智能DNS安装配置

智能DNS安装配置


一、DNS-master安装配置

1. bind 安装
# cd /usr/src/
# wget ftp://ftp.isc.org/isc/bind9/9.8.1-P1/bind-9.8.1-P1.tar.gz
# tar zxf bind-9.8.1-P1.tar.gz
# cd bind-9.8.1-P1
# ./configure --prefix=/usr/local/named --enable-threads --disable-openssl-version-check
# make && make install


2. 生成rndc配置文件rndc.conf
# /usr/local/named/sbin/rndc-confgen > /usr/local/named/etc/rndc.conf


3.生成配置文件named.conf
# cd /usr/local/named/etc/
# tail -n10 rndc.conf |head -n9|sed -e s/#\//g >named.conf


4.生成key,用于主从view同步实验
每个视图使用一个key,用于主从view同步验证
# /usr/local/named/sbin/dnssec-keygen -a hmac-md5 -b 128 -n HOST beijing
# /usr/local/named/sbin/dnssec-keygen -a hmac-md5 -b 128 -n HOST shenyang
# /usr/local/named/sbin/dnssec-keygen -a hmac-md5 -b 128 -n HOST any

查看一下 key 文件的具体内容,其中 Key: 一行的值就是需要写入 bind 主配置文件对应 key 语句 secret 字段的内容。这个值是主从服务器之间的共享密钥,示例中的值仅用于演示,实际部署要使用自己生成的 key,并限制 .private 文件的读取权限。
# more Kbeijing.+157+15717.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: bo0JTr29wbjaGGQDTA+2Sg==
Bits: AAA=
Created: 20140327010301
Publish: 20140327010301
Activate: 20140327010301


5. 新建acl
收集各个大区的IP地址,然后新建ACL,将收集到的IP放到对应的ACL中
# mkdir /usr/local/named/var/named
# vim /usr/local/named/var/named/beijing.acl //北京地区用户访问时使用的ACL,可加多个北京IP地址
acl beijing {
192.168.0.96;
};

# vim /usr/local/named/var/named/shenyang.acl
acl shenyang {
192.168.0.91;
};


6. 设置主配置文件named.conf
一共建立了三个view,分别是beijing,shenyang,any。其中beijing为北京用户处理查询请求,shenyang为沈阳用户处理查询请求,any负责处理其他地区用户的查询请求。注意三个 view 都开启了 recursion yes,而 any 视图的 match-clients 以 any 结尾,会匹配所有其他来源,因此这台服务器会为任意客户端提供递归查询;如果只需要对外提供 damai.com 的权威解析,应在 any 视图中关闭递归,或用 allow-recursion 限定允许递归的客户端。
# vim /usr/local/named/etc/named.conf
key "rndc-key" {
       algorithm hmac-md5;
       secret "FsC08CBCt2z50GRc6zpojg==";
};

controls {
       inet 127.0.0.1 port 953
               allow { 127.0.0.1; } keys { "rndc-key"; };
};


options {
       directory "/usr/local/named/var/named";
};

logging {
       channel warning {
       file "warning.log" versions 3 size 2048k;
       severity warning;
       print-category yes;
       print-severity yes;
       print-time yes; };

       channel query {
       file "query.log" versions 3 size 2048k;
       severity info;
       print-category yes;
       print-severity yes;
       print-time yes; };
       category default { warning; };
       category queries { query; };
       };

key beijing-key {
       algorithm hmac-md5;
       secret "bo0JTr29wbjaGGQDTA+2Sg==";

