####辅助dns####
###dns集群####
(1)辅助dns
设定slave
选定一台机子作辅助dns机
在辅助机上的操作
1. yum install bind -y
2.vim /etc/named.conf
 listen-on port 53 { any; };
 allow-query     { any; };
 dnssec-validation no;
3.vim /etc/named.rfc1912.zones
zone "westos.com" IN {
        type slave;
        masters {172.25.254.109; };
        file "slaves/westos.com.zone";
        allow-update { none; };
};
4.vim /etc/resolv.conf
namesever 172.25.254.209
5.systemctl restart named
6.systemctl stop firewalld
主dns设置
vim /etc/named.rfc1912.zones
zone "westos.com" IN {
        type master;
        file "westos.com.zone";
        allow-update {none; };
        allow-transfer {172.25.254.209; };    ##允许209同步数据
};
$TTL 1D
@       IN SOA  dns.westos.com. root.westos.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      dns.westos.com.
dns     A       172.25.254.109
www     A       172.25.254.140
www     A       172.25.254.240
systemctl restart named           ##重启服务
进行以上操作后将在辅助dns机的slaves/有 westos.com.zone文件
可以在辅助dns机中 dig www.westos.com
[root@slave-dns slaves]# dig www.westos.com
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> www.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29609
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.westos.com.   IN A

;; ANSWER SECTION:
www.westos.com.  86400 IN A 172.25.254.240
www.westos.com.  86400 IN A 172.25.254.140

;; AUTHORITY SECTION:
westos.com.  86400 IN NS dns.westos.com.

;; ADDITIONAL SECTION:
dns.westos.com.  86400 IN A 172.25.254.109

;; Query time: 0 msec
;; SERVER: 172.25.254.109#53(172.25.254.109)
;; WHEN: Wed Nov 30 08:19:21 EST 2016
;; MSG SIZE  rcvd: 109
(2)辅助dns自动获取主dns数据
主dns设置
vim /etc/named.rfc1912.zones
zone "westos.com" IN {
        type master;
        file "westos.com.zone";
        allow-update { 172.25.254.209; };
        allow-transfer {172.25.254.209; };
        also-notify {172.25.254.209; };    ##主dns发生变化时,将同步到辅助dns
};
 vim /var/named/westos.com.zone
$TTL 1D
@       IN SOA  dns.westos.com. root.westos.com. (
                                2016112901      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      dns.westos.com.
dns     A       172.25.254.109
www     A       172.25.254.140
www     A       172.25.254.152
systemctl restart named
(以上的操作是改变www.westos.com的ip地址,并且要辅助dns机与之同步,常规操作则必须删除辅助机中slave/westos.com.zone文件,而每次进行这样的操作过于麻烦,而上面的操作则是选择在主dns机中修改/var/named/westos.com.zone文件中的serial值(上限10位数)以达到在以后的操作中自动同步主dns)
在辅助dns上测试
[root@dns-slave slaves]# dig www.westos.com

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> www.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18144
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.westos.com.   IN A

;; ANSWER SECTION:
www.westos.com.  86400 IN A 172.25.254.152
www.westos.com.  86400 IN A 172.25.254.140

;; AUTHORITY SECTION:
westos.com.  86400 IN NS dns.westos.com.

;; ADDITIONAL SECTION:
dns.westos.com.  86400 IN A 172.25.254.109

;; Query time: 0 msec
;; SERVER: 172.25.254.109#53(172.25.254.109)
;; WHEN: Wed Nov 30 09:29:09 EST 2016
;; MSG SIZE  rcvd: 109
(3)远程主机对dns的A记录修改
主dns设置
cp -p /var/named/westos.com.zone /mnt      ##备份到/mnt以便于恢复
vim /etc/named.rfc1912.zones
zone "westos.com" IN {
        type master;
        file "westos.com.zone";
        allow-update { 172.25.254.209; };   ##允许209 更新
        allow-transfer {172.25.254.209; };
        also-notify {172.25.254.209; };
};
chmod 770 /var/named/                      ##对/var/named组执行权限
systemctl restart named                    ##重启服务
辅助dns设置
[1]删除www.westos.com
[root@dns-slave slaves]# nsupdate
> server 172.25.254.109
> update delete www.westos.com
> send
> quit
测试结果
[root@dns-slave slaves]# dig www.westos.com

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> www.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 32405
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.westos.com.   IN A

;; AUTHORITY SECTION:
westos.com.  10800 IN SOA dns.westos.com. root.westos.com. 2016112902 86400 3600 604800 10800

