DNS and Bind(补充)
一.配置主从服务器
1.从服务器是区域级别的概念
2.配置正向解析的从服务器(应该注意主从服务器时间同步,使用ntpdate命令)
"一.设定bind的配置文件:/etc/named.conf"
1.在option选项中添加本机地址:listen-on port 53 { 127.0.0.1; 192.168.3.20; };
2.关闭仅允许本机查询://allow-query { localhost; };
3.将dnssec关闭:dnssec-enable no; dnssec-validation no;
4.检查named配置文件:
1)[root@grub6 ~]# named-checkconf
5.启动named服务,并确定其已经正常运行
1)[root@grub6 ~]# service named start
启动 named: [确定]
"二.定义区域"
[root@grub6 ~]# vim /etc/named.rfc1912.zones
zone "kasumi.com" IN {
type slave;
file "slaves/kasumi.com.zone";
masters { 192.168.3.100; };
};
ps:需要注意从服务指定的/var/named/slaves/kasumi.com.zone不需要自行提供配置文件,由主服务器进行传送即可
"三.检查配置文件"
[root@grub6 ~]# named-checkconf
"四.在主服务器上为从服务器添加NS记录,将其添加为ns2"
[root@sakura named]# vim /var/named/kasumi.com.zone
$TTL 3600
$ORIGIN kasumi.com.
@ IN SOA ns1.kasumi.com. dnsadmin.kasumi.com. (
2019061502
1H
10M
1D
2D )
IN NS ns1
" IN NS ns2"
IN MX 10 mx1
IN MX 30 mx2
ns1 IN A 192.168.3.200
"ns2 IN A 192.168.3.20"
www IN A 192.168.3.200
mx1 IN A 192.168.3.201
mx2 IN A 192.168.3.202
web IN CNAME www
bbs IN A 192.168.3.205
bbs IN A 192.168.3.206
ps:确保区域数据文件中为每个从服务配置NS记录,并且在正向区域文件中,需要向每个从服务器的NS记录的主机名配置其A记录,用以记录从服务器的IP
"五.重载主从服务器配置"
[root@sakura ~]# systemctl reload named "主服务器"
[root@grub6 ~]# service named reload "从服务器"
重新载入named: [确定]
"配置完成后测试,此时已经可以看到从服务器已经同步了主服务器的区域文件"
[root@grub6 ~]# ll /var/named/slaves/
总用量 4
-rw-r--r--. 1 named named 533 6月 15 15:15 kasumi.com.zone
"解析www.baidu.com,可以看到已经正常解析"
[root@grub6 ~]# dig -t A www.baidu.com @192.168.3.20
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 <<>> -t A www.baidu.com @192.168.3.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45904
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 4
;; QUESTION SECTION:
;www.baidu.com. IN A
;; ANSWER SECTION:
www.baidu.com. 1200 IN CNAME www.a.shifen.com.
www.a.shifen.com. 137 IN A 61.135.169.125
www.a.shifen.com. 137 IN A 61.135.169.121
;; AUTHORITY SECTION:
shifen.com. 172800 IN NS ns2.baidu.com.
shifen.com. 172800 IN NS dns.baidu.com.
shifen.com. 172800 IN NS ns4.baidu.com.
shifen.com. 172800 IN NS ns3.baidu.com.
;; ADDITIONAL SECTION:
dns.baidu.com. 172800 IN A 202.108.22.220
ns2.baidu.com. 172800 IN A 220.181.33.31
ns3.baidu.com. 172800 IN A 112.80.248.64
ns4.baidu.com. 172800 IN A 14.215.178.80
;; Query time: 919 msec
;; SERVER: 192.168.3.20#53(192.168.3.20)
;; WHEN: Sat Jun 15 15:16:19 2019
;; MSG SIZE rcvd: 226
"增加主服务器的资源记录,测试从服务器是否可以解析"
[root@sakura ~]# vim /var/named/kasumi.com.zone
pop3 IN A 192.168.3.208 "添加新记录"
ps:需要注意,每次更改主服务器的区域内容时,需要对应增加其序列号,此时更改为2019061503
[root@sakura ~]# systemctl reload named
[root@sakura ~]# systemctl status named
zone kasumi.com/IN: sending notifies (serial 2019061503) "可以看到status中已经进行传送更改的2019061503序列号文件了"
"可以看到从服务器已经能够解析新增的记录"
[root@grub6 ~]# dig -t A pop3.kasumi.com @192.168.3.20
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 <<>> -t A pop3.kasumi.com @192.168.3.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33257
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;pop3.kasumi.com. IN A
;; ANSWER SECTION:
pop3.kasumi.com. 3600 IN A 192.168.3.208
;; AUTHORITY SECTION:
kasumi.com. 3600 IN NS ns2.kasumi.com.
kasumi.com. 3600 IN NS ns1.kasumi.com.