       };

key shenyang-key {
       algorithm hmac-md5;
       secret "cysQcshAlJtnMqqIjxxVrw==";
};

key any-key {
       algorithm hmac-md5;
       secret "FWUReH/kX8Q15nxeepjzbQ==";
};

include "/usr/local/named/var/named/beijing.acl";
include "/usr/local/named/var/named/shenyang.acl";

view "beijing" {
match-clients { !key shenyang-key; !key any-key; key beijing-key;beijing; };
       recursion yes;
       allow-transfer {key beijing-key;};
       server 192.168.0.99 {keys beijing-key;};
   zone "." IN {
       type hint;
       file "named.root";
       };

   zone "damai.com" IN {
       type master;
       file "beijing.damai.com.zone";
       };
       };

view "shenyang" {
match-clients { !key beijing-key; !key any-key; key shenyang-key;shenyang; };
       recursion yes;
       allow-transfer {key shenyang-key;};
       server 192.168.0.99 {keys shenyang-key;};
   zone "." IN {
       type hint;
       file "named.root";
       };

   zone "damai.com" IN {
       type master;
       file "shenyang.damai.com.zone";
       };
       };


view "any" {
match-clients { !key beijing-key; !key shenyang-key; key any-key;any; };
       recursion yes;
       allow-transfer {key any-key;};
       server 192.168.0.99 {keys any-key;};
   zone "." IN {
       type hint;
       file "named.root";
       };

   zone "damai.com" IN {
       type master;
       file "any.damai.com.zone";
       };
       };


注: 配置文件中 key 语句的写法可以照抄 rndc-confgen 生成的 rndc-key 语法,只需把 key 名称改为对应的名字,把 secret 改为刚才生成的 key 文件中 Key: 一行的值;配置文件中 include 引入的是前面建立的 acl 文件。


7. 生成根区域配置文件
# /usr/local/named/bin/dig -t NS . > /usr/local/named/var/named/named.root


8. 撰写北京,沈阳,any的区域文件
# cat /usr/local/named/var/named/beijing.damai.com.zone
@ 3600 IN SOA damai.com. root.damai.com. (
       20140328  ; Serial
       3600 ; Refresh
       900 ; Retry
       3600000 ; Expire
       3600 ) ; Minimum

@       IN NS damai.com.
       IN A 192.168.0.99
pic     IN A 192.168.0.90
video   IN A 192.168.0.80

# cat /usr/local/named/var/named/shenyang.damai.com.zone        
@ 3600 IN SOA damai.com. root.damai.com. (
       20140328  ; Serial
       3600 ; Refresh
       900 ; Retry
       3600000 ; Expire
       3600 ) ; Minimum

       IN NS damai.com.
       IN A 192.168.0.99
pic     IN A 192.168.0.91
video   IN A 192.168.0.81

# cat /usr/local/named/var/named/any.damai.com.zone        
@ 3600 IN SOA damai.com. root.damai.com. (
       20140328  ; Serial
       3600 ; Refresh
       900 ; Retry
       3600000 ; Expire
       3600 ) ; Minimum

       IN NS damai.com.
       IN A 192.168.0.99
pic     IN A 192.168.0.92
video   IN A 192.168.0.82


9.启动BIND
9.1 检查named.conf配置文件
#/usr/local/named/sbin/named-checkconf
9.2 检查zone配置文件
#/usr/local/named/sbin/named-checkzone zone名称 zone文件名
例如:
# /usr/local/named/sbin/named-checkzone damai.com /usr/local/named/var/named/beijing.damai.com.zone
9.3 调试模式启动bind
-g 参数表示在前台运行 named,并把启动信息输出到终端;确认没有严重错误后,去掉 -g 参数,改用 /usr/local/named/sbin/named 方式在后台启动 bind。
#/usr/local/named/sbin/named -g
9.4 设置开机启动
#echo "/usr/local/named/sbin/named -c /usr/local/named/etc/named.conf" >> /etc/rc.d/rc.local
9.5 状态查看
#/usr/local/named/sbin/rndc status
9.6 手动添加记录
直接在 zone 文件里添加、删除或修改记录后,需要递增 SOA 的 serial,再执行 rndc reload zone名称 重新加载
如 #/usr/local/named/sbin/rndc reload damai.com IN beijing(同一个 zone 出现在多个 view 中时,需要带上 class 和 view 名称;不带参数的 rndc reload 则重新加载全部配置和 zone)
9.7 启动BIND
# /usr/local/named/sbin/named -c /usr/local/named/etc/named.conf

