DNS master/slave synchronization and secure zone transfer in a BIND configuration

Setting up DNS master/slave synchronization:

   The BIND version on the master DNS server must not be higher than the version on the slave.

   Two key steps when adding a slave server to a zone:

           a: obtain delegation from the parent zone

           b: add an NS record for the server, together with the matching A record or PTR record, to the zone data file


   1. Add an NS record and the matching A record in the master's forward zone file

# vim /var/named/mageedu.com.zone
$TTL 86400
; note: the RNAME "admin.mageedu.com" has no trailing dot, so BIND appends the origin
; and the SOA shows admin.mageedu.com.mageedu.com. (see the dig output below);
; write "admin.mageedu.com." to get the intended mailbox
@       IN      SOA     dsn.mageedu.com. admin.mageedu.com (
                2014031901
                1D
                12H
                1D
                12H )
        IN      NS      dns
        IN      NS      ns
        IN      MX      20      mail
dns     IN      A       172.16.19.100
ns      IN      A       172.16.19.1
mail    IN      A       172.16.19.2
www     IN      A       172.16.19.3
pop     IN      CNAME   mail
ftp     IN      CNAME   www

   2. Add an NS record and the matching PTR record for the slave DNS server in the reverse zone file

# vim /var/named/172.16.19.zone
$TTL 86400
@       IN      SOA     dsn.mageedu.com. admin.mageedu.com (
                2014031902
                1D
                12H
                1D
                12H )
        IN      NS      dns.mageedu.com.
        IN      NS      ns.mageedu.com.
100     IN      PTR     dns.mageedu.com.
1       IN      PTR     ns.mageedu.com.
2       IN      PTR     mail.mageedu.com.
3       IN      PTR     www.mageedu.com.

   3. Edit the configuration file (named.conf) in the same way as above


   4. Add the mageedu.com zone on the slave server

zone "mageedu.com" IN {
        type master;
        masters { 172.16.19.100; };
        file "slaves/mageedu.com.zone";
};


   5. Add the 19.16.172.in-addr.arpa zone on the slave server

zone "19.16.172.in-addr.arpa" IN {
        type slave;
        masters { 172.16.19.100; };   // the master's address; the log below confirms the transfer comes from 172.16.19.100
        file "slaves/172.16.19.zone";
};

   6. Start the named service

# named -u named

   7. Check the log file

# tail /var/log/messages
Mar 17 05:44:18 stu19 named[31977]: zone 19.16.172.in-addr.arpa/IN: Transfer started.
Mar 17 05:44:18 stu19 named[31977]: transfer of '19.16.172.in-addr.arpa/IN' from 172.16.19.100#53: connected using 172.16.19.1#47647
Mar 17 05:44:18 stu19 named[31977]: zone 19.16.172.in-addr.arpa/IN: transferred serial 2014031902
Mar 17 05:44:18 stu19 named[31977]: transfer of '19.16.172.in-addr.arpa/IN' from 172.16.19.100#53: Transfer completed: 1 messages, 8 records, 255 bytes, 0.003 secs (85000 bytes/sec)
Mar 17 05:44:18 stu19 named[31977]: zone 19.16.172.in-addr.arpa/IN: sending notifies (serial 2014031902)
Mar 17 05:44:18 stu19 named[31977]: zone mageedu.com/IN: Transfer started.
Mar 17 05:44:18 stu19 named[31977]: transfer of 'mageedu.com/IN' from 172.16.19.100#53: connected using 172.16.19.1#40334
Mar 17 05:44:18 stu19 named[31977]: zone mageedu.com/IN: transferred serial 2014031901
Mar 17 05:44:18 stu19 named[31977]: transfer of 'mageedu.com/IN' from 172.16.19.100#53: Transfer completed: 1 messages, 11 records, 283 bytes, 0.002 secs (141500 bytes/sec)
Mar 17 05:44:18 stu19 named[31977]: zone mageedu.com/IN: sending notifies (serial 2014031901)

   8. Check the /var/named/slaves/ directory on the slave server

# ls /var/named/slaves/
172.16.19.zone  mageedu.com.zone


Zone transfer security controls

   Hardening the DNS server

   Add allow-transfer { IP; }; to each zone definition in the master server's configuration

   Only allow 127.0.0.1 and 172.16.19.1 to perform zone transfers

zone "mageedu.com" IN {
        type master;
        file "mageedu.com.zone";
        allow-transfer { 127.0.0.1; 172.16.19.1; };
};
zone "19.16.172.in-addr.arpa" IN {
        type master;
        file "172.16.19.zone";
        allow-transfer { 127.0.0.1; 172.16.19.1; };
};

   Reload the DNS service on the master server

# service named reload

   Zone transfer security control successfully configured

# dig -t axfr mageedu.com @172.16.19.100
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 <<>> -t axfr mageedu.com @172.16.19.100
;; global options: +cmd
; Transfer failed.
# dig -t axfr mageedu.com @172.16.19.1
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 <<>> -t axfr mageedu.com @172.16.19.1
;; global options: +cmd
mageedu.com.        86400   IN  SOA     dsn.mageedu.com. admin.mageedu.com.mageedu.com. 2014031901 86400 43200 86400 43200
mageedu.com.        86400   IN  MX      20 mail.mageedu.com.
mageedu.com.        86400   IN  NS      dns.mageedu.com.
mageedu.com.        86400   IN  NS      ns.mageedu.com.
dns.mageedu.com.    86400   IN  A       172.16.19.100
ftp.mageedu.com.    86400   IN  CNAME   www.mageedu.com.
mail.mageedu.com.   86400   IN  A       172.16.19.2
ns.mageedu.com.     86400   IN  A       172.16.19.1
pop.mageedu.com.    86400   IN  CNAME   mail.mageedu.com.
www.mageedu.com.    86400   IN  A       172.16.19.3
mageedu.com.        86400   IN  SOA     dsn.mageedu.com. admin.mageedu.com.mageedu.com. 2014031901 86400 43200 86400 43200
;; Query time: 5 msec
;; SERVER: 172.16.19.1#53(172.16.19.1)
;; WHEN: Sun Mar 16 16:29:23 2014
;; XFR size: 11 records (messages 1, bytes 283)

   Configure zone transfer security control on the slave server: allow nobody to transfer from it

zone "mageedu.com" IN {
        type slave;
        masters { 172.16.19.100; };
        file "slaves/mageedu.com.zone";
        allow-transfer { none; };
};
zone "19.16.172.in-addr.arpa" IN {
        type slave;
        masters { 172.16.19.100; };
        file "slaves/172.16.19.zone";
        allow-transfer { none; };
};

   Reload the DNS service on the slave server

# service named reload


   Test that the zone transfer security control configuration works

[root@stu19 ~]# dig -t axfr mageedu.com @127.0.0.1
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 <<>> -t axfr mageedu.com @127.0.0.1
;; global options: +cmd
; Transfer failed.
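The allow-transfer settings above (a restricted list on the master, none on the slave) are easy to get wrong on one zone and miss on another. As an added example that is not part of the original post, the following script audits the zone statements of a named.conf and reports any zone whose AXFR access is wider than a trusted address list; it runs on a constructed sample config (not the post's file) and the zone names other than mageedu.com and 19.16.172.in-addr.arpa are made up.

```python
import re

# Constructed named.conf (not the post's own file) modelled on its zone statements:
# a restricted master zone, a master zone with no allow-transfer, and one with "any".
SAMPLE_NAMED_CONF = """
zone "mageedu.com" IN {
    type master;
    allow-transfer { 127.0.0.1; 172.16.19.1; };
};
zone "19.16.172.in-addr.arpa" IN {
    type master;
};
zone "open.example" IN {
    type master;
    allow-transfer { any; };
};
"""
TRUSTED = ['127.0.0.1', '172.16.19.1']  # the addresses the post's allow-transfer admits

def zone_blocks(conf):
    """Yield (zone name, statement body) for each zone statement, matching nested braces."""
    for m in re.finditer(r'zone\s+"([^"]+)"[^{]*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def address_list(body, keyword):
    """Entries of an address-list clause such as allow-transfer, or None if absent."""
    m = re.search(keyword + r'\s*\{([^}]*)\}', body)
    return None if m is None else [e.strip() for e in m.group(1).split(';') if e.strip()]

def audit_transfers(conf, trusted):
    """Map each zone to 'ok', or to why AXFR is wider than the trusted list.
    A missing allow-transfer is reported as open: BIND's default is any."""
    findings = {}
    for name, body in zone_blocks(conf):
        acl = address_list(body, 'allow-transfer')
        if acl is None:
            findings[name] = 'open: no allow-transfer (defaults to any)'
        elif 'any' in acl:
            findings[name] = 'open: allow-transfer any'
        else:
            extra = sorted(set(acl) - set(trusted) - {'none'})
            findings[name] = 'untrusted: ' + ', '.join(extra) if extra else 'ok'
    return findings

print(audit_transfers(SAMPLE_NAMED_CONF, TRUSTED))
```

Point it at a real named.conf with open(...).read() to audit a live configuration; a global allow-transfer in the options block is not parsed here, so zones it covers still show as open.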

