bind之子域授权
BIND子域授权
用途:完成分布式DNS数据库的手段
定义子区域的方法
定义一个子区域的方法只需要在父域的区域解析库中添加“胶水记录”
ops.magedu.com. IN NS ns1.ops.magedu.com.
ops.magedu.com. IN NS ns2.ops.magedu.com.
ns1.ops.magedu.com. IN A 1.1.1.1
ns2.ops.magedu.com. IN A 1.1.1.2
定义转发服务器
注意:被转发的服务器需要能够为请求者做递归,否则,转发请求不予进行;
(1)全部转发:
凡是对非本机所有负责解析的区域的请求,统统转发给指定的服务器;
#/etc/named.conf
Options {
...
forward {first|only};
fowwarders;
...
}
first: 先转发到指定的被转发服务器;如果;指定的被转发服务器不予响应;则自己再次到根服务器进行迭代查询 ;
only :只转发到指定的被转发服务器;如果指定的服务器不予响应;则不再继续查询该请求
(2) 区域转发:仅转发对特定的区域的解析请求中至某服务器;一般在/etc/named.rfc1912.zones中定义
#/etc/named.rfc1912.zones
zone "ZONE_NAME" IN{
type forward;
forward {first|only}
forwarders
}
实战配置
需要
父域服务器为172.16.6.61,域名hao123.com,先需要添加一个子域ops.hao123.com,子域服务器为172.16.6.63,需要完成父域hao123.com对子域ops.hao123.com的授权,确保子域可以使用,将子域解析解析父域的请求向父域转发
在父域hao23.com 的DNS服务器上定义一个子区域ops的”胶水记录”
[root@dns1 named]# cat/var/named/hao123.com.zone
$TTL 1D
$ORIGIN hao123.com.
@ IN SOAns1.hao123.com.admin.hao123.com.(
201504042403
1h
5m
5h
1w )
IN NS ns1
IN NS ns2
IN MX 10 mx1.hao123.com.
IN MX 10 mx2.hao123.com.
ns1IN A 172.16.6.61
ns2IN A 172.16.6.62
mx1.hao123.com.IN A 172.16.6.64
mx2.hao123.com.IN A 172.16.6.64
wwwIN A 172.16.6.65
wwwIN A 172.16.6.66
hao123.com.IN A 172.16.6.65
ftpIN CNAME www
* IN A 172.16.6.65
opsIN NS ns1.ops
ns1.ops IN A 172.16.6.63
父域上检查语法充气服务
[root@dns1 ~]#named-checkconf
[root@dns1 ~]# rndc reload
server reload successful
先查看父域dns的状态
[root@dns1 ~]# rndc status
version:9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6
CPUs found: 1
worker threads: 1
number of zones: 21 <--增加子域当前区域不会发生改变
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
子区域ops.hao123.com的配置
在子域服务上添加区域ops 和区域转发/etc/named.conf
[root@ops ~]# cat/etc/named.conf
options {
// listen-on port 53 { 127.0.0.1; };
// listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file"/var/named/data/named_mem_stats.txt";
// allow-query { localhost;};
recursion yes;
dnssec-enable no;
dnssec-validation no;
// dnssec-lookaside auto;
/* Path to ISC DLV key */
// bindkeys-file "/etc/named.iscdlv.key";
// managed-keys-directory "/var/named/dynamic";
};
logging {
channel default_debug {
file"data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include"/etc/named.rfc1912.zones";
include"/etc/named.root.key";
注意:在父域和子域上需要关闭dnssec功能:
dnssec-enable no;
dnssec-validationno;
定义子域的ops.hao123.com的zone
[root@ops ~]# tail/etc/named.rfc1912.zones
...
zone"ops.hao123.com" IN {
type master;
file "ops.hao123.com.zone";
};
创建ops.hao123.com的区域解析库文件
[root@ops ~]# cat /var/named/ops.hao123.com.zone
$TTL 1D
$ORIGIN ops.hao123.com.
@ IN SOAns1.ops.hao123.com.admin.ops.hao123.com. (
2014042601
1H
5M
1D
1w )
IN NS ns1
ns1IN A 172.16.6.63
wwwIN A 172.16.6.161
* IN A 172.16.6.161
在子域服务器上使用dig命令测试对www.ops.hao123.com的解析
[root@ops ~]# dig -t Awww.ops.hao123.com @172.16.6.63
; <<>> DiG9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t A [email protected]
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<-opcode: QUERY, status: NOERROR, id: 37697
;; flags: qr aa rd ra; QUERY:1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.ops.hao123.com. IN A
;; ANSWER SECTION:
www.ops.hao123.com.86400 IN A 172.16.6.161
;; AUTHORITY SECTION:
ops.hao123.com. 86400 IN NS ns1.ops.hao123.com.
;; ADDITIONAL SECTION:
ns1.ops.hao123.com.86400 IN A 172.16.6.63
;; Query time: 0 msec
;; SERVER:172.16.6.63#53(172.16.6.63)
;; WHEN: Sun Apr 26 15:39:442015
;; MSG SIZE rcvd: 86
使用父域的DNS解析子域对www.ops.hao123.com的解析
[root@ops ~]# dig -t Awww.ops.hao123.com @172.16.6.61
; <<>> DiG9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t A [email protected]
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<-opcode: QUERY, status: NOERROR, id: 33785
;; flags: qr rd ra; QUERY: 1,ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.ops.hao123.com. IN A
;; ANSWER SECTION:
www.ops.hao123.com.86254 IN A 172.16.6.161
;; AUTHORITY SECTION:
ops.hao123.com. 86254 IN NS ns1.ops.hao123.com.
;; ADDITIONAL SECTION:
ns1.ops.hao123.com.86254 IN A 172.16.6.63
;; Query time: 0 msec
;; SERVER:172.16.6.61#53(172.16.6.61)
;; WHEN: Sun Apr 26 15:39:542015
;; MSG SIZE rcvd: 86
在子域ops DNS服务器上添加对父域hao123.com的条件转发
配置bind的主配置文件/etc/named.rfc1912.zones
[root@ops ~]# tail /etc/named.rfc1912.zones
zone "hao123.com"IN {
type forward;
forward only;
forwarders { 172.16.6.61; };
};
在子域ops上使用dig命令测试对父域hao123.com中的www主机的解析
[root@ops ~]# dig -t Awww.hao123.com @172.16.6.63
; <<>> DiG9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t A [email protected]
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<-opcode: QUERY, status: NOERROR, id: 47911
;; flags: qr rd ra; QUERY: 1,ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.hao123.com. IN A
;; ANSWER SECTION:
www.hao123.com. 86400 IN A 172.16.6.66
www.hao123.com. 86400 IN A 172.16.6.65
;; AUTHORITY SECTION:
hao123.com. 86400 IN NS ns1.hao123.com.
hao123.com. 86400 IN NS ns2.hao123.com.
;; ADDITIONAL SECTION:
ns1.hao123.com. 86400 IN A 172.16.6.61
ns2.hao123.com. 86400 IN A 172.16.6.62
;; Query time: 1 msec
;; SERVER:172.16.6.63#53(172.16.6.63)
;; WHEN: Sun Apr 26 16:20:302015
;; MSG SIZE rcvd: 132