Bind Practice - Building master/slave DNS servers that resolve the yqc.com domain

Lab topology:

The domain is yqc.com; its hosts are on the 192.168.43.0/24 network.
The domain has one subdomain, ops.yqc.com, which must be delegated in the forward zone.

[Figure: lab topology for the DNS forward, reverse and master/slave setup]

Outline of the steps

  1. 192.168.43.101: build the forward-resolution service for yqc.com
  2. 192.168.43.102: build the reverse-resolution service for 43.168.192.in-addr.arpa
  3. 192.168.43.101: build the reverse-resolution slave server
  4. 192.168.43.102: build the forward-resolution slave server
  5. 192.168.43.103: build the forward-resolution service for the subdomain ops.yqc.com, and delegate the subdomain on the master DNS server
  6. 192.168.43.103: define forwarding on the subdomain DNS server
  7. Apply a basic security configuration to the DNS servers

Preparation

First, install the packages the DNS service needs on each server:

~]# yum -y install bind bind-libs bind-utils bind-chroot

After installation, turn off the options that are not needed in the main configuration file /etc/named.conf:
Disable DNSSEC

dnssec-enable no;
dnssec-validation no;
dnssec-lookaside no;

Comment out the line that restricts queries to localhost

//allow-query { localhost; }

Configure a crontab entry that syncs the clock with NTP periodically (master and slave servers need their clocks in sync)

I. Build the forward-resolution DNS master for yqc.com on 192.168.43.101

First, add the listen address 192.168.43.101 in the main configuration file /etc/named.conf

options {
        listen-on port 53 { 127.0.0.1;192.168.43.101; };

1. Define the zone

/etc/named.rfc1912.zones

zone "yqc.com" IN {
        type master;
        file "yqc.com.zone";
};

2. Create the zone data file

/var/named/yqc.com.zone

$TTL 3600
$ORIGIN yqc.com.
@       IN      SOA     ns1.yqc.com.    dnsadmin.yqc.com. (
                2018111301
                1H
                10M
                3D
                1D )
        IN      NS      ns1.yqc.com.
        IN      MX  10  mx1
ns1     IN      A       192.168.43.101
mx1     IN      A       192.168.43.101
CentOS7-node-01 IN      A       192.168.43.71
CentOS7-node-02 IN      A       192.168.43.72
node1   IN      CNAME   CentOS7-node-01
node2   IN      CNAME   CentOS7-node-02

3. Change the group and permissions of the zone data file

~]# chown root:named /var/named/yqc.com.zone
~]# chmod o= /var/named/yqc.com.zone

4. Check the configuration, then reload it or start the service

~]# named-checkconf
~]# named-checkzone yqc.com /var/named/yqc.com.zone
~]# rndc reload

If the named service is not running yet, start it directly

~]# systemctl start named.service

5. Test from a client with dig

~]# dig -t A node1.yqc.com @192.168.43.101

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A node1.yqc.com @192.168.43.101
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40545
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;node1.yqc.com.         IN  A

;; ANSWER SECTION:
node1.yqc.com.      3600    IN  CNAME   CentOS7-node-01.yqc.com.
CentOS7-node-01.yqc.com. 3600   IN  A   192.168.43.71

;; AUTHORITY SECTION:
yqc.com.        3600    IN  NS  ns1.yqc.com.

;; ADDITIONAL SECTION:
ns1.yqc.com.        3600    IN  A   192.168.43.101

;; Query time: 2 msec
;; SERVER: 192.168.43.101#53(192.168.43.101)
;; WHEN: Thu Nov 08 11:58:06 CST 2018
;; MSG SIZE  rcvd: 122

II. Build the reverse-resolution DNS master for 43.168.192.in-addr.arpa on 192.168.43.102

First, add the listen address 192.168.43.102 in the main configuration file /etc/named.conf

options {
        listen-on port 53 { 127.0.0.1;192.168.43.102; };

1. Define the reverse zone

/etc/named.rfc1912.zones

zone "43.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.43.zone";
};

2. Create the zone data file

/var/named/192.168.43.zone

$TTL 3600
$ORIGIN 43.168.192.in-addr.arpa.
@       IN      SOA     ns1.yqc.com.    dnsadmin.yqc.com. (
                2018111301
                1H
                10M
                3D
                1D )
        IN      NS      ns1.yqc.com.
101     IN      PTR     ns1.yqc.com.
        IN      PTR     mx1.yqc.com.
71      IN      PTR     CentOS7-node-01.yqc.com.
        IN      PTR     node1.yqc.com.
72      IN      PTR     CentOS7-node-02.yqc.com.
        IN      PTR     node2.yqc.com.
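The forward zone file /var/named/yqc.com.zone and the reverse zone file /var/named/192.168.43.zone describe the same hosts twice, and named-checkzone validates each file on its own without checking that they agree. The following Python script is an added example, not code from the original post: it parses constructed copies of both zone files (handling $ORIGIN, the parenthesised multi-line SOA and owner-name inheritance from the previous line) and reports every A record that lacks a PTR and every PTR whose target has no A record for that address. Run against this lab's data it finds that the PTRs for node1 and node2 point at names that only exist as CNAMEs, which RFC 1912 advises against.

```python
"""Cross-check the yqc.com forward zone against the 43.168.192.in-addr.arpa
reverse zone (added example, not part of the original post)."""
import re
from collections import defaultdict

# Constructed copies of the two zone files from this lab (SOA timers folded).
FORWARD_ZONE = """\
$TTL 3600
$ORIGIN yqc.com.
@       IN      SOA     ns1.yqc.com.    dnsadmin.yqc.com. (
                2018111301
                1H 10M 3D 1D )
        IN      NS      ns1.yqc.com.
        IN      MX  10  mx1
ns1     IN      A       192.168.43.101
mx1     IN      A       192.168.43.101
CentOS7-node-01 IN      A       192.168.43.71
CentOS7-node-02 IN      A       192.168.43.72
node1   IN      CNAME   CentOS7-node-01
node2   IN      CNAME   CentOS7-node-02
"""
REVERSE_ZONE = """\
$TTL 3600
$ORIGIN 43.168.192.in-addr.arpa.
@       IN      SOA     ns1.yqc.com.    dnsadmin.yqc.com. (
                2018111301 1H 10M 3D 1D )
        IN      NS      ns1.yqc.com.
101     IN      PTR     ns1.yqc.com.
        IN      PTR     mx1.yqc.com.
71      IN      PTR     CentOS7-node-01.yqc.com.
        IN      PTR     node1.yqc.com.
72      IN      PTR     CentOS7-node-02.yqc.com.
        IN      PTR     node2.yqc.com.
"""
RECORD_TYPES = {"SOA", "NS", "MX", "A", "CNAME", "PTR"}


def absolute(name, origin):
    """Make a zone-file owner or target fully qualified."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return (owner, type, rdata) tuples; handles $ORIGIN, the parenthesised
    multi-line SOA and owner inheritance (only the syntax used in this lab)."""
    text = re.sub(r"\([^)]*\)", lambda m: m.group(0).replace("\n", " "), text)
    origin, owner, records = ".", None, []
    for line in text.splitlines():
        line = line.split(";")[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
        if line.startswith("$"):                    # $ORIGIN / $TTL handled
            continue
        fields = line.split()
        if line[0] not in " \t":                    # new owner, else inherit
            owner = absolute(fields.pop(0), origin)
        while fields[0] not in RECORD_TYPES:        # skip optional TTL / class
            fields.pop(0)
        rtype = fields.pop(0)
        if rtype in ("CNAME", "PTR"):               # name targets get qualified
            rdata = absolute(fields[-1], origin)
        else:
            rdata = " ".join(fields)
        records.append((owner, rtype, rdata))
    return records


def ptr_owner(ip):
    """Owner name of the PTR record for an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def cross_check(forward_text, reverse_text):
    """Report A records with no PTR and PTRs whose target has no A record for
    that address; a PTR naming a CNAME is flagged (RFC 1912 expects PTRs to
    point at the canonical host name)."""
    a_by_name, cnames, ptrs = defaultdict(set), set(), defaultdict(set)
    for owner, rtype, rdata in parse_zone(forward_text):
        if rtype == "A":
            a_by_name[owner].add(rdata)
        elif rtype == "CNAME":
            cnames.add(owner)
    for owner, rtype, rdata in parse_zone(reverse_text):
        if rtype == "PTR":
            ptrs[owner].add(rdata)
    a_without_ptr = sorted(
        f"{name} -> {ip}" for name, ips in a_by_name.items() for ip in ips
        if name not in ptrs.get(ptr_owner(ip), ()))
    ptr_without_a = sorted(
        f"{owner} -> {target}" + (" (target is a CNAME)" if target in cnames else "")
        for owner, targets in ptrs.items() for target in targets
        if not any(ptr_owner(ip) == owner for ip in a_by_name.get(target, ())))
    return {"a_without_ptr": a_without_ptr, "ptr_without_a": ptr_without_a}
```

The parser covers only the record types and layout used in these two files; for real zones, feed the checker the canonical output of named-compilezone rather than the hand-written file, so that $INCLUDE, $GENERATE and odd whitespace have already been resolved.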

3. Change the group and permissions of the zone data file

~]# chown root:named /var/named/192.168.43.zone
~]# chmod o= /var/named/192.168.43.zone

4. Check the configuration, then reload it or start the service

~]# named-checkconf
~]# named-checkzone 43.168.192.in-addr.arpa /var/named/192.168.43.zone
~]# rndc reload

If the named service is not running yet, start it directly

~]# systemctl start named.service

5. Test from a client with dig

~]# dig -x 192.168.43.72 @192.168.43.102

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -x 192.168.43.72 @192.168.43.102
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16357
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;72.43.168.192.in-addr.arpa.    IN  PTR

;; ANSWER SECTION:
72.43.168.192.in-addr.arpa. 3600 IN PTR node2.yqc.com.
72.43.168.192.in-addr.arpa. 3600 IN PTR CentOS7-node-02.yqc.com.

;; AUTHORITY SECTION:
43.168.192.in-addr.arpa. 3600   IN  NS  ns1.yqc.com.

;; Query time: 1 msec
;; SERVER: 192.168.43.102#53(192.168.43.102)
;; WHEN: Thu Nov 08 17:53:46 CST 2018
;; MSG SIZE  rcvd: 130

III. Build the reverse-resolution DNS slave for 43.168.192.in-addr.arpa on 192.168.43.101

Configuration on the slave (192.168.43.101)

1. Define a slave zone

/etc/named.rfc1912.zones

zone "43.168.192.in-addr.arpa" IN {
        type slave;
        file "slaves/192.168.43.zone";
        masters { 192.168.43.102; };
};

2. Check and reload the configuration

~]# named-checkconf
~]# rndc reload

Configuration on the master (192.168.43.102)

1. Add the slave server's NS and PTR records to the zone data file (remember to increment the serial number)

$TTL 3600
$ORIGIN 43.168.192.in-addr.arpa.
@       IN      SOA     ns1.yqc.com.    dnsadmin.yqc.com. (
                2018111302
                1H
                10M
                3D
                1D )
        IN      NS      ns1.yqc.com.
        IN      NS      ns2.yqc.com.
101     IN      PTR     ns1.yqc.com.
        IN      PTR     mx1.yqc.com.
102     IN      PTR     ns2.yqc.com.
        IN      PTR     mx2.yqc.com.
71      IN      PTR     CentOS7-node-01.yqc.com.
        IN      PTR     node1.yqc.com.
72      IN      PTR     CentOS7-node-02.yqc.com.
        IN      PTR     node2.yqc.com.

The changes are these:

...
                2018111302
...
        IN      NS      ns2.yqc.com.
...
102     IN      PTR     ns2.yqc.com.
        IN      PTR     mx2.yqc.com.
...

2. Check and reload the configuration

~]# named-checkzone 43.168.192.in-addr.arpa /var/named/192.168.43.zone
~]# rndc reload

Test from a client with dig

Check whether the reverse-resolution slave 192.168.43.101 can answer reverse queries:

~]# dig -x 192.168.43.71 @192.168.43.101

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -x 192.168.43.71 @192.168.43.101
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1910
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;71.43.168.192.in-addr.arpa.    IN  PTR

;; ANSWER SECTION:
71.43.168.192.in-addr.arpa. 3600 IN PTR node1.yqc.com.
71.43.168.192.in-addr.arpa. 3600 IN PTR CentOS7-node-01.yqc.com.

;; AUTHORITY SECTION:
43.168.192.in-addr.arpa. 3600   IN  NS  ns1.yqc.com.

;; ADDITIONAL SECTION:
ns1.yqc.com.        3600    IN  A   192.168.43.101

;; Query time: 2 msec
;; SERVER: 192.168.43.101#53(192.168.43.101)
;; WHEN: Thu Nov 08 13:45:18 CST 2018
;; MSG SIZE  rcvd: 146

IV. Build the forward-resolution DNS slave for yqc.com on 192.168.43.102

Configuration on the slave (192.168.43.102)

1. Define a slave zone

/etc/named.rfc1912.zones

zone "yqc.com" IN {
        type slave;
        file "slaves/yqc.com.zone";
        masters { 192.168.43.101; };
};

2. Check and reload the configuration

~]# named-checkconf
~]# rndc reload

Configuration on the master (192.168.43.101)

1. Add the slave server's NS and A records to the zone data file (remember to increment the serial number)

$TTL 3600
$ORIGIN yqc.com.
@       IN      SOA     ns1.yqc.com.    dnsadmin.yqc.com. (
                2018111302
                1H
                10M
                3D
                1D )
        IN      NS      ns1.yqc.com.
        IN      NS      ns2.yqc.com.
        IN      MX  10  mx1
ns1     IN      A       192.168.43.101
mx1     IN      A       192.168.43.101
ns2     IN      A       192.168.43.102
CentOS7-node-01 IN      A       192.168.43.71
CentOS7-node-02 IN      A       192.168.43.72
node1   IN      CNAME   CentOS7-node-01
node2   IN      CNAME   CentOS7-node-02

The changes are these:

...
                2018111302
...
        IN      NS      ns2.yqc.com.
...
ns2     IN      A       192.168.43.102
...

2. Check and reload the configuration

~]# named-checkzone yqc.com /var/named/yqc.com.zone
~]# rndc reload
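Both master-side edits above (adding ns2 to /var/named/192.168.43.zone and to /var/named/yqc.com.zone) only reach the slave because the serial was raised: a slave compares the master's SOA serial with its own and transfers nothing unless the master's is larger. The following Python code is an added example, not part of the original post. It computes the next serial in the YYYYMMDDnn convention these zone files use, rewrites it inside the SOA of a constructed zone excerpt, and shows the RFC 1982 comparison a slave applies. Refusing more than 99 edits per day and refusing a future-dated serial are my own safety choices, not BIND behaviour.

```python
"""Serial handling for the master-side edits (added example, not part of the
original post).  Serials on this page follow the YYYYMMDDnn convention, so
'increment' means nn+1 on the same day and nn=01 on a new day; the slave
transfers only when it sees a larger serial."""
import datetime
import re


def next_serial(current, today=None):
    """Return the next YYYYMMDDnn serial after `current`.  `today` may be a
    date or a 'YYYYMMDD' string (defaults to the real date).  Refusing more
    than 99 edits a day and future-dated serials is my own safety choice:
    either would yield a serial that is not larger, and the slaves would
    quietly keep serving the old zone."""
    if not isinstance(today, str):
        today = (today or datetime.date.today()).strftime("%Y%m%d")
    cur = str(current)
    if len(cur) != 10 or not cur.isdigit():
        raise ValueError(f"{current!r} is not a YYYYMMDDnn serial")
    cur_day, cur_rev = cur[:8], int(cur[8:])
    if cur_day > today:
        raise ValueError(f"serial {current} is dated after today ({today})")
    if cur_day < today:
        return int(today + "01")
    if cur_rev >= 99:
        raise ValueError("more than 99 zone edits on one day")
    return int(f"{today}{cur_rev + 1:02d}")


def slave_will_transfer(master_serial, slave_serial):
    """RFC 1982 comparison a slave applies: transfer only when the master's
    serial is 'greater' in 32-bit wrap-around arithmetic."""
    diff = (master_serial - slave_serial) % (1 << 32)
    return 0 < diff < (1 << 31)


SOA_SERIAL = re.compile(r"(SOA[^(]*\(\s*)(\d{10})")


def bump_zone_serial(zone_text, today=None):
    """Return (new_text, new_serial), rewriting the first number inside the
    SOA parentheses, which is the serial in the layout used on this page."""
    m = SOA_SERIAL.search(zone_text)
    if not m:
        raise ValueError("no YYYYMMDDnn serial found after SOA")
    new = next_serial(int(m.group(2)), today)
    return zone_text[:m.end(1)] + str(new) + zone_text[m.end(2):], new


# Constructed excerpt of the reverse zone header from this lab.
SAMPLE_ZONE = """\
$ORIGIN 43.168.192.in-addr.arpa.
@       IN      SOA     ns1.yqc.com.    dnsadmin.yqc.com. (
                2018111301
                1H
                10M
                3D
                1D )
        IN      NS      ns1.yqc.com.
"""
```

After bumping, run named-checkzone on the file and rndc reload as in step 2; the slave's log then shows the incoming transfer, and a `dig -t SOA` against master and slave returning the same serial confirms it completed.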

Test from a client with dig

Check whether the forward-resolution slave 192.168.43.102 can answer forward queries:

~]# dig -t A node1.yqc.com @192.168.43.102

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A node1.yqc.com @192.168.43.102
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44717
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;node1.yqc.com.         IN  A

;; ANSWER SECTION:
node1.yqc.com.      3600    IN  CNAME   CentOS7-node-01.yqc.com.
CentOS7-node-01.yqc.com. 3600   IN  A   192.168.43.71

;; AUTHORITY SECTION:
yqc.com.        3600    IN  NS  ns1.yqc.com.
yqc.com.        3600    IN  NS  ns2.yqc.com.

;; ADDITIONAL SECTION:
ns1.yqc.com.        3600    IN  A   192.168.43.101
ns2.yqc.com.        3600    IN  A   192.168.43.102

;; Query time: 2 msec
;; SERVER: 192.168.43.102#53(192.168.43.102)
;; WHEN: Thu Nov 08 14:07:20 CST 2018
;; MSG SIZE  rcvd: 156

At this point the two DNS servers, each master for one zone and slave for the other, are complete.

V. Build the forward-resolution DNS server for the subdomain ops.yqc.com on 192.168.43.103 and delegate it from the master DNS server

Subdomain DNS server configuration

First, add the listen address 192.168.43.103 in the main configuration file /etc/named.conf

options {
        listen-on port 53 { 127.0.0.1;192.168.43.103; };

1. Define the subdomain's zone

/etc/named.rfc1912.zones

zone "ops.yqc.com" IN {
        type master;
        file "ops.yqc.com.zone";
};

2. Create the subdomain's zone data file

/var/named/ops.yqc.com.zone

$TTL 3600
$ORIGIN ops.yqc.com.
@       IN      SOA     ns1.ops.yqc.com.    dnsadmin.ops.yqc.com. (
                2018111301
                1H
                10M
                3D
                1D )
        IN      NS      ns1.ops.yqc.com.
        IN      MX  10  mx1
ns1     IN      A       192.168.43.103
mx1     IN      A       192.168.43.103
node1   IN      A       192.168.43.251
node2   IN      A       192.168.43.252

3. Change the group and permissions of the zone data file

~]# chgrp named /var/named/ops.yqc.com.zone
~]# chmod o= /var/named/ops.yqc.com.zone

4. Check the configuration, then reload it or start the service

~]# named-checkconf
~]# systemctl start named.service

Configuration on the master DNS server 192.168.43.101

1. Delegate the subdomain ops.yqc.com in the zone data file /var/named/yqc.com.zone

$TTL 3600
$ORIGIN yqc.com.
@       IN      SOA     ns1.yqc.com.    dnsadmin.yqc.com. (
                2018111303
                1H
                10M
                3D
                1D )
        IN      NS      ns1.yqc.com.
        IN      NS      ns2.yqc.com.
ops.yqc.com.    IN      NS      ns1.ops.yqc.com.
        IN      MX  10  mx1
ns1     IN      A       192.168.43.101
mx1     IN      A       192.168.43.101
ns2     IN      A       192.168.43.102
ns1.ops.yqc.com.        IN      A       192.168.43.103
CentOS7-node-01 IN      A       192.168.43.71
CentOS7-node-02 IN      A       192.168.43.72
node1   IN      CNAME   CentOS7-node-01
node2   IN      CNAME   CentOS7-node-02

The main changes are these:

...
                2018111303
...
ops.yqc.com.    IN      NS      ns1.ops.yqc.com.
...
ns1.ops.yqc.com.        IN      A       192.168.43.103
...

2. Check and reload the configuration

~]# named-checkzone yqc.com /var/named/yqc.com.zone
~]# rndc reload

Test from a client with dig

Check whether 192.168.43.101 and 192.168.43.102 can resolve hosts in the subdomain:

~]# dig -t A node1.ops.yqc.com @192.168.43.101

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A node1.ops.yqc.com @192.168.43.101
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9913
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;node1.ops.yqc.com.     IN  A

;; ANSWER SECTION:
node1.ops.yqc.com.  3600    IN  A   192.168.43.251

;; AUTHORITY SECTION:
ops.yqc.com.        3600    IN  NS  ns1.ops.yqc.com.

;; ADDITIONAL SECTION:
ns1.ops.yqc.com.    3600    IN  A   192.168.43.103

;; Query time: 8 msec
;; SERVER: 192.168.43.101#53(192.168.43.101)
;; WHEN: Thu Nov 08 14:28:07 CST 2018
;; MSG SIZE  rcvd: 96

~]# dig -t A node1.ops.yqc.com @192.168.43.102

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A node1.ops.yqc.com @192.168.43.102
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32676
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;node1.ops.yqc.com.     IN  A

;; ANSWER SECTION:
node1.ops.yqc.com.  3600    IN  A   192.168.43.251

;; AUTHORITY SECTION:
ops.yqc.com.        3600    IN  NS  ns1.ops.yqc.com.

;; ADDITIONAL SECTION:
ns1.ops.yqc.com.    3600    IN  A   192.168.43.103

;; Query time: 12 msec
;; SERVER: 192.168.43.102#53(192.168.43.102)
;; WHEN: Thu Nov 08 14:28:13 CST 2018
;; MSG SIZE  rcvd: 96

At this point the two master/slave DNS servers can resolve hosts in the subdomain, but the subdomain DNS server still cannot resolve hosts in yqc.com

VI. Define forwarding on the subdomain DNS server

A subdomain server can forward in two ways: zone forwarding and global forwarding

Zone forwarding

Only requests for a specific zone are forwarded to the designated servers.
In this lab, for example, requests for the yqc.com domain need to be forwarded to 192.168.43.101 and 192.168.43.102 for resolution.

Global forwarding

Every DNS request, except those for zones defined locally with zone statements, is forwarded to the designated servers.
In this lab, for example, every request except those for the ops.yqc.com domain would be forwarded to 192.168.43.101 and 192.168.43.102.

Because every server in this lab has internet access, the subdomain DNS server can resolve everything except yqc.com by itself, so only zone forwarding is configured here.

Define zone forwarding for the yqc.com domain on the ops.yqc.com subdomain DNS server

Define the forward zone in the /etc/named.rfc1912.zones configuration file

zone "yqc.com" IN {
        type forward;
        forward only;
        forwarders { 192.168.43.101;192.168.43.102; };
};

Check and reload the configuration

~]# named-checkconf
~]# rndc reload

Test from a client with dig whether 192.168.43.103 can resolve hosts in yqc.com

~]# dig -t A node1.yqc.com @192.168.43.103

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A node1.yqc.com @192.168.43.103
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55272
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;node1.yqc.com.         IN  A

;; ANSWER SECTION:
node1.yqc.com.      3600    IN  CNAME   CentOS7-node-01.yqc.com.
CentOS7-node-01.yqc.com. 3600   IN  A   192.168.43.71

;; AUTHORITY SECTION:
yqc.com.        3600    IN  NS  ns2.yqc.com.
yqc.com.        3600    IN  NS  ns1.yqc.com.

;; ADDITIONAL SECTION:
ns1.yqc.com.        3600    IN  A   192.168.43.101
ns2.yqc.com.        3600    IN  A   192.168.43.102

;; Query time: 10 msec
;; SERVER: 192.168.43.103#53(192.168.43.103)
;; WHEN: Thu Nov 08 14:53:22 CST 2018
;; MSG SIZE  rcvd: 156

VII. Basic security configuration

First, in the main configuration file /etc/named.conf on all three DNS servers, define an acl for the hosts of the 192.168.43.0/24 network:

acl mynet {
        192.168.43.0/24;
};

Then define the access-control directives on each server:

Access-control directives can apply at two scopes, global and per zone:

  1. defined in /etc/named.conf, they take effect globally;
  2. defined inside a zone statement in /etc/named.rfc1912.zones, they take effect only for that zone.
    This lab uses the global scope

192.168.43.101:

  1. Allow queries only from hosts on this network
  2. Allow zone transfers only to 192.168.43.102
  3. Allow recursive queries only from hosts on this network
  4. Do not allow dynamic updates to the contents of the zone data files

/etc/named.conf

options {
        ...
        allow-query     { mynet; };
        allow-transfer  { 192.168.43.102; };
        allow-recursion { mynet; };
        allow-update    { none; };
        ...
};

Check and reload the configuration:

~]# named-checkconf
~]# rndc reload

192.168.43.102:

  1. Allow queries only from hosts on this network
  2. Allow zone transfers only to 192.168.43.101
  3. Allow recursive queries only from hosts on this network
  4. Do not allow dynamic updates to the contents of the zone data files

/etc/named.conf

options {
        ...
        allow-query     { mynet; };
        allow-transfer  { 192.168.43.101; };
        allow-recursion { mynet; };
        allow-update    { none; };
        ...
};

Check and reload the configuration:

~]# named-checkconf
~]# rndc reload

192.168.43.103:

  1. Allow queries only from hosts on this network
  2. Do not allow zone transfers at all
  3. Allow recursive queries only from hosts on this network
  4. Do not allow dynamic updates to the contents of the zone data files

/etc/named.conf

options {
        ...
        allow-query     { mynet; };
        allow-transfer  { none; };
        allow-recursion { mynet; };
        allow-update    { none; };
        ...
};

Check and reload the configuration:

~]# named-checkconf
~]# rndc reload

This lab is only a DNS service layout built from my own shallow understanding of DNS; there is certainly a considerable gap between it and a production environment, and its purpose is to organise my own knowledge.
