dns授权
dns授权分为两步
1】父域dns对子域dns实现授权,
2】子域dns指向父域dns,有两种方式:
1.改变根提示,把父域dns视为根
2.转发器
dns服务器的搭建请看dns服务器搭建
一、修改父域实现对子域的授权
修改dns服务器配置文件,把最后一行(include "/etc/named.root.key")注释掉。注意:下面的配置中 allow-query { any; } 与 recursion yes 同时生效,意味着任何能访问53端口的主机都可以通过该服务器做递归查询,生产环境应使用 allow-recursion 把递归限制在内网地址。
[root@localhost chroot]# vim etc/named.conf
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion yes;
// dnssec-enable yes;
// dnssec-validation yes;
// dnssec-lookaside auto;
/* Path to ISC DLV key */
// bindkeys-file "/etc/named.iscdlv.key";
// managed-keys-directory "/var/named/dynamic";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
//include "/etc/named.root.key";
声明两个区域b.com和bj.b.com
[root@localhost chroot]# vim etc/named.rfc1912.zones
19 zone "localhost" IN {
20 type master;
21 file "named.localhost";
22 allow-update { none; };
23 };
24 zone "b.com" IN {
25 type master;
26 file "b.com.zone";
27 allow-update { none; };
28 };
29 zone "bj.b.com" IN {
30 type master;
31 file "bj.b.com.zone";
32 allow-update { none; };
创建b.com.zone和bj.b.com.zone文件
[root@localhost chroot]# cd var/named
[root@localhost named]# cp named.localhost b.com.zone
[root@localhost named]# cp named.localhost bj.b.com.zone
[root@localhost named]# vim bj.b.com.zone
$TTL 1D
@ IN SOA ns.bj.b.com. rname.invalid. (
1 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS ns.bj.b.com.
ns IN A 192.168.3.120
www IN A 2.2.2.2
在b.com.zone中给子域sh.b.com授权(NS记录加上胶水A记录)
[root@localhost named]# vim b.com.zone
$TTL 1D
@ IN SOA ns.b.com. rname.invalid. (
1 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS ns.b.com.
ns IN A 192.168.3.120
www IN A 1.1.1.1
sh.b.com. IN NS ns.sh.b.com.
ns.sh.b.com. IN A 192.168.3.122
编辑完后保存退出,然后重新加载区域
[root@localhost named]# rndc reload
二、子域设置转发
1、登录到要设置为子域的dns服务器的主机
[root@localhost ~]# cd /var/named/chroot
编辑配置文件设置转发
[root@localhost chroot]# vim etc/named.conf
10 options {
11 listen-on port 53 { any; };
12 listen-on-v6 port 53 { ::1; };
13 directory "/var/named";
14 dump-file "/var/named/data/cache_dump.db";
15 statistics-file "/var/named/data/named_stats.txt";
16 memstatistics-file "/var/named/data/named_mem_stats.txt";
17 allow-query { any; };
18 recursion yes;
19
20 dnssec-enable yes;
21 dnssec-validation yes;
22 dnssec-lookaside auto;
// 第23行设置转发器:本机无法解析的查询转发给父域dns(192.168.3.120)
23 forwarders { 192.168.3.120; };
24 /* Path to ISC DLV key */
25 bindkeys-file "/etc/named.iscdlv.key";
26
27 managed-keys-directory "/var/named/dynamic";
28 };
29
30 logging {
31 channel default_debug {
32 file "data/named.run";
33 severity dynamic;
34 };
35 };
36
37 zone "." IN {
38 type hint;
39 file "named.ca";
40 };
41
42 include "/etc/named.rfc1912.zones";
// 把第43行注释掉
43 //include "/etc/named.root.key";
声明sh.b.com区域
[root@localhost chroot]# vim etc/named.rfc1912.zones
24 zone "sh.b.com" IN {
25 type master;
26 file "sh.b.com.zone";
27 allow-update { none; };
28 };
创建并编辑sh.b.com.zone
[root@localhost chroot]# cd var/named
[root@localhost named]# cp named.localhost sh.b.com.zone
[root@localhost named]# vim sh.b.com.zone
1 $TTL 1D
2 @ IN SOA sh.b.com. rname.invalid. (
3 1 ; serial
4 1D ; refresh
5 1H ; retry
6 1W ; expire
7 3H ) ; minimum
8 @ IN NS ns.sh.b.com.
9 ns IN A 192.168.3.122
10 www IN A 3.3.3.3
编辑完后保存退出,然后重新加载区域
[root@localhost named]# rndc reload
[root@localhost named]# vim /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.3.122
测试:在子域服务器上查询父域的记录
[root@localhost chroot]# dig www.b.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 <<>> www.b.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10870
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.b.com.			IN	A
;; ANSWER SECTION:
www.b.com.		86400	IN	A	1.1.1.1
;; AUTHORITY SECTION:
b.com.			86400	IN	NS	ns.b.com.
;; ADDITIONAL SECTION:
ns.b.com.		86400	IN	A	192.168.3.120
;; Query time: 1 msec
;; SERVER: 192.168.3.122#53(192.168.3.122)
;; WHEN: Sat May 10 07:07:58 2014
;; MSG SIZE rcvd: 77
CentOS下dns服务器之授权,布布扣,bubuko.com
原文地址:http://8877521.blog.51cto.com/8808744/1409114