;; ADDITIONAL SECTION:
ns1.kasumi.com. 3600 IN A 192.168.3.200
ns2.kasumi.com. 3600 IN A 192.168.3.20
;; Query time: 0 msec
;; SERVER: 192.168.3.20#53(192.168.3.20)
;; WHEN: Sat Jun 15 15:24:28 2019
;; MSG SIZE rcvd: 117
ps:此时从服务/var/named/slaves/kasumi.com.zone文件也已经更新
"也可以手动进行区域传送"
[root@grub6 ~]# dit -t axfr kasumi.com @192.168.3.100
3.配置反向解析的从服务器
"一.定义区域"
[root@grub6 ~]# vim /etc/named.rfc1912.zones
zone "3.168.192.in-addr.arpa" IN {
type slave;
file "slaves/192.168.3.zone";
masters { 192.168.3.100; };
};
[root@grub6 ~]# named-checkconf "检查配置文件"
"二.在主服务器的反向解析库添加从服务器相关数据"
[root@sakura ~]# cat /var/named/192.168.3.zone
$TTL 3600
$ORIGIN 3.168.192.in-addr.arpa.
@ IN SOA ns1.kasumi.com. nsadmin.kasumi.com. (
2019061503
1H
10M
1D
12H )
IN NS ns1.kasumi.com.
" IN NS ns2.kasumi.com."
200 IN PTR ns1.kasumi.com.
201 IN PTR mx1.kasumi.com.
202 IN PTR mx2.kasumi.com.
205 IN PTR bbs.kasumi.com
206 IN PTR bbs.kasumi.com.
200 IN PTR www.kasumi.com.
"20 IN PTR ns2.kasumi.com."
[root@sakura ~]# named-checkzone 3.168.192.in-addr.arpa /var/named/192.168.3.zone
zone 3.168.192.in-addr.arpa/IN: loaded serial 2019061502
OK "确认区域文件没有错误"
ps:需要注意,更改其序列号为2019061503
"三.重载主从配置文件,可以看到反向解析库文件以及同步"
[root@sakura ~]# systemctl reload named.service "主服务器"
[root@grub6 ~]# service named reload "从服务器"
[root@grub6 ~]#
[root@grub6 ~]# ll /var/named/slaves/
总用量 8
-rw-r--r--. 1 named named 518 6月 15 15:42 192.168.3.zone
-rw-r--r--. 1 named named 556 6月 15 15:25 kasumi.com.zone
相关测试,可以看到已经可以进行反向解析了
[root@grub6 ~]# dig -x 192.168.3.200 @192.168.3.20
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 <<>> -x 192.168.3.200 @192.168.3.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46616
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;200.3.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
200.3.168.192.in-addr.arpa. 3600 IN PTR ns1.kasumi.com.
200.3.168.192.in-addr.arpa. 3600 IN PTR www.kasumi.com.
;; AUTHORITY SECTION:
3.168.192.in-addr.arpa. 3600 IN NS ns2.kasumi.com.
3.168.192.in-addr.arpa. 3600 IN NS ns1.kasumi.com.
;; ADDITIONAL SECTION:
ns1.kasumi.com. 3600 IN A 192.168.3.200
ns2.kasumi.com. 3600 IN A 192.168.3.20
;; Query time: 0 msec
;; SERVER: 192.168.3.20#53(192.168.3.20)
;; WHEN: Sat Jun 15 15:46:51 2019
;; MSG SIZE rcvd: 154
"一.在主服务器上增加反向解析记录,并测试"
[root@sakura ~]# vim /var/named/192.168.3.zone
208 IN PTR pop3.kasumi.com. "增加的内容"
2019061504 "改变的序列号"
[root@sakura ~]# systemctl reload named.service
[root@sakura ~]# systemctl status named.service
zone 3.168.192.in-addr.arpa/IN: sending notifies (serial 2019061504) "已经进行增量传送"
"二.在送服务器进行测试,成功解析"
[root@grub6 ~]# dig -x 192.168.3.208 @192.168.3.20
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 <<>> -x 192.168.3.208 @192.168.3.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3144
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;208.3.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
208.3.168.192.in-addr.arpa. 3600 IN PTR pop3.kasumi.com.
