1. 搭建DNS服务器

    试验要求:以workstation(92.168.1.105)作为服务器,(可以做正向解析和反向解析),以server1(192.168.1.103)作为客户机验证

#安装bind服务

yum install bind-chroot bind-utils -y

bind安装好之后会产生若干程序和配置文件;常见的如下:

主程序:/usr/sbin/named 

主配置文件:/etc/named.conf

区域配置文件:/etc/named.rfc.1912.zones

#配置bind

vim /etc/named.conf

11         listen-on port 53 { any; };

17         allow-query     { any; };

zai ru xia tian jia :keyi shang waiwang///zhuan fa gong neng

allow-query     { any; };
        forward first;
        forwarders {
        8.8.8.8;
        };

vim /etc/named.rfc1912.zones添加

zone "example.com" IN {

        type master;

        file "example.com.zone";

        allow-update { none; };

};

ba DNS fu wu qi di zhi zhixiang ziji

添加正向解析:

cd /var/named/

cp -a named.localhost example.com.zone //复制模板文件

vim example.com.zone 

$TTL 1D

@       IN SOA example.com.     root.example.com. (

                                        0       ; serial

                                        1D      ; refresh

                                        1H      ; retry

                                        1W      ; expire

                                        3H )    ; minimum

                NS      ns.example.com.

ns              IN A    192.168.1.105

workstation     IN A    192.168.1.105

server1         IN A    192.168.1.103

#检查配置文件及添加的zone是否正确

named-checkconf /etc/named.conf 

named-checkzone example.com /var/named/example.com.zone

重启服务

systemctl restart named;systemctl enable named

在server1上用nslookup /dig /host+域名验证

yum -y install bind-chroot bind-utils

nslookup server1.example.com

Server:192.168.1.105

Address:192.168.1.105#53


Name:server1.example.com

Address: 192.168.1.103

 添加反向解析:

vim /etc/named.rfc1912.zones

添加

zone "1.168.192.in-addr.arpa" IN {

        type master;

        file "192.168.1.arpa";

        allow-update { none; };

};

vim 192.168.1.arpa 

$TTL 1D

@       IN SOA  example.com.    root.example.com. (

                                        0       ; serial

                                        1D      ; refresh

                                        1H      ; retry

                                        1W      ; expire

                                        3H )    ; minimum

        NS      ns.example.com.

ns      A       192.168.1.105

105     PTR     ns.example.com.

105     PTR     workstation.example.com.

103     PTR     server1.example.com.

部署从服务器:

workstation :vim /etc/named.rfc1912.zones

allow-update { server1的IP;};//正反向zone中都需要添加从服务器的IP

重启服务

systemctl restart named

server1:vim /etc/named.conf 

options {

        listen-on port 53 { any; };

        listen-on-v6 port 53 { ::1; };

        directory       "/var/named";

        dump-file       "/var/named/data/cache_dump.db";

        statistics-file "/var/named/data/named_stats.txt";

        memstatistics-file "/var/named/data/named_mem_stats.txt";

        allow-query     { any; };

在区域配置文件中添加如下:

vim /etc/named.rfc1912.zones

zone "example.com" IN {

        type slave;

        masters { 192.168.1.105; };

        file "slaves/example.com.zone";

};

zone "1.168.192.in-addr.arpa" IN {

        type slave;

        masters { 192.168.1.105; };

        file "slaves/192.168.1.arpa";

};

systemctl restart named

验证:

cd /var/named/slaves

[root@server1 slaves]# ls

192.168.1.arpa  example.com.zone

主从服务器上启用密钥加密传输

workstation:

dnssec-keygen -a HMAC-MD5 -b 128 -n HOST student//生成DNS服务密钥

cat Kstudent.+157+61155.private //查看私钥,记住key的内容,待会会用到

Private-key-format: v1.3

Algorithm: 157 (HMAC_MD5)

Key: 5GzHt48CGo+pMEGrg7ck/Q==

Bits: AAA=

Created: 20161014154442

Publish: 20161014154442

Activate: 20161014154442

vim /var/named/chroot/etc/transfer.key//新建并编辑:

添加:

key "student" {

algorithm hmac-md5;

secret "5GzHt48CGo+pMEGrg7ck/Q==";

};

chown root.named /var/named/chroot/etc/transfer.key//更改权限

ln /var/named/chroot/etc/transfer.key /etc/transfer.key//创建硬链接

vim /etc/named.conf//编辑配置文件,新增红色部分

include "/etc/transfer.key";

options {

        listen-on port 53 { any; };

        listen-on-v6 port 53 { ::1; };

        directory       "/var/named";

        dump-file       "/var/named/data/cache_dump.db";

        statistics-file "/var/named/data/named_stats.txt";

        memstatistics-file "/var/named/data/named_mem_stats.txt";

        allow-query     { any; };

        allow-transfer { key student; };

systemctl restart named//保存重启服务

在server1上验证:

rm -rf /var/named/slaves/*

systemctl restart named //首先删除未加密前产生的文件

结果如下:

[root@server1 ~]# nslookup workstation.example.com

;; Got SERVFAIL reply from 127.0.0.1, trying next server

;; Got SERVFAIL reply from 127.0.0.1, trying next server

Server:::1

Address:::1#53

** server can't find workstation.example.com.example.com: SERVFAIL//解析失败

workstation:

scp /var/named/chroot/etc/transfer.key [email protected]:/var/named/chroot/etc///把密钥发给从服务器

server1

cd /var/named/chroot/etc/

chown root:named transfer.key //更改所属组

ln transfer.key /etc/transfer.key//建立硬链接

vim /etc/named.conf

include "/etc/transfer.key";//在文件头部添加

server 192.168.1.105 {

        keys    { ruiyung; };

};//在loggin前添加

systemctl restart named

验证:从服务器是否同步到

[root@server1 slaves]# ls -al

total 12

drwxrwx---. 2 named named   50 Oct 14 17:22 .

drwxr-x---. 6 root  named 4096 Oct 14 14:38 ..

-rw-r-----. 1 named named  262 Oct 14 17:22 192.168.1.arpa

-rw-r-----. 1 named named  240 Oct 14 17:22 example.com.zone


注意:关闭防火墙,seinux