;; Query time: 1 msec
;; SERVER: 172.25.254.109#53(172.25.254.109)
;; WHEN: Wed Nov 30 10:17:23 EST 2016
;; MSG SIZE  rcvd: 88
[2]添加www.westos.com
[root@dns-slave slaves]# nsupdate
> server 172.25.254.109
> update add www.westos.com 86400 A 172.25.254.160
> send
> quit
测试结果
[root@dns-slave slaves]# dig www.westos.com

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> www.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38963
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.westos.com.   IN A

;; ANSWER SECTION:
www.westos.com.  86400 IN A 172.25.254.160

;; AUTHORITY SECTION:
westos.com.  86400 IN NS dns.westos.com.

;; ADDITIONAL SECTION:
dns.westos.com.  86400 IN A 172.25.254.109

;; Query time: 0 msec
;; SERVER: 172.25.254.109#53(172.25.254.109)
;; WHEN: Wed Nov 30 10:19:31 EST 2016
;; MSG SIZE  rcvd: 93
恢复
主dns设置
[root@dns-server named]# rm -fr westos.com.zone.jnl westos.com.zone
[root@dns-server named]# cp /mnt/westos.com.zone /var/named/
(4)主机更新上锁
一般机子对主dns不可以修改A记录但对于有key的机子开放
[root@dns-server named]# cp -p /etc/rndc.key /etc/westos.key
[root@dns-server named]# cd /mnt
[root@dns-server mnt]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST westos
Kwestos.+157+24617   ##生成钥匙 -a是加密方式 -b是密码大小 -n是加密用户

[root@dns-server mnt]# scp /mnt/Kwestos.+157+24617.* [email protected]:/mnt
[email protected]'s password:
Kwestos.+157+24617.key                       100%   50     0.1KB/s   00:00   
Kwestos.+157+24617.private                   100%  165     0.2KB/s   00:00   

[root@dns-server mnt]# vim /etc/westos.key
key "westos" {
        algorithm hmac-md5;
        secret "Uk7EUpv4XDXQ5DEKhYnERA==";
};


[root@dns-server mnt]# vim /etc/named.conf
include "/etc/westos.key";
[root@dns-server mnt]# vim /etc/named.rfc1912.zones
zone "westos.com" IN {
        type master;
        file "westos.com.zone";
        allow-update { key westos; };   ##允许key westos 更新
};:
[root@dns-server mnt]# systemctl restart named
辅助dns操作
[root@dns-slave mnt]# nsupdate -k Kwestos.+157+24617.private
> server 172.25.254.109
> update add hello.westos.com 86400 A 172.25.254.160
> send
> quit
测试:
[root@dns-slave mnt]# dig hello.westos.com

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> hello.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18884
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;hello.westos.com.  IN A

;; ANSWER SECTION:
hello.westos.com. 86400 IN A 172.25.254.160

;; AUTHORITY SECTION:
westos.com.  86400 IN NS dns.westos.com.

;; ADDITIONAL SECTION:
dns.westos.com.  86400 IN A 172.25.254.109

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Dec 02 01:07:48 EST 2016
;; MSG SIZE  rcvd: 95

(5)ddns
ddns=dhcp+dns
动态dns需要dhcp与dns的协同工作
这里dns所需要的bind6以上的版本,以及dhcp需要3.0以上版本。在操作以前要把原来的westos.com.zone恢复,以免影响后续操作。
主dns设置
yum install dhcp -y
systemctl start dhcpd
systemctl stop firewalld
 setenforce 0
cp /usr/share/doc/dhcp-4.2.5/dhcpd.conf.example /etc/dhcp/dhcpd.conf
cp: overwrite ‘/etc/dhcp/dhcpd.conf’? yes
vim /etc/dhcp/dhcp.conf
option domain-name "westos.com";
##删除27,28行
ddns-update-style interim;
subnet 172.25.254.109 netmask 255.255.255.0 {
  range 172.25.254.110 172.25.254.120;
  option routers 172.25.254.109;
}
key westos {
        algorithm hmac-md5;
       secret Uk7EUpv4XDXQ5DEKhYnERA==;
};
zone westos.com. {
primary 127.0.0.1;
key westos
}
systemctl restart dhcpd
systemctl restart named
辅助dns上的设置
vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
TYPE=Ethernet
USERCTL=yes
PEERDNS=yes
IPV6INIT=no
PERSISTENT_DHCLIENT=1
systemctl restart network
配置完成后可以在机子上进行测试。