. 600 IN   A       192.168.130.119


;; Query time: 0 msec

;; SERVER: 192.168.130.119#53(192.168.130.119)

;; WHEN: Thu Aug 31 18:33:14 2017

;; MSG SIZE  rcvd: 98


[root@localhost named]# 
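The glue rule behind the delegation above, as an added example that is not part of the original notes: a small Python checker that parses the parent zone file from step 1 (copied inline) and verifies that every NS/MX/CNAME target lying inside the zone has an A record, the delegation `linux IN NS ns1.linux` included. Without the `ns1.linux IN A 192.168.130.119` glue record the parent could hand out a name server it cannot give an address for. The parser covers only the zone-file syntax used in these notes; `parse_zone`, `check_targets` and `delegations` are names chosen here.

```python
"""Glue-record check for a BIND zone file (added example, not the blog's own
tooling). Parses the zone-file subset used in these notes: $TTL, a multi-line SOA
in parentheses, '@', relative names and an inherited owner on indented lines."""
RR_TYPES = {"SOA", "NS", "MX", "A", "AAAA", "CNAME", "PTR", "TXT"}

# Copied from the parent zone file shown in step 1 above.
PARENT_ZONE = """\
$TTL 600
@       IN      SOA     ns1.kaiyuandiantang.com.        admin.kaiyuandiantang.com. (
                        2017090601
                        1H
                        5M
                        3D
                        12H
                        )
        IN      NS      ns1
        IN      NS      ns2
        IN      MX  10  mail
ns1     IN      A       192.168.130.117
ns2     IN      A       192.168.130.118
mail    IN      A       192.168.130.10
www     IN      A       192.168.130.20
pop     IN      CNAME   mail
web     IN      CNAME   www

linux           IN      NS      ns1.linux
ns1.linux       IN      A       192.168.130.119
"""

def _entries(text):
    """Yield logical entries: ';' comments stripped, '( ... )' groups joined."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield "\n".join(buf)
            buf = []

def absolutize(name, origin):
    """Turn '@' or a relative name into a fully qualified name under origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)

def parse_zone(text, origin):
    """Return records as {'owner', 'type', 'rdata', 'target'} with absolute names."""
    records, owner = [], origin
    for entry in _entries(text):
        parts = entry.split()
        if parts[0].startswith("$"):            # $TTL / $ORIGIN directives
            if parts[0] == "$ORIGIN":
                origin = parts[1]
            continue
        tokens = entry.replace("(", " ").replace(")", " ").split()
        if not entry[0].isspace():              # indented line keeps the previous owner
            owner = absolutize(tokens.pop(0), origin)
        while tokens and tokens[0].upper() not in RR_TYPES:   # skip optional TTL / class
            tokens.pop(0)
        if not tokens:
            raise ValueError(f"no record type in: {entry!r}")
        rtype, rdata = tokens[0].upper(), tokens[1:]
        target = None
        if rtype in ("NS", "CNAME", "PTR"):
            target = absolutize(rdata[0], origin)
        elif rtype == "MX":                     # rdata is: preference target
            target = absolutize(rdata[1], origin)
        records.append({"owner": owner, "type": rtype, "rdata": rdata, "target": target})
    return records

def check_targets(text, origin):
    """Report NS/MX/CNAME targets inside the zone that have no A record."""
    records = parse_zone(text, origin)
    has_a = {r["owner"] for r in records if r["type"] == "A"}
    return [
        f"{r['type']} {r['owner']} -> {r['target']}: no A record in zone"
        for r in records
        if r["type"] in ("NS", "MX", "CNAME") and in_zone(r["target"], origin)
        and r["target"] not in has_a
    ]

def delegations(text, origin):
    """Map each delegated subzone to (name server, needs glue, glue address)."""
    records = parse_zone(text, origin)
    addr = {r["owner"]: r["rdata"][0] for r in records if r["type"] == "A"}
    result = {}
    for r in records:
        if r["type"] == "NS" and r["owner"] != origin:
            # glue is required only when the server's name lives under the subzone
            needs_glue = in_zone(r["target"], r["owner"])
            glue = addr.get(r["target"]) if needs_glue else None
            result.setdefault(r["owner"], []).append((r["target"], needs_glue, glue))
    return result
```

Running `check_targets(PARENT_ZONE, "kaiyuandiantang.com.")` on the zone as written returns no findings, and `delegations` reports the `linux` subzone served by `ns1.linux.kaiyuandiantang.com.` with glue `192.168.130.119`; drop the `ns1.linux` A line and the NS delegation is flagged as having no address in the zone.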


7. Problem

[root@localhost named]# dig -t A www.kaiyuandiantang.com @192.168.130.119


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A www.kaiyuandiantang.com @192.168.130.119

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 59745

;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0


;; QUESTION SECTION:

;www.kaiyuandiantang.com.       IN      A


;; AUTHORITY SECTION:

com.                    829     IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 1504779223 1800 900 604800 86400


;; Query time: 0 msec

;; SERVER: 192.168.130.119#53(192.168.130.119)

;; WHEN: Thu Aug 31 18:46:52 2017

;; MSG SIZE  rcvd: 114


This happens because kaiyuandiantang.com is not a zone this subzone DNS server is responsible for, so it queries the root; the root refers it to the com zone, and since the com zone has no such subdomain kaiyuandiantang.com, resolution fails. Zone forwarding is introduced to solve this.


Configuring zone forwarding: forward zones

When resolving a name in a zone this server is not responsible for, do not send the query to the root but hand it to a designated host;


Ways to configure forwarding:

Forward every zone this server is not responsible for:

options {

forward only|first;

forwarders { IP; };

};


Forward one specific zone:

zone "ZONE_NAME" IN {

type forward;

forwarders { IP; };

forward only|first;

};


Prerequisite for forwarding to work: this server must be in the forwarder's list of hosts allowed to recurse (its allow-recursion);



8. Enable zone forwarding on the subzone server

[root@localhost named]# tail -9 /etc/named.rfc1912.zones

        type master;

        file "linux.kaiyuandiantang.com.zone";

};


zone "kaiyuandiantang.com" IN {

        type forward;

        forwarders { 192.168.130.117; };

        forward only;

};

[root@localhost named]# service named restart                            

Stopping named: .                                          [  OK  ]

Starting named:                                            [  OK  ]

[root@localhost named]# dig -t A www.kaiyuandiantang.com @192.168.130.119


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A www.kaiyuandiantang.com @192.168.130.119

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47012

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2


;; QUESTION SECTION:

;www.kaiyuandiantang.com.       IN      A


;; ANSWER SECTION:

www.kaiyuandiantang.com. 600    IN      A       192.168.130.20


;; AUTHORITY SECTION:

kaiyuandiantang.com.    600     IN      NS      ns2.kaiyuandiantang.com.

kaiyuandiantang.com.    600     IN      NS      ns1.kaiyuandiantang.com.


;; ADDITIONAL SECTION:

ns2.kaiyuandiantang.com. 600    IN      A       192.168.130.118

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117


;; Query time: 3 msec

;; SERVER: 192.168.130.119#53(192.168.130.119)

;; WHEN: Thu Aug 31 18:57:19 2017

;; MSG SIZE  rcvd: 125


[root@localhost named]# 



Security control options:

allow-transfer {};

should normally be enabled;

allow-query {};

normally used only when the server is a caching name server, to open querying to local clients only;

allow-recursion {  };

defines the recursion whitelist;

allow-update { none; };

defines the whitelist of hosts allowed to dynamically update the zone data file


ACL: BIND supports access control lists

acl ACL_NAME {

172.16.0.0/16;

192.168.0.0/24;

127.0.0.0/8;

};


An access control list can only be used after it has been defined; acl blocks are therefore normally placed at the top of named.conf;


BIND has four built-in ACLs:

any: any host

none: no host

localhost: the local machine

localnets: the networks the local machine is connected to;
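An added example (not from the original notes) that ties the allow-transfer discussion in item 11, the forwarding prerequisites and the ACL rules together: a Python audit of a named.conf. The sample configuration is constructed after the ns1 configuration shown earlier; note that ns1's allow-transfer list there names its own address 192.168.130.117 and not the secondary ns2 at 192.168.130.118, so ns2's next transfer would be refused, which is why the audit takes the known secondaries as a parameter. The parser handles only the statement forms that appear in these notes; `audit`, `parse_named_conf` and `SAMPLE_CONF` are names chosen here.

```python
"""Audit of the access-control statements in a BIND named.conf (added example,
not the blog's own tooling). It parses the named.conf subset used in these notes
(acl, options and zone blocks with nested address lists) and reports problems."""
import re

TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};]+')
ADDR_RE = re.compile(r"^!?[0-9A-Fa-f.:]+(/\d{1,3})?$")   # literal IPv4/IPv6, optional prefix
BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}
ACL_STMTS = {"allow-transfer", "allow-query", "allow-recursion", "allow-update"}

# Constructed sample modelled on the ns1 configuration in the notes; the
# allow-update list, the reverse zone and the forward zone are deliberately wrong.
SAMPLE_CONF = """\
acl lan { 192.168.130.0/24; 127.0.0.0/8; };
options {
        allow-query { any; };
        allow-recursion { lan; };
};
zone "kaiyuandiantang.com" IN {
        type master;
        file "kaiyuandiantang.com.zone";
        allow-transfer { 127.0.0.1; 192.168.130.117; };
        allow-update { updaters; };   // acl 'updaters' is never defined
};
zone "130.168.192.in-addr.arpa" IN {
        type master;
        file "130.168.192.zone";
};
zone "linux.kaiyuandiantang.com" IN {
        type forward;
        forward only;
};
"""

def parse_block(tokens, i=0):
    """Parse statements up to the matching '}'; each is (words, body-or-None)."""
    stmts = []
    while i < len(tokens) and tokens[i] != "}":
        words = []
        while i < len(tokens) and tokens[i] not in ("{", ";", "}"):
            words.append(tokens[i].strip('"'))
            i += 1
        body = None
        if i < len(tokens) and tokens[i] == "{":
            body, i = parse_block(tokens, i + 1)
        if i < len(tokens) and tokens[i] == ";":
            i += 1
        if words:
            stmts.append((words, body))
    return stmts, i + 1          # index just past the closing '}'

def parse_named_conf(text):
    """Strip /* */, // and # comments, then parse the top-level statements."""
    text = re.sub(r"/\*.*?\*/|//[^\n]*|#[^\n]*", " ", text, flags=re.S)
    return parse_block(TOKEN_RE.findall(text))[0]

def members(body):
    return [w[0] for w, _ in body]          # entries of { 127.0.0.1; lan; }

def expand(entries, acls):
    out = []                                # flatten user-defined acl names
    for e in entries:
        out.extend(expand(acls[e], acls) if e in acls else [e])
    return out

def audit(conf_text, secondaries=()):
    """Return findings; 'secondaries' are the addresses of our own slave servers."""
    findings, acls = [], {}

    def check_refs(scope, sub):             # acl names must be defined before use
        for stmt in sorted(ACL_STMTS & set(sub)):
            for e in members(sub[stmt][1]):
                if not (ADDR_RE.match(e) or e.lstrip("!") in BUILTIN_ACLS or e in acls):
                    findings.append(f"{scope}: {stmt} uses acl '{e}' before it is defined")

    global_xfer = None
    for words, body in parse_named_conf(conf_text):
        if words[0] == "acl":
            acls[words[1]] = members(body)
        elif words[0] == "options":
            sub = {w[0]: (w[1:], b) for w, b in body}
            check_refs("options", sub)
            global_xfer = sub.get("allow-transfer")
        elif words[0] == "zone":
            name, sub = words[1], {w[0]: (w[1:], b) for w, b in body}
            check_refs(name, sub)
            ztype = sub.get("type", (["?"], None))[0][0]
            xfer = sub.get("allow-transfer", global_xfer)   # zone setting overrides options
            if ztype in ("master", "slave"):
                if xfer is None:
                    findings.append(f"{name}: no allow-transfer, so any host may AXFR the zone")
                else:
                    allowed = expand(members(xfer[1]), acls)
                    if "any" in allowed:
                        findings.append(f"{name}: allow-transfer {{ any; }} leaves the zone open")
                    findings += [f"{name}: secondary {s} is missing from allow-transfer"
                                 for s in secondaries if ztype == "master" and s not in allowed]
            elif ztype == "forward" and "forwarders" not in sub:
                findings.append(f"{name}: forward zone without forwarders")
    return findings
```

`audit(SAMPLE_CONF, secondaries=("192.168.130.118",))` reports the undefined `updaters` acl, the secondary missing from the forward zone's allow-transfer, the reverse zone with no allow-transfer at all (the open-AXFR state shown before the fix in item 11), and the forward zone that names no forwarders; a zone whose allow-transfer lists the secondary through a previously defined acl produces no findings.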


This article is from the “开源殿堂” blog; please keep this attribution: http://kaiyuandiantang.blog.51cto.com/10699754/1964390
