dns授權
dns授權分爲兩步
1】父域dns對子域dns實現授權,
2】子域對父域
1.改變根提示,把父域dns視爲根
2.轉發器
dns服務器的搭建請看dns服務器搭建
拓撲圖:
一、修改父域實現對子域的授權
修改dns服務器配置文件註釋最後一行
[root@localhost chroot]# vim etc/named.conf
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion yes;
// dnssec-enable yes;
// dnssec-validation yes;
// dnssec-lookaside auto;
/* Path to ISC DLV key */
// bindkeys-file "/etc/named.iscdlv.key";
// managed-keys-directory "/var/named/dynamic";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
//include "/etc/named.root.key";
聲明兩個區域b.com和bj.b.com
[root@localhost chroot]# vim etc/named.rfc1912.zones
19 zone "localhost" IN {
20 type master;
21 file "named.localhost";
22 allow-update { none; };
23 };
24 zone "b.com" IN {
25 type master;
26 file "b.com.zone";
27 allow-update { none; };
28 };
29 zone "bj.b.com" IN {
30 type master;
31 file "bj.b.com.zone";
32 allow-update { none; };
創建b.com.zone和sh.b.com.zone文件
[root@localhost chroot]# cd var/named
[root@localhost named]# cp named.localhost b.com
[root@localhost named]# cp named.localhost bj.b.com
[root@localhost named]# vim bj.b.com.zone
$TTL 1D
@ IN SOA ns.bj.b.com. rname.invalid. (
1 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS ns.bj.b.com.
ns IN A 192.168.3.120
www IN A 2.2.2.2
給子域sh.b.com授權
[root@localhost named]# vim b.com.zone
$TTL 1D
@ IN SOA ns.b.com. rname.invalid. (
1 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS ns.b.com.
ns IN A 192.168.3.120
www IN A 1.1.1.1
sh.b.com. IN NS ns.sh.b.com.
ns.sh.b.com. IN A 192.168.3.122
編輯完後保存退出,然後重新加載區域
[root@localhost named]# rndc reload
二、子域設置轉發
1、登錄到要設置爲子域的dns服務器的主機
[root@localhost ~]# cd /var/named/chroot
編輯配置文件設置轉發
[root@localhost chroot]# vim etc/named.conf
10 options {
11 listen-on port 53 { any; };
12 listen-on-v6 port 53 { ::1; };
13 directory "/var/named";
14 dump-file "/var/named/data/cache_dump.db";
15 statistics-file "/var/named/data/named_stats.txt";
16 memstatistics-file "/var/named/data/named_mem_stats.txt";
17 allow-query { any; };
18 recursion yes;
19
20 dnssec-enable yes;
21 dnssec-validation yes;
22 dnssec-lookaside auto;
//23行爲設置轉發
23 forwarders { 192.168.3.120; };
24 /* Path to ISC DLV key */
25 bindkeys-file "/etc/named.iscdlv.key";
26
27 managed-keys-directory "/var/named/dynamic";
28 };
29
30 logging {
31 channel default_debug {
32 file "data/named.run";
33 severity dynamic;
34 };
35 };
36
37 zone "." IN {
38 type hint;
39 file "named.ca";
40 };
41
42 include "/etc/named.rfc1912.zones";
//註釋43行
43 //include "/etc/named.root.key";
聲明sh.b.com
[root@localhost chroot]# vim etc/named.rfc1912.zones
24 zone "sh.b.com" IN {
25 type master;
26 file "sh.b.com.zone";
27 allow-update { none; };
28 };
創建並編輯sh.b.com.zone
[root@localhost chroot]# cd var/named
[root@localhost named]# cp named.localhost sh.b.com.zone
[root@localhost named]# vim sh.b.com.zone
1 $TTL 1D
2 @ IN SOA sh.b.com. rname.invalid. (
3 1 ; serial
4 1D ; refresh
5 1H ; retry
6 1W ; expire
7 3H ) ; minimum
8 @ IN NS ns.sh.b.com.
9 ns IN A 192.168.3.122
10 www IN A 3.3.3.3
編輯完後保存退出,然後重新加載區域
[root@localhost named]# rndc reload
[root@localhost named]# vim /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.3.122
測試
[root@localhost chroot]# dig www.b.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 <<>> www.b.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10870
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.b.com.INA
;; ANSWER SECTION:
www.b.com.86400INA 1.1.1.1
;; AUTHORITY SECTION:
b.com.86400INNSns.b.com.
;; ADDITIONAL SECTION:
ns.b.com.86400INA192.168.3.120
;; Query time: 1 msec
;; SERVER: 192.168.3.122#53(192.168.3.122)
;; WHEN: Sat May 10 07:07:58 2014
;; MSG SIZE rcvd: 77