;; AUTHORITY SECTION:
3.168.192.in-addr.arpa. 3600 IN NS ns2.kasumi.com.
3.168.192.in-addr.arpa. 3600 IN NS ns1.kasumi.com.
;; ADDITIONAL SECTION:
ns1.kasumi.com. 3600 IN A 192.168.3.200
ns2.kasumi.com. 3600 IN A 192.168.3.20
;; Query time: 0 msec
;; SERVER: 192.168.3.20#53(192.168.3.20)
;; WHEN: Sat Jun 15 15:50:39 2019
;; MSG SIZE rcvd: 141
二.子域授权
1.正向解析区域授权子域的方法
ops.kasumi.com. IN NS ns1.ops.kasumi.com.
ops.kasumi.com. IN NS ns2.ops.kasumi.com.
ns1.ops.kasumi.com. IN A IPADDRS
ns2.ops.kasumi.com. IN A IPADDRS
2.授权子域(此子域主机不能访问外网)
"一,更改named服务相关配置,并启动named服务"
"二.在主服务器上增加子域"
[root@sakura ~]# vim /var/named/kasumi.com.zone
ops IN NS ns1.ops "增加NS服务器"
ns1.ops IN A 192.168.3.26 "增加A记录"
2019061504 "增加序列号,使从服务器同步"
[root@sakura ~]# systemctl reload named.service
"三.配置子域服务器"
"1.定义区域"
[root@7 ~]# vim /etc/named.rfc1912.zones
zone "ops.kasumi.com" IN {
type master;
file "ops.kasumi.com.zone";
};
"2.配置区域文件"
[root@7 ~]# cat /var/named/ops.kasumi.com.zone
$TTL 3600
$ORIGIN ops.kasumi.com.
@ IN SOA ns1.ops.kasumi.com. nsadmin.ops.kasumi.com. (
2019061501
1H
10M
1D
2H )
IN NS ns1
ns1 IN A 192.168.3.26
www IN A 192.168.3.26
"3.更改权限及属组"
[root@7 ~]# chmod o= /var/named/ops.kasumi.com.zone
[root@7 ~]# chown .named /var/named/ops.kasumi.com.zone
[root@7 ~]# ll /var/named/ops.kasumi.com.zone
-rw-r-----. 1 root named 178 6月 15 19:07 /var/named/ops.kasumi.com.zone
"4.语法检查并进行重载"
[root@7 ~]# named-checkconf
[root@7 ~]# systemctl reload named.service
"相关解析测试"
[root@7 ~]# dig -t A www.ops.kasumi.com @192.168.3.26
; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> -t A www.ops.kasumi.com @192.168.3.26
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17977
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ops.kasumi.com. IN A
;; ANSWER SECTION:
www.ops.kasumi.com. 3600 IN A 192.168.3.26
;; AUTHORITY SECTION:
ops.kasumi.com. 3600 IN NS ns1.ops.kasumi.com.
;; ADDITIONAL SECTION:
ns1.ops.kasumi.com. 3600 IN A 192.168.3.26
;; Query time: 0 msec
;; SERVER: 192.168.3.26#53(192.168.3.26)
;; WHEN: 六 6月 15 19:09:24 CST 2019
;; MSG SIZE rcvd: 97
"在其父域进行解析"
[root@sakura ~]# dig -t A www.ops.kasumi.com @192.168.3.100
; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> -t A www.ops.kasumi.com @192.168.3.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2844
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ops.kasumi.com. IN A
;; ANSWER SECTION:
www.ops.kasumi.com. 3600 IN A 192.168.3.26
;; AUTHORITY SECTION:
ops.kasumi.com. 3600 IN NS ns1.ops.kasumi.com.
