2020-08-13 Setting up BIND master/slave DNS servers

  • Environment: Red Hat Enterprise Linux 7.3
    master 10.8.10.30
    slave 10.8.10.204

0 Install bind

yum install -y bind bind-utils

1 MASTER configuration

1.1 Edit /etc/named.conf

a. Open /etc/named.conf, find the listen-on line and change it to:

listen-on port 53 { any; }; # any = every local address

b. Find the allow-query line and change it to:

allow-query     { any; };

c. Turn DNSSEC off:

dnssec-enable no;
dnssec-validation no;

Caveat: the stock named.conf on RHEL 7 also contains recursion yes;. Together with allow-query { any; }; that turns this authoritative server into an open recursive resolver (the ra flag in the dig answers in section 3 shows recursion is on offer to anyone who can reach port 53). A server that only serves its own zones should have recursion no; in options. If internal clients must also use it as a resolver, keep recursion but restrict it, for example with allow-recursion { 10.8.10.0/24; };.

1.2 Edit /etc/named.rfc1912.zones

a. Add the forward and reverse zone definitions. allow-transfer restricts zone transfers (AXFR/IXFR) to the slave; without it BIND 9.9's default of allow-transfer { any; } lets anyone download the whole zone. notify / also-notify make the master send a NOTIFY to the slave as soon as the serial changes, so the slave does not have to wait for the refresh timer.

zone "example.com" IN {
        type master;
        file "example.com.zone";
        allow-transfer { 10.8.10.204; };
        allow-query { any; };
        notify yes;
        also-notify { 10.8.10.204; };
};

zone "10.8.10.in-addr.arpa" IN {
        type master;
        file "10.8.10.arpa";
        allow-transfer { 10.8.10.204; };
        allow-query { any; };
        notify yes;
        also-notify { 10.8.10.204; };
};

1.3 Create the forward and reverse zone files

1.3.1 Forward zone

cd /var/named/
cp -a named.localhost example.com.zone
vim example.com.zone

a. Contents (note that comments in zone files start with ";", unlike most other config files). The SOA names the primary master (dns1.example.com.) and the administrative mailbox hostmaster@example.com in DNS form (hostmaster.example.com.); the form "@ example.com." would have encoded the mailbox as example@com. The serial has to increase on every edit, otherwise the slave never pulls the change.

$TTL 1D
@       IN SOA  dns1.example.com. hostmaster.example.com. (
              20200812        ; serial  - must grow on every edit
                      1D      ; refresh - how often the slave polls the SOA
                      1H      ; retry   - retry interval after a failed refresh
                      1W      ; expire  - slave stops answering if the master stays unreachable this long
                      3H )    ; minimum - negative-caching TTL
@ IN NS dns1.example.com.
  IN NS dns2.example.com.

dns1 IN A 10.8.10.30
dns2 IN A 10.8.10.204

@ IN MX 20 mail2.example.com.
  IN MX 10 mail1.example.com.

mail1 IN A 10.8.10.30
mail2 IN A 10.8.10.204

www  IN  CNAME  servs.example.com.
ftp  IN  CNAME  servs.example.com.
servs  IN  A  10.8.10.20
;        NS      ns.example.com.
;ns      A       10.8.10.130
;www     A       10.8.10.130
;mail    A       10.8.10.120
;        MX 10   mail.example.com.
;example.com.    A 10.8.10.129
$GENERATE 1-245 server$ A 1.1.1.$    ; demo only: server1..server245 -> 1.1.1.1..1.1.1.245
;bbs     CNAME   www
*       A       10.8.10.30           ; wildcard: every name not defined above resolves to the master; drop it unless that is really wanted

1.3.2 Reverse zone

cp -a /var/named/named.loopback /var/named/10.8.10.arpa

a. Contents (the file must live in /var/named/, because file "10.8.10.arpa" in the zone stanza is relative to that directory)

$TTL 1D
@   IN SOA  dns1.example.com. hostmaster.example.com. (
            20200812    ; serial
                    1D  ; refresh
                    1H  ; retry
                    1W  ; expire
                    3H )    ; minimum

@ IN NS dns1.example.com.
  IN NS dns2.example.com.

30 IN PTR dns1.example.com.
204 IN PTR dns2.example.com.

1.4 Check the configuration

a. Main configuration

named-checkconf

b. Zone files (the first argument is the zone origin, so the reverse zone is checked as 10.8.10.in-addr.arpa, not 10.8.10)

named-checkzone example.com /var/named/example.com.zone
named-checkzone 10.8.10.in-addr.arpa /var/named/10.8.10.arpa

c. Restart the service

systemctl restart named
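The step that bites later is the serial: a record edit without a higher serial is never picked up by the slave, and a zone file with a typo that gets reloaded takes the whole zone down. The script below is an added example, not part of the original post or of BIND; it chains the three steps (bump the serial, named-checkzone, reload that one zone). The YYYYMMDDnn serial scheme and the function names are choices made here, and it assumes rndc works as it does on a stock RHEL 7 named install.

```shell
#!/bin/sh
# Added example (not from the original post): bump the SOA serial of a zone
# file, validate it with named-checkzone, then reload only that zone via rndc.
set -eu

# next_serial OLD TODAY   (TODAY as YYYYMMDD)
# YYYYMMDDnn scheme: the first change of a day becomes TODAY"01", further
# changes add one. An 8-digit serial such as 20200812 is smaller than any
# 10-digit value and migrates cleanly; 2020081301 is far below 2^32.
next_serial() {
    old=$1 today=$2
    base=$(( today * 100 ))
    if [ "$old" -lt "$base" ]; then
        echo $(( base + 1 ))
    else
        echo $(( old + 1 ))
    fi
}

# current_serial ZONEFILE: the number on the line whose comment says "serial"
current_serial() {
    awk '/;[ \t]*serial/ {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^[0-9]+$/) { print $i; exit }
         }' "$1"
}

# bump_serial ZONEFILE [TODAY]: rewrite the serial in place and print the new
# value. Writing back through cat keeps owner, mode and SELinux label intact.
bump_serial() {
    zf=$1 today=${2:-$(date +%Y%m%d)}
    old=$(current_serial "$zf")
    [ -n "$old" ] || { echo "no '; serial' line in $zf" >&2; return 1; }
    new=$(next_serial "$old" "$today")
    awk -v old="$old" -v new="$new" '
        /;[ \t]*serial/ && !done { sub(old, new); done = 1 }
        { print }' "$zf" > "$zf.tmp"
    cat "$zf.tmp" > "$zf" && rm -f "$zf.tmp"
    echo "$new"
}

# publish_zone ZONE ZONEFILE: bump, check, reload. set -e aborts before the
# reload when named-checkzone rejects the file, so a typo never goes live.
publish_zone() {
    zone=$1 zf=$2
    new=$(bump_serial "$zf")
    named-checkzone "$zone" "$zf" > /dev/null
    rndc reload "$zone"
    echo "$zone reloaded with serial $new"
}

if [ $# -eq 2 ]; then
    publish_zone "$1" "$2"   # e.g. ./publish.sh example.com /var/named/example.com.zone
fi
```

Run it as ./publish.sh example.com /var/named/example.com.zone after editing the file. rndc reload <zone> re-reads only that zone, and because notify is on the slave transfers the new serial right away instead of waiting for the refresh interval.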

2 SLAVE configuration

2.1 Edit /etc/named.conf

a. Open /etc/named.conf, find the listen-on line and change it to:

listen-on port 53 { any; }; # any = every local address

b. Find the allow-query line and change it to:

allow-query     { any; };

c. Turn DNSSEC off:

dnssec-enable no;
dnssec-validation no;

As on the master, also change the stock recursion yes; to recursion no; (or restrict it with allow-recursion): with allow-query { any; }; a slave that still recurses is an open resolver too.

d. Add one line to options so that the zone files the slave receives are stored in the same text format as on the master (since BIND 9.9 named writes slave zone files in raw binary format by default, which cannot be read with less or grep):

masterfile-format text;

2.2 Edit /etc/named.rfc1912.zones

a. Add the forward and reverse zone definitions. The file of a slave zone must not sit directly in /var/named/: on RHEL that directory carries the SELinux label named_zone_t, which named may only read, whereas /var/named/slaves/, /var/named/data/ and /var/named/dynamic/ are labelled named_cache_t and are writable. Each slave stanza should also get allow-transfer { none; }; because BIND's default allows transfers from any host, so the slave would hand out the full zone even though the master restricts transfers to 10.8.10.204.

zone "example.com" IN {
        type slave;
        file "slaves/example.com.zone";
        masters { 10.8.10.30; };
};

zone "10.8.10.in-addr.arpa" IN {
        type slave;
        file "slaves/10.8.10.arpa";
        masters { 10.8.10.30; };
};
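The named.conf fragment below is an added example, not the post's own configuration. It puts the master stanza from 1.2 and the slave stanza above next to the option defaults this setup leaves untouched; the directives added here (recursion no, a global allow-transfer { none; } re-enabled per zone, allow-notify on the slave) are standard BIND options. The two zone stanzas belong to two different hosts, as labelled.

```conf
// Added example (not from the original post): options block for both hosts
options {
        listen-on port 53 { any; };
        directory "/var/named";
        allow-query     { any; };      // authoritative data is meant to be public
        recursion no;                  // stock file says "recursion yes"; with
                                       // allow-query any that is an open resolver
        allow-transfer  { none; };     // default is "any": deny globally, then
                                       // allow per zone for the slave only
        dnssec-enable no;
        dnssec-validation no;          // nothing to validate on an authoritative-only server
        masterfile-format text;        // slave copies stay human-readable
};

// on the master (10.8.10.30), in /etc/named.rfc1912.zones
zone "example.com" IN {
        type master;
        file "example.com.zone";
        allow-transfer { 10.8.10.204; }; // only the slave may pull the zone
        notify yes;
        also-notify { 10.8.10.204; };
};

// on the slave (10.8.10.204), in /etc/named.rfc1912.zones
zone "example.com" IN {
        type slave;
        file "slaves/example.com.zone";  // named_cache_t directory, writable by named
        masters { 10.8.10.30; };
        allow-transfer { none; };        // otherwise the slave serves AXFR to anyone
        allow-notify { 10.8.10.30; };    // accept NOTIFY only from the master
};
```

The reverse zone 10.8.10.in-addr.arpa gets the same two stanzas with its own file name. After changing either file run named-checkconf before restarting.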

2.3 Check the configuration

a. Main configuration

named-checkconf

3 Restart and test

3.1 On both master and slave, set the ownership of /var/named/ and everything in it

chown -R named:named /var/named/

3.2 Restart master and slave

a. Restart

systemctl restart named

b. Check /var/log/messages for errors
Common errors

  • 1> dumping master file: tmp-Jf88DjE6Zl: open: permission denied
    chown -R named:named /var/named/ does not seem to help here. The block is SELinux, not file ownership: /var/named is labelled named_zone_t, which named may only read, so the transferred zone cannot be written there. Pointing the slave zone at file "slaves/example.com.zone"; (a named_cache_t directory) makes the transfer succeed. setsebool -P named_write_master_zones 1 would allow writes under /var/named itself, but the slaves/ directory is the cleaner fix.
  • 2> error (no valid KEY) resolving './DNSKEY/IN': 192.228.79.201#53
    The stock /etc/named.conf has DNSSEC validation switched on, so named tried to fetch and validate the root zone's DNSKEY from a root server and could not (no usable trust anchor, or no path to the root servers). After that every recursive answer fails validation because no chain of trust can be built, and lookups end in SERVFAIL. Validation only matters when the server recurses on behalf of clients; an authoritative-only server does not need it, which is why 1.1 turns it off (turning recursion off removes the problem entirely).

c. Check that the transferred zone files have appeared under /var/named/slaves/ on the slave
d. Edit /etc/resolv.conf on a client. List the slave as well, otherwise the client loses name service whenever the master is down

nameserver      10.8.10.30
nameserver      10.8.10.204

e. Test with dig / nslookup. The aa flag in the answers below confirms the server is authoritative for the zone; the ra flag shows it also offers recursion to any client, which an authoritative-only server should not (recursion no; in options). Repeat the same queries against @10.8.10.204 to confirm the slave answers identically.

dig -t A www.example.com @10.8.10.30
; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t A www.example.com @10.8.10.30
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6484
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.example.com.       IN  A

;; ANSWER SECTION:
www.example.com.    86400   IN  CNAME   servs.example.com.
servs.example.com.  86400   IN  A   10.8.10.20

;; AUTHORITY SECTION:
example.com.        86400   IN  NS  dns1.example.com.
example.com.        86400   IN  NS  dns2.example.com.

;; ADDITIONAL SECTION:
dns1.example.com.   86400   IN  A   10.8.10.30
dns2.example.com.   86400   IN  A   10.8.10.204

;; Query time: 0 msec
;; SERVER: 10.8.10.30#53(10.8.10.30)
;; WHEN: Thu Aug 13 16:12:29 CST 2020
;; MSG SIZE  rcvd: 150

dig -x 10.8.10.30 @10.8.10.30
; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -x 10.8.10.30 @10.8.10.30
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35056
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;30.10.8.10.in-addr.arpa.   IN  PTR

;; ANSWER SECTION:
30.10.8.10.in-addr.arpa. 86400  IN  PTR dns1.example.com.

;; AUTHORITY SECTION:
10.8.10.in-addr.arpa.   86400   IN  NS  dns1.example.com.
10.8.10.in-addr.arpa.   86400   IN  NS  dns2.example.com.

;; ADDITIONAL SECTION:
dns1.example.com.   86400   IN  A   10.8.10.30
dns2.example.com.   86400   IN  A   10.8.10.204

;; Query time: 1 msec
;; SERVER: 10.8.10.30#53(10.8.10.30)
;; WHEN: Thu Aug 13 16:13:55 CST 2020
;; MSG SIZE  rcvd: 147
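A correct dig answer does not show that the pair is healthy or safe. The script below is an added example, not from the original post; it checks three things worth verifying after this setup: master and slave carry the same SOA serial, neither server hands a zone transfer to a host other than the slave, and neither advertises recursion (ra). The parsing helpers take dig output as text, so they can be tried on the captured output above; the check_* functions call dig against the two servers and run with --run, ideally from a third host so the AXFR check is meaningful. MASTER, SLAVE and ZONE at the top are the post's values and are assumptions for any other deployment.

```shell
#!/bin/sh
# Added example (not from the original post): post-deployment checks for the
# master/slave pair. Parse helpers work on dig output passed as text; the
# check_* functions need dig and network access to MASTER and SLAVE.
set -eu
MASTER=10.8.10.30      # assumed: the post's master
SLAVE=10.8.10.204      # assumed: the post's slave
ZONE=example.com

# dig_status OUTPUT: status word (NOERROR, REFUSED, SERVFAIL ...) from the header line
dig_status() {
    printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p'
}

# dig_flags OUTPUT: the flag list ("qr aa rd ra") from the ";; flags:" line
dig_flags() {
    printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p'
}

# dig_has_flag OUTPUT FLAG: true if FLAG is set in the response header
dig_has_flag() {
    for f in $(dig_flags "$1"); do
        [ "$f" = "$2" ] && return 0
    done
    return 1
}

# soa_serial SHORT_SOA: serial field of "dig +short soa" output, e.g.
# "dns1.example.com. hostmaster.example.com. 2020081301 86400 3600 604800 10800"
soa_serial() { printf '%s\n' "$1" | awk 'NF >= 3 { print $3; exit }'; }

# 1. Both servers carry the same serial. A mismatch means the transfer failed
#    (see /var/log/messages) or the serial was not bumped after the last edit.
check_serial_sync() {
    m=$(soa_serial "$(dig +short soa "$ZONE" @"$MASTER")")
    s=$(soa_serial "$(dig +short soa "$ZONE" @"$SLAVE")")
    if [ -n "$m" ] && [ "$m" = "$s" ]; then
        echo "OK   serial $m on both servers"
    else
        echo "FAIL serial master=$m slave=$s"; return 1
    fi
}

# 2. Nobody but the slave may pull the zone. Run from a host that is not the
#    slave: dig prints "; Transfer failed." when the server refuses AXFR.
check_axfr_refused() {
    for srv in "$MASTER" "$SLAVE"; do
        if dig axfr "$ZONE" @"$srv" | grep -q 'Transfer failed'; then
            echo "OK   $srv refuses AXFR"
        else
            echo "FAIL $srv hands out the whole zone; set allow-transfer"; return 1
        fi
    done
}

# 3. An authoritative-only server must not offer recursion to the world:
#    the ra flag has to be absent from its answers.
check_no_recursion() {
    for srv in "$MASTER" "$SLAVE"; do
        out=$(dig a "www.$ZONE" @"$srv")
        if dig_has_flag "$out" ra; then
            echo "FAIL $srv advertises recursion (ra); set recursion no"; return 1
        else
            echo "OK   $srv is not an open resolver"
        fi
    done
}

if [ "${1:-}" = "--run" ]; then
    check_serial_sync
    check_axfr_refused
    check_no_recursion
fi
```

Against the configuration as written in this post the third check fails on both hosts, because the stock recursion yes; is still in place; the second check fails on the slave until its zones get allow-transfer { none; };.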
