一、bind簡介
一、bind簡介
Linux中通常使用bind來實現DNS服務器的架設,bind軟件由isc(https://www.isc.org/downloads/bind/)維護。在yum倉庫中可以找到軟件,配置好yum源,直接使用命令yum install bind就可以安裝。當前bind的穩定版本爲bind9,bind的服務名稱爲named,監聽的端口爲53號端口。bind的主要配置文件爲/etc/named.conf,此文件主要用於配置區域,並指定區域數據庫文件名稱。區域數據庫文件通常保存於/var/named/目錄下,用於定義區域的資源類型。
二、使用bind架設DNS服務器
1.實例操作:以域名example.com爲例配置一個DNS服務器,實現正向解析與反向解析。
Master DNS(FQDN:dns1.example.com/IP: 192.168.100.199) Slave DNS(FQDN:dns2.example.com/IP: 192.168.100.198) OS:CentOS Linux release 7.3.1611 (Core) Kernel:3.10.0-514.10.2.el7.x86_64 Bind: bind-license-9.9.4-38.el7_3.2.noarch bind-9.9.4-38.el7_3.2.x86_64 binutils-2.25.1-22.base.el7.x86_64 bind-libs-lite-9.9.4-38.el7_3.2.x86_64 bind-libs-9.9.4-38.el7_3.2.x86_64 bind-utils-9.9.4-38.el7_3.2.x86_64
這裏就不再贅述如何使用VM(VirtualBox/VMware/etc),如何配置網絡IP等。
bind直接用YUM安裝(yum install epel-release; yum install bind)
2、主DNS服務器bind配置文件爲/etc/named.conf,此文件用於定義區域。每個區域的數據文件保存在/var/named目錄下。
named.conf各參數項說明:
options {
//全局選項
}
zone "ZONE name"{
//定義區域
}
logging{
//定義日誌系統
}named.conf文件內容如下:
options {
listen-on port 53 { 127.0.0.1; }; #定義監聽端口及IP地址
listen-on-v6 port 53 { ::1; }; #定義監聽的IPv6地址
directory "/var/named"; #全局目錄
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; };#允許查詢的IP地址
recursion yes; #是否允許遞歸查詢
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";注意:bind的配置文件/etc/named.conf裏必須要定義的三個區域是:根、127.0.0.1和127.0.0.1的反解。
以上options選項中有許多是我們用不到,我們先把它們註釋掉。結果如下:
[root@dns1 ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
//listen-on port 53 { 127.0.0.1; };
//listen-on port 53 { any; };
//listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
//allow-query { 192.168.0.0/16; };
//forward first;
//forwarders{
//202.106.196.115;
//219.141.136.10;
//114.114.114.114;
//};
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
//dnssec-enable yes;
//dnssec-validation yes;
//dnssec-enable no;
//dnssec-validation no;
//dnssec-lookaside no;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
[root@dns1 ~]# hostname
dns1.example.com3、打開/etc/named.rfc1912.zones文件,添加一個區域。
[root@dns1 ~]# cat /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
//###############################
//自定義example.com正向解的區域
//###############################
zone "example.com" IN {
type master;
file "example.com.zone";
allow-transfer{ 127.0.0.1;192.168.100.199;192.168.100.198; };
};
//#############################
//自定義反向解析
//#############################
zone "100.168.192.in-addr.arpa" IN {
type master;
file "100.168.192.in-addr-arpa";
allow-transfer{ 127.0.0.1;192.168.100.199;192.168.100.198; };
};
[root@dns1 ~]#說明:
type: 用於定義區域類型,此時只有一個DNS服務器,所以爲master,type可選值爲:hint(根的)|master(主的)|slave(輔助的)|forward(轉發)