;; ADDITIONAL SECTION:
ns1.ops.kasumi.com. 3600 IN A 192.168.3.26
;; Query time: 3 msec
;; SERVER: 192.168.3.100#53(192.168.3.100)
;; WHEN: 六 6月 15 19:11:05 CST 2019
;; MSG SIZE rcvd: 97
三.定义转发
1.区域转发:仅转发对某特定区域的解析请求
"区域转发格式"
zone "ZONE_NAME" IN {
type forward;
forward {only|first};
forwarders { SERVER_IP; };
};
ps:需要注意
1)first:首先转发;当转发器不响应时,自行去迭代进行查询
2)only:只转发,自己不会进行查询
"设置区域转发"
[root@7 ~]# dig -t A www.kasumi.com @192.168.3.26 "未设置转发时,子域无法解析父域的域名,此时也可以通过@主服务器进行解析"
[root@7 ~]# vim /etc/named.rfc1912.zones
zone "kasumi.com" IN {
type forward;
forward {only};
forwarders { 192.168.3.100; 192.168.3.20; };
};
[root@7 ~]# named-checkconf
[root@7 ~]# systemctl reload named.service
[root@7 ~]# dig -t A www.kasumi.com @192.168.3.26 "此时已经可以解析父域"
; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> -t A www.kasumi.com @192.168.3.26
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36721
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.kasumi.com. IN A
;; ANSWER SECTION:
www.kasumi.com. 3565 IN A 192.168.3.200
;; AUTHORITY SECTION:
kasumi.com. 3565 IN NS ns1.kasumi.com.
kasumi.com. 3565 IN NS ns2.kasumi.com.
;; ADDITIONAL SECTION:
ns1.kasumi.com. 3565 IN A 192.168.3.200
ns2.kasumi.com. 3565 IN A 192.168.3.20
;; Query time: 0 msec
;; SERVER: 192.168.3.26#53(192.168.3.26)
;; WHEN: 日 6月 16 16:33:05 CST 2019
;; MSG SIZE rcvd: 127
2.全局转发:针对凡本地没有通过zone定义的区域查询请求,通通转给某转发器
"全局转发格式,需要在/etc/named.conf中进行添加"
option {
... ...
forward {only|first};
forwarders { SERVER_IP; };
};
"设置全局转发"
[root@7 ~]# dig -t A www.baidu.com @192.168.3.26 "此时由于子域主DNS服务器不能连接外网无法解析"
[root@7 ~]# vim /etc/named.conf
options {
listen-on port 53 { 127.0.0.1; 192.168.3.26; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
" 添加如下内容
forward only;
forwarders { 192.168.3.100; 192.168.3.20; };"
//allow-query { localhost; };
[root@7 ~]# named-checkconf
[root@7 ~]# systemctl reload named
[root@7 ~]# dig -t A www.baidu.com @192.168.3.26 "此时已经成功解析"
; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> -t A www.baidu.com @192.168.3.26
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45069
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 6
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com. IN A
;; ANSWER SECTION:
www.baidu.com. 1069 IN CNAME www.a.shifen.com.
www.a.shifen.com. 178 IN A 112.80.248.75
www.a.shifen.com. 178 IN A 112.80.248.76
;; AUTHORITY SECTION:
a.shifen.com. 1198 IN NS ns2.a.shifen.com.
a.shifen.com. 1198 IN NS ns1.a.shifen.com.
a.shifen.com. 1198 IN NS ns3.a.shifen.com.
a.shifen.com. 1198 IN NS ns4.a.shifen.com.
a.shifen.com. 1198 IN NS ns5.a.shifen.com.
;; ADDITIONAL SECTION:
ns3.a.shifen.com. 1198 IN A 112.80.255.253
ns5.a.shifen.com. 1198 IN A 180.76.76.95
ns1.a.shifen.com. 1198 IN A 61.135.165.224
ns2.a.shifen.com. 1198 IN A 220.181.33.32
ns4.a.shifen.com. 1198 IN A 14.215.177.229
;; Query time: 3233 msec
;; SERVER: 192.168.3.26#53(192.168.3.26)
;; WHEN: 日 6月 16 16:43:29 CST 2019
;; MSG SIZE rcvd: 271
3.需要注意:被转发的服务器必须允许为当前服务做递归
四.bind中的安全相关配置
1.acl:访问控制列表;把一个或多个地址归并一个命名的集合,随后通过此名称即可对此集和内的所有主机实现统一调用
"acl设置格式,需要先定义才可以使用,放在option前"
acl acl_name {
ip;
net/prelen;
};
"例如"
acl mynet {
192.168.3.0/24;
127.0.0.0/8;
};
"bind内置的四个acl"
1.none:没有一个主机
2.any:任意主机
3.local:本机
4.localnet:本机所在的IP所属网络
2.访问控制指令
1)allow-query {}; 允许查询的主机;白名单;
2)allow-transfer {}; 允许向哪些主机做区域传送;默认为所有主机,应该将其配置为仅允许从服务器
ps:需要注意若将其访问控制添加至option中则对全局生效,添加至区域中仅对指定区域生效
"此时子域服务器也可进行区域传送"
[root@7 ~]# dig -t axfr kasumi.com @192.168.3.100
; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> -t axfr @192.168.3.100
; (1 server found)
;; global options: +cmd
. 517345 IN NS f.root-servers.net.
