###############################
###### unit2.DNS服務器集羣 ######
###############################
##########實驗環境##########
主DNS server:172.25.254.219(Master)
[root@dns-server ~]# vim /etc/resolv.conf
3 nameserver 172.25.254.219
備DNS server:172.25.254.119(Slave)
[root@station ~]# vim /etc/resolv.conf
3 nameserver 172.25.254.119
測試客戶機器:(219主機詢問Master,119主機詢問Slave,Slave再從Master同步區域資料)
172.25.254.219
172.25.254.119
注意:主DNS配置請參照《高速緩存DNS》,此處不做描述
主DNS的/var/named/tbr.com.zone文件信息爲:
1 $TTL 1D
2 @ IN SOA dns.tbr.com. root.tbr.com. (
3 0 ; serial
4 1D ; refresh
5 1H ; retry
6 1W ; expire
7 3H ) ; minimum
8 NS dns.tbr.com.##正式環境中Slave也應列為NS(再加一筆NS指向Slave的主機名及其A記錄),否則其他解析器不會知道可以向Slave查詢
9 dns A 172.25.254.219
10 www A 172.25.254.19
#########Slave DNS server基礎配置#########
Slave端:
[root@station ~]# yum install bind -y
[root@station ~]# vim /etc/named.conf
11 listen-on port 53 { any; };
17 allow-query { any; };
32 dnssec-validation no;
##注意:allow-query { any; } 若再配合仍然開啟的 recursion,這台機器就成了對外開放的遞迴解析器(open resolver),可被拿來做DNS放大攻擊;只負責tbr.com權威解析的Slave建議加上 recursion no;,或用 allow-recursion { 172.25.254.0/24; }; 限制為內網。dnssec-validation no 只是為了實驗方便,正式環境不要關閉驗證
[root@station ~]# vim /etc/named.rfc1912.zones##仿照19-23行的模板添加下面的內容
25 zone "tbr.com" IN {
26 type slave;
27 masters { 172.25.254.219; };
28 file "slaves/tbr.com.zone";
29 allow-update { none; };
30 };
[root@station ~]# cd /var/named/
[root@station named]# ls
data named.ca named.localhost slaves
dynamic named.empty named.loopback
[root@station named]# cd slaves/
[root@station slaves]# ls##該目錄下剛開始沒有任何文件
[root@station slaves]# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@station slaves]# firewall-cmd --permanent --add-service=dns
success
[root@station slaves]# firewall-cmd --reload
success
[root@station slaves]# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client dns ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
Master端:
[root@dns-server ~]# vim /etc/named.rfc1912.zones
25 zone "tbr.com" IN {
26 type master;
27 file "tbr.com.zone";
28 allow-update { none; };
29 allow-transfer { 172.25.254.119; };##只允許列出的主機(即Slave 172.25.254.119)向自己做區域傳送(AXFR/IXFR);這裡要填Slave的IP而不是Master自己的219,否則Slave會被拒絕同步。不設定時這一版BIND預設允許任何主機傳送整個區域、洩漏所有記錄,務必限制
測試:
172.25.254.119主機:
[root@station named]# dig www.tbr.com
;; ANSWER SECTION:
www.tbr.com.        86400   IN      A       172.25.254.19
##########Slave DNS server自動同步主DNS數據###########
在Master端:
[root@dns-server ~]# vim /etc/named.rfc1912.zones
25 zone "tbr.com" IN {
26 type master;
27 file "tbr.com.zone";
28 allow-update { none; };
29 allow-transfer { 172.25.254.119; };##只允許Slave(172.25.254.119)做區域傳送;要填Slave的IP,不是Master自己的219
30 also-notify { 172.25.254.119; };##區域更新後主動向Slave發NOTIFY,Slave收到後會比對SOA serial再決定是否重新傳送;同樣要填Slave的IP
31 };
[root@dns-server ~]# vim /var/named/tbr.com.zone##需要修改serial值
##Slave只在Master的SOA serial比自己手上的大時才認為區域有更新、重新同步;所以serial要遞增(例如YYYYMMDDnn格式),只是改成一個不同的值不保證生效
3 2016112601 ; serial
10 www A 172.25.254.18
##修改serial值的同時修改dns解析的內容(之前爲www.tbr.com——172.25.254.19)
[root@dns-server ~]# systemctl restart named
在Slave端:
確認防火牆已放行dns服務(前面已用 firewall-cmd --permanent --add-service=dns 加入);不要為了方便直接關閉防火牆
測試:
172.25.254.219主機:
[root@dns-server ~]# dig www.tbr.com
;; ANSWER SECTION:
www.tbr.com.        86400   IN      A       172.25.254.18
172.25.254.119主機:
[root@station named]# dig www.tbr.com