9.8 主 DNS 服务器在修改了正向解析文件或反向解析文件后,要递增相应的 serial(通常是加 1;主服务器的 serial 必须大于从服务器上的,否则无法同步)

二、DNS-slave安装配置
1. bind 安装
# cd /usr/src/
# wget ftp://ftp.isc.org/isc/bind9/9.8.1-P1/bind-9.8.1-P1.tar.gz
# tar zxf bind-9.8.1-P1.tar.gz
# cd bind-9.8.1-P1
# ./configure --prefix=/usr/local/named --enable-threads --disable-openssl-version-check
# make && make install


2. 生成rndc配置文件rndc.conf
# /usr/local/named/sbin/rndc-confgen > /usr/local/named/etc/rndc.conf


3.生成配置文件named.conf
# cd /usr/local/named/etc/
# tail -n10 rndc.conf |head -n9|sed -e s/#\//g >named.conf


4. 将 DNS-master 服务器上的 /usr/local/named/var/named 整个目录拷贝到 DNS-slave 服务器的 /usr/local/named/var/ 目录下


5. 设置主配置文件named.conf
# cat /usr/local/named/etc/named.conf
key "rndc-key" {
       algorithm hmac-md5;
       secret "csa61V3IF58VjNV82qkeCw==";
};

controls {
       inet 127.0.0.1 port 953
               allow { 127.0.0.1; } keys { "rndc-key"; };
};


options {
       directory "/usr/local/named/var/named";
};

logging {
       channel warning {
       file "warning.log" versions 3 size 2048k;
       severity warning;
       print-category yes;
       print-severity yes;
       print-time yes; };

       channel query {
       file "query.log" versions 3 size 2048k;
       severity info;
       print-category yes;
       print-severity yes;
       print-time yes; };
       category default { warning; };
       category queries { query; };
       };

key beijing-key {
       algorithm hmac-md5;
       secret "bo0JTr29wbjaGGQDTA+2Sg==";

       };

key shenyang-key {
       algorithm hmac-md5;
       secret "cysQcshAlJtnMqqIjxxVrw==";
};

key any-key {
       algorithm hmac-md5;
       secret "FWUReH/kX8Q15nxeepjzbQ==";
};

include "/usr/local/named/var/named/beijing.acl";
include "/usr/local/named/var/named/shenyang.acl";

view "beijing" {
match-clients { !key shenyang-key; !key any-key; key beijing-key;beijing; };
       recursion yes;
       allow-transfer {key beijing-key;};
       server 192.168.0.99 {keys beijing-key;};
   zone "." IN {
       type hint;
       file "named.root";
       };

   zone "damai.com" IN {
       type slave;
       masters { 192.168.0.99; };
       file "beijing.damai.com.zone";
       };
       };

view "shenyang" {
match-clients { !key beijing-key; !key any-key; key shenyang-key;shenyang; };
       recursion yes;
       allow-transfer {key shenyang-key;};
       server 192.168.0.99 {keys shenyang-key;};
   zone "." IN {
       type hint;
       file "named.root";
       };

   zone "damai.com" IN {
       type slave;
       masters { 192.168.0.99; };
       file "shenyang.damai.com.zone";
       };
       };


view "any" {
match-clients { !key beijing-key; !key shenyang-key; key any-key;any; };
       recursion yes;
       allow-transfer {key any-key;};
       server 192.168.0.99 {keys any-key;};
   zone "." IN {
       type hint;
       file "named.root";
       };

   zone "damai.com" IN {
       type slave;
       masters { 192.168.0.99; };
       file "any.damai.com.zone";
       };
       };


6. 启动BIND
# /usr/local/named/sbin/named -c /usr/local/named/etc/named.conf

三、测试
用 dig 测试:例如在属于 beijing ACL 的主机(192.168.0.96)上执行 dig @192.168.0.99 pic.damai.com,应返回 192.168.0.90;在属于 shenyang ACL 的主机(192.168.0.91)上应返回 192.168.0.91;其他来源应返回 192.168.0.92。