file:用於定義區域數據文件路徑,默認該文件保存在/var/named/目錄。
區域添加好後,使用命令:named-checkconf 或 service named configtest測試配置文件語法格式。
[root@dns1 ~]# named-checkconf
沒有提示則表示文件語法正常。
4、新建數據庫文件/var/named/example.com.zone,並添加資源記錄。
說明:
資源記錄的格式: name [ttl] IN RRtype Value 資源記錄名 有效時間 IN 類型 資源記錄的值SOA: 只能有一個,而且必須是第一個
name: 只能是區域名稱,通常可以簡寫爲@ value: 主DNS服務器的FQDNNS: 可以有多條 name: 區域名稱,通常可以簡寫爲@ value: DNS服務器的FQDN(可以使用相對名稱)A: 只能定義在正向區域文件中 name: FQDN(可以使用相對名稱) value: IPMX: 可以有多個 name: 區域名稱,用於標識smtp服務器 value: 包含優先級和FQDN 優先級:0-99,數字越小,級別越高;CNAME: name: FQDN value: FQDNPTR: IP --> FQDN, 只能定義在反向區域數據文件中,反向區域名稱爲逆向網絡地址加.in-addr.arpa.後綴組成 name: IP, 逆向的主機地址,主機地址反過來寫加上.in-addr.arpa. value: FQDN[root@dns1 ~]# cat /var/named/example.com.zone $TTL 300 ; @ IN SOA dns1.example.com admin.example.com( 2017032800 ; Serial 300 ; Refresh 1800 ; Retry 604800 ; Expire 300 ; TTL ) ; IN NS dns1 IN NS dns2 dns1 IN A 192.168.100.199 dns2 IN A 192.168.100.198 ; ; agent IN A 192.168.100.102 puppet IN A 192.168.100.101 [root@dns1 ~]#
說明:
$TTL爲定義的宏,表示下面資源記錄ttl的值都爲600秒。
@符號可代表區域文件/etc/named.conf裏面定義的區域名稱,即:"wubinary.com."。
每個區域的資源記錄第一條必須是SOA,SOA後面接DNS服務器的域名和電子郵箱地址,此處電子郵箱地址裏的@因爲有特殊用途,所以此處要用點號代替。SOA後面小括號裏的各值所代表的意義如下所示:
@ IN SOA dns.example.com admin.example.com ( 2017032800 ;標識序列號,十進制數字,不能超過10位,通常使用日期 2H ;刷新時間,即每隔多久到主服務器檢查一次,此處爲2小時 4M ;重試時間,應該小於刷新時間,此處爲4分鐘 1D ;過期時間,此處爲1天 2D ;主服務器掛後,從服務器至多工作的時間,此處爲2天)
區域數據文件配置好後,可以使用命令named-checkzone檢查語法錯誤。
命令格式:
[root@dns1 ~]# named-checkzone "example.com.zome" /var/named/example.com.zone zone example.com.zome/IN: loaded serial 2017032800 OK [root@dns1 ~]#
5、兩個文件都配置好後,記得查看一下文件的所屬組。因爲bind程序的服務名稱爲named,bind默認是使用named組的身份操作文件,所以我們新建的文件所屬組都要改爲named,並且爲了安全起見不能讓別人有修改的權限,權限最好改爲640。
[root@dns1 ~]# ll /var/named/ total 24 -rw-r--r-- 1 root named 463 Mar 28 10:46 100.168.192.in-addr-arpa drwxrwx---. 2 named named 23 Mar 27 13:28 data drwxrwx---. 2 named named 60 Mar 28 13:28 dynamic -rw-r--r-- 1 root named 403 Mar 28 10:45 example.com.zone -rw-r-----. 1 root named 2076 Jan 28 2013 named.ca -rw-r-----. 1 root named 152 Dec 15 2009 named.empty -rw-r-----. 1 root named 152 Jun 21 2007 named.localhost -rw-r-----. 1 root named 168 Dec 15 2009 named.loopback drwxrwx---. 2 named named 6 Feb 15 21:16 slaves [root@dns1 ~]#
6、設置妥當當後我們就可以開啓服務了。
[root@dns1 ~]# systemctl restart named.service [root@dns1 ~]# systemctl status named.service ● named.service - Berkeley Internet Name Domain (DNS) Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled) Active: active (running) since Tue 2017-03-28 13:33:15 CST; 10s ago Process: 5001 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS) Process: 5012 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS) Process: 5010 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS) Main