CentOS-based DNS master/slave server configuration and subdomain delegation

Introduction: as the title says, a master/slave setup means two servers; when the master fails and can no longer serve, the slave takes over and keeps answering queries.
Apart from their IP addresses, the two virtual machines have identical configuration.

  • OS: CentOS 7.6
  • IP addresses: 192.168.164.137 (master), 192.168.164.138 (slave)
  • DNS software: Bind 9.8
  • Test domain: 123.com

1. Define the slave zone configuration. The earlier environment setup is not repeated here; for the master server see the previous post, whose server is used as the master here.
Work on the slave virtual machine, whose IP address is 192.168.164.138.
(1) Add the following stanza to /etc/named.rfc1912.zones:
zone "123.com" IN {
        type slave;				// type slave: this is the secondary server
        file "slaves/123.com.zone";		// relative path of the zone file
        masters { 192.168.164.137; };		// IP address of the master server
};

(2) After the configuration is done, reload:

[root@localhost named]# rndc reload				// reload configuration and zones
[root@localhost named]# systemctl restart named.service 	// restart the service

// A slaves directory now appears under /var/named, and the zone file that previously existed only on the master is now present on the slave
[root@localhost named]# ls
data  dynamic  named.ca  named.empty  named.localhost  named.loopback  ops.123.com.zone  slaves
[root@localhost named]# cd slaves/
[root@localhost slaves]# ls
123.com.zone

(3) Test: query the slave for a name whose records live on the master

[root@localhost slaves]# dig -t A www.123.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -t A www.123.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64934
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.123.com.                   IN      A

;; ANSWER SECTION:
WWW.123.com.            3600    IN      A       192.168.164.137				// the name resolves to the master's IP address

;; AUTHORITY SECTION:
123.com.                3600    IN      NS      ns1.123.com.
123.com.                3600    IN      NS      ns2.123.com.

;; ADDITIONAL SECTION:
ns1.123.com.            3600    IN      A       192.168.164.137
ns2.123.com.            3600    IN      A       192.168.164.138

;; Query time: 0 msec
;; SERVER: 192.168.164.138#53(192.168.164.138)			// while the server answering the query is the slave
;; WHEN: Sat Mar 28 09:55:27 EDT 2020
;; MSG SIZE  rcvd: 128

(4) Now add a new A record on the master. Remember to bump the zone serial so that the slave picks up the change.
// On the master, add bbs.123.com with IP address 192.168.164.135

[root@xiaoping centos]# vi /var/named/123.com.zone                      
$TTL 3600
$ORIGIN 123.com.
@       IN      SOA     ns1.123.com.    admin.123.com. (
                202032703					; after adding the A record the serial must be increased, from ...02 to ...03
                1H
                10M
                3D
                1D )
        IN      NS      ns1
        IN      NS      ns2
ns2     IN      A       192.168.164.138
ns1     IN      A       192.168.164.137
WWW     IN      A       192.168.164.137
bbs     IN      A       192.168.164.135			; newly added bbs.123.com

(2) Query bbs.123.com on the master
[root@xiaoping centos]# dig -t A bbs.123.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -t A bbs.123.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44641
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bbs.123.com.                   IN      A

;; ANSWER SECTION:
bbs.123.com.            3600    IN      A       192.168.164.135				// a result is returned, all good

;; AUTHORITY SECTION:
123.com.                3600    IN      NS      ns2.123.com.
123.com.                3600    IN      NS      ns1.123.com.

;; ADDITIONAL SECTION:
ns1.123.com.            3600    IN      A       192.168.164.137
ns2.123.com.            3600    IN      A       192.168.164.138

;; Query time: 0 msec
;; SERVER: 192.168.164.137#53(192.168.164.137)
;; WHEN: Sat Mar 28 21:24:39 CST 2020
;; MSG SIZE  rcvd: 124

(3) Query bbs.123.com on the slave: the lookup fails because the slave has not updated yet
[root@localhost named]# dig -t A bbs.123.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -t A bbs.123.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22208
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bbs.123.com.                   IN      A					// not found, the lookup fails

;; AUTHORITY SECTION:
123.com.                3600    IN      SOA     ns1.123.com. admin.123.com. 202032702 3600 600 259200 86400

;; Query time: 0 msec
;; SERVER: 192.168.164.138#53(192.168.164.138)
;; WHEN: Sat Mar 28 09:26:17 EDT 2020
;; MSG SIZE  rcvd: 86

(4) Back on the master, reload and then check the named status; note the last few lines
[root@xiaoping centos]# rndc reload	
[root@xiaoping centos]# systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-03-28 20:18:18 CST; 1h 4min ago
  Process: 11785 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
  Process: 11801 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 11798 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 11803 (named)
    Tasks: 5
   Memory: 148.9M
   CGroup: /system.slice/named.service
           └─11803 /usr/sbin/named -u named -c /etc/named.conf

Mar 28 21:15:29 xiaoping named[11803]: network unreachable resolving './NS/IN': 2001:dc3::35#53
Mar 28 21:15:29 xiaoping named[11803]: network unreachable resolving './DNSKEY/IN': 2001:500:2f::f#53
Mar 28 21:15:29 xiaoping named[11803]: network unreachable resolving './NS/IN': 2001:500:2f::f#53
Mar 28 21:15:29 xiaoping named[11803]: network unreachable resolving './DNSKEY/IN': 2001:7fd::1#53
Mar 28 21:15:29 xiaoping named[11803]: network unreachable resolving './NS/IN': 2001:7fd::1#53
Mar 28 21:15:29 xiaoping named[11803]: network unreachable resolving './DNSKEY/IN': 2001:500:9f::42#53
Mar 28 21:15:29 xiaoping named[11803]: network unreachable resolving './NS/IN': 2001:500:9f::42#53
Mar 28 21:15:29 xiaoping named[11803]: zone 123.com/IN: sending notifies (serial 202032703)					// as soon as the zone file update was detected, notifies are sent to the slave; now we can look at the slave
Mar 28 21:15:39 xiaoping named[11803]: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out
Mar 28 21:15:39 xiaoping named[11803]: resolver priming query complete
Hint: Some lines were ellipsized, use -l to show in full.

(5) Check the status on the slave, again looking at the last few lines
[root@localhost named]# systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-03-28 09:22:10 EDT; 5min ago
  Process: 11054 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
  Process: 8539 ExecReload=/bin/sh -c /usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
  Process: 11070 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 11067 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 11072 (named)
    Tasks: 5
   CGroup: /system.slice/named.service
           └─11072 /usr/sbin/named -u named -c /etc/named.conf

Mar 28 09:24:11 localhost.localdomain named[11072]: all zones loaded
Mar 28 09:24:11 localhost.localdomain named[11072]: running
Mar 28 09:24:21 localhost.localdomain named[11072]: managed-keys-zone: Unable to fetch DNSKEY set...ut
Mar 28 09:24:21 localhost.localdomain named[11072]: resolver priming query complete
Mar 28 09:27:19 localhost.localdomain named[11072]: zone 123.com/IN: Transfer started.					// transfer started, so the notify has been received; with network problems this notify may be delayed
Mar 28 09:27:19 localhost.localdomain named[11072]: transfer of '123.com/IN' from 192.168.164.137...66			// the 123.com zone coming from 192.168.164.137
Mar 28 09:27:19 localhost.localdomain named[11072]: zone 123.com/IN: transferred serial 202032703			// zone 123.com now has serial 202032703, the same as we saw on the master
Mar 28 09:27:19 localhost.localdomain named[11072]: transfer of '123.com/IN' from 192.168.164.137...ss
Mar 28 09:27:19 localhost.localdomain named[11072]: transfer of '123.com/IN' from 192.168.164.137...c)
Mar 28 09:27:19 localhost.localdomain named[11072]: zone 123.com/IN: sending notifies (serial 202...3)
Hint: Some lines were ellipsized, use -l to show in full.

(6) After the slave has updated, query bbs.123.com again
[root@localhost named]# dig -t A bbs.123.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -t A bbs.123.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47160
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bbs.123.com.                   IN      A

;; ANSWER SECTION:
bbs.123.com.            3600    IN      A       192.168.164.135				// the same result as the query on the master

;; AUTHORITY SECTION:
123.com.                3600    IN      NS      ns2.123.com.
123.com.                3600    IN      NS      ns1.123.com.

;; ADDITIONAL SECTION:
ns1.123.com.            3600    IN      A       192.168.164.137
ns2.123.com.            3600    IN      A       192.168.164.138

;; Query time: 0 msec
;; SERVER: 192.168.164.138#53(192.168.164.138)			// this is the result of the query on the slave
;; WHEN: Sat Mar 28 09:28:06 EDT 2020
;; MSG SIZE  rcvd: 124
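Both the serial bump above and the "slave not yet updated" state (the NXDOMAIN answer whose AUTHORITY section still carries serial 202032702) come down to the SOA serial. The following Python script is an added example, not code from this post: it extracts the serial from dig output taken on the master and on the slave, compares them with RFC 1982 serial arithmetic (the rule the slave applies when deciding whether the master's copy is newer), and computes a safe next serial. The dig excerpts embedded in it are constructed copies of the outputs shown above; the YYYYMMDDnn convention in next_serial is an assumption (the post's own serials, such as 202032703, omit zero padding, which works as long as the number keeps increasing).

```python
import re

# Constructed input: abbreviated copies of the dig answers shown on this page.
# The master reports serial 202032703 after the bump; before the transfer the
# slave still reports 202032702 in the SOA of its NXDOMAIN answer.
MASTER_DIG = """\
;; ANSWER SECTION:
123.com.                3600    IN      SOA     ns1.123.com. admin.123.com. 202032703 3600 600 259200 86400
"""
SLAVE_DIG_BEFORE = """\
;; AUTHORITY SECTION:
123.com.                3600    IN      SOA     ns1.123.com. admin.123.com. 202032702 3600 600 259200 86400
"""
SLAVE_DIG_AFTER = """\
;; ANSWER SECTION:
123.com.                3600    IN      SOA     ns1.123.com. admin.123.com. 202032703 3600 600 259200 86400
"""

# owner  TTL  IN  SOA  mname  rname  serial ...
SOA_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SOA\s+\S+\s+\S+\s+(\d+)\s+", re.M)

def soa_serial(dig_output: str) -> int:
    """Return the SOA serial from dig output, whether the SOA sits in the ANSWER
    section (a direct SOA query) or in AUTHORITY (as in an NXDOMAIN answer)."""
    m = SOA_RE.search(dig_output)
    if not m:
        raise ValueError("no SOA record found in dig output")
    return int(m.group(2))

HALF = 1 << 31  # half the 32-bit serial space (RFC 1982)

def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial-number arithmetic: is a 'greater than' b?  A slave only
    transfers when the master's serial is greater in this sense, so a serial
    that wraps or is set back by more than 2^31 looks *older* to the slave."""
    a, b = a & 0xFFFFFFFF, b & 0xFFFFFFFF
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)

def slave_in_sync(master_output: str, slave_output: str) -> dict:
    """Compare the serials seen on master and slave; 'slave_behind' means a
    transfer is still pending (or notify/transfer is broken if it stays so)."""
    m, s = soa_serial(master_output), soa_serial(slave_output)
    return {"master": m, "slave": s, "in_sync": m == s, "slave_behind": serial_gt(m, s)}

def next_serial(current: int, today: str) -> int:
    """Next serial in the (assumed) YYYYMMDDnn convention: today's date + 01 if
    that is greater than the current serial, otherwise current + 1 (several
    edits on one day, or a serial that already ran ahead of the calendar)."""
    candidate = int(today + "01")
    return candidate if serial_gt(candidate, current) else (current + 1) & 0xFFFFFFFF

if __name__ == "__main__":
    print("before transfer:", slave_in_sync(MASTER_DIG, SLAVE_DIG_BEFORE))
    print("after transfer: ", slave_in_sync(MASTER_DIG, SLAVE_DIG_AFTER))
    print("next serial after 202032703 on 2020-03-28:", next_serial(202032703, "20200328"))
```

In practice the two inputs come from `dig @192.168.164.137 123.com SOA +norecurse` and the same query against 192.168.164.138, run periodically from a monitoring host. An ordinary SOA query is answered even when the master's zone stanza restricts zone transfers with `allow-transfer` to the slave's address, which is the usual way to stop other hosts from pulling the whole zone by AXFR; the post's slave stanza needs no change for that, only the master's zone stanza does.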

Subdomain delegation: the parent-domain host is 192.168.164.141 with domain 123.com;
the subdomain host is 192.168.164.138 with domain ops.123.com.

(1) In the parent domain's forward zone, add the NS record delegating the subdomain ops.123.com
[root@localhost named]# vi 123.com.zone 
$TTL 3600
$ORIGIN 123.com.
@       IN      SOA     ns1.123.com.    admin.123.com. (
                202042302

                1H
                10M
                3D
                1D )
        IN      NS      ns1
ns1     IN      A       192.168.164.141
WWW     IN      A       192.168.164.141

ops     IN      NS      ns1.ops				; NS record for ops
ns1.ops IN      A       192.168.164.138		; glue A record pointing to the subdomain host 192.168.164.138

(2) Configure the host 192.168.164.138 as the master server for the subdomain ops.123.com

[root@localhost named]# vi /etc/named.rfc1912.zones		// add the following stanza to /etc/named.rfc1912.zones
zone "ops.123.com" IN {
        type master;
        file "ops.123.com.zone";
        allow-update { none; };
};

// Add the zone file for the subdomain ops.123.com
[root@localhost named]# vi ops.123.com.zone 
$TTL 3600
$ORIGIN ops.123.com.
@       IN      SOA     ns1.ops.123.com.    admin.ops.123.com. (
                202042302

                1H
                10M
                3D
                1D )
        IN      NS      ns1
ns1     IN      A       192.168.164.138
WWW     IN      A       192.168.164.138
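A delegation only works when the parent's NS record and glue agree with what the child zone itself publishes; if the subdomain host is later renumbered and the parent's glue is not updated, the result is a lame delegation that is easy to miss because each server still answers its own queries. The Python script below is an added example and not part of this post: it parses the two zone files shown above (copied into the script as constructed input) with a small parser for exactly the subset of zone-file syntax they use, then reports any NS or glue mismatch between parent and child. The 192.168.164.139 address in the stale variant is hypothetical.

```python
# Constructed input: copies of the parent (123.com) and child (ops.123.com) zone
# files shown on this page, with ';' zone-file comments added for the parser.
PARENT_ZONE = """\
$TTL 3600
$ORIGIN 123.com.
@       IN      SOA     ns1.123.com.    admin.123.com. (
                202042302
                1H
                10M
                3D
                1D )
        IN      NS      ns1
ns1     IN      A       192.168.164.141
WWW     IN      A       192.168.164.141

ops     IN      NS      ns1.ops            ; delegation to the subdomain
ns1.ops IN      A       192.168.164.138    ; glue for the in-bailiwick name server
"""
CHILD_ZONE = """\
$TTL 3600
$ORIGIN ops.123.com.
@       IN      SOA     ns1.ops.123.com.    admin.ops.123.com. (
                202042302
                1H
                10M
                3D
                1D )
        IN      NS      ns1
ns1     IN      A       192.168.164.138
WWW     IN      A       192.168.164.138
"""
# Constructed variant: subdomain host renumbered (hypothetical .139) but the
# parent's glue was never updated, the classic stale-delegation mistake.
PARENT_STALE_GLUE = PARENT_ZONE.replace("ns1.ops IN      A       192.168.164.138",
                                        "ns1.ops IN      A       192.168.164.139")

def parse_zone(text):
    """Minimal parser for the zone-file subset used on this page: $TTL, $ORIGIN,
    '@', owner inherited from the previous record, optional TTL/class fields,
    ';' comments and parenthesised multi-line SOA records.  Returns a list of
    (owner_fqdn, type, rdata_fields) with names lower-cased and fully qualified."""
    logical, buf, depth = [], "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()           # strip comments
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf = (buf + " " + line.strip()) if buf else line  # join continuation lines
        if depth == 0:
            logical.append(buf)
            buf = ""
    origin, last_owner, records = ".", "@", []

    def fqdn(name):
        if name == "@":
            return origin
        return name if name.endswith(".") else f"{name}.{origin}"

    for line in logical:
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0] == "$TTL":
            continue
        owner = last_owner if line[0].isspace() else fields.pop(0)
        if fields and fields[0].isdigit():              # optional TTL
            fields.pop(0)
        if fields and fields[0].upper() == "IN":        # optional class
            fields.pop(0)
        rtype = fields[0].upper()
        rdata = [t for t in fields[1:] if t not in ("(", ")")]
        if rtype in ("NS", "CNAME", "SOA"):             # name-valued rdata fields
            n = 2 if rtype == "SOA" else 1
            rdata[:n] = [fqdn(t).lower() for t in rdata[:n]]
        records.append((fqdn(owner).lower(), rtype, rdata))
        last_owner = owner
    return records

def check_delegation(parent, child, child_apex):
    """Compare the parent's delegation (NS set plus glue) with the child's apex data."""
    child_apex = child_apex.lower()
    parent_ns = {r[0] for o, t, r in parent if o == child_apex and t == "NS"}
    child_ns = {r[0] for o, t, r in child if o == child_apex and t == "NS"}
    problems = []
    if not parent_ns:
        problems.append(f"parent zone has no NS records for {child_apex}")
    elif parent_ns != child_ns:
        problems.append(f"NS set differs: parent {sorted(parent_ns)} vs child {sorted(child_ns)}")
    for ns in sorted(parent_ns):
        if not ns.endswith("." + child_apex):
            continue                                    # out-of-bailiwick NS needs no glue
        glue = {r[0] for o, t, r in parent if o == ns and t == "A"}
        child_a = {r[0] for o, t, r in child if o == ns and t == "A"}
        if not glue:
            problems.append(f"missing glue A record for {ns} in parent zone")
        elif glue != child_a:
            problems.append(f"glue for {ns} is {sorted(glue)} but child publishes {sorted(child_a)}")
    return problems

if __name__ == "__main__":
    child = parse_zone(CHILD_ZONE)
    print("page zones:", check_delegation(parse_zone(PARENT_ZONE), child, "ops.123.com.") or "OK")
    print("stale glue:", check_delegation(parse_zone(PARENT_STALE_GLUE), child, "ops.123.com."))
```

The parser deliberately handles only what these two files contain; for production zones, `named-checkzone` remains the right syntax check, and this script is the cross-zone consistency check that `named-checkzone` does not do, since it sees one zone at a time.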

(3) Test
Resolve ns1.ops.123.com from the subdomain server

[root@localhost named]# dig -t A ns1.ops.123.com		// the subdomain's own name server

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -t A ns1.ops.123.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65092
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns1.ops.123.com.               IN      A

;; ANSWER SECTION:
ns1.ops.123.com.        3600    IN      A       192.168.164.138

;; AUTHORITY SECTION:
ops.123.com.            3600    IN      NS      ns1.ops.123.com.

;; Query time: 0 msec
;; SERVER: 192.168.164.138#53(192.168.164.138)
;; WHEN: Thu Apr 23 04:48:45 EDT 2020
;; MSG SIZE  rcvd: 74

Resolve the parent domain's ns1.123.com from the subdomain server
[root@localhost named]# dig -t A ns1.123.com    

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -t A ns1.123.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49263
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns1.123.com.                   IN      A

;; ANSWER SECTION:
ns1.123.com.            824     IN      A       192.168.164.141

;; Query time: 0 msec
;; SERVER: 192.168.164.138#53(192.168.164.138)
;; WHEN: Thu Apr 23 04:51:02 EDT 2020
;; MSG SIZE  rcvd: 56

(4) Resolve the subdomain from the parent server

[root@localhost named]# dig -t A ns1.ops.123.com          

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -t A ns1.ops.123.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22563
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns1.ops.123.com.               IN      A

;; ANSWER SECTION:
ns1.ops.123.com.        2524    IN      A       192.168.164.138

;; AUTHORITY SECTION:
ops.123.com.            2524    IN      NS      ns1.ops.123.com.

;; Query time: 0 msec
;; SERVER: 192.168.164.141#53(192.168.164.141)
;; WHEN: Thu Apr 23 16:51:41 CST 2020
;; MSG SIZE  rcvd: 74

Resolve ns1.123.com of the parent domain 123.com from the parent server
[root@localhost named]# dig -t A ns1.123.com    

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -t A ns1.123.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55895
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns1.123.com.                   IN      A

;; ANSWER SECTION:
ns1.123.com.            3600    IN      A       192.168.164.141

;; AUTHORITY SECTION:
123.com.                3600    IN      NS      ns1.123.com.

;; Query time: 0 msec
;; SERVER: 192.168.164.141#53(192.168.164.141)
;; WHEN: Thu Apr 23 16:52:18 CST 2020
;; MSG SIZE  rcvd: 70

Define a forward zone. This is configured on the subdomain server: when a name the subdomain server does not hold is queried, it forwards the query to another host; here we forward to the parent domain's server.

// define the forward zone
[root@localhost named]# vi /etc/named.rfc1912.zones
zone "123.com" IN {
        type forward;
        forward only;
        forwarders { 192.168.164.141; };
};
Once that is done, run rndc reload.