智能DNS安装配置


一、DNS-master安装配置

1. bind 安装
# cd /usr/src/
# wget ftp://ftp.isc.org/isc/bind9/9.8.1-P1/bind-9.8.1-P1.tar.gz
# tar zxf bind-9.8.1-P1.tar.gz
# cd bind-9.8.1-P1
# ./configure --prefix=/usr/local/named --enable-threads --disable-openssl-version-check
# make && make install


2. 生成rndc配置文件rndc.conf
# /usr/local/named/sbin/rndc-confgen > /usr/local/named/etc/rndc.conf


3.生成配置文件named.conf
# cd /usr/local/named/etc/
# tail -n10 rndc.conf |head -n9|sed -e s/#\//g >named.conf


4.生成key,用于主从view同步实验
每个视图使用一个key,用于主从view同步验证
# /usr/local/named/sbin/dnssec-keygen -a hmac-md5 -b 128 -n HOST beijing
# /usr/local/named/sbin/dnssec-keygen -a hmac-md5 -b 128 -n HOST shenyang
# /usr/local/named/sbin/dnssec-keygen -a hmac-md5 -b 128 -n HOST any

查看一下 key 文件的具体内容,其中 Key: 一行的值就是需要写入 bind 主配置文件对应 key 语句 secret 字段的内容。这个值是主从服务器之间的共享密钥,示例中的值仅用于演示,实际部署要使用自己生成的 key,并限制 .private 文件的读取权限。
# more Kbeijing.+157+15717.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: bo0JTr29wbjaGGQDTA+2Sg==
Bits: AAA=
Created: 20140327010301
Publish: 20140327010301
Activate: 20140327010301


5. 新建acl
收集各个大区的IP地址,然后新建ACL,将收集到的IP放到对应的ACL中
# mkdir /usr/local/named/var/named
# vim /usr/local/named/var/named/beijing.acl //北京地区用户访问时使用的ACL,可加多个北京IP地址
acl beijing {
192.168.0.96;
};

# vim /usr/local/named/var/named/shenyang.acl
acl shenyang {
192.168.0.91;
};


6. 设置主配置文件named.conf
一共建立了三个view,分别是beijing,shenyang,any。其中beijing为北京用户处理查询请求,shenyang为沈阳用户处理查询请求,any负责处理其他地区用户的查询请求。注意三个 view 都开启了 recursion yes,而 any 视图的 match-clients 以 any 结尾,会匹配所有其他来源,因此这台服务器会为任意客户端提供递归查询;如果只需要对外提供 damai.com 的权威解析,应在 any 视图中关闭递归,或用 allow-recursion 限定允许递归的客户端。
# vim /usr/local/named/etc/named.conf
key "rndc-key" {
       algorithm hmac-md5;
       secret "FsC08CBCt2z50GRc6zpojg==";
};

controls {
       inet 127.0.0.1 port 953
               allow { 127.0.0.1; } keys { "rndc-key"; };
};


options {
       directory "/usr/local/named/var/named";
};

logging {
       channel warning {
       file "warning.log" versions 3 size 2048k;
       severity warning;
       print-category yes;
       print-severity yes;
       print-time yes; };

       channel query {
       file "query.log" versions 3 size 2048k;
       severity info;
       print-category yes;
       print-severity yes;
       print-time yes; };
       category default { warning; };
       category queries { query; };
       };

key beijing-key {
       algorithm hmac-md5;
       secret "bo0JTr29wbjaGGQDTA+2Sg==";

