Companies that run their own DNS server for internal use usually do so either because they have special internal requirements or because they have many internal domain names and want them easier to manage later. A domain name is a zone, and each zone normally has a dedicated person responsible for it. Once a company has enough staff, the need arises to split off subdomains for subordinate departments to manage. Carving a subdomain out of a zone and assigning it its own DNS server is entirely possible; this way of dividing a zone into sub-zones is usually called subdomain delegation.
Add the following entries to the parent zone's configuration file:
the name of the delegated sub-zone
the sub-zone's name server
the IP address of the sub-zone's name server
Example:
```
fin.magelinux.com.     IN NS dns.fin.magelinux.com.
dns.fin.magelinux.com. IN A  172.168.200.21
```
# Delegate a blog.enzhi.com subdomain under the enzhi.com domain. Installing bind and setting up the master DNS server are not shown again here; install them as described in the previous article.
Host plan:

| Role | IP address | Hostname |
|------|------------|----------|
| DNS-MASTER | 192.168.233.135 | dns_master |
| dns_blog | 192.168.233.136 | dns_blog |
# Create the subdomain
```
[root@dns_blog ~]# yum -y install bind
[root@dns_blog ~]# mv /etc/named.conf /etc/named.conf.ori
[root@dns_blog ~]# vim /etc/named.conf
options {
        directory "/var/named/";
};
zone "." IN {
        type hint;
        file "named.ca";
};
zone "localhost" IN {
        type master;
        file "named.localhost";
};
zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
};
zone "blog.enzhi.com." IN {
        type master;
        file "blog.enzhi.com.zone";
};
```
# Create the subdomain's zone data file
```
[root@dns_blog ~]# cd /var/named/
[root@dns_blog named]# vim blog.enzhi.com.zone
$TTL 600
@       IN SOA  ns.blog.enzhi.com. admin.blog.enzhi.com. (
                2016032401
                2H
                5M
                7D
                1D )
        IN NS   ns.blog.enzhi.com.
        IN MX   10 mail
ns      IN A    192.168.233.136
mail    IN A    192.168.233.33
www     IN A    192.168.233.34
```
# Check the configuration syntax and start the service
```
[root@dns_blog named]# /etc/init.d/named configtest
zone localhost/IN: loaded serial 0
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone blog.enzhi.com/IN: loaded serial 2016032401
[root@dns_blog named]# /etc/init.d/named start
Generating /etc/rndc.key:                                  [  OK  ]
Starting named:                                            [  OK  ]
```
# Modify the parent zone's data file
```
[root@dns_master ~]# cd /var/named/
[root@dns_master named]# vim enzhi.com.zone
$TTL 600
@       IN SOA  ns.enzhi.com. admin.enzhi.com. (
                2016032401
                2H
                5M
                7D
                1D )
        IN NS   ns
        IN NS   ns2
        IN MX   10 mail
ns      IN A    192.168.233.135
ns2     IN A    192.168.233.134
mail    IN A    192.168.233.11
www     IN A    192.168.233.10
ftp     IN CNAME www
blog.enzhi.com.     IN NS   ns.blog.enzhi.com.
ns.blog.enzhi.com.  IN A    192.168.233.136
```
Note: the last two lines above define the subdomain's DNS server. As soon as the subdomain's DNS server is defined on the master DNS server, the subdomain has been delegated.
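The delegation only works while the parent's NS record and its glue A record agree with what the child zone itself says at its apex; a stale glue address or an NS set that differs between the two files is a common reason a delegated subdomain stops resolving. The script below checks that offline. It is an added example written for this page, not code from the post: the zone texts are constructed copies of the two files above, and `parse_zone` and `check_delegation` are names chosen here.

```python
# Added example, not from the post: constructed copies of the walkthrough's two zone files.
PARENT_ZONE = """$TTL 600
@ IN SOA ns.enzhi.com. admin.enzhi.com. ( 2016032401 2H 5M 7D 1D )
  IN NS ns
ns IN A 192.168.233.135
blog.enzhi.com. IN NS ns.blog.enzhi.com.
ns.blog.enzhi.com. IN A 192.168.233.136
"""
CHILD_ZONE = """$TTL 600
@ IN SOA ns.blog.enzhi.com. admin.blog.enzhi.com. ( 2016032401 2H 5M 7D 1D )
  IN NS ns.blog.enzhi.com.
ns IN A 192.168.233.136
"""

def qualify(name, origin):  # relative name -> fully qualified name under origin
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Minimal master-file parser -> {(owner, type): set(rdata)}; enough for these files."""
    records, owner = {}, origin
    for raw in text.splitlines():
        line = raw.split(";")[0].rstrip()                 # strip comments and blanks
        if not line or line.startswith("$"):              # $TTL and friends are ignored
            continue
        if not line[0].isspace():                         # explicit owner on this line
            first, _, line = line.partition(" ")
            owner = qualify(first, origin)                # otherwise owner carries over
        fields = [f for f in line.split() if f != "IN"]   # class token is optional
        rtype, rdata = fields[0], fields[1:]
        if rtype in ("NS", "CNAME"):                      # targets may be relative too
            rdata = [qualify(rdata[0], origin)]
        records.setdefault((owner, rtype), set()).add(" ".join(rdata))
    return records

def check_delegation(parent, child, child_origin):
    """List ways the parent's delegation disagrees with the child's apex; [] is clean."""
    findings = []
    parent_ns = parent.get((child_origin, "NS"), set())   # delegation NS set in parent
    child_ns = child.get((child_origin, "NS"), set())     # authoritative NS set in child
    if parent_ns != child_ns:
        findings.append(f"NS mismatch: parent={sorted(parent_ns)} child={sorted(child_ns)}")
    for ns in parent_ns:
        if ns.endswith("." + child_origin):               # in-bailiwick server: glue required
            glue, real = parent.get((ns, "A"), set()), child.get((ns, "A"), set())
            if not glue:
                findings.append(f"missing glue A record for {ns} in the parent")
            elif glue != real:
                findings.append(f"stale glue for {ns}: parent={sorted(glue)} child={sorted(real)}")
    return findings
```

Run it against the real files from /var/named/ on both hosts after every edit to the child's NS or its address; an empty list means the parent and child agree.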
# Test resolving the subdomain from the parent
```
[root@dns_master named]# dig -t A www.blog.enzhi.com @192.168.233.135

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.7 <<>> -t A www.blog.enzhi.com @192.168.233.135
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50086
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.blog.enzhi.com.            IN      A

;; ANSWER SECTION:
www.blog.enzhi.com.     462     IN      A       192.168.233.34

;; AUTHORITY SECTION:
blog.enzhi.com.         462     IN      NS      ns.blog.enzhi.com.

;; ADDITIONAL SECTION:
ns.blog.enzhi.com.      462     IN      A       192.168.233.136

;; Query time: 1 msec
;; SERVER: 192.168.233.135#53(192.168.233.135)
;; WHEN: Thu Mar 24 13:26:40 2016
;; MSG SIZE  rcvd: 85
```
# Resolve the NS servers of blog.enzhi.com
```
[root@dns_master named]# dig -t NS blog.enzhi.com @192.168.233.135

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.7 <<>> -t NS blog.enzhi.com @192.168.233.135
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49046
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;blog.enzhi.com.                IN      NS

;; ANSWER SECTION:
blog.enzhi.com.         398     IN      NS      ns.blog.enzhi.com.

;; ADDITIONAL SECTION:
ns.blog.enzhi.com.      398     IN      A       192.168.233.136

;; Query time: 1 msec
;; SERVER: 192.168.233.135#53(192.168.233.135)
;; WHEN: Thu Mar 24 13:27:44 2016
;; MSG SIZE  rcvd: 65
```
# Test resolving the parent domain from the subdomain
```
[root@dns_blog named]# dig -t A www.enzhi.com @192.168.233.135

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.7 <<>> -t A www.enzhi.com @192.168.233.135
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36945
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.enzhi.com.                 IN      A

;; ANSWER SECTION:
www.enzhi.com.          600     IN      A       192.168.233.10

;; AUTHORITY SECTION:
enzhi.com.              600     IN      NS      ns2.enzhi.com.
enzhi.com.              600     IN      NS      ns.enzhi.com.

;; ADDITIONAL SECTION:
ns.enzhi.com.           600     IN      A       192.168.233.135
ns2.enzhi.com.          600     IN      A       192.168.233.134

;; Query time: 2 msec
;; SERVER: 192.168.233.135#53(192.168.233.135)
;; WHEN: Thu Mar 24 13:29:05 2016
;; MSG SIZE  rcvd: 114
```