;; ANSWER SECTION:
www.tbr.com.        86400   IN      A       172.25.254.18
#############遠程修改DNS配置###############
注意:先將上一個實驗中的部分配置刪除,否則會影響該實驗:
在Master端:
[root@dns-server ~]# vim /etc/named.rfc1912.zones
25 zone "tbr.com" IN {
26 type master;
27 file "tbr.com.zone";
28 allow-update { none; };
=======刪除以下兩行內容=======
29 allow-transfer { 172.25.254.219; };
30 also-notify { 172.25.254.219; };
===========================
##並將28行改爲如下:
28 allow-update { 172.25.254.119; };##允許該ip遠程修改DNS配置。注意:只靠來源IP授權動態更新非常弱,UDP來源位址可以偽造,任何能偽造119位址的人都能改寫整個區域;這只適合實驗,正式環境應改用下一節的TSIG金鑰(allow-update { key ...; })
[root@station named]# setenforce 0##臨時把SELinux切到permissive(只記錄不阻擋),讓named能在/var/named下建立日誌檔。注意:這一步和下面的chmod應在Master(dns-server)上執行;而且關閉SELinux只是實驗捷徑,正確做法是保持enforcing並開啟對應布林值:setsebool -P named_write_master_zones on
[root@station named]# getenforce
Permissive
[root@dns-server ~]# cp -p /var/named/tbr.com.zone /mnt/##注意要加-p
##做該實驗之前,先將tbr.com.zone文件備份,方便之後還原
[root@dns-server ~]# chmod 770 /var/named/##讓named群組能在目錄下建立.jnl日誌檔。較符合最小權限的做法是只把會被動態更新的區域檔放到named可寫的目錄(例如/var/named/dynamic/)並在file裡指向它,而不是放寬整個/var/named
[root@dns-server ~]# ll -d /var/named/
drwxrwx---. 5 root named 4096 11月 25 23:59 /var/named/
測試:
172.25.254.119主機:
[root@station named]# nsupdate
> server 172.25.254.219
> update delete www.tbr.com##刪除A記錄
> send
172.25.254.219主機:
[root@dns-server named]# dig www.tbr.com
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4624
[root@dns-server named]# ls
data named.empty slaves tbr.com.zone.inter
dynamic named.localhost tbr.comNaNr tbr.com.zone.jnl
named.ca named.loopback tbr.com.zone
[root@dns-server named]# rm -fr tbr.com.zone.jnl
[root@dns-server named]# rm -fr tbr.com.zone
[root@dns-server named]# cp -p /mnt/tbr.com.zone .##將之前備份的文件拷貝回來,注意:要加-p
[root@dns-server named]# ls
data named.empty slaves tbr.com.zone.inter
dynamic named.localhost tbr.comNaNr
named.ca named.loopback tbr.com.zone
[root@dns-server var]# dig www.tbr.com
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 60307
##此時仍查不到,A記錄仍不存在:直接覆蓋磁碟上的區域檔不會影響named記憶體中的區域及其動態更新狀態。要手動修改動態更新中的區域檔,正規流程是 rndc freeze tbr.com → 改檔 → rndc thaw tbr.com(或重啟named);否則手改的內容可能被之後的日誌寫回覆蓋。下面改用nsupdate把記錄加回去
172.25.254.119主機:
[root@station named]# nsupdate
> server 172.25.254.219
> update add www.tbr.com 86400 A 172.25.254.19##添加A記錄
> send
172.25.254.219主機:
[root@dns-server named]# dig www.tbr.com
;; ANSWER SECTION:
www.tbr.com.        86400   IN      A       172.25.254.19
##再次查看,成功恢復
###########遠程修改添加密碼認證#############
Master端:
[root@dns-server named]# dnssec-keygen --help##查看dnssec-keygen的幫助
[root@dns-server named]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST tbr
Ktbr.+157+00014
##此時可能會卡住,因爲加密字符不夠導致的,可以在該主機上移動鼠標或操作來增加無序加密字符
##-a 演算法; -b 金鑰長度(位元); -n 金鑰類別(HOST|USER)。注意:HMAC-MD5已不建議用於TSIG,應改用例如 dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST tbr,並把後面named.conf與dhcpd.conf裡的 algorithm 同步改成 hmac-sha256;較新版BIND已改由 tsig-keygen 產生TSIG金鑰
[root@dns-server named]# ls
data named.empty tbr.com.zone
dynamic named.localhost tbr.com.zone.inter
Ktbr.+157+00014.key named.loopback tbr.com.zone.jnl
Ktbr.+157+00014.private slaves
named.ca tbr.comNaNr
##生成了這兩個文件:Ktbr.+157+00014.key 與 Ktbr.+157+00014.private;從下面的cat輸出可見兩者含有同一把共享密鑰,都要當機密保管(chmod 600,不要提交到版本庫或貼到公開文件裡)
[root@dns-server named]# cat Ktbr.+157+00014.key
tbr. IN KEY 512 3 157 +dqtFZtEFN+NGp/2rRHJOQ==
