internet dns架构的实现：互联网中dns的架构如下图所示
主机 | OS | IP |
---|---|---|
www | centos6 | 192.168.73.2 |
client | centos6 | 192.168.73.3 |
mylinuxopsdns1 | centos7 | 192.168.73.10 |
mylinuxopsdns2 | centos7 | 192.168.73.20 |
comdns | centos7 | 192.168.73.30 |
rootdns | centos7 | 192.168.73.40 |
ldns | centos7 | 192.168.73.50 |
[root@www ~]# service httpd start
Starting httpd: httpd: apr_sockaddr_info_get() failed for www
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[ OK ]
[root@centos6 ~]# echo "<h1>welcome to mylinuxops.com</h1>" > /var/www/html/index.html
3.测试
[root@www ~]# curl 192.168.73.2
<h1>welcome to mylinuxops.com</h1>
[root@mylinuxopsdns1 ~]# yum install bind -y
[root@mylinuxopsdns1 ~]# systemctl start named
[root@mylinuxopsdns1 ~]# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.
将监听地址和允许访问的主机注释
options {
// listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
// allow-query { localhost; };
[root@mylinuxopsdns1 ~]# vim /etc/named.rfc1912.zones
zone "mylinuxops.com" IN {
// primary copy of the zone; the secondary at 192.168.73.20 fetches it by zone transfer
type master;
// path is relative to the options 'directory' (/var/named); created below by copying named.localhost
file "mylinuxops.com.zone";
// NOTE: transfers are restricted later in section 8.2 via options { allow-transfer {192.168.73.20;}; }
};
[root@mylinuxopsdns1 ~]# cp -p /var/named/{named.localhost,mylinuxops.com.zone}
[root@mylinuxopsdns1 ~]# vim /var/named/mylinuxops.com.zone
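$TTL 1D
; SOA: the MNAME 'master' is relative to the origin (master.mylinuxops.com.).
; The RNAME must be written absolute; without the trailing dot it was also expanded
; relative to the origin (admin.mylinuxops.com.mylinuxops.com.). com.zone below
; already writes it as admin.mylinuxops.com. - this makes both zones consistent.
@ IN SOA master admin.mylinuxops.com. (
0 ; serial - increase it on every edit so the secondary sees the change on refresh
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum (negative-caching TTL)
; both servers are authoritative; the secondary pulls the zone from master
NS master
NS slave
master A 192.168.73.10
slave A 192.168.73.20
www A 192.168.73.2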
[root@mylinuxopsdns1 ~]# named-checkconf
[root@mylinuxopsdns1 ~]# named-checkzone mylinuxops.com /var/named/mylinuxops.com.zone
zone mylinuxops.com/IN: loaded serial 0
OK
[root@mylinuxopsdns1 ~]# rndc reload
[root@client ~]# dig www.mylinuxops.com @192.168.73.10
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6 <<>> www.mylinuxops.com @192.168.73.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24888
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.mylinuxops.com. IN A
;; ANSWER SECTION:
www.mylinuxops.com. 86400 IN A 192.168.73.2
;; AUTHORITY SECTION:
mylinuxops.com. 86400 IN NS master.mylinuxops.com.
;; ADDITIONAL SECTION:
master.mylinuxops.com. 86400 IN A 192.168.73.10
;; Query time: 1 msec
;; SERVER: 192.168.73.10#53(192.168.73.10)
;; WHEN: Fri Apr 19 04:23:08 2019
;; MSG SIZE rcvd: 89
[root@mylinuxopsdns2 ~]# yum install bind -y
[root@mylinuxopsdns2 ~]# systemctl start named
[root@mylinuxopsdns2 ~]# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.
将端口行和允许访问的主机注释
[root@mylinuxopsdns2 ~]# vim /etc/named.conf
options {
// listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
// allow-query { localhost; };
[root@mylinuxopsdns2 ~]# vim /etc/named.rfc1912.zones
zone "mylinuxops.com" IN {
// secondary copy, obtained by zone transfer from the primary listed in 'masters'
type slave;
masters {192.168.73.10;};
// relative to /var/named; the transferred copy is written there by named (see the ll output below)
file "slaves/mylinuxops.zone";
};
[root@mylinuxopsdns2 ~]# named-checkconf
[root@mylinuxopsdns2 ~]# rndc reload
[root@centos7 ~]# ll /var/named/slaves/
total 4
-rw-r--r-- 1 named named 298 Apr 23 04:40 mylinuxops.zone
由于主从dns服务器都没有限制哪些主机可以拉取区域数据,任何主机都能获取完整的区域内容,这样是非常不安全的,所以需要对服务器的安全性进行加固
8.1对从服务器主配置文件修改,添加allow-transfer
[root@mylinuxopsdns2 ~]# vim /etc/named.conf
options {
// listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-transfer {none;};
// allow-query { localhost; };
[root@mylinuxopsdns2 ~]# rndc reload
server reload successful
8.2对主服务器主配置文件修改,添加allow-transfer只允许从服务来拉取数据
[root@mylinuxopsdns1 ~]# vim /etc/named.conf
options {
// listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-transfer {192.168.73.20;};
// allow-query { localhost; };
[root@mylinuxopsdns1 ~]# rndc reload
server reload successful
[root@comdns ~]# yum install bind -y
将监听的ip和允许访问的主机行注释
[root@comdns ~]# vim /etc/named.conf
options {
// listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
// allow-query { localhost; };
[root@comdns ~]# vim /etc/named.rfc1912.zones
zone "com" IN {
// authoritative for the lab's com TLD; delegates mylinuxops.com to ns1/ns2 in com.zone
type master;
// relative to /var/named; created below by copying named.localhost
file "com.zone";
// NOTE(review): no allow-transfer is set on comdns, so this zone stays transferable by any host -
// the same exposure that section 8 closes for mylinuxops.com
};
[root@comdns ~]# cp -p /var/named/{named.localhost,com.zone}
[root@comdns ~]# vim /var/named/com.zone
$TTL 1D
; MNAME 'master' is relative to the origin (master.com.); the RNAME is absolute (trailing dot)
@ IN SOA master admin.mylinuxops.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
; delegation of mylinuxops.com to its two authoritative servers (expands to ns1.com. / ns2.com.)
mylinuxops NS ns1
mylinuxops NS ns2
master A 192.168.73.30
; glue for the delegation: ns1.com / ns2.com live inside this zone, so their addresses go here
ns1 A 192.168.73.10
ns2 A 192.168.73.20
[root@comdns ~]# named-checkconf
[root@comdns ~]# named-checkzone com /var/named/com.zone
zone com/IN: loaded serial 0
OK
[root@comdns ~]# systemctl restart named
在client端进行测试
[root@clinet ~]# dig www.mylinuxops.com @192.168.73.30
; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> www.mylinuxops.com @192.168.73.30
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47115
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.mylinuxops.com. IN A
;; ANSWER SECTION:
www.mylinuxops.com. 86400 IN A 192.168.73.2
;; AUTHORITY SECTION:
mylinuxops.com. 86400 IN NS ns2.com.
mylinuxops.com. 86400 IN NS ns1.com.
;; ADDITIONAL SECTION:
ns1.com. 86400 IN A 192.168.73.10
ns2.com. 86400 IN A 192.168.73.20
;; Query time: 6 msec
;; SERVER: 192.168.73.30#53(192.168.73.30)
;; WHEN: Tue Apr 23 17:25:07 CST 2019
;; MSG SIZE rcvd: 131
[root@rootdns ~]# yum install bind -y
将监听地址和允许访问的主机行注释,修改最底下的根域
[root@rootdns ~]# vim /etc/named.conf
options {
// listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
// allow-query { localhost; };
....
zone "." IN {
// this host acts as the lab's private root; the resolver (ldns) is pointed at it through named.ca below
type master;
// relative to /var/named; created below by copying named.localhost
file "root.zone";
// NOTE(review): no allow-transfer is set on rootdns either, so the root zone is transferable by any host
};
[root@rootdns ~]# cp -p /var/named/{named.localhost,root.zone}
[root@rootdns ~]# vim /var/named/root.zone
$TTL 1D
; MNAME 'ns1' is relative to the root origin (ns1.); the RNAME is absolute (trailing dot)
@ IN SOA ns1 admin.mylinuxops.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS ns1
; delegation of the com TLD to comdns (master.)
com NS master
ns1 A 192.168.73.40
; glue for the com delegation
master A 192.168.73.30
[root@rootdns ~]# named-checkconf
[root@rootdns ~]# named-checkzone . /var/named/root.zone
zone ./IN: loaded serial 0
OK
[root@rootdns ~]# systemctl start named
[root@rootdns ~]# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.
[root@localhost ~]# dig www.mylinuxops.com @192.168.73.40
; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> www.mylinuxops.com @192.168.73.40
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38921
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.mylinuxops.com. IN A
;; ANSWER SECTION:
www.mylinuxops.com. 86400 IN A 192.168.73.2
;; AUTHORITY SECTION:
mylinuxops.com. 85104 IN NS ns1.com.
mylinuxops.com. 85104 IN NS ns2.com.
;; ADDITIONAL SECTION:
ns1.com. 85104 IN A 192.168.73.10
ns2.com. 85104 IN A 192.168.73.20
;; Query time: 2 msec
;; SERVER: 192.168.73.40#53(192.168.73.40)
;; WHEN: Tue Apr 23 17:59:09 CST 2019
;; MSG SIZE rcvd: 131
[root@ldns ~]# yum install bind -y
将监听地址和允许访问的主机注释,并关闭dnssec相关的两项(实验环境中的根区未签名,保留DNSSEC验证会导致解析失败;此设置仅适用于实验环境)
[root@ldns ~]# vim /etc/named.conf
options {
// listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
// allow-query { localhost; };
....
dnssec-enable no;
dnssec-validation no;
将根提示文件(named.ca)指向rootdns所在的地址,其余的根服务器记录全部删除
[root@ldns ~]# vim /var/named/named.ca
; root hints rewritten so the resolver bootstraps from the lab root (rootdns, 192.168.73.40)
; instead of the public root servers; the original entries shipped with bind were removed
. 518400 IN NS a.root-servers.net.
a.root-servers.net. 3600000 IN A 192.168.73.40
[root@client ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
# static addressing for the client (192.168.73.3/24); DNS1 points at the lab resolver ldns (192.168.73.50)
TYPE=Ethernet
BOOTPROTO=static
NAME=ens33
DEVICE=ens33
# NOTE(review): ONBOOT is conventionally yes/no; 'on' is not a documented value - confirm it is
# honoured (the interface did come up after the restart below)
ONBOOT=on
IPADDR=192.168.73.3
PREFIX=24
DNS1=192.168.73.50
[root@localhost ~]# systemctl restart network
[root@localhost ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.73.50
[root@localhost ~]# curl www.mylinuxops.com
<h1>welcome to mylinuxops.com</h1>
原文地址:https://blog.51cto.com/11886307/2385725