搭建DNS服务器
实验要求:以workstation(192.168.1.105)作为服务器(可以做正向解析和反向解析),以server1(192.168.1.103)作为客户机验证
#安装bind服务
yum install bind-chroot bind-utils -y
bind安装好之后会产生若干程序和配置文件;常见的如下:
主程序:/usr/sbin/named
主配置文件:/etc/named.conf
区域配置文件:/etc/named.rfc1912.zones
#配置bind
vim /etc/named.conf
11 listen-on port 53 { any; };
17 allow-query { any; };
再添加如下内容(可以上外网 // 转发功能):
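allow-query { any; };                       // 允许任何来源查询本机权威的区域
// allow-query { any; } 再加上下面的转发,意味着本机会替所有来源做递归查询;
// 把递归限制在本机和本地网段,避免本机成为开放递归解析器(open resolver)
allow-recursion { localhost; localnets; };
forward first;                              // 先转发给 forwarders,转发失败再自己递归
forwarders {
    8.8.8.8;                                // 上游(外网)DNS
};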
vim /etc/named.rfc1912.zones 添加:
zone "example.com" IN {          // 正向区域
type master;                     // 本机是该区域的主服务器
file "example.com.zone";         // 相对于 options 中 directory(/var/named)的区域文件
allow-update { none; };          // 禁止动态更新(DDNS);区域传送由 allow-transfer 控制,不是这里
};
把 DNS 服务器地址指向自己(即本机 192.168.1.105)
添加正向解析:
cd /var/named/
cp -a named.localhost example.com.zone //复制模板文件
vim example.com.zone
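$TTL 1D                                   ; 区域内记录的默认 TTL
@ IN SOA example.com. root.example.com. ( ; @ = 当前区域 example.com.;root.example.com. 表示管理员邮箱 root@example.com
0 ; serial   每次修改区域文件后必须递增,否则从服务器不会重新同步
1D ; refresh 从服务器多久向主服务器核对一次 serial
1H ; retry   refresh 失败后的重试间隔
1W ; expire  超过此时间仍联系不上主服务器,从服务器停止应答该区域
3H ) ; minimum  否定应答(NXDOMAIN)的缓存时间
@ IN NS ns.example.com.                   ; 区域的权威名称服务器;显式写出 owner @(原文靠行首空白继承上一行的 owner)
ns IN A 192.168.1.105                     ; NS 记录指向的主机必须有 A 记录
workstation IN A 192.168.1.105
server1 IN A 192.168.1.103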
#检查配置文件及添加的zone是否正确
named-checkconf /etc/named.conf
named-checkzone example.com /var/named/example.com.zone
重启服务
systemctl restart named;systemctl enable named
在server1上用nslookup /dig /host+域名验证
yum -y install bind-chroot bind-utils
nslookup server1.example.com
Server:192.168.1.105
Address:192.168.1.105#53
Name:server1.example.com
Address: 192.168.1.103
添加反向解析:
vim /etc/named.rfc1912.zones
添加
zone "1.168.192.in-addr.arpa" IN {   // 反向区域:192.168.1.0/24,网段各段倒序再加 in-addr.arpa
type master;                         // 本机是该区域的主服务器
file "192.168.1.arpa";               // 相对于 options 中 directory(/var/named)的区域文件
allow-update { none; };              // 禁止动态更新(DDNS)
};
vim 192.168.1.arpa
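$TTL 1D                                   ; 默认 TTL
@ IN SOA example.com. root.example.com. ( ; @ = 1.168.192.in-addr.arpa.(由 named.rfc1912.zones 中的 zone 名决定)
0 ; serial   每次修改后递增,否则从服务器不会重新同步
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum  否定应答缓存时间
@ IN NS ns.example.com.                   ; 显式写出 owner @;反向区域的权威名称服务器
ns A 192.168.1.105                        ; 反向区域里并不需要这条 A 记录(ns.example.com. 的地址在正向区域中),保留无害
105 PTR ns.example.com.                   ; 192.168.1.105 -> ns.example.com.
105 PTR workstation.example.com.          ; 同一 IP 两条 PTR,反向查询可能返回任意一条;通常只保留一条
103 PTR server1.example.com.              ; 192.168.1.103 -> server1.example.com.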
部署从服务器:
workstation :vim /etc/named.rfc1912.zones
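// 正反向 zone 中都需要允许从服务器(server1,192.168.1.103)做区域传送。
// 注意:控制区域传送的是 allow-transfer;allow-update 控制的是动态更新(DDNS),
// 把从服务器 IP 写进 allow-update 不能让它同步区域,反而允许它改写主服务器上的区域数据。
allow-transfer { 192.168.1.103; };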
重启服务
systemctl restart named
server1:vim /etc/named.conf
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
在区域配置文件中添加如下:
vim /etc/named.rfc1912.zones
zone "example.com" IN {               // 正向区域,本机为从服务器
type slave;                           // 从主服务器同步区域数据
masters { 192.168.1.105; };           // 主服务器地址(新版 BIND 中 masters 改名为 primaries,旧名仍可用)
file "slaves/example.com.zone";       // 同步下来的区域文件,相对于 directory(/var/named)
// NOTE(review): 从服务器本身也会应答区域传送请求;若未限制 allow-transfer,整个区域数据可能被任意请求者拉走
};
zone "1.168.192.in-addr.arpa" IN {    // 反向区域,本机为从服务器
type slave;
masters { 192.168.1.105; };
file "slaves/192.168.1.arpa";
};
systemctl restart named
验证:
cd /var/named/slaves
[root@server1 slaves]# ls
192.168.1.arpa example.com.zone
主从服务器之间启用 TSIG 密钥认证的区域传送(TSIG 只对传输做签名认证,并不加密传输内容)
workstation:
dnssec-keygen -a HMAC-MD5 -b 128 -n HOST student//生成DNS服务密钥(HMAC-MD5 已属弱算法,新版 BIND 建议用 tsig-keygen -a hmac-sha256 student 生成 TSIG 密钥)
cat Kstudent.+157+61155.private //查看私钥,记住key的内容,待会会用到
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: 5GzHt48CGo+pMEGrg7ck/Q==
Bits: AAA=
Created: 20161014154442
Publish: 20161014154442
Activate: 20161014154442
vim /var/named/chroot/etc/transfer.key//新建并编辑:
添加:
key "student" {
algorithm hmac-md5;
secret "5GzHt48CGo+pMEGrg7ck/Q==";
};
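chown root:named /var/named/chroot/etc/transfer.key     # 更改属组为 named,让 named 进程能读取密钥(root.named 是旧写法,等价)
chmod 640 /var/named/chroot/etc/transfer.key            # 去掉其他用户的读权限:secret 一旦泄露,TSIG 认证就失去意义
ln /var/named/chroot/etc/transfer.key /etc/transfer.key   # 创建硬链接,chroot 内外的 /etc/transfer.key 是同一个文件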
vim /etc/named.conf//编辑配置文件,新增下面的 include 和 allow-transfer 两行(原文用红色标出)
include "/etc/transfer.key";
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
allow-transfer { key student; };
systemctl restart named//保存重启服务
在server1上验证:
rm -rf /var/named/slaves/*
systemctl restart named //先删除配置密钥前同步下来的区域文件,再重启服务
结果如下:
[root@server1 ~]# nslookup workstation.example.com
;; Got SERVFAIL reply from 127.0.0.1, trying next server
;; Got SERVFAIL reply from 127.0.0.1, trying next server
Server:::1
Address:::1#53
** server can't find workstation.example.com.example.com: SERVFAIL//解析失败:主服务器现在只允许带密钥签名的区域传送,server1 尚未配置密钥,无法同步区域
workstation:
scp /var/named/chroot/etc/transfer.key root@192.168.1.103:/var/named/chroot/etc///把密钥发给从服务器
server1:
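cd /var/named/chroot/etc/
chown root:named transfer.key        # 更改所属组,让 named 进程能读取密钥
chmod 640 transfer.key               # 不要依赖 scp 保留权限,显式确保密钥不对其他用户可读
ln transfer.key /etc/transfer.key    # 建立硬链接,chroot 内外共用同一文件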
vim /etc/named.conf
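include "/etc/transfer.key";   // 在文件头部添加:引入 key "student" 的定义(secret 与主服务器上的一致)
server 192.168.1.105 {
    // 对主服务器(192.168.1.105)发出的请求(包括区域传送)都用该 key 签名。
    // 名字必须与 transfer.key 中的 key "student" 一致;写成别的名字,named 加载配置时会报 unknown key。
    keys { student; };
};   // 在 logging 前添加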
systemctl restart named
验证:从服务器是否同步到
[root@server1 slaves]# ls -al
total 12
drwxrwx---. 2 named named 50 Oct 14 17:22 .
drwxr-x---. 6 root named 4096 Oct 14 14:38 ..
-rw-r-----. 1 named named 262 Oct 14 17:22 192.168.1.arpa
-rw-r-----. 1 named named 240 Oct 14 17:22 example.com.zone
注意:本实验中关闭了防火墙和 SELinux;生产环境应改为放行 53/tcp 与 53/udp 并保留 SELinux,而不是整体关闭