[root@dns-server named]# cat Ktbr.+157+00014.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: +dqtFZtEFN+NGp/2rRHJOQ==
Bits: AAA=
Created: 20161126061602
Publish: 20161126061602
Activate: 20161126061602
[root@dns-server named]# cp -p /etc/rndc.key /etc/tbr.key
[root@dns-server named]# vim /etc/tbr.key
1 key "tbr" {##此處將key名稱改爲自己設置的(eg.tbr)
2 algorithm hmac-md5;
3 secret "+dqtFZtEFN+NGp/2rRHJOQ==";##此處將加密字符改爲上面生成的key字符
4 };
##將加密字符文件與DNS相關聯:(如下)
[root@dns-server named]# vim /etc/named.conf
44 include "/etc/tbr.key";
[root@dns-server named]# vim /etc/named.rfc1912.zones
28 allow-update { key tbr; };
##最後把key文件傳給要做遠程修改的客戶機。這是共享密鑰:拿到它的人就能改寫tbr.com區域,所以傳到客戶機後要確認權限為600、只放在管理者能讀的目錄,而不是任何人都能進入的/mnt/
[root@dns-server named]# scp Ktbr.+157+00014.* [email protected]:/mnt/
測試:
172.25.254.119主機:
[root@station named]# cd /mnt##需要進入到有key文件的目錄下操作
[root@station mnt]# ls
Ktbr.+157+00014.key Ktbr.+157+00014.private
[root@station mnt]# nsupdate -k Ktbr.+157+00014.private ##-k表示用密碼認證
> server 172.25.254.219
> update delete www.tbr.com
> send
>
#############Dynamic DNS 動態DNS###############
注意:
做該實驗之前,先將上一個實驗的部分配置還原:
Master端:
[root@dns-server named]# rm -fr tbr.com.zone.jnl
[root@dns-server named]# rm -fr tbr.com.zone
[root@dns-server named]# cp -p /mnt/tbr.com.zone .##將之前備份的文件拷貝回來,注意:要加-p
[root@dns-server named]# systemctl restart named##重啓服務後生效
Master端:
[root@dns-server ~]# yum install dhcpd -y
[root@dns-server named]# cp /usr/share/doc/dhcp-4.2.5/dhcpd.conf.example /etc/dhcp/dhcpd.conf
cp: overwrite ‘/etc/dhcp/dhcpd.conf’? y
[root@dns-server named]# vim /etc/dhcp/dhcpd.conf
7 option domain-name "tbr.com";
8 option domain-name-servers 172.25.254.219;
14 ddns-update-style none;##將該條配置啓用
||
14 ddns-update-style interim;##並將參數修改為interim(ISC DHCP 4.2的選項;4.3以後建議改用 standard)
=============刪除以下兩行===============
27 subnet 10.152.187.0 netmask 255.255.255.0 {
28 }
======================================
30 subnet 172.25.254.0 netmask 255.255.255.0 {
31 range 172.25.254.240 172.25.254.244;
32 option routers 172.25.254.219;
33 }
34
35 key tbr {##修改key名稱爲tbr
36 algorithm hmac-md5;##默認使用hmac-md5加密
37 secret +dqtFZtEFN+NGp/2rRHJOQ==;##將密碼修改爲之前的key值
38 };
39
40 zone tbr.com. {##修改zone的名稱爲tbr.com.
41 primary 127.0.0.1;##默認使用環回口進行通信
42 key tbr;##使用的key為tbr;對應Master端named.rfc1912.zones的 allow-update { key tbr; },這一項要保留,否則dhcpd送出的更新會被拒絕
43 }
========================================
##上述補充的內容可以通過下面的方式查詢:
[root@dns-server ~]# man 5 dhcpd.conf
/dns##搜索關鍵字dns
========================================
[root@dns-server named]# systemctl start dhcpd##啓動服務
測試:
172.25.254.119主機:
修改爲DHCP獲取地址:(不做詳細描述)
[root@station Desktop]# hostname
station.domain19.example.com
[root@station Desktop]#
hostnamectl set-hostname music.tbr.com
[root@station Desktop]# reboot
[root@music ~]# systemctl restart network
[root@music ~]# ifconfig
inet 172.25.254.241 netmask 255.255.255.0 broadcast 172.25.254.255
[root@music ~]# dig music.tbr.com
;; ANSWER SECTION:
music.tbr.com.      300     IN      A       172.25.254.241
去修改Master端的/etc/dhcp/dhcpd.conf中的ip範圍爲172.25.254.242 172.25.254.244,再
[root@music ~]# systemctl restart network
[root@music ~]# ifconfig
inet 172.25.254.241 netmask 255.255.255.0 broadcast 172.25.254.255
[root@music ~]# dig music.tbr.com
;; ANSWER SECTION:
music.tbr.com.      300     IN      A       172.25.254.242