BIND subdomain delegation
Purpose: the mechanism by which the DNS database is distributed across many servers
How to define a subzone
Defining a subzone only requires adding, in the parent zone's zone file, NS records that name the subzone's name servers and, for any name server whose name lies inside the subzone, the "glue records" (A/AAAA) that give its address, for example:
ops.magedu.com. IN NS ns1.ops.magedu.com.
ops.magedu.com. IN NS ns2.ops.magedu.com.
ns1.ops.magedu.com. IN A 1.1.1.1
ns2.ops.magedu.com. IN A 1.1.1.2
Defining forwarders
Note: the server being forwarded to must be willing to perform recursion on behalf of the requester; otherwise the forwarded query goes nowhere. This can be checked by querying the forwarder directly with dig: the ra flag in its reply tells you whether it offers recursion to your address.
(1) Global forwarding:
Every query for a zone that this server is not itself responsible for is forwarded to the specified servers;
# /etc/named.conf
options {
...
forward {first|only};
forwarders { IP; ... };
...
};
first: send the query to the specified forwarders first; if they do not respond, the server resolves the name itself by iterating from the root servers. (If the forwarders are an internal-only path to the zone, this fallback sends the query, and possibly a different public answer, out to the Internet.)
only: send the query only to the specified forwarders; if they do not respond, the query fails instead of being resolved elsewhere.
(2) Zone forwarding: forward only the queries for a particular zone to a given server; usually defined in /etc/named.rfc1912.zones
# /etc/named.rfc1912.zones
zone "ZONE_NAME" IN {
type forward;
forward {first|only};
forwarders { IP; ... };
};
Hands-on configuration
Requirements
The parent domain server is 172.16.6.61 and serves hao123.com. Add a subdomain ops.hao123.com served by 172.16.6.63, delegate ops.hao123.com from the parent zone hao123.com so that the subdomain is usable, and have the subdomain server forward its queries for the parent domain to the parent server.
On the DNS server for the parent domain hao123.com, add the NS record and "glue record" for the subzone ops
[root@dns1 named]# cat /var/named/hao123.com.zone
$TTL 1D
$ORIGIN hao123.com.
@ IN SOA ns1.hao123.com. admin.hao123.com. (
    2015042601 ; serial is a 32-bit field; the page's original 12-digit value exceeds that range, so it is shortened here
    1h
    5m
    5h
    1w )
    IN NS ns1
    IN NS ns2
    IN MX 10 mx1.hao123.com.
    IN MX 10 mx2.hao123.com.
ns1 IN A 172.16.6.61
ns2 IN A 172.16.6.62
mx1.hao123.com. IN A 172.16.6.64
mx2.hao123.com. IN A 172.16.6.64
www IN A 172.16.6.65
www IN A 172.16.6.66
hao123.com. IN A 172.16.6.65
ftp IN CNAME www
* IN A 172.16.6.65
ops IN NS ns1.ops ; delegation: the subzone's name server
ns1.ops IN A 172.16.6.63 ; glue: ns1.ops lies inside the subzone, so the parent must supply its address
On the parent, check the configuration syntax and reload the service (named-checkconf validates only named.conf; the zone file itself can be validated with named-checkzone before reloading)
[root@dns1 ~]# named-checkconf
[root@dns1 ~]# rndc reload
server reload successful
Check the parent DNS server's status first
[root@dns1 ~]# rndc status
version:9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6
CPUs found: 1
worker threads: 1
number of zones: 21 <-- delegating a subdomain adds no zone to this server, so the count is unchanged
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
Configuration of the subzone ops.hao123.com
On the subdomain server, add the ops zone and the zone forwarding. /etc/named.conf:
[root@ops ~]# cat /etc/named.conf
options {
// listen-on port 53 { 127.0.0.1; };
// listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
// allow-query { localhost;};
recursion yes;
dnssec-enable no;
dnssec-validation no;
// dnssec-lookaside auto;
/* Path to ISC DLV key */
// bindkeys-file "/etc/named.iscdlv.key";
// managed-keys-directory "/var/named/dynamic";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Note: for this lab setup DNSSEC is turned off on both the parent and the subdomain server:
dnssec-enable no;
dnssec-validation no;
Caveat: with dnssec-validation no the server accepts every answer it receives, forwarded ones included, without the cryptographic checks that are DNSSEC's defence against cache poisoning. That is tolerable on an isolated lab network whose zones are unsigned; on a production resolver, leave validation enabled.
Define the zone ops.hao123.com on the subdomain server
[root@ops ~]# tail /etc/named.rfc1912.zones
...
zone "ops.hao123.com" IN {
type master;
file "ops.hao123.com.zone";
};
Create the zone file for ops.hao123.com
[root@ops ~]# cat /var/named/ops.hao123.com.zone
$TTL 1D
$ORIGIN ops.hao123.com.
@ IN SOA ns1.ops.hao123.com. admin.ops.hao123.com. (
    2014042601
    1H
    5M
    1D
    1w )
    IN NS ns1
ns1 IN A 172.16.6.63
www IN A 172.16.6.161
* IN A 172.16.6.161
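The delegation defined above rests on two files agreeing with each other: the parent's NS and glue records for ops and the child's own apex NS and A records. A missing glue record makes the subzone unreachable, and glue that no longer matches the child's real address is a classic way to end up with a delegation that quietly points at a host you no longer control. The following script is an added example, not code from the original tutorial; it parses the two zone files of this walkthrough (embedded as constructed strings, trimmed to the relevant records) and reports NS-set mismatches, missing glue and stale glue. It handles only the zone-file syntax the walkthrough uses ($TTL, $ORIGIN, @, blank owners, parenthesised SOA, ; comments).

```python
"""Delegation consistency check for a BIND parent/child zone pair (added
example, not the tutorial's own code). It parses the walkthrough's two zone
files, embedded below as constructed strings, and reports what to verify before
reloading the parent: NS set agreement, missing glue, and stale glue."""
import re

PARENT_ZONE = """\
$TTL 1D
$ORIGIN hao123.com.
@ IN SOA ns1.hao123.com. admin.hao123.com. (
    2015042601 1h 5m 5h 1w )
    IN NS ns1
ns1 IN A 172.16.6.61
ops IN NS ns1.ops            ; delegation to the subzone
ns1.ops IN A 172.16.6.63     ; glue for the in-bailiwick name server
"""

CHILD_ZONE = """\
$TTL 1D
$ORIGIN ops.hao123.com.
@ IN SOA ns1.ops.hao123.com. admin.ops.hao123.com. (
    2014042601 1H 5M 1D 1w )
    IN NS ns1
ns1 IN A 172.16.6.63
www IN A 172.16.6.161
"""

_TTL_RE = re.compile(r"\d+[smhdw]?$", re.I)   # optional TTL field, e.g. 3600 or 1h

def _fqdn(name, origin):
    """Make a zone-file name absolute relative to the current $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def _logical_lines(text):
    """Strip ';' comments and join parenthesised multi-line records."""
    out, buf, depth = [], "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf = buf + " " + line if buf else line
        if depth == 0:
            if buf.strip():
                out.append(buf.replace("(", " ").replace(")", " "))
            buf = ""
    return out

def parse_zone(text):
    """Return [(owner, type, rdata)]; owners and NS targets are made absolute.
    Handles only the subset of zone-file syntax the walkthrough uses."""
    origin, owner, records = ".", None, []
    for line in _logical_lines(text):
        has_owner = not line[0].isspace()     # blank owner inherits the previous one
        toks = line.split()
        if toks[0].startswith("$"):           # $ORIGIN / $TTL directives
            if toks[0] == "$ORIGIN":
                origin = toks[1]
            continue
        if has_owner:
            owner = _fqdn(toks.pop(0), origin)
        while toks and (toks[0].upper() == "IN" or _TTL_RE.match(toks[0])):
            toks.pop(0)                       # optional TTL and class
        rtype, rdata = toks[0].upper(), toks[1:]
        if rtype == "NS":
            rdata = [_fqdn(rdata[0], origin)]
        records.append((owner, rtype, rdata))
    return records

def _addresses(records, name):
    return {r[0] for o, t, r in records if o == name and t in ("A", "AAAA")}

def check_delegation(parent_text, child_text):
    """Return a list of problems; an empty list means the delegation is consistent."""
    parent, child = parse_zone(parent_text), parse_zone(child_text)
    child_apex = next(o for o, t, _ in child if t == "SOA")
    delegated = {r[0] for o, t, r in parent if o == child_apex and t == "NS"}
    if not delegated:
        return [f"parent has no NS records for {child_apex}: nothing is delegated"]
    problems = []
    declared = {r[0] for o, t, r in child if o == child_apex and t == "NS"}
    if delegated != declared:
        problems.append(f"NS set mismatch: parent delegates {sorted(delegated)}, "
                        f"child apex declares {sorted(declared)}")
    for ns in sorted(delegated):
        if not ns.endswith("." + child_apex):
            continue                          # out-of-bailiwick server: no glue needed
        glue = _addresses(parent, ns)         # the A record beside the delegation
        if not glue:
            problems.append(f"missing glue: {ns} lies inside {child_apex} "
                            "but the parent carries no A/AAAA for it")
            continue
        authoritative = _addresses(child, ns)
        if authoritative and glue != authoritative:
            problems.append(f"stale glue for {ns}: parent says {sorted(glue)}, "
                            f"child says {sorted(authoritative)}")
    return problems
```

check_delegation(PARENT_ZONE, CHILD_ZONE) returns an empty list for the files as shown; removing the ns1.ops A record from the parent produces a "missing glue" finding, and changing its address produces a "stale glue" finding. Out-of-bailiwick name servers (for example a server named under a different domain) are deliberately skipped, since their addresses are resolved normally rather than taken from glue.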
On the subdomain server, use dig to test resolution of www.ops.hao123.com
[root@ops ~]# dig -t A www.ops.hao123.com @172.16.6.63
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t A www.ops.hao123.com @172.16.6.63
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37697
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.ops.hao123.com. IN A
;; ANSWER SECTION:
www.ops.hao123.com. 86400 IN A 172.16.6.161
;; AUTHORITY SECTION:
ops.hao123.com. 86400 IN NS ns1.ops.hao123.com.
;; ADDITIONAL SECTION:
ns1.ops.hao123.com. 86400 IN A 172.16.6.63
;; Query time: 0 msec
;; SERVER: 172.16.6.63#53(172.16.6.63)
;; WHEN: Sun Apr 26 15:39:44 2015
;; MSG SIZE rcvd: 86
The aa flag shows that the subdomain server answered from its own zone data.
Resolve www.ops.hao123.com through the parent's DNS server (this exercises the delegation)
[root@ops ~]# dig -t A www.ops.hao123.com @172.16.6.61
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t A www.ops.hao123.com @172.16.6.61
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33785
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.ops.hao123.com. IN A
;; ANSWER SECTION:
www.ops.hao123.com. 86254 IN A 172.16.6.161
;; AUTHORITY SECTION:
ops.hao123.com. 86254 IN NS ns1.ops.hao123.com.
;; ADDITIONAL SECTION:
ns1.ops.hao123.com. 86254 IN A 172.16.6.63
;; Query time: 0 msec
;; SERVER: 172.16.6.61#53(172.16.6.61)
;; WHEN: Sun Apr 26 15:39:54 2015
;; MSG SIZE rcvd: 86
Here aa is absent and the TTL (86254) is counting down: the parent is not authoritative for ops.hao123.com, so it followed its own NS and glue records to 172.16.6.63, cached the answer, and served it from cache.
On the subdomain's DNS server, add conditional forwarding for the parent domain hao123.com
Edit /etc/named.rfc1912.zones, which is included from the main configuration file
[root@ops ~]# tail /etc/named.rfc1912.zones
zone "hao123.com" IN {
type forward;
forward only;
forwarders { 172.16.6.61; };
};
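The stanza above is the safe shape of a forward zone: an explicit forwarders list and forward only. Two nearby mistakes are easy to make and hard to spot by eye: a forward zone with no forwarders list, which in BIND switches forwarding off for that zone and ignores the global forwarders, and forward first (BIND's default when no policy is given), which, as described under "Defining forwarders", sends the query off to the root servers whenever 172.16.6.61 is silent. The following linter is an added example, not code from the original tutorial; it parses a constructed named.conf containing this walkthrough's forward zone and reports those two conditions plus any forwarder outside an operator-supplied trusted set. The parser covers the brace-and-semicolon grammar of named.conf and nothing more.

```python
"""Forwarding-policy lint for a BIND named.conf (added example, not the
tutorial's own code). It parses a constructed named.conf containing the
walkthrough's forward zone for hao123.com and reports a forward zone with no
forwarders, an effective 'forward first' policy, and untrusted forwarders."""
import re

# Constructed configuration: the subdomain server's conditional forwarding
# from the walkthrough, beside the ops zone it is authoritative for.
SAMPLE_CONF = """\
options {
    directory "/var/named";
    recursion yes;
};
// hao123.com is internal: every query for it goes to the parent server only.
zone "hao123.com" IN {
    type forward;
    forward only;
    forwarders { 172.16.6.61; };
};
zone "ops.hao123.com" IN {
    type master;
    file "ops.hao123.com.zone";
};
"""

def _tokenize(conf):
    """Split named.conf text into words, quoted strings and { } ; punctuation."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)   # block comments
    conf = re.sub(r"(//|#)[^\n]*", "", conf)             # line comments
    return re.findall(r'"[^"]*"|[{};]|[^\s{};]+', conf)

def _parse(tokens, i=0):
    """A block is a list of statements; a statement is a list of words whose
    last item may be a nested block (another list)."""
    stmts, cur = [], []
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if tok == "{":
            inner, i = _parse(tokens, i)
            cur.append(inner)
        elif tok == "}":
            break
        elif tok == ";":
            if cur:
                stmts.append(cur)
            cur = []
        else:
            cur.append(tok.strip('"'))
    if cur:
        stmts.append(cur)
    return stmts, i

def _forwarders(stmts):
    """Addresses of a 'forwarders { ... };' statement, or None if absent."""
    for s in stmts:
        if s[0] == "forwarders" and isinstance(s[-1], list):
            return [entry[0] for entry in s[-1]]
    return None

def _policy(stmts):
    """The 'forward first|only;' value, or None if not set at this level."""
    for s in stmts:
        if s[0] == "forward" and len(s) == 2:
            return s[1]
    return None

def lint_forwarding(conf, trusted):
    """Return findings as strings; an empty list means the policy looks sane."""
    top, _ = _parse(_tokenize(conf))
    options = next((s[-1] for s in top if s[0] == "options"), [])
    global_policy = _policy(options) or "first"      # BIND's default policy
    findings = [f"options: forwarder {ip} is not in the trusted set"
                for ip in _forwarders(options) or [] if ip not in trusted]
    for s in top:
        if s[0] != "zone" or not isinstance(s[-1], list):
            continue
        name, body = s[1], s[-1]
        if ["type", "forward"] not in body:
            continue
        fwd = _forwarders(body)
        if not fwd:      # BIND: a forward zone without forwarders turns forwarding off
            findings.append(f"zone {name}: forward zone with no forwarders disables "
                            "forwarding for it and ignores the global forwarders")
            continue
        if (_policy(body) or global_policy) == "first":
            findings.append(f"zone {name}: 'forward first' falls back to iterating "
                            f"from the root hints when {', '.join(fwd)} is silent; "
                            "use 'forward only' for an internal-only zone")
        findings += [f"zone {name}: forwarder {ip} is not in the trusted set"
                     for ip in fwd if ip not in trusted]
    return findings
```

lint_forwarding(SAMPLE_CONF, {"172.16.6.61"}) returns an empty list for the configuration as shown; swapping forward only for forward first, or emptying the forwarders list, each produces one finding. A zone-level forward statement overrides the one in options, and a zone with none inherits the global value, which is why the linter resolves the effective policy before judging it.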
On the subdomain server ops, use dig to test resolution of the host www in the parent domain hao123.com
[root@ops ~]# dig -t A www.hao123.com @172.16.6.63
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t A www.hao123.com @172.16.6.63
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47911
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.hao123.com. IN A
;; ANSWER SECTION:
www.hao123.com. 86400 IN A 172.16.6.66
www.hao123.com. 86400 IN A 172.16.6.65
;; AUTHORITY SECTION:
hao123.com. 86400 IN NS ns1.hao123.com.
hao123.com. 86400 IN NS ns2.hao123.com.
;; ADDITIONAL SECTION:
ns1.hao123.com. 86400 IN A 172.16.6.61
ns2.hao123.com. 86400 IN A 172.16.6.62
;; Query time: 1 msec
;; SERVER: 172.16.6.63#53(172.16.6.63)
;; WHEN: Sun Apr 26 16:20:30 2015
;; MSG SIZE rcvd: 132
Again there is no aa flag: the subdomain server is not authoritative for hao123.com, and the answer came through the forwarder 172.16.6.61.