[1. Secondary DNS, DNS cluster]
One server cannot keep up with a large volume of queries, so add a secondary (slave) DNS server.
First set up the environment:
vim /etc/sysconfig/network-scripts/ifcfg-eth0
hostnamectl set-hostname server-dns.example.com
vim /etc/yum.repos.d/rhel_dvd.repo
reboot
yum clean all
yum install bind -y                            (install the service)
firewall-cmd --permanent --add-service=dns     (add dns to the services the firewall allows)
firewall-cmd --reload                          (reload the rules)
Primary DNS:
vim /etc/named.conf
listen-on port 53 { any; };
allow-query { any; };
dnssec-validation no;
vim /etc/named.rfc1912.zones
zone "logo.com" IN {
    type master;
    file "logo.com.zone";
    allow-update { none; };
    allow-transfer { 172.25.254.249; };    (who is allowed to transfer, i.e. sync, the zone: 172.25.254.249)
};
Secondary DNS:
vim /etc/resolv.conf
# Generated by NetworkManager
search example.com
nameserver 172.25.254.249
vim /etc/named.conf
listen-on port 53 { any; };
allow-query { any; };
dnssec-validation no;
vim /etc/named.rfc1912.zones
zone "logo.com" IN {
    type slave;
    file "slaves/logo.com.zone";
    allow-update { none; };
    masters { 172.25.254.249; };
};
ll /var/named/        (check that the transferred zone copy appears under slaves/)
Test:
systemctl restart named     ** on the server
dig www.logo.com            ** on the desktop
;; QUESTION SECTION:
;www.logo.com. IN A
;; ANSWER SECTION:
www.logo.com. 86400 IN A 172.25.254.155
;; AUTHORITY SECTION:
logo.com. 86400 IN NS dns.logo.com.
;; ADDITIONAL SECTION:
dns.logo.com. 86400 IN A 172.25.254.149
;; Query time: 0 msec
;; SERVER: 172.25.254.249#53(172.25.254.249)
;; WHEN: Thu Dec 01 01:05:40 EST 2016
;; MSG SIZE rcvd: 91
[2. Automatic DNS synchronisation]
Primary DNS:
vim /etc/named.rfc1912.zones
zone "logo.com" IN {
    type master;
    file "logo.com.zone";
    allow-update { none; };
    allow-transfer { 172.25.254.249; };    (who may transfer the zone)
    also-notify { 172.25.254.249; };       (who is notified when the zone file changes: 172.25.254.249)
};
cp -p named.localhost logo.com.zone
vim logo.com.zone        (edit the zone file; note the trailing dot on the SOA name server, otherwise logo.com. is appended to it)
$TTL 1D
@   IN SOA dns.logo.com. root.logo.com. (
        2016120101 ; serial
        1D         ; refresh
        1H         ; retry
        1W         ; expire
        3H )       ; minimum
    NS  dns.logo.com.
dns A   172.25.254.149
www A   172.25.254.155
systemctl restart named
Client side: no changes.
Test: run dig www.logo.com on both sides; the results are:
Client (desktop):
;; ANSWER SECTION:
www.logo.com. 86400 IN A 172.25.254.155
;; AUTHORITY SECTION:
logo.com. 86400 IN NS dns.logo.com.
;; ADDITIONAL SECTION:
dns.logo.com. 86400 IN A 172.25.254.149
Primary DNS (server):
;; Query time: 0 msec
;; SERVER: 172.25.254.249#53(172.25.254.249)
;; ANSWER SECTION:
www.logo.com. 86400 IN A 172.25.254.155
;; AUTHORITY SECTION:
logo.com. 86400 IN NS dns.logo.com.
;; ADDITIONAL SECTION:
dns.logo.com. 86400 IN A 172.25.254.149
;; Query time: 0 msec
;; SERVER: 172.25.254.149#53(172.25.254.49)
The DNS servers now stay in sync. Every time the contents of logo.com.zone are changed, the serial value (2016120101) must be raised accordingly, because the secondary only transfers the zone when it sees a higher serial than the one it holds.
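As an added example (not part of the original notes), a small POSIX shell helper that bumps the YYYYMMDDNN serial of a zone file such as logo.com.zone before named is restarted, so the secondary actually pulls the new zone. It assumes the serial sits on its own line followed by the "; serial" comment as in the zone file above, and it refuses to wrap once the 99 edit slots for one date are used up.

```shell
#!/bin/sh
# Added example, not from the original notes: bump the SOA serial of a
# BIND zone file written in YYYYMMDDNN form.  The secondary only does a
# zone transfer when it sees a serial higher than the one it holds, so
# forgetting this step silently leaves the two servers out of sync.
# Assumes the serial sits on its own line followed by "; serial", as in
# the logo.com.zone above.

# next_serial OLD TODAY -> print the serial to use for an edit made TODAY.
# Fails (exit 1) when the 99 per-day slots for OLD's date are used up.
next_serial() {
    old=$1; today=$2
    date_part=${old%??}            # strip the two-digit edit counter
    if [ "$date_part" -lt "$today" ]; then
        echo "${today}01"          # first edit on a new day
    elif [ "$old" -ge "${date_part}99" ]; then
        echo "serial $old: no more slots for date $date_part" >&2
        return 1
    else
        echo $((old + 1))          # same day (or clock behind): count up
    fi
}

# bump_zone_file FILE TODAY -> rewrite FILE in place and print the new serial.
bump_zone_file() {
    file=$1; today=$2
    old=$(awk '/; *serial/ { print $1; exit }' "$file")
    case $old in
        ""|*[!0-9]*) echo "no numeric serial line in $file" >&2; return 1 ;;
    esac
    new=$(next_serial "$old" "$today") || return 1
    # Replace only the serial number itself so indentation and comments survive.
    awk -v o="$old" -v n="$new" \
        '/; *serial/ && $1 == o { sub(o, n) } { print }' \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file" || return 1
    echo "$new"
}

# Usage on the primary: bump_zone_file /var/named/logo.com.zone "$(date +%Y%m%d)"
# and then systemctl restart named (or rndc reload logo.com).
if [ -n "${1:-}" ]; then
    bump_zone_file "$1" "$(date +%Y%m%d)"
fi
```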
[3. Remote DNS updates]
DNS server:
vim /etc/named.rfc1912.zones
zone "logo.com" IN {
    type master;
    file "logo.com.zone";
    allow-update { 172.25.254.249; };      (who may update the zone; here decided by source IP only)
    allow-transfer { 172.25.254.249; };    (who may transfer the zone)
    also-notify { 172.25.254.249; };       (who is notified when the zone file changes: 172.25.254.249)
};
cp -p /var/named/logo.com.zone /mnt/logo.com.zone     (keep a backup of the zone file)
chmod 770 /var/named
Client:
nsupdate
> server 172.25.254.149
> update delete www.logo.com
> send
> update add www.logo.com 86400 A 172.25.254.149
> send
> quit
86400 is the TTL: the record is kept for one day, i.e. 86400 seconds.
Restore the original:
rm -rf /var/named/logo.com.zone /var/named/logo.com.zone.jnl
cp -p /mnt/logo.com.zone /var/named/logo.com.zone
Then run systemctl restart named on the DNS server; if dig www.logo.com gives the same result as before the update experiment, the restore succeeded.
[4. Remote DNS updates with a key]
DNS server:
cp -p /etc/rndc.key /etc/logo.com      (use rndc.key as a template)
cd /mnt/
dnssec-keygen -a HMAC-MD5 -b 128 -n HOST logo
cat Klogo.+157+26907.key
cat Klogo.+157+26907.private
The .key and .private files hold the same secret: it is a symmetric key, so the same value is used on both sides.
vim /etc/logo.key
key "logo-key" {
    algorithm hmac-md5;
    secret "3L95hg5rzk7lsUCbVIUMZQ==";    (replace with the secret from /mnt/Klogo.+157+08237.private)
};
:wq
vim /etc/named.key
include "/etc/logo.key";     ** include the file that holds the key
scp /mnt/Klogo.+157+08237.* [email protected]:/mnt     (distribute the key to the client)
systemctl restart named
Client:
cd /mnt
nsupdate -k /mnt/Klogo.+157+08237.private