       };

key shenyang-key {
       algorithm hmac-md5;
       secret "cysQcshAlJtnMqqIjxxVrw==";
};

key any-key {
       algorithm hmac-md5;
       secret "FWUReH/kX8Q15nxeepjzbQ==";
};

include "/usr/local/named/var/named/beijing.acl";
include "/usr/local/named/var/named/shenyang.acl";

view "beijing" {
match-clients { !key shenyang-key; !key any-key; key beijing-key;beijing; };
       recursion yes;
       allow-transfer {key beijing-key;};
       server 192.168.0.99 {keys beijing-key;};
   zone "." IN {
       type hint;
       file "named.root";
       };

   zone "damai.com" IN {
       type master;
       file "beijing.damai.com.zone";
       };
       };

view "shenyang" {
match-clients { !key beijing-key; !key any-key; key shenyang-key;shenyang; };
       recursion yes;
       allow-transfer {key shenyang-key;};
       server 192.168.0.99 {keys shenyang-key;};
   zone "." IN {
       type hint;
       file "named.root";
       };

   zone "damai.com" IN {
       type master;
       file "shenyang.damai.com.zone";
       };
       };


view "any" {
match-clients { !key beijing-key; !key shenyang-key; key any-key;any; };
       recursion yes;
       allow-transfer {key any-key;};
       server 192.168.0.99 {keys any-key;};
   zone "." IN {
       type hint;
       file "named.root";
       };

   zone "damai.com" IN {
       type master;
       file "any.damai.com.zone";
       };
       };


注: 配置文件中 key 语句的写法可以照抄 rndc-confgen 生成的 rndc-key 语法,只需把 key 名称改为对应的名字,把 secret 改为刚才生成的 key 文件中 Key: 一行的值;配置文件中 include 引入的是前面建立的 acl 文件。


7. 生成根区域配置文件
# /usr/local/named/bin/dig -t NS . > /usr/local/named/var/named/named.root


8. 撰写北京,沈阳,any的区域文件
# cat /usr/local/named/var/named/beijing.damai.com.zone
@ 3600 IN SOA damai.com. root.damai.com. (
       20140328  ; Serial
       3600 ; Refresh
       900 ; Retry
       3600000 ; Expire
       3600 ) ; Minimum

@       IN NS damai.com.
       IN A 192.168.0.99
pic     IN A 192.168.0.90
video   IN A 192.168.0.80

# cat /usr/local/named/var/named/shenyang.damai.com.zone        
@ 3600 IN SOA damai.com. root.damai.com. (
       20140328  ; Serial
       3600 ; Refresh
       900 ; Retry
       3600000 ; Expire
       3600 ) ; Minimum

       IN NS damai.com.
       IN A 192.168.0.99
pic     IN A 192.168.0.91
video   IN A 192.168.0.81

# cat /usr/local/named/var/named/any.damai.com.zone        
@ 3600 IN SOA damai.com. root.damai.com. (
       20140328  ; Serial
       3600 ; Refresh
       900 ; Retry
       3600000 ; Expire
       3600 ) ; Minimum

       IN NS damai.com.
       IN A 192.168.0.99
pic     IN A 192.168.0.92
video   IN A 192.168.0.82


9.启动BIND
9.1 检查named.conf配置文件
#/usr/local/named/sbin/named-checkconf
9.2 检查zone配置文件
#/usr/local/named/sbin/named-checkzone zone名称 zone文件名
例如:
# /usr/local/named/sbin/named-checkzone damai.com /usr/local/named/var/named/beijing.damai.com.zone
9.3 调试模式启动bind
-g 参数表示在前台运行 named,并把启动信息输出到终端;确认没有严重错误后,去掉 -g 参数,改用 /usr/local/named/sbin/named 方式在后台启动 bind。
#/usr/local/named/sbin/named -g
9.4 设置开机启动
#echo "/usr/local/named/sbin/named -c /usr/local/named/etc/named.conf" >> /etc/rc.d/rc.local
9.5 状态查看
#/usr/local/named/sbin/rndc status
9.6 手动添加记录
直接在 zone 文件里添加、删除或修改记录后,需要递增 SOA 的 serial,再执行 rndc reload zone名称 重新加载
如 #/usr/local/named/sbin/rndc reload damai.com IN beijing(同一个 zone 出现在多个 view 中时,需要带上 class 和 view 名称;不带参数的 rndc reload 则重新加载全部配置和 zone)
9.7 启动BIND
# /usr/local/named/sbin/named -c /usr/local/named/etc/named.conf