PID: 5014 (named) CGroup: /system.slice/named.service └─5014 /usr/sbin/named -u named Mar 28 13:33:15 dns1.example.com named[5014]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0 Mar 28 13:33:15 dns1.example.com named[5014]: zone localhost/IN: loaded serial 0 Mar 28 13:33:15 dns1.example.com named[5014]: zone 100.168.192.in-addr.arpa/IN: loaded serial 2017032800 Mar 28 13:33:15 dns1.example.com named[5014]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN...rial 0 Mar 28 13:33:15 dns1.example.com named[5014]: zone example.com/IN: loaded serial 2017032800 Mar 28 13:33:15 dns1.example.com named[5014]: zone localhost.localdomain/IN: loaded serial 0 Mar 28 13:33:15 dns1.example.com named[5014]: all zones loaded Mar 28 13:33:15 dns1.example.com named[5014]: running Mar 28 13:33:15 dns1.example.com named[5014]: zone 100.168.192.in-addr.arpa/IN: sending notifies (serial 2017032800) Mar 28 13:33:15 dns1.example.com named[5014]: zone example.com/IN: sending notifies (serial 2017032800) Hint: Some lines were ellipsized, use -l to show in full. [root@dns1 ~]#
7、使用dig命令測試DNS。
命令格式:
dig [-t type] [-x addr] [name] [@server]
-t: 指定資源類型,用於正解
-x: 指定IP地址,用於反解
[root@dns1 ~]# dig -t A puppet.example.com @192.168.100.199 ; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> -t A puppet.example.com @192.168.100.199 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17827 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;puppet.example.com. IN A ;; ANSWER SECTION: puppet.example.com. 300 IN A 192.168.100.101 ;; AUTHORITY SECTION: example.com. 300 IN NS dns2.example.com. example.com. 300 IN NS dns1.example.com. ;; ADDITIONAL SECTION: dns1.example.com. 300 IN A 192.168.100.199 dns2.example.com. 300 IN A 192.168.100.198 ;; Query time: 0 msec ;; SERVER: 192.168.100.199#53(192.168.100.199) ;; WHEN: Tue Mar 28 14:14:02 CST 2017 ;; MSG SIZE rcvd: 133
[root@dns1 ~]# dig -x 192.168.100.102 @192.168.100.199 ; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> -x 192.168.100.102 @192.168.100.199 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58688 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;102.100.168.192.in-addr.arpa. IN PTR ;; ANSWER SECTION: 102.100.168.192.in-addr.arpa. 300 IN PTR agent.example.com. ;; AUTHORITY SECTION: 100.168.192.in-addr.arpa. 300 IN NS dns2.example.com. 100.168.192.in-addr.arpa. 300 IN NS dns1.example.com. ;; ADDITIONAL SECTION: dns1.example.com. 300 IN A 192.168.100.199 dns2.example.com. 300 IN A 192.168.100.198 ;; Query time: 0 msec ;; SERVER: 192.168.100.199#53(192.168.100.199) ;; WHEN: Tue Mar 28 14:15:31 CST 2017 ;; MSG SIZE rcvd: 158 [root@dns1 ~]#
測試成功!
