Preface: the previous post covered how to set up a DNS server; this one configures slave DNS servers for that master.
A slave holds an exact copy of the master's zone data. "Slave" is a per-zone concept: a master may carry several forward and reverse zones, and a slave is configured for a zone, not for the whole server. To have a slave for everything the master serves, configure one for each forward and reverse zone.
Configuring a slave for the master's forward zone
On Master: (the following steps run on the master)
Step 1: make sure the zone file has an NS record and a matching A record for each slave
[root@localhost named]# vim stu61.com.zone
$TTL 3600
@       IN SOA  ns1.stu61.com. tz.stu61.com. (
                2016010802      ; serial: bump it on every change, or the slaves will not pull the new data
                1H
                10M
                3D
                1D )
@       IN NS   ns1.stu61.com.
@       IN NS   ns2.stu61.com.          ; NS record for the slave, added on the master
        IN MX   10 mx1
        IN MX   20 mx2
ns1     IN A    172.16.249.130
ns2     IN A    172.16.249.131          ; A record for the slave
mx1     IN A    172.16.249.10
mx2     IN A    172.16.249.11
www     IN A    172.16.249.130
web     IN CNAME www
[root@localhost named]# named-checkzone stu61.com stu61.com.zone    # check for syntax errors after editing
zone stu61.com/IN: loaded serial 2016010802
OK
Step 2: reload the configuration
[root@localhost named]# rndc reload
server reload successful
[root@localhost named]# rndc status
version: 9.9.4-RedHat-9.9.4-29.el7_2.1 <id:8f9657aa>
CPUs found: 4
worker threads: 4
UDP listeners per interface: 4
number of zones: 103
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
On Slave: (the following steps run on the slave)
Step 1:
① Edit the main BIND configuration file:
[root@centos7 ~]# vim /etc/named.conf
options {
        listen-on port 53 { 127.0.0.1; 172.16.249.131; };   // port 53 must listen on this host's own address, not only on loopback
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; };   // only this host may query; list the client networks here before real clients point at this server
        dnssec-enable no;
        dnssec-validation no;
        dnssec-lookaside no;              // DNSSEC switched off for this lab; keep validation on for a resolver that serves real clients
};
[root@centos7 ~]# systemctl start named.service    # start BIND
② Define the zone: add a slave zone (the master's forward zone becomes a slave zone on this server)
[root@centos7 ~]# vim /etc/named.rfc1912.zones
zone "stu61.com" IN {
        type slave;                     // this server is a slave for the zone
        file "slaves/stu61.com.zone";   // named writes the transferred zone here itself; /var/named/slaves must be writable by the named user (it is, on CentOS)
        masters { 172.16.249.130; };    // the master's address
};
[root@centos7 ~]# named-checkconf    # check the configuration for syntax errors
Step 2: reload the configuration
[root@centos7 ~]# rndc reload
server reload successful
[root@centos7 slaves]# systemctl status named.service
named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled)
   Active: active (running) since Sun 2016-01-10 21:05:52 CST; 2s ago
  Process: 2681 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
  Process: 2592 ExecReload=/bin/sh -c /usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
  Process: 2693 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 2691 ExecStartPre=/usr/sbin/named-checkconf -z /etc/named.conf (code=exited, status=0/SUCCESS)
 Main PID: 2695 (named)
   CGroup: /system.slice/named.service
           └─2695 /usr/sbin/named -u named

Jan 10 21:05:51 centos7.localdomain named[2695]: zone localhost/IN: loaded serial 0
Jan 10 21:05:51 centos7.localdomain named[2695]: zone localhost.localdomain/IN: loaded serial 0
Jan 10 21:05:51 centos7.localdomain named[2695]: all zones loaded
Jan 10 21:05:51 centos7.localdomain named[2695]: running
Jan 10 21:05:52 centos7.localdomain systemd[1]: Started Berkeley Internet Name Domain (DNS).
Jan 10 21:05:52 centos7.localdomain named[2695]: zone stu61.com/IN: Transfer started.
Jan 10 21:05:52 centos7.localdomain named[2695]: transfer of 'stu61.com/IN' from 172.16.249.130#53: connected using 172.16.249.131#50209
Jan 10 21:05:52 centos7.localdomain named[2695]: zone stu61.com/IN: transferred serial 2016010802
Jan 10 21:05:52 centos7.localdomain named[2695]: transfer of 'stu61.com/IN' from 172.16.249.130#53: Transfer completed: 1 messages, 12 records, 280 bytes, 0....ytes/sec)    # the transfer succeeded
Jan 10 21:05:52 centos7.localdomain named[2695]: zone stu61.com/IN: sending notifies (serial 2016010802)
Hint: Some lines were ellipsized, use -l to show in full.
[root@centos7 slaves]# ls
stu61.com.zone    # named generated this zone file in /var/named/slaves after the transfer
Once configured, test resolution on the slave:
[root@centos7 slaves]# dig -t A www.stu61.com @172.16.249.131

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> -t A www.stu61.com @172.16.249.131
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43056
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.stu61.com.                 IN      A

;; ANSWER SECTION:
www.stu61.com.          3600    IN      A       172.16.249.130

;; AUTHORITY SECTION:
stu61.com.              3600    IN      NS      ns2.stu61.com.
stu61.com.              3600    IN      NS      ns1.stu61.com.

;; ADDITIONAL SECTION:
ns1.stu61.com.          3600    IN      A       172.16.249.130
ns2.stu61.com.          3600    IN      A       172.16.249.131

;; Query time: 1 msec
;; SERVER: 172.16.249.131#53(172.16.249.131)
;; WHEN: Sun Jan 10 21:10:20 CST 2016
;; MSG SIZE  rcvd: 126
The aa flag shows that the slave answers authoritatively from its own copy of the zone, exactly as the master would.
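Two checks worth scripting once a slave is up: that master and slave agree on the SOA serial, and whether the zone can be pulled by AXFR from an arbitrary client (the default allow-transfer permits that, see the security section at the end). The script below is an added example, not part of the original post. It shells out to dig (assumed to be installed) with the post's lab addresses and zone name; the serial comparison uses RFC 1982 serial arithmetic, and the AXFR probe keys on the ";; XFR size:" and "; Transfer failed." lines dig prints.

```python
"""Replication and zone-transfer checks for the master/slave pair set up above.

Added example (not from the original post). Assumes `dig` is on PATH; the
addresses and zone are the post's lab values.
"""
import subprocess

MASTER = "172.16.249.130"
SLAVE = "172.16.249.131"
ZONE = "stu61.com"


def dig(server, name, rtype, *opts):
    """Run dig against one server and return its stdout (empty on timeout)."""
    cmd = ["dig", "+time=2", "+tries=1", *opts, "@" + server, name, rtype]
    return subprocess.run(cmd, capture_output=True, text=True).stdout


def soa_serial(short_output):
    """Parse `dig +short <zone> SOA` output, e.g.
    'ns1.stu61.com. tz.stu61.com. 2016010802 3600 600 259200 86400',
    and return the serial; None if the output is not a single SOA RR."""
    fields = short_output.split()
    if len(fields) != 7 or not fields[2].isdigit():
        return None
    return int(fields[2])


def serial_newer(a, b):
    """RFC 1982 serial-number arithmetic: is serial a newer than serial b?
    Serials are 32-bit and wrap, so a plain a > b is wrong at the boundary."""
    return a != b and ((a - b) & 0xFFFFFFFF) < 0x80000000


def axfr_succeeded(axfr_output):
    """dig prints ';; XFR size: N records' after a completed transfer and
    '; Transfer failed.' when the server refuses (allow-transfer)."""
    return ";; XFR size:" in axfr_output


def replication_verdict(master_serial, slave_serial):
    """Turn the two serials into a one-line verdict."""
    if master_serial is None or slave_serial is None:
        return "no SOA answer (master=%r, slave=%r)" % (master_serial, slave_serial)
    if master_serial == slave_serial:
        return "in sync at serial %d" % master_serial
    if serial_newer(master_serial, slave_serial):
        return "slave behind: master %d, slave %d (NOTIFY or refresh not working?)" % (
            master_serial, slave_serial)
    return "slave AHEAD of master (%d > %d): serial lowered on the master or edited on the slave" % (
        slave_serial, master_serial)


def check_replication(master=MASTER, slave=SLAVE, zone=ZONE):
    """Query both servers for the zone's SOA and compare the serials."""
    m = soa_serial(dig(master, zone, "SOA", "+short"))
    s = soa_serial(dig(slave, zone, "SOA", "+short"))
    return replication_verdict(m, s)


def axfr_open(server, zone=ZONE):
    """True if this client can pull the whole zone from `server` with AXFR."""
    return axfr_succeeded(dig(server, zone, "AXFR"))


if __name__ == "__main__":
    print(check_replication())
    for srv in (MASTER, SLAVE):
        state = "OPEN to this client" if axfr_open(srv) else "refused"
        print("AXFR of %s from %s: %s" % (ZONE, srv, state))
```

Run it from a host that is not one of the slaves: "slave behind" after a master edit usually means the serial was not bumped or NOTIFY is blocked, and an AXFR that succeeds from such a host means allow-transfer still has its default of any.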
Configuring a slave for the master's reverse zone
On Master: (the following steps run on the master)
Step 1: make sure the zone file has an NS record and a matching PTR record for each slave
[root@localhost named]# vim 172.16.249.zone
$TTL 3600
$ORIGIN 249.16.172.in-addr.arpa.
@       IN SOA  ns1.stu61.com. tz.stu61.com. (
                2016010802
                1H
                10M
                3D
                12H )
        IN NS   ns1.stu61.com.
        IN NS   ns2.stu61.com.          ; NS record for the slave
130     IN PTR  ns1.stu61.com.
10      IN PTR  mx1.stu61.com.
11      IN PTR  mx2.stu61.com.
130     IN PTR  www.stu61.com.
131     IN PTR  ns2.stu61.com.          ; PTR record for the slave
[root@localhost named]# named-checkzone 249.16.172.in-addr.arpa 172.16.249.zone    # check for syntax errors
Step 2: reload the configuration
[root@localhost named]# rndc reload
On Slave: (the following steps run on the slave)
Step 1:
① Define the slave zone in the zone configuration file (the main configuration from the forward-zone setup is reused unchanged):
[root@centos7 slaves]# vim /etc/named.rfc1912.zones
zone "249.16.172.in-addr.arpa" IN {
        type slave;                     // this server is a slave for the zone
        file "slaves/172.16.249.zone";  // named generates the reverse zone file under slaves/ on the slave
        masters { 172.16.249.130; };
};
[root@centos7 ~]# named-checkconf    # check the configuration for syntax errors
Step 2: reload the configuration
[root@centos7 slaves]# rndc reload
server reload successful
[root@centos7 slaves]# systemctl status named.service
named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled)
   Active: active (running) since Sun 2016-01-10 21:44:00 CST; 31min ago
  Process: 2785 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
  Process: 2592 ExecReload=/bin/sh -c /usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
  Process: 2797 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 2795 ExecStartPre=/usr/sbin/named-checkconf -z /etc/named.conf (code=exited, status=0/SUCCESS)
 Main PID: 2799 (named)
   CGroup: /system.slice/named.service
           └─2799 /usr/sbin/named -u named

Jan 10 22:15:14 centos7.localdomain named[2799]: reloading zones succeeded
Jan 10 22:15:14 centos7.localdomain named[2799]: all zones loaded
Jan 10 22:15:14 centos7.localdomain named[2799]: running
Jan 10 22:15:14 centos7.localdomain named[2799]: zone 249.16.172.in-addr.arpa/IN: Transfer started.
Jan 10 22:15:14 centos7.localdomain named[2799]: transfer of '249.16.172.in-addr.arpa/IN' from 172.16.249.130#53: connected using ...1#36407
Jan 10 22:15:14 centos7.localdomain named[2799]: zone 249.16.172.in-addr.arpa/IN: transferred serial 2016010802
Jan 10 22:15:14 centos7.localdomain named[2799]: transfer of '249.16.172.in-addr.arpa/IN' from 172.16.249.130#53: Transfer complet...es/sec)
Jan 10 22:15:14 centos7.localdomain named[2799]: zone 249.16.172.in-addr.arpa/IN: sending notifies (serial 2016010802)
Jan 10 22:15:21 centos7.localdomain named[2799]: client 172.16.249.130#56183: received notify for zone '249.16.172.in-addr.arpa'
Jan 10 22:15:21 centos7.localdomain named[2799]: zone 249.16.172.in-addr.arpa/IN: notify from 172.16.249.130#56183: zone is up to date
Hint: Some lines were ellipsized, use -l to show in full.
[root@centos7 slaves]# ll
total 8
-rw-r--r--. 1 named named 478 Jan 10 22:15 172.16.249.zone    # the reverse zone file the transfer generated in slaves/
-rw-r--r--. 1 named named 538 Jan 10 21:53 stu61.com.zone
Once configured, test resolution on the slave:
[root@centos7 slaves]# dig -x 172.16.249.130 @172.16.249.131

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> -x 172.16.249.130 @172.16.249.131
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37248
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;130.249.16.172.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
130.249.16.172.in-addr.arpa. 3600 IN    PTR     ns1.stu61.com.
130.249.16.172.in-addr.arpa. 3600 IN    PTR     www.stu61.com.

;; AUTHORITY SECTION:
249.16.172.in-addr.arpa. 3600   IN      NS      ns2.stu61.com.
249.16.172.in-addr.arpa. 3600   IN      NS      ns1.stu61.com.

;; ADDITIONAL SECTION:
ns1.stu61.com.          3600    IN      A       172.16.249.130
ns2.stu61.com.          3600    IN      A       172.16.249.131

;; Query time: 0 msec
;; SERVER: 172.16.249.131#53(172.16.249.131)
;; WHEN: Sun Jan 10 22:26:53 CST 2016
;; MSG SIZE  rcvd: 165
Summary
With both a master and a slave in place, clients can be pointed at both (for instance half of them listing the master first and half the slave first). Both answer authoritatively for the zone, so this spreads query load across two servers and keeps resolution working when one of them is down.
Subdomain delegation:
Once we own a second-level domain we can create a third-level domain beneath it and hand it to its own server(s). The master for the parent zone only has to delegate the third-level domain, for example ops.stu61.com.
Delegating a subdomain in the forward zone:
Step 1: on the master, edit the forward zone file to add the NS record for the subdomain and the A record of its name server:
[root@localhost named]# vim stu61.com.zone
$TTL 3600
@       IN SOA  ns1.stu61.com. tz.stu61.com. (
                2016010804      ; serial bumped again
                1H
                10M
                3D
                1D )
@       IN NS   ns1.stu61.com.
@       IN NS   ns2.stu61.com.
        IN MX   10 mx1
        IN MX   20 mx2
ns1     IN A    172.16.249.130
ns2     IN A    172.16.249.131
mx1     IN A    172.16.249.10
mx2     IN A    172.16.249.11
www     IN A    172.16.249.130
web     IN CNAME www
tzz     IN A    172.16.249.132
ops     IN NS   ns1.ops.stu61.com.      ; NS record delegating the third-level domain
ns1.ops IN A    172.16.249.147          ; glue A record: the name server lives below the delegation point, so the parent must carry its address
Step 2: reload the configuration
[root@localhost named]# rndc reload
server reload successful
Step 3: configure BIND on the subdomain server and start it
[root@Tzz ~]# vim /etc/named.conf
options {
        listen-on port 53 { 127.0.0.1; 172.16.249.147; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        //allow-query     { localhost; };   // commented out: without allow-query BIND accepts queries from any host
        recursion yes;                      // combined with the line above this is an open recursive resolver if the host is reachable from untrusted networks; restrict it with allow-recursion (see the security section below)
        dnssec-enable no;
        dnssec-validation no;
        dnssec-lookaside no;
};
[root@Tzz ~]# service named start
Generating /etc/rndc.key:                                  [  OK  ]
Starting named:                                            [  OK  ]
Step 4: define the forward zone on the subdomain server:
[root@Tzz ~]# vim /etc/named.rfc1912.zones
zone "ops.stu61.com" IN {
        type master;
        file "ops.stu61.com.zone";
};
Step 5: create the forward zone file under /var/named/ on the subdomain server:
[root@Tzz named]# vim ops.stu61.com.zone
$TTL 3600
$ORIGIN ops.stu61.com.
@       IN SOA  ns1.ops.stu61.com. tz.ops.stu61.com. (
                2016010801
                1H
                10M
                1D
                2H )
        IN NS   ns1
ns1     IN A    172.16.249.147
www     IN A    172.16.249.147
[root@Tzz named]# chmod o= ops.stu61.com.zone      # remove world access to the zone file
[root@Tzz named]# chown :named ops.stu61.com.zone  # group named, so the daemon can read it
Mind the trailing dots on both SOA names: a relative name such as ns1.ops.stu61.com (no dot) gets $ORIGIN appended and would be read as ns1.ops.stu61.com.ops.stu61.com., which named-checkzone will not flag as a syntax error.
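The two zone-file rules this post leans on, that every in-zone name server needs an A (glue) record in the zone that names it (the ns2 record for the slave in step 1, the ns1.ops record for the delegation above) and that names in the SOA must be absolute, are easy to get wrong and named-checkzone accepts both mistakes as valid syntax. The lint below is an added example, not part of the original post: a small parser for the subset of zone syntax these files use ($TTL, $ORIGIN, ";" comments, parenthesised SOA, owner inheritance, optional TTL/class) plus the two checks. The embedded sample is the ops.stu61.com zone as it would look with the SOA MNAME dot left off.

```python
"""Lint a zone file for the two mistakes that bite slave and delegation setups:
an in-zone NS target with no A/AAAA (glue) record, and an SOA name written
without a trailing dot (BIND appends $ORIGIN to it).

Added example, not from the original post; the parser handles the subset of
zone syntax the post's files use.
"""
from collections import namedtuple

Record = namedtuple("Record", "owner rtype rdata origin")

# Constructed sample: the post's ops.stu61.com zone with the SOA MNAME
# 'ns1.ops.stu61.com' missing its trailing dot.
OPS_ZONE = """\
$TTL 3600
$ORIGIN ops.stu61.com.
@ IN SOA ns1.ops.stu61.com tz.ops.stu61.com. (
        2016010801
        1H
        10M
        1D
        2H )
  IN NS ns1
ns1 IN A 172.16.249.147
www IN A 172.16.249.147
"""


def _logical_lines(text):
    """Strip ';' comments and join parenthesised multi-line records."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            out.append(" ".join(buf))
            buf = []
    return out


def absolute(name, origin):
    """Resolve '@' and relative names against the current $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin


def parse_zone(text, apex):
    """Return Records with absolute owners; rdata is kept exactly as written."""
    origin, owner, records = apex, apex, []
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = absolute(tokens[1], origin)
            continue
        if tokens[0] == "$TTL":
            continue
        if not line[0].isspace():          # a line starting in column 1 names a new owner
            owner = absolute(tokens.pop(0), origin)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() == "IN"):
            tokens.pop(0)                  # optional TTL and class
        records.append(Record(owner, tokens[0].upper(), tokens[1:], origin))
    return records


def lint(text, apex):
    """Return a list of problem strings; an empty list means both checks passed."""
    records = parse_zone(text, apex)
    has_address = {r.owner for r in records if r.rtype in ("A", "AAAA")}
    problems = []
    for r in records:
        if r.rtype == "SOA":
            for label, value in (("MNAME", r.rdata[0]), ("RNAME", r.rdata[1])):
                if not value.endswith("."):
                    problems.append("SOA %s '%s' is relative; BIND reads it as '%s'"
                                    % (label, value, absolute(value, r.origin)))
        elif r.rtype == "NS":
            target = absolute(r.rdata[0], r.origin)
            in_zone = target == apex or target.endswith("." + apex)
            if in_zone and target not in has_address:
                problems.append("NS %s for %s needs an A/AAAA (glue) record in this zone"
                                % (target, r.owner))
    return problems


if __name__ == "__main__":
    for problem in lint(OPS_ZONE, "ops.stu61.com.") or ["no problems found"]:
        print(problem)
```

Feed it the parent zone from step 1 with the ns1.ops A record left out and it reports the missing glue; with the record present, as in the post, it is silent. Run it before named-checkzone, since the latter only catches syntax.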
Step 6: reload the configuration
[root@Tzz named]# rndc reload
server reload successful
Step 7: test resolution:
[root@Tzz named]# dig -t A www.ops.stu61.com @172.16.249.147

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6 <<>> -t A www.ops.stu61.com @172.16.249.147
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30865
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.ops.stu61.com.             IN      A

;; ANSWER SECTION:
www.ops.stu61.com.      3600    IN      A       172.16.249.147

;; AUTHORITY SECTION:
ops.stu61.com.          3600    IN      NS      ns1.ops.stu61.com.

;; ADDITIONAL SECTION:
ns1.ops.stu61.com.      3600    IN      A       172.16.249.147

;; Query time: 1 msec
;; SERVER: 172.16.249.147#53(172.16.249.147)
;; WHEN: Sun Jan 10 11:51:36 2016
;; MSG SIZE  rcvd: 85
The query succeeds, so the subdomain server is configured correctly. (This only proves the child side; the delegation as a whole also depends on the NS and glue records added to the parent zone in step 1.)
This leaves one problem. When the subdomain server is asked about the parent zone stu61.com, which it is not authoritative for, it has to resolve the name by iterating from the root. That is needlessly roundabout for its own parent domain, so we configure forwarding on the subdomain server instead.
Defining forwarding:
Note: the server being forwarded to must allow recursion for the forwarding server. (In this example the forwarders are authoritative for stu61.com and answer from the zone itself; when forwarding to a general-purpose resolver, its allow-recursion must include this server.)
(1) Zone forwarding: forward only the queries for one specific zone;
zone "stu61.com" IN {                               // the parent zone
        type forward;                               // forward-type zone
        forward only;                               // forward only: if the forwarders do not answer, give up rather than iterate (forward first would fall back to iteration)
        forwarders { 172.16.249.130; 172.16.249.131; };    // the forwarders: the parent's master and slave
};
Test after configuring:
[root@Tzz named]# dig -t A www.stu61.com @172.16.249.147

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6 <<>> -t A www.stu61.com @172.16.249.147
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8578
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.stu61.com.                 IN      A

;; ANSWER SECTION:
www.stu61.com.          3600    IN      A       172.16.249.130

;; AUTHORITY SECTION:
stu61.com.              3600    IN      NS      ns2.stu61.com.
stu61.com.              3600    IN      NS      ns1.stu61.com.

;; ADDITIONAL SECTION:
ns2.stu61.com.          3600    IN      A       172.16.249.131
ns1.stu61.com.          3600    IN      A       172.16.249.130

;; Query time: 4 msec
;; SERVER: 172.16.249.147#53(172.16.249.147)
;; WHEN: Sun Jan 10 12:46:47 2016
;; MSG SIZE  rcvd: 115
Note that the aa flag is missing this time: the answer came through the forwarders, so the subdomain server is not authoritative for it, unlike the earlier queries answered from its own zone.
(2) Global forwarding: every query for a zone not defined locally is handed to the forwarder;
[root@Tzz named]# vim /etc/named.conf
options {
        ...
        forward {only|first};
        forwarders { SERVER_IP; };
        ...
};
Security-related configuration in BIND:
acl: access control list; groups one or more addresses under a name so that the whole set can later be referenced by that name;
acl mynet { 172.16.0.0/16; 127.0.0.0/8; };
BIND has four built-in ACLs:
none: no host;
any: any host;
localhost: any address belonging to this host's own interfaces;
localnets: the networks this host's interfaces belong to;
Access control statements (in options they apply globally; inside a zone statement they apply to that zone only and override the global setting):
allow-query {}: hosts allowed to query; a whitelist;
allow-transfer {}: hosts allowed to request a zone transfer; the default is any host, which lets anyone dump the entire zone, so restrict it to the slaves on the master (and to none on the slaves themselves);
allow-recursion {}: hosts allowed to send recursive queries to this server; leaving this open on a server that has recursion yes makes it an open resolver;
allow-update {}: DDNS, hosts allowed to update the zone data dynamically; the default is none, and it should stay that way unless dynamic updates are actually needed;
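Putting those statements together for the master/slave pair built above, as an added example rather than the post's own configuration (the ACL names slaves and mynet are my choice; the addresses are the post's): the weak default is shown commented next to the tightened setting.

```conf
// /etc/named.conf on the master (172.16.249.130)
acl slaves { 172.16.249.131; };                 // the only host that may pull the zone
acl mynet  { 172.16.0.0/16; 127.0.0.0/8; };     // clients this server resolves for

options {
        ...
        // weak (BIND default):  allow-transfer { any; };   anyone can dump the whole zone
        allow-transfer  { slaves; };
        // weak: recursion yes with no allow-recursion makes an open resolver
        allow-recursion { mynet; };
        allow-query     { any; };               // authoritative answers may go to anyone
};

zone "stu61.com" IN {
        type master;
        file "stu61.com.zone";
        allow-update { none; };                 // no DDNS unless a client really needs it
};

// /etc/named.rfc1912.zones on the slave (172.16.249.131)
zone "stu61.com" IN {
        type slave;
        file "slaves/stu61.com.zone";
        masters { 172.16.249.130; };
        allow-transfer { none; };               // a slave is never a transfer source for anyone else
};
```

A zone-level allow-transfer overrides the one in options, so the slave stanza closes the transfer path even if its options block is left at the default. After the change, dig axfr stu61.com from a host outside the slaves ACL should report "Transfer failed." while the slave's next refresh still succeeds.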