9.8 主 DNS 服务器在修改了正向解析文件或反向解析文件后,要递增相应的 serial(通常是加 1;主服务器的 serial 必须大于从服务器上的,否则无法同步)

二、DNS-slave安装配置
1. bind 安装
# cd /usr/src/
# wget ftp://ftp.isc.org/isc/bind9/9.8.1-P1/bind-9.8.1-P1.tar.gz
# tar zxf bind-9.8.1-P1.tar.gz
# cd bind-9.8.1-P1
# ./configure --prefix=/usr/local/named --enable-threads --disable-openssl-version-check
# make && make install


2. 生成rndc配置文件rndc.conf
# /usr/local/named/sbin/rndc-confgen > /usr/local/named/etc/rndc.conf


3.生成配置文件named.conf
# cd /usr/local/named/etc/
# tail -n10 rndc.conf |head -n9|sed -e s/#\//g >named.conf


4. 将 DNS-master 服务器上的 /usr/local/named/var/named 整个目录拷贝到 DNS-slave 服务器的 /usr/local/named/var/ 目录下


5. 设置主配置文件named.conf
# cat /usr/local/named/etc/named.conf
key "rndc-key" {
       algorithm hmac-md5;
       secret "csa61V3IF58VjNV82qkeCw==";
};

controls {
       inet 127.0.0.1 port 953
               allow { 127.0.0.1; } keys { "rndc-key"; };
};


options {
       directory "/usr/local/named/var/named";
};

logging {
       channel warning {
       file "warning.log" versions 3 size 2048k;
       severity warning;
       print-category yes;
       print-severity yes;
       print-time yes; };

       channel query {
       file "query.log" versions 3 size 2048k;
       severity info;
       print-category yes;
       print-severity yes;
       print-time yes; };
       category default { warning; };
       category queries { query; };
       };

key beijing-key {
       algorithm hmac-md5;
       secret "bo0JTr29wbjaGGQDTA+2Sg==";

       };

key shenyang-key {
       algorithm hmac-md5;
       secret "cysQcshAlJtnMqqIjxxVrw==";
};

key any-key {
       algorithm hmac-md5;
       secret "FWUReH/kX8Q15nxeepjzbQ==";
};

include "/usr/local/named/var/named/beijing.acl";
include "/usr/local/named/var/named/shenyang.acl";

view "beijing" {
match-clients { !key shenyang-key; !key any-key; key beijing-key;beijing; };
       recursion yes;
       allow-transfer {key beijing-key;};
       server 192.168.0.99 {keys beijing-key;};
   zone "." IN {
       type hint;
       file "named.root";
       };

   zone "damai.com" IN {
       type slave;
       masters { 192.168.0.99; };
       file "beijing.damai.com.zone";
       };
       };

view "shenyang" {
match-clients { !key beijing-key; !key any-key; key shenyang-key;shenyang; };
       recursion yes;
       allow-transfer {key shenyang-key;};
       server 192.168.0.99 {keys shenyang-key;};
   zone "." IN {
       type hint;
       file "named.root";
       };

   zone "damai.com" IN {
       type slave;
       masters { 192.168.0.99; };
       file "shenyang.damai.com.zone";
       };
       };


view "any" {
match-clients { !key beijing-key; !key shenyang-key; key any-key;any; };
       recursion yes;
       allow-transfer {key any-key;};
       server 192.168.0.99 {keys any-key;};
   zone "." IN {
       type hint;
       file "named.root";
       };

   zone "damai.com" IN {
       type slave;
       masters { 192.168.0.99; };
       file "any.damai.com.zone";
       };
       };


6. 启动BIND
# /usr/local/named/sbin/named -c /usr/local/named/etc/named.conf

三、测试
用 dig 测试:例如在属于 beijing ACL 的主机(192.168.0.96)上执行 dig @192.168.0.99 pic.damai.com,应返回 192.168.0.90;在属于 shenyang ACL 的主机(192.168.0.91)上应返回 192.168.0.91;其他来源应返回 192.168.0.92。