注意:通常在應用中,DNS的反向解析並不是很重要,可以不配置,當服務器中有域名作爲郵件服務器時,此時可以配置反向解析,因爲郵件中過濾垃圾郵件的技術通常是解析郵箱地址,如果IP地址不能反解成一個域名則視爲垃圾郵件。
三、使用bind架設輔助DNS服務器,實現主從數據同步
DNS從服務器也叫輔服DNS服務器,如果網絡上某個節點只有一臺DNS服務器的話,首先服務器的抗壓能力是有限的,當壓力達到一定的程度,服務器就會宕機罷工,其次如果這臺服務器出現了硬件故障那麼服務器管理的區域的域名將無法訪問。爲了解決這些問題,最好的辦法就是使用多個DNS服務器同時工作,並實現數據的同步,這樣兩臺服務器就都可以實現域名解析操作。
主DNS服務器架設好後,輔助的DNS服務器的架設就相對簡單多了。架設主從DNS服務器有兩個前提條件,一是兩臺主機可以不一定處在同一網段,但是兩臺主機之間必須要實現網絡通信;二,輔助DNS服務器必須要有主DNS服務器的授權,纔可以正常操作。
1、從DNS服務器bind配置文件爲/etc/named.conf,此文件用於定義區域。每個區域的數據文件保存在/var/named目錄下。
[root@dns2 named]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
//listen-on port 53 { 127.0.0.1; };
//listen-on port 53 { any; };
//listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
//allow-query { 192.168.0.0/16; };
//forward first;
//forwarders{
//202.106.196.115;
//219.141.136.10;
//114.114.114.114;
//};
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
//dnssec-enable yes;
dnssec-validation yes;
//dnssec-enable no;
//dnssec-validation no;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
[root@dns2 named]#2、打開輔助DNS服務器的/etc/named.rfc1912.zones文件,添加兩個區域記錄,這兩個記錄是主DNS服務器配置文件裏已經存在的記錄,一個是正向解析記錄,一個是反向解析記錄。
////////////////////////////
//從服務器正解配置
////////////////////////////
zone "example.com." IN {
type slave;
masters { 192.168.100.199; };
file "slaves/example.com.zone";
allow-transfer { none;};
};
/////////////////////////
//從DNS服務器反解設置
/////////////////////////
zone"100.168.192.in-addr.arpa." IN {
type slave;
masters { 192.168.1.199; };
file"slaves/100.168.192.in-addr.zone";
allow-transfer{ none; }; //作爲從服務器不應該讓其他服務器zone傳送。
};說明:type: slave,表示此時DNS服務器爲輔助DNS服務器,於是下面一行就要定義主DNS服務器的IP地址,輔助DNS服務器才知道去哪裏同步數據。輔助DNS服務器的資源類型數據文件通常保存在slaves目錄,只需定義一個名稱,文件內容通常是自動生成。
配置好後,直接開啓DNS服務,然後再回到主DNS服務器上。
3、修改主DNS服務器的數據文件,添加一條輔助DNS服務器記錄,給輔助DNS服務器授權。
修改正向解析文件/var/named/example.com.zone。
[root@dns1 ~]# cat /var/named/example.com.zone $TTL 300 ; @ IN SOA dns1.example.com admin.example.com( 2017032800 ; Serial 300 ; Refresh 1800 ; Retry 604800 ; Expire 300 ; TTL ) ; IN NS dns1 IN NS dns2 dns1 IN A 192.168.100.199 dns2 IN A 192.168.100.198 ; ; agent IN A 192.168.100.102 puppet IN A 192.168.100.101 [root@dns1 ~]#
說明:添加了一條NS記錄,值爲,dns2.example.com.,對應的A記錄也要增加一條,把IP地址指向對應的輔助DNS服務器的IP地址。修改完成後,記得要把序列號的值加1,用於通知輔助DNS服務器自動更新數據文件。
4、重新加載主DNS服務器的配置文件,這時再到回輔助DNS服務器,在/var/named/slaves/目錄下會多了兩個文件。
[root@dns2 named]# ll /var/named/slaves/ total 4 -rw-r--r-- 1 named named 392 Mar 28 14:34 example.com.zone [root@dns2 named]#
5、測試輔助DNS服務器。
[root@dns2 slaves]# dig -t A puppet.example.com @192.168.100.198 ; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> -t A puppet.example.com @192.168.100.198 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53695 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;puppet.example.com. IN A ;; ANSWER SECTION: puppet.example.com. 300 IN A 192.168.100.101 ;; AUTHORITY SECTION: example.com. 300 IN NS dns1.example.com. example.com. 300 IN NS dns2.example.com. ;; ADDITIONAL SECTION: dns1.example.com. 300 IN A 192.168.100.199 dns2.example.com. 300 IN A 192.168.100.198 ;; Query time: 0 msec ;; SERVER: 192.168.100.198#53(192.168.100.198) ;; WHEN: Tue Mar 28 15:10:43 CST 2017 ;; MSG SIZE rcvd: 133 [root@dns2 slaves]# [root@dns2 slaves]# [root@dns2 slaves]# [root@dns2 slaves]# dig -x 192.168.100.102 @192.168.100.198 ; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> -x 192.168.100.102 @192.168.100.198 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55340 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;102.100.168.192.in-addr.arpa. IN PTR ;; Query time: 0 msec ;; SERVER: 192.168.100.198#53(192.168.100.198) ;; WHEN: Tue Mar 28 15:10:50 CST 2017 ;; MSG SIZE rcvd: 57 [root@dns2 slaves]#