. 517345 IN NS l.root-servers.net.
. 517345 IN NS c.root-servers.net.
. 517345 IN NS k.root-servers.net.
. 517345 IN NS j.root-servers.net.
. 517345 IN NS m.root-servers.net.
. 517345 IN NS b.root-servers.net.
. 517345 IN NS g.root-servers.net.
. 517345 IN NS e.root-servers.net.
. 517345 IN NS h.root-servers.net.
. 517345 IN NS a.root-servers.net.
. 517345 IN NS d.root-servers.net.
. 517345 IN NS i.root-servers.net.
;; Query time: 0 msec
;; SERVER: 192.168.3.100#53(192.168.3.100)
;; WHEN: 日 6月 16 17:01:01 CST 2019
;; MSG SIZE rcvd: 811
"配置控制列表"
[root@sakura ~]# vim /etc/named.rfc1912.zones "配置区域文件"
zone "kasumi.com" IN {
type master;
file "kasumi.com.zone";
allow-transfer { slaves; }; "添加访问控制"
};
[root@sakura ~]# vim /etc/named.conf "配置主文件"
acl slaves {
192.168.3.20;
127.0.0.1;
};
[root@sakura ~]# named-checkconf
[root@sakura ~]# rndc reload
server reload successful
[root@7 ~]# dig -t axfr kasumi.com @192.168.3.100 "子域无法进行区域传送"
; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> -t axfr kasumi.com @192.168.3.100
;; global options: +cmd
; Transfer failed.
[root@grub6 ~]# dig -t axfr kasumi.com @192.168.3.100 "从服务器可以正常进行区域传送"
3)allow-recursion {}; 允许哪些主机向当前DNS服务器发起递归查询请求
"添加设置为仅本地主机可进行递归查询,默认所有主机均可进行"
[root@sakura ~]# vim /etc/named.conf
acl mynet {
127.0.0.0/8; "表示所有主机都无法进行递归查询"
};
allow-recursion { mynet; }; "在option中添加"
[root@sakura ~]# named-checkconf
[root@sakura ~]# rndc reload
server reload successful
[root@7 ~]# dig -t A www.baidu.com @192.168.3.26 "此时定义过转发的子域已经无法进行解析"
; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> -t A www.baidu.com @192.168.3.26
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19721
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com. IN A
;; Query time: 0 msec
;; SERVER: 192.168.3.26#53(192.168.3.26)
;; WHEN: 日 6月 16 17:44:29 CST 2019
;; MSG SIZE rcvd: 42
4)allow-update {}; DDNS,允许动态更新区域数据库文件中的内容(一般不开启)
"对从服务器设置不运行进行区域传送"
[root@grub6 ~]# vim /etc/named.rfc1912.zones
zone "kasumi.com" IN {
type slave;
file "slaves/kasumi.com.zone";
masters { 192.168.3.100; };
allow-transfer { none; };
allow-update { none; };
};
[root@grub6 ~]# rndc reload
server reload successful
[root@7 ~]# dig -t axfr kasumi.com @192.168.3.20
; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> -t axfr kasumi.com @192.168.3.20
;; global options: +cmd
; Transfer failed.
ps:需要注意,在一个域中,其主DNS服务器应该将区域传送设置为仅向从服务器进行传送,并且将从服务器的区域传送全部关闭;并且每一个区域都应该设置allow-update { none; };
五.bind view
1.bind view:实现DNS智能解析
"相关配置"
view VIEW_NAME {
zone
zone
zone
}
view internal {
match-clients { 172.16.0.0/8; };
zone "kasumi.com" IN{
type master;
file "kasumi.com/internal";
};
};
view external {
match-clients { any; };
zone "kasumi.com" IN{
type master;
file "kasumi.com/external";
};
};
ps:可以将指定IP设定为acl,将其用在match-clients{}中