DNS and Bind (supplement)

I. Configuring master and slave servers

1. Being a slave is a zone-level concept: a server is master or slave per zone, not as a whole

2. Configuring a slave for the forward zone (keep the clocks of master and slave synchronized, e.g. with the ntpdate command)

"I. Set up the bind configuration file: /etc/named.conf"
1. In the options block, add this host's address: listen-on port 53 { 127.0.0.1; 192.168.3.20; };
2. Comment out the restriction that allows queries from localhost only: //allow-query     { localhost; };
3. Turn DNSSEC off: dnssec-enable no;  dnssec-validation no;
4. Check the named configuration file:
   1)[root@grub6 ~]# named-checkconf 
5. Start the named service and confirm it is running normally
   1)[root@grub6 ~]# service named start
      启动 named:                                               [确定]
"II. Define the zone"
[root@grub6 ~]# vim /etc/named.rfc1912.zones 
zone "kasumi.com" IN {
        type slave;
        file "slaves/kasumi.com.zone";
        masters { 192.168.3.100; };
};
ps: note that the file /var/named/slaves/kasumi.com.zone named in the slave's zone definition does not have to be created by hand; it is filled by the zone transfer from the master
"III. Check the configuration file"
[root@grub6 ~]# named-checkconf 
"IV. On the master, add an NS record for the slave, as ns2"
[root@sakura named]# vim /var/named/kasumi.com.zone 
$TTL 3600
$ORIGIN kasumi.com.

@   IN   SOA   ns1.kasumi.com.  dnsadmin.kasumi.com. (
		2019061502
		1H
		10M
		1D	
		2D )
	IN NS ns1
"	IN NS ns2"
	IN MX 10 mx1
	IN MX 30 mx2
ns1 IN A 192.168.3.200
"ns2 IN A 192.168.3.20"
www IN A 192.168.3.200
mx1 IN A 192.168.3.201
mx2 IN A 192.168.3.202
web IN CNAME www
bbs IN A 192.168.3.205
bbs IN A 192.168.3.206
ps: make sure the zone data file has an NS record for every slave, and that the forward zone file also has an A record for the hostname in each slave's NS record, giving the slave's IP
"V. Reload the configuration on master and slave"
[root@sakura ~]# systemctl reload named   "master"
[root@grub6 ~]# service named reload    "slave"
重新载入named:                                             [确定]
"Test after configuration: the slave has now synchronized the master's zone file"
[root@grub6 ~]# ll /var/named/slaves/
总用量 4
-rw-r--r--. 1 named named 533 6月  15 15:15 kasumi.com.zone
"Resolve www.baidu.com: it resolves normally"
[root@grub6 ~]# dig -t A www.baidu.com @192.168.3.20

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 <<>> -t A www.baidu.com @192.168.3.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45904
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;www.baidu.com.			IN	A

;; ANSWER SECTION:
www.baidu.com.		1200	IN	CNAME	www.a.shifen.com.
www.a.shifen.com.	137	IN	A	61.135.169.125
www.a.shifen.com.	137	IN	A	61.135.169.121

;; AUTHORITY SECTION:
shifen.com.		172800	IN	NS	ns2.baidu.com.
shifen.com.		172800	IN	NS	dns.baidu.com.
shifen.com.		172800	IN	NS	ns4.baidu.com.
shifen.com.		172800	IN	NS	ns3.baidu.com.

;; ADDITIONAL SECTION:
dns.baidu.com.		172800	IN	A	202.108.22.220
ns2.baidu.com.		172800	IN	A	220.181.33.31
ns3.baidu.com.		172800	IN	A	112.80.248.64
ns4.baidu.com.		172800	IN	A	14.215.178.80

;; Query time: 919 msec
;; SERVER: 192.168.3.20#53(192.168.3.20)
;; WHEN: Sat Jun 15 15:16:19 2019
;; MSG SIZE  rcvd: 226
"Add a resource record on the master and test whether the slave can resolve it"
[root@sakura ~]# vim /var/named/kasumi.com.zone
pop3 IN A 192.168.3.208   "new record"
ps: note that every time the zone contents on the master change, the serial must be incremented as well; here it is changed to 2019061503
[root@sakura ~]# systemctl reload named
[root@sakura ~]# systemctl status named
zone kasumi.com/IN: sending notifies (serial 2019061503) "the status output shows notifies being sent for the changed zone with serial 2019061503"
"The slave can now resolve the newly added record"
[root@grub6 ~]# dig -t A pop3.kasumi.com @192.168.3.20

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 <<>> -t A pop3.kasumi.com @192.168.3.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33257
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;pop3.kasumi.com.		IN	A

;; ANSWER SECTION:
pop3.kasumi.com.	3600	IN	A	192.168.3.208

;; AUTHORITY SECTION:
kasumi.com.		3600	IN	NS	ns2.kasumi.com.
kasumi.com.		3600	IN	NS	ns1.kasumi.com.

;; ADDITIONAL SECTION:
ns1.kasumi.com.		3600	IN	A	192.168.3.200
ns2.kasumi.com.		3600	IN	A	192.168.3.20

;; Query time: 0 msec
;; SERVER: 192.168.3.20#53(192.168.3.20)
;; WHEN: Sat Jun 15 15:24:28 2019
;; MSG SIZE  rcvd: 117
ps: at this point the slave's /var/named/slaves/kasumi.com.zone file has also been updated
"A zone transfer can also be requested manually"
[root@grub6 ~]# dig -t axfr kasumi.com @192.168.3.100
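As an added example (not from the original notes): a Python helper that applies the rule in the ps above, finding the serial in a multi-line SOA such as the one in kasumi.com.zone and raising it in the YYYYMMDDnn form these notes use, restarting the counter on a new day. The zone text is a constructed copy of the page's zone; datetime is only used for the default date.

```python
import datetime
import re

# The serial is the first number after the SOA's "(" in the page's multi-line form:
#   @ IN SOA ns1.kasumi.com. dnsadmin.kasumi.com. (
#           2019061502
SOA_SERIAL_RE = re.compile(r'\bIN\s+SOA\s+\S+\s+\S+\s*\(\s*(\d+)', re.IGNORECASE)

def next_serial(current, today_ymd):
    """Next serial in the YYYYMMDDnn form used on this page (today_ymd is 'YYYYMMDD').

    Restart at <today>01 when the current serial predates today, otherwise add one
    (same-day edits bump the counter; a future-dated or plain counter still grows).
    The serial must always increase: a slave only transfers the zone when the
    master's SOA serial is larger than the one it already holds.
    """
    base = int(today_ymd) * 100
    return base + 1 if current < base else current + 1

def bump_serial(zone_text, today_ymd=None):
    """Return (updated_zone_text, new_serial); only the serial digits are replaced."""
    today_ymd = today_ymd or datetime.date.today().strftime('%Y%m%d')
    m = SOA_SERIAL_RE.search(zone_text)
    if m is None:
        raise ValueError('no SOA serial found in zone file')
    new = next_serial(int(m.group(1)), today_ymd)
    return zone_text[:m.start(1)] + str(new) + zone_text[m.end(1):], new

# Constructed copy of the page's kasumi.com zone as it stood before the edit
KASUMI_ZONE = """$TTL 3600
$ORIGIN kasumi.com.
@   IN   SOA   ns1.kasumi.com.  dnsadmin.kasumi.com. (
		2019061502
		1H
		10M
		1D
		2D )
	IN NS ns1
	IN NS ns2
ns1 IN A 192.168.3.200
ns2 IN A 192.168.3.20
www IN A 192.168.3.200
"""

if __name__ == '__main__':
    # Add the pop3 record as on the page, then bump the serial on 2019-06-15
    text, serial = bump_serial(KASUMI_ZONE + 'pop3 IN A 192.168.3.208\n', '20190615')
    print(serial)   # 2019061503, the value the page changes the serial to
```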

3. Configuring a slave for the reverse zone

"I. Define the zone"
[root@grub6 ~]# vim /etc/named.rfc1912.zones 
zone "3.168.192.in-addr.arpa" IN {
        type slave;
        file "slaves/192.168.3.zone";
        masters { 192.168.3.100; };
};
[root@grub6 ~]# named-checkconf "check the configuration file"
"II. Add the slave's records to the reverse zone on the master"
[root@sakura ~]# cat /var/named/192.168.3.zone 
$TTL 3600
$ORIGIN 3.168.192.in-addr.arpa.

@ IN SOA ns1.kasumi.com. nsadmin.kasumi.com. (
		2019061503
		1H
		10M
		1D
		12H )
	IN NS ns1.kasumi.com.
"	IN NS ns2.kasumi.com."
200 IN PTR ns1.kasumi.com.
201	IN PTR mx1.kasumi.com.
202	IN PTR mx2.kasumi.com.
205	IN PTR bbs.kasumi.com.
206 IN PTR bbs.kasumi.com.
200 IN PTR www.kasumi.com.
"20 IN PTR ns2.kasumi.com."
[root@sakura ~]# named-checkzone 3.168.192.in-addr.arpa /var/named/192.168.3.zone 
zone 3.168.192.in-addr.arpa/IN: loaded serial 2019061502
OK    "confirm the zone file has no errors"
ps: remember to change the serial to 2019061503
"III. Reload the configuration on master and slave; the reverse zone file has now been synchronized"
[root@sakura ~]# systemctl reload named.service  "master"
[root@grub6 ~]# service  named reload   "slave"
[root@grub6 ~]# ll /var/named/slaves/
总用量 8
-rw-r--r--. 1 named named 518 6月  15 15:42 192.168.3.zone
-rw-r--r--. 1 named named 556 6月  15 15:25 kasumi.com.zone
Test: reverse resolution now works
[root@grub6 ~]# dig -x 192.168.3.200 @192.168.3.20

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 <<>> -x 192.168.3.200 @192.168.3.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46616
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;200.3.168.192.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
200.3.168.192.in-addr.arpa. 3600 IN	PTR	ns1.kasumi.com.
200.3.168.192.in-addr.arpa. 3600 IN	PTR	www.kasumi.com.

;; AUTHORITY SECTION:
3.168.192.in-addr.arpa.	3600	IN	NS	ns2.kasumi.com.
3.168.192.in-addr.arpa.	3600	IN	NS	ns1.kasumi.com.

;; ADDITIONAL SECTION:
ns1.kasumi.com.		3600	IN	A	192.168.3.200
ns2.kasumi.com.		3600	IN	A	192.168.3.20

;; Query time: 0 msec
;; SERVER: 192.168.3.20#53(192.168.3.20)
;; WHEN: Sat Jun 15 15:46:51 2019
;; MSG SIZE  rcvd: 154
"I. Add a reverse record on the master and test"
[root@sakura ~]# vim /var/named/192.168.3.zone 
208 IN PTR pop3.kasumi.com.  "added record"
2019061504  "the changed serial"
[root@sakura ~]# systemctl reload named.service 
[root@sakura ~]# systemctl status named.service
zone 3.168.192.in-addr.arpa/IN: sending notifies (serial 2019061504)  "an incremental transfer has been triggered"
"II. Test on the slave: it resolves successfully"
[root@grub6 ~]# dig -x 192.168.3.208 @192.168.3.20

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 <<>> -x 192.168.3.208 @192.168.3.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3144
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;208.3.168.192.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
208.3.168.192.in-addr.arpa. 3600 IN	PTR	pop3.kasumi.com.

;; AUTHORITY SECTION:
3.168.192.in-addr.arpa.	3600	IN	NS	ns2.kasumi.com.
3.168.192.in-addr.arpa.	3600	IN	NS	ns1.kasumi.com.

;; ADDITIONAL SECTION:
ns1.kasumi.com.		3600	IN	A	192.168.3.200
ns2.kasumi.com.		3600	IN	A	192.168.3.20

;; Query time: 0 msec
;; SERVER: 192.168.3.20#53(192.168.3.20)
;; WHEN: Sat Jun 15 15:50:39 2019
;; MSG SIZE  rcvd: 141

II. Subdomain delegation

1. How to delegate a subdomain in a forward zone

ops.kasumi.com. IN  NS ns1.ops.kasumi.com.
ops.kasumi.com. IN  NS ns2.ops.kasumi.com.
ns1.ops.kasumi.com. IN  A   IPADDRS
ns2.ops.kasumi.com. IN  A   IPADDRS

2. Delegating a subdomain (this subdomain host cannot reach the Internet)

"I. Adjust the named service configuration and start the named service"

"II. Add the subdomain on the master"
[root@sakura ~]# vim /var/named/kasumi.com.zone 
ops IN NS ns1.ops  "add the NS record"
ns1.ops IN A 192.168.3.26  "add the A record"
2019061504   "increment the serial so the slave synchronizes"
[root@sakura ~]# systemctl reload named.service 

"III. Configure the subdomain server"
"1. Define the zone"
[root@7 ~]# vim /etc/named.rfc1912.zones
zone "ops.kasumi.com" IN {
        type master;
        file "ops.kasumi.com.zone";
};
"2. Configure the zone file"
[root@7 ~]# cat /var/named/ops.kasumi.com.zone
$TTL 3600
$ORIGIN ops.kasumi.com.
@	IN	SOA	ns1.ops.kasumi.com. nsadmin.ops.kasumi.com. (
	2019061501
	1H
	10M
	1D
	2H ) 
	IN	NS	ns1
ns1	IN	A	192.168.3.26
www	IN	A	192.168.3.26
"3. Change the permissions and group"
[root@7 ~]# chmod o= /var/named/ops.kasumi.com.zone
[root@7 ~]# chown .named /var/named/ops.kasumi.com.zone
[root@7 ~]# ll /var/named/ops.kasumi.com.zone
-rw-r-----. 1 root named 178 6月  15 19:07 /var/named/ops.kasumi.com.zone
"4. Syntax check and reload"
[root@7 ~]# named-checkconf 
[root@7 ~]# systemctl reload named.service 
"Resolution test"
[root@7 ~]# dig -t A www.ops.kasumi.com @192.168.3.26

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> -t A www.ops.kasumi.com @192.168.3.26
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17977
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ops.kasumi.com.		IN	A

;; ANSWER SECTION:
www.ops.kasumi.com.	3600	IN	A	192.168.3.26

;; AUTHORITY SECTION:
ops.kasumi.com.		3600	IN	NS	ns1.ops.kasumi.com.

;; ADDITIONAL SECTION:
ns1.ops.kasumi.com.	3600	IN	A	192.168.3.26

;; Query time: 0 msec
;; SERVER: 192.168.3.26#53(192.168.3.26)
;; WHEN: 六 6月 15 19:09:24 CST 2019
;; MSG SIZE  rcvd: 97
"Resolve from the parent zone's server"
[root@sakura ~]# dig -t A www.ops.kasumi.com @192.168.3.100

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> -t A www.ops.kasumi.com @192.168.3.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2844
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ops.kasumi.com.		IN	A

;; ANSWER SECTION:
www.ops.kasumi.com.	3600	IN	A	192.168.3.26

;; AUTHORITY SECTION:
ops.kasumi.com.		3600	IN	NS	ns1.ops.kasumi.com.

;; ADDITIONAL SECTION:
ns1.ops.kasumi.com.	3600	IN	A	192.168.3.26

;; Query time: 3 msec
;; SERVER: 192.168.3.100#53(192.168.3.100)
;; WHEN: 六 6月 15 19:11:05 CST 2019
;; MSG SIZE  rcvd: 97

III. Defining forwarding

1. Zone forwarding: forwards only the queries for one specific zone

"Zone forwarding format"
zone "ZONE_NAME" IN {
	type forward;
	forward {only|first};
	forwarders { SERVER_IP; };
};
ps: note
	1) first: forward first; if the forwarder does not respond, perform the iterative query itself
	2) only: forward only; never query on its own
"Set up zone forwarding"
[root@7 ~]# dig -t A www.kasumi.com @192.168.3.26  "without forwarding the subdomain server cannot resolve names in the parent zone; querying the master server directly with @ still works"
[root@7 ~]# vim /etc/named.rfc1912.zones
zone "kasumi.com" IN {
        type forward;
        forward {only};
        forwarders { 192.168.3.100; 192.168.3.20; };
};
[root@7 ~]# named-checkconf 
[root@7 ~]# systemctl reload named.service
[root@7 ~]# dig -t A www.kasumi.com @192.168.3.26   "the parent zone can now be resolved"
; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> -t A www.kasumi.com @192.168.3.26
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36721
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.kasumi.com.			IN	A

;; ANSWER SECTION:
www.kasumi.com.		3565	IN	A	192.168.3.200

;; AUTHORITY SECTION:
kasumi.com.		3565	IN	NS	ns1.kasumi.com.
kasumi.com.		3565	IN	NS	ns2.kasumi.com.

;; ADDITIONAL SECTION:
ns1.kasumi.com.		3565	IN	A	192.168.3.200
ns2.kasumi.com.		3565	IN	A	192.168.3.20

;; Query time: 0 msec
;; SERVER: 192.168.3.26#53(192.168.3.26)
;; WHEN: 日 6月 16 16:33:05 CST 2019
;; MSG SIZE  rcvd: 127

2. Global forwarding: every query for a zone that is not defined locally is handed to the forwarder

"Global forwarding format; added in /etc/named.conf"
options {
	... ...
	forward {only|first};
	forwarders { SERVER_IP; };
};
"Set up global forwarding"
[root@7 ~]# dig -t A www.baidu.com @192.168.3.26  "this fails, since the subdomain's master DNS server cannot reach the Internet"
[root@7 ~]# vim /etc/named.conf 
options {
        listen-on port 53 { 127.0.0.1; 192.168.3.26; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
      " add the following
        forward         only;
        forwarders      { 192.168.3.100; 192.168.3.20; };"
        //allow-query     { localhost; };
[root@7 ~]# named-checkconf
[root@7 ~]# systemctl reload named
[root@7 ~]# dig -t A www.baidu.com @192.168.3.26  "now resolves successfully"
; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> -t A www.baidu.com @192.168.3.26
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45069
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 6

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com.			IN	A

;; ANSWER SECTION:
www.baidu.com.		1069	IN	CNAME	www.a.shifen.com.
www.a.shifen.com.	178	IN	A	112.80.248.75
www.a.shifen.com.	178	IN	A	112.80.248.76

;; AUTHORITY SECTION:
a.shifen.com.		1198	IN	NS	ns2.a.shifen.com.
a.shifen.com.		1198	IN	NS	ns1.a.shifen.com.
a.shifen.com.		1198	IN	NS	ns3.a.shifen.com.
a.shifen.com.		1198	IN	NS	ns4.a.shifen.com.
a.shifen.com.		1198	IN	NS	ns5.a.shifen.com.

;; ADDITIONAL SECTION:
ns3.a.shifen.com.	1198	IN	A	112.80.255.253
ns5.a.shifen.com.	1198	IN	A	180.76.76.95
ns1.a.shifen.com.	1198	IN	A	61.135.165.224
ns2.a.shifen.com.	1198	IN	A	220.181.33.32
ns4.a.shifen.com.	1198	IN	A	14.215.177.229

;; Query time: 3233 msec
;; SERVER: 192.168.3.26#53(192.168.3.26)
;; WHEN: 日 6月 16 16:43:29 CST 2019
;; MSG SIZE  rcvd: 271

3. Note: the server being forwarded to must allow recursion for the forwarding server

IV. Security-related configuration in bind

1. acl: access control list; groups one or more addresses into a named set, so that the name can then be used to refer to every host in the set at once

"acl format; an acl must be defined before it is used, so place it before the options block"
acl acl_name {
	ip;
	net/prelen;
};
"For example"
acl mynet {
	192.168.3.0/24;
	127.0.0.0/8;
};
"The four acls built into bind"
1. none: no host at all
2. any: any host
3. localhost: this host
4. localnets: the networks this host's IP addresses belong to

2. Access control directives
1) allow-query {}; hosts allowed to query; a whitelist;

2) allow-transfer {}; which hosts may receive zone transfers; the default is all hosts, so it should be restricted to the slaves only
ps: an access control placed in the options block applies globally; placed in a zone it applies to that zone only

"At this point even the subdomain server can pull a zone transfer"
[root@7 ~]# dig -t axfr  kasumi.com @192.168.3.100  
; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> -t axfr @192.168.3.100
; (1 server found)
;; global options: +cmd
.			517345	IN	NS	f.root-servers.net.
.			517345	IN	NS	l.root-servers.net.
.			517345	IN	NS	c.root-servers.net.
.			517345	IN	NS	k.root-servers.net.
.			517345	IN	NS	j.root-servers.net.
.			517345	IN	NS	m.root-servers.net.
.			517345	IN	NS	b.root-servers.net.
.			517345	IN	NS	g.root-servers.net.
.			517345	IN	NS	e.root-servers.net.
.			517345	IN	NS	h.root-servers.net.
.			517345	IN	NS	a.root-servers.net.
.			517345	IN	NS	d.root-servers.net.
.			517345	IN	NS	i.root-servers.net.
;; Query time: 0 msec
;; SERVER: 192.168.3.100#53(192.168.3.100)
;; WHEN: 日 6月 16 17:01:01 CST 2019
;; MSG SIZE  rcvd: 811
"Configure the access control list"
[root@sakura ~]# vim /etc/named.rfc1912.zones "zone configuration"
zone "kasumi.com" IN {
     type master;
     file "kasumi.com.zone";
     allow-transfer { slaves; };   "add the access control"
};
[root@sakura ~]# vim /etc/named.conf  "main configuration file"
acl slaves {
	192.168.3.20;
	127.0.0.1;
};
[root@sakura ~]# named-checkconf 
[root@sakura ~]# rndc reload
server reload successful
[root@7 ~]# dig -t axfr kasumi.com @192.168.3.100  "the subdomain server can no longer transfer the zone"

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> -t axfr kasumi.com @192.168.3.100
;; global options: +cmd
; Transfer failed.
[root@grub6 ~]# dig -t  axfr kasumi.com @192.168.3.100  "the slave can still transfer the zone normally"

3) allow-recursion {}; which hosts may send recursive queries to this DNS server

"Restrict recursion to the local host only; by default every host may recurse"
[root@sakura ~]# vim /etc/named.conf 
acl mynet {
   127.0.0.0/8; "no host other than the local one can make recursive queries"
};
allow-recursion { mynet; }; "add this in the options block"
[root@sakura ~]# named-checkconf 
[root@sakura ~]# rndc reload
server reload successful
[root@7 ~]# dig -t A www.baidu.com @192.168.3.26  "the subdomain server, which forwards to this server, can no longer resolve"

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> -t A www.baidu.com @192.168.3.26
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19721
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com.			IN	A

;; Query time: 0 msec
;; SERVER: 192.168.3.26#53(192.168.3.26)
;; WHEN: 日 6月 16 17:44:29 CST 2019
;; MSG SIZE  rcvd: 42

4) allow-update {}; DDNS: allows dynamic updates to the contents of the zone database file (normally left disabled)

"Configure the slave to refuse zone transfers"
[root@grub6 ~]# vim /etc/named.rfc1912.zones 
zone "kasumi.com" IN {
        type slave;
        file "slaves/kasumi.com.zone";
        masters { 192.168.3.100; };
        allow-transfer { none; };
        allow-update { none; };
};
[root@grub6 ~]# rndc reload
server reload successful
[root@7 ~]# dig -t axfr kasumi.com @192.168.3.20
; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> -t axfr kasumi.com @192.168.3.20
;; global options: +cmd
; Transfer failed.

ps: within a zone, the master DNS server should allow zone transfers only to its slaves, and the slaves should have zone transfers disabled entirely; every zone should also set allow-update { none; };
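As an added example, not from these notes or from BIND itself: a Python audit that checks a named.conf against the ps above, flagging master zones that are transferable to any host, slave zones without allow-transfer { none; }, zones without an explicit allow-update { none; }, and an options block with no allow-recursion. It only understands the flat, one-level blocks shown on this page (no include files or /* */ comments); the sample config is constructed after the sakura master before it was hardened.

```python
import re
# Blocks with one level of nesting, e.g. zone "x" IN { masters { ...; }; ... };
ZONE_RE = re.compile(r'(?m)^\s*zone\s+"([^"]+)"[^{]*\{((?:[^{}]|\{[^{}]*\})*)\}')
OPTIONS_RE = re.compile(r'\boptions\s*\{((?:[^{}]|\{[^{}]*\})*)\}')

def address_list(body, stmt):
    """Entries of `stmt { a; b; };` inside body, or None if the statement is absent."""
    m = re.search(r'\b' + re.escape(stmt) + r'\s*\{([^}]*)\}', body)
    return None if m is None else [e.strip() for e in m.group(1).split(';') if e.strip()]

# Finding codes: open-axfr (master zone transferable to any host; the page's BIND 9.8/9.9
# default to any), slave-axfr (slave zone without allow-transfer { none; }), no-allow-update
# (no explicit allow-update { none; }), no-allow-recursion (options{} sets no allow-recursion).
def audit_named_conf(text):
    """Return (scope, code) pairs for the access-control checks this page recommends."""
    text = re.sub(r'(//|#)[^\n]*', '', text)          # strip // and # comments
    findings = []
    opts = OPTIONS_RE.search(text)
    global_xfer = address_list(opts.group(1), 'allow-transfer') if opts else None
    if opts is None or address_list(opts.group(1), 'allow-recursion') is None:
        findings.append(('options', 'no-allow-recursion'))
    for name, body in ZONE_RE.findall(text):
        tm = re.search(r'\btype\s+(\w+)\s*;', body)
        ztype = tm.group(1) if tm else ''
        is_master = ztype in ('master', 'primary')    # newer BIND spells these primary/secondary
        is_slave = ztype in ('slave', 'secondary')
        if not (is_master or is_slave):               # hint/forward zones hold no zone data
            continue
        xfer = address_list(body, 'allow-transfer')
        if xfer is None:
            xfer = global_xfer                        # zone inherits the options{} setting
        if is_master and (xfer is None or 'any' in xfer):
            findings.append((name, 'open-axfr'))
        if is_slave and xfer != ['none']:
            findings.append((name, 'slave-axfr'))
        if address_list(body, 'allow-update') != ['none']:
            findings.append((name, 'no-allow-update'))
    return findings

# Constructed master-side config modelled on the page's sakura server before hardening
MASTER_CONF = """
acl slaves { 192.168.3.20; 127.0.0.1; };
options { listen-on port 53 { 127.0.0.1; 192.168.3.100; }; directory "/var/named";
          //allow-query     { localhost; };
};
zone "." IN { type hint; file "named.ca"; };
zone "kasumi.com" IN { type master; file "kasumi.com.zone"; };
zone "3.168.192.in-addr.arpa" IN { type master; file "192.168.3.zone";
                                   allow-transfer { slaves; }; allow-update { none; }; };
"""
```

Running `audit_named_conf(MASTER_CONF)` reports the open transfer and missing allow-update on kasumi.com plus the unrestricted recursion; the reverse zone, which already carries both statements, is clean.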

V. bind view

1. bind view: answers differently depending on the client (split-horizon DNS)

"Configuration"
view VIEW_NAME {
	match-clients { ...; };
	zone "..." IN { ... };
	zone "..." IN { ... };
};

view internal {
	match-clients { 172.16.0.0/8; };
	zone "kasumi.com" IN {
		type master;
		file "kasumi.com/internal";
	};
};

view external {
	match-clients { any; };
	zone "kasumi.com" IN {
		type master;
		file "kasumi.com/external";
	};
};
ps: the client addresses can be defined as an acl and that acl used in match-clients {}. Views are tried in the order they are written, so the catch-all view with match-clients { any; } goes last, and once any view is defined every zone statement must sit inside a view.