四、主從同步數據的安全性
DNS服務器的數據同步默認是沒有限定主機的,也就是說,網絡上只要有一臺DNS服務器向你的DNS服務器請求數據,都能實現數據同步,那麼這樣就相當的不安全了。我們可以使用一個選項allow-transfer,指定可以同步數據的主機IP。主DNS服務器的數據可以給別的服務器同步,相對的,輔助DNS服務器的數據也是可以給其它輔助DNS服務器同步,於是,所有的主從DNS服務器都要設置該參數。
1. 指定可以從主DNS服務器上同步數據的主機。
修改/etc/named.rfc1912.zones文件:
[root@dns2 named]# cat /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
////////////////////////////
//從服務器正解配置
////////////////////////////
zone "example.com." IN {
type slave;
masters { 192.168.100.199; };
file "slaves/example.com.zone";
allow-transfer { none;};
};
/////////////////////////
//從DNS服務器反解設置
/////////////////////////
zone"100.168.192.in-addr.arpa." IN {
type slave;
masters { 192.168.1.199; };
file"slaves/100.168.192.in-addr.zone";
allow-transfer{ none; }; //作爲從服務器不應該讓其他服務器zone傳送。
};
[root@dns2 named]#說明:
我們只有一臺輔助DNS服務器,所以根本不會有主機從這臺機器同步數據,所以我們設置成不允許任何人同步。
在每塊區域上添加參數allow-transfer,花括號內填寫可以同步的主機IP,一般填寫輔助DNS服務器的IP地址。可以使用dig命令測試,區域同步:
dig -t axfr ZONE_NAME @DNS_SERVCER_IP
[root@dns2 named]# dig -t axfr example.com @192.168.100.199 ; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> -t axfr example.com @192.168.100.199 ;; global options: +cmd example.com. 300 IN SOA dns1.example.com.example.com. admin.example.com.example.com. 2017032800 300 1800 604800 300 example.com. 300 IN NS dns1.example.com. example.com. 300 IN NS dns2.example.com. agent.example.com. 300 IN A 192.168.100.102 dns1.example.com. 300 IN A 192.168.100.199 dns2.example.com. 300 IN A 192.168.100.198 puppet.example.com. 300 IN A 192.168.100.101 example.com. 300 IN SOA dns1.example.com.example.com. admin.example.com.example.com. 2017032800 300 1800 604800 300 ;; Query time: 1 msec ;; SERVER: 192.168.100.199#53(192.168.100.199) ;; WHEN: Tue Mar 28 14:31:02 CST 2017 ;; XFR size: 8 records (messages 1, bytes 239) [root@dns2 named]#
非指定IP不可以同步數據。
[root@dns2 slaves]# dig -t axfr example.com @192.168.100.102 ;; Connection to 192.168.100.102#53(192.168.100.102) for example.com failed: host unreachable.
2.指定可以從輔助DNS服務器上同步數據的主機。
修改/etc/named.rfc1912.zones文件:
////////////////////////////
//從服務器正解配置
////////////////////////////
zone "example.com." IN {
type slave;
masters { 192.168.100.199; };
file "slaves/example.com.zone";
allow-transfer { none;};
};
/////////////////////////
//從DNS服務器反解設置
/////////////////////////
zone"100.168.192.in-addr.arpa." IN {
type slave;
masters { 192.168.1.199; };
file"slaves/100.168.192.in-addr.arpa.zone";
allow-transfer{ none; };
};我們只有一臺輔助DNS服務器,所以根本不會有主機從這臺機器同步數據,所以我們設置成不允許任何人同步。
五、測試DNS解析的其它命令
測試DNS解析的命令不只是dig可以實現,還有兩個命令也可以實現相同的效果。
1、host命令
host命令格式:
# host [-t type] {name} [server]2、nslookup命令
這個命令很神奇,在windows的dos裏面也可以使用:
nslookup>
server DNS_SERVER_IP
set q=TYPE
{name}Refer: http://www.cnblogs.com/fatt/p/4494695.html